The data Controller is CASE – Center for Social and Economic Research – scientific foundation based in Warsaw at Al. Jana Pawła II 61 suite 212, 01-031 Warsaw, entered into the business register of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Division of the National Court Register, under number 0000167095, tax identification number (NIP) 5260205291, registered business number (REGON) 012118755 (“CASE”).
Purpose, scope and basis of personal data processing
Users’ personal data are collected in the following cases:
- communication with CASE – responding to correspondence, queries, requests, and complaints,
- Newsletter services,
- registering for CASE events,
- administering the Website, and research and analysis of activity on the Website.
CASE processes Users’ personal data where such data are necessary to duly perform the services provided. The purpose, lawful basis, and duration of personal data processing are specified separately for each data processing purpose, in line with the detailed clauses below describing the various purposes of data processing.
Communication with CASE
- Personal data are obtained when the User communicates with CASE by e-mail, fax, or by telephone
- In such a case, the lawful basis for personal data processing is the User’s consent, given through the act of contacting CASE.
- Personal data provided during communication with the User are processed solely in order to process a query submitted by the User. Records may be kept of the contents of the communication.
- When subscribing to the Newsletter, the User gives their e-mail address.
- In such a case, the lawful basis for personal data processing is a service provided electronically – the data subject gives consent to performance of an agreement for provision of a Newsletter service.
- Personal data provided in connection with the Newsletter are processed in order to send information about CASE’s activities. The User may cancel the Newsletter free of charge at any time.
- CASE will process the User’s data with respect to this service until the User withdraws consent to receipt of this service.
Registration for events
- Personal data are obtained when the User registers by sending in the registration form for an event, or via e-mail. We collect your data for the purpose of registration for an event or when necessary to contact you regarding the event and event-related activities (art. 6(1)(b) of the GDPR). If you give CASE separate, voluntary consent, which can be withdrawn at any time, your data given on the registration form (first name, surname, e-mail address, organisation) may also be processed to send information about other CASE events and activities - (art. 6(1)(a) and (f) of the GDPR.
- The lawful basis for personal data processing is the User’s consent, which is given through the act of registering for a CASE event.
- Your personal data will be processed until the event comes to an end, and subsequently for the duration and to the extent required by law or to safeguard any claims that may arise, and also due to consent to receive information about other CASE events and activities, until consent to processing of this kind is withdrawn.
Administering the Website, research and analysis of activity on the Website
- The data collected and processed when administering the Website are the IP address, server date and time, information about the browser, information about the operating system, the date and time at which the website is visited, approximate location, the time spent on the website, and subsites visited. When subscribing to the Newsletter, the User also gives their e-mail address.
- In such a case, the lawful basis for processing personal data is a legitimate interest pursued by CASE.
Disclosure to third parties
Users’ personal data may be disclosed to processors on behalf of CASE, such as providers of technological services, providers and partners in provision of logistical, forwarding, and delivery services, providers and partners in provision of marketing and advertising services, and Google Analytics. In such cases, CASE requires the third parties to keep the information confidential and secure, and monitors to ensure that the proper personal data protection measures are employed.
In addition, Users’ personal data may also be disclosed to parties authorised to obtain the data under currently applicable law, for example to law enforcement agencies. Where permitted under currently applicable law, CASE may also disclose Users’ data to debt collection and debt purchase organisations.
Transfer of data to third countries
CASE partners are mostly based within the EEA (the EU plus Iceland, Liechtenstein, and Norway) - or in Switzerland, which is a country recognised as ensuring an adequate level of personal data protection.
Some CASE partners, such as MailChimp, are based outside of the EEA. When data are transferred outside of the EEA, CASE monitors to ensure that the partners have provided guarantees of a high level of personal data protection. These guarantees are given in particular in an undertaking to apply standard contractual clauses adopted by the EC, or taking part in the Privacy Shield scheme under Commission implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield.
CASE distributes the newsletter and receives registration for Events via the e-mail marketing platform MailChimp, and this means that the User data recipient is the Rocket Science Group LLC, based in Atlanta, USA. As the Newsletter is distributed via MailChimp, Users’ personal data are transferred to the United States, but are secure as they are protected under the EU-US Privacy Shield. A copy of personal data transferred to a third country may be obtained.
Automated decision-making and profiling of personal data
CASE does not conduct automated decision-making or profiling based on personal data.
Duration of personal data processing
The period for which Users’ personal data are stored depends on the purpose of processing the data. This is provided for by law (requiring data to be stored for a certain period of time) or is vital in order to perform an agreement or for the purpose of a legitimate interest pursued by CASE or a third party.
If personal data are processed based on consent, CASE processes the User’s personal data until consent is withdrawn, and, once consent is withdrawn, for a period valid under the limitation of claims.
If data processing is based on performance of an agreement, CASE processes the User’s personal data for the period necessary to perform the agreement, and subsequently for a period valid under the limitation of claims.
If CASE processes personal data based on legitimate interest as a controller, CASE processes the personal data until the User submits an effective objection.
Rights of data subjects
A data subject has the following rights:
- right to request access to their data, and to rectification, erasure, and restriction of processing of their data,
- right to object to processing,
- right to data portability,
- right to withdraw consent to personal data processing for a specific purpose if the data subject previously gave such consent; withdrawal of consent does not affect the lawfulness of processing performed before withdrawal,
- right to lodge a complaint with a supervisory authority due to processing of personal data by CASE.
A data subject may exercise their rights by contacting CASE at Al. Jana Pawła II 61 suite 212, 01-031, Warsaw or by e-mail at email@example.com
CASE may refuse a request to exercise some of the rights listed above if exercise of that right is incompatible with a legitimate purpose for which CASE processes data.
The User always provides personal data voluntarily, but the data must be provided for example in order to contact CASE or use the Newsletter service. If CASE erases or ceases processing personal data, this could render provision of services impossible.
CASE guarantees confidentiality of any personal data disclosed to CASE, and that all measures to secure and protect personal data as required by personal data protection laws are taken. Personal data are collected with due diligence and appropriately protected against unauthorised access.
Last updated: 4 January 2019.