Privacy Policy

1. Introductory Information

2. Glossary of Terms

3. Contact with the Data Controller and Data Protection Officer

4. Joint Controllership – Key Provisions

5. Information about the Purposes, Legal Bases, Scope, Sources, Recipients, and Retention Periods of Personal Data Processing:

5.1.    Business Partners and Their Representatives

5.2.   Individuals Contacting the Company via Electronic or Traditional Communication Channels

5.3.   Individuals Registering for Online Events

5.4.   Individuals Who Have Consented to Marketing Activities

5.5.   Individuals Recorded by the Video Surveillance System

6. Location of Personal Data Processing

7. Data Subject Rights

8. Final Provisions

1. Introductory Information

Yarrl S.A., in connection with its business operations, collects and processes personal data in accordance with applicable regulations, especially the GDPR, and best practices in data and IT systems security. As the Data Controller, the Company exercises special care to protect the rights of individuals whose data it processes and ensures that collected data is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) substantively correct and adequate for the purposes for which they are processed; (4) stored in a form that allows identification of data subjects for no longer than necessary for the purposes of the processing; and (5) processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage using appropriate technical and organizational measures.

2. Glossary of Terms

Data Controller - the entity that determines the purposes and means of personal data processing.

Personal Data - any information about an identified or identifiable natural person, including device IP address, location data, online identifiers, and data collected through cookies or similar technologies.

EEA – European Economic Area; a free trade and common market area including EU countries and EFTA states (excluding Switzerland), where personal data can flow freely.

Data Recipient – any natural or legal person, organizational unit without legal personality, public authority, or other entity to whom personal data is disclosed.

Profiling – any form of automated processing of personal data that evaluates personal aspects of a natural person, particularly to analyze or predict factors such as job performance, economic situation, health, preferences, reliability, behavior, or location, provided such processing significantly affects the person or produces legal effects.

Processing – any operation performed on personal data, whether automated or not, such as collection, storage, modification, use, transfer, or deletion.

GDPR – Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data.

(click to expand)

3. Contact with the Data Controller and Data Protection Officer

The Administrator of your personal data within the meaning of RODO is yarrl S.A. with its registered office in Kraków (31-866) at 14 Skarżyńskiego Street, Kraków) entered in the register and entrepreneurs of the National Court Register kept by the District Court for Kraków Śródmieście, XI Economic Department of the National Court Register under the KRS number 0000218370, REGON: 351570688, NIP: 6772087174. In all matters concerning your personal data, you can contact the Administrator at the mailing address of the registered office or by phone at +48 12 29 80 511. The Administrator has appointed a Data Protection Inspector, who is Barbara Chaberka. The Inspector can be contacted via email address iod@yarrl.pl on any matter concerning the processing of your personal data.Translated with DeepL.com (free version)

4. Joint Controllership – Key Provisions  

The companies comprising the yarrl Group:

  1. yarrl S.A. ul. Skarżyńskiego 14, 31-866 Kraków NIP: 6772087174, www.yarl.pl
  2. Lockus Sp. z o.o., ul. Skarżyńskiego 14, 31-866 Kraków, NIP: 6792591757, www.lockus.pl
  3. Lockus K2 Sp. z o.o., ul. Skarżyńskiego 14, 31-866 Kraków, NIP: 9542534990www.lockus-k2.pl

have entered into an agreement to jointly determine the purposes and means of processing personal data to the following extent

  • internal administration of data related to contractors or potential contractors of yarrl S.A. Group Companies. (CRM database)Thus, they became Joint Administrators of the personal data collected and processed by each company. As part of the agreement, the Companies agreed that:
  1. each of the Joint Administrators is obliged to independently fulfill the information obligation referred to in Article 13 of the RODO
  2. each of the Joint Administrators is obliged to independently fulfill the information obligation referred to in Article 13 of the RODO
  3. each of the Joint Administrators is obliged to independently fulfill the information obligation referred to in Article 13 of the RODO
  4. within the framework of co-administration, the point of contact for data subjects is the Data Protection Officer of yarrl S.A., who can be contacted by email at: iod@yarrl.pl
5.1. Business partners and representatives of business partners  

DATA SOURCE:

The Company processes personal data obtained directly from you or from our business partners as part of ongoing contracts or agreements where you are an employee, principal or representative.  We may also obtain your data from publicly available sources such as the National Court Register (KRS), Central Register and Information on Business Activity (CEiDG), REGON database. In each case, the Company verifies whether it has a legal basis for processing such personal data.

RANGE OF DATA

Depending on the relationship you have with the Company, we may process, in particular, your identification data (e.g., name, ID card series and number, PESEL), contact data (e.g., email address, phone number, home address, mailing address), work-related data, such as your position and the name of the company you are associated with and other employment information, financial information, such as bank account and payment processing card numbers.

PURPOSE OF PROCESSING

Performing a contract to which you are a party or taking action at your request prior to the conclusion of the contract.

LEGAL BASIS
RODO
Article 6(1)(b)

PROCESSING PERIOD

Until the completion of all activities preceding the conclusion of a contract with the Company, and after its conclusion - until the end of the contract.Performance of a contract to which you are not a party (e.g. you are a representative, including a member of a body, a proxy or a person designated by our business partner for contacts) or taking action at the request of another person before the conclusion of the contract. RODOart. 6(1)(f)Until the completion of all activities preceding the conclusion of a contract with the Company, and after the conclusion of the contract - until the completion of the contract.To carry out purposes arising from legitimate interests such as:

  • Determination, investigation or defense of claims that the Company may incur or that may be raised against the Company;
  • Maintaining with business relationships, including conducting conversations, correspondence and/or other forms of business contact with your participation;
  • Implementation of direct marketing activities, including strengthening of mutual business relations, promotion of products and services - organization of conferences, training and other activities;
  • Ensure IT security, in terms of monitoring electronic communications;
  • Internal administrative, analytical, statistical and internal reporting objectives of the Company within yarrl S.A.

RODO
art. 6.1. lit. f)For the period of existence of the legitimate interest pursued by the Company, forming the basis for such processing, or the filing by you of an effective objection to such processing. In the event that a dispute is pending or a proceeding, in particular a court proceeding, is pending during the aforementioned period, your personal data will be processed until the date of termination of the dispute or the final conclusion of the proceeding.

CONSEQUENCES OF NOT PROVIDING DATA

In the case of persons who are a party to the contract or a party's representative, the provision of data is voluntary, but necessary for the conclusion and performance of the contract.  In the case of contact persons or other persons involved in the execution of the contract - the provision of personal data is voluntary, but necessary to ensure contact and proper execution of the contract.

RECIPIENTS OF PERSONAL DATA

Only authorized personnel will have access to personal data inside the Company's organizational structure and only to the extent necessary. Personal data may also be disclosed:

  • co-administrators within the yarrl Group, the current list of which is included in Section 4 of this Privacy Policy (link)
  • entities providing services to the Company such as IT and technical support services, archiving and document shredding services, marketing agencies and video conferencing platform providers, with such entities processing data as subcontractors under contract with the Company and in accordance with its instructions;
  • independent third-party service providers, suppliers, partners of, among others, postal, courier, financial, consulting, insurance services;
  • law enforcement agencies and state authorities, when this is required by applicable law.
5.2 Persons contacting the Company using electronic or traditional communication channels

DATA SOURCE:

Depending on the form of contact, the Company may process, in particular, your identification data (e.g., name), contact data (e.g., e-mail address, telephone number, home address, mailing address), company name, position, information about your computer and other devices, and connection information such as IP address, browser type and version, and other information provided to us through various communication channels.

PURPOSE OF PROCESSING

To fulfill the purposes of the Company's legitimate interest:

  • Handling the application, contact including communication to answer questions;
  • Determination, investigation or defense of claims that the Company may incur or that may be raised against the Company;
  • Ensure IT security, in terms of monitoring electronic communications;
  • Internal administrative, analytical, statistical and internal reporting objectives of the Company within yarrl Group S.A.

LEGAL BASIS

RODO art. 6(1)(f)

PROCESSING PERIOD

Until the completion of the handling of the request, contact or response;Thereafter, for the period of the existence of a legitimate interest pursued by the Company or the filing by you of an effective objection to such processing, but no longer than for a period of 12 months from the completion of the handling of the request; In case there is a dispute or pending proceedings, especially court proceedings, during the aforementioned period, the personal data will be processed until the date of completion of the dispute or the final conclusion of the proceedings.

CONSEQUENCES OF NOT PROVIDING DATA

Provision of data is voluntary, but necessary for the handling of your request, including the execution of the inquiry. The consequence of failing to provide personal data may be the inability to respond to or fulfill your request.Access to personal data within the organizational structure of the Company will be granted only to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • co-administrators within the yarrl Group, the current list of which is included in Section 4 of this Privacy Policy (link)
  • entities providing services to the Company such as IT and technical support services, archiving and document shredding services, marketing agencies and video conferencing platform providers, with such entities processing data as subcontractors under contract with the Company and in accordance with its instructions;
  • independent third-party service providers, suppliers, partners of, among others, postal, courier, financial, consulting, insurance services;
  • law enforcement agencies and state authorities, when this is required by applicable law.
5.3. Persons reporting participation in online events (webinars)

DATA SOURCE:

The Company processes personal data obtained directly from you when you enter it on the form when registering for a free webinar on the website, and when you actively participate in the webinar.

RANGE OF DATA

The Company may process personal data, in particular your identification data (e.g., name, nickname), contact data (e.g., email address, phone number, company name, IP address), as well as audiovisual information, such as your voice and image captured on recordings, but only if you consent.

PURPOSE OF PROCESSING

Entering into and executing a contract for the provision of webinar services involving the fulfillment of your order to participate in an online event, including accepting registration and sending an invitation to the event, recording the event and making it available in the form of a recording.

LEGAL BASIS
RODOart 6(1)(b)

PROCESSING PERIOD
For the period of time necessary for the performance of the contractRealization of purposes arising from legitimate interests such as:

  • For the period of time necessary for the performance of the contractRealization of purposes arising from legitimate interests such as:
  • Data archiving
  • Verification of the quality of services provided
  • Internal administrative, analytical, statistical and internal reporting objectives of the Company within yarrl Group S.A.
  • Maintaining and developing business relationshipsakquality of services provided

RODOart. 6.1. lit. f)
For the period of existence of the legitimate interest pursued by the Company, constituting the basis for such processing, or the filing by you of an effective objection to such processing. In the event that a dispute is pending or a proceeding, in particular a court proceeding, is pending during the aforementioned period, your personal data will be processed until the date of termination of the dispute or the final conclusion of the proceeding.

CONSEQUENCES OF NOT PROVIDING DATA

Providing personal data such as, name, surname, data of the company where you are employed and consent to receive marketing and commercial information by e-mail is voluntary, but necessary for the conclusion of the contract and its execution. The consequence of not providing personal data will be the inability to register and participate in the online event.

RECIPIENTS OF PERSONAL DATA

Only authorized personnel will have access to personal data inside the Company's organizational structure and only to the extent necessary. Personal data may also be disclosed:

  • co-administrators within the yarrl Group, the current list of which is included in Section 4 of this Privacy Policy (link)
  • entities providing services to the Company such as IT and technical support services, archiving and document shredding services, marketing agencies and video conferencing platform providers, with such entities processing data as subcontractors under contract with the Company and in accordance with its instructions;
  • independent third-party service providers, suppliers, partners of, among others, postal, courier, financial, consulting, insurance services;
  • law enforcement agencies and state authorities, when this is required by applicable law.
5.4 Those who have consented to marketing activities

DATA SOURCE:

The Company processes personal data obtained directly from you when you give us permission to receive marketing content and commercial information in your preferred manner, i.e. by email and/or telephone.

DATA SOURCE:

The Company may process personal data typical of the type of activity, i.e. name, position, e-mail address, telephone number, company name.

PURPOSE OF PROCESSING

Conducting direct marketing of own products and services consisting of sending marketing and commercial information by e-mail and telephone

LEGAL BASIS

RODO
Article 6(1)(b)

PROCESSING PERIOD

Until the consent is revoked or the purpose for which it was given ceases.

CONSEQUENCES OF NOT PROVIDING DATA

Provision of data is voluntary, however, failure to do so will result in the inability to receive marketing content and commercial information.

CONSENT

You can withdraw your consent at any time. Data processing until you withdraw your consent remains lawful.

PERSONAL DATA RECEIVERS

Only authorized personnel will have access to personal data inside the Company's organizational structure and only to the extent necessary. Personal data may also be disclosed:

  • co-administrators within the yarrl Group, an updated list of which is provided in Section 4 of this Privacy Policy
  • entities providing services to the Company such as IT and technical support services, marketing agencies, whereby such entities process data as subcontractors under contract with the Company and in accordance with its instructions;
5.5 Persons recorded by video surveillance system

DATA SOURCE:

The Company processes personal data obtained directly from you when you enter it on the form when registering for a free webinar on the website, and when you actively participate in the webinar. The Company processes personal data obtained directly from you when you find yourself in the area covered by video surveillance.

SCOPE OF MONITORING

Video surveillance covers the area around the Company's headquarters, traffic routes and key premises. The area covered by video surveillance is marked in a permanent and visible way with information boards with the symbol of the camera. Only the image is recorded and stored on the recorder.

PURPOSE OF PROCESSING

Protecting property and ensuring the safety of people on the Company's premises

LEGAL BASIS

RODO
Article 6(1)(f)

PROCESSING PERIOD

The image recorded with surveillance equipment is stored until the disk is full, but no longer than for a period of 30 days from the date of recording. After this period, the recordings are subject to destruction by overwriting with new recordings. In justified cases (e.g., for evidentiary purposes), recordings may be kept for a longer period, as secured material, for the purpose of conducting internal investigations or other proceedings, including court proceedings

CONSEQUENCES OF NOT SUBMITTING DATA

Providing personal data such as, name, surname, data of the company where you are employed and consent to receive marketing and commercial information by e-mail is voluntary, but necessary to conclude a contract and perform it. The consequence of not providing personal data will be the inability to register and participate in the online event.

RECEIVERS OF PERSONAL DATA

Access to personal data inside the organizational structure of the Company will be granted only to authorized personnel and only to the necessary extent. Personal data may also be disclosed to:

  • entities providing services to the Company such as IT and technical support services, archiving and document destruction services, with such entities processing data as subcontractors under contract with the Company and in accordance with its instructions;
  • law enforcement agencies and state authorities, when this is required by applicable law.

6.  Location of personal data processing

Your data, as a general rule, will be processed within the EEA. However, due to our use of cloud solutions provided by Dublin-based Microsoft Ireland Operations Limited and US-based Avaya Inc. in some cases, your data may be transferred to third countries.  The providers of these solutions ensure the security of personal data by applying the appropriate compliance mechanisms required by European Union law, in particular through the use of standard contractual clauses.

7. rights of persons

Under the RODO, you have the following rights:

  1. The right to access your personal data, including obtaining information about the scope of the processed data and obtaining a copy of the data;
  2. The right to rectify or supplement your data;
  3. The right to request deletion of your data in cases provided by law;
  4. The right to data portability, i.e. the right to receive in a structured, commonly used machine-readable format the personal data you have provided to us, if the processing of such data is based on consent or contract and by automated means, provided that such technical possibility exists;
  5. The right to request that the Company restrict the processing of your personal data;
  6. Right to withdraw consent - if your data is processed based on consent, you have the right to withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing that was carried out on the basis of consent before its withdrawal;
  7. Right to object - you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on the Company's legitimate interests.  In such a case, the Administrator shall no longer be allowed to process such personal data, unless the Administrator demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims;
  8. Right to object to direct marketing - if your personal data is processed by the Company for direct marketing purposes, you have the right to object at any time to the processing of personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

In order to exercise the rights referred to in this section of the Privacy Policy, you may contact the Company by sending a relevant message in writing or by e-mail to the contact details: marketing@yarrl.pl

The right to lodge a complaint with the supervisory authority
If you consider that your personal data is processed by the Company in violation of the provisions of RODO, you have the right to lodge a complaint to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.

PROFILING
We do not make decisions about you based solely on automated processing, including profiling, that would produce legal effects or similarly materially affect you.

8. Final provision

8.3 This Privacy Policy is for information purposes only and shall be reviewed on an ongoing basis and amended as necessary, in particular in the event of changes in the scope of services offered, technological developments and adaptation to changes in applicable laws.

8.4 The current version of the Privacy Policy has been adopted and is effective from 01.12.2023.