of the National Information Processing Institute
1. General provisions
This Policy is general in nature and presents the most important issues related to the processing of personal data. This Policy is further specified in individual regulations or information clauses which individuals receive or accept at the time when data are collected from them, e.g. through newsletter subscription, contact forms, or account opening.
As part of the Services, OPI PIB processes personal data legally, fairly and consciously, while maintaining transparency in the use of data in accordance with the purpose for which they were collected, and while ensuring control over the individual processing activities by providing you with control over your personal data.
2. Contact details
2.1 Data Controller
The Controller of personal data obtained under the Services is the National Information Processing Institute with its registered office in Warsaw at Al. Niepodległości 188B, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, 12th Business Division of the National Court Register, entry no. 0000127372, NIP (taxpayer ID): 525-000-91-40, REGON (statistical ID): 006746090.
2.2 Data Protection Officer
National Information Processing Institute
Al. Niepodległości 188B
00-609 Warsaw, Poland
please add ‘IOD’ on the envelope.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L No. 119, p. 1), referred to as “GDPR”,
- Polish Act of 10 May 2018 on Personal Data Protection (Polish Journal of Laws of 2018, item 1000),
- Polish Act of 16 July 2004 – Telecommunications Law (consolidated text: Polish Journal of Laws of 2017, item 1907, as amended),
- Polish Act of 18 July 2002 on Rendering Services Electronically (consolidated text: Polish Journal of Laws of 2017, item 1219, as amended),
- Polish Act of 30 April 2010 on Research Institutes (consolidated text: Polish Journal of Laws of 2018, item 736).
4. Rules of personal data processing
As part of the processing of personal data of individuals using the Services, OPI PIB attaches importance to the fact that these data are processed in a safe, reliable, lawful and transparent manner for the data subject.
The key rules followed by OPI PIB in data processing are as follows:
- personal data are collected only to the minimum extent necessary to achieve the purposes for which they are collected,
- the purposes of personal data collection are clearly defined and are based on applicable legislation: OPI PIB does not process data in a manner inconsistent with these purposes,
- OPI PIB ensures the timeliness and accuracy of personal data of individuals using the Services and immediately responds to each application for the correction or update of data,
- OPI PIB exercises the right of individuals to access and correct their personal data,
- OPI PIB also implements, where applicable, the rights of individuals to delete their personal data, withdraw consent, limit the processing, transfer the data, as well as the right to object to data processing, the right not to be subject to a decision based solely on automated data processing, including profiling,
- OPI PIB limits the storage of personal data in accordance with the applicable legislation, only to the period necessary to achieve the purposes for which they are collected, unless there are events that may extend the period of data storage,
- OPI PIB protects personal data against loss, access by unauthorised persons, accidental loss or change and other unlawful forms of processing,
- if personal data are made available to other entities, this is done in a safe, contractually secured manner and in accordance with the applicable legislation,
- the protection of individuals with regard to the processing of their personal data is one of the fundamental rights of every person. OPI PIB attaches particular importance to respecting the privacy of data subjects, regardless of whether the data were obtained directly from the data subject or from other sources.
5. Rights of data subjects in relation to data processing
OPI PIB exercises the rights of data subjects related to the processing of their personal data in connection with the use of the Services. These rights derive from the existing legal provisions on personal data, in particular the GDPR (Articles 16–21).
The data subject whose personal data are processed within the Services has the right to:
- withdrawal of consent to the processing of their personal data at any time if data are processed on the basis of consent,
- access to data, i.e. the data subject has the right to receive a confirmation from OPI PIB as to whether their personal data are processed by OPI PIB and how,
- correction of outdated or inaccurate personal data, as well as the right to supplement the data in case they are incomplete,
- objection to the processing of personal data if OPI PIB processes personal data
based on legitimate interest (e.g. analytical, statistical, evidentiary or archiving purposes), then in case of objection, OPI PIB will cease data processing unless OPI PIB proves the existence of relevant legitimate grounds for processing, which should objectively take precedence over the interest of the data subject or which are necessary to establish, assert or defend claims (e.g. evidentiary purposes, or claim assertion).
- deletion of personal data (“the right to be forgotten”) consists, in principle, in requiring that the data controller deletes the personal data of the data subject without delay; however, according to Article 17 of the GDPR, there are exceptions to this right (in particular, for the purposes of establishing, pursuing or defending claims),
- restrictions on the processing of personal data, which, in practical terms, may consist in temporary blocking of access to data or the transfer of data to another system,
- transfer of data, i.e.the data subject has the right to receive a copy of the personal data that they provided OPI PIB with if the processing is based on their consent or on the basis of a contract and in an automated manner,
- submitting a complaint to the supervisory authority: to the President of the Office for Personal Data Protection (UODO).
Requests concerning the processing of personal data, including the exercise of rights, should be sent by e-mail to: email@example.com or firstname.lastname@example.org, or in writing to the following address: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy (National Information Processing Institute), al. Niepodległości 188b, 00-609 Warsaw, Poland.
Responses to such requests will be given without undue delay, not later than within one month after receipt. This period may be extended by further two months due to the complexity of the request or the number of requests, of which we will inform the individuals concerned.
Requests should include the full name of the requester and contact details (telephone number or email address and, in the case of written requests, also the mailing address). If your request concerns the use of a website, please provide the website address or information about the service provided through our website and additional explanations for your request (in order to improve the handling of your request). In order to handle some requests, OPI PIB may request additional information in order to confirm the identity of the requester.
6. Security of personal data
OPI PIB takes technical and organisational measures to protect personal data against illegitimate or unauthorised access or use, as well as against accidental destruction, loss or violation of integrity. The principle of ensuring safety is implemented at each stage of OPI PIB activity. Security procedures include in particular: security of access, a backup system, monitoring, review and maintenance, and management of security incidents.
In order to ensure the security of the processed personal data, OPI PIB undertakes to take the following into account:
- confidentiality, i.e. to protect data against accidental disclosure to third parties,
- integrity, i.e. to protect data against unauthorised modification,
- accessibility, i.e. to ensure that authorised persons have access to the data when needed.
Personal data may be processed by third parties only if such an party undertakes to ensure appropriate technical and organisational measures to ensure the security of the processing of personal data, as well as the confidentiality of such data. Any employee of OPI PIB who has access to personal data holds a relevant authorisation and is obliged to maintain confidentiality.
The personal data that individuals provide on our websites are encrypted and protected by an SSL certificate.
7. How we process personal data
7.1 What is the purpose and basis for OPI PIB’s processing the data of Services users?
OPI PIB processes personal data only for specified, unambiguous and lawful purposes.
OPI PIB informs individuals each time of the purpose and legal basis of personal data processing in a separate message dedicated to the service used by the person concerned.
Below we present different legal grounds and different purposes for which we may process personal data (within one data processing process, personal data can be processed for different purposes and on different legal grounds):
Consent as a legal basis: Consent can be given either through active action by data subjects (e.g. providing one’s data and sending a form) or by ticking a checkbox (in both cases, Article 6(1)(a) of the GDPR is the legal basis). In any case, a person may withdraw their consent in the manner indicated in the information on the processing of personal data. Consent constitutes the legal basis, inter alia, in the following cases:
- individuals voluntarily provide their data to us and address a request to us, e.g. about the possibility of preparing a report or services provided by OPI PIB,
- individuals ask to be contacted,
- individuals send any e-mail correspondence to the addresses in the opi.org.pl domain,
- individuals subscribe to a newsletter,
- individuals send inquiries or comments via the relevant contact forms,
- individuals obtain information about fairs, exhibitions, conferences and other scientific events organised by the scholarly community.
When individuals inquiry about the possibility of OPI PIB to perform certain services and when such an inquiry is accepted, the legal basis for personal data processing is changed into actions aimed at concluding an agreement or into an agreement.
Implementation of an agreement or actions aimed at concluding an agreement (Article 6(1)(b) of the GDPR).
The legal basis consisting in an agreement or actions aimed at concluding an agreement applies, inter alia, in the following cases:
– When OPI PIB processes personal data within the Services provided by OPI PIB websites, such as BWNP, Inventorum, Navoica, etc., because this is necessary to perform the agreement concluded with OPI PIB through acceptance of regulations for the provision of electronic services, where such regulations are available on these websites, and for the purposes specified therein.
Legitimate interests (except where the interests of data subjects or their fundamental rights and freedoms take precedence over the interests of OPI PIB) (Article 6(1)(f) of the GDPR).
OPI PIB processes personal data on the basis of legitimate interests involving, among others, the following purposes:
- financial settlements,
- assurance that services are provided in keeping with the law,
- prevention and detection of fraud,
- evidentiary and archival purposes and the safeguarding of information in the event of a legal need to establish facts, or to establish claims, assert claims or defend against claims;
- analytical and statistical purposes, to ensure the quality of services and optimisation of service processes – in this case, the processing results in aggregated data,
- in connection with the provision of services provided electronically in order to ensure their security and handling of complaints,
- exercising the rights of data subjects, in particular the right to the accuracy of data, the right to withdraw consent and to store requests and evidence of request handling,
- ensuring the security of data, in particular their integrity, accuracy and timeliness.
In some cases, the processing of personal data may be based on the data controller’s compliance with a legal obligation (legal basis: Article 6(1)(c) of the GDPR).
This applies in particular to the obligations imposed on OPI PIB under the applicable legislation, in particular under the tax legislation.
Performance of a task of public interest
OPI PIB processes personal data because this is necessary to perform a task carried out in the public interest, i.e. supporting the processes of organising and financing scientific research, popularisation of knowledge about science, scientific research and development, preparation of analyses, opinions and expert opinions with regard to scientific research conducted, obtaining and developing collective, cross-sectional and synthetic information concerning scientific research and development, also for statistical purposes, and supporting the scientific and academic community. Therefore, OPI PIB processes personal data for the following purposes:
- presenting and publishing information on scientific, research, development and expert activity undertaken by individuals registered in databases maintained by OPI PIB,
- promoting and presenting scientific achievements,
- providing comprehensive information on scientific, research, development and expert activities commissioned by entities operating within the scientific community, but also public administration bodies and entities, and any interested person,
- creating analyses and statistics on the basis of available data for the needs of Polish science and the scientific community, as well as the needs of scientific research,
- informing the stakeholders about the transfer of knowledge and technology from the scientific sector to industry,
- archiving in the public interest,
- performing scientific or historical research,
- collecting statistical data.
7.2 Data collection method
OPI PIB collects personal data when individuals they fill in forms on our websites, contact us by phone, send questions or messages via our websites or online tools as well as automatic data contained in system logs and cookies.
We may also receive personal data from scientific entities where the data subject is employed as a researcher or an academic teacher or where the data subject conducts scientific activity in such an entity.
What kind of data may we process and where do we have them from?
Personal data may include a different range of data, depending on the category of data subject and the Services used and the purpose for which the data are collected.
Each time OPI PIB processes only the necessary range of data.
As part of the Services, OPI PIB processes personal data such as: identification data (e.g. first name, surname), contact data (e.g. telephone number, e-mail address, address of residence), data on enquiries, orders, complaints, data on scientific research activity, data on publications, data on the place of employment and, in case of business entities, also the company name and NIP (taxpayer ID) number, and contact person data (title).
As part of the use of the Services, the provision of personal data is voluntary, but often necessary for the use of such data.
Forms for collecting personal data within the Services are addressed to adults. Therefore, OPI PIB does not knowingly process personal data of persons under 16 years of age. Consents given by individuals are valid for persons over 16 years of age. If users of Services are under 16 years of age, they should not provide any information. If we become aware that a person under the age of 16 has provided us with personal data without verifiable parental consent, we will not process such data.
8. Consent and withdrawal of consent
Consent may also be given via the so-called “explicit action”, e.g. resulting from the fact that a person voluntarily provides their data and asks for contact or sends an inquiry within the scope specified in the consent, or resulting from checking a check box.
If you subscribe to our newsletter, your consent can be revoked via the “unsubscribe” link available in each email message or by sending a notice of revocation of consent to the email address provided in the correspondence.
Withdrawal of consent means that the individual concerned loses the possibility to use the Services, i.e. ceases to receive newsletters, responses, invitations to events, or promotion of their scientific activities.
Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent prior to its withdrawal.
A request for withdrawal of consent will be handled promptly. After the request has been processed, OPI PIB will cease to process personal data for the purposes based on consent. However, until the request has been processed, the person concerned may receive information which they cancelled by withdrawing their consent, due to the time needed for the processing of the request in the OPI PIB systems.
If OPI PIB holds data of individuals for purposes other than those for which the processing was based on consent (e.g. performance of an agreement or service, proof of evidence, making claims), OPI PIB may still process such data for these purposes on a different legal basis.
In any case, any consent given may be revoked at any time without giving any reasons. This can be done by contacting OPI PIB via e-mail: email@example.com, via the relevant contact form or by phone at + 48 22 570 14 58 or by sending a request to the address of the registered office of OPI PIB.
In the case of a telephone declaration, we reserve the right to carry out additional verifications of the caller in order to determine their identity.
9. Data storage
The data will be kept for as long as is necessary to achieve the purposes for which the data were collected. If possible, OPI PIB provides the period of data storage in the relevant information clauses.
In the case of data processing based on consent, the data will be kept for a period of validity of the consent, yet not longer than for five years (unless a shorter period is agreed) or until the consent is revoked.
In any case, however, the retention period may change, i.e. personal data may be stored for a longer period if this is required by law or is necessary to establish, defend or assert claims (e.g. we may keep evidence of your consent until the statute of limitations has expired), or for a shorter period, e.g. if a data deletion request has been implemented.
The storage period for personal data is determined in accordance with the applicable legislation. You have the right to obtain information from us about the planned and probable duration of storage of your personal data.
The basic data retention periods adopted for the indicated processes are indicated below:
- newsletter subscription: until you unsubscribe,
- in the case of data processing in connection with the performance of a task in the public interest: for the period until the purpose of the processing has expired or until an objection relating to the specific situation of the data subject has been lodged, unless there are valid grounds for further processing of the data,
- in the case of correspondence sent via a contact form: until an objection has been raised, consent has been withdrawn or the purpose of processing has expired, yet not longer than for a period of up to three years,
- provision of services electronically:for the duration of the contract,
- for purposes based on legitimate interest: either for the period of validity of those purposes or until an objection has been raised, and in any case not longer than for five years, unless there is a need to store the data for a longer time where such an obligation arises from the law or is necessary to establish, defend or assert a claim.
10. Recipients of data. Sharing data with other entities
Access to personal data may be granted to the following recipients of data: authorised employees of OPI PIB; employees of the entity supervising the activity of OPI PIB; employees of public administration bodies or entities in connection with the their tasks performed under the law; as well as service providers and their authorised employees entrusted with the processing of personal data for the needs of services provided to OPI PIB in connection with the performance of its own services, in particular IT system operators, as well as entities providing advisory, legal and auditing services.
Depending on the type of service used (e.g. databases maintained for the purpose of promoting individuals’ scientific activity), data may also be made available to all entities interested in obtaining information on the status quo of Polish science and higher education, those wishing to conduct scientific research, seeking contact with experts in specific fields or scientific disciplines, those wishing to conduct development work in their enterprises and interested in contacting an expert in a specific field/discipline, all those interested in scientific, research and development activities in order to establish contact or conduct research.
Personal data may also be made available to other recipients who are data processors and who provide services for and on behalf of OPI PIB and who have been commissioned to perform activities that require data processing in connection with the processing of personal data, in particular with regard to IT services, archiving, correspondence handling, as well as entities such as auditors or professional consultants. In some cases, external service providers who provide services on our behalf may act as independent data controllers, e.g. the Polish Post Office or other postal operators.
In justified cases, personal data may also be made available to public administration bodies (e.g. prosecution, police, municipal police, government agencies) and courts.
As part of the Services provided by OPI PIB, there may be links to other websites, social media sites or websites of cooperating entities. When accessing a third party website, individuals will be subject to separate privacy policies and data protection policies for those websites. Please read the privacy and data protection policies of the respective websites accessed.
11. Transmission of data to countries outside the EEA
OPI PIB does not transfer personal data within the Services to countries outside the European Economic Area (EEA), with the exception of data which are publicly accessible via the Internet, if the Internet is accessible outside this area.
12. Automatic processing of personal data (also through profiling)
Personal data will be processed automatically (also in the form of profiling), but this will have no legal consequences for individuals or significantly affect them in any similar way.
The profiling of personal data by OPI PIB consists in the processing of data (also in an automated way) by using such data to assess certain information about individuals in databases, in particular to analyse the fields or disciplines that such individuals specialise in.
14. Changes to this Policy