PRIVACY AND COOKIES POLICY
CONFIMA GROUP SP. Z O.O.
Confima Group Sp. z o.o. based in Poznań respects the privacy of Users utilizing the Service and other services provided by the Service Provider. This Privacy and Cookies Policy, hereinafter referred to as the Privacy Policy, helps to understand what personal data and non-personal information we collect, the purpose for which we collect it, and the principles governing this process. We recommend that you read its content before using our services.
We inform you that the actions taken by the Service Provider comply with:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the EU L 119/1), hereinafter referred to as GDPR,
• The Personal Data Protection Act of 10 May 2018 (consolidated text: Official Journal of 2019, item 1781, as amended),
• The Act of 18 July 2002 on the provision of electronic services (consolidated text: Official Journal of 2020, item 344, as amended), hereinafter referred to as the Act on Electronic Services,
• The Telecommunications Law of 16 July 2004 (consolidated text: Official Journal of 2024, item 34, as amended), hereinafter referred to as the Telecommunications Law.
§ 1
DEFINITIONS
Digital Services Act ― Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC
Cookies ― refers to IT data, in particular small text files, saved and stored on the User’s end device, through which the User uses the Service’s websites
Data ― all content and information provided by Users
Civil Code ― the Act of 23 April 1964 – Civil Code (consolidated text: Official Journal of 2023, item 1610, as amended)
Privacy Policy ― refers to this document
Copyright Law ― the Act of 4 February 1994 on Copyright and Related Rights (consolidated text: Official Journal of 2022, item 2509, as amended)
Profiling ― a form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyze or predict aspects concerning personal preferences and interests
Terms of Service ― the Terms of Service for the provision and delivery of Digital Services and Digital Content by electronic means of Confima Group Sp. z o.o.
Service ― websites owned by the Service Provider, in particular operated at: https://confima.pl as well as, to an appropriate extent, the Service Provider’s fan pages operated on the portal:
• Facebook at: https://www.facebook.com/confimaacademy/
• Instagram at: https://www.instagram.com/confima.academy/
• Linkedin at: https://www.linkedin.com/company/confima-group
Website ― an HTML document (text file read by a web browser) made available on the Internet by a web server
ICT System ― a set of cooperating IT devices and software that ensures the processing and storage, as well as sending and receiving data through telecommunications networks by means of an appropriate device for a given type of network terminal device
Digital Environment ― computer hardware, software, and network connections used by the consumer to access or use digital content or digital services
Content ― all content provided by Users, such as comments, reactions
Digital Content ― data produced and supplied by the Service Provider in digital form
Agreement ― an agreement concluded between the Service Provider and the User, using the Service, under which the Service Provider undertakes to provide electronic services, specified Digital Services, or deliver Digital Content
Device ― an electronic device through which the User can use the services or digital content provided by the Service Provider, in particular, a personal computer, laptop, tablet, smartphone, e-book reader
Terminal Device ― a telecommunications device intended for direct or indirect connection to network terminations
Digital Services/Services ― services provided by the Service Provider that allow the consumer to produce, process, store, or access data in digital form, share data in digital form transmitted or produced by the consumer or other users of this service, or other forms of interaction using data in digital form
Electronic Services ― all services provided electronically by the Service Provider to Users based on these Terms
Service Provider ― Confima Group Sp. z o.o. based in Poznań, ul. Święty Marcin 29 lok. 8, 61-806 Poznań, entered in the register of entrepreneurs of the National Court Register by the District Court Poznań – Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register under number KRS: 0001072936, NIP: 7831892861, share capital: 5,000.00 PLN, e-mail: kontakt@confima.pl, tel. +48 574 893 170
Consumer Rights Act ― the Act of 30 May 2014 on consumer rights (consolidated text: Official Journal of 2023, item 2759, as amended)
User ― a natural person, legal person, and organizational unit referred to in Article 331 § 1 of the Civil Code using the Service
§ 2
METHODS OF DATA COLLECTION
1. The Administrator of the Users’ personal data is the Service Provider.
2. Personal data collected by the Service Provider is processed in accordance with the GDPR.
3. The Service Provider collects various non-personal and personal data about Users.
4. Depending on the purpose, consent, and legal basis for the collection and processing of personal data, the Service Provider may collect and process, among others, the following data:
1) Identification data, including: first name and last name, PESEL, NIP,
2) Contact data, including: address of residence/correspondence/business operation, phone number, email address,
3) Other data, including: User profile name on Facebook, Instagram, LinkedIn, User’s profile picture made public on the aforementioned services, image, bank account number, educational history and professional resume, other data provided in the CV or related to the User’s social media accounts.
5. The Service Provider – except for data automatically collected via cookies and login data, as mentioned below – collects and processes User data for the purpose of:
1) Contacting via private message within Facebook, Instagram, LinkedIn, phone number, or email address, including responding to a message sent by the User through the contact form or contacting those individuals at their request, which constitutes a legitimate interest of the Service Provider. The legal basis for processing is: Art. 6(1)(a) GDPR, Art. 6(1)(b) GDPR, and Art. 6(1)(f) GDPR. Data will be processed for a period of one year;
2) Conducting recruitment processes. The legal basis for processing is: Art. 6(1)(a) GDPR, i.e., consent given by the User and Art. 6(1)(c) GDPR in connection with Art. 221 § 1-4 of the Labor Code of 26 June 1974, if the basis for employment is an employment contract and the scope of data includes the data specified in the aforementioned provisions. Data will be processed for the duration of the current recruitment process, and in the case of additional consent, personal data will also be processed for future recruitment, until consent is withdrawn, but no longer than for a period of 2 years;
3) Identifying the User in the elevato system (email address only). The legal basis for processing is: Art. 6(1)(f) GDPR, i.e., the legitimate interest of the Service Provider. Data will be processed for the duration of the current recruitment process, and in the case of additional consent, personal data will also be processed for future recruitment, until consent is withdrawn, but no longer than for a period of 2 years;
4) Fulfilling the contract for the provision of electronic services. The legal basis for processing is: Art. 6(1)(a) GDPR and Art. 6(1)(b) GDPR. Data will be processed for the limitation period resulting from generally applicable laws or for the period specified by tax laws;
5) Direct marketing, including receiving commercial information (provided the User has given marketing consent), which constitutes a legitimate interest of the Service Provider. The legal basis for processing is: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Data will be processed for a period of fifteen years or until consent for processing is withdrawn;
6) Promoting or advertising the activities carried out by the Service Provider, including offered products or services (provided the User has given consent), which constitutes a legitimate interest of the Service Provider. The legal basis for processing is: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Data will be processed for a period of fifteen years or until consent for processing is withdrawn;
7) Conducting proceedings resulting from the provision of illegal content, regulated by the Digital Services Act (e.g., Articles 9, 10, 16-18) and the Terms of Service. The legal basis for processing is: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Data will be processed for the duration of the proceedings unless a longer period is required by generally applicable laws;
8) Conducting complaint proceedings. The legal basis for processing is: Art. 6(1)(f) GDPR. Data will be processed for the duration of the proceedings or for the limitation period resulting from generally applicable laws;
9) Establishing, pursuing claims, and defending against claims arising from business activities, which constitutes a legitimate interest of the Service Provider. The legal basis for processing is: Art. 6(1)(f) GDPR. Data will be processed for the limitation period resulting from generally applicable laws;
10) Keeping accounting books and tax documentation. The legal basis for processing is: Art. 6(1)(c) GDPR in connection with Art. 74(1) and (2) of the Accounting Act of 29 September 1994 (consolidated text: Official Journal of 2023, item 120, as amended). Data will be processed for a period of five years unless a longer period is specified by special regulations governing the storage of accounting and tax documentation.
6. Browsing the content of the Service does not require providing personal data other than information automatically obtained about connection parameters.
7. The consent given by the User for the processing of their personal data is entirely voluntary, conscious, explicit, and confirmed. However, it is necessary, for example, to obtain a response to a sent message or receive marketing/commercial information.
8. In the case of consent to the processing of personal data, the User is obliged to provide true data that allows their identification or contact with them.
§ 3
LEGALITY OF PROCESSING AND IMPLEMENTATION OF APPROPRIATE SAFEGUARDS
1. The Service Provider processes data in accordance with the law, collects it for specified, lawful purposes, and does not subject it to further processing inconsistent with these purposes. Data is collected only to the extent that is adequate, necessary, and essential for the purposes for which it is processed. The Service Provider does not process special categories of personal data.
2. The Service Provider makes every effort to protect Users’ personal data from unauthorized access by third parties and employs high-level organizational and technical security measures in this regard. The Service Provider does not disclose personal data to any recipients unauthorized to do so under the applicable legal provisions. The Service Provider may entrust another entity, by way of a written agreement, with the processing of personal data on behalf of the Service Provider. Data may only be shared with entities authorized to receive it under applicable legal provisions.
3. The Service Provider employs security measures for servers, connections, and the Service. However, these measures may prove insufficient if Users themselves do not adhere to security principles.
§ 4
PROFILING AND AUTOMATED PROCESSING OF PERSONAL DATA
1. To ensure the most advantageous, tailored, and personalized offer for its Users, as well as for purposes necessary for the conclusion or performance of a contract between the data subject and the Service Provider, and in the case of the explicit consent of the data subject, the Service Provider may use profiling.
2. Decisions regarding the sending of a personalized offer or granting a discount or other benefit are made automatically based on information/statistics collected in cookies. After determining that the criteria are met, the IT system automatically sends information about the granted benefit. The benefit can be used under the terms specified in the information about its granting or can be declined.
3. Users’ personal data may also be processed in an automated manner (e.g., as part of automatic feedback responses). The primary purpose of automated personal data processing is to improve the service provision by the Service Provider.
§ 5
RIGHTS
1. The Service Provider ensures that Users can exercise the rights mentioned in paragraph 2 below. To exercise these rights, an appropriate request should be sent via email to the Service Provider’s email address.
2. Users have the right to access the content of their data and receive a copy of it (including Article 15 GDPR), rectify it (including Article 16 GDPR), delete it (including Article 17 GDPR), or restrict its processing (including Article 18 GDPR) – provided that separate regulations do not exclude or limit this right. Users also have the right to data portability (including Article 20 GDPR), the right to object to data processing based on, among others, Article 6(1)(e) or (f) GDPR, or for direct marketing purposes or for the promotion and advertising of the Service Provider (if consent has been given for data processing for this purpose) – (including Article 21 GDPR). Additionally, Users have the right to request the cessation of data processing, as well as the right to withdraw consent at any time and the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection (including Article 77 GDPR); exercising the right to withdraw consent does not affect the processing that took place up to the moment of consent withdrawal.
3. The Service Provider processes the submitted requests promptly, but no later than within one month from the moment of receipt. However, if – due to the complex nature of the request or the number of requests – the Service Provider cannot process the User’s request within the specified time, it will inform the User about the intended extension of the term and indicate the date for considering the application, which will not exceed 2 months.
4. The Service Provider informs each recipient to whom personal data has been disclosed about the rectification, deletion, or restriction of data processing made in accordance with the User’s request unless this proves impossible or requires disproportionately large efforts.
§ 6
TRANSFER OF DATA TO OTHER ENTITIES
1. In accordance with Article 28 of the GDPR, the Service Provider may entrust the processing of personal data to third parties without the separate consent of the User. The data processor processes the data solely within the scope and for the specific purpose commissioned by the Service Provider (under a data processing agreement) to ensure the security of such data or to enable the provision of services by the Service Provider. The data processor is obliged to ensure the confidentiality and security of personal data.
2. The User’s data may, in particular, be transferred to:
1) employees and collaborators of the Service Provider authorized by the Service Provider to process Users’ personal data,
2) entities with which the Service Provider has concluded a data processing agreement,
3) potential employers within the framework of conducted recruitment processes,
4) ELEVATO S.A. based in Bielsko-Biała, ul. Prof. Dr. Mieczysława Michałowicza 12, 43-300 Bielsko-Biała within the framework of conducted recruitment processes,
5) an accounting/bookkeeping office or an appropriate entity dealing with accounting matters – for the purpose of accounting and bookkeeping services for the Service Provider,
6) providers of technical and organizational services (in particular, providers of ICT services, entities providing postal and courier services),
7) providers of legal and advisory services, including in the case of pursuing claims related to the business activities conducted by the Service Provider and defense against claims,
8) other entities, persons, or bodies – to the extent and on the principles specified by law.
3. Users’ personal data may be disclosed to the relevant public authorities or law enforcement agencies if required by applicable law.
4. Processed personal data is not disclosed externally to recipients not indicated above in a form that would allow any identification of Users, unless the User or Client has given their consent for such disclosure.
§ 7
SOCIAL MEDIA AND ADDITIONAL TOOLS
1. The Service Provider may use services and technologies offered by Meta Platforms Inc. such as Facebook, Messenger, and Instagram.
2. The Service Provider may also use additional tools such as Google Analytics provided by Google LLC, Meta Pixel provided by Meta Platforms Inc., and Microsoft Clarity provided by Microsoft Corporation.
3. The Service Provider indicates that the aforementioned entities are based outside the European Union and EEA, and therefore, under GDPR regulations, they are treated as entities operating in a third country.
4. The Service Provider points out that GDPR introduces certain restrictions on the transfer of personal data to third countries, as European regulations generally do not apply there.
5. The User acknowledges that personal data provided by them within the services and technologies offered by the aforementioned entities and used by the Service Provider will be co-administered by these entities and the Service Provider to an appropriate extent.
6. The User acknowledges that specific personal data provided by them, depending on the specific settings, within the services and technologies offered by the aforementioned entities and used by the Service Provider may be accessible to other users of the aforementioned social media services (e.g., information about the Service Provider’s followers, expressed reactions, as well as the content of comments or posts are public).
7. The User acknowledges that within the Service Provider’s Service, there may be links (hyperlinks) to other services operated by the Service Provider’s business partners. Using these services may require accepting additional terms of service or privacy policies.
8. The Service Provider points out that more information on the principles of personal data processing by Meta Platforms Inc. within Facebook can be found at: https://www.facebook.com/about/privacy, and within Instagram at: https://privacycenter.instagram.com/policy.
§ 8
COOKIES
1. While using the Service, small files, particularly text files, containing information that allows the retention of certain User data (hereinafter: “cookies”) are saved on the User’s end device. Cookies also enable the collection of statistical data, as mentioned in paragraph 2 below.
2. Cookies do not contain identifying data, which means that it is not possible to determine the identity based on them. The files used by the Service are not harmful to the User or the device and do not interfere with its software or settings.
3. The cookies system does not interfere with the operation of the User’s computer and can be disabled.
4. Generally, browsers have a default setting that allows the saving of cookies.
5. Users can choose which types of cookies can be saved when using the Service. Users can change their choice at any time.
6. The Service Provider points out that more information on the use of cookies by Meta Platforms Inc. within Facebook can be found at: https://www.facebook.com/privacy/policies/cookies/, and within Instagram at: https://help.instagram.com/help/instagram/1896641480634370/?locale=pl_PL.
§ 9
SERVER LOGS
Using the Service involves sending queries to the server. Each query directed to the server is recorded in the server logs. The logs include, among others, the User’s IP address, the date and time of the server, information about the web browser, and the operating system used by the User. Logs are saved and stored on the server. The data stored in the server logs is anonymous and is not associated with specific individuals using the Service, nor is it used by us to identify the User. Server logs serve solely as an auxiliary material for website administration, and their content is not disclosed to anyone except persons authorized to administer the server.
§ 10
COPYRIGHT
1. The Service Provider is the sole entity authorized to use the content of this Privacy Policy under a non-exclusive license. The content of the Privacy Policy is legally protected under Copyright Law as well as other regulations concerning intellectual property protection.
2. Subject to the provisions of generally applicable law, the use of this Privacy Policy in specific known fields of exploitation (particularly by copying or other use for commercial purposes, as well as distribution, modification, and publication on other websites) without prior written consent from the Service Provider is prohibited.
3. Any person using this Privacy Policy in a manner contrary to the above-mentioned principles is subject to criminal and civil liability as provided in Copyright Law and may also be liable for damages under general principles specified in the Civil Code.
§ 11
FINAL PROVISIONS
1. Contact with the Service Provider as the data controller is possible via the email address: kontakt@confima.pl.
2. The Service Provider has the right to amend this document, of which the User will be notified in a manner that allows them to become familiar with the changes before they take effect, e.g., by posting relevant information within the Service or by sending a notification to the email address provided by the User.
3. This document does not limit any rights that the User is entitled to under generally applicable laws.
4. Effective date: May 8, 2024.