Respecting your rights as personal data subjects and respecting the applicable law regulations, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, we pledge to maintain the security and confidentiality of the personal data which we have obtained from you.
The controller of the personal data on the website under the address www.testportal.net, along with the websites which are related to it, hereinafter referred to as the Website, is Testportal Sp. z o.o., with its registered office in Babimost, Poland, European Union, under the address Szewska 9, 66-110 Babimost, entered into the register of entrepreneurs of the National Court Register kept by the District Court in Zielona Góra, VIII Commercial Division of the National Court Register, under the number 0000512302, NIP (Tax Identification Number) 9731017273, REGON (National Business Registry Number) 081208720.
1. We collect the following personal data on the Website:
a) The data necessary for registering a User and for creating an Account: an e-mail address, password, name and surname, country of origin, time zone, and type of entity (an individual user/a company). Such data is required for the correct configuration of an Account and for establishing contact with a User, if need be;
b) Data required for providing services to a User or to a Respondent, the contents of which may change depending on the service provided or on the nature of an online Test. This may include a residence or address, date of birth, PESEL (Polish citizen identification) number, age, sex, NIP (Tax Identification Number), phone number, education, profession, and the data contained within the online Tests;
c) Data required to proceed with the complaint process — name and surname, as well as a User's or Respondent's e-mail address, the device's IP address, and NIP (Tax Identification Number) — which we require from entrepreneurs and from those requesting an invoice who have a NIP number;
d) Information resulting from the general principles of Internet connections, such as an IP address (as well as other information contained within the system logs), which is used by the Website administrator for technical purposes. IP addresses may also be used for statistical purposes, including the collection of general demographic information (e.g., determining the region in which the connection is made).
2. Providing the data mentioned above is necessary in cases specified therein, including:
a) To use the services which are offered on the Website;
b) To reply to your questions and make it possible to get in touch via e-mail;
c) To proceed with voluntary registration (setting up an Account) on the Website. In such a situation, we store the data the User has provided in order to make it easier for the User to use the services available on the Website in the future until the User deregisters (delete the Account).
4. The personal data of the User is processed by our company as the Personal Data Controller in order to proceed with the implementation of the services which we render to the User (i.e., the persons whom the data concerns), and which are offered within the scope of the Website. Pursuant to the data minimization principle, we process only those personal data categories which are necessary to achieve the goals which have been discussed in the preceding sentence.
5. In relation to the personal data of the Respondents, the Controller is the entity processing the personal data on the basis of an agreement concluded with the User. In such a case, the Controller of the data is a User who is collecting data via online Tests. The Data Processing Agreement is available here.
7. We process personal data for the period necessary to achieve the objectives mentioned in par. 1 and 2 above. Personal data may be processed for a longer period of time if an obligation is imposed on us as the Controller, if required by specific legal provisions, or because of the Controller's legitimate interest specified in par. 9 let. c below (i.e., for the period of the termination of the claims, or the completion of the relevant proceedings, if these were started within the limitation period).
8. The sources of the personal data processed by the Personal Data Controller are the persons the data concerns.
9. The following articles are the basis for the processing of your personal data:
a) Art. 6 par. 1, let. b of the GDPR, i.e., the indispensability of the performance of the agreement, of which you are a party of, or to act as per the your request prior to concluding a contract;
b) Art. 6 par. 1, let. C of the GDPR, i.e., the necessity of fulfilling the legal obligations of the Controller;
c) Art. 6 par. 1, let. f of the GDPR, i.e., the legitimate interest of the Controller, which is the determination, investigation, or the defense of the claims until their expiration, or until the relevant proceedings are completed, if these have been initiated within this period;
d) Art. 6 par. 1, let. a of the GDPR, i.e., your approval of the processing of the personal data for specific purposes, when any other legal grounds of the processing of personal data are not applicable.
10. The personal data is transferred by us to a third country, The United States of America (Twilio, Inc. and Zendesk, Inc.), under the provisions of the GDPR. In a case where the personal data is transferred to a third country, or to an international organization, you will be notified about this fact in advance, and the Controller will apply the safeguards which have been mentioned in Chapter V of the GDPR.
11. We do not make any personal data available to third parties without the explicit consent of the person whom the data concerns. Without the consent of the person whom the personal data concerns, this data can be made available only to the bodies which are governed by public law (i.e., tax authorities, law enforcement authorities, as well as to other entities which are authorized by the generally applicable provisions of the law).
12. In the case of the occurrence of the "like" button, or any other links to the Controller's social media accounts, within the scope of personal data regarding the IP or the Internet browser's identifier, the Controller may use any of the following products:
a) Facebook (e.g., Facebook, Messenger, Instagram) — The above data is processed on the basis of joint administration principles along with Facebook Ireland Ltd., with its registered office at the following address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
b) Google (e.g., YouTube, Maps) — The above data is processed on the basis of joint administration principles along with Google Ireland Ltd., with its registered office at the following address: Barrow St, D04 E5W5, Dublin, Ireland (Google Building Gordon House).
c) LinkedIn — The above data is processed on the basis of joint administration principles along with LinkedIn Ireland Unlimited Company, with its registered office at the following address: Gardner House, 2 Wilton Place, Dublin 2, Ireland.
d) Twitter — The above data is processed on the basis of joint administration principles along with Twitter International Company, with its registered office at the following address: The Academy, 42 Pearse Street, Dublin 2, Ireland.
If, in the cases which have been described in this paragraph, there would be any transfer of personal data to third parties, this is done on the terms and conditions defined in par. 10.
13. The personal data may be entrusted for processing to the processors of such data on behalf of our company as the Personal Data Controller. In such a situation, as the Personal Data Controller, we conclude an entrustment agreement with the processor for the processing of personal data. The processor processes the entrusted personal data only for the purposes, within the scope, and as per the goals indicated in the entrustment agreement, which has been referred to in the preceding sentence. Without entrusting your personal data for processing, we would not be able to proceed with our activities through the Website. As the Personal Data Controller, we entrust personal data to the following entities for processing:
a) Those providing hosting services for the webpage the Website functions on;
b) Those providing other services to us — services which are necessary for the continuous operation of the Website.
14. The personal data is not profiled by us as the Controller under the provisions of the GDPR.
15. Under the provisions of the GDPR, each person whose personal data we are processing as the Personal Data Controller has the right to:
a) Be informed about the processing of the personal data referred to in art. 12 of the GDPR;
b) Have access to their personal data referred to in art. 15 of the GDPR;
c) Correct, supplement, update, or rectify the personal data referred to in art. 16 of the GDPR;
d) Delete the data (the right to be forgotten), referred to in art. 17 of the GDPR;
e) Limit the processing referred to in art. 18 of the GDPR;
f) Transfer the data referred to in art. 20 of the GDPR;
g) Object to the processing of the personal data, which is referred to in art. 21 of the GDPR;
h) In the case of the legal basis referred to in par. 9 let. d above: The right to withdraw the consent at any time without any influence on the compliance with the processing right, which has been made on the basis of the consent prior to its withdrawal;
i) Not be the subject of profiling, referred to in art. 22, in conjunction with art. 4 par. 4 of the GDPR;
j) Lodge a complaint with a supervisory body (e.g., the President of the Personal Data Protection Office), referred to in art. 77 of the GDPR.
Each person whose personal data we are processing must take into consideration the principles of using and implementing these authorizations that result from the provisions of the GDPR.
16. If you would like to exercise your rights as referred to in the preceding paragraph, you should use the correct tabs on the Website, which will allow you to delete your account and the data stored on the Website. You may also send an e-mail message to either of the addresses referred to in par. 17 or write to the correspondence address.
17. Any inquiries, requests, and complaints regarding the processing of the personal data by the Controller, hereinafter referred to as the Requests, should be sent to either of the following e-mail addresses: firstname.lastname@example.org or email@example.com.
18. The content of such a Request should clearly indicate the following:
a) The data of the person or persons whom the notification concerns;
b) The event which is the reason for submitting the Request;
c) The requested action and the legal basis for the request;
d) The expected method of resolving the request.
19. Each identified security breach is documented and in case any of the situations described in the provisions of the GDPR of the Act occurs, each person whose data has been affected will be notified about a breach of the provisions of personal data protection, and, if applicable, the President of the Personal Data Protection Office will be informed about this as well.