Transparency policy
1. Definitions
1.1. Administrator – the company under the name Apius Technologies S.A. based in Krakow (31-523), ul. Moniuszki 50, registered in the register of entrepreneurs of the National Court Register kept by the District Court for Central Krakow in Krakow, XI Commercial Division of the National Court Register under the number KRS: 0000565486, NIP: 9452155088.
1.2. Personal Data – any information relating to an identified or identifiable natural person by one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recording, contact data, location data, information contained in correspondence, information collected through recording equipment or other similar technology.
1.3. Policy – this Personal Data Processing Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data Subject – a natural person whose personal data is processed by the Administrator.
2. Data processing by the Administrator
2.1. In connection with its business operations, the Administrator collects and processes Personal Data in accordance with relevant legal regulations, including in particular the GDPR, and the principles of data processing provided therein.
2.2. The Administrator ensures transparency in the processing of Personal Data, especially always informing about data processing at the moment of collection, including the purpose and legal basis of processing (e.g., when concluding a sales contract for goods or services). The Administrator ensures that the data is collected only to the extent necessary to achieve the specified purpose and processed only for the period necessary.
2.3. When processing Personal Data, the Administrator ensures their security and confidentiality and provides access to information about processing to the individuals whose data is being processed. If, despite the security measures in place, there is a breach of Personal Data protection (e.g., a "leak" of data or its loss), the Administrator will inform the Data Subjects in accordance with regulations.
3. Contact with the Administrator
3.1. Contact with the Administrator is possible via the e-mail address personaldata@apius.pl or the mailing address: ul. Stanisława Moniuszki 50, 31-523 Kraków, with the note Personal Data Protection.
3.2. The Administrator has designated a coordinator for personal data protection, who can be contacted via e-mail at personaldata@apius.pl regarding any matters related to the processing of Personal Data. The coordinator does not act as a Data Protection Officer.
4. Personal Data Security
4.1. To ensure the integrity and confidentiality of the data, the Administrator has implemented procedures allowing access to Personal Data only to authorized persons and only to the extent necessary for the tasks they perform. The Administrator applies organizational and technical solutions to ensure that all operations on personal data are recorded and carried out only by authorized persons.
4.2. The Administrator also takes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantees of applying appropriate security measures whenever they process Personal Data on behalf of the Administrator.
4.3. The Administrator continuously conducts a risk analysis related to the processing of Personal Data and monitors the adequacy of the applied data security to identified threats. If necessary, the Administrator implements additional measures to enhance data security.
5. Purposes and legal bases of processing
E-MAIL AND TRADITIONAL CORRESPONDENCE
5.1. When addressing the Administrator via e-mail or traditional correspondence unrelated to services provided on behalf of the sender, another contract concluded with him, or in any other way not related to any relationship with the Administrator, personal data contained in such correspondence is processed solely for communication and resolution of the matter addressed in the correspondence.
5.2. The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting of handling correspondence addressed to him in connection with his business activity.
5.3. The Administrator processes only personal data relevant to the matter addressed in the correspondence. All correspondence is stored in a manner that ensures the security of the personal data (and other information) contained therein and is disclosed only to authorized persons.
PHONE CONTACT
5.4. When contacting the Administrator by phone, in matters not related to a concluded contract or provided services, the Administrator may request the provision of personal data only when necessary for handling the matter the call concerns. In such a case, the legal basis is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting of the need to resolve the reported matter related to his business activity.
5.5. Telephone conversations may also be recorded - in such a case, appropriate information is provided to the individual at the beginning of the call. Conversations are recorded for the purpose of monitoring the quality of the provided service and verifying and documenting the work of consultants, as well as for statistical purposes. Recordings are available only to the Administrator's employees and those handling calls directed to the Administrator.
5.6. Personal data in the form of call recordings are processed:
5.6.1. To monitor the quality of service, verify and document the work of consultants handling phone calls directed to the Administrator, as well as for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting of ensuring the highest quality of service for customers and stakeholders, as well as the highest quality work of consultants and conducting statistical analyses regarding telephone communication.
VISUAL MONITORING AND ACCESS CONTROL
5.7. Due to the need to ensure the safety of people and property, the Administrator uses visual monitoring and controls access to the premises and the area under his management. Data collected in this way is not used for any purposes other than those described below.
5.8. Personal data in the form of monitoring recordings are processed to ensure the safety of people and property and to maintain order within the facility, and possibly to defend against claims made against the Administrator or to establish and pursue claims by the Administrator. The legal basis for processing personal data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), ensuring the safety of people and property on the territory managed by the Administrator and the protection of his rights.
5.9. The area covered by the Administrator's monitoring is marked with appropriate graphic signs.
RECRUITMENT
5.10. As part of recruitment processes, the Administrator expects the submission of personal data (e.g., in a CV or resume) only to the extent specified in labor law regulations. Therefore, one should not provide information beyond this scope. If submitted applications contain additional data beyond what's mandated by labor law, their processing will be based on the candidate's consent (Article 6(1)(a) of the GDPR), expressed by the unequivocal act of sending application documents by the candidate. If applications contain information irrelevant to the purpose of recruitment, they will not be used or considered in the recruitment process.
5.11. Personal data is processed:
5.11.1. when the preferred form of employment is a contract of employment - to fulfill obligations arising from legal regulations related to the employment process, especially the Labor Code – the legal basis for processing is the legal obligation on the Administrator (Article 6(1)(c) of the GDPR in connection with labor law);
5.11.2. when the preferred form of employment is a civil contract – for the recruitment process – the legal basis for processing data contained in application documents is taking steps prior to entering into a contract at the request of the data subject (Article 6(1)(b) of the GDPR);
5.11.3. to conduct the recruitment process in terms of data not required by law or by the Administrator, and also for future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
5.11.4. to verify the qualifications and skills of the candidate and establish terms of cooperation – the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR). The Administrator's legitimate interest is the verification of job candidates and defining the conditions of potential cooperation;
5.11.5. to establish or pursue any claims by the Administrator or defend against claims made against the Administrator – the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR).
5.12. To the extent that personal data is processed based on given consent, this consent can be withdrawn at any time, without affecting the legality of processing done before its withdrawal. If consent is given for future recruitment processes, personal data will be deleted after two years – unless consent is withdrawn earlier.
5.13. Providing data within the scope specified in Art. 22(1) of the Labor Code is required: where the candidate prefers employment based on an employment contract, by legal regulations, mainly the Labor Code; where the candidate prefers employment based on a civil contract, by the Administrator. The consequence of not providing these data is the inability to consider the given application in the recruitment process. Providing other data is voluntary.
EVENT ORGANIZATION
5.14. In relation to organizing events or other similar activities, the Administrator processes participants' data for the purpose of participant identification and smooth event organization. Using the registration form requires providing personal data necessary for establishing contact with the User and registration for the event. The User can also provide additional data to facilitate contact or inquiry processing. Providing data marked as mandatory is required to accept and process the inquiry, and not providing them results in the inability to process. Providing other data is voluntary.
5.15. Personal data are processed:
5.15.1. for the purpose of identifying the sender and registering for the event – the legal basis for processing is the necessity of processing for the performance of the service contract (Article 6(1)(b) of the GDPR); regarding data provided optionally, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
5.15.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator and potential co-organizers of the event (Article 6(1)(f) of the GDPR), consisting of maintaining statistics of submitted inquiries and event settlement;
5.15.3. for accounting and evidential purposes – the legal basis for processing is the legitimate interest of the Administrator and potential co-organizers of the event (Article 6(1)(f) of the GDPR), which involves verifying participation in the event for financial settlement of the event in appropriate cases;
5.15.4. for the purpose of implementing the legitimate interest of Apius consisting of examining the satisfaction of event participants (Article 6(1)(f) GDPR);
5.15.5. for the purpose of contact by post (for sending gifts or marketing or informational materials) – the legal basis for processing is the legitimate interest of the Administrator, which involves postal communication in connection with the interest expressed by the participant (Article 6(1)(f) GDPR);
5.15.6. for the purpose of sending marketing materials by telephone or e-mail, in case a separate consent is given in this regard - the legal basis of the processing is the legitimate interest of the Administrator to promote its business, based on the consent given (Article 6(1)(f) GDPR);
5.15.7. for the purpose of sharing data for marketing communications with the Administrator's partners, in case a separate consent has been given in this regard for such communications - the legal basis for sharing is the Administrator's legitimate interest in promoting its enterprise, based on the consent given (Article 6(1)(f) GDPR).
5.16. If a third party participates in the organization of a given event, users' personal data may be transferred to such an entity for the purposes indicated in points 5.15.2, 5.15.3, and 5.15.7 to the necessary extent. In cases where such an entity is located outside the European Economic Area, the transfer is made with the observance of additional safeguards specified by law. More details on this topic can be found in section 7 of this Transparency Policy – Data Transfer outside the EEA. The list of partners to whom data are transferred for the purposes indicated above is located in section 6.
DATA COLLECTION IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER AGREEMENTS
5.17. When collecting data for the purposes related to the performance of a specific contract, the Administrator provides the Data Subject with detailed information on the processing of their personal data at the moment of concluding the agreement or at the time of obtaining personal data if processing is necessary to undertake actions by the Administrator upon the request of the Data Subject, before the conclusion of the agreement.
PROCESSING OF PERSONAL DATA OF STAFF MEMBERS OF CONTRACTORS OR CLIENTS COOPERATING WITH THE ADMINISTRATOR
5.18. In connection with the conclusion of commercial agreements as part of its business activities, the Administrator obtains from contractors/clients data of persons involved in the execution of such agreements (e.g., persons authorized for contact, placing orders, performing commissions, etc.). The scope of the data provided is always limited to the extent necessary for the performance of the contract and usually does not include other information than the name and business contact details. Such personal data are processed for the purpose of realizing the legitimate interests of the Administrator and his contractor (Art. 6 para. 1 lit. f GDPR), consisting of enabling the correct and efficient execution of the agreement. Such data may be disclosed to third parties involved in the execution of the agreement, in particular to providers responsible for the operation of IT systems and equipment (e.g., CCTV equipment for visual monitoring, systems supporting work organization and communication), and also to entities accessing data based on public information openness provisions and proceedings conducted based on public procurement law, to the extent provided by these provisions.
5.19. In special cases justified by the execution of the contract, audiovisual data concerning staff members of contractors or clients may be processed in tele- and videoconferencing systems. The data is processed for the purpose of remote communication and may also be recorded - in such a case, appropriate information is provided to the individual at the beginning of the tele- or video conference.
5.20. Data is processed for the period necessary to achieve the above interests and to fulfill obligations arising from regulations.
DATA COLLECTION IN OTHER CASES
5.21. In connection with its activities, the Administrator also collects personal data in other cases - e.g., by building and using lasting mutual business contacts (networking) during business meetings, at industry events, or through the exchange of business cards - for purposes related to initiating and maintaining business contacts. The legal basis for processing in this case is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR), consisting of building a network of contacts in connection with its activities.
5.22. Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator ensures their adequate protection.
6. Data recipients
6.1. In connection with its activities requiring processing, personal data is disclosed to external entities, especially to providers responsible for the operation of IT systems and equipment (e.g., CCTV equipment for visual monitoring, IT infrastructure, and IT services), entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data is also disclosed to entities affiliated with the Administrator.
6.2. The Administrator cooperates with business partners to whom specific data may be disclosed in cases indicated in the Transparency Policy. The Administrator ensures that such partners always have a legal basis for processing personal data. In case of questions about the processing of personal data by these partners, the data subject can contact the Administrator or directly the partner based on the data provided below:
- Arista Networks, Inc. - 5453 Great America Parkway, Santa Clara, CA 95054, Phone: +1-408-547-5500, Fax: +1-408-538-8920, USA
- Arrow ECS - Sosnowiecka 79, 31-345 Kraków, POLAND https://www.arrow.com/globalecs/pl/strony-regionalne/prawo-i-polityka/polityka-prywatnosci/
- Check Point Software Technologies Ltd. - 5 Shlomo Kaplan Street, Tel Aviv 67897, ISRAEL, Attention: Legal Department https://www.checkpoint.com/privacy/
- Cisco Systems, Inc. - 170 West Tasman Dr., San Jose, CA 95134, USA (Data Administrator in the EU: Cisco Systems International BV - Haarlerbergweg 13-19, 1101 CH Amsterdam-Zuidoost, NETHERLANDS) https://www.cisco.com/c/pl_pl/about/legal/privacy-full.html
- CLICO Sp. z o.o. - ul. Oleandry 2, 30-063 Kraków, POLAND https://clico.pl/privacypolicy
- CyberArk Software Ltd. - 60 Wells Avenue Newton, MA 02459, USA https://www.cyberark.com/privacy-notice/
- Dragos, Inc. - EU-REP.Global GmbH, Attn: Dragos, Hopfenstr. 1d, 24114 Kiel, GERMANY
- Exclusive Networks Poland S.A. - Zawiła 61, 30–390 Kraków, POLAND https://www.exclusive-networks.com/pl/informacje-prawne/polityka-prywatnosci/
- F5, Inc. - 801 5th Ave Seattle, WA 98104, USA https://www.f5.com/company/policies/privacy-compliance-and-practices (Data Administrator in Poland: F5 Networks Poland Sp. z o.o, ul. Postępu 15, Warszawa 02-676, POLAND)
- Forcepoint – 10900-A Stonelake Blvd. Quarry Oaks 1, Ste. 350 Austin, TX 78759, USA https://www.forcepoint.com/company/privacy-policy (Data Administrator in the EU: Forcepoint Poland Sp. z o.o. Ul. Przemysława Gintrowskiego 53/315 02-697 Warszawa, POLAND)
- Illumio, Inc. - 920 De Guigne Drive Sunnyvale, CA 94085, USA https://www.illumio.com/legal/privacy-policy
- Imperva, Inc. - Suite 203, One Curiosity Way, San Mateo, California 94403, USA https://www.imperva.com/trust-center/privacy-statement/
- Ivanti - 10377 South Jordan Gateway Suite 110 South Jordan, Utah 84095, USA https://www.ivanti.com/company/legal
- Netskope, Inc. - 2445 Augustine Dr. 3rd floor, Santa Clara, CA 95054, USA https://www.netskope.com/privacy-policy
- One Identity LLC. - 4 Polaris Way Aliso Viejo, CA 92656, USA https://www.oneidentity.com/legal/privacy.aspx
- Palo Alto Networks – 3000 Tannery Way Santa Clara, CA 95054, USA https://www.paloaltonetworks.com/legal-notices/privacy
- Prianto GmbH - Barthstraße 18 80339 München, GERMANY https://www.prianto.com/at/datenschutz
- Rapid7, Inc. Rapid7 LLC - 120 Causeway Street Suite 400 Boston, MA 02114, USA https://www.rapid7.com/privacy-policy/
- Radware Ltd. - 575 Corporate Drive Mahwah, NJ 07430, USA https://www.radware.com/privacypolicy.aspx/
- Recorded Future, Inc. - 363 Highland Avenue Somerville, MA 02144, USA https://www.recordedfuture.com/privacy-policy (Data Administrator in the EU: Recorded Future AB, Västra Hamngatan 24, 411 17 Göteborg, SWEDEN)
- Red Hat, Inc. - 100 East Davie Street Raleigh, NC 27601, USA https://www.redhat.com/en/about/privacy-policy
- SailPoint Technologies, Inc. - 11120 Four Points Drive, Suite 100 Austin, TX 78726, USA, https://www.sailpoint.com/legal/privacy/
- SentinelOne, Inc. - 444 Castro Street Suite 400 Mountain View, CA 94041, USA https://www.sentinelone.com/legal/privacy-policy/
- Splunk Inc. - 250 Brannan Street San Francisco, CA 94107, USA https://www.splunk.com/en_us/legal/privacy-policy.html
- Synopsys, Inc. - 675 Almanor Ave, Sunnyvale, CA 94085, USA
- Tenable, Inc. - Columbia, USA World Headquarters 6100 Merriweather Drive 12th Floor Columbia, MD 21044, USA
- Thales DIS Technologies B.V - 4 rue de la Verrerie, 92190, Meudon, FRANCE https://www.thalesgroup.com/en/privacy-notice
- Trend Micro Inc. - JR Shinjuku Miraina Tower 4-1-6 Shinjuku, Shinjuku-ku, Tokyo, JAPAN, ZIP 160-0022 https://www.trendmicro.com/pl_pl/about/trust-center/privacy.html (Data Administrator in the EU: Trend Micro (EMEA) Ltd., Cork Business & Technology Park, Model Farm Road, Cork, IRELAND)
- Tufin Software Technologies Ltd. – 11 Tuval Street, Ramat Gan, 52522, ISRAEL https://www.tufin.com/privacy-center
- TXOne Networks - High Tech Campus 5, 5656 AE Eindhoven, NETHERLANDS
- Wallix SARL – 250 bis, rue du Faubourg Saint-Honoré, 75008 PARIS, FRANCE, https://www.wallix.com/privacy-policy
- Yubico AB - Kungsgatan 44, 2nd Floor, 111 35 Stockholm, SWEDEN, https://www.yubico.com/support/terms-conditions/privacy-notice/
6.3. The Administrator reserves the right to disclose selected information about the Data Subject to the appropriate authorities or third parties who request such information, relying on the appropriate legal basis and in accordance with the provisions of applicable law.
7. Data Transfer Outside the EEA
7.1. The level of personal data protection outside the European Economic Area (“EEA”) differs from that ensured by European law. For this reason, the Data Controller transfers personal data outside the EEA only when necessary, ensuring an adequate level of protection, primarily through:
7.1.1. collaboration with entities processing personal data in countries regarding which a relevant decision has been issued by the European Commission confirming an adequate level of protection for personal data;
7.1.2. use of standard contractual clauses issued by the European Commission, provided that an adequate level of personal data protection is ensured;
7.1.3. application of binding corporate rules approved by the relevant supervisory authority, provided that an adequate level of personal data protection is ensured;
7.1.4. with the explicit consent of the data subject, after informing them of the risks associated with such data transfers.
7.2. The Data Controller always informs about the intention to transfer personal data outside the EEA at the time of their collection.
8. Personal Data Processing Period
8.1. The data processing period by the Administrator depends on the type of service provided and the purpose of processing. The data processing period may also result from regulations when they constitute the basis for processing. When processing is based on the legitimate interest of the Administrator (e.g., for security reasons), data is processed for the period allowing the realization of this interest or until an effective objection to data processing is raised. If processing is based on consent, data is processed until it is withdrawn. When the basis for processing is the necessity to conclude and perform a contract, data is processed until its termination.
8.2. The data processing period may be extended if processing is necessary to determine or pursue claims or defend against claims, and after this period - only to the extent and as long as required by law.
9. Rights Associated with Personal Data Processing
DATA SUBJECT RIGHTS
9.1. Data subjects have the following rights:
9.1.1. right to information on personal data processing – based on this, the Administrator provides the individual submitting the request with information on data processing, especially about the purposes and legal bases of processing, the scope of held data, entities to which they are disclosed, and the planned data deletion date;
9.1.2. right to obtain a copy of the data – based on this, the Administrator provides a copy of the processed data related to the individual making the request;
9.1.3. right to rectification – the Administrator is obliged to remove any discrepancies or errors in the processed personal data and complete them if they are incomplete;
9.1.4. right to data erasure – based on this, one can demand the deletion of data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. right to restrict processing – upon submitting such a request, the Administrator ceases to perform operations on personal data, except for operations to which the data subject has consented and for storing the data, in line with adopted retention rules or until the reasons for restricting data processing cease (e.g., a supervisory authority decision permitting further data processing is issued);
9.1.6. right to data portability – based on this, to the extent that data is processed automatically in connection with a concluded contract or expressed consent, the Administrator provides data provided by the person they concern in a format readable by a computer. It is also possible to request that this data be sent to another entity, but this requires technical capabilities on both the Administrator's side and the indicated entity's side;
9.1.7. right to object to data processing for marketing purposes – A data subject can object to personal data processing for marketing purposes at any time, without the need to justify such objection;
9.1.8. right to object to other processing purposes – A data subject can object at any time, for reasons related to their particular situation, to the processing of personal data carried out based on the legally justified interest of the Administrator (e.g., for analytical or statistical purposes or reasons related to property protection); the objection in this scope should include a justification;
9.1.9. right to withdraw consent – if data is processed based on expressed consent, the data subject has the right to withdraw it at any time, but this does not affect the legality of processing carried out before its withdrawal;
9.1.10. right to lodge a complaint – if it is believed that the processing of personal data violates GDPR provisions or other regulations concerning personal data protection, the data subject can lodge a complaint with the supervisory authority responsible for personal data processing, appropriate due to the usual residence of the data subject, their place of work, or the place of the alleged infringement. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
REPORTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
9.2. Requests related to the exercise of data subject rights can be submitted:
9.2.1. In writing to the address: ul. Stanisława Moniuszki 50, 31-523 Kraków, with the note Personal Data Protection;
9.2.2. Electronically to the e-mail address: daneosobowe@apius.pl.
9.3. If the Administrator is unable to identify the individual based on the submitted request, he will ask the applicant for additional information. Providing such data is not mandatory, but failing to provide it will result in the refusal to process the request.
9.4. Requests can be submitted personally or through a representative (e.g., a family member). For data security reasons, the Administrator recommends using a power of attorney in a form certified by a notary or authorized legal counsel or attorney, which will significantly expedite the verification of the request's authenticity.
9.5. A response to the request should be given within a month of its receipt. If necessary to extend this period, the Administrator will inform the applicant about the reasons for this action.
9.6. If the request was directed to the Company electronically, the response is provided in the same form, unless the applicant has requested a response in a different form. In other cases, the response is given in writing. If the deadline for processing the request prevents a written response and the range of the applicant's data processed by the Administrator allows for electronic contact, the response should be provided electronically.
9.7. The Company retains information regarding the submitted request and the person who made the request to ensure the ability to demonstrate compliance and for the determination, assertion, or defense of any data subject claims. The request registry is kept in a way that ensures the integrity and confidentiality of the data contained therein.
FEES POLICY
9.8. The procedure for submitted applications is free of charge. Fees may only be charged in the case of:
9.8.1. Requesting the issuance of a second and each subsequent copy of data (the first copy of the data is free); in such a case, the Administrator may request a fee of 100 zł. This fee covers the administrative costs associated with processing one request;
9.8.2. Submission by the same person of requests that are excessive (e.g., very frequent) or manifestly unfounded; in such a case, the Administrator may request a fee of 100 zł. This fee covers the costs of communication and the costs associated with taking the requested actions;
9.8.3. If the decision to charge a fee is disputed, the data subject can file a complaint with the supervisory authority overseeing personal data processing, competent due to the person's usual place of residence, place of work, or place of the alleged violation. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
10. Changes to the Personal Data Processing Policy
10.1. The adequacy of the policy content is continuously monitored and updated as needed.
10.2. The current version of the Policy was adopted on 13.03.2019.