INFORMATION CLAUSE - PROCESSING OF PERSONAL DATA

This Personal Data Processing Notice is a document of an informational nature only and is disclosed for the purpose of the WSEI University’s compliance with its information obligations under the GDPR.

PERSONAL DATA ADMINISTRATOR

  1. WSEI University located at Projektowa 4, 20-209 Lublin, entered in the Register of Non-Public Higher Education Institutions kept by the Ministry of Education and Science under number 196, NIP: 712-26-52-693, REGON: 432260703 is the administrator of personal data (hereinafter: Administrator) of its customers, contractors and persons who provided their data via forms available on the website or via e-mail, as well as other entities who gave their consent to the processing of personal data.
  2. The Administrator declares that it processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR).

PRELIMINARY PROVISIONS

  1. Information on data processing by the Administrator applies to data received in particular:
    • via electronic forms;
    • obtained by the Administrator’s representatives within the scope of activities related to the Administrator’s business or marketing activities.
  2. The information does not apply to the processing of personal data of employees, job applicants or data entrusted for processing under an entrustment agreement.
  3. Data is processed for the purpose of performing contracts, and also when it is necessary for the fulfillment of the legitimate interests of the Administrator, in particular for the purpose of informing electronically about promotions of the Administrator’s own services, or for other purposes for which the authorized person gives his/her consent, if it is required under applicable regulations.

SOURCE OF DATA ACQUISITION AND CATEGORIES OF DATA MADE AVAILABLE BY OTHERS

  1. The Administrator may obtain personal data directly from the data subject (e.g., through electronic forms, email) or through others (e.g., from an employer, another employee, or another entity with which the person has an ongoing relationship).
  2. In the case of direct contact, the data subject has full control over the extent of the data shared with the Administrator.
  3. In the case of sharing personal data by another entity, the Administrator generally obtains only basic contact data related to the professional activity, including: name, surname, e-mail address, telephone number, position or function, company, and possibly other data resulting from the contract in connection with which the personal data of the contacted person is shared.
  4. Data entrusted for processing by other personal data controllers are processed to the extent specified in the agreement on entrustment of personal data processing, for the purpose and in the manner specified by the controller of the personal data transferred.

LEGAL BASIS, PURPOSES AND DURATION OF PERSONAL DATA PROCESSING

  1. The administrator processes personal data only if at least one of the following conditions is met:
    1. the data subject has given his/her consent to the processing of his/her personal data (Article 6(1a) GDPR),
    2. the processing is necessary for the performance of a contract to which the data subject is a party or to take steps prior to entering into a contract (Article 6(1b) GDPR),
    3. processing is necessary for compliance with a legal obligation incumbent on the Administrator (Article 6(1c) GDPR);
    4. the processing is necessary to protect the vital interests of the data subject or of another natural person (Art. 6(1d) GDPR);
    5. processing is necessary for the performance of a task carried out in the public interest (Article 6(1e) GDPR);
    6. processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party (Article 6(1f) GDPR).
  1. Personal data is processed by the Administrator only for the following purposes:
        1. Conclusion of a contract – the legal basis for processing is Article 6(1)(b) of the GDPR.
          • If a contract is concluded, the personal data will be processed for the purpose of executing such contract and its financial settlement.
          • In the case of obtaining personal data via electronic forms enabling a meeting, the data provided will be processed for the purpose of organizing such a meeting and for the purpose of related contacts, as well as for making any financial settlements.
          • In carrying out this purpose, personal data will be processed for the period of performance of obligations and the period of limitation of claims under common law.
        2. Business-related contacts – the legal basis for processing is Article 6 (1) (f) GDPR.
            • The realization of this purpose includes day-to-day contacts concerning, in particular, business meetings or business correspondence, ongoing negotiations, execution of contracts, directing offers, marketing activities, as well as other activities undertaken in connection with professional activities.
            • In pursuit of this purpose, the data subject may occasionally receive information regarding the Administrator’s services and other information relevant to the Administrator’s business.
            • If the data subject is a representative of a supplier or service provider of the Controller, representatives of the Administrator may also contact the data subject to receive offers, information or documents.
            • The processing of personal data in such a case will be undertaken for the purpose of the Administrator’s legitimate interest in marketing and selling services as well as building and strengthening business relationships.
            • The data subject has the right to object to such processing of personal data.
            • The Administrator may process contact data provided via electronic forms, as well as provided within the framework of a valid contract.
            • For this purpose, personal data will be processed until the date on which an objection made under Article 21 of the GDPR is taken into account.
        3. Response to an inquiry – the legal basis for processing is Article 6(1)(a) GDPR
          • When filling out a contact form or submitting an inquiry in any other form (e.g., via email, telephone, social network), the person concerned consents to be contacted in connection with the fulfillment of the request or inquiry.
          • Such consent may be withdrawn at any time, but withdrawal of consent does not affect the legality of processing prior to withdrawal of consent, moreover, withdrawal of consent results in no response.
          • Data obtained on the basis of consent is processed until the consent is withdrawn or until the purpose for which the consent was given is fulfilled.
        4. Execution of a concluded contract between the Administrator and another entity – the legal basis for processing is Article 6(1)(f) GDPR.
          • If a data subject is designated as a contact person by an employer or other entity, the data of that person may be processed for the purpose of performing and settling a contract concluded between the Administrator and the employer of that person or other entity in order to realize the Administrator’s legitimate interest in protecting the data subject’s rights, performing the concluded contracts and obtaining due remuneration therefrom.
          • The processing of data in such a case will include ongoing contacts related to the execution of such a contract, the preparation and archiving of documentation on its execution, and the assertion of claims or defense against claims of the other party.
          • The data subject shall in such case have the right to object to such processing.
          • In fulfilling this purpose, personal data will be processed for the period of performance of the obligations and the period of the statute of limitations for claims under the law, or until the date on which an objection made under Article 21 of the GDPR is taken into account.
        5. Contacts with the media and promotion in the media of the Administrator’s activities, services – the legal basis for processing is Article 6(1)(a) of the GDPR.
          • In the case of journalists, editors, reporters and other persons engaged in journalistic activities, personal data will be processed in order to maintain the Administrator’s representatives’ contacts with the media and promote the Administrator’s activities, services and products in the media. Such activity may include, in particular, reporting on important events, activities, products and services and achievements of the Administrator.
          • Undertaking contacts with the Administrator’s representative will be treated as consent to such contacts.
          • If consent is given – such consent is treated as voluntary and may be withdrawn at any time. The withdrawal of consent does not affect the legal compliance of data processing before the withdrawal of consent.
          • For this purpose, personal data will be processed until you opt out of contacts (withdrawal of consent).
        6. Fulfillment of a legal obligation in the form of preparation and storage of documentation – the legal basis for processing is Article 6(1)(c) GDPR.
          • In the case of execution of a contract or other service for the benefit of a data subject, the Administrator shall also process personal data contained in invoices, ledgers or other documentation confirming the conclusion and execution of the contract prepared and stored in accordance with applicable laws. This applies when the data subject is a party to the contract, as well as when his or her employer or an entity with which the data subject cooperates is a party to the contract.
          • The time limit for storing invoices, ledgers and documents confirming the conclusion and performance of a contract is based on the provisions of law.
        7. Confirmation of fulfillment of obligations and the assertion or defense against complaints – the legal basis for processing is Article 6(1)(f) GDPR.
          • Data provided on an electronic form, made available under a contract or otherwise made available to the Administrator may be processed for the purpose of archiving information or documents confirming the fulfilment of the Administrator’s duties and for the purpose of pursuing possible claims or defending against claims made against the Administrator.
          • This applies to a situation where the data subject is a party to the contract, as well as to a situation where the party to the contract is his/her employer or an entity with which the data subject cooperates, and also to a situation where the Administrator was obliged on any basis to perform a service for the person or to exercise his/her rights.
          • Data processing will be undertaken in such a case in order to realize the legitimate interest of the Administrator, which is to protect the person’s rights, confirm the performance of obligations and obtain due remuneration therefor.
          • The data subject shall have the right to object to such processing of personal data.
          • In fulfillment of this purpose, personal data will be processed for the period of performance of obligations and the period of limitation of claims under common law.
        8. Verification of the contractor – the legal basis for processing:
          • the contractor’s data is Article 6(1)(b) GDPR,
          • data of persons designated by the contractor for contact purposes is Article 6(1)(f) GDPR:
          • Prior to the conclusion and during the execution of a contract, the data of a subcontractor, supplier, service provider or partner with whom the Administrator engages in cooperation, and the data of the persons indicated by these entities for contact purposes, will be processed for the purpose of contractor verification, which may be carried out by sending a questionnaire regarding the contractor for completion or by verifying the contractor’s data and financial situation in publicly available public registers or by entities specializing in contractor verification.
          • The processing of data of persons indicated by the contractor for contact purposes will be undertaken in such a case for the purpose of realization of the Administrator’s legitimate interest, which is the execution of the contract and protection of the contractor’s rights.
          • After the period of realization of this purpose of processing, the data will be further processed:
          • for the purpose of fulfilling the legal obligation to prepare and keep records, and
          • for the purpose of confirming the performance of obligations and asserting or defending against claims.
          • When fulfilling this purpose, personal data will be processed for the period of verification of the counterparty.

OBLIGATION TO PROVIDE DATA AND CONSEQUENCES OF NOT PROVIDING DATA

  1. In the case of electronic forms – providing data is voluntary, however, failure to provide data indicated as mandatory (required) results in the inability to send the form and, consequently, depending on the type of form, no response to the inquiry.
  2. In the case of data collected by the Administrator’s representatives in the scope of activities related to the Administrator’s business – the provision of data is fully voluntary and the consequence of their failure may be the inability to contact the interested party in the future.
  3. In the case of data of persons who are party to a contract concluded with the Administrator – the provision of data necessary for the execution of the contract and performance of legal obligations is a condition for the conclusion and performance of the contract. If you refuse to provide the data, it will not be possible to fulfill the purpose of the contract.
  4. Providing data for information and marketing purposes is voluntary.
    In case of refusal to consent to the processing of data in this regard, it will not be possible for the Administrator to perform certain activities, in particular such as: informing about current packages, promotions, new range of services, etc.
  5. Giving consent to the processing of personal data for marketing or information purposes is voluntary, and consent may be withdrawn at any time, without affecting the legality of processing carried out on the basis of consent before its withdrawal.
  6. Indication of e-mail address and other data in electronic correspondence is voluntary.
    Withdrawal of consent for data processing will result in the inability to conduct further electronic correspondence.

RIGHTS OF DATA SUBJECTS

  1. According to Articles 15 – 22 of the GDPR, the data subject has the following rights:
    1. The right to information about the processing of personal datato the person making such a request, the Administrator shall provide information about the processing of personal data, the purposes and legal grounds for the processing, the scope of the data held, the entities to which the personal data are disclosed and the planned date for their deletion;
    2. The right to obtain a copy of the data – the Administrator shall provide a copy of the processed data concerning the person making the request;
    3. The right to rectification – the Administrator shall, at the request of the authorized person, remove any inconsistencies or errors regarding the processed personal data, and supplement or update them if they are incomplete or have changed;
    4. The right to erasure – the entitled person may request erasure of data whose processing is no longer necessary for the realization of any of the purposes for which they were collected. The right to erasure is granted only in the cases enumerated in the GDPR regulations. The Administrator may refuse to erase the data of a data subject despite such a request, as long as one of the exceptions listed in the GDPR applies, e.g. when the processing is necessary to comply with a legal obligation or to establish, assert or defend claims;
    5. The right to restrict processing – on this basis, the Administrator shall cease performing operations on personal data, with the exception of operations consented to by the data subject and their storage, in accordance with the adopted retention rules, or until the reasons for restricting processing cease to exist (e.g., a decision is issued by a supervisory authority authorizing further processing). The right to request restriction of their processing is granted only in the cases enumerated in the GDPR regulations.
    6. The right to data portability – on this basis, to the extent that the data are processed in connection with a contract or consent, the Administrator shall release the data provided by the data subject. The right to data portability applies only if the legal basis for processing is consent or performance of a contract;
    7. The right to object to the processing of data for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection;
    8. The right to object to other purposes of processing – the data subject may object to the processing of personal data at any time. An objection in this regard should contain a justification and is subject to the Administrator’s assessment. In some cases, the Administrator may refuse to take into account an objection to the processing of data on the basis of a legitimate interest of the Administrator, when there are valid legitimate grounds for processing that override the interests, rights and freedoms of the data subjects, or there are grounds for establishing, asserting or defending claims – such a right is not available to the Administrator when the data are processed for direct marketing purposes (e.g., commercial contacts).
    9. The right to withdraw consent – if the data are processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of processing performed prior to the withdrawal of that consent;
    10. The right to complain – if the processing of personal data is deemed to be in violation of GDPR or other data protection laws, the data subject may file a complaint with the supervisory authority.
  2. The request for the implementation of the rights of data subjects can be submitted via email: to: iod@wsei.lublin.pl
  3. Applications will be responded to within one month of receipt. If it is necessary to extend this period, the Administrator will inform the applicant of the reasons for such extension.
  4. The response will be provided to the e-mail address from which the application was sent, and in the case of applications sent by letter, by registered mail to the address indicated by the applicant, unless the content of the letter indicates a desire to receive feedback to the e-mail address (in this case, the e-mail address must be provided).

RECIPIENTS OF DATA, TRANSFER TO THIRD COUNTRIES

  1. As a general rule, the Administrator does not transfer data to a country outside the EU. In the case of transfer of data to a third country for which no decision of the European Commission stating an adequate level of protection has been issued, the Administrator shall apply appropriate safeguards through standard data protection clauses adopted by the European Commission or supervisory authority (pursuant to Article 46(2)(c) and (d) of the GDPR).
  2. The data may be shared with suppliers, service providers and partners with whom the Administrator undertakes cooperation to the extent necessary for the performance of services to customers, business contacts, marketing activities and the operation of its business.
  3. A third party with access to personal data processes them only on the basis of a contract for entrustment of personal data processing and only on the Administrator’s instructions.
  4. For inquiries regarding data processing and how to obtain a copy of the standard data protection clauses, please refer to the information provided in paragraph 2 of the section “RIGHTS OF PERSONS WHOSE DATA ARE CONCERNED“.

INFORMATION ON AUTOMATED DECISION-MAKING

  1. The Administrator may automatically tailor certain content to the needs of customers and those who have consented to the processing of personal data, i.e. perform profiling, using the personal data they have provided. This profiling primarily involves automatically assessing what products the data subject may be interested in in order to tailor marketing content, offers or information sent by the Administrator to the interests and business or professional activities of the data subject.
  2. The profiling carried out by the Administrator does not result in decisions that produce adverse legal effects on data subjects or affect them in any other material way.
Skip to content