Privacy Policy
I. General Information
- This Privacy Policy is a set of rules intended to inform you about all aspects of the process of collecting, processing, and safeguarding your personal data. The Policy is addressed to all Users of the Administrator’s Website as well as those subscribed to the Newsletter service. This Policy sets out the rules regarding the processing of personal data by the Data Controller, which is:
Institute of Physical Chemistry, Polish Academy of Sciences, Kasprzaka 44/52, 01-224 Warsaw, Poland,
NIP (Tax ID): 5250008755,
REGON (Business ID): 000326049,
e-mail: gdpr-icter@ichf.edu.pl
(hereinafter referred to as the “Administrator”)
- Contact with the Data Protection Officer, Ms. Daria Bartnicka, is possible via traditional post addressed to the registered office of the Administrator or via e-mail to: iod@ichf.edu.pl
- This Policy may be amended and updated in the event of changes to practices regarding the processing of personal data (including, inter alia, current case law and guidelines of the Polish Data Protection Authority – PUODO) or changes to applicable laws. The Administrator will duly inform Users of any changes to the Policy by posting relevant information on the Website, and, in the case of Newsletter subscribers, by sending such information directly to the e-mail address provided by the User.
- Using the Administrator’s Website requires the User to read the contents of this Privacy Policy and, in the case of subscribing to the Newsletter, to accept it.
- Providing personal data to the Administrator is voluntary; however, in the case of data processed in necessary cookies or when communicating with the Administrator via a contact form, providing the data will be a necessary condition for achieving the indicated purposes and for the correct functioning of the Website.
II. Definitions
- Administrator – the entity which determines how and for what purposes Personal Data are processed. The Administrator is responsible for ensuring compliance of processing with applicable data protection laws.
- Personal Data – any information relating to an identified or identifiable natural person.
- Processing – any operation performed on Personal Data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination, or otherwise making available, aligning or combining, restricting, erasing, or destroying.
- Processor – any person or entity that processes Personal Data on behalf of the Administrator (other than an employee of the Administrator).
- Website – https://triovi.icter.pl/
- Administrator’s social media pages (“Fanpages”):
- Facebook: https://www.facebook.com/icterresearch/
- LinkedIn: https://www.linkedin.com/company/international-centre-for-translational-eye-research/
- X (Twitter): https://x.com/icter_pl
- YouTube: https://www.youtube.com/@ICTER
- Electronic Services – services provided via the Website. The provision of Electronic Services to Users is carried out under the terms set forth in this Policy.
III. Processing of Users’ Personal Data
- The Administrator may obtain Users’ Personal Data, in particular, in the following cases:
- Provision of Personal Data by Users (e.g., via e-mail, telephone, or any other means) based on Art. 6(1)(f) GDPR (legitimate interest of the Administrator – responding to messages or inquiries) in connection with the need to handle the reported matter or inquiry.
- Pursuing claims and taking action in defence of the Administrator’s rights, conducting legal proceedings, enabling the use of the Website through cookies, preventing fraud when using the Website, including the operation, maintenance, improvement, and availability of all its functions, as well as creating internal reports, analyses, and statistics on the basis of Art. 6(1)(f) GDPR (legitimate interest of the Administrator).
- Obtaining Users’ Personal Data published on social media (Administrator’s Fanpages) – e.g., information from a User’s private profile to the extent publicly visible – for purposes of promoting the Administrator’s activities and services, managing the social media profile, strengthening client relationships, conducting analyses and statistics, and defending against claims (Art. 6(1)(f) GDPR).
- Consent-based processing – when the User consents to the processing of their personal data for the purpose of sending the Newsletter (Art. 6(1)(a) GDPR) and for sending commercial information in accordance with the Electronic Communications Law.
- Data obtained automatically – during visits to the Website or use of its functions (including cookies from third parties such as Google Analytics). The Administrator will obtain the User’s consent for all cookies except strictly necessary ones.
- Providing personal data is voluntary, but in some cases, without it, full use of the Website or Newsletter services may not be possible. The categories of Users’ Personal Data processed by the Administrator may include, in particular:
- Personal details: first name(s), surname(s).
- Contact details: company details, e-mail address, phone number.
- Message content: any communications, queries, opinions, or statements sent via the contact form or posted on the Website or Fanpages.
- IP address, cookies, and information on how the Website or Newsletter is used – when using the Website or Newsletter.
- Image: when publishing opinions, leaving comments, or interacting (e.g., “likes”) on the Administrator’s social media pages, where the User’s private profile includes their image.
- The Administrator uses Fanpages on social media platforms. Public data shared by Users on these platforms may be used for:
- Responding to private messages addressed to the Administrator,
- Participating in discussions in comments under posts,
- Sharing posts with Followers,
- Marketing purposes – informing about services and activities via posts (including sponsored posts displayed to a wider audience),
- Statistical purposes – presenting data on post reach, views, and engagement, as provided by the social media platform operators.
- Currently, the Administrator’s Website includes links to the following social media profiles:
- Facebook,
- LinkedIn,
- X,
- YouTube.
- When a User likes a post, leaves a comment, sends a private message, or subscribes to the Administrator’s channel, the Administrator jointly determines the purposes and means of processing with:
- Meta Platforms Ireland Limited,
- LinkedIn Ireland Unlimited Company,
- X International Unlimited Company,
- Google Ireland Limited.
- Users are encouraged to read the respective privacy policies:
- Facebook: https://www.facebook.com/privacy/policy/
- LinkedIn: https://pl.linkedin.com/legal/privacy-policy
- X (Twitter): https://twitter.com/pl/privacy
- YouTube: https://policies.google.com/privacy?hl=en
IV. Disclosure of Personal Data to Third Parties
- The Controller may disclose Users’ Personal Data to:
- persons authorised by the Controller to process data,
- entities entrusted with the processing of data, e.g., providers of technical services and entities providing advisory services,
- other controllers, where required by law or in good faith where such action is necessary to comply with applicable legal provisions, in particular in response to a request from a court or state authorities.
- If we engage a third party to process Users’ Personal Data, under a data processing agreement concluded with such entity, the Processor shall be obliged to:
- process only the Personal Data indicated in the prior written instructions of the Controller; and
- apply all measures to protect the confidentiality and security of the Personal Data and to ensure compliance with all other requirements of generally applicable law.
- Due to the use of Facebook, Instagram, and LinkedIn services, data may be transferred by these entities to third countries – the United States of America (USA) or China – in connection with their internal sharing of such data with: Meta Platforms Inc., Google LLC (USA), or Beijing ByteDance Technology Co. Ltd. (China), over which the Controller has no control.
V. Third-Party Services
- The Website may contain features or links redirecting to websites and services provided by third parties that are not operated by us. Any information you provide on such websites or services will be subject to their own privacy policies and data processing procedures.
- The Controller shall not be liable for the data processing practices of independent controllers of websites and service providers.
- We encourage you to review the privacy and security policies of third parties before providing them with any information.
VI. Data Protection
- The Controller informs that it has implemented appropriate technical and organisational measures to protect Personal Data, in particular safeguards against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful and unauthorised forms of Processing, in accordance with applicable law.
- The Controller shall not be liable for the actions or omissions of Users. Users are responsible for ensuring that all Personal Data are transmitted to the Controller in a secure manner.
- Personal Data will not be subject to automated profiling, i.e., automated decision-making concerning the User, meaning decisions taken by technical means without human involvement, producing legal effects concerning the profiled person or otherwise significantly affecting them.
VII. Data Accuracy
- The Controller shall take all reasonable measures to ensure that:
- the Users’ Personal Data processed by the Controller are accurate and, where necessary, kept up to date; and
- any Users’ Personal Data processed by the Controller that are inaccurate (having regard to the purposes for which they are processed) are erased or rectified without undue delay.
- The Controller may, at any time, request Users to confirm the accuracy of the Personal Data being processed.
VIII. Data Minimisation
- The Controller shall take all reasonable measures to ensure that the scope of Users’ Personal Data processed is limited to the Personal Data reasonably required for the purposes indicated in this Policy.
IX. International Data Transfers
- Personal Data may be disclosed and processed outside the European Economic Area (the European Economic Area consists of the European Union, Iceland, Liechtenstein, and Norway, collectively the “EEA”). If Personal Data is transferred outside the EEA, the Controller shall require appropriate safeguards to be in place. The Controller shall fulfil its obligations under Chapter V of the GDPR to ensure the lawfulness of such processing, including, inter alia, relying on European Commission adequacy decisions, such as the EU–US Data Privacy Framework.
X. Retention Period of Personal Data
- The criteria determining the duration for which the Controller retains Users’ Personal Data are as follows: the Controller shall retain copies of Users’ Personal Data in a form permitting identification only for as long as is necessary to achieve the purposes set out in this Policy, unless a longer retention period is required by applicable law. The Controller may, in particular, retain Users’ Personal Data for the entire period necessary to establish, exercise, or defend legal claims (statute of limitations pursuant to Article 118 of the Polish Civil Code).
- Personal Data shall be retained for the following periods:
- Contact data – for a period of 30 days from the time of contact (telephone or email via the Website); such data may be processed for a longer period if, as a result of the submitted inquiry, the User decides to use the Controller’s services (e.g., subscription to the Newsletter).
- In the event of a contract – for the duration of the performance of the contract and the period necessary to handle submitted complaints, until the resolution of any disputes, and the settlement of accounts between the parties, taking into account the relevant limitation periods for claims.
- For internal administrative purposes and other purposes where the legal basis for processing is the Controller’s legitimate interest – for as long as necessary to fulfil the Controller’s legitimate interests, or until an objection to such processing is lodged, following an appropriate balancing of the User’s interests against the Controller’s grounds for processing.
- Data processed on our Fanpage – until an objection to further processing is made by, for example, clicking “unlike,” withdrawing a “like” from a post, removing a comment on a post, or cancelling a subscription.
- Newsletter services – for the duration of the provision of the service, or until the withdrawal of consent to receive commercial information by electronic means.
XI. Google Analytics
- The Controller uses the Google Analytics tool provided by Google LLC, with infrastructure located at Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Controller notes that Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA) has joined the EU–US Data Privacy Framework, thereby ensuring an adequate level of protection for the processing of personal data in accordance with the GDPR.
- Google Analytics enables:
- Tracking website traffic – information about the number of users, number of visits, sources of entries (e.g., advertisements, search engines, social media).
- Monitoring user behaviour – analysis of which pages are most frequently visited, time spent on the website, bounce rate.
- User segmentation – demographic, geographic, and technological data (e.g., device type, browser).
- Tracking goals and conversions – analysis of how users perform specific actions such as making purchases, subscribing to newsletters, or downloading materials.
- Google Analytics processes data that may include:
- IP addresses – used to identify the geographic location of users, which, in combination with other data, may constitute personal data.
- Cookies – storing unique user and session identifiers, enabling the tracking of user activity, only after the User has given the appropriate consent.
- Technical data – e.g., browser type, operating system, screen resolution, Internet service provider.
- The Controller uses the IP anonymisation function, which prevents the identification of Users (the last octet of the IP address is masked before storage or processing).
- The Controller processes data using the above tool for the purpose of providing analyses and reports on website traffic and the effectiveness of marketing activities, on the basis of the Controller’s legitimate interest and the User’s consent (acceptance of Google Analytics cookies). The Controller has entered into a Data Processing Agreement with Google, regulating data security matters as required by law.
- The Controller uses Consent Mode, which enables the measurement of traffic and conversions on the Website even if the User does not consent to the storage of cookies, while remaining fully compliant with the GDPR and the ePrivacy Directive, respecting Users’ decisions regarding cookie consent. In this mode, the tracking code collects only basic, anonymised, and aggregated data regarding visit time and referring page, and allows measuring conversions from advertising campaigns. If the User gives consent for specific types of processing (Google Analytics cookies), the relevant tags will operate in full scope. If consent is not given, the tools will still function but in a limited mode, collecting only anonymous data without any possibility of identifying the User.
- The retention period for collected data, where Google Analytics cookies are accepted, is 14 months.
- Users are encouraged to review Google’s Privacy Policy at: https://policies.google.com/privacy.
- Users may configure their browser to block cookies associated with Google Analytics. Google Analytics uses cookies such as _ga, _gid, and _gat.
- Users may also opt to block Google Analytics via a dedicated browser add-on available at: https://tools.google.com/dlpage/gaoptout. Once installed, the add-on prevents data from being sent to Google Analytics from all visited websites.
XII. Cookies
- When the User visits the Website, data concerning the User is automatically collected. This data may include:
- IP address,
- domain name,
- browser type,
- operating system type.
- Such data may be collected via:
- cookies,
- the Google Analytics system,
- and may also be stored in server logs.
- A cookie is a small text file stored by the browser on the User’s device (e.g., hard drive of a computer, memory card of a smartphone). Upon subsequent visits, the information stored in the cookie is sent back to the Website, enabling it to recognise the User and tailor content to their needs.
- In order to improve our Website, deliver the most relevant content, and analyse how Users interact with it, we may use cookies.
- We may process data contained in cookies for the following purposes:
- Personalising the Website: remembering User information to avoid re-entering it on subsequent visits;
- Providing tailored advertising, content, and information;
- Monitoring aggregated usage metrics, such as total number of visitors and pages viewed.
- We use the following types of cookies:
- session cookies – temporary files stored on the User’s device until they leave the Website;
- persistent cookies – stored on the User’s device for the period specified in the cookie parameters or until manually deleted;
- Cookies may be categorised as:
- necessary cookies – ensure proper functioning of the Website, security, and maintained sessions; these are installed by default and without them the Website cannot function correctly,
- statistical cookies – enable the collection of information on how the Website is used (consent checkbox);
- functional cookies – allow remembering choices made by Users, e.g., language selection, font size (consent checkbox).
- We use analytics and similar services that include third-party cookies. When using the Website, third-party cookies may be placed to enable certain functionalities, integrate with third-party sites, or analyse advertising campaign effectiveness and collect anonymous statistical information about Website use.
- This Privacy Policy does not govern the rules regarding the use of third-party cookies. Each third party determines its own rules for the use of cookies in its privacy policy. We encourage you to review the details regarding data processing within Google Analytics, as indicated in the explanations prepared by Google: https://support.google.com/analytics/answer/6004245, and Facebook Pixel: https://www.facebook.com/privacy/policy
- The User may at any time manage consents for selected cookies using the dedicated tool available on the Website, selecting the cookies to be collected during the User’s use of the Website of the Data Controller (except for the necessary cookies required for the functioning of the Website). At the same time, we inform you that lack of consent, deletion, blocking, or limitation of the placement of cookies may cause difficulties or even prevent the use of certain functionalities of the Website.
XIII. Server Logs
- The use of the Website involves sending requests to the server on which the Website is hosted.
- Each request sent to the server is recorded in the server logs. The logs include, among other things, the User’s IP address, server date and time, information about the internet browser, and the operating system used by the User.
- The logs are stored on the server.
- The data stored in the server logs are not associated with specific individuals using the Website and are not used by the Controller to identify the User of the Website.
- Server logs constitute auxiliary material used for the administration of the Website, and their content is not disclosed to anyone other than persons authorised to administer the server.
XIV. Newsletter
- The Controller provides the Newsletter service electronically. The Newsletter service consists of sending to the User’s provided e-mail address information about the activities of the Controller, including organised events. The Controller specifies that the Newsletter will not be sent at regular intervals (e.g., monthly); the sending of the Newsletter will depend on the promotional activities undertaken by the Controller and will be irregular in nature.
- The service is provided in accordance with the applicable laws, in particular the Act of 18 July 2002 on the Provision of Electronic Services and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
- To use the free Newsletter service, the User must have an active e-mail address and accept the terms of the Privacy Policy, i.e., give voluntary consent to receive information electronically. Subscription to the Newsletter is carried out by completing the contact form available on the Controller’s Website (providing personal data in the form of an e-mail address). Submission by the User in this manner constitutes a declaration of intent by the User to conclude the Newsletter service.
- The Controller shall not be liable for the provision of false data by the User or for the non-delivery of the Newsletter for reasons beyond the Controller’s control (e.g., technical issues on the part of the internet service provider).
- The Controller undertakes to provide the service in accordance with the Policy and applicable legal regulations, and to protect the Users’ personal data in accordance with the GDPR and the Act on the Protection of Personal Data. The User undertakes to use the service in compliance with the law and this Policy and not to provide unlawful content.
- The Newsletter service is provided for an indefinite period. The User may unsubscribe from the Newsletter at any time by withdrawing consent to the provision of this service. A statement of withdrawal of consent may be sent at any time to the e-mail address or registered office address of the Controller indicated in Section I. Upon unsubscribing, the User’s e-mail address will be promptly deleted from the subscriber database.
XV. Provision of Electronic Services
- It is prohibited for Users to provide unlawful content.
- The User is obliged to use the Controller’s Website and the Services offered in compliance with the law and good practices, providing data consistent with the facts and otherwise not acting in violation of the provisions of this Policy. The Controller shall not be liable for the provision of false data by the User or for the non-provision of the service for reasons beyond the Controller’s control (e.g., technical issues on the part of the internet service provider).
- The User is obliged to maintain confidentiality and not disclose to third parties any information obtained in connection with the provision of Services by the Controller, including commercial, organisational, technological, and financial information.
- The technical requirements necessary to use the Services provided electronically are: access to the Internet; a device enabling such access, such as a computer, laptop, or other portable device with an internet browser; access to e-mail and a configured e-mail account; any properly configured version of an internet browser supporting, among others, cookies (Internet Explorer, Opera, Mozilla Firefox, Safari, Google Chrome).
- The use of Services on the Internet, despite the security measures applied by the Controller to prevent or significantly hinder unauthorised access to the system (hacker attacks), may involve the risk of unwanted infection of the IT system with malicious software. Accordingly, the Controller additionally recommends the use of up-to-date antivirus software and the application of an appropriate system firewall by the User.
- The User has the right to lodge a complaint regarding the provision of electronic services. Complaints should be submitted in writing to the registered office address of the Controller or by e-mail (as indicated in Section I). The complaint should contain the User’s name and e-mail address (for e-mail submissions), a description of the problem forming the basis of the complaint, and the User’s demand related to the complaint. The Controller will process the complaint within 14 days from the date of its receipt. The User will be informed of the outcome of the complaint via the same communication channel used to submit it.
XVI. User Rights in Relation to the Processing of Personal Data
- In connection with the processing of personal data, you have the following rights:
- Right of access to processed personal data – on this basis, the Controller, at the request of the data subject, provides information on the processing of their personal data, including, in particular, the purposes and legal grounds of processing, the scope of the data held, the entities to which the personal data are disclosed, and the planned date of their deletion. As part of the right of access, the data subject may also request information on whether their personal data are subject to profiling or automated decision-making, as well as obtain a copy of their data.
- Right to rectification – on this basis, the Controller, at the request of the data subject, corrects any inconsistencies or errors in the processed personal data and supplements or updates them if they are incomplete or have changed.
- Right to erasure (“right to be forgotten”) – on this basis, the Controller, at the request of the data subject, deletes the data that are no longer necessary for the purposes for which they were collected, where consent to their processing has been withdrawn, or where an objection has been raised, unless such processing is necessary for the establishment, exercise, or defence of legal claims by the Controller.
- Right to restriction of processing and to data portability – on this basis, the Controller, at the request of the data subject, ceases to carry out operations on such personal data to the extent permitted by law and also provides such data in a format readable by a computer.
- Right to lodge a complaint – by exercising this right, a person who considers that their personal data are being processed unlawfully may lodge a complaint with the President of the Personal Data Protection Office.
- Right to object – the data subject may, at any time, object to the processing of personal data for the purposes for which they were collected and are processed. In the case of direct marketing, where personal data are processed for such purposes, the data subject has the right to object at any time to the processing of their personal data in this respect.
- Right to withdraw consent – if we process personal data based on consent, such consent may be withdrawn at any time by the data subject. Withdrawal of consent does not render unlawful any processing carried out before the withdrawal. However, it will result in the personal data no longer being used for those purposes from the moment consent is withdrawn.
- A request regarding the exercise of the rights described above may be submitted by traditional mail to the registered office address of the Controller or by e-mail to the address indicated in Section I.
- The request should, where possible, specify precisely what it concerns, in particular, the addressee of the request and which of the rights described above the applicant wishes to exercise. If the Controller is unable to determine the content of the request or identify the applicant based on the submission, it will request additional information from the applicant.