SPCC Privacy policy

SPCC is committed to protecting your personal data. The following information is addressed to
individuals whose personal data SPCC processes in connection with its business, i.e. in
accordance with point 2: those who contact SPCC (e.g. by email), our members, their
representatives and members’ contact persons, participants in events organised by SPCC, our
counterparties/service providers and job applicants. If you are in one of these groups, please
check below how we process your data.


1. Personal Data Controller

a) The Controller of your personal data is the Scandinavian-Polish Chamber of Commerce
(SPCC), ul. Marszałkowska 142, p. 6, 01-061 Warsaw (the ‘Controller’ or ‘SPCC’).
b) Contact with the Controller on any matters related to the protection of personal data is
possible by e-mail: spcc@spcc.pl, by phone: +48 22 849 74 14 or by
sending correspondence to the above address.



2. Processing of personal data

a) Persons contacting SPCC – the purpose of personal data processing is to communicate with
persons contacting the Controller. The legal basis for the processing of personal data is the
legitimate interest of the Controller to enable:


(i) communication with the contacting person,
(ii) establishing relations with the contacting person,
(iii) providing the contacting person with necessary information.


Personal data processed includes: name, surname, e-mail address, telephone number,
correspondence address and other information provided by the person contacting the
Controller. The provision of personal data is voluntary; however, if all personal data relevant
under the circumstances is not provided, the communication process may be impeded or
impossible.
Data storage period: as long as necessary to pursue the legitimate legal interest of the
Controller or of a third party.


b) Our members, member representatives and member contact persons – the purpose of
the processing of personal data is to enable joining SPCC and exercising SPCC member rights,
enable contact with members, carry out promotional and marketing activities, and build
relationships with SPCC and between members. The processing of personal data takes place on
the basis of legitimate interest (where the member is a legal entity and is represented by a
natural person) or the necessity to conclude or prepare to conclude an agreement (membership
declaration) if the member is a natural person, or on the basis of consent, where the use of the
data in a certain way (e.g. transfer of data to other members) is voluntary. Provision of personal
data is voluntary; however, if personal data is not provided, it will not be possible to exercise the
rights of the organisation as a member of the SPCC. The scope of necessary data and optional
data is indicated in the membership declaration accordingly.
Data storage period: up to 1 year after resignation from membership.


c) Participants in our events – the purpose of the processing of personal data is to enable
participants to take part in events organised by SPCC (e.g. conferences, online meetings,
competitions). The processing of personal data in this case is based on the legitimate interest of
the Controller, in connection with the fact that the participant has applied for participation;
sometimes, when the event has its own rules and regulations (e.g. a competition), the
processing is also necessary for the performance of the agreement with the participant. In some
cases we may take photos or videos at our events; participants may then voluntarily pose for
photos, and this may involve, for example, publishing the photos or sending them to other
participants, for the sole purpose of documenting the event, for internal SPCC purposes.
Sometimes the processing of participants’ data for marketing purposes may take place on the
basis of consent (e.g. participants share business cards, give consent to sending emails,
forward their email address). Data of speakers who agree to take on such a role is processed on
the basis of legitimate interest or consent; SPCC may also process their image to promote the
event.
The provision of personal data is voluntary; however, if you do not provide the minimum amount
of personal data to take part in the event (usually name, surname, e-mail address), it will not be
possible to take part in the event.
Data storage period: up to 1 year after the end of the event, unless the participant consented to
the processing of his/her data for longer. If consent is given, the data shall be stored until it is
withdrawn.


d) Counterparties and representatives of counterparties (including subcontractors) – the
purpose of the processing of personal data is to conclude and/or perform the agreement and
maintain relations with counterparties, i.e. service providers, SPCC suppliers and SPCC
business partners. The processing of personal data of counterparties and persons designated
by them (including their employees and co-workers) takes place in order to conclude or perform
the agreement or on the basis of the Controller’s legitimate interest, i.e. enabling
communication and maintaining relations with the counterparty, as well as the performance of
the agreement connecting the represented parties. Personal data processed includes: name,
surname, e-mail address, telephone number, place of work, position, business address, NIP
(Tax ID), REGON (Business ID), PESEL (Personal ID) number, bank account details and other
data necessary to conclude and/or perform the agreement and maintain relations with
counterparties. The provision of personal data is necessary to maintain relations or to
conclude/execute the agreement when the relationship exists (or when the agreement is
concluded) with a natural person. In the case of individuals who represent a legal entity, the
provision of their data is not necessary; however, it enables them to contact the Controller.
Data storage period: the period of validity of the agreement concluded with the counterparty
and the period necessary to enable the parties to pursue their claims under such an agreement,
but no shorter than the period prescribed by law or as long as it is necessary to pursue the
legitimate legal interest of the Controller or a third party.


e) Job candidates – the purpose of the processing of personal data is to carry out the
recruitment process for potential employees/co-workers. The processing of personal data of job
candidates takes place on the basis of necessity to conclude or prepare for the conclusion of a
contract of employment or another civil law contract, or in connection with the Controller’s legal
obligation under the law, or on the basis of the candidate’s consent (e.g. for future recruitment).
The provision of personal data is voluntary; however, if personal data is not provided, it will not
be possible to participate in the recruitment process. The data necessary to carry out the
recruitment process includes: name, surname, residence address, information on education
and previous experience. Other data provided by the job candidate, such as contact
details in the form of telephone number, e-mail address or image in the form of a photograph
attached to the CV, may also be processed.
Data retention period: up to 1 year after the end of the recruitment process. If you agree to the
processing of data during further recruitment: up to 2 years.



3. Provision of personal data

Data may be made available to entities and bodies authorised to process such data on the basis
of the provisions of law. Your personal data may also be shared with providers of technical and
organisational services (e.g. IT service providers) and providers of consultancy services,
whereby these entities process the data on the basis of an agreement with the Controller and in
accordance with the Controller’s instructions.



4. Data transfer outside the European Economic Area (EEA)

The Controller may transfer personal data outside the EEA in certain cases, only if it is
necessary and it is not otherwise possible to achieve the purpose (e.g. use of certain
subcontractors), but SPCC shall do so in a secure manner, only on the basis of an
agreement and with appropriate safeguards for such transfer (e.g. using the so-called Standard
Information Clauses approved by the European Commission).



5. Rights of data subjects

In relation to the processing of personal data, data subjects are entitled (respectively) to:
a. request from the Controller access to the processed personal data,
b. request the Controller to correct the processed personal data,
c. request the Controller to delete the processed personal data,
d. request the Controller to restrict the processing of personal data,
e. object to the processing of personal data,
f. transfer the personal data,
g. withdraw consent to the processing of personal data, whereby the withdrawal of consent
shall not affect the lawfulness of processing carried out on the basis of consent before its
withdrawal,
h. lodge a complaint with the supervisory authority (President of the Office for the Protection of
Personal Data).
You can make a request to exercise the above-mentioned rights by contacting the
Controller.



6. Source of obtaining personal data

If we have received personal data from entities other than the data subject, this means that we
have received it from other entities with which the Controller is affiliated, its counterparties
(and/or their representatives).

Contact details

Scandinavian – Polish Chamber of Commerce

Marszałkowska 142, 6th floor
00-061 Warszawa

+48 22 849 74 14
spcc@spcc.pl
