The purpose of the Data Security Policy for the processing of personal data within the activities conducted by the Sinusoida Freedom Foundation (KRS: 0001157027) is to ensure due diligence in the processing and securing of personal data in accordance with legal requirements, particularly regarding the principles of data processing and protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: "GDPR").
1. Definitions
Whenever this Data Security Policy refers to:
- Data Controller – means “Sinusoida Freedom Foundation”, ul. Piastowska 7/4, 43-300 Bielsko-Biała; e-mail: support@sinusoidafreedom.org, KRS: 0001157027
- Personal Data – means any information relating to an identified or identifiable natural person;
- Data Processor – means a natural or legal person or an organizational unit that processes Personal Data on behalf of the Controller based on a data processing agreement;
- Data Processing – means any operation or set of operations performed on Personal Data, whether or not by automated means (i.e., via IT systems), such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing, or destroying;
- Third Party – means a natural or legal person, public authority, body, or entity other than the Data Subject, Data Controller, Data Processor, or User, which may process Personal Data;
- User – means a person authorized to process Personal Data by the Data Controller;
- Data Set – means any structured set of personal data accessible according to specified criteria.
2. General Provisions
- This Data Security Policy applies to all Personal Data processed by the Data Controller, regardless of the form of processing.
- This Policy is drawn up in written form and stored at the Data Controller's office.
- An electronic version identical to the written one is made available to Data Processors and Users to familiarize them with the rules for processing and securing Personal Data used in the activities conducted by the Controller.
- To implement and execute the Data Security Policy, the Data Controller ensures:
  a. technical and organizational measures appropriate to the risks and categories of protected Data,
  b. control and supervision over the Processing of Personal Data,
  c. monitoring of applied security measures.
- Monitoring by the Data Controller includes, among others: supervision of User activities and control of Data Processors; notifying relevant authorities of data breaches; analyzing adopted data protection methods, including ensuring file integrity and effectiveness of protection against external and internal attacks.
- The Data Controller undertakes all necessary, justified, and proportionate actions to ensure that activities related to the processing and securing of Personal Data are compliant with this Policy and legal regulations.
3. Data Processing by the Data Controller
- Personal Data processed by the Controller is organized into Data Sets.
- The Controller will not process data that involves a high risk of violating the rights or freedoms of Data Subjects. In the event of planning such actions, the Controller will perform a Data Protection Impact Assessment as referred to in Article 35 et seq. of the GDPR.
- When planning new Personal Data processing activities for purposes other than those for which the data was originally collected, the Controller will obtain renewed consent from the Data Subject. At the same time, the Controller will analyze the impact of such processing on data protection and consider data protection from the design phase.
- The Data Controller may maintain a Register of Processing Activities according to the template in Annex 1 to the Data Security Policy.
4. Managing Personal Data Security
- The Data Controller, Data Processors, and Users are required to process Personal Data in accordance with applicable laws, this Data Security Policy, and other internal documents and procedures related to Personal Data Processing.
- The processing of all Personal Data must comply with the following principles:
  a. there must always be at least one legal basis for processing under the GDPR;
  b. Personal Data must be processed lawfully, fairly, and transparently to the Data Subject;
  c. Personal Data must be collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes;
  d. Personal Data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
  e. Personal Data must be accurate and, where necessary, kept up to date;
  f. Personal Data must be stored only for as long as necessary for the purposes for which they were collected; after that, they must be anonymized or deleted unless further processing is necessary for the legitimate interests of the enterprise or Data Controller;
  g. the Data Subject must always be informed in accordance with Articles 13 and 14 of the GDPR;
  h. Personal Data must be protected against breaches.
  A breach or attempted breach of Personal Data processing and protection rules includes:
  i. a breach of security of the IT Systems used to process Personal Data;
  j. sharing or assisting in sharing Data with unauthorized entities;
  k. omission, including inadvertent failure, to ensure the protection of Personal Data;
  l. failure to maintain the confidentiality of Personal Data and the principles and methods of securing them;
  m. processing Personal Data inconsistently with the intended scope and purpose for which they were provided;
  n. damage, loss, uncontrolled alteration, or unauthorized copying of Personal Data;
  o. violation of the rights of Data Subjects, particularly those mentioned in Articles 15–18 of the GDPR.
- If a direct risk of a breach or an actual breach of Data protection rules is identified, the Data Controller, Data Processor, or User must take all necessary actions to prevent and mitigate the consequences.
- The Data Controller's responsibilities regarding employees (under employment or civil law contracts) who process Personal Data include:
  a. appropriate training in data protection laws and principles, including familiarization with the Data Security Policy and IT System Usage Manual,
  b. granting written authorization to process data in accordance with the template in Annex 3,
  c. obtaining a confidentiality commitment from employees regarding Personal Data.
- Users are obliged to:
  a. strictly adhere to the scope of their authorization;
  b. process and protect Personal Data in accordance with laws and data protection principles;
  c. maintain the confidentiality of Personal Data and their protection methods;
  d. report breaches or attempted breaches of Personal Data and any events that may affect data security.
5. Location of Personal Data Processing
Personal Data is processed at the Data Controller's headquarters and at all locations used by the IT System, if necessary for its proper functioning.
6. Breaches of Data Protection Principles
- In case of a breach, the Data Controller assesses whether the breach has caused or could cause a risk to the rights or freedoms of the Data Subjects.
- If the breach has caused a high risk to the rights and freedoms of the Data Subject, the Controller shall inform the affected person.
- If the breach has caused a risk to the rights or freedoms of Data Subjects, the Controller shall notify the supervisory authority without undue delay – no later than 72 hours from becoming aware of the breach, using the template in Annex 4.
7. Data Processing Outsourcing
- The Data Controller may outsource Personal Data Processing to another entity only through a written agreement, provided the entity offers sufficient guarantees of implementing appropriate technical and organizational measures to ensure GDPR compliance and protection of Data Subject rights.
- Before entering into a data processing agreement, the Controller shall, as far as possible, obtain information about the practices of the prospective processor to assess whether they provide the guarantees referred to in paragraph 1.
- The agreement will be based on the template in Annex 5.
8. Transfer of Data to a Third Country
The Data Controller shall not transfer Personal Data to a third country unless requested by the Data Subject.
9. Cookie Policy
- This policy outlines the rules for using cookies on the sinusoidafreedom.org website, operated by the SINUSOIDA FREEDOM FOUNDATION, ul. Piastowska 7/4, 43-300 Bielsko-Biała, entered into the National Court Register under KRS 0001157027, e-mail: support@sinusoidafreedom.org. This policy has been prepared in accordance with applicable law, including the GDPR and the ePrivacy Directive.
- Cookies are small text files stored on the user’s device during website use. They are used to ensure proper site operation, remember user preferences, perform statistical analysis, and – with consent – for marketing purposes.
- The website uses the following types of cookies:
  a. essential cookies (e.g., for login, forms);
  b. analytical and statistical cookies (to gather data on site usage for optimization);
  c. marketing cookies, including from third parties (e.g., Google, Facebook), for advertising and behavior analysis.
- Under the law, storing and accessing non-essential cookies requires prior user consent. During the first visit, the user sees a cookie banner with options to manage consent – for all cookies, selected categories, or refusal (except essential cookies).
- Users can manage cookie settings at any time via their browser or site tools. Limiting cookies may affect some site functions. Details on cookie settings are available from browser providers: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari.
- Cookies are divided into:
  a. session cookies – deleted after the browser session ends;
  b. persistent cookies – stored as defined in their parameters or until the user deletes them.
- Some cookies may originate from third-party providers (e.g., Google, Meta) who may access the data collected via cookies under their privacy policies. SINUSOIDA FREEDOM FOUNDATION does not share personal data without explicit consent.
- Users have rights under the GDPR, including: the right to withdraw consent, access their data, delete their data, and object to processing.
- SINUSOIDA FREEDOM FOUNDATION reserves the right to amend this cookie policy at any time, particularly in the event of legal or technological changes. Changes take effect upon publication on the website.
10. Final Provisions
- Breach of the Data Security Policy by Users shall result in liability under the Labor Code and personal data protection regulations.
- Breach of the Data Security Policy by a Data Processor shall result in liability under the Civil Code and personal data protection regulations.
- Annexes to the Data Security Policy include:
  a. template of the Register of Personal Data Processing Activities – Annex 1,
  b. template of the Authorization to Process Personal Data – Annex 2,
  c. template of the Data Breach Notification to the supervisory authority – available at https://uodo.gov.pl/pl/501/2278
- This Data Security Policy enters into force on December 27, 2024.
- Personal Data collected before the Policy’s entry into force is processed in accordance with this Policy from its effective date.