I. Personal Data Administrator
The Administrator of Personal Data (PDA) is Specfile Project Sp. z o.o. 60-408, Poznan, ul. Nagórskiego 3, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court Poznan-Nowe Miasto and Wilda in Poznan, VIII Economic Department of the National Court Register, NIP: 7811950934, KRS: 0000694508.
II. Data Protection Officer
The PDA has appointed a personal data controller (PDC), who can be contacted by e-mail email@example.com
III. Purposes, duration, compulsory nature and legal grounds for processing personal data
The PDA processes personal data of Entrepreneurs or Entrepreneurs' representatives for the purposes connected with the conclusion, performance and possible termination of the Agreement as well as processing of complaints. The above also includes the processing of personal data connected with communication between the PDA and an Entrepreneur or an Entrepreneur's representative to the extent that this is connected with the purposes referred to in the first sentence.
The processing of personal data is based on Article 6(1)(b) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [hereinafter the Regulation] - the processing is necessary for the conclusion and performance of the contract to which the Entrepreneur is a party.
The provision of personal data for this purpose is a contractual requirement. Consequently, if you fail to do so, the Contract will not be concluded.
Personal data processed for this purpose will be processed for the duration of the Contract, and after its termination - for the period resulting from legal regulations.
The PDA processes personal data of Entrepreneurs or Entrepreneurs' representatives for the purpose of pursuing potential claims in connection with the Entrepreneur's failure to pay for Services provided by the PDA.
The basis for the processing of personal data is Article 6(1)(f) of the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the PDA.
The provision of personal data for this purpose is a contractual requirement. Consequently, if you do not provide it, the contract will not be concluded.
Personal data processed for this purpose will be processed for the duration of the Agreement and, after its termination, for the period during which it is possible to pursue claims in court, i.e. until the expiry of the limitation period for claims.
The PDA processes personal data of Entrepreneurs or Entrepreneurs' representatives for purposes related to the performance of obligations arising from the law (in particular tax law).
The basis for the processing of personal data is Article 6(1)(c) of the Regulation - processing is necessary for the performance of a legal obligation incumbent on the PDA, in particular a legal obligation under tax law.
Providing personal data for this purpose is a statutory requirement. Therefore, in the event of failure to provide such data, the Contract will not be concluded.
Personal data processed for this purpose will be processed for the time necessary to fulfil these purposes.
The PDA processes personal data of Entrepreneurs or Entrepreneurs' representatives for information purposes, in particular the marketing of its own services.
The legal basis for processing personal data is Article 6(1)(f) of the Regulation - processing is necessary for the purposes of the legitimate interests pursued by the PDA or consent (Article 6(1)(a) of the Regulation).
Providing personal data for this purpose is voluntary.
The personal data processed for this purpose shall be processed for the duration of the Agreement - in the case the data are processed on the basis of Article 6(1)(f) of the Regulation, but no longer than until the date of lodging a justified objection. On the other hand, if the data are processed also on the basis of an expressed consent, the data shall be processed also after the termination of the Agreement, for the period indicated in this consent which falls after the term of the Agreement, but no longer than until the date of withdrawal of the consent.
The PDA processes personal data of Entrepreneurs or Entrepreneurs' representatives for other purposes permitted by law, directly or indirectly related to the purposes mentioned above, in particular for archiving and statistical purposes, for auditing purposes, for management control purposes, or for purposes related to consultancy and surveys and customer satisfaction surveys.
The legal basis for the processing of personal data is Article 6(1)(f) of the Regulation - processing is necessary for the purposes of the legitimate interests pursued by the PDA.
Providing personal data for this purpose is voluntary.
Personal data processed for this purpose will be kept for a period appropriate to the original purpose for which they were collected. However, if other data have been collected for this purpose other than as a result of the purposes referred to above, these data will be processed for the duration of the Agreement and 10 years after its termination, but not beyond the date on which an objection to such processing is raised, provided that it is justified.
Service Recipients on the Website are Whistleblowers submitting reports to the Website in an initially anonymous way and Recipients of reports (i.e. persons authorised by the Entrepreneur to operate the Entrepreneur's Panel on the Website).
The PDA processes personal data of the Recipients for the purposes connected with the conclusion, performance of the Agreement. The above shall also include processing of personal data connected with communication between the PDA and the Recipient to the extent connected with the purpose referred to in the first sentence.
The basis for the processing of personal data is Article 6(1)(b) of the Regulation - processing is necessary for the conclusion and performance of a contract to which the Entrepreneur is a party.
The provision of personal data for this purpose is a contractual requirement. Therefore, if they are not provided, the Agreement will not be concluded. Recipients' personal data will not be processed for any other purpose than that for which they were collected.
Personal data processed for this purpose will be kept for the duration of the Agreement, and after its termination - for the period resulting from legal regulations.
The PDA processes the Recipient's personal data at the time of registration, which are necessary to identify the Entrepreneur and the Recipient personally. The Recipient's personal data are never transferred to the Whistleblower by the Service, unless the Recipient does so himself.
All technical data that may identify the Whistleblower (including data and contents of transmissions to and from the server, data about the IP numbers of the Whistleblower's computer), which appeared during the submission or reading of the response from the server, are not saved, are not archived, nobody has access to them, and they are not processed by the PDA.
The PDA has no access to the content of communications between the Whistleblower and Recipients. The PDA is therefore not responsible for personal data included in their content, whether data about the Whistleblower, the Recipient or other persons mentioned in such correspondence. The obligation to protect personal data contained in such correspondence is borne by the Recipients of this correspondence.
IV. Encryption keys
Encryption keys generated on the Website for both Recipients and Whistleblowers are a special type of data. They are used to secure the content of files containing correspondence and attachments related to Notifications (Notification files), exchanged between the Whistleblower and Recipients, and maintained on the server.
The PDA does not recognize the encryption keys generated for the Whistleblower as personal data, as it provides the Whistleblower with anonymity on the Service. These keys are only associated with the Whistleblower's Report and not with the person.
The contents of the Report files are encrypted using the RSA-4096 public key algorithm (4096 bit keys) and the AES-256-GCM symmetric key algorithm (256 bit keys).
The encryption process of the Submission file is done by:
Generating a master file key of the appropriate length for the symmetric key algorithm in use.
Downloading public keys for people sharing the Request file, according to the encrypted file sharing configuration
Creating a set of encrypted master keys by encrypting the file key with each public key.
Encrypting the submission file data using the master key of the file, using a symmetric key algorithm.
Combining a set of encrypted master keys and encrypted source file data into a single document with extension .spcf.
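The five steps above, sketched with Node.js's built-in crypto module as an added example; it is not the Service's own code. The RSA-OAEP/SHA-256 padding, the JSON container standing in for the .spcf layout, and all function names are assumptions, since the page specifies none of them.

```javascript
const crypto = require('crypto');

// Assumption: RSA-OAEP with SHA-256 wraps the file key; the page names only RSA-4096.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical helper: an RSA key pair as PEM strings (4096 bits as stated on the page).
function generateKeyPair(bits = 4096) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// recipients: { "<e-mail or report id>": "<public key PEM>" }
function encryptForRecipients(plaintext, recipients) {
  const fileKey = crypto.randomBytes(32);                 // step 1: 256-bit master file key
  const wrappedKeys = {};
  for (const [id, pem] of Object.entries(recipients)) {   // steps 2-3: wrap it per public key
    wrappedKeys[id] = crypto.publicEncrypt({ key: pem, ...OAEP }, fileKey).toString('base64');
  }
  const iv = crypto.randomBytes(12);                      // fresh 96-bit GCM nonce per file
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);        // step 4
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return JSON.stringify({                                 // step 5: one combined document
    keys: wrappedKeys,                                    // (constructed layout, not real .spcf)
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  });
}

// Reverse path for one recipient: unwrap the file key, then decrypt and verify the GCM tag.
function decryptAs(container, id, privateKeyPem) {
  const doc = JSON.parse(container);
  if (!doc.keys[id]) throw new Error('file is not shared with ' + id);
  const fileKey = crypto.privateDecrypt(
    { key: privateKeyPem, ...OAEP }, Buffer.from(doc.keys[id], 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, Buffer.from(doc.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(doc.tag, 'base64'));
  // final() throws if the ciphertext or tag was modified.
  return Buffer.concat([decipher.update(Buffer.from(doc.data, 'base64')), decipher.final()]);
}
```

Because the payload is encrypted once and only the 32-byte file key is wrapped per recipient, adding a recipient grows the document by one RSA ciphertext, and a modified payload fails the GCM tag check instead of decrypting to altered text.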
The Recipient's encryption keys are always generated on the Recipient's device (computer, smartphone) in the process of registering their e-mail address. Created keys are saved on the server with the exception that the private key is encrypted with the Recipient's password and transmitted to the server in this form.
The Whistleblower's encryption keys are always generated on the Whistleblower's device (computer, smartphone) in the process of creating a notification and giving this notification an identifier. Created keys are stored on the server, however, the private key is encrypted with a password generated (locally) for a given notification of the Whistleblower and transmitted to the server in this encrypted form.
When the Whistleblower creates a Request, the file with the content of the Request and attachments is encrypted with the public keys of persons authorized to receive the Request at the Entrepreneur's company. These persons can download this file from the server and locally decrypt its contents with their private keys.
When the Recipient decrypts the file with the Submission, he/she can create a response for the Whistleblower, the content of which he/she will encrypt with the Whistleblower's public key downloaded from the server (tied to the Submission's identifier), and will transfer to the server.
When the Whistleblower reads the Recipient's response from the server, it provides the Submission identifier and the associated password. The server then transmits the response file and the private key associated with the identifier, and locally the private key is decrypted with the provided password and used to decode the response file.
The same Whistleblower keys generated for a single Notification are used in the exchange of correspondence related to that Notification. Each Notification has its own Whistleblower keys. The Recipient uses one and the same set of keys for all Submissions.
Downloading public keys from the server is done by specifying the e-mail address of the user (in the case of the Recipient) or the user ID (in the case of the Signer) for which you want to download keys. Each authenticated user can download the public keys of other users. Each authenticated user may additionally download his and only his private keys from the server in an encrypted form.
The current version of the Service does not allow the Recipient to change the password, the keys or to store the keys on an external carrier.
Cryptographic operations on files and keys of the Whistleblower are fully automated and independent of the Whistleblower. The Service also does not provide the Whistleblower with access to the Submission files in encrypted form.
The Service enables the Whistleblower to output a file with the Confirmation of dispatch of the Notification and the Confirmation from each exchange of correspondence in the Notification. The Confirmation, in addition to its content, contains the Notification's identifier in the Service and the access password. The Confirmation contains data about the Notification, it does not contain any data about the Signatory (unless he/she has entered them independently).
The deletion of the Recipient's account and the keys in the Service is carried out by Service personnel:
At the request of an identified Lead Report Recipient or an authorised representative of the Entrepreneur
After no response to 3 consecutive e-mails from the Service announcing the deletion of the account, sent by the Service to the Recipient's address at intervals of at least one month.
It is assumed that the Whistleblower's keys may be deleted after a period of 1 year from the date of their registration (registration of the Report related to the Report).
Deletion of the account and keys in the Service database takes place after their transfer to the PDA archives, where they are stored for a period resulting from legal regulations.
V. Transfer of personal data
The recipient is understood to be a natural or legal person, public authority, entity or any other body to which the PDA discloses personal data, regardless of whether it is a third party. However, public authorities which may receive personal data in the context of a particular proceeding in accordance with Union or Member State law shall not be considered as recipients.
Accordingly, the PDA reports the following categories of recipients:
providers of legal services related to the activities of the PDA;
providers of IT services related to the operation of the PDA, including hosting services;
providers of auditing and other services related to the control of the PDA's activities;
the auditors who audit documents related to the operations of the PDA;
entities other than those indicated above, which on the basis of legal regulations are entitled to obtain from the PDA information related to the PDA's activity, which information may include personal data.
The PDA does not intend to transfer personal data to a third country (that is, a country outside the European Economic Area) or to an international organisation.
VI. Automated decision-making
The PDA will not process Recipients' personal data by automated means or profiling.
VII. Data subject rights
The data subject is entitled:
To request access to their personal data, including to obtain a copy of the personal data being processed. The first copy is free of charge. For any subsequent copies you may request, the PDA may charge a reasonable fee based on administrative costs.
To request the PDA to rectify its personal data that is inaccurate, because it was collected in error or because it has changed after collection. The above right also includes the completion of missing data.
To request the PDA to delete their personal data, except that one may exercise this right in the cases set out in the Regulation.
To request the PDA to restrict the processing of one's personal data, under the conditions set out in the Regulation.
To object to the processing of one's personal data by the PDA in accordance with Article 21(1) of the Regulation, i.e. to object - on grounds relating to a particular situation - to the processing of one's data based on Article 6(1)(e) or (f) of the Regulation including profiling on the basis of these provisions. In the event of such an objection, the PDA shall no longer be permitted to process such personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
To object to the processing of personal data by the PDA in accordance with Article 21(2) of the Regulation, that is, to object to the processing of such data for the purposes of such direct marketing, including profiling, insofar as the processing is related to such direct marketing. If you exercise this right, the PDA may no longer process your data for such direct marketing.
To the transfer of personal data, under the conditions set out in the Regulation.
To withdraw consent to the processing of personal data where consent has previously been given,
To submit a complaint to the supervisory authority dealing with personal data protection, i.e. the President of the Office for Personal Data Protection in relation to the processing of personal data by the PDA.
The person of the Whistleblower is anonymous to the PDA, the PDA does not receive or process any personal data of the Whistleblower and therefore does not grant him/her any rights related to personal data protection on the Website.
Cookies are IT data, in particular text files stored in the end device of the user (service recipient) and are intended for use on the website. Cookies generally contain:
the name of the originating website,
the duration of their storage on the end device, and
The entity placing cookies on the user's terminal equipment and accessing them is PDA.
You can read more about cookies at https://www.allaboutcookies.org/
Cookies are used for:
adapting the content of websites to the user's preferences and optimising the use of websites; in particular, these files allow for recognition of the user's device and appropriate display of the website adapted to the user's individual needs,
the creation of statistics which help us understand how users make use of websites, which enables the improvement of their structure and content.
There are two main types of files used on the Website:
session cookies, which are temporary files that are stored in the user's terminal equipment until logging off, leaving the website or switching off the software (web browser);
persistent cookies, which are stored in the user's terminal equipment for the period specified in the cookie parameters or until they are deleted by the user.
The sygnanet.pl website uses the following types of cookies:
„essential” cookies enabling the use of services available on the Website, e.g. authentication cookies used for services which require authentication on the Website,
cookies used for security purposes, e.g. used to detect abuse of authentication on the Website,
„performance” cookies allowing the collection of information about how websites are used,
„functional” cookies allowing to remember user's selected settings and to personalize user's interface, e.g. with respect to chosen language or region of origin, font size, website layout etc.,
Very often, the software used to browse websites (web browser) allows the storage of cookies on the user's terminal device by default. The Service User can always change their cookie settings. Changes in settings may involve, among other things, blocking the automatic handling of cookies in the settings of a web browser or informing on their placement in the user's device each time. More information on the possibility and methods of using cookies is available in the settings of your software (web browser).