a. App – MySii, whose owner is Sii
b. Sii – Sii Ltd. with its seat in Warsaw at Niepodległości Av. 69, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0000249203, with a share capital of PLN 400,000, NIP number: 5252352907.
c. Personal data – defined as Personal data within the meaning of the GDPR, i.e. all information relating to an identified or identifiable natural person. These data identify directly or indirectly a natural person with regards to the name, e-mail address, or telephone number of the natural person and other data that, in connection with the above-mentioned, may identify the User.
d. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), pursuant to which Sii and its Subsidiaries process Users' Personal Data.
f. Subsidiary – company or entity that is directly or indirectly controlled by Sii, where "control" means: (a) in the case of corporate entities, direct or indirect ownership of more than fifty percent (50%) of stocks or shares entitled to vote, or (b) in the case of non-corporate entities, holding directly or indirectly more than fifty percent (50%) of the equity with the power to direct such non-corporate entities. The subsidiary company is, in particular, Sii Sweden.
The administrator of Users' personal data provided in connection with the use of the Application is Sii Sp. z o. o. al. Niepodległości 69, 02-626 Warsaw, phone: (22) 486 37 37, e-mail: firstname.lastname@example.org (hereinafter also referred to as the "Administrator").
Sii has appointed a Data Protection Inspector: Sebastian Pyzik. In case of any questions regarding regulations concerning personal data processing described in this Policy, contact the Data Protection Officer by sending an email to email@example.com.
Sii processes Personal Data for various purposes for which it needs a specific scope of Personal Data from the User, and each purpose of processing has its legal basis resulting from the provisions of the GDPR and sectoral regulations that contain regulations regarding the protection of Personal Data:
a. Purpose of processing personal data:
b. Legal basis for processing:
c. Scope of processed personal data:
d. Sii does not process the User's special categories of personal data specified in Art. 9 GDPR.
Legitimate interest is one of the legal grounds provided for in Art. 6 para. 1 GDPR, which assumes that there are situations in which the Personal Data Administrator may perform specific processing of Personal Data. Such legitimate interests that we use at Sii include:
a. Possibility of pursuing claims or defending against them.
b. Handling inquiries sent to Sii - providing answers to Users.
In the event of contact with the User in order to provide an answer, the legal basis for the processing of Personal Data is the legitimate interest of Sii as the administrator of Personal Data provided on the contact form (Art. 6 para. 1 point f GDPR). The legitimate interest is manifested in the possibility of responding to the inquiry sent, providing the User with a comprehensive answer. Without the processing of Personal Data, in particular contact data, we will not be able to provide an answer, and thus, help in resolving an issue indicated in the inquiry.
There are situations in which Sii transfers the User's Personal Data to other external entities – companies, entrepreneurs, or public institutions. Your data may be transferred to external entities to the extent necessary to achieve the above-mentioned purposes of their processing.
The transfer of Personal Data results from:
The transfer of Personal Data takes place in the form of their provision or entrustment. Below is an explanation of the differences between the indicated forms.
Sharing of Personal Data
Sharing of Personal Data consists of transferring data to another entity based on one of the legal grounds specified in the provisions of the GDPR, specifically Art. 6 para. 1, i.e.:
Attention! Other grounds: vital interests (point d) and acting in the public interest (point e) do not apply to Sii, as it does not conduct activities for which it collects and processes Personal Data on their basis.
Entrusting Personal Data
Entrustment is the transfer of Personal Data based on Art. 28 GDPR: Sii, as the Administrator of Personal Data, transfers them to another entity by concluding a special contract, a so-called contract for entrusting the processing of personal data.
Sii provides or entrusts Personal Data to the following entities:
Sharing of Personal Data
Sharing of Personal Data takes place, among others, with Sii Sweden in particular. Because the Subsidiaries use Sii's IT systems for organizational facilitation in the implementation of various purposes, Sii transfers the Users' Personal Data to the Subsidiaries. The transfer of Personal Data to Subsidiaries is carried out on the basis of Art. 6 para. 1 point f of the GDPR, i.e. the legitimate interest of Sii as the Administrator of personal data.
Sharing Personal Data to the Subsidiaries takes place by enabling the employees of these companies to access the CRM system belonging to Sii. The use of one common CRM system is the so-called co-administration of Personal Data, i.e. Sii and its Subsidiaries jointly decide on the purposes (why?) and methods (how?) of processing Users' Personal Data. In order to secure Personal Data, Sii has concluded special agreements with its Subsidiaries – agreements for the co-administration of Personal Data.
Entrusting Personal Data
The entrustment of Personal Data takes place, among others, with Sii Ukraine in particular. In the context of Subsidiaries based in a country not belonging to the European Union or the European Economic Area, Sii has concluded additional contractual clauses with such Subsidiaries securing the processed data and meeting the requirements of Art. 44-49 GDPR. These clauses are concluded because, in the case of Subsidiaries based in a country not belonging to the European Union or the European Economic Area, the principles set out in the GDPR do not apply to Personal Data processed by such entities.
The recipients of the data may be based in a country outside the European Economic Area (EEA), but in this case, the Administrator will ensure an appropriate level of security so as to protect the data subject. Data transfer to countries outside the EEA may be related, for example, to the use of analytical tools and tools for anonymous tracking of user behaviour, in particular, such as Google Analytics.
Each User has the right to access information on which client the Personal Data has been made available to, on the terms set out in Chapter V of this Policy.
In connection with the use of the Application, Sii uses Google Analytics services (provided by Google LLC), which, based on IP addresses, provides Sii with information on the approximate location of Users using the Application. Information regarding the location of Users is provided in an anonymized manner and is used only for statistical purposes. Sii is unable to associate a given location with a specific User.
The processing of personal data generally continues until the purpose for which the Personal Data was obtained and processed and stored, for the purpose of achieving it, ceases to exist. After achieving the goal or its termination, Sii removes all personal data obtained from the User. However, there are situations in which Sii stores Personal Data even if the purpose of processing has been achieved or will no longer be achieved. This is due to legal requirements or business needs.
Importantly, the provisions of the GDPR make it possible to show the exact duration of the storage of Personal Data (days/weeks/months/years) and to indicate the criteria for data storage for a given period of time, e.g. "for the period of limitation of the User's potential claims against Sii", "until withdrawal of consent to the processing of Personal Data".
Below, information on the storage periods of Personal Data:
a. in the case of data processing based on consent - until its withdrawal;
b. if the processing is necessary to perform the contract, for the duration of its performance and until the expiry of the limitation period for claims related to the subject of the contract, taking into account the limitation periods for claims specified in generally applicable law;
c. if the basis for data processing is the legitimate interest of the administrator, until the User submits an objection or the interest ceases.
a. The right to access one's Personal Data (Art. 15 GDPR) – The User receives a list of Personal Data obtained from him by Sii and processed in documents and IT systems.
b. The right to rectify the processed data (Art. 16 GDPR) – The User may report the need to update or supplement the Personal Data provided to Sii, or request correction if Sii uses incorrect data.
c. The right to delete data ("the right to be forgotten") (Art. 17 GDPR) – Sii deletes all Personal Data obtained from the User. This right is exercised without undue delay in one of the following circumstances:
Situations excluding the exercise of the right: Legal provisions that require further processing - the storage of Personal Data despite the lack of purpose for their processing.
Considerations of public interest in the field of public health.
Establishing, pursuing, or defending claims by Sii or the User.
d. Right to restriction of processing (Art. 18 GDPR) – The User may request the restriction of the processing of his Personal Data, i.e. he may oblige Sii, for example, not to disclose them to another entity to be used for the implementation of marketing mailing, or to withhold access to them by Sii employees. The User may exercise this right in the following situations:
e. Right to transfer of Personal Data (Art. 20 GDPR) – The User may submit a request for Sii to prepare a report / statement with his Personal Data, and then for Sii to provide the report / statement to another entity - the Personal Data Administrator. This right is exercised if:
f. Right to object to further data processing (Art. 21 GDPR) – The User may object to Sii against further processing of their Personal Data, regardless of the reason. From the moment the objection is raised, Sii cannot continue processing Personal Data.
Situations excluding the exercise of the right: Sii will prove to the User that its own legitimate interests for data processing override the User's rights.
The data is processed for the purposes of scientific, historical, or statistical research.
g. The right not to be subject to decisions based solely on automated processing, including profiling (Art. 22 GDPR) – The User has the right to be assessed on the basis of comprehensive actions based on the Personal Data obtained from the User, not only by special algorithms that bring the data together but also by actions taken by employees.
Situations excluding the exercise of the right: Making decisions is necessary for the performance of the contract between Sii and the User.
The law authorizes making such decisions.
The user has consented to such decisions.
h. The right to withdraw consent to the processing of Personal Data (Art. 7 sec 3 GDPR) – The User may revoke the previously and voluntarily expressed consent to the processing of his Personal Data. Wherever consent is the only legal basis for Sii to process Personal Data, this right is strictly enforced.
i. The right to file a complaint against the processing of Personal Data (Art. 13 para. 2 point d GDPR; Art. 14 sec 2 point e GDPR) – The user may notify the GDPR control authority - in Poland it is: The President of the Personal Data Protection Office, that Sii violates the provisions of the GDPR, that, for example, it fails to secure data, has obtained more data than is actually necessary for a specific purpose. Contact details:
Personal Data Protection Office (Urząd Ochrony Danych Osobowych) Stawki 2, 00-193 Warsaw, www.uodo.gov.pl, e-mail: firstname.lastname@example.org, telephone number: 606-950-000.
The implementation of each of the above rights takes place at the User's request sent to email@example.com. Sii examines the submitted application and sends a reply within 1 month from the date of receipt of the application together with an indication of the result of the examination - what specific actions have been taken with the estimated time for the processing of the entire application if specific activities require a longer processing time.
Sii reserves the right to respond to a request for the exercise of any right later than the abovementioned date: up to two months (resulting from Art. 12 para. 3 GDPR), due to the number of inquiries or the complex nature of the inquiry sent. By complexity, we understand the need to compile data from many IT systems or the need to consult more than one person from a department or departments in order to obtain information that is the subject of the application. In each case, Sii undertakes to inform the User about this fact, providing justification.
Sii also reserves that it may refuse to exercise any of the rights specified in Art. 15 - 22 of the GDPR in a situation where the User submits applications in a continuous, excessive manner, without any justification. Each time Sii will justify the refusal to exercise the right indicated in the application. By persistent and excessive nature, we mean sending subsequent requests with a similar request to the original one, despite the examination and notification of its processing, e.g. The User sends the request for access to information, Sii executes it – it sends a summary of the information it has, and the User sends the second and the same request again, without explaining the reason for the repeated request for information.
Under the right to withdraw consent, the User may at any time withdraw consent to further processing of Personal Data for purposes that require consent, provided that the withdrawal of consent does not affect the lawful use of Personal Data in activities based on consent before its withdrawal.
Under the right to access information, the User is entitled to obtain the following information in the form of a report or statement:
Sii also informs that each subsequent copy of Personal Data is associated with a fee resulting from the costs incurred in connection with the creation of another copy of Personal Data. Sii notifies the User about the costs after assessing the scope of the information indicated in the application.
As regards the right to delete Personal Data, Sii deletes not only data obtained from the User himself but also information obtained as a result of the analyses carried out, e.g. information about the User's interests in specific categories of information, products, and services based on the actions of the User-consumer.
Exceptions to the exercise of the rights indicated above in subsections c., f., g., result from applicable law. Sii analyzes each exception individually for each case, i.e. each relationship between Sii and the User.
Crucially, this right shall always be executed. Legal or internal business requirements are the only factors that extend the full implementation of the request for the removal of Personal Data.
The right to object to the further processing of Personal Data is that the User indicates that he does not want his Personal Data to be used for purposes that are pursued as legitimate interests within the meaning of Art. 6 para. 1 point f GDPR. After receiving the objection, Sii analyzes whether the objection may be taken into account or whether there are grounds to reject it, as it is not an absolute right. There may be situations in which the User's right to object to further data processing will make it impossible for Sii to achieve the goal. Examples of the purposes of processing Personal Data in a legitimate interest, where the objection may be disregarded:
Each case is analyzed individually. The result of the analysis, together with the decision and justification for not considering the objection, is sent to the User by Sii as part of the examination of the submitted application.
If the analysis shows that Sii has no prerequisites for further processing of Personal Data, the objection is accepted and Sii deletes the Personal Data.
With regards to the right not to be subject to decisions based solely on automated processing, including profiling – it is important that no automated activities are performed at Sii. Typical automated processing activities are e.g. carrying out a creditworthiness assessment.
Sii has implemented appropriate (organizational and technical) security measures to protect personal data from loss, misuse, unauthorized processing, or modification. Sii is obliged to protect any information disclosed by Users in accordance with security and confidentiality standards.
Sii has implemented the Information Security Management System that is certified as compliant with the international ISO 27001 security standard, which ensures that Sii operates according to GDPR regulations in terms of implemented security measures for processing personal data (Art. 32 GDPR). Sii has proper procedures for managing access to IT systems that prevent unauthorized workers from processing data. Sii's workers undergo regular training regarding the secure processing of personal data and current threats. In order to guarantee the security of personal data provided by the users, Sii uses dedicated SSL certificates that use data encryption keys based on most reliable encryption algorithms such as RSA or SHA (min. 1024 bits) to transfer data provided on Sii's websites to IT systems.
of these rules by posting the new content of this document in the message appearing in the Application.