Transparency Policy

1. Use of terms

(Data) Controller – StarNet Telecom Sp. z o.o. with its registered office in Warsaw.

Personal Data - information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice, contact, location, correspondence, information collected through recording equipment or other similar technology.

Policy - this Personal Data Processing Policy.

GDPR - Regulation of the European Parliament and the Council (EU) no. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive no. 95/46/EC.

Data subject - a natural person to whom personal data processed by the Controller relates.

2. Processing of data by the Controller

  2.1. In connection with its business activity, the Controller collects and processes Personal Data in accordance with the relevant legal regulations, including in particular GDPR, and the rules of data processing provided therein.

  2.2.The Controller shall ensure transparency of the processing of Personal Data, in particular by informing about the processing of data at the time of its collection, including the purpose and legal basis of the processing (e.g., when concluding a service contract). The Controller shall ensure that the data is collected only to the extent necessary to achieve the indicated purpose and processed only for the period in which it is necessary.

  2.3. When processing Personal Data, the Controller shall ensure its security and confidentiality and access to information on the processing of personal data by the persons to whom the data relates. Should a breach of personal data protection (e.g., "leakage" or loss of data) occur despite the security measures applied, the Controller shall inform the data subjects about such an event in a manner compliant with the provisions of law.

3. Contact with the Controller

  3.1. Contact with the Controller is possible via the following e-mail address: odo@starnettelecom.pl or the following address for correspondence: Aleja Armii Ludowej 28, 00-609 Warsaw.

  3.2. The Controller has appointed a Data Protection Coordinator who can be contacted via the e-mail address: odo@starnettelecom.pl in any matter concerning the processing of Personal Data by the Controller.

4. Security of Personal Data

  4.1. In order to ensure data integrity and confidentiality, the Controller has implemented procedures allowing access to Personal Data only to authorised persons and only to the extent necessary for the performance of their tasks. The Controller applies organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.

  4.2. The Controller shall also take all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data at the Controller's request.

  4.3. The Controller conducts an ongoing analysis of risks related to the processing of Personal Data and monitors the adequacy of data security measures applied to identified threats. Where necessary, the Controller shall implement additional measures to enhance data security.

5. Purposes and legal basis of the processing

E-MAIL AND TRADITIONAL CORRESPONDENCE

  5.1. If any correspondence not related to the services provided to the sender, another agreement concluded with the sender or otherwise not related to any relationship with the Controller is sent to the Controller via e-mail or traditional means, the personal data contained in such correspondence shall be processed solely for the purpose of communication and solving the matter to which the correspondence relates.

  5.2. The legal basis for the processing is the Controller’s legitimate interest (Article 6.1.f of the GDPR) , consisting in conducting correspondence addressed to the Controller in connection with the Controller’s business activity.

  5.3. The Controller shall process only Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner ensuring the security of Personal Data (and other information) contained therein and disclosed only to authorized persons.

PHONE CONTACT

  5.4. In case of contacting the Controller by phone, in matters not related to the concluded agreement or provided services, the Controller may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the Controller’s legitimate interest (Article 6.1.f of the GDPR), consisting in the necessity to resolve a reported matter related to his/her business activity.

  5.5. Telephone calls can also be recorded - in this case, at the beginning of the conversation, an appropriate information is given to the natural person. The calls are recorded in order to monitor the quality of the service provided and to verify the work of the consultants, as well as for statistical purposes. The recordings are available only to the Controller's employees and persons operating the Controller's hotline ("Customer Service phone number").

  5.6. Personal data contained in a call recording is processed:

    5.6.1. for purposes related to service of customers and interested parties via the Customer Service phone number - the legal basis for processing is the necessity of processing to provide the service (Article 6.1.b of the GDPR);

    5.6.2. in order to monitor the quality of service and verify the work of consultants handling the Customer Service phone numbers, as well as for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR), consisting in taking care of the highest possible quality of service for customers and interested parties, as well as the highest quality of consultants' work and conducting statistical analyses concerning telephone communications.

COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS

  5.7. In the case of collecting data for purposes related to the performance of a specific contract, the Controller shall provide the Data Subject with detailed information on the processing of his/her personal data at the time of concluding the contract or at the time of acquiring personal data if the processing is necessary for the Controller to take action at the request of the Data Subject, prior to concluding the contract.

PROCESSING OF PERSONAL DATA OF MEMBERS OF CONTRACTORS' STAFF OR CUSTOMERS COOPERATING WITH THE CONTROLLER

  5.8. In connection with the conclusion of commercial agreements within the framework of business activity, the Controller acquires from contractors / customers the data of persons involved in the implementation of such agreements (e.g., persons authorized to contact, persons placing orders, persons performing orders, etc.). The scope of the data transmitted is in any event limited to what is necessary for the performance of the contract and normally does not include information other than the name and business contact details.

  5.9. Such personal data is processed in order to meet the legitimate interest of the Controller and its business partner (Article 6.1.f of the GDPR) in enabling the proper and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the agreement, as well as to entities gaining access to data under the provisions of public disclosure of public information and proceedings conducted under the public procurement law, to the extent provided for by those provisions.

  5.10. The data is processed for the period necessary for the realization of the above mentioned interests and the performance of obligations resulting from the regulations.

COLLECTION OF DATA IN OTHER CASES

  5.11. In connection with the conducted activity, the Controller collects Personal Data also in other cases - e.g., by building and using permanent business contacts (networking) during business meetings, industry events or by exchanging business cards - for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the Controller’s legitimate interest (Article 6.1.f of the GDPR), consisting in the creation of a network of contacts in connection with the conducted activity.

  5.12. Personal data collected in such cases are processed only for the purpose for which it was collected, and the Controller ensures its proper protection.

6. Data Importers

  6.1. In connection with conducting business requiring processing of Personal Data, Personal Data is disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, entities providing legal or accounting services, couriers, recruitment agencies. Data is also disclosed to entities related to the Controller, including companies from its capital group.

  6.2. The Controller reserves the right to disclose selected information concerning the Data Subject to competent authorities or third parties, who submit a request to provide such information on the basis of an appropriate legal basis and in accordance with the provisions of applicable law.

7. Transmission of data outside the EEA

  7.1. The level of protection of Personal Data outside the European Economic Area ("EEA") differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, in particular through:

    7.1.1. cooperation with entities processing Personal Data in the countries in relation to which an appropriate decision of the European Commission has been issued concerning the determination of the appropriate level of protection of Personal Data;

    7.1.2. application of standard contractual clauses issued by the European Commission;

    7.1.3. application of binding corporate rules approved by the relevant supervisory authority;

    7.1.4. in case of data transfer to the US, cooperation with entities participating in the Privacy Shield programme approved by the European Commission decision.

  7.2. The Controller always informs about the intention to transfer Personal Data outside the EEA at the stage of its collection.

8. Period of processing of Personal Data

  8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. The period of data processing may also result from the law, when it constitutes the basis for the processing. In the case of processing on the basis of a legitimate interest of the Controller (e.g., for security reasons), the data shall be processed for a period sufficient to enable the exercise of such interest or to object to the processing in an effective manner. If the processing is based on consent, the data shall be processed until the withdrawal of consent. Where processing is based on the necessity to conclude and perform a contract, the data shall be processed until the termination of the contract.

  8.2. The period of processing may be extended where processing is necessary for the establishment or enforcement of claims or for defence against claims, and after that period only if and to the extent required by law.

9. Rights relating to the processing of personal data

RIGHTS OF DATA SUBJECTS

  9.1. Data subjects shall have the following rights:

    9.1.1. the right to information on personal data processing - on this basis the Controller shall provide the natural person making the request with information on data processing, including in particular the purposes and legal grounds for processing, the scope of data held, entities to whom the data is disclosed, and the planned date of data deletion;

    9.1.2. the right to obtain a copy of the data - on this basis the Controller shall provide a copy of the data processed concerning the natural person making the request;

    9.1.3. the right to rectify data - the Controller is obliged to remove any incompatibilities or errors in the processed Personal Data and to complete them if they are incomplete;

    9.1.4. the right to delete data - on this basis it is possible to demand the deletion of data whose processing is no longer necessary for the fulfilment of any of the purposes for which it was collected;

    9.1.5. the right to limit the processing of data - in case of such a request, the Controller shall cease to carry out operations on Personal Data - with the exception of those operations to which the data subject consented - and to store the data, in accordance with the accepted principles of retention or until the reasons for the limitation of data processing cease to exist (e.g., a decision of the supervisory authority allowing further processing is issued);

    9.1.6. the right to transfer data - on that basis - in so far as the data is processed automatically in connection with the conclusion of the contract or the consent given - the controller shall issue the data supplied by the data subject in a computer-readable format. It is also possible to request that such data be sent to another entity, however, provided that there are technical possibilities in this respect on the part of both the Controller and the designated entity;

    9.1.7. the right to object to the processing of data for marketing purposes - the data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such an objection;

    9.1.8. the right to object to other purposes of the processing - the Data Subject may object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data carried out on the basis of the Controller’s legitimate interest (e.g., for analytical or statistical purposes or for reasons related to the protection of property); the objection should state the grounds on which it is based;

    9.1.9. the right to withdraw consent - if the data is processed on the basis of the consent given, the Data Subject has the right to withdraw the consent at any time, but this does not affect the lawfulness of the processing carried out prior to the withdrawal;

    9.1.10. the right to complain - in case of finding that the processing of Personal Data infringes the provisions of the GDPR or other provisions regarding the protection of Personal Data, the Data Subject may file a complaint with the authority supervising the processing of Personal Data, competent for the place of the Data Subject's habitual residence, the place of work or the place where the alleged infringement was committed. In Poland, the supervisory authority is the President of the Office for the Protection of Personal Data.

MAKING REQUESTS FOR THE EXERCISE OF RIGHTS

  9.2. A request for the exercise of the rights of Data Subjects may be submitted:

    9.2.1. in writing to: StarNet Telecom Sp. z o.o., Aleja Armii Ludowej 28, 00-609 Warsaw

    9.2.2. by e-mail to: odo@starnetteelcom.pl.

  9.3. If the Controller is unable to identify a natural person on the basis of a request, it will request additional information from the applicant. The provision of such data is not obligatory, however, failure to provide such data will result in the refusal to fulfil the request.

  9.4. The request may be made in person or through a proxy (e.g., a family member). For reasons of data security, the Controller encourages the use of a power of attorney in the form certified by a notary or authorised legal adviser or attorney, which will significantly accelerate the verification of the authenticity of the request.

  9.5. A reply to the application should be given within one month of its receipt. If necessary, the Controller shall inform the applicant of the reasons for this action.

In the event that the request is addressed to the Company electronically, the response shall be given in the same form, unless the applicant has requested a response in another form. In other cases, responses shall be given in writing. If the deadline for meeting the request makes it impossible to answer in writing and the scope of the applicant's data processed by the Controller enables contact by electronic means, the answer should be given by electronic means.