APRIL Polska Broker Sp. z o. o. with its registered office at 73 Sienna Street, 00-833 Warsaw, Poland (APRIL further on) attaches great significance to respecting the privacy of the users visiting our website. Any logged data are used only for the purposes of website administration. We do not seek to identify the Users of our website.
The identification data are not associated with any individuals browsing the website of APRIL Polska Broker Sp. z o. o., with the exception of data provided by Users in contact forms. To ensure the highest quality of service, we occasionally analyse our log files in order to determine which pages are visited the most frequently, what is the most popular browser being used, as well as to ensure that the page structure does not contain any errors, etc.
The contents of the Website’s pages are the property of APRIL Polska Broker Sp. z o. o. All moral and economic rights to any elements of the Website (graphic, text, page layout, etc.) are reserved. The Website and all of its elements are protected by the provisions of the law, in particular by the Act of 4 February 1994 on Copyright and Neighbouring Rights (consolidated text: Journal of Laws 00.80.904, as amended), and of the Act of 16 April 1993 on Combating Unfair Competition (consolidated text: Journal of Laws 03.153.1503, as amended).
Personal Data Protection
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Users of the website provide their personal data voluntarily.
Personal Data Controller
The Data Controller of the processed data is APRIL Polska Broker Sp. z o. o. with its registered office at 73 Sienna Street, 00-833 Warsaw, Poland.
Data Processing by the Data Controller
In connection with its business activities, the Data Controller collects and processes personal data in accordance with appropriate provisions, including in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), and the data processing regulations prescribed there.
The Data Controller ensures transparent data processing, which means in particular that it always provides information on data processing at the time of collection, including information on the purpose and legal basis of the processing – e.g. when concluding a contract of sale of merchandise or services. The Data Controller ensures that the data are collected only to the extent necessary for the indicated purpose and processed only for the period necessary.
When processing data, the Personal Data Controller ensures their safety and confidentiality, as well as the availability of information on the processing to the data subjects. If, in spite of the security measures adopted, the personal data security is breached (e.g. data are ‘leaked’ or lost), the Personal Data Controller will notify the data subjects of such event in accordance with the law.
How to Obtain Additional Information on Personal Data Processing?
For additional information, please contact the Data Protection Officer (DPO) appointed by APRIL. The relevant contact data are provided below:
Data Protection Officer
APRIL Polska Broker Sp. z o. o. with its registered office at 73 Sienna Street, 00-833 Warsaw, Poland.
As some business activities require processing, the personal data are disclosed to external entities, including in particular providers responsible for handling the IT systems and hardware, entities rendering legal or accounting services, couriers, as well as marketing and recruitment agencies. The data are also disclosed to entities affiliated to the Personal Data Controller, including companies of its capital group.
The Personal Data Controller reserves the right to disclose selected information concerning a data subject to the appropriate authorities or third parties that submit a request for such information, based on an appropriate legal basis and in accordance with the applicable law.
Personal Data Processing Period
The period of data processing by the Personal Data Controller depends upon the type of service being rendered and upon the purpose of the processing. The data processing period may also result from legal provisions where they constitute the basis for processing. In the event that data are processed on the basis of a legitimate interest of the Personal Data Controller – e.g. security considerations – the data are processed for a period of time which enables the achievement of such interest or until an effective objection is raised to the data processing. If the processing is based on consent, the data are processed until it is withdrawn. When the processing is necessary for the conclusion and performance of a contract, the data are processed until its termination.
The data processing period may be extended if the processing is necessary to establish or assert any claims or defend against them, and after that time only in the event and to the extent required by law. After the processing period ends, the data are permanently destroyed or anonymised.
Rights of Data Subjects
APRIL Polska Broker Sp. z o. o. enables the data subjects to exercise their rights arising from the GDPR.
The data subjects have the following rights:
• right to be informed about personal data processing – based upon this right, the Personal Data Controller provides the requester with information on the data processing, including in particular on the purposes and legal bases of the processing, scope of the data in its possession, entities to which they are disclosed, and planned date of data erasure;
• right to obtain a copy of the data – based upon this right, the Personal Data Controller provides a copy of the processed data to the data subject who has made the request;
• right to rectification – the Personal Data Controller is obliged to remove any possible inconsistencies or errors in the data processed, as well as to have them completed if they are incomplete;
• right to data erasure – based upon this right, one may request erasure of any data the processing of which is no longer necessary to achieve any of the purposes for which they have been collected;
• right to restriction of processing – in the event that such request is made, the Personal Data Controller ceases to perform any operations on the personal data – except for any operations to which the data subject has consented – and ceases to store them, as per the adopted retention principles or until the causes of the restriction of processing cease to exist (e.g. a supervisory authority gives a decision that enables continuation of data processing);
• right to data portability – based upon this right – to the extent to which the data are processed in connection with a contract concluded or a consent expressed – the Personal Data Controller hands over the data provided by the data subject in a format readable by a computer. One may also request that the data be transmitted to another entity – but only on the condition that this is technically feasible for both the Data Controller and the other entity;
• right to object to data processing for marketing purposes – a data subject may at any time object to the processing of their personal data for marketing purposes, without having to justify such objection;
• right to object to other purposes of data processing – a data subject may at any time object to the processing of their personal data based upon the Personal Data Controller’s legitimate interest, but any such objection should include the reasons for it;
• right to withdraw consent – if the data are processed on the basis of consent, the data subject has the right to withdraw their consent at any time, which does not affect the lawfulness of processing based on consent before its withdrawal;
• right to complain – if a data subject believes that the processing of their personal data violates the provisions of the GDPR or any other personal data protection regulations, they may submit a complaint to the President of the Personal Data Protection Office. In order to exercise the above rights, one must contact the Personal Data Controller or the Data Protection Officer, using the aforementioned contact information.
Purposes and Legal Bases of Processing
Electronic and Traditional Correspondence – in the event that the Personal Data Controller receives via e-mail or traditional post any correspondence unrelated to the services rendered to the sender or any other contract concluded with them, any personal data contained in that correspondence are only processed for the purposes of communication and resolving the subject matter of the correspondence.
Article 6(1)(f) of the GDPR – legitimate interests pursued by the Personal Data Controller, consisting in receiving and sending correspondence in connection with its business activities.
The Data Controller processes only the personal data relevant to the subject matter of the correspondence. All correspondence is stored in a manner that ensures the security of personal data (and other information) contained in it and is disclosed only to authorised persons.
Telephone communication – if the Personal Data Controller is contacted via telephone with regard to matters unrelated to the contract concluded or services rendered, the Personal Data Controller may only request provision of the personal data when it is necessary to resolve the subject matter of the communication.
Article 6(1)(f) of the GDPR – legitimate interests pursued by the Personal Data Controller, consisting in the need to resolve a reported matter related to its business activities.
Telephone conversations may also be recorded – in such case, this will be announced at the beginning of the conversation. The conversations are recorded in order to monitor the quality of the service rendered and to verify the work of the consultants, as well as for statistical purposes.
The recordings are only available to the employees of the Personal Data Controller and to persons working at the Personal Data Controller’s hotline.
Personal data in the form of a conversation recording are processed for the following purposes:
• for purposes related to handling of clients and applicants via a hotline if the Personal Data Controller makes such service available – the legal basis for the processing is the necessity of the processing to render the service (Article 6(1)(b) of the GDPR);
• in order to monitor the quality of services and verify the work of consultants working at the hotline, as well as for analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR), consisting in ensuring the highest possible quality of service provided to clients and applicants, as well as ensuring the highest possible quality of the work of consultants and statistical analyses with regard to telephone communication.
As part of recruitment processes, the Personal Data Controller expects personal data to be provided (e.g. in a CV or a resume) only to the extent set out in the provisions of the labour law. Therefore, no excess details should be provided. In the event that any applications sent contain additional data, they will not be used or taken into consideration for the recruitment process.
Personal data are processed for the following purposes:
• in order to perform obligations arising from the provisions of the law relating to the employment process, including in particular the Labour Code – the legal basis for processing is a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR in connection with the provisions of the Labour Code);
• in order to conduct recruitment with regard to data not required by provisions of the law, as well as for the purposes of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
• in order to establish or exercise or defend against any possible legal claims – the legal basis for data processing is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR).
Collection of Data in Connection with Rendering of Services or Performance of Other Contracts
In case of collecting data for purposes related to the performance of a specific contract, the Personal Data Controller provides the data subject with detailed information on the processing of their personal data upon conclusion of the contract.
In order to ensure the integrity, confidentiality and availability of the data, the Personal Data Controller has implemented the procedures (Personal Data Processing Policy) which enable access to the personal data only to authorised persons and only to the extent necessary for them to perform their tasks.
The Personal Data Controller also takes any necessary measures so that its subcontractors and other cooperating entities also ensure that appropriate security measures are taken whenever they process personal data at the request of the Personal Data Controller.
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling consists of three elements:
• the form of processing is automated (at least partly);
• the processing concerns personal data;
• the purpose of processing is to evaluate certain personal aspects, to attribute specific traits, or to predict behaviours.
What Is Automated Data Processing?
Automated data processing is when the data are processed only by an algorithm (computer), i.e. without human participation.
The Personal Data Controller is obliged to inform about automated processing, including profiling – if such processing produces legal effects concerning a given natural person or similarly significantly affects that person. A data subject has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision based solely on automated processing.
What are Cookies?
They are small pieces of information called cookies that are sent by a website visited by you and recorded on a terminal device (computer, laptop, smartphone) used by you for browsing websites.
Cookies, which consist of a string of letters and numbers, contain various information necessary for the proper operation of some websites, e.g. those who require authorisation – such as when you log into your e-mail account or an online shop.
Cookies also enable things such as storage of your preferences and customisation of websites for their displayed contents and matching advertisements to your interests. Cookies also enable registering of products and services as well as voting in online surveys.
Personal data gathered using cookies can only be collected for the purpose of performing specific functions for the user, e.g. remembering a website login or remembering the goods added to the cart in an online shop. Such data are encrypted in a manner which prevents unauthorised persons from accessing them.
Two general types of cookies and similar technologies are distinguished, when classifying by their lifespan:
• session cookies – temporary files stored on the User’s terminal device until they log out, leave the website and app or turn off the software (web browser);
• permanent cookies – stored on the User’s terminal device for a period of time set in the cookie parameters or until they are deleted by the User.
The following types of cookies and similar technologies are distinguished, when classifying by their purpose:
• cookies necessary for the service and app to work – those that enable the use of our services, e.g. authentication cookies, which are used for any services that require authentication;
• security cookies, they are used for purposes such as detecting authentication abuse;
• performance cookies – they enable collection of information on the use of websites and apps;
• functional cookies – they enable storage of the settings selected by the User and customisation of the User’s interface, e.g. with regard to the selected language or region of the User, font size, website and app appearance, etc.;
• advertising cookies – they allow for providing the Users with advertisements more tailored to their interests;
• statistical cookies – they are used to calculate website and app statistics.
The User can at any time delete any stored cookies or block storage of cookies, using the options available in their web browser. Removing or blocking the storage of cookies may hinder the use of the website or even prevent the use of some of its options.
The way of managing and deleting cookies varies depending on the browser used. Detailed information on that can be obtained by using the Help function in your browser.
Data Transmission outside of the EEA
The Personal Data Controller always provides information on the intent to transmit the personal data outside of the EEA when they are being collected.