Controller of Personal Data
The controller of your personal data is Fundacja Polski Instytut Evidence Based Medicine (Polish Institute for Evidence Based Medicine; hereinafter: “CONTROLLER”) with its registered seat at ul. Gazowa 14A, 31-060 Kraków, Poland. The Controller can be contacted in writing by post at the address above or by email at contact@piebm.org.
Data Protection Officer
The Controller has not appointed a Data Protection Officer.
Legal Basis
Personal data are processed based on the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), and based on the Polish Act on Foundations of 6 April 1984.
Contact
We use the personal data you have provided when contacting us (such as your first and last name, email address, and other details you have submitted in your message to the Controller). The provision of these data is necessary for us to be able to contact you.
We use the personal data you have provided in order to contact you regarding your inquiry. The processing of your personal data is based on our legitimate interest in effective communication with you, as outlined in Art. 6(1)(f) of GDPR. Your personal data will be processed by the Controller for 5 years, whereupon their necessity will be reviewed and they may be deleted if no longer needed.
We do not collect personal data from third parties.
No automated decision making is to be carried out on these data by the Controller.
Professional Contacts
The personal data are processed for the purpose of personal data exchange as part of professional contacts. The processing of your personal data is based on our legitimate interest, as outlined in Art. 6(1)(f) of GDPR. We may obtain personal data from third parties, including employees, cooperators, volunteers, beneficiaries, contractors, customers, or officials. The personal data will be processed by the Controller indefinitely.
No automated decision making is to be carried out on these data by the Controller.
Donations
We use the personal data you have provided in the payment form or bank transfer (such as your first and last name, address, email address, and bank account number). The provision of personal data is necessary if you want to support our activity. We use the personal data you have provided in order to enable and handle your donation to the Controller. The processing of your personal data is based on Art. 6(1)(b) of GDPR. We also use the abovementioned personal data for the purpose of issuing financial records documenting donations, which is our legal obligation, as outlined in Art. 6(1)(c) of GDPR. Your personal data will be processed for this purpose for 5 years following the reconciliation of your donation.
We use your personal data such as your email address and street address in order to send you a thank you note and information about our activity that has been funded owing to your support. The processing of your personal data is based on our legitimate interest, as outlined in Art. 6(1)(f) of GDPR. Your personal data will be processed for this purpose for 1 year following your support or until you object to their processing, whichever is earlier.
We do not collect personal data from third parties.
No automated decision making is to be carried out on these data by the Controller.
Invoices
We process your personal data for the purpose of invoicing and payment, as outlined in Art. 6(1)(b) of GDPR, and invoice settlement, as outlined in Art. 6(1)(c) of GDPR, pursuant to the Polish Act of 29 September 1994 on Accounting. Your personal data will be processed by the Controller for 5 years starting from the beginning of the year following the year of issue of the financial records.
We do not collect personal data from third parties.
No automated decision making is to be carried out on these data by the Controller.
Newsletter
We use your personal data such as your email address to inform you about our activity and planned and undertaken actions. The processing of your personal data is based on your consent to the processing of such data, as outlined in Art. 6(1)(a) of GDPR. You can unsubscribe from the newsletter at any time by writing to the Controller. We will process your data until you withdraw your consent or until the Controller ceases to share the newsletter.
We do not collect personal data from third parties.
No automated decision making is to be carried out on these data by the Controller.
Meeting Participants
We process your personal data in order to enable your participation in online meetings and trainings organized by the Controller, including establishing contact with you. The processing of your personal data is based on Art. 6(1)(b) of GDPR. Your data will be stored until the end of the meeting. We will also process your data for the purpose of the establishment, exercise, or defense against claims. The processing of your personal data for this purpose is based on our legitimate interest, according to Art. 6(1)(f) of GDPR. Your data will be stored for this purpose for 3 years following the end of the meeting/training.
We do not collect personal data from third parties.
No automated decision making is to be carried out on these data by the Controller.
Information for Job Candidates and Employees
Child Care Allowance
Applicant
We process the personal data of your child because you have filed a request for child care allowance, as outlined in Art. 6(1)(c) and Art. 9(2)(h) of GDPR. The data will be stored for 5 years and will be handled thereafter as archived data.
We will process your personal data because you have filed a request for child care allowance, as outlined in Art. 6(1)(c) of GDPR. The data will be stored for 5 years and will be handled thereafter as archived data.
The other parent/spouse/other member of the applicant’s family
We process your personal data because the mother or father of your child or your spouse/family member has filed a request for child care allowance, as outlined in Art. 6(1)(c) of GDPR. The data will be stored for 5 years and will be handled thereafter as archived data.
No automated decision making is to be carried out on these data by the Controller.
Allowance for Caring for a Sick Family Member
Applicant
We process your personal data because you have filed a request for allowance for caring for a sick family member, as outlined in Art. 6(1)(c) of GDPR. The data will be stored for 5 years and will be handled thereafter as archived data.
Spouse/other member of the applicant’s family
We process your personal data because your spouse/family member has filed a request for allowance for caring for a sick family member, as outlined in Art. 6(1)(c) of GDPR. The data will be stored for 5 years and will be handled thereafter as archived data.
No automated decision making is to be carried out on these data by the Controller.
Carer’s Leave
We process your personal data because you have been on a carer’s leave to care for a sick family member, as outlined in Art. 6(1)(c) and Art. 9(2)(b) of GDPR. The data will be retained for 50 years following the termination or expiry of your employment (for employment relationships established before 1 January 1999 and for those established between 1 January 1999 and 31 December 2018 with no filed information report) or for 10 years following the end of the calendar year of termination or expiry of your employment or submission of the information report (for employment relationships established after 31 December 2018 and between 1 January 1999 and 31 December 2018 with filed information report).
No automated decision making is to be carried out on these data by the Controller.
Recruitment Under the Labor Code
We process your personal data in order to conduct a recruitment procedure and to the extent set forth in the law on employment, as outlined in Art. 6(1)(b) and Art. 6(1)(c) of GDPR, based on the Act of 26 June 1974 – Polish Labor Code, as well as for the purpose of establishment, exercise, or defense against claims, as outlined in Art. 6(1)(f) of GDPR. Furthermore, your personal data may be processed beyond the provisions of the law on employment, based on the consent you have given—Art. 6(1)(a) of GDPR.
Finally, we can process your personal data for the purpose of conducting future recruitment processes if you have given your consent to the processing of your personal data for this purpose, according to Art. 6(1)(a) of GDPR.
If the recruitment documents contain the personal data referred to in Art. 9(1) of GDPR, such data will be processed solely based on your explicit consent, as outlined in Art. 9(2)(a) of GDPR.
The personal data of candidates whose job applications have been unsuccessful will be processed until the end of the recruitment process and then for a period of 3 years for the purpose of establishment, exercise, or defense of claims. If you have given your consent to the processing of your personal data in subsequent recruitment processes, your data will be stored for 1 year.
After the employment contract is signed, the successful candidates’ personal data are included in their personal files and stored according to applicable laws.
We do not collect personal data from third parties.
The Controller does not transfer personal data to third countries.
No automated decision making is to be carried out on these data by the Controller.
Recruitment Under the Civil Code
We process your personal data in order to conduct a recruitment procedure, which includes verifying your qualifications—Art. 6(1)(b) of GDPR—based on the Act of 23 April 1964, Polish Civil Code, and for the purpose of establishment, exercise, or defense against claims, as outlined in Art. 6(1)(f) of GDPR. If the documents contain personal data that have not been identified as mandatory in the job advertisement, such data will be processed on the basis of your explicit consent to their processing, pursuant to Art. 6(1)(a) of GDPR.
If the documents contain personal data referred to in Art. 9(1) of GDPR, such data will be processed solely based on your explicit consent—Art. 9(2)(a) of GDPR.
Finally, we may process your personal data for the purpose of conducting future recruitment processes if you have given your consent to the processing of your personal data for this purpose, pursuant to Art. 6(1)(a) of GDPR.
Your personal data will be processed by the Controller until the end of the process of verification and confirmation of your qualifications.
The personal data of candidates whose job applications have been unsuccessful will be processed until the end of the recruitment process and then for a period of 3 years for the purpose of establishment, exercise, or defense of claims. If you have given your consent to the processing of your personal data in subsequent recruitment processes, your data will be stored for 1 year.
We do not collect personal data from third parties.
The Controller does not transfer personal data to third countries.
No automated decision making is to be carried out on these data by the Controller.
Social Media Buttons
By placing social media buttons (Facebook, Instagram, YouTube, X/Twitter, LinkedIn, TikTok) on our websites, we enable operators of these platforms to collect personal data from our website users and further process such data for purposes specified by these operators. This is done in 2 ways:
1) We feature a button that directs you to the relevant social media platform, where you can like, follow, or recommend our fan page to friends. Operators of these platforms track your activity and use the data collected for purposes such as behavioral marketing. This applies solely to our website users who are subscribers to social media services.
2) We allow social media operators to install cookies on your device to track your activity across various websites. The data collected in this manner are used by them for purposes including behavioral marketing. This applies to all users of our websites, irrespective of their subscription status to social media services. Social media buttons on our websites aim to enhance the attractiveness of these websites.
The processing of your personal data is based on our legitimate interest, as outlined in Art. 6(1)(f) of GDPR, which involves promoting and popularizing the Controller’s activity.
We do not store personally identifiable information for the purposes outlined above. However, such data may be stored by social media operators for their own defined purposes, which remain outside of any arrangements with these operators.
Managing Social Media Fan Pages
We use your personal data collected when you visit our social media fan pages (Facebook, Instagram, YouTube, X/Twitter, TikTok, LinkedIn) and undertake activity on these fan pages, including information on following and liking the fan page; posting, commenting on, and reacting to content published on the fan page; and sharing content with other users. In line with the nature of social media platforms, this information may be public to some or all other users of these platforms. We use your personal data for the purpose of managing the fan page, including development of engaging content and sharing it with social media users.
The processing of your personal data is necessary for the performance of a contract for electronic services and is based on Art. 6(1)(b) of GDPR.
Server Administration and Website Use Statistics
We use your personal data regarding your activity on our websites, including the content of HTTP requests from your device to our server (URL, IP address, browser type, operating system, browser language, date and time of request, cookie ID, browsed resources). The data collected in this manner are recorded in server logs.
We use your personal data for the purpose of server administration, ensuring its security, and for statistical purposes. The processing of your personal data is based on our legitimate interest in effective communication with you, as outlined in Art. 6(1)(f) of GDPR, which encompasses server administration, identifying errors in our website structure, and keeping statistics of the most frequently accessed resources.
Cookies
Cookies are IT data, in particular text files, that are stored on the user’s terminal device and are intended for using the websites. Cookies identify the user for the purpose of adjusting contents of the website to the user’s needs. By remembering user preferences, cookies enable personalization of contents targeted at the user, including advertisements. The Controller uses cookies in order to guarantee proper standards of experience while using our websites; the data collected are used internally by the company to optimize its operations.
Cookies are used for the following purposes:
- Adjusting website content to user preferences.
- Website use optimization, particularly through recognition of the user’s terminal device.
- Production of statistics.
- Maintaining user’s session.
- Delivering advertising contents to the user.
The data collected are used for the purpose of monitoring and evaluating how users engage with the website, aiming to enhance its use by ensuring smoother and more efficient navigation.
Note that in some cases, independent of the owner, the software installed by the user on the terminal device and used for browsing websites (eg, web browser) allows cookies to be stored on the user’s terminal device by default. Users can change their cookie settings at any time. In particular, these settings can be changed in the web browser to block the automatic handling of cookies or to notify the user each time a cookie is placed on the user’s terminal device. Detailed information on the possibilities and methods of handling cookies is available in the software (web browser) settings.
The user can disable or enable cookies at any time by changing settings in their browser.
Changing the settings of cookies is an expression of the user’s objection, which may affect future use of the website. Completely disabling cookies will not prevent you from browsing contents of the website, except for those that require logging in.
Unless you adjust your privacy settings, cookies will be stored in your terminal device (they will be automatically saved in your terminal device whenever you use our website).
The data stored in the user’s terminal devices do not cause any changes in the configuration of their terminal device or the installed software.
This information on cookies also applies to other similar technologies used on the website.
Authorities to Which Personal Data are Disclosed
Our website contains links to other websites. We assume no responsibility for the privacy policies of any third-party sites. Therefore, we strongly advise you to review the privacy policy of these websites. This Privacy Policy applies exclusively to the website run by the Controller.
Your personal data will be disclosed to banks, Polish postal services (Poczta Polska S.A.), couriers, Microsoft Sp. z o.o., Vimeo, cyber_folks S.A., Mobile Madness Sp. z o.o., Google LLC, Encode Marek Czarnowski, Medycyna Praktyczna Sp. J., Medycyna Praktyczna – Szkolenia s.c., Meta, HubSpot, BeDigital sp. z o.o., Stripe Payments Europe Limited, Stripe Technology Europe Limited, UX Voyager Michał Kacprowicz, Adobe Inc.
We may also disclose your personal data to public authorities under applicable laws, as well as to our partners based on the relevant entrustment agreements.
Your Rights
As a data subject, you can request the following from us:
1) Access to your personal data, confirmation as to whether or not the personal data relating to you are being processed, a copy of your personal data and information on their use (Art. 15 of GDPR).
2) A copy of the personal data you have provided to us and their transmission either to you or to another controller in a structured, commonly used and machine-readable format (Art. 20 of GDPR).
3) Rectification of incomplete or inaccurate personal data concerning you (Art. 16 of GDPR).
4) Erasure of all or some of your personal data (Art. 17 of GDPR) if the personal data are no longer necessary in relation to the purposes for which they were used or there is no longer a legal ground for the processing, for instance, if you have withdrawn your consent, objected to the processing of your data, or your personal data have been unlawfully used.
5) Restriction of the processing of your personal data (Art. 18 of GDPR) for a period needed to determine the legitimacy of your claim to erase or rectify these data or the legitimacy of your objection, or for a period needed to establish, exercise, or defend your claims.
You have the right to object to the processing of your personal data for the purpose of our legitimate interest (Art. 21 of GDPR). Once you have lodged your objection, we will assess whether, in your specific situation, your fundamental rights and freedoms as a data subject override the protection of the confidentiality of the personal data that we are processing.
You have the right to withdraw your consent to processing your personal data at any time (Art. 7 of GDPR). The withdrawal shall not affect the lawfulness of processing based on your consent before its withdrawal.
You have the right to lodge a complaint in regard to processing of your data with the President of the Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland. The complaint can be filed electronically, in writing, or orally for the record at the seat of the President of the Office.
Amendments to this Policy
This Policy can be amended or supplemented as needed. We will notify you of any amendments and supplementations by posting the relevant information on our website or, for significant changes, directly by email.