SPCC is committed to protecting your personal data. The following information is addressed to individuals whose personal data SPCC processes in connection with its business, i.e. in accordance with point 2: those who contact SPCC (e.g. by email, our members their representatives and members' contact persons, participants in events organised by SPCC, our counterparties/service providers and job applicants. If you are in one of these groups please check accordingly how we process your data below.

1. Personal Data Controller

a) The Controller of your personal data is the Scandinavian-Polish Chamber of Commerce (SPCC), ul. MarszaÅ‚kowska 142, p. 6, 01-061 Warsaw (the ‘Controller’ or ‘SPCC’).
b) Contact with the Controller on any matters related to the protection of personal data is possible at the following e-mail address: e-mail: spcc@spcc.pl, phone: +48 22 849 74 14 or by sending correspondence to the above address.

2. Processing of personal data.

a) Persons contacting SPCC - the purpose of personal data processing is to communicate with persons contacting the Controller. The legal basis for the processing of personal data is the legitimate interest of the Controller to enable:
    (i)     communication with the contacting person,
    (ii)    establishing relations with the contacting person,
    (iii)    provide the contacting person with necessary information.
Personal data processed includes: name, surname, e-mail address, telephone number, correspondence address and other information provided by the person contacting the Controller. The provision of personal data is voluntary; however, if all personal data relevant under the circumstances is not provided, the communication process may be impeded or impossible.

Data storage period: as long as necessary to pursue the legitimate legal interest of the Controller or of a third party.
b) Our members, member representatives and member contact persons - the purpose of the processing of personal data is to join and realise, exercise SPCC member rights, enable contact with members, carry out promotional and marketing activities, build relationships with SPCC and between members. The processing of personal data takes place on the basis of legitimate interest (where the member is a legal entity and is represented by a natural person) or the necessity to conclude or prepare to conclude an agreement (membership declaration) if the member is a natural person, or on the basis of consent, where the use of the data in a certain way (e.g. transfer of data to other members) is voluntary. Provision of personal data is voluntary; however, in the case of non-availability of personal data, it will not be possible to exercise the rights of the organisation as a member of the SPCC. The extent of necessary data and optional data are indicated in the membership declaration accordingly.

Data storage period: up to 1 year after resignation from membership.
a) Participants in our events - the purpose of the processing of personal data is to enable participants to take part in events organised by SPCC (e.g. conferences, online meetings, competitions). The processing of personal data in this case is based on the legitimate interest of the controller, in connection with the fact that the participant has applied for participation, sometimes also when the event has its own rules and regulations (e.g. a competition) the processing is necessary for the performance of the agreement with the participant. In some cases at our events we may take photos, videos, participants may then voluntarily pose for photos and this may involve, for example, publishing the photos or sending them to other participants, for the sole purpose of documenting the event, for internal SPCC purposes. Sometimes the processing of participants' data for marketing purposes may take place on the basis of consent (e.g. participants share business cards, give consent to sending emails, forward their email address). Data of speakers who agree to take on such a role is processed on the basis of legitimate interest or consent, SPCC may also process their image to promote the event.
The provision of personal data is voluntary, however, if you do not provide the minimum amount of personal data to take part in the event (usually name, surname, e-mail address) it will not be possible to take part in the event.
Data storage period: up to 1 year after the end of the event, unless the participant consented to the processing of his/her data for longer. If consent is given, the data shall be stored until it is withdrawn.
b) Counterparties and representatives of counterparties (including subcontractors) – the purpose of the processing of personal data is to conclude and/or perform the agreement and maintain relations with counterparties, i.e. service providers, SPCC suppliers and SPCC business partners. The processing of personal data of counterparties and persons designated by them (including their employees and co-workers) takes place in order to conclude or perform the agreement or on the basis of the Controller’s legitimate interest, i.e. enabling communication and maintaining relations with the counterparty, as well as the performance of the agreement connecting the represented parties. Personal data processed includes: name, surname, e-mail address, telephone number, place of work, position, business address, NIP (Tax ID), REGON (Business ID), PESEL (Personal ID) number, bank account details and other data necessary to conclude and/or perform the agreement and maintain relations with counterparties. The provision of personal data is necessary to maintain relations or to conclude/execute the agreement when the relationship exists (or when the agreement is concluded) with a natural person. In the case of individuals who represent a legal entity, the provision of their data is not necessary, however, it enables them to contact the Controller.
Data storage period: the period of validity of the agreement concluded with the counterparty and the period necessary to enable the parties to pursue their claims under such an agreement, but no shorter than the period prescribed by law or as long as it is necessary to pursue the legitimate legal interest of the Administrator or a third party.
c) Job candidates - the purpose of the processing of personal data is to carry out the recruitment process for potential employees/co-workers. The processing of personal data of job candidates takes place on the basis of necessity to conclude or prepare for the conclusion of a contract of employment or another civil law contract, or in connection with the Controller's legal obligation under the law, or on the basis of the candidate's consent (e.g. for future recruitment). The provision of personal data is voluntary; however, if personal data is not provided, it will not be possible to participate in the recruitment process. The data necessary to carry out the recruitment process includes: name, surname, residence address, information on education and previous experience. Other data provided by the employee candidate, such as contact details in the form of telephone number, e-mail address or image in the form of a photograph attached to the CV, may also be processed.
Data retention period: up to 1 year after the end of the recruitment process. If you agree to the processing of data during further recruitment: up to 2 years.

3. Provision of personal data

Data may be made available to entities and bodies authorised to process such data on the basis of the provisions of law. Your personal data may also be shared with providers of technical and organisational services (e.g. IT service providers) and providers of consultancy services, whereby these entities process the data on the basis of an agreement with the Controller and in accordance with the Controller's instructions.

4. Data transfer outside the European Economic Area (EEA)
The Controller may transfer personal data outside the EEA in certain cases, only if it is necessary and it is not otherwise possible to achieve the purpose (e.g. use of certain subcontractors), but the SPCC shall do so in a secure manner, only on the basis of an agreement and with appropriate safeguards for such transfer (e.g. using the so-called Standard Information Clauses approved by the European Commission.

5. Rights of data subjects
In relation to the processing of personal data, data subjects are entitled (respectively) to:
a. request from the Controller access to the processed personal data,
b. request the Controller to correct the processed personal data,
c. request the Controller to delete the processed personal data,
d. request the Controller to restrict the processing of personal data,
e. object to the processing of personal data,
f. transfer the personal data,
g. withdraw consent to the processing of personal data, whereby the withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent before its withdrawal,
h. lodge a complaint with the supervisory authority (President of the Office for the Protection of Personal Data).
You can make your request for the exercise of the above-mentioned right by contacting the Controller.

6. Source of obtaining personal data
If we have received personal data from entities other than the data subject, this means that we have received it from other entities with which the Controller is affiliated, its counterparties (and/or their representatives).