Privacy policy
As the personal data controller (PDC), Hocan Estate sp. z o.o., with its registered office in Warsaw, determines the following policy of personal data protection:
1. PDC carries out the assessment of risk associated with the processing of personal data and undertakes all measures adequate to the given risk in order to secure the processing of personal data.
2. Personal data is processed only to the extent necessary as a result of the PDC's business activity. In each case in which the extent of processed data is not justified by the implementation of the purpose for which the data was made available or the pursuit of claims, or if there is no other legal premise for the processing of data, the data may be processed only after getting the consent of the data subject.
3. Every natural person whose data is processed must be informed in particular about:
   - data processor
   - purpose and extent of data processing
   - voluntary nature of the provision of data
   - possibility of access to data
   - right to request the deletion of data, as well as transfer and correction of data
   - period of time after which the data will be deleted
   - possibility to lodge a complaint regarding a violation of personal data protection.
4. The information referred to in section 3 must be provided in a manner that is clear and understandable to an average recipient, and it may be provided in any form, including:
   - in the oral form
   - in the form of placing information in an accessible location at the company's registered office or on the website.
5. In order to ensure the protection of personal data, the following measures are applied:
   - technical measures that protect the data against loss, unauthorised modification and unauthorised access of third parties
   - training of employees in the scope of personal data protection
   - securing rooms and data stored in paper form against access of unauthorised persons, as well as against random factors that may result in the loss/destruction or disclosure of data to unauthorised persons.
6. PDC does not envisage the processing of data in an automated manner, nor for the purpose of profiling.
7. Transfer of data to a third country/international organisation, in relation to which a decision of the European Commission has not been issued stating that such country provides appropriate protection of personal data, may be carried out to the extent necessary to implement an agreement or activities preparing for conclusion of an agreement, or based on the express consent of the data subject. In such case, the transfer of data requires:
   - estimation of the risk associated with the processing
   - notification of the supervisory authority about such transfer
   - notifying the data subject about the scope of such transfer and associated risk
   - ensuring the processing in accordance with the standards of personal data protection resulting from applicable provisions of the Polish law and the European Union law.
8. The personal data shall be deleted immediately after it ceases to be necessary to implement the purpose for which it was collected. The data necessary for accounting settlements is stored for the period provided for in the tax law. Data of employees is stored for the period required by applicable regulations.
9. In the case of violation of the principles of personal data protection, PDC shall implement a procedure associated with the violation of data protection.
10. The PDC's employees and contractors are obliged to observe the procedures ensuring the protection of personal data, particularly including:
    - appropriate use of the technical measures that secure data, including the use of passwords for securing the devices on which the data is processed
    - processing of data only to the extent necessary for the purpose for which it was collected
    - maintaining full confidentiality of personal data
    - securing documents containing data against access of unauthorised persons by ensuring their appropriate storage (in locked cabinets and rooms)
    - providing the data subjects with information, in accordance with section 3
    - reporting potential threats to the protection of personal data to supervisors, including information regarding insufficient protection of data
    - reporting each case of data breach to supervisors.
11. In the case of entrusting data processing to a processor, the processing of data by such processor on behalf of PDC may be implemented only based on an agreement concluded between PDC and such processor, which must at least specify the nature and purpose of processing, the type of personal data, the categories of data subjects and the duration of processing. The agreements concluded with processors must stipulate the processor's obligation to observe the principles of personal data processing, as well as technical measures ensuring the security of data. PDC shall undertake cooperation only with the processors ensuring the compliance with the principles of personal data protection.