Service Privacy Policy of the Cracow University of Economics

 

Introduction

For the sake of duly informing about matters related to the processing of personal data, especially pertaining to the content of the new provisions on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and the free movement of such data, as well as repealing the Directive 95/46/EC (“GDPR”), in this document the CUE will communicate information about the legal grounds for the processing of personal data, about the ways in which these data are gathered and used, and about the extent of the rights of persons whom these data concern (i.e. data subjects).

 

Who is the administrator of your personal data?

The administrator of personal data is the Cracow University of Economics (CUE) with headquarters in Krakow, at Rakowicka 27, 31-510 Krakow.

 

Who should you contact in matters related to the protection of personal data?

The Inspector for Data Protection was appointed at the Cracow University of Economics. You can contact the Inspector in matters related to the processing of data, by writing to the following address: Inspector for Data Protection at the Cracow University of Economics, ul. Rakowicka 27, 31-510 Kraków, by e-mail to the following e-mail address: iod@uek.krakow.pl, or by phone at (12) 293 7590. The Inspector for Data Protection is Anna Dąbrowska-Waśniowska.

 

What are personal data and what does it mean to process them?

Personal data means information about an identified or identifiable individual. The processing of personal data is basically any action performed on the personal data, irrespective of whether it is done in an automated manner or not, such as for example: gathering, collecting, storing, recording, ordering, modifying, browsing, using, sharing, restricting, deleting or destroying that data. The CUE processes personal data for different purposes, whereas – depending on the purpose of data processing – various data gathering methods may be appropriate, as well as varying legal grounds for the processing, use, disclosure and data storage periods may apply.

 

When does this privacy policy apply?

This privacy policy applies to all cases in which the CUE is the administrator of personal data and when it processes personal data. This applies to both the cases where the CUE processes personal data obtained directly from the subject of that data, as well as the cases in which the CUE has obtained personal data from other sources (for instance, from official registers). The CUE performs its information duties in both of the above cases, as specified in articles 13 and 14 of the GDPR, in accordance with these provisions.

 

In what manner, based on what legal foundation, and what type of personal data is processed by the CUE?

Cracow University of Economics processes personal data for purposes necessary to fulfill its obligations resulting from the provisions of law; for the purposes necessary to execute the contracts entered into; whenever it is necessary with the view of protecting vital interests of the person to whom the data pertains; whenever it is necessary to perform a task carried out in the public interest; whenever it is necessary for purposes resulting from legitimate interests pursued by the CUE or by a third party; or whenever the person previously informed about the intended purpose of processing his/her personal data voluntarily consents to this processing.

 

Cracow University of Economics processes personal data of students, employees, contractors and other individuals (natural persons) whose personal data it is authorized to process on the basis of legal regulations, or on the basis of consent expressed by the person to whom the said data pertains (i.e. the data subject).

 

At the same time, the CUE would like to indicate that whenever it processes personal data based on the legitimate interest of the data administrator, it endeavours to analyse and balance the interest of the CUE and the potential impact (both positive and negative) on the person being the subject of the data, and the rights of that person under the provisions regulating the protection personal data. The CUE does not process personal data based on its legitimate interest in cases when it comes to the conclusion that the impact on the data subject would prevail over the interests of the CUE (then the CUE may process personal data if, for example, it has obtained the appropriate consent, or if it is required or permitted to do so by law).

 

Information about “cookie” files

The website of the University of Economics in Krakow supports “cookies”. Cookies are small-sized text files saved in the browser on the user’s computer or in another mobile device while using the websites. Cookie files are used, among others, in order to support various functions provided on a given website or to confirm that a given user has seen certain content from a given website.

Based on the provisions of article 173 of the “Telecommunications Act” of July 16, 2004, the CUE informs that it is possible to block the possibility of saving data in browser files.

 

Purpose of “cookies”

The website uses cookies in order to collect information related to the use of the web service.

Cookies-type files make it possible:

  • to adjust the website to the needs of the users
  • to maintain the internet session (after logging in)
  • to create viewer statistics pertaining to the website’s sub-sites
  • to support a more efficient operation of voting systems
  • to enable easier administration and monitoring of website visits history

This particular mechanism of gathering information can be turned off at any time in the browser settings. If the website user does not consent to having such data recorded, he/she should change the browser settings or leave the website.

How to block “cookies”

The user can decide to block cookies independently, by choosing appropriate browser settings.

  • for Internet Explorer: Tools > Internet Options > Privacy
  • for Firefox: Tools > Options > Privacy
  • for Chrome browser: Settings > Advanced settings > Privacy > Content settings
  • for Opera browser: Preferences > Advanced > Cookies

 

Access logs

The CUE collects information on the use of the website by its users, and on their IP addresses, based on the analysis of access logs. This information is used by the CUE in diagnosing server-related problems, in analysing possible security breaches, and in managing the website.

At the same time, the CUE informs that it may be required to disclose information regarding the IP number of a given user of the website at the request of entities authorised to obtain such information, based on binding legal regulations, that is state authorities in connection with their proceedings.

 

How long does the CUE process personal data?

The time during which the CUE may process personal data depends on the legal foundation, which constitutes a legal premise for the processing of personal data. In its effective CUE policies, instructions, guidelines, and other documents pertaining to the processing of personal data, in the scope regarding the length of data storage period, the CUE determines that personal data must never be processed above the length of time that results from the aforementioned legal foundation. Accordingly, the CUE informs that:

  1. in the event that the CUE processes personal data on the basis of consent, the processing period lasts until the data subject withdraws that consent;
  2. in the event that the CUE processes personal data on the grounds of the justified interest of the data administrator, the processing period lasts until the cessation of the above-mentioned interest (for instance, until the expiration of period for claims under civil law) or until the data subject objects or withdraws consent for further such processing – in situations when such objection remains in accordance with the provisions of the law;
  3. in the event that the CUE processes personal data because it is necessary due to the applicable law, periods of data processing are determined by the said provisions (for instance, by the provisions of tax law);
  4. in the absence of specific legal or contractual requirements, the basic data storage period for records and other documentary evidence drawn up during the performance of the contract is a maximum of 10 years.

 

When and how does the CUE disclose personal data to third parties? Does the CUE transfer data to third countries?

The CUE discloses personal data to other entities only if such disclosure is permitted by the law. In such cases, within the relevant agreement with the third party, the CUE agrees appropriate provisions and establishes security mechanisms in order to protect the data, and to preserve the adopted standards for data protection and confidentiality. Such agreements are called contracts for entrusting the processing of personal data, and the CUE has control over how and to what extent the entity, which has been entrusted by the CUE with the processing of certain categories of personal data, processes that data. In relation to the above, recipients of personal data that the CUE processes as the administrator of personal data may include:

  • entities processing personal data under the contracts for entrusting the processing of personal data (the so-called data processing entities);
  • entities providing hosting services for the CUE;
  • other CUE subcontractors who provide services in the field of software delivery, the servicing of software or hardware used by the CUE, as well as suppliers of goods, whose assistance the CUE seeks;
  • debt collection companies (whereas the CUE makes available the personal data only to such extent as is absolutely indispensable to achieving the given purpose);
  • auditors and inspectors, legal counsels, tax advisers;
  • law enforcement bodies, regulatory authorities and other public administration bodies

(whereas, in the latter two cases, the CUE provides data only if, and only to the extent, that it is actually indispensable and required by the mandatory provisions of law, and in a manner consistent with these provisions).

The Cracow University of Economics may transfer the processed personal data to a third country and/or to an international organization based on:

  1. the decision by the European Commission, stating the appropriate level of protection;
  2. appropriate safeguards applied by a third country by means of:
  1. a legally binding and enforceable instrument between authorities, or between public entities;
  2. binding corporate rules, approved by the supervisory body;
  3. standard data protection clauses, adopted by the European Commission;
  4. standard data protection clauses adopted by the supervisory authority, and approved by the European Commission;
  5. a code of conduct approved by the supervisory body;
  6. a certificate regarding the protection of personal data;
  7. supervisory authority’s authorization of contractual clauses;
  8. the supervisory body’s authorizations for administrative provisions between public authorities or bodies.

For personal data that is subject to EU regulations, it should be noted that cross-border transfers of data may concern countries not belonging to the European Economic Area (EEA), and countries where there are no provisions defining specific protection of personal data. In the event of transfer of personal data outside the EEA to a country, which – according to the European Commission – does not ensure an adequate level of personal data protection, data transfer may only take place on the basis of an agreement that takes into account the EU requirements for the transfer of personal data outside the EEA.

The person whom the data concerns (the data subject) has the right to obtain copies of any of his or her personal data transferred to a third country.

 

What are the rights of data subjects and how are these rights implemented?

Individuals (natural persons) have specific rights regarding their personal data, and the CUE as the data administrator is responsible for the implementation of these rights in accordance with the applicable regulations of the law. In case of any questions and requests regarding the scope and implementation of these rights, as well as in order to contact the CUE precisely in order to exercise a specific right in the field of personal data protection, please contact us at the following e-mail address: iod@uek.krakow.pl

The CUE reserves the right to exercise the following rights after successfully verifying the identity of the person applying for the given action to be taken.

Access to personal data

Individuals (natural persons) have the right to access their data that the CUE stores as the administrator of these data.

Changes to personal data

Any changes, including the updating of your personal data that is processed by CUE, can be made by sending an email to the following e-mail address: iod@uek.krakow.pl or – where appropriate – by contacting the CUE via the relevant registration page, or by modifying the personal data stored in the relevant applications in which the registration was made. Students and employees of the CUE, in order to change their personal data, are required to contact: the Dean’s Office, or the Employee Affairs Department, respectively.

Withdrawal of consent

In the case of processing personal data on the basis of consent, individuals have the right to withdraw such consent at any time. The CUE communicates this information almost at every stage of obtaining consent, and accepts the withdrawal of consent as easily and promptly as it had been given. In the absence of other information, that is, if no other address or contact number has been provided to withdraw your consent, please send an email to: iod@uek.krakow.pl

 

The right to limit the processing, or object to the processing of personal data

Individuals (natural persons) have the right to limit the processing, or object to the processing, of their personal data at any time, according to their particular situation, unless such processing is required by the regulations of law.

An individual may object to the processing of his/her personal data when:

  • the processing of personal data takes place on the basis of a legitimate interest or for statistical purposes, and the objection is justified by the specific situation of the data subject, which he/she has found himself/herself in;
  • personal data is processed for direct marketing purposes, including profiling for this purpose.

 

The right to demand limitation of data processing is granted when:

  • the data subject questions the accuracy of these data – for a period of time that allows the administrator to check the correctness of the data in question;
  • the data processing is unlawful, and the data subject opposes the removal of such data, demanding in turn a restriction to the use thereof;
  • the data is no longer needed by the administrator for processing but is needed by the data subject in order to determine, assert or defend his or her claims;
  • the data subject has objected to the processing in connection with his or her specific situation – until it is determined whether the legitimate grounds for data processing on the part of the CUE are overriding the grounds for objection on the part of the data subject.

 

The right to request deletion of data and the right to transfer data

Should you wish to exercise these rights, please send an email to: iod@uek.krakow.pl

The right to delete data (“the right to be forgotten”) can be used when:

  • the data of the individual (natural person) are no longer necessary for the purposes for which they were obtained by the CUE;
  • the individual (natural person) withdraws his or her consent to the processing of data by the CUE, and there is no other legal basis for the processing of such data;
  • the data subject objects to the data processing, due to his or her specific situation, and there are no overriding legitimate grounds for the data processing; or when the data subject is objecting to profiling;
  • personal data have been processed unlawfully;
  • data must be removed in order to comply with the resulting obligation from the law that CUE is subject to;
  • personal data were collected in connection with offering the services pertaining to information society, from a person who at the time of data collection was aged below 16 years of age.

In turn, the right to transfer data applies when the processing of a person’s data takes place based on the consent of the individual (a natural person), or when it is based on an agreement concluded with that individual, and when this processing takes place in an automated manner.

 

Any other questions, concerns and complaints

Should you have any further questions, concerns or doubts regarding the content of this Privacy Policy, or regarding the way in which the CUE processes personal data, as well as for any complaints regarding these issues, please send an email along with detailed information on the complaint to the following address: iod@uek.krakow.pl

All the complaints received will be processed and the CUE will respond to them.

Persons whose personal data are processed by the CUE also have the right to lodge a complaint to the supervisory body, that is Prezes Urzędu Ochrony Danych Osobowych [Head of the Office for the Protection of Personal Data] (address: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw).

 

Persons wishing to contact the CUE in person, by post or by phone, can do so, using the information below:

Cracow University of Economics

ul. Rakowicka 27

31-510 Krakow

Phone (12) 293 57 00, (12) 293 52 00

 

Are changes to this Privacy Policy possible, and when?

The CUE undertakes to regularly review this Privacy Policy and change it in a situation when it might prove necessary or desirable due to: new legal regulations passed, new guidelines issued by the bodies responsible for supervising the processes of personal data protection, best practices applied in the area of personal data protection (such as codes of good practices, if the CUE is bound by such codes, in which regard we shall issue information). The CUE also reserves the right to modify this Privacy Policy in the case of changes to the technology used in the processing of personal data (if that change affects the wording of this document), as well as in the event of a change in the ways, purposes, or legal grounds for the processing of personal data by the CUE.

 

The most recent update of this document took place on 21/09/2018.

This site uses cookies. The terms and conditions on storage and access to cookies can be changed in the browser's settings. Privacy Policy