1. The administrator of personal data is the Freedom Institute Foundation with its registered office at 27/14 Hoża Street, 00-521 Warsaw, Tax Identification Number (NIP) 7010340617, National Business Registry Number (REGON) 146099436, registered in the association register kept by the District Court for the capital city of Warsaw in Warsaw XII Economic Division of the National Court Register (KRS) under number KRS 0000417714 (hereinafter referred to as the “Administrator”).
2. The Administrator operates the website www.instytutwolnosci.pl (hereinafter referred to as the “Service”).
3. The Service User (hereinafter referred to as the “User”) gives consent to the processing of their personal data by the Administrator in accordance with the principles specified in this privacy policy.
4. Any statements, inquiries, and information regarding personal data can be provided to the Administrator via:
a. email to the address biuro@instytutwolnosci.pl;
b. through the contact form available on the Service;
c. in writing to the Administrator’s registered office address.
5. User’s personal data is processed based on Article 6 and other provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”).
6. The User’s personal data is processed for the purpose of:
a. managing the User’s account on the Service;
b. responding to questions and other messages sent by the User through the contact form or email and for further communication with the User;
c. providing the User with information about updates, projects, and other marketing or educational information by the Administrator;
d. conducting recruitment for projects and other activities carried out by the Administrator, in which the User expresses interest.
7. User data is also processed for the purpose of fulfilling contracts with the User or taking other actions at the User’s request before entering into a contract.
8. User data is processed when necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the person whose data requires protection).
9. Recipients of the User’s personal data may include:
a. Employees, contractors, subcontractors, and other individuals employed or cooperating with the Administrator;
b. Accounting offices cooperating with the Administrator;
c. Law firms cooperating with the Administrator;
d. Entities providing IT services to the Administrator, especially hosting and email services;
e. Entities providing marketing services to the Administrator;
f. Entities involved in settlements, including providers of invoicing systems, online payment systems, and banks;
g. Entities providing postal and courier services.
10. User’s personal data may be transferred to third countries only under the conditions described in art. 46 of the GDPR, i.e. provided the recipient ensures adequate safeguards. In any case, the User is entitled to receive a copy of their data.
11. User’s personal data will be stored for the period necessary to achieve the purposes of data processing, namely:
a. the period of maintaining the User’s account on the Service;
b. the period of communication with the User, especially the time necessary to provide the User with all requested information;
c. the period of implementing projects in which the User has expressed interest;
d. the period of conducting educational and marketing activities by the Administrator;
e. the period necessary for the proper performance of contracts concluded with the User;
f. the legally required period of keeping accounting documentation.
The User’s personal data will be permanently deleted when all the above-mentioned periods expire.
12. The User has the right to:
a. obtain confirmation from the Administrator whether personal data concerning them are being processed;
b. receive a copy of the processed data;
c. obtain from the Administrator any information covered by the scope of this Privacy Policy.
13. The User has the right to request the Administrator to promptly correct their personal data that is incorrect. Considering the purposes of processing, the User has the right to request the completion of incomplete personal data by providing an additional statement.
14. The User has the right to request the Administrator to promptly delete their personal data, and the Administrator is obliged to delete personal data without undue delay (subject to exceptions provided by law), if one of the following circumstances occurs:
a. personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b. the User withdraws consent on which the processing is based, and there is no other legal basis for the processing;
c. the User objects, as described in points 18 or 19;
d. personal data has been processed unlawfully;
e. personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the Administrator is subject;
f. personal data has been collected in connection with the offer of information society services directly to a child, based on the child’s or parent’s (guardian’s) consent.
15. The User has the right to request the Administrator to restrict processing in the following cases:
a. when the User disputes the accuracy of personal data – for a period allowing the Administrator to verify the accuracy of such data;
b. when processing is unlawful, and the User opposes the deletion of personal data, requesting instead the restriction of their use;
c. when the Administrator no longer needs personal data for the purposes of processing, but the User needs it to establish, pursue, or defend claims;
d. when the User has objected, as described in points 18 – until it is determined whether the legitimate grounds on the part of the Administrator override the grounds of objection of the person whose data is concerned.
16. The User has the right to receive their personal data provided to the Administrator in a structured, commonly used, and machine-readable format and has the right to transmit this data to another data controller without hindrance from the Administrator, to whom the personal data was provided. Exercising the right to data portability, the User has the right to request that personal data be transferred by the Administrator directly to another data controller, if technically feasible.
17. The User has the right to object, at any time, for reasons related to their particular situation, to the processing of their personal data based on the legitimate interests pursued by the Administrator or by a third party. The Administrator may no longer process this personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the person whose data is concerned or for the establishment, exercise, or defense of legal claims.
18. The User has the right to object at any time to the processing of their personal data for direct marketing purposes, and the Administrator is obliged to consider such objection.
19. The User may withdraw consent to the processing of data at any time. However, it should be noted that:
a. withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
b. despite the withdrawal of consent, the Administrator is still entitled to process data within the scope indicated in points 7-8;
c. withdrawal of consent prevents the Administrator from maintaining the User’s account on the Service and is equivalent to a request for its closure.
20. Providing personal data is a condition for entering into a contract for the operation of an account on the Service. The User has the right to lodge a complaint with the supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged violation if they believe that the processing of personal data concerning them violates the provisions of the GDPR.