Thank you for your interest in our company. Data protection is particularly important for the management of Heller Consult Sp. z o.o. Using the websites of Heller Consult Sp. z o.o. is generally possible without providing personal data. However, if the interested person wants to use our special services through our website, processing of personal data may be required. If processing of personal data is required and there is no legal basis for such processing, we usually seek the consent of the data subject. The protection of personal data is particularly important for the management of Heller Consult Sp. z o.o. and we make every effort to protect your data as much as possible.

Processing of personal data, such as the name, address, e-mail address or telephone number of the data subject is always in accordance with the General Data Protection Regulation (GDPR) and in accordance with national data protection regulations apllied in Heller Consult Sp. z o.o. Thanks to this privacy policy our company tries to inform the public about the nature, scope and purpose of collected, used and processed personal data. Moreover, the data subjects are informed about their rights resulting from this privacy policy.

As a controller, Heller Consult Sp. z o.o. has implemented technical and organizational measures to ensure the highest possible protection of personal data processed through this website. Nevertheless, Internet data transmissions can generally have gaps in security, so absolute protection cannot be guaranteed. For this reason, any interested person wishing to use our special services may provide us with personal data (contact details) in other ways, for example by telephone.

The privacy policy of Heller Consult Sp. z o.o. is based on the terminology used by the European directive and the regulatory body for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to clarify the terminology used in advance.

Definitions

Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party

A third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Personal data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Person concerned, data subject, user

Any identified or identifiable natural person whose personal data is processed by the controller.

Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Processing of data by the controller

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Service

The website (webpage) whose administrator is Heller Consult Sp. z o.o.

Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Data profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Name and address of the controller:

The controller of personal data responsible within the meaning of the general regulation on data protection and other regulations on data protection in the Member States of the European Union and other regulations of the nature of data protection is:

• Heller Consult Sp. z o.o.
• Chałubiński 8 Street, 36 floor.
• 00-613 Warsaw,
• Poland
• phone: +48 22 501 45 10
• fax: +48 22 621 80 53
• E-mail: hc@heller-consult.pl
• Service: https://heller-consult.pl/

Contact details of the Personal Data Protection Inspector:

• Personal Data Protection Inspector
• Chałubiński 8 Street, 36 floor.
• 00-613 Warsaw,
• Poland
• phone: +48 22 501 45 10
• E-mail: inspektorochronydanychosobowych@heller-consult.pl

Any data subject may contact our Data Protection Officer at any time with any questions or suggestions regarding data protection.

Purposes and legal basis of data processing

The controller collects personal data for marketing purposes, including the extent necessary to provide the services offered, as well as statistical information about the activity of Users on the website owned by the controller. Personal data of all persons who have agreed to receive marketing content in the form of a newsletter or (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the controller:

• For the purpose of providing services by electronic means – to the extent of the content made available in connection with initiatives related to the controller’s activity or, in justified cases, information concerning the controller.
• In order to make contact forms available for the purposes of offers – then the legal basis for the processing is the necessity of the processing for the performance of the contract (Article 6(1)(b) of GDPR);
• For analytical and statistical purposes – then the legal basis for the processing is the controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting of conducting analyses of the Users’ activities, as well as of their preferences in order to improve the applied functionalities and provided services;
• For marketing purposes of the controller. The rules of personal data processing for marketing purposes are described in the section “Marketing”.

Contact forms (and handling the data acquired through the form)

The controller provides a possibility to make contact using electronic contact forms on the websites he owns. Using the form requires providing personal data necessary to contact the User and respond to the inquiry. The User may also provide other data in order to facilitate contact or handling of the inquiry. Providing data marked as obligatory is required for accepting and servicing the inquiry, and their omission results in the impossibility of servicing. Providing other data is voluntary.

Data from contact forms are processed in order to identify the sender and to handle his inquiry sent by the form provided – the legal basis for processing is the necessity of processing for the performance of the contract for the provision of services (Article 6(1)(b) of GDPR);

• for analytical and statistical purposes – the legal basis of the processing is the legitimate interest of the controller (Article 6(1)(f) of GDPR) consisting in statistics regarding inquiries submitted by Users.

The controller processes Users’ personal data in order to carry out marketing activities, which may consist in:

• providing electronic marketing content to Users that is relevant to their interests;
• to send the user e-mail alerts about interesting offers or content, which in some cases include commercial information;
• conducting other types of activities related to direct marketing of goods and services (sending commercial information by e-mail and telephone).

Profiling

In order to carry out marketing activities, the controller in some cases uses profiling. It means that by means of automatic data processing, the controller evaluates selected factors concerning the user in order to provide information in line with the user’s preferences and to gather statistical information.

The website of Heller Consult Sp. z o.o. collects a series of general data and information each time a user accesses it. These general data and information are stored in server log files. They relate to information including:

1. browser types and versions,
2. operating system used by the access system,
3. a website, from which the access system gains access to our website (so-called Resellers),
4. subnet pages that can be accessed via (5) date and time of access to the website,
5. Internet Protocol address (IP address),
6. Internet access system service provider and
7. other similar data and information used in the event of attacks on our information systems.

Using this general data and information, the controller does not draw conclusions about the individual. Rather, this information is required to:

• properly deliver the content of our website,
• optimize the content of our website and its advertising,
• ensure the continued functioning of our information systems and our website technology, and
• provide law enforcement with information necessary for law enforcement in the event of a cyber attack.

This anonymously collected data is statistical, and is further evaluated by the controller for the purpose of increasing the data protection and data security of our company, with the aim of ultimately providing the best possible protection for the personal data we process. The anonymized data of the server log files is stored separately from any personal data provided by the affected person.

Cookies

The controller processes data, including personal data collected through cookies and other similar technologies, for marketing purposes in order to obtain statistical information on User preferences. The processing of personal data then includes profiling of Users, however the statistical information does not allow identification of individual Users. The use of data collected by means of this technology for marketing purposes is based on a legitimate interest of the controller and only on the condition that the User has given his consent to the use of cookies. Consent to the use of cookies can be expressed through an appropriate configuration of the browser and can be withdrawn at any time, in particular by clearing the history of cookies and disabling cookies in the browser settings, which is included in Cookie rules.

Direct marketing

If the User has given consent to receive marketing information by e-mail and other means of electronic communication, the User’s personal data will be processed for the purpose of sending such information. The basis for data processing is the legitimate interest of the controller, consisting in sending marketing information within the limits of the consent granted by the User (direct marketing). The User has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the period of existence of the legitimate interest of the controller, unless the User objects to receiving marketing information.

Social networking sites

The controller processes personal data of Users visiting controller’s profiles maintained in social media: Facebook, Twitter, and profiles maintained on other portals whose controller is Heller Consult Sp. z o.o. The data are processed only in connection with running the profile, in order to inform the User about the controller’s activities and to promote various events, services and products, as well as to communicate with the User via the functionalities available in social media. The legal basis for the processing of personal data by the controller for this purpose is its legitimate interest (Article 6(1)(f) of GDPR) consisting in promoting its own brand and building and maintaining a community associated with the brand.

Acquisition of statistical data

The controller and other entities providing services to the controller use cookies to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the website is used by the User, to create statistics and reports on the functioning of the website). Google does not use the collected data to identify the User nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found under the link: https://www.google.com/intl/pl/policies/privacy/partners. Acquisition of data takes place through the controller’s services, and the processing is secured by means of anonymization of the User’s data, which is ensured by the processor. The controller does not acquire data in order to track Users on the web, does not use tools that enable such activities, and does not carry out activities related to cooperation with other entities, the purpose of which is to obtain such information.

Routine deletion and blocking of personal data

The controller shall process and store your personal data only for the period of time necessary to fulfil the purpose of the storage or, as the case may be, by European directives or regulations or by any other legislator in laws or regulations that provide for a different retention period.

If the storage purpose is omitted or the retention period specified in the European directives and regulations or any other relevant national laws expires, your personal data will be routinely blocked or deleted in accordance with the statutory provisions.

Data retention period

The period of data processing by the controller depends on the type of service provided and the purpose of processing. As a rule, the data are processed for the duration of the provision of the service or the fulfillment of the order, until the withdrawal of the consent or until an effective objection is raised against the processing of the data in cases where the legal basis of the data processing is the legitimate interest of the controller. The period of data processing may be extended if the processing is necessary to establish and assert or defend against possible claims, and thereafter only in the case and to the extent required by law. After the end of the processing period, the data shall be irreversibly deleted or anonymized.

User’s rights

Every User (interested person) who consents to processing of his data by Heller Consult Sp. z o.o. has the right to:

The right to confirmation

Every data subject (data subject, user) has the right, as granted by the European regulatory authorities, to require the controller to verify that their personal data is being processed. If the data subject wishes to exercise this right to confirmation, he or she may contact an employee of the controller at any time.

Right to information about the processing of personal data

Any person affected by the processing of personal data has the right, at any time, to obtain from the controller information about the personal data stored about him or her and a copy of such data. On this basis, the controller shall provide the person making such request with information about the processing of personal data, which may include:

• purposes of processing
• categories of personal data processed
• the recipients or categories of recipients to whom the personal data have been disclosed or are intended to be disclosed, in particular to recipients in third countries or to international organizations
• if possible, the intended period of retention of the personal data or, if this is not possible, the criteria for determining this duration
• the existence of the right to rectification or erasure of personal data concerning the person or restriction of processing by the person responsible or the right to object to such processing
• the existence of a right of appeal to a supervisory authority
• if the personal data is not collected from the data subject: All available information about the source of the data
• the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) of the General Data Protection Regulation (GDPR), and – at least in these cases – the existence of relevant information on the logic and the extent or intended effects of such processing on the data subject. Furthermore, the data subject shall have the right of access to personal data which are transmitted to a third country or an international organization. In this case, the data subject shall have the right to obtain information on the appropriate safeguards related to the transfer.

If the person concerned wishes to exercise this right of rectification, he or she may contact an employee of the controller at any time.

Right of rectification

Every data subject (user) affected by the processing of personal data has the right granted by the European legislator to request the immediate rectification of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the filling in of incomplete personal data, including by means of a supplementary notification, taking into account the purposes of the processing.

If the data subject wishes to exercise this right to rectification, he or she may contact an employee of the controller at any time.

Right of revocation (right to be forgotten)

Any person affected by the processing of personal data has the right granted by European directives and regulatory authorities to request from the controller the immediate erasure of personal data concerning them, provided that one of the following reasons is fulfilled and the processing is not required:

• Personal Data has been collected for such purposes or otherwise processed as to which it is no longer needed.
• The data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) of GDPR and Article 9(2)(a) of GDPR and there is no other legal basis for the processing.
• The data subject objects to the processing and there are no legitimate reasons for the processing or the data objects.
• Personal data has been unlawfully processed.
• Erasure of personal data is necessary to comply with a legal obligation under EU or national law to which the controller is subject.

If one of the above reasons is correct, and the person concerned wishes to initiate the erasure of personal data stored by Heller Consult Sp. z o.o., he or she may contact an employee of the controller at any time. An employee of Heller Consult Sp. z o.o. will arrange for immediate fulfillment of the request for assistance.

If personal data have been made public by the Heller Consult Sp. z o.o. and if our company as the responsible person is obliged to delete the personal data in accordance with Article 17(1) of the General Data Protection Regulation (GDPR), the Heller Consult Sp. z o.o. shall take appropriate measures, taking into account the technology available and the costs of implementation also of a technical nature, to inform other data controllers who process the published personal data, that the data subject has requested to delete all links to these personal data or copies or replicas thereof, if processing is not required. An employee of Heller Consult Sp. z o.o. will arrange the necessary measures in individual cases.

Right to restrict processing

Any user affected by the processing of personal data has the right, granted by a European directive and regulatory authority, to require the controller to restrict processing if one of the following conditions applies:

• The accuracy of personal data is contested by the data subject for a period of time that allows the controller to verify the accuracy of the personal data.
• Processing is unlawful, the data subject refuses to have the personal data erased and instead requests that the use of the personal data be restricted.
• The controller no longer needs the personal data for the purposes of the processing, but the data subject requires the controller to assert, exercise or defend legal claims.
• The person concerned has an objection to the processing under Article 21(1) of the General Data Protection Regulation (GDPR) and it is not yet clear whether the legitimate reasons of the responsible person outweigh the interests of the person concerned.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of personal data stored by Heller Consult Sp. z o.o., he or she may contact an employee of the controller at any time. An employee of Heller Consult Sp. z o.o. will initiate the restriction of the processing.

Data portability

Any person subject to the processing of personal data has the right under the European directives and regulations to obtain the personal data relating to him or her provided by the data subject to the controller in a structured, common and computer-readable format. In addition, he has the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been transmitted, provided that this is technically feasible and, if so, the rights and freedoms of others are not affected. The condition is that the processing is based on consent in accordance with Article 6(1)(a) of the General Data Protection Regulation (GDPR) or in Article 9(2)(a) of the General Data Protection Regulation (GDPR), or on a contractual basis in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR), and the processing is carried out by automated means. An exception is processing if it is necessary for the performance of a task of general interest or a task of public authority; which has been delegated to the controller.

In order to assert the right to data portability, the data subject may at any time contact any employee of the Heller Consult Sp. z o.o.

Right to object

Any person affected by the processing of personal data has the right granted by the European legislative authority to object to the processing of his or her personal data at any time on grounds relating to his or her particular situation pursuant to Article 6(1)(e) or (f) of the General Data Protection Regulation (GDPR). This also applies to profiling based on these provisions.

In case of an objection, the Heller Consult Sp. z o.o. shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims.

If the Heller Consult Sp. z o.o. processes personal data for direct mailings, the data subject shall have the right to object at any time to processing of personal data for such advertising. This also applies to profiling, insofar as this is related to such direct correspondence. If the data subject requests Heller Consult Sp. z o.o. to stop direct marketing, Heller Consult Sp. z o.o. will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 par. 1 of the General Data Protection Regulation (GDPR), unless such processing is necessary for the performance of a task carried out in the public interest.

In order to exercise the right to object, the data subject may directly contact an employee of Heller Consult Sp. z o.o.

Automatic decisions on particular cases basis, including profiling

Every data subject affected by the processing has the right granted by the European legislative authority not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or similarly significantly affects him or her; if the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the controller, or (2) is authorised by the legislation of the European Union or of the Member States to which the controller is subject and that legislation provides for suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, or (3) with the explicit consent of the data subject.

If the decision (1) is required for entering into, or the performance of, a contract between the person concerned and a responsible person, or (2) it is made with the explicit consent of the data subject, Heller Consult Sp. z o.o. shall take appropriate measures to safeguard the data subject’s rights and freedoms as well as legitimate interests, including at least the data subject’s right to intervene with the controller, to express his or her point of view and contest the controller’s decision.

The right to withdraw consent for data protection purposes

Any person subject to the processing of personal data has the right, which is granted by the European Directive and the Regulatory Authority, to withdraw consent for the processing of personal data at any time. If the data subject wishes to assert the right to withdraw the consent, he or she may, at any time, contact any employee of the controller.

Right to lodge a complaint

If the processing of personal data is considered to violate the provisions of the GDPR or other data protection legislation, the data subject may lodge a complaint with the President of the Data Protection Authority.

Data protection in application documents and recruitment process

The controller collects and processes personal data of candidates for the purpose of processing them for the application process. The processing may also take place electronically. This is the case in particular if the candidate submits the relevant application documents to the controller by electronic means, for example, via e-mail of a web form available on the website. If the controller enters into an employment contract with the candidate, the data provided will be stored for the purposes of the employment relationship in accordance with the law. If no employment contract is concluded with the candidate on the part of the controller, the application documents will be automatically deleted two months after the announcement of the rejection, unless the deletion excludes other legitimate interests of the controller. Other legitimate interests in this sense include, for example, the burden of proof in a procedure under the General Data Protection Regulation Act (GDPR).

Privacy Policy regarding the use and application of Google Analytics

This website uses the service “Google Analytics” provided by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) to analyse the use of the website (service) by users. The service uses “cookies” – text files stored on your device. The information collected by cookies is usually sent to a Google server in the USA and stored there.

This website accesses IP anonymization. Your IP address is abbreviated in the member states of the EU and the European Economic Area. This reduction eliminates the personal reference of your IP address. According to the terms of the agreement that the operators of this website have with Google Inc., they use the information collected to compile an evaluation of the website activity and to provide online services.

You can prevent cookies from being stored on your device by making the appropriate settings in your browser. There is no guarantee that you will be able to access all features of this website without restrictions if your browser does not allow cookies.

In addition, you can use a browser plug-in to prevent the information collected by cookies (including your IP address) from being sent to Google Inc. and used by Google Inc. The following link leads to the corresponding plug-in: https://tools.google.com/dlpage/gaoptout?hl=en-GB

Here is more information about the use of Google Inc. data: https://support.google.com/analytics/answer/6004245?hl=en

Click here to disable Google Analytics http://tools.google.com/dlpage/gaoptout.

Legal basis for processing

Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis for our company for processing operations in which we obtain consent for a specific purpose of processing. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, in processing operations necessary for the supply of goods or the provision of any other service or performance, the processing is based on: article 6(1)(b) of the General Data Protection Regulation (GDPR). The same principle applies to processing operations that are necessary for the performance of pre-contractual activities, for example in the case of inquiries regarding our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as the fulfilment of tax obligations, the processing is based on Article 6(1)(c) of the General Data Protection Regulation (GDPR). In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our establishment was injured and his or her name, age, health insurance or other relevant information would have to be provided to a doctor, hospital or other third party. The processing would then be based on Article 6(1)(d) of the General Data Protection Regulation (GDPR).Finally, the processing may be based on Article 6(1)(f) of the General Data Protection Regulation (GDPR). Under this legal basis, processing operations that are not covered by any of the above legal bases are required if the processing is necessary to protect the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail. Such processing operations are specifically permitted to us because they are explicitly mentioned by a European legislative body.

Legitimate interests in processing that are pursued by the controller or a third party.

If the processing of personal data is based on Article 6(1)(f) of the General Data Protection Regulation (GDPR) is our legitimate interest in conducting our business for the benefit of all our employees and our shareholders.

Duration of storage of personal data

The criterion for the duration of storage of personal data is the relevant statutory retention period. After the expiration of this period, the relevant data will be routinely deleted if they are no longer necessary for the fulfillment or conclusion of the contract.

Legal or contractual provisions for the provision of personal data; necessity of a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide.

We clarify that the sharing of personal data is partly required by law (e.g. tax legislation) or also due to contractual provisions (e.g. Contracting Party Information).

Existence of automated decision-making

As a responsible company, we refrain from automated decision making or profiling.

Requests

User requests for actions described in the “User Permissions” section may be directed to:

• in electronic form – by means of the e-mail account which was used to grant the User’s consent to data processing, to the address inspektorochronydanych@heller-consult.pl
• in traditional letter – to the correspondence address of the controller: Heller Consult Sp. z o.o. with its registered office at Chałubiński  8 Street, 00-613 Warsaw with a note “Request for user data”.

The request should specify what kind of data operation it relates to (obtaining a copy of the data, restriction of processing), what kind of processing the request relates to (e.g. use of a particular service, activity on a particular website, receiving a newsletter containing commercial information to a particular email address, etc.).

In a situation in which the controller will not be able to determine the request on the basis of the information received from the User, the User will be contacted in order to clarify the information. The response to the request shall be provided to the e-mail address from which the consent to data processing was granted, and in the case of consents sent by letter, by ordinary mail within 30 calendar days from receipt of the request. If it is necessary to extend this deadline, the controller will inform the applicant of the reasons for the extension.

Security of personal data

The controller shall take all the necessary measures to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the controller. The controller shall systematically conduct a risk analysis in order to ensure that the personal data are processed by him in a secure manner – ensuring in particular that only authorized persons have access to the data and only to the extent necessary for the performance of their tasks. The controller makes sure that all operations on personal data are recorded and performed only by authorized employees and co-workers.

Policy change control

This privacy policy is reviewed on an ongoing basis and updated as necessary.