3DFORM Sp. z o.o.
- 3DFORM Sp. z o.o. is the Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L of 4 May 2016), hereinafter referred to as the Data Controller.
- In order to ensure the processing of personal data by the Data Controller in accordance with applicable law, and in particular to ensure the highest level of protection of processed personal data, the Data Controller adopts this Policy.
- This Policy is in line with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L of 4 May 2016 – hereinafter referred to as the GDPR);
- The Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000 – hereinafter referred to as the Personal Data Protection Act);
- The Act of 18 July 2002 on the provision of electronic services (as amended, Journal of Laws of 2017, item 1219 – hereinafter referred to as the Act on electronic services);
- The Act of 26 June 1974 – Labour Code (as amended, Journal of Laws of 2018, item 108 – hereinafter referred to as the Labour Code).
- The Policy is an integral part of the personal data protection system in force at the Data Controller’s, specifying in particular:
- the principles of personal data processing at the Data Controller;
- the procedures applied at the Data Controller;
- templates of documents and forms used by the Data Controller.
- This Policy is a legal instrument provided for in Article 24(2) of the GDPR.
- The Data Controller, who supervises the area of data protection, is responsible for implementing and maintaining this Policy.
- The following are responsible for the implementation of this Policy:
- The Data Controller;
- All members of the personnel working for the Data Controller.
- The Data Controller shall also ensure compliance with the provisions of this Policy by contractors cooperating with the Data Controller on the basis of civil law agreements, to the extent necessary when personal data is transferred to them by the Data Controller and by members of the personnel working for the Data Controller.
- For the purposes of this Policy, the following definitions of terms used are assumed:
- Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Special categories of data means data referred to in Article 9(1) of the GDPR, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation;
- Criminal data means data referred to in Article 10 of the GDPR, i.e. data concerning criminal convictions and offences;
- Data concerning children means data of persons under the age of majority;
- Data export means the transfer of data to a third country or international organisation;
- Person means a person to whom the data relates, unless otherwise apparent from the context;
- Policy means this personal data protection policy, unless otherwise apparent from the context;
- Data processor means an organisation or person to whom the Data Controller has entrusted the processing of personal data;
- Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119,
10. Foundations of the Personal Data Protection System:
- The data controller creates a personal data protection system in their organization, building it on the following foundations:
- Security – The data controller is obligated to ensure the security of personal data processing, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
- Legality – The data controller, as well as all individuals involved in personal data processing, are obliged to carry out any operations related to personal data processing in full compliance with applicable law;
- Risk-based approach – The data controller is required to identify the risks associated with personal data processing and assess their impact on personal data operations, in particular on the rights and freedoms of natural persons;
- Respect for the rights of data subjects – The data controller, as well as all individuals involved in personal data processing, are obliged to facilitate the exercise of data subjects’ rights related to data protection;
- Accountability – The data controller, as well as all individuals involved in personal data processing, are obliged to document how they fulfill the obligations arising from data protection regulations.
11. Principles of Personal Data Protection:
- The data controller processes personal data based on the following principles:
- Temporal principle – Personal data is stored in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data are processed;
- Integrity and confidentiality principle – Personal data is processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or
- Minimization of data principle – Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Limitation of purpose principle – Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Accuracy principle – Personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
- Lawfulness, fairness, and transparency principle – Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
12. Data Protection System:
The personal data protection system at the data controller consists of the following elements:
- Security. The controller ensures an appropriate level of data security, including:
- Adapting data protection measures to the established risk;
- Having an information security management system;
- Conducting risk assessments for data processing activities or categories of data;
- Conducting data protection impact assessments where the risk to the rights and freedoms of individuals is high;
- Implementing procedures for identifying, assessing, and reporting identified data breaches to the Data Protection Authority – incident management.
- Data Export. The controller has procedures for verifying whether it transfers data to third countries (i.e., outside the EU, Norway, Liechtenstein, Iceland) or to international organizations and ensures the lawful conditions for such transfers if they occur.
- Data Inventory. The controller identifies personal data assets held by the controller, data classes, dependencies between data assets, and identification of data usage methods (inventory), including:
- cases of processing special category data and “criminal” data (special data);
- cases of processing data of persons not identified by the controller (unidentified data);
- cases of processing children’s data;
- profiling;
- co-administration.
- Minimization. The controller has principles of managing minimization (privacy by default), including:
- principles of managing data adequacy;
- rules of regulation and access management to data;
- rules of managing the data retention period and verifying further utility.
- Individual Rights Handling. The controller fulfills informational obligations towards individuals whose data it processes and ensures support for their rights by fulfilling requests received in this regard, namely:
- Information obligations. The controller provides individuals with legally required information when collecting data and in other situations and organizes and ensures documentation of the fulfillment of these obligations.
- Possibility to make requests. The controller verifies and ensures the possibility of effective execution of each type of request by themselves and their processors.
- Request Handling. The controller ensures appropriate investments and procedures to ensure that individuals’ requests are processed within the required timeframe and manner under the GDPR and documented.
- Legal Basis. The controller ensures, identifies, and verifies the legal basis for data processing and records it in the Register, including:
- maintaining a consent management system for data processing and distance communication,
- inventorying and detailing the justification for cases when data is processed based on the legitimate interest of the contractor.
- Data Processors. The controller has rules for selecting data processors on behalf of the controller, requirements for processing conditions (data processing agreement), and verification rules for fulfilling data processing agreements.
- Privacy by design. The controller manages changes affecting privacy. For this purpose, procedures for launching new projects and investments at the controller take into account the need to assess the impact of the change on data protection, ensuring privacy (including the compatibility of processing purposes, data security, and minimization) at the design stage of the change, investment, or at the beginning of a new project.
- Cross-Border Processing. The controller has verification rules for cases of cross-border processing and rules for determining the lead supervisory authority and the main organizational unit within the meaning of the GDPR.
- The controller develops, maintains, and keeps the Register of Data Processing Activities (Register). The Register is a tool for accountability for data protection compliance at the controller.
- Breach Notification. The controller applies procedures allowing it to determine the necessity of notifying individuals affected by identified data breaches.
13. Entities Creating the Personal Data Protection System:
1) Joint Data Controllers:
- The data controller may jointly determine the purposes and methods of processing personal data with a joint data controller — if such necessity arises from the activities carried out by the data controller.
- The data controller is obliged to conclude an agreement with the joint data controller on joint data processing.
- In the agreement on joint data processing, it is necessary to specify in particular:
- the scope of responsibilities of the data controller and the joint data controller;
- the method of fulfilling obligations arising from the provisions on personal data protection;
- the method of fulfilling the information obligations under Article 13 and Article 14 of the GDPR;
- the contact point — if indicated;
- the relationships between the data controller and the joint data controller and the data subjects;
- the method of transferring the agreed content between the data controller and the joint data controller to data subjects.
2) Data Protection Officer:
- In cases specified in Article 37(1) of the GDPR or under Polish law, the data controller is obliged to appoint a Data Protection Officer.
- In cases other than those specified in point 1, the data controller may decide to voluntarily appoint a Data Protection Officer.
- The data controller shall notify the President of the Personal Data Protection Office within 14 days of:
- appointing the Data Protection Officer, providing his/her contact details;
- changing the Data Protection Officer, providing his/her contact details;
- resigning from appointing the Data Protection Officer, if previously appointed.
- The data controller may employ the Data Protection Officer based on an employment contract or a civil law contract for services.
- The Data Protection Officer’s tasks include:
- informing the data controller and the employees processing personal data about their obligations under the law;
- advising on compliance with provisions on personal data protection;
- taking actions to increase awareness of personal data protection;
- conducting training for employees on personal data protection;
- conducting audits;
- monitoring compliance with provisions on personal data protection, this Policy, and other documents of the data controller;
- monitoring the division of responsibilities;
- acting as a contact point for the supervisory authority on matters related to processing, including prior consultation referred to in Article 36 of the GDPR, and in appropriate cases, conducting consultations on any other matters;
- providing recommendations to the data controller on the data protection impact assessment and monitoring its implementation in accordance with Article 35 of the GDPR;
- cooperating with the President of the Personal Data Protection Office.
- The data controller is obliged to ensure that the Data Protection Officer is properly and promptly involved in all matters concerning data protection.
- The data controller is obliged to support the Data Protection Officer in carrying out his/her tasks, providing him/her with the necessary resources for this purpose and ensuring access to personal data and processing operations, as well as resources necessary to maintain his/her professional knowledge.
- The data controller:
- may not issue any instructions to the Data Protection Officer;
- may not penalize the Data Protection Officer for the performance of his/her duties;
- may not dismiss the Data Protection Officer for the performance of his/her duties.
- The Data Protection Officer reports directly to the data controller or to the highest management of the data controller.
3) Authorized Persons:
- Processing of personal data within the data controller’s structure may only be carried out by persons authorized by the data controller.
- A person authorized to process personal data is obliged, before starting activities, to:
- familiarize themselves with documents on personal data protection, especially with this Policy — to the extent determined by the data controller;
- submit a written declaration of familiarization with documents on personal data protection and completion of training on personal data protection;
- submit a written declaration of compliance with the principles of personal data protection and established procedures;
- complete training on personal data protection.
- The data controller provides authorized persons with access to documents on data protection, except for those documents that should not be accessible to all authorized persons.
- The data controller maintains a register of persons authorized to process personal data.
4) Data Processors:
- The data controller may entrust the processing of personal data to a data processor according to its own needs.
- The data controller is obliged to entrust the processing of personal data only to data processors who provide sufficient guarantees of implementing appropriate technical and organizational measures to meet the GDPR requirements and protect the rights of the data subjects. The use of services of data processors that do not provide such guarantees is prohibited.
- In the event of a data processor using the services of another data processor that does not provide equivalent guarantees as mentioned in point 2, the data controller is obliged to object, and in other cases — may object if there are grounds for it.
- The data controller is obliged to monitor compliance with GDPR provisions by the data processor throughout the duration of the agreement.
- In the event of a data processor violating GDPR provisions, the data controller is obliged to immediately cease cooperation with the data processor.
- The data controller maintains a register of data processors with whom it has concluded agreements on entrusting the processing of personal data.
5) Data Recipients:
- The data controller discloses personal data to data recipients only after verifying the legal basis for such disclosure.
- In the absence of a legal basis as referred to in point 1, the data controller refuses to disclose personal data to any recipient.
- The data controller maintains a record of data recipients.
14. Data Processing Activities Register:
- The Data Processing Activities Register (DPAR) serves as documentation of data processing activities, acts as a data processing map, and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based, namely the principle of accountability.
- The controller maintains the Data Processing Activities Register, in which it inventories and monitors how personal data is used.
- The Data Processing Activities Register is one of the basic tools enabling the controller to account for most of the data protection obligations.
- In the Register, for each data processing activity considered by the controller to be separate for the purposes of the Register, at least the following is recorded:
- name of the activity,
- purpose of processing,
- description of categories of individuals,
- description of categories of data,
- legal basis for processing, specifying the categories of legitimate interest of the second party and/or the controller if the basis is legitimate interest,
- method of data collection,
- description of data recipients (including processors),
- information on transfer outside the EU/EEA,
- general description of technical and organizational measures for protection.
15. Risk Management:
- The data controller implements and maintains a risk management procedure.
- The data controller is obliged to take into account the risk in planned and ongoing processes of personal data processing.
- The risk management procedure is attached to the Policy.
16. Data Protection Impact Assessment:
- In cases specified in Article 35(1) of the GDPR and Article 35(3) of the GDPR, and concerning processing operations listed in the list published by the President of the Personal Data Protection Office based on Article 35(4) of the GDPR, the Data Controller is obliged to carry out a Data Protection Impact Assessment.
- A Data Protection Impact Assessment is not required for processing operations listed in the list published by the President of the Personal Data Protection Office based on Article 35(5) of the GDPR.
- The procedure for conducting a Data Protection Impact Assessment is attached to the Policy.
17. Prior consultation with the President of the Personal Data Protection Office:
- If the data protection impact assessment indicates that the processing would entail high risk unless the Data Controller applies measures to minimize that risk, the Data Controller is obliged to consult with the President of the Personal Data Protection Office before commencing processing.
- The procedure for conducting prior consultations with the President of the Personal Data Protection Office constitutes an Annex to the Policy.
18. Privacy by design and privacy by default:
- The Data Controller is obligated to consider data protection during the design phase of new systems, programs, applications, and services, as well as during the design phase of new processes and methods of personal data processing (privacy by design).
- The Data Controller is obligated to ensure default data protection, i.e., only those personal data that are necessary to achieve a specific processing purpose may be processed by default (privacy by default). Waiving privacy or limiting it may only occur upon explicit request from the data subject.
- The privacy by design and privacy by default procedure constitutes an Annex to
19. Minimization:
- The Data Controller is obligated to adhere to the principle
- To ensure compliance with the minimization principle, the Data Controller, in particular:
- verifies the amount of personal data processed—the Data Controller may not process more personal data than necessary for the intended purpose;
- verifies the scope of personal data processed—the Data Controller may not undertake more processing activities than necessary for the intended purpose;
- limits access to personal data by employing legal measures (contracts with confidentiality clauses, authorization systems), physical measures (access control of individuals to buildings, premises, and systems), and logical measures (authorization control in IT systems and access to IT systems);
- limits the processing time of personal data—the Data Controller may not process personal data longer than necessary for the intended purpose.
20. Legal basis for processing:
- The Data Controller documents in the Register the legal basis for processing data for individual processing activities.
- When specifying the general legal basis (consent, contract, legal obligation, vital interests, public task/public authority, legitimate interests of the Data Controller), the Data Controller further specifies the basis when necessary.
- The Data Controller implements consent management methods enabling the registration and verification of the data subject’s consent to process their specific data for a specific purpose, consent to remote communication (email, telephone, SMS, etc.), as well as registration of refusal of consent, withdrawal of consent, and similar actions (objection, restriction, etc.).
21. Handling of individual rights and informational obligations:
- The Data Controller ensures clarity and style in the information and communication provided to individuals whose data it processes.
- The Data Controller ensures compliance with legal deadlines for fulfilling obligations towards individuals.
- The Data Controller introduces appropriate methods for identifying and authenticating individuals for the purpose of fulfilling individual rights and obligations.
- To fulfill individual rights, the Data Controller provides procedures and mechanisms to identify the specific data of individuals processed by the Data Controller, integrate this data, make changes to it, and delete it in an integrated manner.
- The Data Controller documents the handling of informational obligations, notifications, and requests from individuals.
– Information obligations:
- The Data Controller determines lawful and effective methods for fulfilling informational obligations;
- The Data Controller informs the individual about the extension of the period for considering the individual’s request beyond one month;
- The Data Controller informs the individual about the processing of their data when obtaining data from the individual;
- The Data Controller informs the individual about the processing of their data when obtaining data about the individual indirectly, from sources other than the individual;
- The Data Controller determines the method of informing individuals about the processing of unidentified data, where possible;
- The Data Controller informs the individual about the planned change in the purpose of data processing;
- The Data Controller informs the individual before lifting the restriction on processing;
- The Data Controller informs data recipients about the correction, deletion, or restriction of data processing (unless this would require disproportionately high effort or be impossible);
- The Data Controller informs the individual about the right to object to data processing no later than at the first contact with that individual;
- The Data Controller promptly notifies the individual of a breach of personal data protection if it could result in a high risk to the rights or freedoms of that individual.
– Individual requests:
- Rights of third parties. When exercising the rights of individuals whose data are processed, the Data Controller introduces procedural guarantees for the protection of the rights and freedoms of third parties. In particular, in the event of receiving credible information that fulfilling a request for the issuance of data copies or the right to data portability by an individual may adversely affect the rights and freedoms of other individuals, the Data Controller may contact the individual to clarify doubts or take other legally permissible steps, including refusing to comply with the request.
- Non-processing. The Data Controller informs the individual that it does not process their data if the individual has submitted a request regarding their rights.
- Refusal. The Data Controller informs the individual, within one month of receiving the request, of the refusal to consider the request and the rights associated with it.
- Access to data. Upon the individual’s request for access to their data, the Data Controller informs the individual whether it processes their data and provides the individual with details of the processing, in accordance with Article 15 of the GDPR (the scope corresponds to the informational obligation when collecting data), and also provides the individual with access to their data. Access to data may be provided by issuing a data copy, subject to the condition that a copy of the data issued in carrying out the right to access data by the Data Controller will not be considered the first free copy of data for the purposes of data copy fees.
- Data copies. Upon request, the Data Controller issues the individual a copy of their data and records the issuance of the first data copy. The Data Controller introduces and maintains a price list for data copies, according to which fees are charged for subsequent data copies. The price of data copies is calculated based on the estimated unit cost of processing the data copy request.
- Data correction. The Data Controller corrects incorrect data at the individual’s request. The Company has the right to refuse data correction unless the individual reasonably demonstrates inaccuracies in the data they seek to correct. In the event of data correction, the Data Controller informs the individual about the data recipients, upon the individual’s request.
- Data completion. The Data Controller supplements and updates data at the individual’s request. The Data Controller has the right to refuse data completion if the completion would be inconsistent with the purposes of data processing. The Data Controller may rely on the individual’s statement regarding the data being completed unless it is insufficient in light of the Data Controller’s adopted procedures.
- Deletion. Upon the individual’s request, the Data Controller deletes data when:
- the individual has lodged an effective objection to the processing of such data,
- the data are no longer necessary for the purposes for which they were collected or processed for other purposes,
- consent to their processing has been withdrawn, and there is no other legal basis for processing,
- the data have been processed unlawfully,
- there is a legal obligation to delete them,
- the request concerns data of a child collected based on consent for the provision of information society services directly to the child (e.g., a child’s profile on a social networking site, participation in a contest on a website).
- Restriction of processing. The Data Controller restricts the processing of data at the individual’s request when:
- the individual contests the accuracy of the data—for a period allowing verification of their accuracy,
- processing is unlawful, and the individual whose data it concerns opposes the deletion of the personal data, requesting instead that its use be restricted,
- the Data Controller no longer needs the personal data, but it is required by the individual whose data it concerns for the establishment, exercise, or defense of legal claims,
- the individual has objected to processing for reasons relating to their particular situation—pending verification whether the Data Controller’s legitimate grounds override those of the individual.
- Data portability. Upon the individual’s request, the Data Controller provides, in a structured, commonly used, machine-readable format, or transfers to another entity if possible, data concerning that individual that the individual has provided to the Data Controller and that is processed based on the individual’s consent, or for the purpose of entering into or performing a contract with the individual, in the Data Controller’s information systems.
- Objection in a particular situation. If an individual objects, based on their particular situation, to the processing of their data, and the data are processed by the Data Controller based on the Data Controller’s legitimate interest or a task entrusted to the Data Controller in the public interest, the Data Controller will consider the objection unless there are compelling legitimate grounds for the processing on the Data Controller’s side that override the interests, rights, and freedoms of the objecting individual, or grounds for establishing, investigating, or defending claims.
- Objection to scientific, historical, or statistical research purposes. If the Data Controller conducts scientific or historical research or processes data for statistical purposes, an individual may raise a justified objection based on their particular situation against such processing. The Data Controller will consider such objection unless the processing is necessary for the performance of a task carried out in the public interest
- Objection to direct marketing. If an individual objects to the processing of their data by the Data Controller for direct marketing purposes (including possibly profiling), the Data Controller will consider the objection and cease such
- Right to human intervention in automated processing. If the Data Controller processes data automatically, including profiling individuals, and as a result makes decisions with legal effects or similarly significantly affects the individual, the Company ensures the possibility of appealing to human intervention and decisions by the Data Controller, unless such automated decision (i) is necessary for entering into or performing a contract between the individual and the Data Controller; or (ii) is directly permitted by law; or (iii) is based on explicit consent from the individual appealing.
22. Transfer of personal data to third countries or international organizations:
- The Data Controller is obligated to monitor whether it transfers any personal data to third countries or international organizations, particularly when using services of other entities.
- The Data Controller is obligated to identify and verify the legal basis for transferring personal data to third countries or international organizations.
- The Data Controller is obligated to monitor changes
- Instances of transferring personal data to third countries or international organizations are recorded in the register of data processing activities.
23. Training:
- The Data Controller is obligated to take actions to increase awareness of personal data protection among its employees and to enhance their knowledge and qualifications in this area.
- The Data Controller provides training on personal data protection to its employees, the frequency and level of advancement of which depend on the employee’s position in the data protection system.
24. Final provisions:
- Any matters not regulated by this Policy are subject to applicable laws, especially those concerning personal data protection.
- In case of a change in the legal status resulting in the inconsistency of this Policy with the law, such provision loses its validity. The Data Controller takes immediate actions to adapt this Policy to the new status.
- This Policy may be amended or repealed in the same manner it was adopted.
- This Policy is effective from May 25, 2018.
26. List of attachments:
Any attachments forming part of this Policy are held by the Data Controller and will be made available upon written request—considering the legal interest of the entities whose data are included in the aforementioned attachments.
COOKIE POLICY:
Cookies are pieces of information stored in the user’s end device and intended for the use of websites.
Cookies typically contain the name of the website they come from, the time they are stored on the end device, and a number.
The service does not collect information automatically, except for the information contained in cookie files.
The entity placing cookie files on the end user’s device and accessing them is the operator, Company 3DFORM Sp. z o.o., Włókniarek 10, 67-100 Nowa Sól.
Cookie files are used for:
- optimizing the use of websites;
- creating statistics that help understand how users of the Service use websites, enabling the improvement of their structure and content.
In the Service, the following types of cookies are used: session cookies and persistent cookies.
Persistent cookies are stored on the end device of the user for the time specified in the parameters of the cookie files.
Session cookies are temporary files that are stored on the end device until the user logs out or leaves the website.
Within the Service, cookies are created through external software of the Google company. These files are used to collect traffic and statistics of the Service via the Google Analytics and Google Webmasters services.
In many cases, the web browser allows cookies to be stored on the user’s device by default.
Users can change cookie settings themselves. Detailed information on the possibilities and methods of handling cookie files is available in the settings of the web browser.
These settings allow, among other things, the automatic handling of cookie files to be changed and the user to be informed each time a cookie is placed on the device.
More information about cookie files is available in the “Help” section of the web browser menu.