1. The administrator of personal data is Mental Health Center Sp. z o. o.with registered office in Kraków, at Poznańska 6/4, 30-012 Kraków, entered into the Register of Businesses of the National Court Register (KRS) Kraków-Przedmieście, XI Economic Division under KRS No. 0000863201, National Business Registry Number: 387240922, TIN: 6772456921, share capital 5 000 zł (contributed in full).

2. Respecting your rights as personal data subjects and the applicable laws, in particular the Regulation 2016/697 of the European Parliament and the Council (EU) of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement on such data and repeal of Directive 95/46/EC (general data protection regulation), hereinafter referred to as GDPR, personal data protection act (hereinafter referred to as Act) and other relevant provisions on the protection of personal data, we undertake to maintain security and confidentiality of the obtained personal data. All employees have been adequately trained in personal data processing and our company, as the Personal Dara Administrator, had implemented appropriate safeguards together with technical and organisational measures to ensure the highest level of personal data protection. Additionally, if necessary, we cooperate with the supervisory authority in the Republic of Poland i.e. the President of the Personal Data Protection Office (hereinafter referred to as PUODO).

3. Any inquiries, requests and complaints regarding personal data processing by our company (the Personal Data Administrator), hereinafter referred to as Applications, should be addressed to the following e-mail address: rodo@mhcenter.pl or in writing to the address of the Personal Data Administrator i.e. Poznańska 6/4, 30-012 Kraków. The content of the Application should clearly indicate:
a) personal data of person or persons whom the Application concerns, b) an event the Application relates to,
c) the demands and the legal basis for these demands,
d) expected manner of handling the case.

4. We collect the following personal data on our Website:
a)name and surname,
b)  e-mail address,
c)  telephone number,
d)  company name,
f) position,
g) address.

Moreover, for analytical purposes i.e. research and activity analysis on the Administrator’s website, we process the following personal data:

•  location (country, city), • operating system,
• browser,
• device category,
• display resolution.

This information is collected by external tools, i.e. Google Analytics, and is therefore processed by the tool providers under the rules provided for their terms and conditions and privacy policies.

5. Providing the data indicated in point 4 is necessary in the following cases:

• to submit an application form if you wish to contact us – in this case it is necessary to provide name and surname, e-mail address, telephone number and company name (the legal basis for processing – Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR);
• to join the newsletter – in this case it is necessary to provide an e-mail address (the legal basis for processing – Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR);
• to contact in connection with the MHC offer (the legal basis for processing – Art. 6(1)(f) GDPR);
• for educational and informational communication purposes, in particular the transmission of messages and information, conducting correspondence concerning projects, conferences, trainings, workshops, working groups, research and other events organized or co-organized by the Mental Health Center, as well as promotion of the Mental Health Center’s products and services (the legal basis for processing – Art. 6(1)(f) GDPR);
• for the legitimate internal administrative purposes of the Mental Health Center i.e. keeping statistics (the legal basis for processing – Art. 6(1)(f) GDPR);

6. Our website uses Cookies in order to adjust its functioning to your individual needs. Therefore you can agree that the provided data and information can be saved, so as to be possible to use it the next time you visit our Website, without providing them again. The data and information will not be available for third party website owners. If you do not agree to the personalization of the Website, we suggest disabling Cookies in your web browser.

7. Each of you, as a user of our Website, has the possibility to choose whether and to what extent you want to use our services and share your information and data within the scope of this Privacy Policy.

8. Your personal data is processed by our company as the Personal Data Administrator for the purpose of services provided to you (i.e. the data subject) by the Website. In accordance with the minimisation principle, we process only those categories of personal data which are necessary for the purposes referred to in the foregoing sentence.

9. We process personal data for the time necessary to achieve purposes listed in the abovementioned point. Personal data may be processed for a longer period of time than indicated in the foregoing sentence in the event that such an entitlement or obligation imposed by the Personal Data Administrator arises from specific legislations or if the service we provide is continuous.

10. The source of the personal data processed by the Administrator are the data subjects.

11. Your personal data can be transferred to a third country within the meaning of the GDPR provisions in connection with the use of tools, which store personal data on servers located in third countries (in particular in the United States). The tool providers guarantee an adequate level of data protection through the relevant compliance mechanisms provided by the GDPR, in particular through the use of the standard contractual clauses.

12. We do not disclose any personal data to third parties without the express consent of the data subject. Personal data, without the expressed consent of the data subject, can be disclosed only to public law bodies i.e. authorities and administration (e.g. tax authorities, law enforcement agencies and other entities empowered by the generally applicable legislation).

13. Personal data can be entrusted for processing to entities processing such data on behalf of our company as the Personal Data Administrator. In such situation we, as the Personal Data Administrator, shall enter into a personal data processing entrustment agreement with the processor. The processor shall process the entrusted personal data only to the extent and for the purposes indicated in the entrustment agreement referred to in the foregoing sentence. Without the entrustment of your personal data for processing, we would not be able to conduct our activities on the Website. As the Personal Data Administrator, we entrust your personal data to be processed by:

• entities providing hosting services for the website on which our Website operates;
• the mailing system provider where users’ data is stored, if they are newsletter subscribers;
• entities providing other services to us as the Personal Data Administrator, which are necessary for the current functioning of the website;
• entities providing technical services, which gain access to the data when the conducted technical work concerns areas where personal data is located;
• legal advisors who cooperate with us as the Personal Data Administrator to the extent that data disclosure is necessary for the use of their services;
• public administration, justice and prosecuting authorities, if required by law;
• the provider of the CRM system where the Website users’ data is stored.

14. Personal data shall not be subject to profiling or automated decision-making by the Personal Data Administrator.

15. In accordance with the provisions of the GDPR, any person whose personal data we process as the Personal Data Administrator has the right to:

a) be informed about the processing of personal data, as referred to in Art. 12 of the GDPR – the Administrator is obliged to provide you, as data subjects, with the information defined in the GDPR (incl. your data, DPO contact details, legal purposes and basis of personal data processing, the recipients or categories of recipients of personal data, if any, the period for which the data will be processed or the criteria for determining this period); this requirement shall be met at the moment of data acquisition (e.g. when placing and order in an online shop), and if the data is not obtained from the data subject but from another source – within a reasonable period of time, depending on the circumstances; the Administrator may refrain from providing this information if the data subject already possess it;

b) access your personal data as referred to in Art. 15 of the GDPR – if you provide us with personal data, you have the right to access it; however, this does not mean that you have the right to access all the documents in which your data appears, as these may contain confidential information; however, you have the right to be informed which of your data and for what purpose we process, and the right to obtain a copy of your personal data, the first copy being issued to you free of charge, and for each subsequent copy, in accordance with the provisions of the GDPR, we will charge an appropriate administrative fee corresponding to the cost of copy making;

c) correcting, supplementing, updating, rectifying personal data as referred to in Art. 16 of the GDPR – if your personal data has changed please inform us, as the Personal Data Administrator, of this fact so that the data in our possession is with the actual state and up-to-date; also, if there has been no change to your personal data, but for whatever reason the data is incorrect or has been recorded incorrectly (e.g. as a result of a typing error), please inform us in order to correct or rectify such data;

d) erase data (right to be forgotten), as referred to in Art. 17 of the GDPR – in other words, you have the right to request the “erasure” of data held by us as the Personal Data Administrator and the right to request us, as the Personal Data Administrator, to inform other controllers to whom we have provided your data of the need to erase it. You may request the erasure of your personal data, in particular, when:

• the purposes for which the personal data was collected have been fulfilled,
• the basis for processing your personal data was an express consent, which was subsequentlywithdrawn and there are no other legal grounds for further processing of your personal data;
• you have raised an objection based on Art. 21 of the GDPR and you claim that we have nooverriding legal grounds to continue processing your personal data;
• your personal data have been processed unlawfully, i.e. for unlawful purposes or without anybasis for processing – please note that in this case you must have a basis for your request;
• the necessity of your personal data erasure results from the provisions of the law;
• the personal data concern a minor and was collected in connection with the provision of information society services;

• you contest the accuracy of your personal data or
• you consider that we are processing your data without the legal basis, but at the same time you do not want us to erase the personal data (i.e. you do not exercise the right referred to in the foregoing paragraph), or
• you have submitted an objection as referred to in point (g) of this paragraph, or
• your personal data is needed to establish, assert or defend claims e.g. in a court;

f)  data transfer as referred to in Art. 20 of the GDPR – you have the right to obtain your data in a computer readable format and the right to have it sent in such format to another controller; you have this right only if your data was or was automatically processed;

g)  object to the processing of your personal data as referred to in Art. 21 of the GDPR – you have the right to object if you do not agree with our processing of personal data, which we have previously processed for legitimate lawful purposes;

h)  not to be subject to profiling as referred to in Art. 22 in conjunction with Art. 4(4) of the GDPR – on our Website, you will not be subject to automated decision-making or profiling within the meaning of the GDPR, unless you have given your consent; in addition, we will always inform you of profiling, should it take place;

i)  lodge a complaint with the supervisory authority (i.e. PUODO) as referred to in Art. 77 of the GDPR – if you consider that we are processing your personal data unlawfully or in any way violating your rights under generally applicable data protection legislation.

16. With regard to the right to erasure (right to be forgotten), we notice that under the GDPR provisions, you do not have the right to exercise this legislation if:

a)  the processing of your personal data is necessary for the exercise of your right to freedom of

expression and information, e.g. if you have posted your data on a blog, in comments etc.,

b)  the processing of your personal data is necessary for our company to comply with legal obligations under the law – we cannot delete your data for the period necessary to comply with the obligations imposed on us by the law,

d) the processing of your data is conducted for the purpose of asserting, establishing or defending claims.

17. If you wish to exercise the rights referred to in the abovementioned point, please send an e-mail message to: rodo@mhcenter.pl.

18. Each claimed case of breach shall be documented and, if one of the situations defined in the GDPR provisions or the Act occur, the data subjects and, if applicable, the PUODO shall be informed of such breach.

19. In matters not regulated by this Privacy Policy, the relevant provisions of the generally applicable legislation shall apply. In the event of inconsistency between the provisions of this Privacy Policy and the abovementioned regulations, these regulations shall prevail.