Privacy Policy
The website expat.lgbt is part of Queerpol and the use of it is covered by the Queerpol privacy policy available below:
The purpose of the Personal Data Security Policy for the processing of personal data within the scope of the activities conducted by the Queerpol Foundation (NIP: 8982312968) is to ensure the due diligence required when processing and securing personal data in accordance with legal requirements concerning the principles of their processing and security, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
§ 1. Definitions
Whenever the Security Policy refers to:
- Data Controller – this shall be understood as the Queerpol Foundation, ul. Kazimierza Jagiellończyka 44/2, 50-239 Wrocław; email address: kontakt@queerpol.pl; Tax Identification Number (NIP): 8982312968;
- Personal Data – this shall mean any information relating to an identified or identifiable natural person;
- Processor – this shall mean a natural person or organizational unit that processes Personal Data on behalf of the Controller under a personal data processing agreement;
- Data Processing – this shall mean an operation or set of operations performed on Personal Data, whether or not by automated means (i.e., through IT Systems), such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, deleting, or destroying;
- Third Party – this shall mean a natural or legal person, public authority, or entity other than the data subject, Controller, Processor, or User, that may process Personal Data;
- User – this shall mean the person processing Personal Data based on authorization granted by the Data Controller;
- Data Set – this shall mean any structured set of personal data, accessible according to specific criteria.
§ 2. General Provisions
The Security Policy applies to all Personal Data processed by the Data Controller, regardless of the form of processing.
The Security Policy has been prepared in writing and is stored at the Data Controller’s registered office.
An electronic version of the Security Policy, identical to the written one, is made available to Processors and Users to familiarize them with the principles of processing and securing Personal Data used within the scope of the Data Controller’s business activities.
To implement and execute the Security Policy, the Data Controller ensures:
a) technical measures and organizational solutions appropriate to the threats and categories of Data subject to protection,
b) control and supervision of Personal Data Processing,
c) monitoring of the security measures applied.
The Data Controller’s monitoring of the security measures applied includes, among other things: supervising Users’ activities and monitoring Processors; informing competent authorities of Personal Data security breaches and data protection policies; and analyzing the adopted Personal Data protection methods, including ensuring file integrity and the effectiveness of Data protection against external and internal attacks.
The Data Controller shall take all appropriate, reasonable, and proportionate measures to ensure that activities performed in connection with the processing and security of Personal Data comply with the Security Policy and legal provisions.
§ 3. Data Processing by the Data Controller
Personal data processed by the Data Controller are organized into Data Sets.
Data Processing by the Data Controller will not include activities that could involve a high probability of a high risk of violating the rights or freedoms of Data Subjects. If such activities are planned, the Data Controller will perform a data protection impact assessment, as referred to in Article 35 et seq. of the GDPR.
If new Personal Data processing activities are planned for purposes other than those for which they were obtained, the Data Controller will obtain renewed consent from the data subject for these activities. At the same time, the Data Controller will analyze their impact on personal data protection and will take data protection considerations into account when designing new activities.
§ 4. Personal Data Security Management
- The Data Controller, Processors, and Users are obligated to process Personal Data in accordance with applicable regulations and the Security Policy, as well as other internal documents and procedures related to Personal Data Processing.
- The processing of all Personal Data always requires compliance with the following principles, in particular:
a) the processing of Personal Data always requires the existence of at least one of the grounds for data processing provided for in the GDPR;
b) Personal Data are processed lawfully, fairly, and transparently for data subjects;
c) Personal Data are collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with these purposes;
d) Personal Data are processed only to the extent necessary to achieve the purpose of data processing;
e) Personal Data are accurate and updated as necessary;
f) The storage period of Data is limited to the period of their usefulness for the purposes for which they were collected, and after this period, they are anonymized or deleted, unless further processing is necessary for the legitimate interests of the Foundation or the Data Controller;
g) Data subjects are always required to comply with the information obligation in accordance with Articles 13 and 14 of the GDPR;
h) Data are secured against violations of the principles of their protection.
- A violation or attempted violation of the principles of personal data processing and protection constitutes:
a) a breach of the security of the IT systems in which Personal Data are processed;
b) making Personal Data available or assisting in the disclosure of Personal Data to unauthorized entities;
c) failure, including unintentional failure, to comply with the obligation to ensure the protection of Personal Data;
d) failure to comply with the obligation to maintain the confidentiality of Personal Data and the principles and methods of securing it;
e) processing Personal Data inconsistently with the intended scope and purpose for which it was transferred;
f) damage, loss, uncontrolled modification, or unauthorized copying of Personal Data;
g) violation of the rights of Data subjects, including in particular the rights referred to in Articles 15-18 of the GDPR.
- If an imminent risk of a Data breach or a breach of personal data protection principles is identified, the Data Controller, Processor, or User is obligated to take all necessary measures to prevent the breach and limit the effects of any potential breach.
- The Data Controller’s obligations regarding the employment of employees under employment contracts or civil law contracts who will process Personal Data as part of their duties include:
a) appropriate training of employees in the provisions and principles of Personal Data protection, including familiarization with the Security Policy and the Instructions for Using the IT System,
b) obtaining from employees an obligation to keep Personal Data confidential.
- Users are obligated to:
a) strictly comply with the scope of the granted authorization;
b) process and protect Personal Data in accordance with Data Protection regulations and principles;
c) maintain the confidentiality of personal data and the methods used to secure it;
d) report violations and attempted violations of Personal Data and other events that may affect the security of Data protection.
§ 5. Place of Personal Data Processing
Personal data are processed at the Data Controller’s registered office and in all locations used by the IT System, to the extent necessary for its proper functioning.
§ 6. Breach of Personal Data Protection Principles
- If a Personal Data breach is identified, the Controller assesses whether the breach has resulted or could have resulted in a risk to the rights and freedoms of Data subjects.
- If the breach has resulted in a high risk to the rights and freedoms of Data subjects, the Controller shall notify the Data subject of the breach.
- If the breach has resulted in a risk to the rights and freedoms of Data subjects, the Controller shall report the breach of Personal Data Protection Principles to the supervisory authority without undue delay – if possible, no later than 72 hours after the breach is discovered.
§ 7. Entrusting Personal Data Processing
- The Controller may entrust another entity with the Processing of Personal Data only by means of a written agreement, provided that the entity provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the Processing meets the requirements of the GDPR and protects the rights of Data subjects.
- Before concluding a contract for the processing of Personal Data, the Data Controller shall, to the extent possible, obtain information about the current practices of the entity with which the contract is to be concluded, in order to verify whether that entity provides the guarantees referred to in paragraph 1.
§ 8. Transfer of Data to a Third Country
The Data Controller will not transfer Personal Data to a third country, except at the request of the Data Subject.
§ 9. Final Provisions
- Violation of the Security Policy by Users will result in liability specified in Personal Data Protection Regulations.
- Violation of the Security Policy by the Processor will result in liability specified in the Civil Code and Personal Data Protection Regulations.
- The Security Policy enters into force on the date of its adoption.
- Personal data collected by the Data Controller prior to the entry into force of the Security Policy will be processed in accordance with the Security Policy from the date of its entry into force.
