1. General provisions
- visiting websites, applications and online tools owned by OPI PIB, or using the Services they provide,
- participating in tendering procedures to select tenderers,
- participating in projects being implemented,
- whose data are processed as part of conducted research or development works,
- collaborating within the scope of contracted Services or tasks,
- whose data are processed in connection with the processes at OPI PIB,
- contacting OPI PIB in any matters, including sending correspondence, requests for access to public information, submitting offers, or providing their personal data to OPI PIB for any purpose.
The above cases of data processing are hereinafter jointly or individually referred to as “Services”.
The Policy is of a general nature and lays down the most important matters connected with personal data processing. This Policy is supplemented with the OPI PIB Personal Data Security Policy and relevant detailed rules or information clauses which individuals receive or accept at the moment of gathering their personal data through e.g. newsletter subscription, contact forms, user accounts on a given website, participating in a public procurement procedure, recruitment process, etc.
All personal data we gather in connection with the use of Services are processed responsibly and diligently, and in line with legal requirements. The data are processed in a transparent procedure for the purposes they have been gathered, upholding the principle of data minimization and storage restriction and ensuring control over data processing through making possible for every data subject to exercise their rights related to their data under GDPR.
2. Contact data
2.1 Personal data controller
The Personal Data Controller, as part of the Services, is the National Information Processing Institute headquartered in Warsaw at the following address: al. Niepodległości 188b, entered in the Register of Entrepreneurs maintained by the Regional Court for the capital city of Warsaw, Commercial Court, 12th Commercial Division of the National Court Register, under No. 0000127372, tax identification number (NIP): 525-000-91-40, business entity statistical number (REGON): 006746090.
Address: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy
Al. Niepodległości 188b
Tel. +48 22 570 14 00
2.2 Data protection officer
Correspondence address with a postscript: ‘’IOD’’:
National Information Processing Institute
Al. Niepodległości 188b
3. Rules of law
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L No. 119, p. 1) – hereinafter referred to as “GDPR”,
- Act of 10 May 2018 on Personal Data Protection (Polish Journal of Laws of 2018, item 1000),
- Telecommunications Act of 16 July 2004 (Polish Journal of Laws of 2017, item 1907, as amended),
- Electronic Services Act of 18 July 2002 (Polish Journal of Laws of 2017, item 1219, as amended),
- Act on Higher Education and Science of 20 July 2018 (Polish Journal of Laws of 2018, item 1668, as amended),
- Act on Research Centers of 30 April 2010 (Polish Journal of Laws of 2018, item 736).
4. Rules of personal data processing
As part of personal data processing of individuals using the Services of OPI PIB particular attention is paid to ensuring the data are processed in a secure, diligent, legal and transparent manner for an individual to whom the data pertain.
These are the most important rules that OPI PIB adheres to when processing data:
- Personal data are collected only in a minimal scope, vital to meet the goals they have been collected for,
- The goals of gathering personal data are clearly specified, are supported by the law or statutory activities of the Institute; OPI PIB does not process data in a way incompatible with said goals.
- OPI PIB ensures the up-to-date information and correct personal data of individuals using the Services and immediately reacts to any request for clarification or data update, unless relevant laws provide otherwise,
- OPI PIB recognizes the right of data subjects to access and correct their personal data, unless relevant laws provide otherwise,
- OPI PIB also recognizes, wherever applicable, respectively: the right of data subjects to delete personal data, withdraw their consent, request to restrict the processing, transfer their data, object to data processing, not to be subject to a decision based solely on automatized data processing, including profiling,
- OPI PIB restricts the storage of personal data in accordance with the law only to the period essential to meet the goals for which they are gathered, unless there exist legitimate reasons to prolong the data storage period,
- OPI PIB protects personal data from loss, unauthorized access, accidental loss or change as well as from other illegal forms of processing,
- Whenever personal data are made available to other entities, they are safely disclosed under contract and in accordance with applicable rules of law,
- Protection of natural persons in connection with processing of their personal data is one of the basic rights of each data subject. OPI PIB pays particular attention to respecting the privacy of data subjects whose data are processed, regardless of whether the data have been acquired directly from a data subject or from other sources.
5. Rights of data subjects connected with processing
OPI PIB recognizes the rights of data subjects connected with processing of their personal data in the context of using the Services. Those rights stem from applicable personal data regulations, in particular from GDPR (Articles 16-21). Enforcement of a right may be subject to exceptions resulting only from applicable laws, of which a person making a request shall be notified by the administrator.
A data subject whose personal data are processed as part of the Service, excluding the exceptions as stated in the rules of law, is entitled to:
- Withdraw their consent to process their personal data at any time, if the consent is the legal basis of data processing,
- Access the data, i.e. the data subject has the right to receive information from OPI PIB confirming that their personal data are processed by OPI PIB and stating the purpose for which they are processed, how they are processed and for how long they have been or will be processed,
- Clarify out-of-date or incomplete personal data, as well as the right to complete them if they are incomplete,
- Object to process their personal data if OPI PIB processes their personal data based on the justified interest (e.g. for analytical, statistical, evidentiary, archiving purposes). In the case of objection, OPI PIB shall cease to process data, unless OPI PIB demonstrates relevant, legitimate bases for processing which, objectively, ought to have priority over the interest of the data subject, or are essential to determine, assert or defend claims (e.g. evidence purposes or assertion of claims),
- Delete their personal data (“the right to be forgotten”). As a rule, the controller requests to immediately delete their personal data under Article 17 of the GDPR. However, there are exceptions to this rule (particularly for the purpose of determining, asserting or defending claims),
- Restrict the processing of personal data, which, in practice, may consist in temporarily blocking the access to the data in transferring the data to another system,
- Transfer the data, i.e. the data subject is entitled to receive backup copies they have provided to OPI PIB, if their data are processed on the basis of their consent, on the basis of a contract, or in an automated manner,
- Submit a complaint to a supervisory body, i.e. the President of the Personal Data Protection Office headquartered in Warsaw at the following address: ul. Stawki 2.
All applications or requests pertaining to the processing of personal data, including the ones pertaining to enforcement of rights should be sent by e-mail: email@example.com or firstname.lastname@example.org or by mail to the address: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy, al. Niepodległości 188b, 00-608 Warszawa
OPI PIB shall reply to the applications/requests without unreasonable delay, but in no event later than within 30 days as from the moment of receiving the application/request. The above deadline may be extended by another two months if a particular request proves complex or if there are many requests, of which the applicant shall be notified.
The applications/requests ought to include a name and surname of the applicant as well as contact data (telephone number, e-mail address and, in the case of application/requests in writing, correspondence address). If the applications/requests pertain to the use of websites, please provide an address of the website or information about the Service provided by our websites and additional clarifications supplementing the submitted application (in order to speed up the application handling process). In the case of handing some applications/requests, OPI PIB may ask for additional information to confirm the identity of the applicant.
6. Personal data security
OPI PIB undertakes technical and organizational measures to protect the personal data from illegal or unauthorized access or use, as well as from accidental destruction, loss, or privacy breach. The rule of ensuring security is implemented at every stage of data processing and in every area of OPI PIB activity. The safety procedures include in particular: access security, backup copy system, monitoring, maintenance and upkeep, security incident management.
In order to ensure data processing security, OPI PIB obliges to include the rules of:
- confidentiality, i.e. protection of the data from accidental disclosure to third parties;
- Integrity, i.e. protection of data from unauthorized modifications,
- accessibility, i.e. ensuring access to data to authorized persons, if the need arises.
The personal data may be processed by third parties only if the subject commits to providing proper technical and organizational means guaranteeing that personal data are secure, as well to keep data secret. Each person having access to personal data in OPI PIB is duly authorized and obliged to keep them it secret.
Personal data which data subjects provide on our websites, are encrypted and protected by the SSL certificate.
7. How we process personal data
7.1 For what purpose and on what basis does OPI PIB process the data of persons using the Services?
OPI PIB processes personal data only for specified, explicit and legitimate purposes.
The purpose and the legal basis of personal data processing is at any one time stated in a separate notice issued by OPI PIB and dedicated for specific Services, projects, research, development works, contracts, tendering procedures, public orders, etc. within the scope of which personal data are processed.
Listed below are various legal bases and purposes for which OPI PIB can process personal data (as part of a single data processing procedure, personal data can be processed for several different purposes and on the basis of various legal bases):
Consent of a data subject. The consent can be given by submitting a declaration of will or by express confirmation actions, i.e. by actions of data subjects, e.g. by providing the data and sending out a form, or by being obligated to tick a checkbox, for example. In both cases, the legal basis shall be Article 6 item 1 letter (a) of GDPR. In any case, after giving his or her consent, the data subject may withdraw his or her consent in the manner specified in the information on the processing of personal data dedicated to a given Service. The consent forms a legal basis if, including but not limited to, the data subjects:
- freely provide us with their data and ask us, for example, about the possibility to issue a report or to provide Services offered by OPI PIB,
- reach out with a contract request,
- send any kind of e-mail to the address in opi.org.pl domain,
- subscribe to a newsletter,
- send queries or comments with the use of appropriate contact forms,
- gather information about fairs, exhibitions, conferences and other science events organized by scientific community entities.
In the case of queries addressed to OPI PIB regarding the possibility to provide specific Services, the legal basis for personal data protection, should such Services be accepted, shall change to steps needed to enter into a contract or to a contract (Article 6 item1 litter (b) of GDPR).
Performance of a contract or steps needed to enter into a contract (Article 6 item 1 letter (b) of GDPR).
The legal basis in the form of a contract or in the form of steps needed to enter into a contract shall apply, including but not limited to, if OPI PIB processes personal data within the scope of Services provided by OPI PIB websites, e.g. BWNP, Inventorum, Navoica, etc., as it is necessary to perform a contract entered into by OPI PIB by accepting terms of electronic services available in said websites and for the purposes specified therein.
This legal basis is also applied to process data of contractors being natural persons and providing Services to OPI PIB.
In some cases, the processing of personal data may be based on compliance with a legal obligation imposed on the controller (Article 6 item 1 letter (c) of GDPR).
This applies in particular to the obligations imposed on OPI PIB resulting from legal regulations, specifically tax or labor law regulations, but also industry regulations concerning OPI PIB as an entity having the status of a research institute (reporting obligations arising from the Act on Research Institutes or the Act on Higher Education and Science). Personal data shall be processed on the basis of the premise resulting from legal regulations also in the case of performance of public orders announced by OPI PIB and requests for proposal carried out under by-laws drafted on the basis of such regulations.
Based on the premise of fulfilling the legal obligation, we process personal data for archiving purposes, which results from the Act of 14 July 1983 on National Archival Collections and Archives; under said regulations a public entity is obliged to archive documents within the scope of which personal data are processed in accordance with an adopted office procedure.
Performance of a task carried out in the public interest (Article 6 item 1 letter (e) of GDPR)
OPI PIB processes personal data because it is necessary for the performance of a task carried out in the public interest, which includes: supporting the processes of organizing and financing scientific research; dissemination of knowledge about science, scientific research and development work; preparation of analyses, opinions and expert reports on conducted scientific research, acquisition and development of aggregate, comprehensive and synthetic information concerning scientific research and development work, including for statistical purposes and support for the scientific and academic community.
In view of the foregoing, OPI PIB processes personal data to:
- promote and publish information regarding scientific, research, development and expertise activity of persons registered in the bases managed by OPI PIB,
- promote and present scientific achievements,
- providing comprehensive information on scientific, research, development and expertise activity at the request of entities operating within the scope of scientific community as well as at the request of public administration bodies and entities, and of any other interested persons,
- use gathered data to create analyses and statistics for Polish science, the Polish scientific community, and scientific research,
- inform the entities interested in transferring knowledge and technology from the science sector to the business sector,
- store and manage archival data for the public interest,
- carry out scientific and research study tasks,
- perform statistics-related tasks,
- organize trainings.
Legitimate interests (except where OPI PIB interests are overridden by the interests or fundamental rights and freedoms of the data subject) (Article 6 item 1 letter (f) of GDPR)
Basing on the legitimate interests, OPI PIB processes personal data, among other things:
- to monitor publicly available traffic routes,
- for the purpose of financial settlements,
- to prevent and detect fraud,
- for evidence and archival purposes as well as to protect the information in case of a legal need to demonstrate facts or to determine, assert or defend against claims,
- for analytical and statistical purposes to ensure the quality of services provided to optimize operation processes. In this case aggregate data are the result of the processing,
- in connection with performance of Services provided electronically to ensure their security,
- to handle the complaint procedure,
- to exercise the rights of data subjects, specifically the right to data accuracy, the right to withdraw the consent, and the right to store requests and proofs necessary to serve the data subjects,
- to ensure data security, in particular to ensure that data are integral, accurate and up-to-date,
- to enter into and perform contracts representing a business partner or individuals appointed as contact persons.
7.2 Manner of data collection
As part of the use of Services, OPI PIB collects personal data of persons when they fill in forms on our websites, contact us by phone, ask questions or send messages with the use of our websites or online tools, and automatically collects data included in system logs and cookies.
Personal data are also collected from persons entering into contracts, sending offers, submitting inquiries in any way, filing applications in the public information access mode, participating in tendering procedures, offering cooperation, and participating in training courses.
Personal data are provided to OPI PIB also from science centers in which the data subject is employed as a researcher or academic teacher, or carries out scientific activities in that center.
We also obtain data for scientific and research, analytical or statistical purposes from publicly available sources, such as public databases.
What data can we process and where do we get them from?
Personal data may cover a different range of data, depending on the category of the data subject, on the Services it uses, and on the purpose for which the data are collected.
At any one time OPI PIB processes only the necessary data range.
Within the scope of Services, personal data processed by OPI PIB include: identification data (e.g. name, surname), contact data (e.g. telephone number, e-mail address, address of residence), data concerning inquiries, orders, complaints, data concerning scientific and research activities, data concerning publications, data concerning the place of employment. In the case of economic operators, data also include the company name, tax identification number, and contact person details (position).
If data are collected in connection with the fulfillment of obligations under legal regulations, we process only those data that are required by such regulations.
As far as using the Services is concerned, in which case data processing is not based on legal regulations, providing personal data is voluntary, but often necessary to be able to use the Services; in all other cases, the data are collected because of applicable legal regulations, of which the data controller shall inform data subjects in relevant information clauses dedicated to particular Services.
Forms intended to collect personal data within the Services must be filled in by adults only. In view of the above, OPI PIB does not intentionally process any personal data of any individuals under 16 years of age. Consents shall be legally valid only if given by persons aged 16 and over. No person using the Services and being under 16 years of age should provide us with any information. Should we become aware that a person under 16 years of age has provided us with personal data without a verifiable parental consent, we shall not process such data and access to the Services shall be blocked.
8. Consent .Withdrawal of consent.
Withdrawal of consent shall make it no longer possible for a person to use certain Services, e.g. he or she shall not receive any newsletters, answers, invitations to events, conferences, and his or her scientific activity will cease to be promoted.
Withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the consent was withdrawn.
The consent withdrawal request shall be considered immediately after it has been received. After the request has been considered, OPI PIB shall cease to process personal data for the purposes to which the data subject agreed in the consent. However, until the application is considered, a person may receive information from which he or she has resigned after withdrawing his or her consent, due to the time needed to consider the application in the OPI PIB systems.
If OPI PIB has the data of persons for purposes other than those for the processing of which the consent was given (e.g. performance of contracts, services, demonstration of evidence, assertion of claims), it may continue to process them for such purposes, but on a different legal basis.
In any case, consents given may be withdrawn at any time without giving any further explanation. Consents may be withdrawn by sending an e-mail to: email@example.com, firstname.lastname@example.org, by submitting a contact form, by calling at +48 22 570 14 00 or by sending a request to the address of OPI PIB’s registered seat.
If a request to withdraw the consent is made on the phone, further verification may be required to confirm a person’s identity.
9. Storage of data
The data will be kept for as long as it is necessary to achieve the purposes for which the data have been collected. If possible, OPI PIB shall specify the data storage period in the information clauses dedicated to particular Services.
If the data are processed on the basis of a consent, the data will be stored until the consent validity date or until the consent is withdrawn.
However, the storage period may change, i.e. personal data may be stored longer if the obligation is required by law or if it is necessary to determine, assert or defend against claims (e.g. until the end of the statutory limitation period for claims, we may keep proof of a user’s consent), or shorter, e.g. after data have been deleted upon request.
The period of storage of personal data is determined in accordance with the applicable legal regulations. The data subject has the right to request of us to obtain information about the planned and likely duration of storage of personal data.
Listed below are the usual basic data storage periods for particular Services:
- newsletter subscription – until a user decides to unsubscribe,
- in the case of data processing connected with implementation of a task in the public interest – until the purpose of the processing ceases or until an objection connected with a specific situation of the data subject is made, unless it proves vital to further process the data,
- in the case of correspondence sent via the contact form – until either the objection is raised, or the consent is withdrawn, or the purpose of the processing ceases, but for no longer than 3 years,
- provision of services by electronic means or in connection with contracts concluded – for the duration of the contract, but for not longer than until the end of the statutory limitation period for claims,
- In the case of the purposes based on legitimate interests – for the period of validity of those purposes or until an objection is raised, but in no event for any longer than 5 years, unless it is necessary to store the data for a longer period, provided that such an obligation arises from legal regulations or that it proves necessary to determine, defend or assert claims,
- for the purposes connected with public procurement procedures – for a period of 5 years,
- for the purposes connected with the settlement of public law receivables – for a period of 5 years,
- for archival purposes – for the period specified in an adopted office procedure and the uniform itemized list of files for a given document.
10. Recipients of data. Making data available to other entities.
The following data recipients may have access to personal data:
- authorized employees of OPI PIB,
- employees of the entity supervising the activities of OPI PIB,
- employees of public administration bodies or entities, in connection with their tasks resulting from legal regulations,
- service providers and their authorized employees who, under an agreement, have been entrusted with the processing of personal data for the purpose of providing services to OPI PIB in connection with performance of their own services, in particular entities operating IT systems, providing consulting, legal, auditing and other services.
If possible, OPI PIB shall specify the actual recipients of the data in the information clauses, and, should it prove impossible, OPI PIB shall specify the category of recipients.
Depending on the type of Service used by a person (e.g. databases kept for the purposes of promoting scientific activity of persons), data may also be made available to all entities interested in obtaining information on the state of Polish science and higher education, wishing to conduct scientific research, scientific works or interested in commercialization of scientific research results, seeking contact with experts from particular fields or disciplines of science, willing to conduct development works in their enterprises and interested in contact with an expert from a particular field/discipline of science, to all entities interested in scientific, research and development activity in order to make contact with other people or entities or to conduct research.
Personal data may also be made available to other recipients which act as processing entities providing services ordered by and performed on behalf of OPI PIB and which were commissioned to carry out tasks requiring data processing in connection with personal data processing, in particular within the scope of IT services, archiving, correspondence, e.g. to auditors and professional advisors. In some cases, external entities providing services on our behalf may act as independent administrators, e.g. Poczta Polska or other postal operators.
In justified cases, personal data may also be made available to public administration bodies (e.g. prosecutor’s office, police, city guard, public offices) and courts.
Services provided by OPI PIB may include links to other websites, social networking sites or websites of cooperating entities. Whenever a person accesses a third party website, he or she will be subject to a separate privacy and data protection policy for that website. In that case, it is necessary to read the privacy and personal data protection policies for each of the websites.
11. Transfer of data to countries from outside the EEA
Within the scope of Services we do not transfer personal data to countries from outside the European Economic Area, except for the data that are publicly available on the Internet, if it is available outside the EEA.
12. Automatic processing (including profiling) of personal data
As far as particular Services are concerned, personal data may undergo automatic processing (including profiling), but that shall not have any legal effect on persons or significantly affect their situation.
Personal data profiling by OPI PIB consists in (automatic) processing of data by using them to evaluate certain information about persons in databases, in particular to analyze the fields or disciplines in which a given person specializes.
OPI PIB reserves the right to amend this Policy, which may result from the need to adapt to changes in legal regulations or in applicable privacy standards. In view of the foregoing, OPI PIB shall notify the public of any amendment by publishing a relevant notice on its website.
Appendix number 1 – information regarding cookies for the page https://www.opi.org.pl and used analytical tools
- The website with the URL address https://www.opi.org.pl (hereinafter referred to as “Website”) automatically gathers information in two ways: by using the Google Analytics tool and through cookie files.
- The cookie files (so-called ‘’cookies’’) constitute IT data, text files in particular, which are stored in the terminal device of the Website user and designated for using the webpages of the website. The cookies usually contain the webpage name, from which they originate, the time of their storage on the terminal device, as well as a unique number.
- The entity saving cookie files on the terminal device of the user and gaining access to such files is the Website operator: Ośrodek Przetwarzania Informacji – Państwowy Instytut Badawczy (National Information Processing Institute) headquartered at the following address: al. Niepodległości 188b, 00-608 Warszawa.
- The cookie files are used to:
- adjust content stored on the webpages of the Website to user preferences and to optimize the use of webpages; in particular, the files allow to recognize the device of the user and to properly display a webpage, adjusted to user’s individual needs,
- create statistics which can help understand how the users of the Website use the webpages, which makes it possible to improve their structure and content.
- The Website uses two basic cookie files: the “session cookies” and the “persistent cookies”. ”Session” cookies are temporary files which are stored on the final device of the user up until the user logs out, leaves a website or closes the software (web browser). “Persistent” cookie files are stored on the final device of the user for a specified time as indicated in the parameters of cookie files or until they are deleted by the user.
- The Website uses the following types of cookie files:
- “strictly necessary” cookie files, allowing to use the Services on the Website, e.g. authenticating cookie files used in the Services requiring authentication on the Website;
- cookie files, used to ensure security, e.g. used in detection of unauthorized authentication to the Website;
- “performance” cookie files allowing to collect information on how the webpages of the Website are used;
- “functional” cookie files, allowing to “remember” the settings chosen by the user and to personalize the user interface, e.g. within the range of a chosen language or region, from which the user originates, font size, website layout and design, etc.
- In many cases, software used for browsing websites (internet browser) allows the cookie files to be stored on the user terminal device by default. Service Users can change the cookie settings at any time. Those settings can be changed; specifically, the user may decide to block the automatic control of cookies in the settings of their web browser or to be informed at any one time about a cookie being saved on their device. Detailed information on the possibilities and ways to control cookie files can be found in the software (web browser) settings.
- The Website operator informs that the limitations in using cookie files may impact some of the functionalities available on the webpages of the Website.
- Cookie files stored on the terminal device of the Website user may be used by advertisers and partners collaborating with the Website operator.