Ladies and Gentlemen,
On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L 2016, No. 119) came into force. The Regulation imposes a number of new obligations on entities that collect, process, and use personal data.
- Basic terms
In the content below, there are phrases the meanings of which may be legally determined. Therefore, for better understanding, we provide the following definitions:
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L 2016, No. 119);
- personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- processor – means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
- recipient – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- consent of the data subject – means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- data concerning health – means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- supervisory authority – means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR;
- personal data of a specific category – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- What principles do we follow when processing your personal data?
Personal data processed at SGGW are:
- processed lawfully, fairly, and in a transparent manner for the data subject;
- collected for specific, explicit, and legitimate purposes and not further processed in a manner inconsistent with these purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is, in accordance with Art. 89 sec. 1, not regarded as inconsistent with the original purposes;
- adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
- correct and, if necessary, updated; all reasonable steps must be taken to ensure that personal data that are inaccurate in view of the purposes of their processing are immediately deleted or rectified;
- kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for a longer period as long as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 sec. 1, provided that the appropriate technical and organizational measures required by this Regulation are implemented to protect the rights and freedoms of data subjects;
- processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by appropriate technical or organizational measures.
- Who is the controller of your personal data and what is the address of its registered office?
The controller of your personal data is the Warsaw University of Life Sciences (SGGW) with its registered office at 166 Nowoursynowska Street, 02-787 Warsaw.
- Has the Warsaw University of Life Sciences appointed a Data Protection Inspector?
SGGW has appointed a Data Protection Officer, who can be contacted in order to exercise the rights described in this policy by writing to the e-mail address: firstname.lastname@example.org, or to the address of the registered office:
Data Protection Inspector
Warsaw University of Life Sciences
- On what basis do we process your personal data?
The legal basis for the processing of your personal data by SGGW may be:
- Art. 6 sec. 1 (a) of GDPR, when you have given your consent in the scope and for the purpose specified in its content;
- Art. 6 sec. 1 (b) of GDPR, when processing is necessary to perform a contract to which you are a party or to take action at your request before concluding a contract with SGGW;
- Art. 6 sec. 1 (c) of GDPR, when processing is necessary to fulfill the legal obligation to which SGGW is subject;
- Art. 6 sec. 1 (d) of GDPR, when processing by SGGW is necessary to protect your vital interests;
- Art. 6 sec. 1 (e) of GDPR, when processing is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in SGGW;
- Art. 6 sec. 1 (f) of GDPR, when processing is necessary for the purposes of the legitimate interests pursued by SGGW or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- For what purpose do we process your personal data?
The purposes for which SGGW processes your personal data result in particular from:
- the Law on Higher Education and Science (Journal of Laws 2021.478, as amended), i.e. personal data is processed by the Warsaw University of Life Sciences for the purpose of:
- providing education to students;
- conducting postgraduate studies or providing other forms of education;
- conducting scientific research, providing research services, and transferring knowledge and technology to the economy;
- educating doctoral students;
- educating and promoting university staff;
- creating conditions for people with disabilities to enable them to fully participate in:
- the process of admitting to a university,
- the process of education,
- conducting scientific research;
- educating students with a sense of responsibility for the Polish state, national tradition, strengthening the principles of democracy and respect for human rights;
- creating conditions for the physical development of students;
- disseminating and multiplying the achievements of science and culture, including by collecting and making available library, information, and archival collections;
- acting for the benefit of local and regional communities;
- providing specialist education;
- running student dormitories and student canteens;
- the Regulation of the Minister of Science and Higher Education of 27 September 2018 on studies (and the subsequent Regulations replacing the above), i.e. SGGW processes personal data for the purpose of:
- assigning the student, within the university, the album number that applies to him or her at all faculties and levels at which he or she studies at this university;
- entering the following data concerning the student in the register of students:
- the student registration number;
- the commencement date;
- first and last names;
- date and place of birth;
- PESEL number, and in its absence – the name and number of the document confirming the identity and the name of the country that issued it;
- information about the document constituting the basis for applying for admission to university:
- name of the school or district examination commission, number, date, and place of issuing the document referred to in Art. 69 sec. 2 of the Act – in the case of the first-cycle or long-cycle programmes of study;
- name of the university, number, date, and place of the graduation diploma – in the case of the second-cycle programme of study;
- name of the field of study, level, and profile of studies;
- the year of study for which he/she was admitted;
- date and reason for leaving the university.
- storing in the student’s personal files the information referred to in the Regulation, i.e. SGGW stores:
- documents required from a candidate for studies, including:
- a copy certified by the university:
– the document constituting the basis for applying for admission to the university, referred to in Art. 69 sec. 2 of the Act – in the case of a candidate for the first-cycle or long-cycle programmes of study,
– graduation diploma – in the case of a candidate for the second-cycle programme of study,
- a personal questionnaire containing a photo of the candidate, first and last name, date and place of birth, PESEL number, and in its absence – the name and number of the document confirming the identity and the name of the country that issued it, gender, place of residence before starting studies: village or city, address of the place of residence and correspondence address, telephone number, citizenship, and in the case of foreigners also the name of the country of birth and information about the possession of the Pole’s Card;
- documents constituting the basis for admission to the university;
- the oath signed by the student;
- confirmation of receipt of the student ID and student’s registration book, as well as their duplicates;
- student’s periodic achievements report;
- decisions regarding the course of studies;
- review of the thesis;
- diploma examination protocol;
- graduation diploma – a copy to be filed;
- diploma supplement – a copy to be filed;
- confirmation of receipt of the diploma and its copies, the diploma supplement and its copies, as well as the duplicate of the diploma or duplicate of the diploma supplement, or these documents in the event of failure to collect them.
In addition, since individual entities perform activities other than scientific ones, personal data may be processed under the provisions and for the purposes indicated therein:
- the Act of 15 April 2011 on Medical Activity,
- the Act of November 6, 2008 on Patient’s Rights and the Patient’s Ombudsman,
- the Act of December 5, 1996 on the Professions of Doctor and Dentist,
- the Act of 15 July 2011 on the Professions of Nurse and Midwife,
- the Act of 27 August 2004 on Health Care Services Financed from Public Funds,
- the Act of 7 September 1991 on the Education System,
- the Act of December 14, 2016 – Education Law,
- the Act of 27 June 1997 on Libraries,
- the Act of July 14, 1983 on the National Archival Resource and State Archives,
and other regulations and executive acts, including subsequent ones replacing the current legislation, methods of processing, and protection of personal data.
In addition, SGGW processes personal data for, among others, the following purposes:
- keeping accounting records, making bank transfers,
- implementation of legal provisions to be observed by the employer, customer, service recipient,
- fulfillment of the payer’s obligations related to the handling and sending of tax declarations,
- performing recruitment processes,
- performing agreements and contracts concluded with external entities (data entrusted by other entities – personal data controllers, e.g. the Ministry of Economic Development, Labour and Technology),
- implementation of the provisions of the Act on the Social Insurance System and other legal provisions to be applied by the Payer,
- conducting monitoring,
- office services,
- fulfillment of a contact request (e.g. via the contact form),
- sending a newsletter,
- exchange of business cards during various types of events attended by employees of SGGW or organized by SGGW,
- conducting lectures, trainings, courses,
- data storage for archival purposes, and ensuring accountability (showing compliance with our obligations under the law).
- Whose personal data do we have?
In connection with the tasks performed by SGGW, specified in the above-mentioned regulations, we have the following categories of personal data:
- Data of students, doctoral students, researchers, candidates for the 1st and 2nd cycle programmes of study and a long-cycle programme of study, candidates for doctoral school, i.e. data of people using educational services from the Warsaw University of Life Sciences or participating in events, courses and scientific conferences organized by SGGW,
- Data of people participating in evaluations and research organized by SGGW,
- Data of people who subscribed to the newsletter,
- Data of senders and recipients of correspondence to and from SGGW,
- Data of persons calling SGGW,
- Data of bidders, contractors, apprenticeship providers, and their employees,
- Data of owners or proxies of entities performing services at the request of SGGW,
- Data of employees, co-workers and possibly their family members, as well as data of candidates for a job or applying for a job on a different basis, including data of interns and apprentices,
- Data of natural persons who are parties to, participants in civil, criminal, court-administrative, and enforcement proceedings,
- Data of owners or proxies of entities who have failed to meet their obligations towards SGGW,
- Data of persons performing inspection activities and persons appearing in the documentation related to the conducted inspections,
- Data of persons reporting corruption and unethical threats.
- Is there an obligation to provide personal data?
- If the processing of your personal data is based on your consent – providing the data is voluntary.
- In the case of processing personal data on the basis of legal provisions – their processing is a legal requirement, so we must have them.
- When we conclude a contract with you, providing SGGW with your personal data is necessary for its conclusion and performance.
- What rights do you have in relation to the processing of personal data by SGGW?
Your rights are described in individual provisions of the GDPR. It is important to bear in mind their limitations. However, as a rule, depending on the basis for the processing of personal data, you are entitled to:
- access your personal data (Article 15 of the GDPR),
- rectify (correct) or supplement incomplete personal data – if possible (Article 16 of the GDPR),
- request the erasure of your personal data in cases provided for by law (Article 17 of the GDPR),
- request the restriction of processing of your personal data (Article 18 of the GDPR),
- receive your data in a structured, commonly used, and machine-readable format and transfer the data when the processing is based on your consent or a concluded contract, as well as when the processing is carried out by automated means and does not violate the rights of third parties (Article 20 of the GDPR),
- object, on grounds relating to your particular situation, to the processing of your personal data, including profiling, where they are processed in order to serve the legitimate interest of the Controller (Article 21 of the GDPR).
In a situation when the processing of your personal data takes place on the basis of your consent, you have the right to withdraw this consent at any time. This withdrawal does not affect the lawfulness of the processing which was carried out on the basis of your consent before its withdrawal.
If you believe that the processing of your personal data violates the provisions of the Regulation, you have the right to lodge a complaint with the supervisory body, i.e. the Head of the Personal Data Protection Office based in Warsaw, ul. Stawki 2, who can be contacted as follows:
- by post: ul. Stawki 2, 00-193 Warszawa
- via an electronic inbox available at https://www.uodo.gov.pl/pl/p/kontakt
- by phone: (22) 531 03 00
SGGW has appointed a Data Protection Officer, whom you can contact in order to exercise the above rights by writing to the address: email@example.com.
- Who are the recipients of your personal data?
The recipients of the data are:
- authorized employees/associates of SGGW,
- entities processing data for and on behalf of SGGW, on the basis of the concluded data processing agreement, in order to provide specific services,
- Microsoft – due to the use of this company’s services by SGGW, which means that sending an e-mail to an address in the @sggw.edu.pl domain, or using MS Teams or other functionalities offered by Microsoft, involves data processing by Microsoft.
Due to the use of Microsoft services, data may be transferred outside the European Economic Area (EEA) – to the USA. Microsoft provides guarantees under Chapter 5 of the GDPR and has been obliged to comply with the protection of personal data on the basis of standard contractual clauses. For more up-to-date information, please visit: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46
- How long is your personal data stored?
From the moment your personal data is obtained, it will be processed at SGGW for the period:
- indicated by law, because it is the law that forces us to store the data;
- of consent granted for a specific purpose of processing, until its withdrawal;
- resulting from contracts concluded with other entities that obligated us (being a separate data controller) to store information for a specified period of time;
- possibly for the duration of the investigation, determination, or defense against claims.
Document updated as of April 28, 2021