OKTAWAVE PRIVACY POLICY

II. YOU ARE THE REPRESENTATIVE OR CONTACT PERSON OF A CONTRACTOR WITH WHOM/WHICH WE ENTER INTO A CONTRACT: which personal data do we collect and what are the purposes of and legal grounds for our actions?

Your personal data may be obtained from you directly or from our contractor as part of cooperation with Oktawave.

The scope of data that we process includes first and foremost the following data categories:

• identification data, including name, surname and taxpayer identification number (NIP);
• place of work, position, department and professional qualifications;
• contact details (e.g. telephone number, e-mail address);
• other data provided by a contractor or directly by you in connection with the entering into or performance of a contract.

Provision of the above personal data is usually necessary to enter into and perform a contract with Oktawave. If those data are not provided, it shall be impossible to enter into the contract or take steps in connection with its performance.

We may process the above information in order to enter into and perform a contract, and to fulfill the obligations imposed by the provisions of law.

The legal ground for such processing is the necessity for the performance of a contract (Article 6(1)(b) of the GDPR), our legitimate interest as a party to the contract (Article 6(1)(f) of the GDPR) and our legal obligation (Article 6(1)(c) of the GDPR) respectively.

Sometimes your data are also processed for archiving (evidence) purposes and for the establishment, exercise or defense of claims. In such case, the legal ground for the processing of your data is our legitimate interest (Article 6(1)(f) of the GDPR).

Where your data are processed on the grounds of the Controller’s legitimate interest, you have the right to object to such processing.

III. WE CONTACT EACH OTHER: which personal data do we collect and what are the purposes of and legal grounds for our actions?

The scope of data that we process depends on which information we receive from you or, for instance, your employer, on the form of contacting us that you choose, and on the category of information necessary for our relationship. The scope includes first and foremost the content of documents and messages/communication as well as other information we may obtain from publicly available sources in connection with our business relationship (e.g. industry websites).

Those are in particular:

• identification data, including name and surname;
• place of work, position or department, and professional qualifications;
• contact details, including correspondence address, telephone number and e-mail address, or other details.

Thus, we obtain the above information from you directly, from other persons, e.g. your employers/principals, or from publicly available sources.

When you use our customer service call center, electronic communication systems or e-mail addresses, we process your identification data (e.g. telephone number, e-mail address or IP address, respectively), the communication metadata (e.g. date of contact, chat duration) and the content of messages (e.g. chat history, e-mail message content or a telephone conversation transcript provided that you are informed about it in advance). We process the above information in order to answer your questions, streamline our communication, improve customer service as well as market our services and enter into a relevant service contract with you.

The legal ground for those steps depends on the communication context. For general inquiries or conversations, the ground is our legitimate interest as the Controller (it stems from the above purposes) (Article 6(1)(f) of the GDPR). For inquiries aimed at entering into a contract or related to already existing contracts other than our service contracts (that is stipulated by section IV below), the ground is “to take steps at the request of the data subject prior to entering into a contract” (Article 6(1)(b) of the GDPR).

When visiting our website, you may consent to our use of the cookie technology, which enables correct operation of our website and allows us to analyze the information on the way that you use the website, for instance, on the course of the account creation process. We process those data to improve the quality of our website, adjust the content to the visitors’ interests and constantly perfect website operation. Some cookies also allow us to market our products and services, both as part of our website and our partners’ websites.

The legal ground for the use of cookies and similar technologies is your consent, excluding the case where their use is necessary for the operation of our website (the provision of our service to you by electronic means in this scope), in which case our steps are based on the provision of law (Article 173 par. 3 subpar. 2 of Polish Telecommunications Law) and our legitimate interest respectively (Article 6(1)(f) of the GDPR).

We may have received some of your data from you during a conference or an industry event in which our representatives took part, or from the organizer of such event. In that case, the data coming from a business card, an inquiry or a list of participants are processed in our database in order to send you the information in which you were interested, answer your questions and manage future correspondence/contact regarding that matter, or in order to send you thanks for the meeting or participation in the event. In such case, the legal ground for our steps is our legitimate interest (Article 6(1)(f) of the GDPR).

Where you provide your data to us not in your own name, which means that, for instance, you act in the name of our customer or provider or another entity, we process your data to perform a contract, in the context where you act in the name of that third entity, and to enter into or perform the contract with that third entity or carry out a joint venture. The ground for processing your personal data for this purpose is our legitimate interest (Article 6(1)(f) of the GDPR) — building and maintenance of a relationship with the third entity in the name of which you act, including entering into and performing relevant contracts with that entity, as well as the intention of building a positive image of Oktawave.

Regardless of the above, we may use your personal data, first and foremost your name, surname and correspondence address (or, possibly, e-mail address), to send you occasional messages (e.g. season’s greetings) or contact you with regard to promotions of Oktawave products or services.

The ground for processing your personal data for this purpose is our legitimate interest (Article 6(1)(f) of the GDPR) — the intention to maintain our relationship and build a positive image of Oktawave as well as marketing of Oktawave products or services.

In addition, where we process your personal data in order to:

• defend potential claims and, possibly, file claims, the ground for processing your personal data for this purpose is our legitimate interest (Article 6(1)(f) of the GDPR);
• fulfill the Controller’s legal obligations (e.g. tax or accounting ones), the ground for processing your personal data for this purpose is the fulfillment of legal obligations imposed on the Controller (Article 6(1)(c) of the GDPR).

In each case, we send commercial information to electronic addresses (e-mail address / telephone) only after obtaining your consent (legal ground).

Your provision of personal data is voluntary but may sometimes be necessary for the purposes of our cooperation, e.g. required to enter into or perform a contract, answer your question or exchange messages. This means that failure to provide those data may sometimes constitute grounds for a refusal to establish cooperation by Oktawave or for taking legal action by Oktawave in order to terminate an existing contract.

Where the data are processed based on consent, please remember that you can withdraw your consent any time, but this shall not affect the legality of the processing carried out under the consent before its withdrawal. Where your data are processed on the grounds of the Controller’s legitimate interest, you have the right to object to such processing.

IV. YOU ARE OUR USER: which personal data do we collect and what are the purposes of and legal grounds for our actions?

If you already use our services, then, beside the data we may have already processed in accordance with section III above, we also process the information related to our provision of services, such as usage data, data concerning the way of using our services or the course of contract performance, or your communication with us (if any). The purpose of and the legal ground for their processing is proper performance of a contract (Article 6(1)(b) of the GDPR), e.g. adjustment of infrastructure parameters or making out of bills. The scope of data which we may process stems, beside the GDPR, in particular also from Article 18 of the Polish Act on the provision of services by electronic means. The data necessary to create an account are appropriately marked at the sign-up stage. Provision of all the information is voluntary, but certain data (appropriately marked at the sign-up stage) are required for the purposes of entering into a contract and commencing the provision of our services.

If our customer has already added you as a service user (including e.g. as a contact person or a person authorized to make changes to service configuration), we process your data in the following scope: e-mail address, other contact details, data concerning the way of using our services and the course of contract performance, and your communication with us (if any). The legal ground for our steps is our legitimate interest (Article 6(1)(f) of the GDPR) — performance of a contract entered into with our customer.

Regardless of that, we may also analyze the information on the traffic to/from the virtual machines we make available to you, in order to ensure cloud security and prevent misuse. In such case, the legal ground for our steps is our legitimate interest (Article 6(1)(f) of the GDPR).

We process some information to fulfill the obligations imposed by provisions of law. This applies mainly to the data concerning our accounting (tax regulations; Article 6(1)(c) of the GDPR).

As a rule, we do not analyze or browse the content you store on our servers. Moreover, such steps are impossible to us if you encrypt data properly.

V. How long do we process your data?

As a rule, data processing on the ground of our legitimate interest shall last until an objection is raised or until the purpose for which the data are processed is achieved.

Unless you are our contractor, we store the data collected only in connection with ongoing contact (section III above) for a period depending on the data category: from several weeks (certain cookies) to no longer than two years (more detailed inquiries and conversations which may be important for our future contact). Data processing carried out only on the basis of your consent shall last until you withdraw that consent or until the purpose for which the consent was granted is achieved.

We store the data connected with the performance of various contracts, including data of representatives and contact persons (section II–IV above) during the contract term and then usually for seven years after its termination/expiration. This stems from tax regulations and the prescription period of certain claims.

The above periods may be extended as necessary in the event of legal claims or proceedings (by the duration of those proceedings and their settlement) or if the provisions of law in specified cases oblige us to carry out longer processing.

VI. Who actually has access to your personal data?

Only the following persons and entities obtain access to your personal data:

• duly authorized employees or cooperators of Oktawave, who are obliged to keep the data secret and use them only for the purposes for which Oktawave obtained those data;
• entities which support us in service provision (under relevant personal data processing agreements), such as e-mail marketing platforms, colocation service providers, or providers of information and communication technology services or tools used for getting in touch (communicators);
• providers of legal, consulting, accounting and tax services;
• providers of auditing services;
• postal operators and couriers;
• insurers and entities providing archiving services;
• entities the services of which you may use while using our services, i.e. payment processing entities;
• companies from the capital group to which Oktawave belongs.

All the above entities have access only to the information that they need to perform specific tasks.

The registered offices of some of the entities providing solutions to us may be located outside the European Economic Area (EEA). In each case of transferring data beyond the EEA, we apply the required protections, including standard clauses of data protection adopted under a decision made by the European Commission. Moreover, to protect personal data both during their transfer and after their receipt, we apply generally accepted standards which meet the requirements of the GDPR and the judicature of the Court of Justice of the European Union (CJEU).

You have the right to obtain a copy of the protections we apply with regard to transfers of personal data to third countries — please send a message to our e-mail address: .

Oktawave may also be obliged to provide specific information to public authorities for the purposes of proceedings conducted by those authorities. In such case, the information is provided only if a relevant legal ground exists.

VII. What are cookies and other similar technologies? How and for what purposes do we use them?

Cookies (cookie files) are small pieces of text information sent by a server and saved on your device (usually on the hard drive of a computer). Cookies store information which we may need to adjust to the way in which you use our website and to collect statistical data.

Whenever you visit our website, we have the opportunity to collect data concerning: the domain name of the Internet service provider, the browser type, the operating system type, the IP address, the websites you have visited, the elements you have downloaded, and the operation data or information on the location of the device that you are using. We assure you that we use all the information received this way only for the purposes indicated in this policy and that it is not harmful to you or your device in any way because it does not make any configuration changes to your device.

Still, you can naturally change the way of using cookie files, including blocking them completely or deleting them via your Internet browser or service configuration. However, please remember that such operations can prevent or considerably hinder the proper functioning of our website, for instance by slowing it down significantly. That is why we advise you to keep cookie handling turned on in the browser.

The cookies used by our website:

• technical cookies — they are necessary for proper operation of the website and of its functionalities, but they do not entail any tracking of the user;
• analytical cookies — they are used to analyze the users’ behavior within the website for statistical and analytical purposes (improvement of website operation), but they do not include information which would permit the identification of a specific user’s data;
• marketing cookies — they are used to analyze the users’ behavior and they provide information which identifies a specific user’s data, including for marketing purposes within third party websites.

List of cookies on Oktawave websites:

VIII. Contact details of Oktawave and its Data Protection Officer

The Controller of your personal data is Oktawave S.A., seated in Warsaw.

The seat address of Oktawave is: ul. Poleczki 13, 02-822 Warsaw; office address: ul. Puławska 464, 02-884 Warsaw

General e-mail address for contact:

The Data Protection Officer at Oktawave is Grzegorz Leśniewski, attorney at law. Direct contact with the DPO:

Helpline open on weekdays from 8 am to 8 pm: +48 22 10 10 555 (mobile calls; prices depend on the operator).

VIII. What rights do you have in connection with the processing of your personal data by Oktawave?

Please remember that the instructions on the way/form of contacting us stated below are only recommendations, not requirements.

Access to personal data

You can always ask us to grant you access to your personal data in order to see what data we process concerning you and to obtain detailed information on the following aspects:

• whether we process your personal data,
• the purposes for which we process them,
• the categories of data that we process,
• the data recipient(s),
• if possible, the planned storage period of those data; otherwise, the criteria of setting such period,
• all the available information on the data source (in the cases where the personal data were not collected from you).

To streamline the provision of information, please send the requests for access to personal data to the following e-mail address: entering “Access to data — GDPR” in the headline field.

Right to demand rectification of personal data

If you believe that the information concerning you is incorrect or incomplete, you have the right to demand rectification of the data which you consider to be inaccurate or incomplete in terms of their scope.

To streamline the rectification of information, please send the requests for rectification or supplementation to the following e-mail address: entering “Rectification of data — GDPR” in the headline field.

Right to erasure of personal data

In certain situations, the GDPR grants you so-called right to be forgotten. The circumstances justifying such a demand include:

• the personal data no longer being necessary for the purposes for which they have been collected or otherwise processed;
• your withdrawal of the consent to personal data processing, where no other legal ground for further processing exists;
• your objection to personal data processing, where no legally overriding and justified grounds for processing exist;
• your objection to personal data processing for marketing purposes;
• unlawful processing of your personal data;
• fulfillment of a legal obligation imposed by the EU law or by the law of the Member State by which Oktawave is governed.

To streamline the erasure of information, please send the requests for erasure to the following e-mail address: entering “Erasure of data — GDPR” in the headline field.

Right to restrict processing

You can demand restriction of the processing of your personal data where:

• you question the correctness of the personal data that we process — for a period permitting the verification of correctness of those data;
• the processing of your personal data is unlawful, but you prefer restriction of processing to erasure;
• Oktawave no longer needs your personal data for processing purposes, but you need the data for the establishment, exercise or defense of claims;
• you have objected to the processing of your personal data — only until the dispute in question is settled.

An effective submission of a demand for processing restriction shall result in a restriction of the operations we perform on the data specified by you and the scope of specified operations / processing purposes to the necessary minimum — in principle, to storage alone.

To streamline the restriction of information processing, please send the requests for restriction to the following e-mail address: entering “Restriction of data processing — GDPR” in the headline field.

Right to data portability

You have the right to receive your personal data in a commonly used and machine-readable format and the right to transmit those data to another controller.

You can exercise this right if:

• the processing is based on your consent or a contract; and
• the processing is carried out by automated means. To streamline the transfer of information, please send the requests for transfer to the following e-mail address: entering “Transfer of data — GDPR” in the headline field.

Right to object

In specific situations, you have the right to object to specified processing. You can object to:

• the processing of your personal data the legal ground for which is the performance of a task carried out for reasons of public interest or the exercise of official authority entrusted to Oktawave, including profiling, on grounds relating to your particular situation;

• the processing of your personal data where that processing is necessary for the purposes stemming from legitimate interests pursued by Oktawave or a third party, including profiling, on grounds relating to your particular situation;

• the processing of your personal data for the purposes of direct marketing, at any moment, in the scope in which the processing is related to such direct marketing;

• the processing of your personal data for statistical purposes, on grounds relating to your particular situation.

However, please remember that if, despite the objection you have filed, we assess that there exist compelling legitimate grounds for processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defense of claims, we shall continue the processing of your data covered by the objection in question. If you do not agree with such assessment of the situation, you can exercise your right to file a complaint with a supervisory authority (see below).

To streamline the handling of objections, please send them to the following e-mail address: entering “Objection — GDPR” in the headline field.

Right to file a complaint with a supervisory authority

You have the right to file a complaint with a supervisory authority in connection with our actions as the Controller of your personal data.

Naturally, if you have comments about our actions, we encourage you to contact our Data Protection Officer first: . The DPO is an independent person within our structure who is responsible for ensuring that we fully comply with the obligations concerning personal data protection. If we make a mistake anywhere, the DPO shall surely take appropriate steps.

If you wish to file a complaint with a supervisory authority, you can find a list of local authorities responsible for personal data protection in the European Union together with their contact details on the following website: https://edpb.europa.eu/about-edpb/board/members_en. In Poland, the competent supervisory authority is the President of the Personal Data Protection Office (PUODO).

A detailed description of the procedure of filing a complaint with the PUODO is available on the website managed by the PUODO: https://uodo.gov.pl/pl/83/155.