INFORMATION POLICY REGARDING THE PROCESSING OF PERSONAL DATA
NCBR Investment Fund ASI S.A. based in Warsaw


Introduction

NCBR Investment Fund ASI S.A. based in Warsaw (hereinafter: NIF or the personal data administrator), attaches the highest importance to respecting the privacy of persons whose personal data is processed. One of the basic obligations of NIF is to ensure adequate protection and proper use of your personal data collected in the course of the services provided (e.g. via e-mail or websites). Therefore, NIF introduces this Policy document. In matters related to the protection of personal data, you can contact the DPO: iod@nifasi.pl

Principles of handling personal data

1. Due to use of the NIF services which require the processing of personal data, the personal data administrator collects only necessary data to the proper provision of services.
2. The rules for the processing of personal data that are followed by NIF for the safe and lawful processing of personal data are set out below.
3.NIF respects the privacy of visitors to the websites under NIF administration and makes every effort to ensure that the processing of personal data complies with the law, in particular with the requirements of the following legal acts:
1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection of data), Journal of Laws EU.L 2016 No. 119, p. 1, as amended. amended, hereinafter referred to as „GDPR”,
2) the Act of May 10, 2018 on the protection of personal data, i.e. of 2019, item 1781
3) the Act of July 18, 2002 on the provision of electronic services, i.e. Journal of Laws of 2020, item 344,
4) Act of July 16, 2004 Telecommunications Law, i.e. Journal of Laws No. of 2019, item 2460 as amended d.
4.The data controller uses appropriate technical and organizational measures to secure the processing of personal data, but also to properly secure the rooms and places of data collection, access control system to processing areas, as well as the use of dedicated procedures for handling data, providing access to processing only authorized persons and securing processing processes with the participation of other cooperating or co-administrating entities by means of appropriate data processing entrustment agreements and data co-administration agreements. By applying appropriate safeguards, the NIF bases its procedures on an approach based on the ongoing assessment and monitoring of data processing risk.
5. The processing of personal data takes into account in particular the following principles:
1) Legality – data is processed on the basis of premises resulting from the GDPR and in accordance with other legal provisions.
Such premises, depending on the situation, may be:
– Art. 6 sec. 1 lit. f GDPR – legitimate interest of the administrator:
• consisting in ensuring appropriate functionalities and correctness of the services provided and the security of data processing;
• enabling the correct and effective selection of the recruitment process and possible selection of the Offer submitted as part of the Recruitment of Partner Funds;
• consisting in the possibility of defending against claims and pursuing claims;
– Art. 6 sec. 1 lit. b GDPR – when it is necessary for the conclusion and performance of the contract between NIF and the other party of the contract;
– Art. 6 sec. 1 lit. c GDPR – when it is necessary to fulfill the legal obligation incumbent on NIF e.g. resulting from the provisions of the Labor Code or the Act on Investment Funds and Alternative Investment Funds Management, the Anti-Money Laundering and Terrorism Financing Act, the Act on the performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improving the fulfillment of international tax obligations and implementation FATCA legislation and the Tax Information Exchange Act with other countries (CRS), the Accounting Act or the tax laws;
– Art. 6 sec. 1 lit. a GDPR – consent of the data subject.
2) Restrictions on the purpose of processing – data are processed only to the extent necessary to achieve the purpose for which they were collected and are not further processed contrary to these purposes. After achieving the goal or exhausting the conditions for legalizing the processing, the data is immediately deleted in a manner ensuring the security of this process.
3) Data minimization and limitation of the processing period – data is collected only to the extent necessary to achieve the purposes of processing. Where possible, data processing dates are defined in line with the purposes. There are also ongoing, periodic reviews and controls of the legitimacy of data processing.
4) Confidentiality and integrity – processing takes place on the basis of appropriate technical and organizational measures adequate to the level of risk, primarily taking into account the protection of personal data against unauthorized or unlawful processing and accidental loss, destruction or damage.
5) Transparency and fairness – every effort is made to ensure that the processing is fair and reliable, and that data subjects are informed in a legible manner and in a clear, transparent form about the processing processes and their related rights.
6) Substantive correctness – data are processed in accordance with reality, updated, rectified or deleted on an ongoing basis if necessary or relevant information.
7) Accountability – data processing processes and the application of technical and organizational measures to protect them are documented as far as possible, which ensures greater and more effective control of the administrator over the processing processes.

General information on the processing of personal data

6. NIF, treating the protection of personal data as one of the highest priorities in the framework of its activities, has prepared the following information on the processing of personal data during the provision of services, in particular as part of contacts by e-mail or the processing of personal data as part of the use of websites.
6.1. Who is the administrator of your personal data?
6.1.1. The administrator of your personal data is NCBR Investment Fund ASI S.A. with headquarters in Warsaw, at st. Nowogrodzka 47A, 00-695 Warsaw, which can be contacted by sending correspondence to the above-mentioned address or via e-mail at: biuro@nifasi.pl.
6.2. Who to contact regarding the processing of personal data?
6.2.1. NIF has appointed a Data Protection Officer who can be contacted in any matter regarding the processing of personal data. Contact with the Inspector is possible by e-mail (e-mail address: iod@nifasi.pl) or in writing (address: Wspólna 70, 2nd floor, 00-687 Warsaw, with the annotation „IOD”)
6.3. Do you have an obligation to provide personal data?
6.3.1. Depending on the purpose and premises for the processing of personal data, the provision of personal data may be voluntary, e.g. when the basis for processing is consent or mandatory when the processing takes place on other legal grounds.
6.4. Can you withdraw the consent given to us?
6.4.1. Withdrawal of consent or access to data may take place at any time by submitting such a request via electronic communication channels.
6.4.2. Withdrawal of consent does not affect the lawfulness of the processing of personal data, which was made on the basis of consent before its withdrawal.
6.5. Who, in principle, can we disclose or transfer your personal data to?
6.5.1. If necessary, the data may be made available by NIF to public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes resulting from legal provisions, as well as to entities providing services necessary for the performance of tasks by NIF, in particular, such entity is NCBR + sp. z o.o. in Warsaw. These data may also be transferred to NIF advisors, IT partners, entities providing technical or organizational support to NIF.
6.5.2. In some cases, external entities providing services on behalf of the NIF may act as independent administrators, e.g. telecommunications networks or postal operators, including courier companies.
6.5.3. Personal data may also be made available to entities that will be entitled to receive them on the basis of legal provisions – e.g. services, public administration bodies, courts and prosecutor’s office, court bailiffs, state and local government organizational units, parties to proceedings and other entities – to the extent necessary entities to perform their tasks.
6.6. How long will we process your personal data?
6.6.1. Personal data will be processed for the period necessary to achieve the purposes for which they were collected, as well as taking into account the nature of the processing (e.g. as part of the evaluation of Offers). In any case, personal data will not be processed for less than 6 years from the end of the activities related to the acquisition of personal data due to the need to defend against any claims by the NIF (deadline in accordance with art.118 in conjunction with art.120 § 1 of the Act of 23 April 1964 Civil Code).
6.7. Do we process your personal data automatically (including through profiling) in a way that affects your rights?
6.7.1. Your personal data will not be processed in an automated manner (including in the form of profiling).
7. In connection with the processing of personal data, you are also entitled to a number of rights, which, in order to ensure the greatest possible transparency and detail of their communication, have been described in a separate chapter of the Policy.

Detailed information on the processing of personal data

8. With regard to each of the services provided by NIF, some of the information provided with regard to the processing of personal data may / may be regulated separately (eg processing may take place on the basis of other legal grounds).

E mail

9. Detailed information on the processing of personal data in the scope of the service – e-mail:
9.1. On what basis and for what purpose do we process your personal data?
9.1.2. – Art. 6 sec. 1 lit. f GDPR, i.e. processing is carried out in connection with the legitimate interest of NIF, which should be understood as the possibility of correspondence with a potential client, bidder, contractor, partner. The legitimate interest of NIF also includes the processing of personal data to defend against possible claims and the related protection of the necessary data for conducting court proceedings.
9.2. Do we store personal data for a predetermined period of time as part of this service?
9.2.1. Personal data will be processed for the period necessary to achieve the purposes for which they were collected, as well as taking into account the nature of the processing undertaken.
9.3. Do we transfer your personal data to another entity as part of this service?
9.4. As part of the implementation of this service, your data may be made available by NIF to processors providing specific services on behalf of NIF – e.g. hosting services or IT services.
9.5. Can your personal data be transferred to third countries?
9.5.1. As part of this service, we do not transfer personal data to third countries.

Rights of data subjects

10. In connection with the application of the GDPR, with regard to the processing of your personal data
you have the following rights:

The right to access data
10.1. It takes into account the possibility for the data subject to obtain from the administrator information whether and to what extent his personal data are processed. In addition, a person requesting the exercise of this right may request the administrator to obtain access to the data and – if necessary – to obtain a copy of it. This copy should be issued free of charge. For subsequent requests of this type, a reasonable fee may be imposed on the applicant, resulting, inter alia, from from administrative expenses.

The right to rectify data
10.2. If the personal data processed by the administrator is incorrect or incomplete, the data subject may request the administrator to correct them.

The right to delete data
10.3. Also often referred to as the „right to be forgotten”. On the terms and in cases specified by law, where possible, the person whose data is processed has the right to request their removal. However, it should be remembered that this request may not always be implemented, e.g. in a situation where there is a legal obligation to process them by the administrator for a specific period of time.

Right to restriction of processing
10.4. The GDPR also provides for the possibility of submitting, in certain circumstances, a request to limit the processing of data to be made by the controller, in particular in cases where the processing is unlawful, when the person questions the correctness of the data, or when the purposes of data processing by the controller have been exhausted and the data subject continues they need them (e.g. to defend claims).

The right to object to processing
10.5. An objection to the processing of personal data is available to the data subject in situations where the processing takes place on the basis of art. 6 sec. 1 lit. e) and f), respectively in connection with the performance of tasks in the framework of public authority or in the public interest, and as part of the legal interest of the data controller. This is an important right of data subjects to object to processing in a situation where there is an imbalance of the parties to the processing.

The right to transfer personal data
10.6. It only applies to cases where the processing is based on the consent of the data subject (Article 6 (1) (a) of the GDPR) and the processing is automated. The person may then request the administrator to provide him with a complete set of data collected about him in the form of a structured, commonly used machine-readable format, and additionally that his personal data be sent by the administrator directly to another administrator, if it is technically possible.

Complaint to the supervisory authority
10.7. For unlawful processing, the data subject always has the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Office.

Withdrawal of consent
10.8. During processing of data due to approval of owner of data, owner has the right to withdraw this consent at any time. Importantly, the withdrawal of consent will not affect the lawfulness of the processing before the consent is withdrawn.