Privacy Policy
Personal Data Protection Policy at BIM ALLY Sp. z o. o., as of Jan 22, 2022
Taking into account the obligations arising from art. 25 and art. 32 of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1), to ensure that personal data at BIM ALLY Sp. z o. o., ul Żurawia nr 71, 15-540 Białystok, NIP: 9662146397 REGON: 387972536 KRS: 0000879453 (hereinafter: BIM ALLY) are processed and secured in accordance with the provisions of law by implementing appropriate technical and organizational measures designed to effectively implement data protection principles and to provide the necessary safeguards for processing; and BIM ALLY ensures, that by default, only personal data that are necessary to achieve each specific processing purpose are processed.
1. Initial provisions
- The controller of Personal Data is BIM ALLY Sp. z o. o., ul. Żurawia nr 71, 15-540 Białystok, NIP: 9662146397 REGON: 387972536 KRS: 0000879453. The policy defines the principles of processing and protecting Personal Data in BIM ALLY, in order to ensure the compliance of Processing with the requirements of the GDPR and the provisions of the mandatory Polish law regarding the processing of personal data. The policy is a collection and the basis for the requirements, procedures and principles of personal data protection implemented in BIM ALLY. The policy includes:
- a description of the BIM ALLY data protection rules;
- a set of procedures, instructions and detailed regulations concerning the processing of Personal Data in BIM ALLY regarding specific areas of personal data protection; constituting attachments to the Policy.
- The policy applies to all employees and associates of BIM ALLY. The entities and persons responsible for the compliance with and maintaining the provisions of the Policy are:
- BIM ALLY;
- BIM ALLY organizational units which process Personal Data;
- Employees and associates.
- For effective implementation of the Policy, taking into account the scope, context and purposes of processing as well as the risk of violating the rights or freedoms of persons with different probabilities and the importance of the risk, BIM ALLY provides:
- implementation of appropriate technical and organizational measures to ensure compliance of the processing of Personal Data with the requirements of law and the necessary protection of personal data being processed;
- continuous monitoring of the compliance of the processing of Personal Data consistent with the legal requirements and continuous reviews and updates of the measures referred to in paragraph 1.3 (i) above
- control and supervision over the processing of Personal Data.
- The supervision of compliance with the policy is ensured by Piotr Janiak, the co-owner of the company. The supervision referred to in the preceding sentence seeks, in particular, but not exclusively to ensure that the activities related to the processing of Personal Data in BIM ALLY comply with the requirements of law and the provisions of the Policy.
- BIM ALLY ensures compliance of the business entities cooperating with BIM ALLY, including, in particular, the Processors with the provisions of the Policy in an appropriate scope in all situations where personal data are transferred to these entities for processing, including storage.
- The policy is stored and made available in paper and electronic version at the BIM ALLY office.
- The policy is made available to:
- compulsory to all individuals authorized to process personal data at BIM ALLY in order to provide authorized persons with reasonable knowledge and information about the principles and requirements for processing Personal Data in BIM ALLY;
- to interested persons, in particular to data subjects – at their request.
2. Definitions
- The following definitions or phrases used in this Policy shall have the following meaning:
- Policy – means this Policy;
- Personal data – mean information about an identified or identifiable physical person, such as name, identification number, location data, internet identifier, or one, or more specific factors determining physical, physiological, genetic, psychological, economic, cultural or the social identity of a natural person; referred to in art. 4 point 1 GDPR;
- GDPR – means Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1);
- Authorized Person – means a person authorized by BIM ALLY to process Personal Data in a given scope;
- Processing – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, ordering, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, dissemination or other type of sharing, matching or merging, limiting, erasing or destroying, as referred to in art. 4 point 2 GDPR;
- Data set – means any structured Personal Data set, available according to specific criteria;
- Processor – means any natural or legal person, public authority, entity or other entity that processes personal data on behalf of BIM ALLY;
- Registry – means BIM ALLY Personal Data Processing Registry;
- Authentication – means an activity whose purpose is to verify the User’s declared identity;
- BIM ALLY – means BIM ALLY Sp. z o. o., ul Żurawia nr 71, 15-540 Białystok, NIP: 9662146397 REGON: 387972536 KRS: 0000879453 email address: [email protected], telephone number: +48 796878844;
- Employees – means both persons employed in BIM ALLY on the basis of an employment relationship, as well as natural persons cooperating with BIM ALLY under a Civil Law Agreement;
- Customers – means natural persons acting on their own behalf, as well as natural persons acting on behalf of and for the benefit of entities, regardless of their organizational and legal form, cooperating with BIM ALLY, in particular suppliers, distributors, service providers, recipients of services;
- System – means the Personal Data Protection System at BIM ALLY, referred to in § 5 of the Policy;
- Sensitive Data – means Personal Data referred to in art. 9 THE GDPR.
3. Personal data
- BIM ALLY processes Personal Data for the purpose of:
- enabling customers to submit a request for quotation and become acquainted with the BIM ALLY offer as well as to perform the contract, including delivery, (Article 6 paragraph 1 letter b) of the GDPR),
- compliance with BIM ALLY obligations arising from law, including the Accounting Act and the Tax Ordinance (Article 6 (1) (c) of the GDPR),
- the pursuit of the legitimate interests of BIM ALLY, including the pursuit of claims and defense against claims (Article 6 (1) letter f of the GDPR),
- the promotion of BIM ALLY products and services (Article 6 (1) (a) and (f) of the GDPR).
- BIM ALLY processes Personal Data collected in data sets.
- Updating or expanding the Data Sets list follows the previous analysis of the consequences and risks of personal data processing for the rights and freedoms of natural persons included in the set.
- BIM ALLY does not undertake any Processing activities that could involve a significant risk of violating the rights and freedoms of the data subjects. In the case of planning the activities referred to in the preceding sentence, BIM ALLY obligatorily carries out a prior assessment of the effects of the processing referred to in Art. 35 GDPR.
- By default, personal data are processed in the BIM ALLY premises located in the office located at ul. Żurawia, nr 71, 15-540 Białystok. Additional areas in which Personal Data are processed are all portable computers and other data carriers located outside the area indicated in the preceding sentence.
4. Foundations of Data Protection in BIM ALLY
- BIM ALLY ensures the application of technical and organizational measures necessary to ensure confidentiality, integrity, accountability and continuity of the processed data.
- Authorized persons and all other persons, to whom personal data are provided at BIM ALLY are obliged to process it in accordance with the legal requirements and in accordance with the provisions of the Policy, as well as other internal BIM ALLY laws or internal procedures related to the processing of personal data.
- When hiring employees and during employment, BIM ALLY ensures that:
- Employees, before commencing their official duties, receive adequate knowledge of the Principles of Processing and Protection of Personal Data at BIM ALLY;
- each employee is authorized in writing to Process Personal Data to the necessary extent;
- each employee is obliged to maintain the confidentiality and integrity of Personal Data, with Employees being obliged in particular, but not exclusively to:
- strict compliance with the scope of the authorization;
- compliance with legal requirements and the provisions of the Policy regarding processing;
- keeping Personal Data secret;
- maintain the confidentiality and integrity of Personal Data;
- notify BIM ALLY immediately if any incident related to a Personal Data breach takes place.
- BIM ALLY ensures that Personal Data Processed at BIM ALLY are:
- Processed in accordance with law, fairly and transparently for the data subject;
- collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- correct and updated where necessary; all reasonable steps must be taken to ensure that personal data, which are incorrect in view of the purposes for which they are processed are immediately removed or corrected (‘regularity’);
- kept in a form, which permits identification of the data subject for no longer than is necessary for the purposes, for which the data are processed;
- processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures.
- While ensuring the processing of personal data in accordance with the principles set out in paragraph 4.1 above BIM ALLY bases the Processing on the following grounds:
- Legality – BIM ALLY cares for the protection of privacy and processes Personal Data as required by law;
- Security – BIM ALLY provides an adequate level of Personal Data security by constantly taking action in this area;
- Rights of Data Subjects – BIM ALLY enables persons, whose Personal Data are processed, to exercise their rights and implement these rights;
- Accountability – BIM ALLY provides a proper documentation of how to comply with data protection obligations.
5. Personal data protection system
- BIM ALLY ensures compliance of Personal Data Processing with legal requirements also by designing, implementing and maintaining the System. The System consists of organizational measures and technical protection measures, adequate to the level of risk identified for individual Data Sets and data categories. The system consists, in particular, of the following measures:
- restricting access to the premises in which Personal Data are processed, only to Authorized Persons and ensuring that other persons remain in rooms used for processing Personal Data only in the presence of an Authorized Person;
- closing the rooms constituing the area referred to in paragraph 3.4 of the Policies in case of the employees’ absence, in a way that prevents access to those rooms by the third parties;
- ensuring the security of the area referred to in paragraph 3.4 of the Policies against random factors such as fire or flood;
- using lockers, drawers or other technical resources to prevent unauthorized persons from accessing the Personal Data stored in them;
- implementing the Clean Desk Policy;
- implementation of the Procedure for opening and closing buildings and office spaces;
- ensuring effective removal or destruction of documents containing Personal Information in a manner that prevents their subsequent reproduction;
- ensuring hardware and IT security, including:
- protection of the local network against external unauthorised initiatives,
- ensuring that the software used is up to date,
- securing the hardware used in BIM ALLY against malware,
- ensuring the permanent and repeated back-up of data stored on computers, the server and the BIM ALLY network,
- restricting access to hardware, server and local area network by applying Authentication rules;
- conducting a risk analysis for data processing activities or categories of data;
- implementation of the verification and selection standards of Processors, as well as the conditions for entrusting Data Processing to individual Processors;
- monitoring changes in the processing of personal data in the BIM ALLY and on an ongoing basis managing changes affecting the protection of Personal Data at BIM ALLY.
6. Register
- The register includes categories of processing of Personal Data in the Office. Through the BIM ALLY Registry, it documents the processing of Personal Data and inventory and monitors the manner, in which it uses Personal Data.
- Through the Registry, in particular by indicating in the Register general protection measures for Personal Data covered by a separate processing activity, BIM ALLY also strives to demonstrate compliance of the Personal Data Processing with the legal requirements.
- In the Register, separately for each category of processing of Personal Data identified, recorded are at least:
- the name of the activity;
- the purpose of the processing;
- a description of the categories of data subjects as a part of a given activity;
- a description of the categories of Personal Data processed in the course of the activity;
- the legal basis for the processing, specifying the category of the legitimate interest of BIM ALLY, if the basis of the processing is a legitimate interest;
- description of the categories of recipients of the data, including the Processors,
- information about the possible transfer of Personal Data outside of the European Union or the European Economic Area;
- a general description of the technical and organizational measures to protect Personal Data applicable to the activity.
- In the event of an upgrade or extension of the category of processing personal data, BIM ALLY shall immediately update the Register in order to ensure that the Registry complies with the actual state and scope of the processing of Personal Data in BIM ALLY.
- The provisions of paragraph. 6.3 above do not exclude the possibility of including additional information in the Register, increasing the accuracy or legibility of the Register or facilitating the management of the compliance of personal data protection with the legal requirements, and the implementation of the accountability principle.
- BIM ALLY documents in the Register the legal grounds for data processing for particular processing activities by indicating the general legal basis for processing, such as: consent, contract, legal obligation imposed on BIM ALLY, legitimate purpose of BIM ALLY.
7. Responsibilities towards data subject
- BIM ALLY implements consent management methods that enable registration and verification of the consent of the person to process specific data for a specific purpose, consent to remote communication (email, telephone, text messages) and registration of refusal of consent, withdrawal of consent and similar activities such as raising an objection or restriction of processing.
- BIM ALLY takes care of the legibility and style of information transmitted and communication with data subjects.
- BIM ALLY publishes the following information on the BIM ALLY website which is available for inspection at BIM ALLY:
- policy;
- Information on the rights of data subjects;
- Information on the scope of personal data processed for specific purposes;
- Methods of contacting BIM ALLY regarding personal data;
- In order to exercise the rights of data subjects, BIM ALLY provides procedures and mechanisms to identify the data of specific persons processed by BIM ALLY, integrate this data, make changes to them and delete in an integrated manner.
- BIM ALLY documents the handling of information obligations, notifications and requests of persons, informing the data subject:
- on the processing of its data, in the collection of data from that person.
- about the processing of its data, when collecting data about that person indirectly from it;
- about the planned change of the purpose of data processing.
- before revoking the processing restriction.
- rectification, deletion or limitation of data processing (unless this requires a disproportionate effort or is impossible).
- about the right to object to data processing at the latest at the first contact with that person.
- BIM ALLY informs the person about the personal data breach without undue delay, if it can cause a high risk of violating the rights or freedoms of that person. At the request of persons regarding access to their data, BIM ALLY informs the person whether he processes its data and informs the person about the details of processing, in accordance with art. 15 GDPR, and also gives the person access to data concerning him. Access to the data can be done by issuing a copy of the data.
- BIM ALLY issues to the person whose Personal Data relates to a copy of its data and notes the fact of the first copy of the data.
- BIM ALLY corrects incorrect data at the request of the data subject. BIM ALLY has the right to refuse to rectify the data, unless the person in a reasonable manner shows the irregularities of the data which he or she demands. If the data is corrected, the BIM ALLY informs the person about the recipients of the data at the request of that person.
- BIM ALLY supplements and updates data at the request of the data subject. BIM ALLY has the right to refuse to supplement the data if the supplement would be incompatible with the purposes of data processing. BIM ALLY may rely on a statement of the person for the data being filled in, unless this is insufficient in the light of the procedures adopted by BIM ALLY, the law or the grounds for considering the statement to be unreliable.
- Pursuant to paragraph 7.12 below, at the request of a data subject, BIM ALLY deletes data when:
- the data is not necessary for the purposes for which it was collected or processed for other purposes,
- the consent for their processing has been withdrawn and there is no other legal ground for processing,
- the person has lodged an effective objection against the processing of such data,
- the data was processed unlawfully,
- the necessity of removal results from a legal obligation,
- the request concerns the child’s data collected on the basis of consent to provide information society services directly offered to the child.
- BIM ALLY takes into account the removal of personal data to ensure effective implementation of this law, while respecting all data protection principles, including security, and verifying that there are no exceptions referred to in Article 17. sec. 3 GDPR.
- If the data to be deleted has been made public by BIM ALLY, BIM ALLY takes reasonable steps, including technical measures, to inform other controllers processing this personal data about the need to delete and access data. In the event of deletion of data, BIM ALLY informs the person about the recipients of the data at the request of that person.
- BIM ALLY limits data processing at the request of a person when:
- the person questions the correctness of the data – for a period that allows checking their correctness,
- the processing is unlawful and the data subject opposes the removal of personal data, requesting instead to limit their use,
- BIM ALLY no longer needs personal data, but it is necessary for the data subject to establish, assert or defend claims,
- the person has objected to the processing for reasons related to its specific situation – until it is established that there are legitimate grounds on the BIM ALLY side that override the grounds of objection.
- During processing restrictions, BIM ALLY stores data but does not process them (it does not use them, does not transmit them), without the consent of the data subject, unless to establish, investigate or defend claims, or to protect the rights of another natural or legal person, or because of important public interest considerations. BIM ALLY informs the person before revoking the processing limit. In the event of limitation of data processing BIM ALLY informs the person about the recipients of data, at the request of that person.
- At the request of the person, the BIM ALLY publishes in a structured, commonly used machine-readable format or transfers to another entity, if possible, data about the person provided by the BIM ALLY, processed on the basis of that person’s consent or to conclude or perform a contract with contained in it, in BIM ALLY information systems.
- If a person objects to a special situation motivated by it, the opposition to the processing of his data referred to in art. 21 of the GDP and data are processed by BIM ALLY on the basis of BIM ALLY’s legitimate interest or the BIM ALLY task entrusted to the public interest, BIM ALLY undertakes to take into account objections, unless BIM ALLY has important legitimate grounds for processing that override interests, rights and the freedom of the opponent or grounds for establishing, investigating or defending claims.
- If the person objects to the processing of his data by the BIM ALLY for direct marketing purposes, BIM ALLY will take into account the opposition and stop such processing.
8. Data minimization
- BIM ALLY implements procedures to implement the principle of minimizing processed Personal Data in terms of:
- the adequacy of Personal Data for purposes of Processing, including the limitation of the amount of Personal Data processed and the scope of processing to the purpose of Processing;
- restricting access to Personal Data only to Authorized Persons for whom the use of Personal Data in a specific scope is necessary for the proper performance of duties;
- limitation of storage time of Personal Data to the period for which storage of Personal Data is necessary due to the fulfilment of the purpose of the Processing or obligations imposed on BIM ALLY.
- BIM ALLY performs a periodic review of the amount of data processed and the scope of their processing at least once a year.
-
BIM ALLY applies restrictions on access to Personal Data by implementing:
- Employees’ commitment to confidentiality, including Personal Data;
- verification of the circle of internal recipients of Personal Data by granting individual Employees specific authorizations regarding the Processing of Personal Data;
- implementing logical technical measures to protect Personal Data by limiting access to systems, software and network resources used in the Processing of Personal Data;
- implementing physical technical measures to protect Personal Data referred to in paragraph 5.1 (iv) Policies.
- BIM ALLY updates the access permissions for changes in the composition of personnel and changes in the roles of persons, as well as changes of processors. BIM ALLY performs periodic review of established system users and updates them at least once a year.
- Detailed rules for controlling physical and logical access are contained in the BIM ALLY physical security and information security procedures.
- BIM ALLY processes personal data taking into account the criteria indicated in the Register. BIM ALLY implements the personal data life cycle control mechanisms at BIM ALLY, including verification of the further suitability of the data against the dates and checkpoints indicated in the Register.
- Data whose scope of use is limited as time goes by are removed from BIM ALLY systems as well as from handheld and main files. Such data can be archived and located on backups of systems and information processed by BIM ALLY. Procedures for archiving and using archives, creating and using backup copies take into account the requirements of controlling the life cycle of data, including the requirements for data deletion.
9. Security of personal data
- Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of individuals with different probability of occurrence and risk of death BIM ALLY implements technical and organizational measures ensuring adequate protection of personal data, corresponding to the risk of violation of rights and freedoms individuals due to the processing of personal data by BIM ALLY.
- BIM ALLY carries out and documents the adequacy analysis of personal data security measures. For this purpose:
- BIM ALLY categorizes the data and processing activities for the risks they represent;
- BIM ALLY conducts analyzes of the risk of violation of the rights or freedoms of individuals for data processing activities or categories of data. BIM ALLY analyzes possible situations and scenarios of personal data breach taking into account the nature, scope, context and purposes of processing, the risk of violation of the rights or freedoms of individuals with varying likelihood of occurrence and the severity of the threat;
- BIM ALLY implements measures to ensure business continuity and prevent the effects of disasters, i.e. the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident.
10. Breach of personal data protection
- The breach or attempted violation of the terms of processing and protection of Personal Data shall be considered in particular, but not exclusively:
- Infringement of the security of information systems in which Personal Data is processed;
- disclosing Personal Data to unauthorized persons;
- processing of Personal Data not in accordance with the assumed scope and purpose of their Processing;
- unauthorized or accidental damage, loss, destruction or change of Personal Data.
- In the event of a breach of personal data protection, BIM ALLY assesses whether the breach could have the potential to infringe the rights or freedoms of individuals and estimates the scale of risk.
- In the event of a breach of Personal Data protection, BIM ALLY shall, without undue delay – if possible, no later than 72 hours after the violation is discovered – report it to the appropriate supervisory authority, unless it is unlikely that the violation would result in the risk of violating the rights or freedoms of natural persons.
- If the risk of violating the rights and freedoms of the person whose personal data is high, BIM ALLY also notifies the incident of the person to whom the data relates, unless:
- BIM ALLY will implement appropriate technical and organizational security measures and these measures have been applied to the personal data affected by the breach, preventing unauthorized persons from accessing such personal data;
- BIM ALLY will then apply measures to eliminate the likelihood of a high risk of violation of the rights or freedoms of the data subject; or
- it would require a disproportionately large effort. In this case, a public message is issued or a similar measure is put in place by which the data subjects are informed in an equally effective manner.
- Notwithstanding the obligations set out in paragraph 10.2-10.4 above, BIM ALLY documents any breaches of the protection of personal data, including the circumstances of personal data breach, its consequences and the remedial actions taken.
11. Entrusting processing
- BIM ALLY may entrust the Processing of Personal Data to a Processing Entity only by way of an agreement concluded in writing, in accordance with the requirements specified in art. 28 para. 3 GDPR.
- BIM ALLY uses only the services of such Processors that provide sufficient assurances that appropriate technical and organizational measures are implemented to ensure that the processing complies with the requirements of this regulation and protects the rights of the data subjects. In order to verify the fulfillment of the obligation referred to in the preceding sentence, BIM ALLY prior to entrusting the processing to a potential Processing Entity, if possible, obtains information about the principles of Personal Data Protection applied by a potential Processing Entity, and about the practices of that entity regarding the protection of Personal Data.
12. Transmission of data to a third country
- BIM ALLY does not transfer Personal Data to a third country located outside the territory of the European Union or the European Economic Area, except where it occurs at the request of the person to whom the Personal Data relates.
- To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services, BIM ALLY periodically verifies user behavior and, where possible, provides equivalent solutions to data protection law.
13. Cookies and web analytics
- BIM ALLY uses cookies on its website (https://www.bimally.com/). Cookies are small text files that are automatically saved on the User’s end device. Some cookies used by us are deleted after the end of the web browser session, i.e. after its closing (so-called session cookies). Other cookies are stored on the end device and enable BIM ALLY to recognize the User’s browser the next time they access the site (permanent cookies). The storage time is given in the User’s Internet browser settings. The browser can be configured in this way to receive information about the use of cookies and be able to decide on their acceptance or rejection in specific cases or completely. Browsers manage cookie settings in various ways. The auxiliary browser menu contains explanations of changing cookie settings. They are available at the following links: Internet Explorer ™: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies Safari ™: http://safari.helpmax.net/en/protection-and-sprivacy/usuwanie-plikow-cookie/ Chrome ™: https://support.google.com/chrome/answer/95647?hl=en&hlrm=en Firefox ™: https://support.mozilla.org/pl/kb/usuwanie-ciasteczek Opera ™: http://help.opera.com/Windows/12.10/en/cookies.html
-
The processing of personal data in this way is dictated by the need to:
- the provision of services;
- adapting the content of websites and applications to the User’s preferences and optimizing the use of websites; e.g. cookies allow you to in particular, recognize the User’s device and properly display the website adapted to his individual needs;
- advertising presentation, including in a way that takes into account the interests of the User or his place of residence (individualising the advertising message) and with the guarantee of excluding the possibility of repeatedly presenting the same advertisement to the User;
- the implementation of surveys – in particular to avoid multiple presentations of the same questionnaire to the same Recipient and to present surveys in a manner that takes into account the interests of recipients;
- The user voluntarily agrees to the use of cookies. If you do not agree to the use of cookies, the functionality of the BIM ALLY website may be limited.
14. Final provisions
- The policy comes into force on the day of announcement.
- In matters not covered in the Policy, the provisions of the GDPR and generally binding provisions of Polish and European law apply accordingly.
- Any changes or supplements to the Policy require a written form to be effective, otherwise they are null and void. Changes or supplements to the Policy shall enter into force not earlier than within 7 days from the date of their publication.