Privacy Policy

1. Introductory information

2. Glossary of terms

3. Contact with the Administrator and the Data Protection Inspector

4. Joint control - information on the essential content of joint arrangements

5. Information on the purposes, legal basis, scope, sources, recipients and periods of personal data processing:

5.1.  Business partners and representatives of business partners

5.2. Persons contacting the Company using electronic or traditional communication channels

5.3. People registering for online events

5.4. People who have consented to marketing activities

5.5. Persons recorded by the video monitoring system

6.  Location of personal data processing

7. Rights of persons

8. Final Provision

1. Introductory information

In connection with its business activities, company yarrl S.A. collects and processes personal data in accordance with applicable regulations, in particular in accordance with the GDPR, as well as in accordance with best practices in the field of data and IT system security. As the Controller, the Company takes special care to protect the interests of the persons whose data it processes and ensures that the data it collects is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and (5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

2. Glossary of terms

Administrator/Personal Data Administrator - an entity that determines the purposes and means of personal data processing.

Personal data - any information relating to an identified or identifiable natural person (PII) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one of the following factors specific meant to express physical, physiological, genetic, mental, economic, cultural or social identity, including device IP address, location data, an online identifier, and information collected via cookies and other similar technologies.

EEA - European Economic Area, a free trade zone and common market comprising the European Union and the European Free Trade Association (EFTA) countries, except for Switzerland. It is an area where personal data can be freely transferred.

Data Recipient - means a natural or legal person, an organizational unit without legal personality (a so-called imperfect legal person), a public authority, an entity or other body to whom personal data is disclosed, regardless of whether it is a “third party.”

Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. location or movements of the data subject, where such processing produces legal effects concerning the data subject or significantly affects him or her in similar ways.

Processing - means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, downloading, viewing, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(click to expand)

3. Contact with the Administrator and the Data Protection Inspector

The administrator of your personal data within the meaning of the GDPR is yarrl S.A. with its registered office in Krakow (31-866) at ul. Skarżyńskiego 14, Kraków), entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków Śródmieście, 11th Commercial Division of the National Court Register, under KRS number 0000218370, REGON: 351570688, NIP: 6772087174. In all matters relating to personal data, you can contact the Administrator at the mailing address of the registered office or by phone at +48 12 29 80 511. The Administrator has appointed Barbara Chaberka as Data Protection Officer. The Officer can be contacted at the email address iod@yarrl.pl in any matter relating to the processing of your personal data.

4. Joint control - information on the essential content of joint arrangements 

Companies comprising the yarrl Group:

  1. yarrl S.A. ul. Skarżyńskiego 14, 31-866 Kraków NIP: 6772087174, www.yarl.pl
  2. Lockus Sp. z o.o., ul. Skarżyńskiego 14, 31-866 Kraków, NIP: 6792591757, www.lockus.pl
  3. Lockus K2 Sp. z o.o., ul. Skarżyńskiego 14, 31-866 Kraków, NIP: 9542534990, www.lockus-k2.pl

have entered into an agreement in which they have jointly determined the purposes and methods of processing personal data in the following scope:

  • internal administration of data related to contractors or potential contractors of companies belonging to the yarrl S.A. Capital Group (CRM database)

Thus, they have become Joint Controllers of personal data collected and processed by each of the companies. Under the agreement, the Companies have agreed that:

  1. each of the Joint Controllers is obliged to independently fulfill the information obligation referred to in Article 13 of the GDPR
  2. each of the Joint Controllers is obliged to independently fulfill the information obligation referred to in Article 13 of the GDPR
  3. each of the Joint Controllers is obliged to independently fulfill the information obligation referred to in Article 13 of the GDPR
  4. within the framework of joint administration, the contact point for data subjects is the Data Protection Officer of yarrl S.A., who can be contacted by email at: iod@yarrl.pl
5.1. Business partners and representatives of business partners  

DATA SOURCE
The Company processes personal data obtained directly from you or from our business partners within the scope of contracts or agreements concluded, where you are an employee, client or representative. We may also obtain your data from publicly available sources such as the National Court Register (KRS), the Central Register and Information on Economic Activity (CEiDG), and the REGON database. In each case, the Company verifies whether it has a legal basis for processing such personal data.

SCOPE OF DATA
Depending on your relationship with the Company, we may process, in particular, your identification data (e.g., first and last name, ID number, PESEL), contact details (e.g., email address, telephone number, home address, mailing address), work-related data, e.g., job title and name of the company you are associated with, and other employment-related information, financial information, such as bank account numbers and payment card numbers.

PURPOSE OF PROCESSING

Performance of a contract to which you are a party or taking steps at your request prior to entering into a contract.

LEGAL BASIS

GDPR Article 6(1)(b)

PROCESSING PERIOD

Until the completion of all activities preceding the conclusion of the contract with the Company, and after its conclusion – until the end of the contract.

Performance of a contract to which you are not a party (e.g., you are a representative, including a member of a body, an agent, or a person designated by our business partner for contact purposes) or taking action at the request of another person prior to entering into a contract Achieving objectives arising from legitimate interests, such as:

GDPR Article 6(1)(f)

Until completion of all activities preceding the conclusion of the agreement with the Company, and after its conclusion – until the end of the agreement.

  • Establishing, pursuing or defending claims that may be brought against the Company or that may be raised against the Company;
  • Maintaining business relationships, including conducting conversations, correspondence and/or other forms of business contact with your participation;
  • Carrying out direct marketing activities, including strengthening mutual business relations, promoting products and services – organizing conferences, training courses and other activities;
  • Ensuring IT security in the area of monitoring electronic communication;
  • Internal administrative, analytical, statistical and internal reporting purposes of the Company within yarrl S.A.


For the period of the Company's legitimate interest, which is the basis for such processing, or until you effectively object to such processing. If a dispute or proceedings, in particular court proceedings, are pending during the above period, personal data will be processed until the dispute is resolved or the proceedings are legally concluded.

CONSEQUENCES OF NOT PROVIDING DATA
In the case of persons who are parties to the contract or representatives of a party, the provision of data is voluntary but necessary for the conclusion and performance of the contract. In the case of contact persons or other persons involved in the performance of the contract, the provision of personal data is voluntary but necessary to ensure contact and the proper performance of the contract.

RECIPIENTS OF PERSONAL DATA
Access to personal data within the Company's organizational structure will be limited to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • co-administrators within the yarrl Group, the current list of which is provided in section 4 of this Privacy Policy (link)
  • entities providing services to the Company, such as IT and technical support services, document archiving and destruction services, marketing agencies and video conferencing platform providers, whereby such entities process data as subcontractors on the basis of a contract with the Company and in accordance with its instructions;
  • independent external service providers, suppliers, partners, including postal, courier, financial, consulting, control, and insurance services;
  • law enforcement and state authorities, when required by applicable law.
5.2. Persons contacting the Company using electronic or traditional communication channels

SOURCE OF DATA
The Company processes personal data obtained directly from you when you contact us via the contact form on the website, when you call us, correspond with us by email or traditional mail, or leave it in another form, e.g. on a business card.

SCOPE OF DATA
Depending on the form of contact, the Company may process, in particular, your identification data (e.g., first and last name), contact details (e.g., email address, telephone number, home address, mailing address), company name, job title, information about your computer and other devices, and connection information such as IP address, browser type and version, and other information provided to us through various communication channels.

PURPOSE OF PROCESSING

  • Handling requests and contacts, including communication to answer questions;
  • Establishing, investigating or defending claims that may be brought against the Company or that may be raised against the Company;
  • Ensuring IT security in the area of electronic communications monitoring;
  • Internal administrative, analytical, statistical, and internal reporting purposes of the Company within the yarrl S.A. Group.

LEGAL BASIS

GDPR Article 6(1)(f)  

PROCESSING PERIOD

Until the completion of the handling of the request, contact or response to the question; Then for the duration of the legitimate interest pursued by the Company or until you effectively object to such processing, but no longer than for a period of 12 months from the completion of the handling of the request; If a dispute or proceedings, in particular court proceedings, are pending during the above period, personal data will be processed until the date of the dispute's resolution or the final conclusion of the proceedings.  Until completion of all activities preceding the conclusion of the agreement with the Company, and after its conclusion – until the end of the agreement.

Performance of a contract to which you are not a party (e.g., you are a representative, including a member of a body, an agent, or a person designated by our business partner for contact purposes) or taking action at the request of another person prior to entering into a contract Achieving objectives arising from legitimate interests, such as:

  • Establishing, pursuing or defending claims that may be brought against the Company or that may be raised against the Company;
  • Maintaining business relationships, including conducting conversations, correspondence and/or other forms of business contact with your participation;
  • Carrying out direct marketing activities, including strengthening mutual business relations, promoting products and services – organizing conferences, training courses and other activities;
  • Ensuring IT security in the area of monitoring electronic communication;
  • Internal administrative, analytical, statistical and internal reporting purposes of the Company within yarrl S.A.


CONSEQUENCES OF NOT PROVIDING DATA
responding to your inquiry. Failure to provide personal data may result in the inability to respond to or process your request.


RECIPIENTS OF PERSONAL DATA
Access to personal data within the Company's organizational structure will be limited to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • co-administrators within the yarrl Group, whose current list is provided in section 4 of this Privacy Policy (link)
  • entities providing services to the Company, such as IT and technical support services, document archiving and destruction services, marketing agencies and video conferencing platform providers, whereby such entities process data as subcontractors on the basis of a contract with the Company and in accordance with its instructions;
  • independent external service providers, suppliers, partners, including postal, courier, financial, consulting, control, and insurance services;
  • law enforcement and state authorities, when required by applicable law.
5.3. People registering for online events

SOURCE OF DATA
The Company processes personal data obtained directly from you when you enter it on the form during registration for a free webinar on the website, as well as when you actively participate in the webinar.

SCOPE OF DATA
The Company may process personal data, in particular your identification data (e.g., name and surname, nickname), contact details (e.g., email address, phone number, company name, IP address), as well as audiovisual information, such as voice and image recorded on recordings, but only if you give your consent.

PURPOSE OF PROCESSING

Conclusion and performance of a contract for the provision of webinar services consisting in the fulfillment of your order to participate in an online event, including accepting your registration and sending you an invitation to the event, recording the event, and making it available in the form of a recording.

LEGAL BASIS

GDPR Article 6(1)(b)

PROCESSING PERIOD

For the period necessary to perform the contract Achievement of objectives resulting from legitimate interests such as:

  • Establishing, pursuing or defending against claims
  • Data archiving
  • Verification of the quality of services provided
  • Internal administrative, analytical, statistical and internal reporting purposes of the Company within the yarrl S.A. Group
  • Maintaining and developing business relationships  

GDPR Article 6(1)(f)

For the period of the Company's legitimate interest, which is the basis for such processing, or until you effectively object to such processing. If a dispute or proceedings, in particular court proceedings, are pending during the above period, personal data will be processed until the dispute is resolved or the proceedings are legally concluded.


CONSEQUENCES OF NOT PROVIDING DATA
Podanie danych osobowych takich jak, imię, nazwisko, dane firmy, w której jesteś zatrudniony oraz wyrażenie zgody na otrzymywanie drogą mailowa informacji marketingowych i handlowych jest dobrowolne, ale niezbędne do zawarcia umowy ijej wykonania. Konsekwencją niepodania danych osobowych będzie brak możliwości rejestracji i udziału w wydarzeniu online.Providing personal data such as your first name, last name, company name, and consent to receive marketing and commercial information by email is voluntary but necessary for the conclusion and performance of the contract. Failure to provide personal data will result in the inability to register and participate in the online event.

RECIPIENTS OF PERSONAL DATA
Access to personal data within the Company's organizational structure will be limited to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • co-administrators within the yarrl Group, whose current list is provided in section 4 of this Privacy Policy (link)
  • entities providing services to the Company, such as IT and technical support services, document archiving and destruction services, marketing agencies, and video conferencing platform providers, whereby such entities process data as subcontractors under a contract with the Company and in accordance with its instructions;
  • independent external service providers, suppliers, partners, including postal, courier, financial, consulting, control, and insurance services;
  • law enforcement and state authorities, when required by applicable law.
5.4. People who have consented to marketing activities 

SOURCE OF DATA

The Company processes personal data obtained directly from you when you give us your consent to receive marketing content and commercial information in your preferred manner, i.e. by email and/or telephone.

SCOPE OF DATA
The Company may process personal data typical for conducting a given type of activity, i.e. name and surname, position, email address, telephone number, company name.

PURPOSE OF PROCESSING

Direct marketing of own products and services consisting in sending marketing and commercial information by electronic and telephone means.

LEGAL BASIS

GDPR Article 6(1)(a)

PROCESSING PERIOD

Until consent is withdrawn or the purpose for which it was granted ceases to exist.

CONSEQUENCES OF NOT PROVIDING DATA
Providing data is voluntary, however, failure to do so will result in the inability to receive marketing content and commercial information.

CONSENT
You can withdraw your consent at any time. Data processing until you withdraw your consent remains lawful.

RECIPIENTS OF PERSONAL DATA
Access to personal data within the Company's organizational structure will be limited to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • co-administrators within the yarrl Group, whose current list is provided in section 4 of this Privacy Policy (link)
  • entities providing services to the Company, such as IT and technical support services, marketing agencies, whereby such entities process data as subcontractors on the basis of a contract with the Company and in accordance with its instructions;
5.5. Persons recorded by the video monitoring system  

DATA SOURCE

The Company processes personal data obtained directly from you when you enter it on the form during registration for a free webinar on the website, as well as when you actively participate in the webinar. The Company processes personal data obtained directly from you when you are in the area covered by video surveillance.

SCOPE OF MONITORING
Video surveillance covers the area around the Company's headquarters, passageways, and key rooms. The area covered by surveillance is marked in a permanent and visible manner with information boards bearing a camera symbol. Only images are recorded and stored on the recorder.

PURPOSE OF PROCESSING

Protection of property and ensuring the safety of persons on the Company's premises

LEGAL BASIS

GDPR Article 6(1)(f)

PROCESSING PERIOD

Images recorded by monitoring devices are stored until the disk is full, but no longer than 30 days from the date of recording. After this period, the recordings are destroyed by overwriting them with new recordings. In justified cases (e.g. for evidence purposes), recordings may be stored for a longer period as secured material for the purposes of internal investigations or other proceedings, including court proceedings.

CONSEQUENCES OF NOT PROVIDING DATA
Providing personal data such as your first name, last name, company details, and consent to receive marketing and commercial information by email is voluntary but necessary for the conclusion and performance of the contract. Failure to provide personal data will result in the inability to register and participate in the online event.

RECIPIENTS OF PERSONAL DATA
Access to personal data within the Company's organizational structure will be limited to authorized personnel and only to the extent necessary. Personal data may also be disclosed to:

  • entities providing services to the Company, such as IT and technical support services, document archiving and destruction services, whereby such entities process data as subcontractors on the basis of a contract with the Company and in accordance with its instructions;
  • law enforcement authorities and state authorities, when required by applicable law.

6.  Location of personal data processing

Your data will generally be processed within the EEA. However, due to our use of cloud solutions provided by Microsoft Ireland Operations Limited, based in Dublin, and Avaya Inc., based in the US, in some cases your data may be transferred to third countries. The providers of these solutions ensure the security of personal data by applying appropriate compliance mechanisms required by European Union law, in particular through the use of standard contractual clauses.

7. Rights of persons

In accordance with the GDPR, you have the following rights:

  1. The right to access your personal data, including obtaining information about the scope of data processing and obtaining copies of such data;
  2. The right to rectify or supplement your data;
  3. The right to request the deletion of your data in cases provided for by law;
  4. Right to data portability, i.e. the right to receive, in a structured, commonly used and machine-readable format, the personal data you have provided to us, if the processing of such data is based on consent or a contract and is carried out by automated means, provided that this is technically feasible;
  5. Right to request restriction of processing of your personal data by the Company;
  6. Right to withdraw consent - if your data is processed on the basis of consent, you have the right to withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
  7. Right to object – you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on the Company's legitimate interest. In such a case, the controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims;
  8. Right to object to direct marketing - if your personal data is processed by the Company for direct marketing purposes, you have the right to object at any time to the processing of personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

In order to exercise the rights referred to in this section of the Privacy Policy, you may contact the Company by sending a written message or an email to the following contact details: marketing@yarrl.pl

Right to lodge a complaint with a supervisory authority
If you believe that your personal data is being processed by the Company in violation of the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority, which in Poland is the President of the Personal Data Protection Office.

PROFILING
We do not make decisions based solely on automated processing, including profiling, which would have legal effects on you or similarly significantly affect you.

8. Final Provision

This Privacy Policy is for informational purposes only and is reviewed and updated as necessary, particularly in the event of changes to the scope of services offered, technological developments, and compliance with changes in applicable law.

The current version of the Privacy Policy was adopted and is effective as of March 11, 2024.