1. General provisions
- visiting websites, applications and online tools owned by OPI PIB, or using the Services they provide,
- participating in tendering procedures to select tenderers,
- participating in projects being implemented,
- whose data are processed as part of conducted research or development works,
- collaborating within the scope of contracted Services or tasks,
- whose data are processed in connection with the processes at OPI PIB,
- contacting OPI PIB in any matters, including sending correspondence, requests for access to public information, submitting offers, or providing their personal data to OPI PIB for any purpose.
The above cases of data processing are hereinafter jointly or individually referred to as ‘Services’.
The Policy is of a general nature and lays down the most important matters connected with personal data processing. This Policy is supplemented by the OPI PIB Personal Data Security Policy and relevant detailed rules or information clauses which individuals receive or accept at the moment their personal data is collected, including through newsletter subscriptions, contact forms, user accounts on a given website, participating in a public procurement procedure, and participating in a recruitment process.
All personal data we gather in connection with the use of Services is processed responsibly and diligently, and in line with legal requirements. The data is processed in a transparent procedure for the purposes it has been gathered, upholding the principle of data minimisation and storage restriction and ensuring control over data processing through making it possible for every data subject to exercise their rights related to their data under GDPR.
2. Contact data
2.1 Personal data controller
The Personal Data Controller, as part of the Services, is the National Information Processing Institute headquartered in Warsaw at the following address: al. Niepodległości 188b, entered in the Register of Entrepreneurs maintained by the Regional Court for the capital city of Warsaw, Commercial Court, 12th Commercial Division of the National Court Register, under No. 0000127372, tax identification number (NIP): 525-000-91-40, business entity statistical number (REGON): 006746090.
Address: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy
Al. Niepodległości 188b
Tel. +48 22 570 14 00
2.2 Data protection officer
Correspondence address with the postscript: ‘IOD’
National Information Processing Institute
Al. Niepodległości 188b
3. Rules of law
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L No. 119, p. 1) – hereinafter referred to as ‘GDPR’,
- Act of 10 May 2018 on Personal Data Protection (Polish Journal of Laws of 2018, item 1000),
- Telecommunications Act of 16 July 2004 (Polish Journal of Laws of 2017, item 1907, as amended),
- Electronic Services Act of 18 July 2002 (Polish Journal of Laws of 2017, item 1219, as amended),
- Act on Higher Education and Science of 20 July 2018 (Polish Journal of Laws of 2018, item 1668, as amended),
- Act on Research Centers of 30 April 2010 (Polish Journal of Laws of 2018, item 736).
4. Rules of personal data processing
As part of the personal data processing of individuals using the Services of OPI PIB, particular attention is paid to ensuring the data is processed in a secure, diligent, legal and transparent manner for an individual to whom the data pertains.
These are the most important rules to which OPI PIB adheres when processing data:
- Personal data is collected only in a minimal scope, vital to meet the goals it has been collected for,
- The goals of gathering personal data are clearly specified, are supported by the law or statutory activities of the Institute; OPI PIB does not process data in a manner incompatible with said goals.
- OPI PIB ensures that the personal data of individuals using the Services is up to date and correct, and immediately reacts to any request for clarification or data update, unless relevant laws stipulate otherwise,
- OPI PIB recognises the right of data subjects to access and correct their personal data, unless relevant laws stipulate otherwise,
- OPI PIB also recognises, wherever applicable: the right of data subjects to have their personal data deleted, withdraw their consent, request to restrict the processing of their personal data, transfer their data, object to data processing, not to be subject to a decision based solely on automated data processing, including profiling,
- OPI PIB restricts the storage of personal data in accordance with the law only to the period essential to meet the goals for which it is gathered, unless legitimate reasons exist to prolong the data storage period,
- OPI PIB protects personal data from loss, unauthorised access, accidental loss or change as well as from other illegal forms of processing,
- Whenever personal data is made available to other entities, it is safely disclosed under contract and in accordance with applicable rules of law,
- Protection of natural persons in connection with the processing of their personal data is one of the basic rights of each data subject. OPI PIB pays particular attention to respecting the privacy of data subjects whose data are processed, regardless of whether the data has been acquired directly from a data subject or from other sources.
5. Rights of data subjects connected with processing
OPI PIB recognises the rights of data subjects connected with the processing of their personal data in the context of using the Services. Those rights stem from applicable personal data regulations, in particular from GDPR (Articles 16-21). Enforcement of a right may be subject to exceptions resulting only from applicable laws, of which a person making a request shall be notified by the administrator.
A data subject whose personal data is processed as part of the Service, excluding the exceptions as stated in the rules of law, is entitled to:
- Withdraw their consent to process their personal data at any time, if the consent is the legal basis of data processing,
- Access the data, i.e. the data subject has the right to receive information from OPI PIB confirming that their personal data has been processed by OPI PIB and stating the purpose for which it is processed, how it is processed and for how long it has been or will be processed,
- Clarify out-of-date or incomplete personal data, as well as the right to complete it if it is incomplete,
- Object to the processing of their personal data if OPI PIB processes their personal data based on a justified interest (e.g. for analytical, statistical, evidentiary or archiving purposes). In the case of objection, OPI PIB shall cease to process data, unless OPI PIB demonstrates relevant, legitimate bases for processing which, objectively, ought to have priority over the interest of the data subject, or are essential to determine, assert or defend claims (e.g. for evidence purposes or assertion of claims),
- Delete their personal data (‘the right to be forgotten’). As a rule, the controller requests to delete the data subject’s personal data immediately under Article 17 of the GDPR. However, there are exceptions to this rule (particularly for the purpose of determining, asserting or defending claims),
- Restrict the processing of personal data, which, in practice, may consist in temporarily blocking access to the data in transferring the data to another system,
- Transfer the data, i.e. the data subject is entitled to receive backup copies they have provided to OPI PIB, if their data is processed on the basis of their consent, on the basis of a contract, or in an automated manner,
- Submit a complaint to a supervisory body, i.e. the President of the Personal Data Protection Office headquartered in Warsaw at the following address: ul. Stawki 2.
All applications or requests pertaining to the processing of personal data, including the ones pertaining to enforcement of rights should be sent by e-mail: firstname.lastname@example.org or email@example.com or by mail to the address: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy, al. Niepodległości 188b, 00-608 Warszawa
OPI PIB shall reply to applications/requests without unreasonable delay, but in no event later than within 30 days from the moment of receiving the application/request. The above deadline may be extended by another two months if a particular request proves complex or if there are multiple requests, of which the applicant shall be notified.
The applications/requests ought to include the name and surname of the applicant as well as contact data (telephone number, e-mail address and, in the case of applications/requests in writing, a correspondence address). If the applications/requests pertain to the use of websites, please provide an address of the website or information about the Service provided by our websites and additional clarifications supplementing the submitted application (in order to speed up the application handling process). In the case of handling some applications/requests, OPI PIB may ask for additional information to confirm the identity of the applicant.
6. Personal data security
OPI PIB undertakes technical and organisational measures to protect personal data from illegal or unauthorised access or use, as well as from accidental destruction, loss or privacy breach. The rule of ensuring security is implemented at every stage of data processing and in every area of OPI PIB activity. The safety procedures include in particular: access security, backup copy system, monitoring, maintenance and upkeep, security incident management.
In order to ensure data processing security, OPI PIB is obliged to include the rules of:
- confidentiality, i.e. protection of data from accidental disclosure to third parties,
- integrity, i.e. protection of data from unauthorised modifications,
- accessibility, i.e. ensuring access to data to authorised persons, if the need arises.
Personal data may be processed by third parties only if the subject commits to providing proper technical and organisational means guaranteeing that personal data is secure, as well as maintaining its confidentiality. Each person having access to personal data in OPI PIB is duly authorised and obliged to keep it confidential.
Personal data which data subjects provide on our websites is encrypted and protected by the SSL certificate.
7. How we process personal data
7.1 For what purpose and on what basis does OPI PIB process the data of persons using the Services?
OPI PIB processes personal data only for specified, explicit and legitimate purposes.
The purpose and the legal basis of personal data processing is at any one time stated in a separate notice issued by OPI PIB and dedicated to specific Services, projects, research, development works, contracts, tendering procedures, public orders, etc. within the scope of which personal data is processed.
Listed below are various legal bases and purposes for which OPI PIB can process personal data (as part of a single data processing procedure, personal data can be processed for several different purposes and on the basis of various legal bases):
Consent of a data subject. Consent can be given by submitting a declaration of will or by express confirmation actions, or by other actions of data subjects, including providing the data and sending out a form, or by being obligated to tick a checkbox, for example. In both cases, the legal basis shall be Article 6 item 1 letter (a) of GDPR. In any case, after giving his/her consent, the data subject may withdraw his/her consent in the manner specified in the information on the processing of personal data dedicated to a given Service. The consent forms a legal basis if, including but not limited to, the data subjects:
- freely provide OPI PIB with their data and request that OPI PIB, for example, issue a report or provide Services offered by OPI PIB,
- reach out with a contract request,
- send any kind of e-mail to an address in the opi.org.pl domain,
- subscribe to a newsletter,
- send queries or comments with the use of the appropriate contact forms,
- gather information about fairs, exhibitions, conferences and other science events organised by entities in the scientific community.
In the case of queries addressed to OPI PIB regarding the possibility of providing specific Services, the legal basis for personal data protection, should such Services be accepted, shall change to steps needed to enter into a contract or to a contract (Article 6 item 1 letter (b) of GDPR).
Performance of a contract or steps needed to enter into a contract (Article 6 item 1 letter (b) of GDPR).
The legal basis in the form of a contract or in the form of steps needed to enter into a contract shall apply, including but not limited to, if OPI PIB processes personal data within the scope of Services provided by OPI PIB websites, such as BWNP, Inventorum or Navoica, as it is necessary to perform a contract entered into by OPI PIB by accepting the terms of electronic services available in said websites and for the purposes specified therein.
This legal basis is also applied to the processing of data of contractors providing Services to OPI PIB as natural persons.
In some cases, the processing of personal data may be based on compliance with a legal obligation imposed on the controller (Article 6 item 1 letter (c) of GDPR).
This applies in particular to the obligations imposed on OPI PIB resulting from legal regulations, specifically tax or labour regulations, but also industry regulations concerning OPI PIB as an entity having the status of a research institute (reporting obligations arising from the Act on Research Institutes or the Act on Higher Education and Science). Personal data shall be processed on the basis of the premise resulting from legal regulations also in the case of the performance of public orders announced by OPI PIB and requests for proposals conducted by-laws drafted on the basis of such regulations.
Based on the premise of fulfilling legal obligations, we process personal data for archiving purposes, which results from the Act of 14 July 1983 on National Archival Collections and Archives; under said regulations, a public entity is obliged to archive documents within the scope of which personal data is processed in accordance with an adopted office procedure.
Performance of a task conducted in the public interest (Article 6 item 1 letter (e) of GDPR)
OPI PIB processes personal data because it is necessary for the performance of a task conducted in the public interest, which includes: supporting the processes of organising and financing scientific research; dissemination of knowledge about science, scientific research and development work; preparation of analyses, opinions and expert reports on conducted scientific research, acquisition and development of aggregate, comprehensive and synthetic information concerning scientific research and development work, including for statistical purposes and support for the scientific and academic community.
In view of the foregoing, OPI PIB processes personal data to:
- promote and publish information regarding scientific, research, development and expertise activity of persons registered in the bases managed by OPI PIB,
- promote and present scientific achievements,
- provide comprehensive information on scientific, research, development and expertise activity at the request of entities operating within the scope of the scientific community, as well as at the request of public administration bodies and entities, and of any other interested persons,
- use gathered data to create analyses and statistics for Polish science, the Polish scientific community, and scientific research,
- inform the entities interested in transferring knowledge and technology from the science sector to the business sector,
- store and manage archival data for the public interest,
- carry out scientific and research study tasks,
- perform statistics-related tasks,
- organise training.
Legitimate interests (except where OPI PIB interests are overridden by the interests or fundamental rights and freedoms of the data subject) (Article 6 item 1 letter (f) of GDPR)
Based on the principle of legitimate interests, OPI PIB processes personal data, among other things:
- to monitor publicly available traffic routes,
- for the purpose of financial settlements,
- to prevent and detect fraud,
- for evidence and archival purposes, as well as protecting the information in case of a legal need to demonstrate facts or to determine, assert or defend against claims,
- for analytical and statistical purposes to ensure the quality of services provided to optimise operation processes. In this case, aggregate data is the result of the processing,
- in connection with performance of Services provided electronically to ensure their security,
- to handle the complaint procedure,
- to exercise the rights of data subjects, specifically the right to data accuracy, the right to withdraw the consent, and the right to store requests and proofs necessary to serve the data subjects,
- to ensure data security, in particular to ensure that data is integral, accurate and up-to-date,
- to enter into and perform contracts representing a business partner or individuals appointed as contact persons.
7.2 Manner of data collection
As part of the use of Services, OPI PIB collects personal data of persons when they fill in forms on websites belonging to OPI PIB, contact OPI PIB by phone, ask questions or send messages with the use of websites or online tools belonging to OPI PIB, and automatically collects data included in system logs and cookies.
Personal data is also collected from persons entering into contracts, sending offers, submitting inquiries in any way, filing applications in the public information access mode, participating in tender procedures, offering cooperation, and participating in training courses.
Personal data is provided to OPI PIB also from science centres in which the data subject is employed as a researcher or academic teacher, or conducts scientific activities in that centre.
OPI PIB also obtains data for scientific and research, analytical or statistical purposes from publicly available sources, such as public databases.
What data can we process and where do we get it from?
Personal data may cover a different range of data, depending on the category of the data subject, on the Services he/she uses, and on the purpose for which the data is collected.
At any one time OPI PIB processes only the necessary data range.
Within the scope of Services, personal data processed by OPI PIB includes: identification data (e.g. name, surname), contact data (e.g. telephone number, e-mail address, address of residence), data concerning inquiries, orders, complaints, data concerning scientific and research activities, data concerning publications and data concerning the place of employment. In the case of economic operators, data also includes the company name, tax identification number, and contact person details (position).
If data is collected in connection with the fulfilment of obligations under legal regulations, we process only the data that are required by such regulations.
As far as using the Services is concerned, in which case data processing is not based on legal regulations, providing personal data is voluntary, but often necessary to be able to use the Services; in all other cases, the data is collected because of applicable legal regulations, of which the data controller shall inform the data subjects in relevant information clauses dedicated to particular Services.
Forms intended to collect personal data within the Services must be completed by adults only. In view of the above, OPI PIB does not intentionally process any personal data of any individuals under 16 years of age. Consent shall be legally valid only if given by persons aged 16 and over. No person using the Services who is under 16 years of age should provide us with any information. Should we become aware that a person under 16 years of age has provided us with personal data without verifiable parental consent, we shall not process such data and access to the Services shall be blocked.
8. Consent. Withdrawal of consent.
Withdrawal of consent shall make it no longer possible for a person to use certain Services: he/she shall not receive any newsletters, answers, invitations to events, conferences, and his/her scientific activity will cease to be promoted.
Withdrawal of consent shall not affect the lawfulness of the processing of personal data conducted before the consent was withdrawn.
The consent withdrawal request shall be considered immediately after it has been received. After the request has been considered, OPI PIB shall cease to process personal data for the purposes to which the data subject agreed in the consent. However, until the application is considered, a person may receive information from which he/she has resigned after withdrawing his or her consent, due to the time needed to consider the application in the OPI PIB systems.
If OPI PIB possesses the data of persons for purposes other than those for the processing of which the consent was given (e.g. performance of contracts, services, demonstration of evidence, assertion of claims), it may continue to process them for such purposes, but on a different legal basis.
In any case, consent given may be withdrawn at any time without giving any further explanation. Consent may be withdrawn by sending an e-mail to: firstname.lastname@example.org, email@example.com, by submitting a contact form, by calling +48 22 570 14 00 or by sending a request to the address of OPI PIB’s registered seat.
If a request to withdraw the consent is made on the phone, further verification may be required to confirm a person’s identity.
9. Storage of data
Data will be stored for as long as is necessary to achieve the purposes for which it has been collected. If possible, OPI PIB shall specify the data storage period in the information clauses dedicated to particular Services.
If the data is processed on the basis of consent, the data will be stored until the expiry date of that consent, or until the consent is withdrawn.
However, the storage period may change, i.e. personal data may be stored longer if required by law, or if it is necessary to determine, assert or defend against claims (e.g. until the end of the statutory limitation period for claims, OPI PIB may store proof of a user’s consent), or shorter, e.g. after data has been deleted upon request.
The period of storage of personal data is determined in accordance with the applicable legal regulations. The data subject has the right to request information from OPI PIB about the planned and likely duration of storage of personal data.
Listed below are the usual basic data storage periods for particular Services:
- newsletter subscription – until a user decides to unsubscribe,
- in the case of data processing connected with implementation of a task in the public interest – until the purpose of the processing ceases, or until an objection connected with a specific situation of the data subject is made, unless it proves vital to further process the data,
- in the case of correspondence sent via a contact form – until either an objection is raised, the consent is withdrawn, or the purpose of the processing ceases, but for no longer than 3 years,
- provision of services by electronic means or in connection with contracts concluded – for the duration of the contract, but for not longer than until the end of the statutory limitation period for claims,
- in the case of purposes based on legitimate interest – for the period of validity of those purposes, or until an objection is raised, but in no event for any longer than 5 years, unless it is necessary to store the data for a longer period, provided that such an obligation arises from legal regulations, or that it proves necessary to determine, defend or assert claims,
- for purposes connected with public procurement procedures – for a period of 5 years,
- for purposes connected with the settlement of public law receivables – for a period of 5 years,
- for archival purposes – for the period specified in an adopted office procedure and a uniform itemised list of files for a given document.
10. Recipients of data. Making data available to other entities.
The following data recipients may have access to personal data:
- authorised employees of OPI PIB,
- employees of an entity supervising the activities of OPI PIB,
- employees of public administration bodies or entities, in connection with their tasks resulting from legal regulations,
- service providers and their authorised employees who, under an agreement, have been entrusted with the processing of personal data for the purpose of providing services to OPI PIB in connection with performance of their own services, in particular entities operating IT systems, providing consulting, legal, auditing or other services.
If possible, OPI PIB shall specify the actual recipients of the data in the information clauses, and, should it prove impossible, OPI PIB shall specify the category of recipients.
Depending on the type of Service used (e.g. databases kept for the purpose of promoting the scientific activity of persons), data may also be made available to all entities interested in obtaining information on the state of Polish science and higher education, wishing to conduct scientific research, scientific works, or are interested in the commercialisation of scientific research results, seeking contact with experts from particular fields or disciplines of science, willing to conduct development works in their enterprises and those interested in contact with an expert from a particular field/discipline of science, to all entities interested in scientific, research and development activity in order to make contact with other individuals or entities or to conduct research.
Personal data may also be made available to other recipients which act as processing entities providing services ordered by and performed on behalf of OPI PIB and which were commissioned to carry out tasks requiring data processing in connection with personal data processing, in particular within the scope of IT services, archiving, correspondence, e.g. to auditors and professional advisors. In some cases, external entities providing services on our behalf may act as independent administrators, e.g. Poczta Polska or other postal operators.
In justified cases, personal data may also be made available to public administration bodies (e.g. prosecutor’s office, police, city guard, public offices) and courts.
Services provided by OPI PIB may include links to other websites, social networking sites or websites of cooperating entities. Whenever a person accesses a third party website, he or she will be subject to a separate privacy and data protection policy for that website. In that case, it is necessary to read the privacy and personal data protection policies for each of the websites.
11. Transfer of data to countries from outside the EEA
Within the scope of Services, OPI PIB does not transfer personal data to countries from outside the European Economic Area, except for data that is publicly available on the internet, if it is available outside the EEA.
12. Automatic processing (including profiling) of personal data
As far as particular Services are concerned, personal data may undergo automatic processing (including profiling), but that shall not have any legal effect on persons or significantly affect their situation.
Personal data profiling by OPI PIB consists of the automatic processing of data by using it to evaluate certain information about individuals in databases, in particular to analyse the fields or disciplines in which a given individual specialises.
OPI PIB reserves the right to amend this Policy, which may result from the need to adapt to changes in legal regulations or in applicable privacy standards. In view of the above, OPI PIB shall notify the public of any amendment by publishing a relevant notice on its website.
Appendix number 1 – information regarding cookies for the page https://www.opi.org.pl and used analytical tools
- The website with the URL: https://www.opi.org.pl (hereinafter referred to as “the Website”) automatically gathers information in two ways: by using the Google Analytics tool and through cookie files.
- The cookie files (so-called ‘cookies’) constitute IT data, and text files in particular, which are stored in the terminal device of the Website user and are designated for using pages of the website. The cookies usually contain the page name, from where it originates, the time of its storage on the terminal device, as well as a unique number.
- The entity saving cookie files on the terminal device of the user and gaining access to such files is the Website operator: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy (National Information Processing Institute) headquartered at the following address: al. Niepodległości 188b, 00-608 Warszawa.
- The cookie files are used to:
  - adjust content stored on the pages of the Website to user preferences and to optimise the use of pages; in particular, the files allow the device of the user to be recognised and to properly display a page, adjusted to a user’s individual needs,
  - create statistics which can help understand how the users of the Website use the pages, which makes it possible to improve their structure and content.
- The Website uses two basic cookie files: the ‘session cookies’ and the ‘persistent cookies’. ‘Session cookies’ are temporary files which are stored on the final device of the user until the user logs out, leaves the website or closes the software (web browser). ‘Persistent cookies’ are stored on the final device of the user for a specified time as indicated in the parameters of cookie files, or until they are deleted by the user.
- The Website uses the following types of cookie file:
  - ‘Strictly necessary’ cookie files, allowing Services to be used on the Website, e.g. authenticating cookie files used in the Services requiring authentication on the Website;
  - Cookie files, used to ensure security, e.g. in detection of unauthorised authentication to the Website;
  - ‘Performance’ cookie files allowing OPI PIB to collect information on how the pages of the Website are used;
  - ‘Functional’ cookie files, which allow the browser to ‘remember’ the settings chosen by the user and to personalise the user interface, e.g. within the range of a chosen language or region, from where the user originates, font size, website layout and design, etc.
- In many cases, software used for browsing websites (internet browser) allows the cookie files to be stored on the user terminal device by default. Service Users can change the cookie settings at any time. Those settings can be changed; specifically, the user may decide to block the automatic control of cookies in the settings of their web browser, or to be informed at any one time about a cookie being saved on their device. Detailed information on the possibilities and ways to control cookie files can be found in the software (web browser) settings.
- The Website operator informs users that the limitations in using cookie files may impact some of the functions available on the pages of the Website.
- Cookie files stored on the terminal device of the Website user may be used by advertisers and partners collaborating with the Website operator.