Privacy and Security Policy

PRIVACY POLICY

YourWay app

Our approach to information security and personal data protection

The policy is based on three basic principles:

hear the needs and demands of our clients and match perfect solutions, specifically in the field of information security and personal data protection,
When planning the implementation of processes, we identify potential risks of violating the rights of data subjects, including the risk of confidentiality loss, data availability and data integrity. We take actions to prevent these risks,
We realize how important it is to constantly raise awareness in the field of security to perform our work professionally and in accordance with current legal regulations and the requirements of our clients and other stakeholders,
Compliance with the principle of data protection at the stage of designing as well as general principle of data protection, e.g. by minimizing the processing of personal data or pseudonymizing personal data as soon as possible,

We implement the above safety rules by:

integration of modern IT technologies in the field of security and information systems,
Maintaining the confidentiality, availability and integrity of the data entrusted to us by handling data in accordance with applicable legal requirements, customer requirements and security procedures,
Monitoring the compliance with EU or Member State data protection regulations and the Company's or clients' policies in the field of personal data protection,

Regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of data processing,
Systematic training of the personnel who work under the company’s supervision in the field of data security,
Increasing the employees’ awareness of the importance of their work and the importance of their personal contribution to the effectiveness of safety management system, as well as the consequences of non- compliance with security requirements and regulations in the field of information security and personal data protection,
Documenting breaches and incidents in the field of information security and personal data protection,
Monitoring and evaluating the effectiveness of the implemented security measures,
Regular assessment of the implementation of security objectives and risk management plans in terms of compliance with the Company's strategic direction.

Commitment to information security and personal data protection

We undertake to constantly meet the applicable requirements and to continuously improve our security management system and the security measures applied.

Responsibility

Each employee is personally responsible for maintaining the confidentiality, availability and integrity of the data entrusted. Responsibility for maintaining, assessing and setting directions for continuous improvement of the safety management system is put on the company's management.

We familiarize our employees and partners with the principles of the information security management system and personal data protection as well as the objectives of this policy.

This information security policy is available to our employees, associates, clients and interested parties.

Personal data administrator

“Chance for the Blind” Foundation is the administrator of personal data in all of the above-mentioned processes. You can contact us via post at our legal address or via email: chance@szansadlaniewidomych.org .

Data Protection Officer:

The administrator has assigned a Data Protection Officer. You can contact them via post using the administrator's address with the note "IOD" or by e-mail: iod@szansadlaniewidomych.org.

Purposes, grounds and timelines of personal data processing

Purpose of processing	Legal basis	Legitimate interest	Estimated processing time
Provision of services by electronic means	Article 6 par. 1 lit. b), c), f) GDPR Provisions of the Acts on: 1. corporate income tax 2. goods and services tax 3. accounting 4. providing services by electronic means	Defense and pursuing claims	For the duration of the contract, the limitation of claims arising from it, as well as for the period specified by law (generally 5 years) and for the period during which the data remain useful for the purpose for which they were collected.
Contact (email, telephone, web forms)	Article 6 par. 1 lit. b) and f) GDPR	1. Defense and pursuing claims 2. Response to inquiries and further correspondence	For the time during which the data remain useful for the purpose for which they were collected.
Processing of data related to the individuals representing contractors or clients	Article 6 par. 1 lit. c) and f) GDPR	Performance of a contract to which the employer or principal of the representative is a party	For the duration of the contract, the limitation of claims arising from it, as well as for the period specified by law (generally 5 years) and for the period during which the data remain useful for the purpose for which they were collected.
Cookies and server logs	Article 6 par t 1 lit. a) f) Article 173 of the Law telecommunications	Ensuring security, statistics and records, research and development, marketing	For the period during which the data remain useful for the purpose for which they were collected.

Recipients of personal data

The recipients of personal data are the authorized employees and associates of the administrator, entities authorized to obtain data on the basis of legal provisions and the Administrator's subcontractors, if the method of processing requires entrusting them with data (e.g. IT solution providers), as well as providers of specific services for the company (banks, companies telecommunications, law firms, auditors).

Rights of data subjects

The provisions of the GDPR grant the right to:

1) the right to access your data and receive a copy thereof

2) the right to rectify (correct) your personal data;

3) the right to limit the processing of personal data;

4) the right to delete personal data;

5) the right to object to processing based on a legitimate interest;

6) the right to lodge a complaint to the President of the Personal Data Protection Office (to the address of the Personal Data Protection Office, Stawki ST. 2, 00 - 193 Warsaw)

However, these rights are not absolute and may not be applicable in certain circumstances (e.g. the right to object or delete data does not apply when data is processed for the purpose of defending or pursuing claims). The provisions of art. 12-22 of the GDPR specify in what circumstances one can exercise a specific right.

Transfer of data to countries outside the European Economic Area

We do not transfer personal data to third countries / Using some tools (especially IT) we may transfer some of the data to countries outside the European Economic Area. The level of data protection in these countries may be lower than in EEA States. The legal instrument securing such data transfer are: standard contractual clauses adopted by the European Commission (their content is available at http://eur-lex.europa.eu , they can also be obtained by contacting us).

Information about the requirement to provide data

Providing your personal data is a condition for the service provision. To the extent specified by law, providing data is a legal obligation (e.g. providing invoice data).