Personal Data Controller
BIOCELTIX SPÓŁKA AKCYJNA [JSC], with its registered office in Wrocław (52-326), Poland, at ul. Kwiatkowskiego 4 (KRS [National Court Register no.]: 0000744521) (hereinafter referred to as the ‘Controller‘ or ‘Company‘) is the Personal Data Controller of your personal data. The personal data collected by the Controller are processed pursuant to the principles specified in relevant regulations on the protection of personal data, including the principles laid down in Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and of the free movement of such data and repealing Directive 95/46/EC (the general data protection regulation) (hereinafter referred to as ‘ GDPR‘) and Polish regulations issued in connection with GDPR, including the Act of May 10, 2018 on the Protection of Personal Data.
The Controller shall keep confidential all personal data and protect them against unauthorised access by third parties in accordance with the principles set out in the aforementioned legal acts.
Purposes and Grounds for Data Processing
Within the scope of its activity, the Controller shall collect and process personal data:
1) in order to perform contracts concluded with its Partners (legal basis: art. 6 paragraph 1 point 1 of GDPR);
2) for the purposes of the legitimate interests pursued by the Company as a controller of data (legal basis: article 6 paragraph 1 point f of GDPR), which is particularly meant as:
b) serving the provision of services to its Partners,
c) serving marketing purposes relating to the services provided by the Company, the purpose of providing information on events or activity of the Company,
d) serving analytical and statistical purposes, as well as those intended to ensure the cybersecurity relating to the bioceltix.com website;
3) in order to perform the recruitment process with regard to individuals expressing interest in being employed by the Company or cooperating with it (legal basis, respectively: article 6 paragraph 1 point c and article 6 paragraph 1 point a of GDPR).
Furthermore, the Controller shall process the personal data to the extent necessary for its compliance with any legal obligations to which the Controller is subject (legal basis: article 6 paragraph 1 point c of the GDPR).
Rights under the Provisions of GDPR
Personal data are provided voluntarily. However, depending on specific circumstances, the refusal to provide one’s data or requesting their removal may particularly prevent the Controller from: contacting you, providing you with information on events and activity of the Company, as well as from performing a service. The provision of commercial information via electronic means, e.g. by e–mail, shall be conditional upon the reception of your prior consent. Pursuant to the principles set out in the legal regulations applying to the protection of personal data and to the extent provided therein, you shall have the right to access and correct your personal data, have them erased or restricted in terms of processing, the right to data portability, as well as the right to lodge a complaint with a relevant supervisory authority (Prezes Urzędu Ochrony Danych Osobowych [President of the Office for Personal Data Protection]). If you do not wish to have your personal data processed by the Company for marketing purposes, you are entitled to object to it at any time or to withdraw your consent to the processing of your personal data for this purpose at any time, whilst the withdrawal of such consent shall not affect the lawfulness of processing based on the consent expressed prior to its withdrawal).
Period of Processing
Depending on specific purposes and legal bases applied to the processing, your personal data shall be particularly processed:
1) until the expiry of the limitation periods pertaining to the contract related to the processing of personal data;
2) until relevant and legitimate interests related to the processing of specific data and carried out by the Company as the data controller are executed;
3) until the expiry of limitation periods pertaining to particular obligations arising from the legislation;
4) until an objection is notified or the withdrawal of one’s consent relating to the scope of the processing of one’s data for marketing purposes is made.
Transfer of Personal Data to other Entities
Your personal data shall only be transferred to entities authorised under the relevant provisions of law or on the basis of an entrustment agreement conducted with the Controller. The Controller is entitled to entrust the data to entities that are directly or indirectly related to the Company (particularly by organisational or personal links), having their seats in one of the Member States of the European Union. Furthermore, state authorities and services – particularly Narodowe Centrum Badań i Rozwoju [the National Centre for Research and Development] – may also be recipients of your personal data, external service providers (including IT, accounting and legal services, chartered accountants and auditors) included. The abovementioned service providers shall unconditionally observe the confidentiality of your personal data and process them in conformity with the provisions applying to the protection of personal data.
Absence of Profiling
Your personal data shall be processed at the Company’s registered office and shall not be transferred to any countries situated outside the European Union. In the event of a transfer of personal data to any third countries (located outside the EU), the Controller shall apply appropriate instruments aimed at ensuring the security of your data.
Your personal data shall not be subject to profiling, nor are they to be subject to any other form of automated decision-making.