Privacy policy for Clinical Consulting

Controller

Clinical Consulting

Dzwonkowa 104

43-100 Tychy

Poland

(hereafter "we" or "Clinical Consulting")

Contact person for register matters

rodo@clinicalconsulting.pl

What is the legal basis for and purpose of the processing of personal data?

The basis for processing personal data is the performance of a contract between us, and our legitimate interest in developing our business.

The purposes of processing personal data are:

The delivery and development of our products and services (performance of a contract and legitimate interest),

Sourcing and acquiring products and services necessary for our business from suppliers (performance of a contract and legitimate interest),

Fulfilling our contractual and other rights, promises and obligations (performance of a contract),

Taking care of the customer and supplier relationship (performance of a contract and legitimate interest).

We do not use automated decision-making (incl. profiling) to identify the data subjects' profiles and online behavior.

What data do we process?

We process the following personal data of our customers, suppliers or other data subjects (like prospects) in connection with the customer and supplier register:

Basic information of the data subject such as name*, date of birth, the language of use;

Contact information of the data subject such as e-mail address*, phone number, and address;

Technical information about the user of a website such as IP address and cookie information;

Other possible information collected from the data subject him-/herself.

Providing the information marked with an asterisk (*) is a prerequisite for our contractual relationship and/or supplier relationship. We cannot enter into a relationship without the necessary information.

From where do we receive data?

We receive personal data primarily from the data subject him-/herself, professional social media networks and company websites.

For the purposes described in this privacy policy, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually.

To whom do we disclose data and do we transfer data outside of the EU or EEA?

We use subcontractors that process personal data on behalf of and for us (data transfer). We have outsourced the IT management to an external service provider, on whose server the data is stored. The server is protected and managed by an external service provider.

We transfer and disclose personal data related to customers outside the EU/EEA. We have implemented suitable safeguards for the transfers and disclosures. We use EU Commission standard contractual clauses or the Privacy Shield system.

How do we protect the data and how long do we store them?

Only those of our employees who are entitled, by virtue of their work, to process customer and supplier data are entitled to use a server containing personal data. Each user has a personal username and password to the server. The server is equipped with a hard disk matrix and has a redundant Internet connection. A hardware firewall is configured (all incoming connections except VPN connections are blocked). Access for remote employees is provided via an individual VPN connection using the L2TP/IPsec protocol. The server keeps a log of system events. Data is also protected by physical security measures such as lockable doors to the building entrance and to the room where the server is located. The building is secured by an alarm system and surveillance.

We store personal data for as long as necessary considering the purpose of the processing. Personal data about customers and suppliers is processed and retained during the customer or supplier relationship or as long as services are delivered, and for ten (10) years after the relationship or service provision has ended.

We regularly assess the need for data retention in light of the applicable legislation. In addition, we take reasonable measures to ensure that the personal data in the register is not incompatible, obsolete or inaccurate considering the purpose of the processing. We rectify or delete such information without delay.

What are your rights as a data subject?

As a data subject, you have the right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data. You also have a right to withdraw or change your consent, in cases where the processing of the data is based on your consent.

As a data subject, you have a right, according to the EU's General Data Protection Regulation (applied from 25.5.2018), to object to the processing or request restricting the processing of your personal data. Additionally, you have a right to request your data to be delivered to you in a standard format, in cases where the processing of data is based on your consent or a contract between us.

You also have a right to lodge a complaint with a data protection authority in your jurisdiction or with the power to investigate processing concerning your personal data.

For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when the processing of the personal data is based on our legitimate interest. In connection to your claim, you should identify the specific grounds on which you object to the processing. We can refuse to act on such a request on the basis of privacy legislation.

Who can you contact?

All contacts and requests concerning this privacy policy shall be submitted in writing or in person to the person mentioned in section two (2).

Changes in the Privacy Policy

Should we make amendments to this privacy notice, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review this privacy notice from time to time to ensure you are aware of any amendments made.
