GDPR Information

Following the entry into application on the 25th May 2018 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as General Data Protection Regulation „GDPR”), as the data Controller we herewith inform our valued customers and collaborators about the principles and legal bases of data processing by the Foundation for Promotion of Entrepreneurship in Łódź.

In the case of individual projects and various categories of our services, we provide each time more specific information related to data processing. The following information contains general information on the legal basis, key principles governing data processing at our institution and other relevant information concerning the processing of personal data by our Foundation.

The data Controller for the majority of data processed is the Foundation for Promotion of Entrepreneurship in Łódź, (90-103 Łódź, ul. Piotrkowska 86), later referred to as the „Foundation„.

The Foundation also processes personal data on behalf of other data controllers and only on the basis of documented instructions from these controllers, included in the data processing agreements duly concluded between these controllers and the Foundation. In such cases we always provide our clients and collaborators with the relevant information about the data Controllers and the principles governing the processing of personal data.

The data are processed in relation to implementation of the following aims pursued by the Foundation:

  1. Implementation of projects (including projects financed under EU and domestic frameworks), covering provision of information, training and consulting services, organisation of internships and international exchanges, providing the intermediary services in business contacts and provision of economic information, as well as implementation of all services and benefits provided for in the project’s regulations.
  2. Implementation of information, training and consulting services and other services for customers under economic activities of the Foundation as provided for in the Foundation’s Statutes.
  3. Recruitment and employment of personnel, including permanent staff, collaborators and interns.
  4. Contracting of entities supplying goods and providing services for the Foundation.
  5. Accounting, keeping books, and records as well as reporting from the Foundation’s activities as required by laws in force.
  6. Marketing of the Foundation’s services, including services offered under projects schemes as well as the Foundation’s economic activities, as provided for in the Statutes.

What is the legal basis for data processing?

Each processing at the Foundation is lawful based on the relevant provision of GDPR, and in particular related to:

  1. In the case of project-related data, the legal bases for processing are:
    • processing is necessary for the performance of a task carried out in the public interest (implementation of projects provided for in EU and Polish laws);
    • processing is necessary for the purposes of the legitimate interests pursued by the Controller;
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • in the case of projects, for which the data Controllers are other entities, the legal bases are constituted by data processing agreements, containing instructions related to data processing, addressed to the Foundation as the processor.
  1. Legal bases for data processed for the purpose of implementing the Foundation’s own services, including the ones offered under economic activities run by the Foundation are:
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • processing is necessary for the purposes of the legitimate interests pursued by the Controller;
    • processing is necessary for compliance with a legal obligation to which the controller is subject (recording of activities carried out and compliance with financial, accounting and taxation regulations in force)
  1. Legal bases for data processing in recruitment and employment of personnel:
    • processing is necessary for the purposes of the legitimate interests pursued by the Controller (recruitment of personnel);
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • processing is necessary for compliance with a legal obligation to which the controller is subject (in particular compliance with labour and social security laws in force);
    • in the case of data, the processing of which is not directly legitimised by the laws in force, the legal basis for processing is constituted by the data subject’s consent.
  1. Legal bases for processing of personal data of the suppliers and services providers:
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • processing is necessary for compliance with a legal obligation to which the controller is subject (recording of activities carried out and compliance with financial and taxation regulations in force);
    • processing is necessary for the purposes of the legitimate interests pursued by the Controller (maintaining contacts with suppliers and services providers).
  1. Legal basis for reporting and bookkeeping, accounting and reporting activities:
    • processing is necessary for compliance with a legal obligation to which the controller is subject (recording of activities carried out and compliance with financial, accounting and taxation regulations in force).
  1. Legal bases for data processing for the purpose marketing activities of the Foundation:
    • processing is necessary for the purposes of the legitimate interests pursued by the Controller (advertising services offered by the Foundation).
    • data subject’s consent.

There is no legal obligation for the data subjects to disclose their data, however non-disclosure of data prevents the used of the Foundation’s services, both under project schemes and Foundation’s own services as well as receiving information related thereof.

How long the data are processed?

In the majority of cases, the data are processed as long as provided for in the laws in force, in particular in relation to:

  • data processed for the purposes of employment of personnel (data retention period is 50 years, as provided for laws regulating pension schemes);
  • data processed for the purpose of the performance of a contract as well as related to accounting and tax and financial reporting – not less than 5 years from the end of the year, in which the last activity was recorded (by virtue of accounting laws in force), unless the circumstances arise that legitimise prolongation of this period for the purpose of the establishment, exercise or defence of legal claims.

In the case of projects – data are processed as long as stipulated in the regulations governing mandatory periods of data storage for archive purposes.

In other cases, we process your data as long as the data subject expresses his/her objection against processing, unless the circumstances arise that may restrict exercising this right by the data subject.

If data are processed on the basis of a data subject’s consent, they are processed as long as the consent is not withdrawn by the data subject.

Who processes the data?

The data processed at the Foundation are subject exclusively to processing by appropriately trained personnel, processing the data on behalf of the Foundation and bound by the obligation to secrecy.

To whom the data are made accessible?

The data are made accessible to state institutions such as tax offices and social security institutions as well as banking institutions in the course of processing the contracts between the Foundations and the data subjects.

The data may be also made accessible to the institutions, to which the Foundation reports (substantive and financial reporting) from all activities pursued – in compliance with the laws in force and relevant project-related contracts.

The data may be also made accessible to the partners taking part in projects implementation and wider networks of institutions participating in provision of services offered by the Foundation.

In the case when the Foundation commissions execution of certain tasks to other entities, the data may be also made accessible to these entities, as processors, with whom the appropriate data processing agreements are concluded.

The data may be also disclosed to competent public bodies in the course of the procedures handled by these institutions.

What are the rights of the data subjects under GDPR?

Under the GDPR the data subjects have the following rights:

  • the right of access and rectification by the data subject;
  • the right to restriction of processing, the right to data portability, the right to object, the right to erasure (‘right to be forgotten’), unless the circumstances arise that may limit the exercise of these rights;
  • the right to withdraw consent – in the case when data processing is based on the data subject’s consent;
  • the right to lodge a complaint with a supervisory authority.

Are your data transferred to third countries, outside the European Economic Area?

In principle the Foundation does not transfer any personal data outside the European Economic Area.

In exceptional cases – related to data disclosed by customers using the services of Enterprise Europe Network (EEN) Centre at the Foundation – the data may be transferred to the countries taking part in the  EEN Network and takes place exclusively be means of the data subject’s consent, that is the request to disclose the data for the purpose of exchange of international business information, provided under the EEN services.

Are your data subject to automated individual decision-making, including profiling?

The data processed by the Foundation are not used for automated individual decision-making, based solely on automated processing, including profiling.

Whom to contact regarding personal data processing?

If you have any questions or requests concerning data processing by the Foundation or regarding the exercise of your rights, please contact us via e-mail: fundacja@frp.lodz.pl.