Privacy policy

Grant Thornton Technology Sp. z o.o. (former IMMUSEC Sp. z o.o.) is a company supporting clients in the field of broadly understood security, of which an important element is protection of information security, including protection of privacy. We present this Privacy Policy to show you what actions we take to protect the privacy of our clients, their clients and users visiting our website.

APPROACH TO PERSONAL DATA

As part of the services provided to clients, generally we do not decide about the purposes and methods of personal data processing or do not process personal data.

“Personal data” is information that concerns living individuals (including individuals conducting business activity based on the entry into the Central Register and Information on Economic Activity) and allows identifying such individuals directly or indirectly (including by linking these individuals’ data with other data held). Examples of personal data types are: first name, last name, home address, e-mail address, PESEL number or location data. Data on corporations, organizational units without legal personality (including contact details of such entities) or deceased individuals, are not personal data.

In case of deciding about the purposes and methods of personal data processing or processing personal data by us as part of our services or for our own activities, we meet the requirements of Regulation (UE) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation), so-called “GDPR”. This means that any personal data will always be processed by us as a personal data administrator or as a processor of personal data (so-called “processor”) and in compliance with obligations that the GDPR imposes on each of these roles.

If we provide services to customers electronically (“Electronic Services”), documents related to such services (primarily the regulations for the provision of electronic services) contain detailed provisions as to whether and how personal data are processed in connection with specific Electronic Services. Below, we present the general principles and requirements of GDPR related to the processing of personal data, which we use (“General Principles”). If you use any of the Electronic Services and the General Rules are contrary to the principles of personal data processing in the Electronic Services you use – priority is always given to the rules set out for your Electronic Service.

WEBSITE

We maintain a website at https://www.immusec.com, in Polish and English language versions.

Our website is operated using secure technologies, such as the https protocol, which provides encryption of data sent between the device, from which you visit our website, and the server where our website is located.

In certain situations it is possible that individuals visiting our website will provide us with their personal details. This applies to the following situations:

– filling out the contact form (“Contact Form”);

– submitting an inquiry via the contact form (“Inquiry”);

– sending us your CV in response to a job offer or to register in our CV database (“Curriculum Vitae”).

THE ADMINISTRATOR OF PERSONAL DATA AND THE REQUIREMENTS OF THE GDPR

In the event that personal data is provided to us and we decide about the purposes and methods of its processing, the personal data administrator is: Grant Thornton technology (former IMMUSEC Sp. z o.o.), with its registered office in Warsaw, operating at ul. Chłodna 52, 00-872 Warsaw, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0000360418, NIP: 9512317130, REGON: 142487704.

The administrator of personal data can be contacted at the address indicated in paragraph 1 above, as well as by sending a contact form, located in the “contact” tab on our website or by sending an e-mail to: biuro@immusec.com.

Hereby we provide information required by the GPRD regarding the situation when we are the administrator of personal data:

Lp.	Processing operation	Purpose of personal data processing	Legal basis for the processing of personal data	The period of storage of personal data
1.	Contact Form	making a contact to reply to your message	depending on the situation:   a) performance of the contract to which you are a party (if you already have a contract with us and you are contacting us via the Contact Form) or taking action on your request, before concluding the contract (when the potential goal of the contact may be the conclusion of a contract between us) – art. 6 par. 1 letter b) GDPR b) the legitimate interest of the administrator – art. 6 par. 1 letter f) GDPR   the legitimate interest lies in the possibility of acquiring new customers or building a positive image of our brand	3 years from the date of sending a message via the Contact Form
2.	Inquiry	providing you with our commercial offer, for your express order, related to specific services provided by us	take action at your request, before concluding the contract – art. 6 par. 1 letter b) GDPR	3 years from the date of sending an Inquiry, or 5 years in the case when submitting an Inquiry will result in a contract between you and us
3.	Curriculum vitae	conducting the recruitment process for a specific position or using your CV for the future recruitments	the legitimate interest of the administrator – art. 6 par. 1 letter f) GDPR   the legitimate interest lies in the search for new employees	up to 1 year from the date of sending your CV to us

Providing personal data in connection with the above situations is not a requirement under the law or a condition for entering into any contract with us. However, refusal to provide personal data in the above situations will result in the fact that we will not be able to meet the above-mentioned purposes of processing to individuals.

RIGHTS OF INDIVIDUALS FOR WHICH WE ARE ADMINISTRATOR OF PERSONAL DATA

According to the GDPR, if we are the administrator of your personal data, you have the following rights:

• The right to request access to your personal data from us. This right consists in the fact that:

1. you can get confirmation that your personal data is processed by us;
2. if we process your personal data, you can obtain information about: (i) the purpose of processing this data; (ii) categories of personal data processed; (iii) recipients of your personal data; (iv) periods of personal data storage; (v) your rights related to the processing of personal data; (vi) the right to lodge a complaint with the supervisory authority; (vii) the source of your personal data – if there was a situation that the data was not collected from you; (viii) applying or not applying of profiling and automatically making decisions about you;
3. you can get a copy of your personal data which is processed by us.

• The right to rectify your personal data. This right consists in the fact that:

1. you can request correction of incorrect personal data or
2. you may request completion of incomplete personal data if it is related to the purpose of personal data processing.

• The right to delete your personal data. This right consists in the fact that:

1. you may request removal of your personal data, but only if one of the following circumstances occurs: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) personal data have been processed unlawfully; (iii) personal data must be removed in order to comply with a legal obligation under European Union law or the law of the Member State to which we are subject; (iv) personal data were collected in connection with the offering of information society services (in other words, simplifying: services provided via the internet), the processing of which was based on the consent given by the child (we note that we do not provide such services);
2. in addition, your personal data must be deleted by us when (i) you use the right to object or (ii) you withdraw your consent to the processing of personal data and have no other legal basis for processing.

• The right to limit the processing of your personal data. This right consists in the fact that:

1. personal data, the processing of which has been limited, can only be stored by us. We can not perform any other operations on these personal data;
2. the processing restriction applies when you (i) report that the processing of your personal data is unlawful, but you do not request their removal, only processing restrictions; (ii) we no longer need this personal data for processing but you need it to settle your claims, pursue claims or defend claims;
3. in addition, the restriction of processing applies when: (i) you question the correctness of your personal data processing – the processing of personal data is limited for the period when we check the correctness of this data; (ii) you object to the processing of your personal data – until it is considered, the only operation allowed on your personal data is its storage.

• The right to withdraw consent to the processing of your personal data. It consists in the fact that when the basis for the processing of these data is your consent, you can withdraw it at any time. This results in the fact, that if we have no basis for the processing of your personal data other than consent, it must delete it. Withdrawal of consent is effective from its delivery to us.
• The right to object to the processing of your personal data. It consists in the fact that:

1. until the objection is considered, we limit the processing of your personal data;
2. accepting the objection removes your personal data (exception: they are needed for another purpose for which there is a legal basis for data processing);
3. it concerns a situation where (i) the basis for processing your personal data is either to perform a task carried out in the public interest or in the exercise of public authority that would be entrusted to us or our legitimate interest; (ii) there are reasons related to your particular situation; (iii) we have no valid, legitimate grounds for processing that override your interests, rights and freedoms and we have no grounds to establish, assert or defend claims.
4. if the object was made becuse of the use of direct marketing, it is enough to bring it in, and the use of such marketing must be discontinued.

• The right to transfer your personal data. It consists in the fact that:

1. if two conditions are met: (i) processing is done on the basis of consent or for the performance of the contract to which you are a party, or to take action before the conclusion of the contract; and (ii) the processing takes place in an automated manner – you have the right to receive your personal data that we have in an electronic format. You can send such personal data to another administrator;
2. if technically possible, you can request us to transfer your personal data to another administrator;
3. executing the right to transfer personal data does not mean that your data will be deleted by us. If you wish that we delete your data, you must clearly indicate it.

• In the case of all rights referred to in paragraph 11 above, with the exception of the right to withdraw consent:

1. We will notify the person making the request about the actions taken in connection with the submitted request – without undue delay, and in any case within 1 month from the date we receive the request.
2. If we determine that there are no grounds to consider the submitted request, it will notify the person making the request – without undue delay, and in any case within one month from the date we receive the request. In this situation, we will also inform about the reason for not taking action, the possibility of submitting a complaint to the supervisory body and the use of legal protection measures before a court.
3. If the submitted request proves to be complicated or the number of requests will be large, we may extend the deadline for consideration of the request. The person concerned will be notified about the deadline extension within the original one month from the date of receipt of the request by us, stating the reasons for the delay. The extension may be a maximum of two additional months, which means that the submitted request will be considered within a maximum of three months from the date of receipt of the request by us.

• In addition, you have the right to lodge a complaint with the supervisory body in connection with the processing of your personal data. The supervisory body is the General Inspector for Personal Data Protection, which in the future is to be replaced by the President of the Office for Personal Data Protection.

USE OF COOKIES

We use cookies on its website. The types of cookies used and the details of their operation can be found in our Cookies Policy.

We may profile your behaviour on our website by using certain third party cookies. Read the current version of the Cookie Policy to find out if, and to what extent, profiling can relate to you. We do not use profiling in other cases.

We never use automatic decision-making for individuals (including this based on profiling).

LINKS TO OTHER WEBSITES

On our website there are links to other websites, for example social networks and our business partners.

Remember that by clicking on such a link, you go to another website managed by another entity, that may present a different approach to personal data protection and privacy than ours.