This document sets out the conditions for the processing of personal data (hereinafter also referred to as “Data”) via the URVE Smart Office application, hereinafter referred to as the “Application”.
§1.DEFINITIONS OF TERMS
- The Administrator – the entity processing the Users’ personal data via the Application.
- The Supplier – the producer of the Application, Eveo Sp. z o. o. with its registered office in Kraków, Walerego Sławka 3A street, recorded in the Register of Entrepreneurs of the National Court Register under KRS number: 0000297280, NIP: 676-23-63-773 and REGON: 120580987.
- The Buyer – an entity that takes the Application to use in its closed server environment and makes it available for use by its employees.
- Users – natural persons whose personal data is processed by the Administrator as part of the use of the Application
- Implementation – full delivery of the Application by the Supplier and its installation in the Buyer’s server environment.
§2.WHO IS THE PERSONAL DATA ADMINISTRATOR
- As part of the Implementation, the Supplier delivers to the Buyer the Application together with the server software, which is installed remotely in the Buyer’s closed server environment.
- The Supplier remains the Administrator until the completion of the Application Implementation at the Buyer. From that moment on, the Buyer becomes the personal data Administrator and the duties regarding the processing of personal data in the application are transferred to the Buyer.
- The Supplier shall not store any personal data of the Users on its servers after the end of the Implementation.
- The Administrator is obliged to inform Users of any processing of their personal data in connection with the use of the Application and of third parties who will be recipients of that data.
- The Supplier can be contacted via the e-mail address: biuro[at]eveo.pl.
§3.ON WHAT BASIS PERSONAL DATA ARE PROCESSED
The legal basis for data processing derives from the provisions of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data and repealing Directive 95/46/EC – General Data Protection Regulation). When there is a reference to:
- Article 6(1)(b) of the GDPR – this means that personal data are processed on the basis of the consent obtained,
- Article 6(1)(b) of the GDPR – this means that personal data are processed because they are necessary for the performance of a contract or for taking action prior to entering into one, at your request,
- Article 6(1)(c) of the GDPR – this means that personal data are processed in order to comply with a legal obligation,,
- Article 6(1)(f) of the GDPR – this means that personal data are processed in order to pursue legitimate interests.
§4.INFORMATION ON DATA PROCESSING FOR THE USE OF THE APPLICATION
- The Administrator may process data in order to enable Users to use the Application. The processing of this data is based on Article 6(1)(b) of the GDPR.
- The Administrator processes Users’ personal data, such as: name, surname and e-mail address.
- The personal data collected by the Administrator are used to authenticate users who use the application.
- The data may be used to verify the identity of a user who has lost access to his/her account in the application.
- The application can access data using the following permissions on the mobile device:
- access to a camera for the purpose of QR code scanning – subject to the User’s consent,
- access to internal memory – subject to the User’s consent.
- Data are processed until they are deleted or the account in the Application is deleted.
- Users have the right to access their data, rectification, erasure, restriction of processing, the right to data portability, as well as the right to lodge a complaint to the supervisory authority.
- The provision of this data is voluntary, but failure to provide this data will effect in use of the Application impossible.
§5.INFORMATION ON DATA PROCESSING FOR SECURITY PURPOSES
- From the moment the User starts the Application, the Administrator, in order to ensure the security of the service, processes the following data:
- the public IP address of the device from which the request was received,
- date and time of the request,
- number of bytes sent by the server,
- information about errors which occurred during the execution of the request.
- The Administrator’s legitimate interest in this processing is to keep server logs and to protect the Application from potential cyber attacks and other misuses. This includes the ability to determine the IP address of anyone performing unauthorised activity in the Application area, such as attempting to breach security measures or publishing prohibited content, or attempting unauthorised activities using the Administrator’s servers.
- The processing of this data takes place on the basis of Article 6(1)(f) of the GDPR.
- The Administrator shall store these data for the period necessary for the accomplishment of the stated purposes, not longer than until the statute of limitations for claims arising from separate provisions of law.
- The provision of this data is a condition for the use of the Application. Failure to provide this data will render the use of the Application impossible.
- Users have the right to access their data, rectification, erasure, restriction of processing, to object to their processing, and to lodge a complaint to the supervisory authority.
- the Application gives the Administrator the possibility to make the User’s personal data anonymous at their request.
§6.ABSOLUTE RIGHTS OF DATA SUBJECTS
When writing about rights related to the processing of Users’ personal data, our reference is to the rights described below. The possibility of exercising the following rights is independent of the legal basis of the processing of personal data.
- The right to access the data– Users have the right to obtain confirmation from the Administrator as to whether it is processing personal data concerning them. Upon receipt of such a request, the Administrator is obliged to provide a copy of the personal data being processed. If such a request is received by e-mail and if the Administrator does not receive another objection, the information shall also be provided by e-mail.
- The right to rectify the data – Users have the right to request from the Administrator the immediate rectification of personal data concerning them that is inaccurate. Having regard to the purposes of the processing, you have the right to request that incomplete personal data be completed, including by providing an additional statement.
- The right to delete the data (to be forgotten) – Users have the right to demand from the Administrator the immediate deletion of personal data concerning them. The Administrator is then obliged to delete the personal data without undue delay
- The right to restrict the data processing – Users have the right to request the Administrator to restrict the processing of their data.
- Automated decisions, including profiling– Users have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning them or similarly significantly affects them.
- The right to file a complaint – Users have the right to file a complaint regarding the processing of their personal data with the Office for Personal Data Protection.
§7.RELATIVE RIGHTS OF DATA SUBJECTS
When writing about rights related to the processing of Users’ personal data, our reference is to the rights described below. The possibility of exercising them depends each time on the legal basis of the processing of personal data.
- The right to withdraw consent to processing – In case where the Administrator processes personal data on the basis of the consent given to do so, Users have the right to withdraw the consent given at any time. Naturally, the withdrawal of granted consent does not affect the legitimacy of earlier processing of personal data.
- The right to data portability – Users have the right to receive the personal data provided by them to the Administrator, in a structured and commonly used machine-readable format. Users also have the right to send this personal data to another controller without hindrance from the controller.
- The right to objection– in case where the Administrator processes Users’ personal data on the basis of Article 6(1)(f) of the GDPR, they have the right to object to the processing of such data on grounds relating to their particular situation.