PRIVACY POLICY
applicable as of July, 26th 2019
Pracuj Ventures Spółka z ograniczoną odpowiedzialnością Alternatywna Spółka Inwestycja spółka komandytowa (“PV”) being the owner of the Internet portal www.pracuj.vc protects privacy of persons using its services and their personal data.
For the sake of observing the principle of legal, reliable and transparent processing of personal data during the use of the services of the Internet portal www.pracuj.vc PV has adopted this “Privacy Policy” which sets out: the purposes and scope of the processed personal data, the methods of their protection, the legal grounds for their processing and the rights of data subjects.
I. Definitions
-
- Controller– a controller of personal data within the meaning of the GDPR is Pracuj Ventures Spółka z ograniczoną odpowiedzialnością Alternatywna Spółka Inwestycja sp.k. with its registered seat in Warsaw, Prosta 68, 00-838 Warszawa, entered into the registry of entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw XII Commercial Division of the National Court Register under the NCR (KRS) number: 779117;
- Personal data – all information on an identified or an identifiable natural person [Article 4 paragraph 1 GDPR], i.e. a person that may be indirectly or directly identified, especially by an identifier such as first name and surname, ID number, location data, online ID or one or one or several special factors defining physical, genetic, mental, economic, cultural or social identity of a natural person;
- Clients – all entities cooperating with the Controller, its contractors, to whom the Controller provides its services and directly related marketing services, as well as a natural person, a legal person or an organizational unit referred to in art. 33 [1] of the Act of 23 April 1964 Civil Code, for which the Controller provides goods or provides services on the basis of a separately concluded contracts;
- Service Providers – all entities cooperating with the Controller, its contractors, providing the Controller with their services and directly related marketing services;
- Profile – set of personal and behavioral information regarding the User, collected by the Controller;
- Profiling – each form of automated processing of personal data by the Controller consisting in the use of the data collected by the Controller for the evaluation of certain personal factors concerning a natural person, especially their analysis or projections regarding aspects of data collected within the Profile or inference about personal features and factors relating to Users, other than the ones collected by the Controller;
- GDPR– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, Dz. U. UE. L. z 2016 r. Nr 119).
- Website– Internet portal belonging to and managed by the Controller, as a part of which the Controller provides its services, available at the address: www.pracuj.vc;
- User – natural person using the Services through the Website;
- Services – group of services provided by the Controller, in particular electronically through the Website, as well as direct marketing services.
II. Personal data Controller
The Controller of Users’ personal data shall be the Controller, who is Pracuj Ventures Spóła z ograniczoną odpowiedzialnością Alternatywna Spółka Inwestycyjna sp.k. with its registered seat in Warsaw.
In case of any questions on the personal data processing and rights of Users, it is possible to contact the Controller via following channels:
-
- contact form or contact details, available under the address: https://pracuj.vc/contact/ ;
- telephone, under the number: + 48 698 170 933;
- e-mail, at the address: [email protected]
Legal ground: disclosure obligation under Art. 13(1) letter a GDPR.
III. Scope and purposes of processing Users’ personal data
Users’ personal data are processed by the Controller while maintaining the rules set out in the GDPR and only to provide access to the Website functionality and provision of electronic services, as well as complaint/request/contact process.
Personal data is gathered in connection with the business activity and will be used for the purposes of the provision of the Services.
Since the Controller provides various services to Users, User personal data are processed for different purposes, in a different scope and under different legal grounds as specified in the GDPR. To ensure transparency of information, we grouped them according to the purpose of data processing.
Purpose 1: Use the Website, browsing Website contents
Types of Services: The Controller processes the personal data in order to enable the User to use the Website and browse its contents.
Scope of data: For this purpose, the Controller processes personal data regarding the activity of the User in the Website, including registered and stored in cookie files, i.e. data regarding the viewed subpages, as well as data on the User’s device session, operating system, browser, localization and unique ID, as well as information on the device, which has been used to access and browse the Website.
Legal ground: necessity for the performance of a contract for the provision of Services by electronic means (art. 6(1) letter b GDPR) and legitimate interest of the Controller (Art. 6(1) letter f GDPR), consisting in diligent provision of the Services and maintaining the Website accessible by Users.
Purpose 2: Establishing contact with the Controller, processing requests and complaints, answering questions
Types of Services: The Controller processes Users’ personal data provided as part of the contact form, by e-mail or during a telephone conversation, in order to receive a message sent to the Controller via the contact form and to contact the User, including replying and conducting further correspondence.
Scope of data: The Controller processes the following personal data of Users for the above purpose: name and surname, e-mail address, telephone number, address and name of the represented entity, as well as data collected in the Profile, the data submitted in order to use the Service, included in documents annexed to a request, complaint or history of correspondence with the Controller.
Legal ground: necessity for the performance of a contract for the provision of Services by electronic means (art. 6(1) letter b GDPR) and legitimate interest of the Controller (Art. 6(1) letter f GDPR), consisting in improvement of operation of Services and building positive relationships with Users.
Purpose 3: Statistics of use of specific functions and parts of the Website, popularity of subpages and facilitation of the Website’s use
Scope of data: For these purposes, personal data are processed by the Controller in respect of User activity on the Website, such as: the visited pages and subpages of the Website and the amount of time spent on each of them, as well as data regarding the IP address, location, device ID and information on the browser, session and operating system.
Legal ground: legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in improvement of the Website’s functionality.
Purpose 4: Marketing and remarketing
Type of Services: The Controller processes Users’ personal data for the purposes of direct or indirect marketing (remarketing) of its own services or products, aimed at matching the Services to User’s current needs.
Scope of data: For this purpose, the Controller processes personal data submitted in the contact form, such as first name, surname, e-mail address, phone number (where consent has been given to the use of telecommunication terminal equipment for direct marketing purposes by means of electronic communication), workplace/represented entity and data on a User’s activity on the Website, registered and stored by means of cookies, in particular the history of accessed subpages of the Website, clicks on the Website, information on accessing and use of specific services on the Website, activity relating to communication with the Controller.
Remarketing: To reach Users by means of marketing communications outside the Websites, the Controller takes advantage of services provided by external suppliers. Such services consist in displaying the Controller’s marketing communications, including commercial information, on pages other than the Website. For that purpose, external suppliers (such as Google, Facebook) install, e.g., an appropriate code, text file or pixel to collect information on User activity on the Website. These information relate to the User’s activity on the Website, in particular to the fact of visiting the Website and the history of accessing subpages within the Website.
Legal ground: legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in direct marketing of the Controller’s services or products and in certain cases – User’s consent as well (Art 6(1) letter a GDPR).
Personal data used by the Controller for the purposes indicated above shall not be used for other purposes without prior approval. In particular, personal data will not be processed for marketing purposes without explicit consent.
IV. Cookies
In order to facilitate the Website’s use, the Controller may, through the Website, install on User’s terminal text files, referred to as cookies, destined for the storage of information for User identification or remembering the history of activities of a User on the Website.
Provision by a User of the data covered by cookies is voluntary, and such intention on a User’s part is expressed by appropriate settings of the User’s Internet’s browser by which the Website is accessed.
The purposes for which the Controller uses Cookies do not, however, require identification of the data subject by the Controller. In the light of the above, the Controller shall not be obliged to save, obtain or process any additional information to identify the data subject only for the purpose of complying with the GDPR.
In connection with the above, the Controller notifies the foregoing to Users in this Privacy Policy. In such situations, the rights specified in section X shall not apply, unless the User being the data subject, with a view to exercising his rights under the GDPR, provides additional information enabling his identification.
Legal basis: Art. 11 GDPR.
Types of cookies
According to their lifecycle, cookies are divided into:
-
- session cookies – erased upon closing the Internet browser,
- persistent cookies – erased after a period of time determined in advance, regardless of closing the Internet browser.
According to the Internet domain of their origin, cookies are divided into:
-
- own cookies – set by the Internet servers of our Websites,
- third party cookies – set by Internet servers of sites other than out Websites.
Purposes for which cookies are used
Optimization of the Websites’ use (necessary and analytical cookies)
The Controller uses its own cookies to ensure Users’ convenience in the Website’s use, including to enable remembrance of a User’s logins from a specific device and the unnecessity to renew the login procedure on the Website and to reduce the number of displays of messages (on updates of the Privacy Policy and use of cookies). In addition, the Controller uses cookies to verify security of the IT system and to remember User preferences.
Statistics of site and subpage views of the Websites (analytical cookies)
The controller uses third party cookies (e.g. Google Analytics, Google Analytics 360) to calculate the number of views on the Website, their duration, and to determine what functions or parts of the Website were most frequently used or visited. The information so collected allow the Controller to analyze efficiency of the Website and determine the directions for development of new functions and services.
Tracing activities on the Websites (analytical cookies)
The Controller uses its own cookies to identify a User for the purposes of User activity analysis on the Websites, to determine what the User’s activities at the Website addresses were, in particular what subpages were viewed by a User and where he spent most of his time. The information so collected allow the Controller to evaluate whether the information addressed to Users through the Website is clear and whether the Website does not require any changes in the arrangement of contents.
Displaying advertisements tailored to the User’s preferences (advertising cookies)
Controller’s cookies and external suppliers’ cookies (e.g. Google Adwords) are used to run marketing campaigns and remarketing campaigns that reach our User with marketing communication, if they have previously visited the Website. These cookies remember that the User visited our Website and what activities he performed. Information collected in this way is transferred to external suppliers.
Cancellation of cookies
A User may fix the conditions of storage or accessing cookies by the Internet browser settings or service configuration. In the menu bar of an Internet browser, in the “Help” section, information can be found on how to reject saving of new cookies, how to remove the cookies saved thus far, how to request notification of a new cookie being saved, and how to block the operation of cookies.
For further information on the possibilities to reject the use of cookies and erase all cookies created by the Controller, the Controller invites Users to consult the Controller in one of the ways set out in this privacy policy.
V. The obligatory character of personal data submission and consequences of omission to do so
Submission of certain personal data makes a precondition for the use of Services (data specified in Purpose #2). The obligatory data are marked within the Website with [*]. A consequence of an omission to submit such data is the User’s impossibility to use offered Services. Apart from data marked as obligatory, provision of other personal data is voluntary.
In respect of personal data collected automatically, their submission is also voluntary, and the expression of such intention on the part of a User is appropriate setup of the Internet browser by which the Website is accessed.
VI. Automated decision-making and Profiling
The Controller shall make all reasonable efforts to adjust the offer of its own services and all marketing communications addressed to Users to their interests and preferences. For that purpose, it undertakes automated processing of personal data, which does not take the form of Profiling. The Controller may, however, use the effects of Profiling made by third parties (e.g. Google, Facebook) when sending marketing and remarketing messages to Users.
At the same time, the Controller points out that targeting and personalization of the Controller’s marketing communications, especially offers and trade information, based on the collected behavioral data (relating to the Users’ behavior and his activity on the Website, in particular the history of subpages viewed), as long as it is not a consequence of inference about other features and personal factors of a User based on the data collected by the Controller, does not amount to Profiling.
The above activities and decision-making constitute automated processing of personal data – and take place when a specific action or omission by a User on the Website triggers a specific commercial communication – identical for all Users who have acted in a similar way. Such communication is not addressed to a User on the basis of any assumptions made by the Controller by automated means, but in connection with specific User-submitted information.
Automated processing of personal data and decision-making, does not pose any substantial threat to Users’ rights and freedoms, does not produce any substantial legal consequences to users and is not an excessive nuisance, and, consequently – there are no reasons which would preclude affording priority to the Controller’s interests.
The consequences of automated processing of personal data will be exclusively the diversification of marketing messages addressed to the Users, depending on the activities they have undertaken on the Website.
In connection with the above, Users shall have additional rights, specifically referred to in section X.
VII. Processing of children’s personal data
To take advantage of Services, a User must be at least 16 years of age or obtain consent from a person exercising parental authority or guardianship over the child (legal guardian). The Controller does not intend to consciously collect any personal data from children under 16 years of age without obtaining consent of a parent or guardian.
VIII. Data recipients
Users’ personal data may be disclosed by the Controller to other entities in order to provide services offered on the Website. Depending on the circumstances, such entities may be under Controller’s instructions as to the purposes and methods of processing such data (processors), or independently establish the purposes and methods of processing Users’ personal data (controllers).
The Controller shares Users’ personal data with the following categories of recipients:
Service Providers
Users’ personal data may be disclosed to entities which provide to the Controller services supporting its activities, e.g. to suppliers of marketing tools, accountants, legal advisors.
Processors. The Controller takes advantage of services by entities processing Users’ personal data only upon its request. Those include, among others, providers of hosting services, drive space in a cloud, marketing systems (e.g. for distribution of newsletters and other emails), systems analyzing Website traffic or effectiveness of marketing campaigns, etc.
Presently, the Controller cooperates with the following Service Providers which are personal data processors:
-
- A2 Hosting (PO BOX 2998, Ann Arbor, MI 48106, USA)
Controllers. The Controller uses also services of entities that do not act exclusively on its instruction and by themselves establish the purposes and methods of utilization of Users’ personal data. These are entities which mainly provide services of remarketing campaigns and undertake statistical research.
Currently, the Controller cooperates with the following Service Providers which are personal data controllers:
-
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA);
- Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland);
- Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland);
- LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland)
Location. Service Providers are domiciled both in Poland and other countries of the European Economic Area (EEA). However, some of the Service Providers may be domiciled outside the EEA. In connection with personal data transfers outside the EEA, the Controller attended that service providers guarantee high level of personal data protection. Such guarantees follow in particular from participation in the “Privacy Shield” program put in place under the implementing decision of the Commission (EU) 2016/1250 of 12 July 2016 on the adequacy of protection afforded by the EU-US Privacy Shield. A User may obtain by email a copy of the personal data transferred from the Controller to a third country, in the same way as he may request access to personal data. Where the above requirement has not been fulfilled, the Controller shall ensure compliance of the data processing with the GDPR by obtaining User consent to such transfer, and in the absence of such consent – exclusion of the personal data of such User from transfers to a third country.
- Persons authorized by the Controller to process data
The Controller shall disclose personal data to all persons authorized by the Controller to process data on its behalf, which follows from the fact that on everyday basis these are people that are responsible for the Controller’s actions.
- State authorities
Personal data are disclosed also when authorized state authorities so request, in particular organizational units of the prosecutor’s office, the Police, or the supervision authority responsible for data protection issues (President of the Data Protection Authority (PUODO).
IX. Data storage period
The Personal data of Users, who used the Services, are stored by the Controller throughout the entire period of using the Website Services to provide the Services as well as for marketing purposes. Personal data are processed, as the case may be, until the consent for processing has been withdrawn, the right to object to the processing of data for direct marketing purposes has been exercised or the right to delete data has been exercised, and in the absence of such activities, for a period of usefulness for the purpose for which they were collected, a significant change the subject of the Controller’s activity, termination of the Controller’s marketing activity or termination of the Controller’s activities in the scope in which he conducted his activity on the day of data collection.
The Personal data of Users, who haven’t used the Services, but only browsed the contents of the Website, are stored for a period corresponding to the validity of the cookies saved on their devices or until the deletion of cookie files.
X. Rights of data subjects
The Controller shall ensure execution of the below rights to Users by contacting the Controller in one of the ways indicated in section II.
Right to withdraw consent
A User shall have the right to withdraw each consent that he/she expressed upon registration on the Website, and during the use of Services. Withdrawal of consent shall be effective as of the moment of the consent’s withdrawal. Withdrawal of consent shall not affect the processing legally performed by the Controller before such withdrawal.
Withdrawal of consent shall not entail any negative consequences and is free of charge. However, it may disable further use of Services. Withdrawal of consent shall be without prejudice to the processing performed under a legal ground other than consent from the data subject, for instance for the purpose of performing the contract between the Controller and a User.
Legal basis: Art. 7(3) GDPR.
Right of objection to the use of data
A User may, at any time, lodge an objection to the processing of his personal data, including automated processing, and in particular Profiling, where the data are processed on the basis of the Controller’s legitimate interest.
Regardless of the above, a data subject may, at any time, lodge objection to the processing of his personal data for the purposes of direct marketing, including Profiling, insofar as the processing relates to such direct marketing.
Such resignation shall be treated as objection to the processing of personal data, including Profiling, for marketing purposes, and shall guarantee cessation of any further processing for that purpose.
Where the Controller is unable to indicate any other legal ground for the processing of personal data of a User who lodged a complaint which would be precedent to the interests, rights and freedoms of a User or grounds for the establishment, assertion or defense of claims, the Controller shall promptly erase the personal data of such User.
Legal basis: Art. 21 GDPR
Right to data erasure (“right to be forgotten”)
A User may request erasure of all or certain personal data.
This right exists if at least one of the following conditions has been met:
-
- personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- A User withdrew the consent on which the processing was based, and the Controller does not have any other ground for the processing;
- A User lodged an objection to the processing and there are no precedent legitimate grounds for the processing or a User lodged an objection to the processing of data for direct marketing purposes;
- personal data was processed contrary to the law;
- personal data must be erased to achieve compliance with a legal obligation prescribed by applicable legal provisions;
Despite a request for erasure of personal data, in connection with a submission of objection or withdrawal of consent, the Controller may keep certain personal data to the extent necessary for the establishment, assertion or defense of claims.
Legal basis: Art. 17 GDPR
Right to restrict data processing
A User may request restriction of processing of his personal data. This right shall exist if at least one of the following conditions is met:
-
- the User questions accuracy of the personal data – restriction is made for a period which allows the Controller to verify accuracy of the data;
- the processing is contrary to law, and the User objects to erasure of the personal data, requesting restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of processing, but they are necessary to the User for the establishment, assertion or defense of claims;
- the User lodged an objection to the processing of personal data – restriction is made pending the determination if the Controller’s legitimate interests are precedent to the grounds for the objection of the data subject.
Legal basis: Art. 18 GDPR
Right of access to data
Everyone may obtain confirmation from the Controller whether the Controller processes personal data of any given person and to what extent, and if so, such person may:
-
- gain access to his personal data;
- obtain information on the purposes of processing, categories of the processed personal data, recipients or categories of recipients of such data, the planned storage period of the personal data or the criteria of determination of such period, on data subject’s rights under the GDPR and the right to lodge a complaint to a supervisory authority, on the sources of such data, automated decision-making, including Profiling, and the securities used in connection with the transfer of such data to a third country;
- obtain a copy of his personal data.
Legal basis: Art. 15 GDPR
Right to rectify data
A. User may rectify, supplement or update the personal data which he/she submitted.
B. User may request from the Controller rectification of that data (if inaccurate) or their supplementation (if incomplete).
Legal basis: Art. 16 GDPR
Right to data portability
A. User may receive his personal data which he/she submitted to the Controller, and then send them to another personal data controller of his/her choice.
B. User may also request that the personal data be sent by the Controller directly to such another controller as far as this is technically possible.
The Controller sends data as a file in the *.xls or *.xml or *.csv format. This format is in general use, machine-readable and permits the transfer of the received data to another personal data controller.
Legal basis: Art. 20 GDPR
Right to obtain human intervention from the Controller
In each situation of automated processing of personal data (automated decision-making, including Profiling), a User may question the decision made exclusively by automated means, express his opinion about the decision made and request human intervention from the Controller. Human intervention is made by repeated evaluation of the features, factors and premises that have been taken into account in the automated decision-making by a person authorized by the Controller and issuance of a decision other than the previous one or its upholding.
This right shall be excluded where such decision does not produce any legal consequences to the User or the impact on his situation is minimal, as well as in a situation where the processing of your personal data is not solely automated.
However, where the decision made by automated means: (i) is not necessary for the conclusion or performance of a contract between a User and the Controller; (ii) is not permitted by the law of the European Union or the law of a Member State applicable to the Controller which provides for appropriate measures safeguarding rights, freedoms and legitimate interests of a data subject; (iii) is not based on clear consent from a data subject – the manifestation of the above User’s right shall be the right not to be entirely subject to decisions made exclusively by automated means. When a request is submitted in exercise of such right, the Controller shall take all reasonable measures so that the decision-making process is not entirely automated, i.e. to ensure presence of a human factor in at least one of its stages.
Legal basis: Art. 22 GDPR.
XI. Reaction time
If a User, in exercise of the rights specified in section X, submits an appropriate request to the Controller, the Controller shall promptly consider that request positively or negatively, however, not later than within a month of its receipt. However, if, as a result of a complex nature of the request or number of requests – it is impossible to comply with the monthly deadline, the Controller shall fulfil its obligation to process the request within the following two months, upon prior notification of the circumstances to the User.
-
- Requests and complaints
The Controller invites questions and requests in respect of the processing of Users’ personal data and exercise of their rights.
If the User decides that the Controller has violated the rules for the processing of personal data, he has the right to submit a complaint directly to the supervisory authority, i.e. the President of the Office for Personal Data Protection (PUODO). The complaint should be submitted directly to the supervisory authority.
-
- Security of personal data
The Controller and entities with whom it cooperates shall make every effort to ensure security to the personal data processed on the Website, including but not limited to, by the use of encrypted data transmission (SSL) during access to the Website, which considerably hinders interception of the Personal data by unauthorized systems or persons.
-
- Amendments to the Privacy Policy
If needed, the Controller may amend or update the Privacy Policy. All amendments or supplementation’s shall be notified to Users by publication on the Website’s home page of appropriate information or by an email sent to Users.