How do we process your personal data
July 25th 2019
When as a natural person you contact us or use our services, regardless of whether you act on your behalf or on behalf of another entity (e.g. our client, supplier, etc.) or when we have obtained your personal data from other sources (e.g. from publicly available industry websites or when your personal data have been disclosed to us as a contact for the purpose of execution of the contracts) we start to process your personal data. We approach all information about you responsibly and in accordance with the law - in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter also “GDPR”).
This policy explains who we are, how we collect information and what we do with them in business, commercial and marketing relations and in connection with contacting us. If anything raises your doubts, do not hesitate to contact us.
I. Glossary – basic concepts
Personal data - all information that we process related to you. For example: name, surname, e-mail address, consumption data, payment details etc;
Processing – all operations that we perform on your personal data. This includes e.g.: collecting, storage, updating, sending correspondence, analysing in order to issue an invoice, and erasure;
User – the person, who has concluded with us an agreement for providing the services;
Data controller – Oktawave S.A., with its registered seat in Warsaw, at ul. Domaniewska 44a, 02-672 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for Wrocław – Fabryczna in Wrocław, XIII Commercial Division of the National Court Register under entry number: 0000858468, NIP (taxpayer ID): 5213633306, REGON (statistical ID number): 146197794, share capital PLN 5.290.000,00;
Cloud - organized IT system, consisting of, in particular, computer hardware, software and telecommunications connections, used to provide services.
II. When we contact each other – what personal data do we collect and what is the purpose and legal basis of such activities?
The scope of personal data that we process depends on what information you or e.g. your employer provided to us, on the form of contact you’ve chosen and on the information that is vital for a given relationship – it primarily encompasses the content of documents, as well as of our correspondence/communication, along with other information we have obtained from publicly available professional sources regarding our business relations (e.g. industry websites).
This data in particular includes:
- identification data, including first name and last name,
- information regarding professional activity, including place of employment, position and/or department, qualifications;
- contact details, including correspondence address, telephone number, e-mail address or other contact information.
Therefore, we obtain the above personal data directly from you or from other people, e.g. from your employers / clients or from public sources.
If you use the telephone customer service, electronic communication tools or e-mails, we will process data identifying you (respectively e.g. telephone number, e-mail address, IP number), metadata relating our communication (e.g. date of contact, duration of our conversation) and the content of our communication (e.g. chat history, e-mail content, audio record of our phone call if you were informed in advance about such recording). We process the abovementioned information in order to respond to your inquiries, improve our communication and the quality of customer service, as well as to marketing our services and concluding an appropriate agreement with you for the provision of services.
The legal basis of our actions depends on the context of our communication. If these are only general inquiries or conversations, the legal basis for such processing will be our “legitimate interest” (results from the purposes indicated above – Art. 6(1)(f) GDPR). However if such inquiry leads to the conclusion of the agreement, or remains in connection with a contract already concluded with you other than for providing our services, the legal basis for such processing will be “taking steps at the request of the data subject prior to entering into a contract” or necessity for the performance of the contract (Art. 6(1)(b) GDPR).
The legal basis for using the cookies and similar technologies is your consent, except when their use is necessary for the proper functioning of our website (providing you with electronic services), when the legal basis for such processing will be legal provision (Art. 173(3)(2) of the Telecommunications Law) and respectively – our legitimate interest (Art. 6(1)(f) GDPR).
Some of your personal data we may have obtained from you during a conference or industry event, in which our representatives took part or we may have obtained them from such event’s organiser. In this case, data from your business card, inquiry or data from list of participants are processed in our database in order to send you information, which were interesting for you, respond to your inquiry and to conduct further correspondence / contact in this matter, or in order to thank you for the meeting or participation in an event. In such cases the legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR).
If you haven’t given us your data on your own behalf, for example, you are acting on behalf of our client, supplier, or another entity, we process your data in order to process the contact in the context in which you are acting in the name of the third party, as well as for the conclusion and/or processing of a contract with that third party and/or conducting a joint project. The legal basis for processing your personal data in accordance with this purpose will be our legitimate interest (Art. 6(1)(f) GDPR) – building and maintaining relations with the third party in whose name you are acting, including the conclusion and performance of relevant contracts with that party, as well as the intention of building a positive image of Oktawave.
Regardless of the foregoing, your personal data, that is, in particular, your first name and last name, as well as correspondence address and/or e-mail address, can be used by us in order to contact you from time to time (for example, to send holiday season greetings) or to contact you regarding the promotion of Oktawave’s products or services. The legal basis for processing your personal data in accordance with this purpose will be our legitimate interest (Art. 6(1)(f) GDPR) – maintaining relations and building a positive image of Oktawave and marketing of Oktawave’s products and services.
Additionally, with regard to the processing of your personal data in order to:
- defend against potential claims, as well as for the purpose of potential directing claims, the legal basis for processing of your personal data will be our legitimate interest (Art. 6(1)(f) GDPR);
- fulfill the legal obligations of the data controller (e.g. tax, accounting), the legal basis for processing of your personal data will be the necessity for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).
In any case, we send commercial information on electronic addresses (e-mail, telephone) only upon your prior consent (legal basis).
Your submission of personal data is voluntary, but sometimes it may be necessary for purposes related to our cooperation, e.g. in order to conclude or execute the contract or to respond to your query or to conduct further correspondence. This means that failure to provide data may constitute grounds for refusal by Oktawave to enter into cooperation, or for Oktawave to take legal measures to terminate possible contract.
Please be reminded, that in any case when processing of personal data is based on your consent, you may revoke it at any time, without affecting the legality of processing performed prior to such revocation. However in case of processing your personal data based on our legitimate interest, you may object to such processing.
III. When you are the user: what personal data do we gather and what is our purpose and legal basis of our actions?
Once you use our services, apart of the part II above, we also process information related to the provision of services by us such as data on consumption, on how you use our services and on the process of execution of our agreement, and also our possible communication. The purpose of processing the abovementioned data and the legal basis as well, is proper implementation of the agreement (Art. 6 (1)(b) GDPR) – e.g. adjusting infrastructure parameters, generating settlements. The scope of data we may process results, except from GDPR, in particular also from Art. 18 of the Act on provision of services by electronic means. Providing all information is voluntary, but some of data (appropriately marked at the registration stage) are necessary to create an account, for the conclusion of the agreement and commencement of the provision of services by us.
If you have been added by our client as a user of services provided by Oktawave to this client (including e.g. as a contact person or entitled to make changes in service configuration), we process your data in the scope of an e-mail, other contact details, data on the use of our services and the process of execution of the agreement, and also our possible communication. The legal basis of our actions is our legitimate interest (Art. 6 (1)(f) GDPR), i.e. implementation of the agreement with our client.
Nevertheless, we may analyse information about the traffic from/to your virtual machines, which we have provided to you, in order to ensure the security of the Cloud and prevent any abuse. In such case the legal basis of our actions is our legitimate interest (Art. 6(1)(f) GDPR).
We process part of the information to fulfil the obligations imposed by law - this applies mainly to data regarding our settlements (tax regulations; art. 6(1)(c) GDPR).
As a rule, we do not analyse and review content that you store on our servers. What’s more, such activities will be impossible for us if you properly encrypt your data.
IV. How long do we process your data?
Data processed on the basis of the consent, are processed until possible revocation of such consent or fulfilling of the purpose, for which it has been granted.
The above periods may be extended, as appropriate, in the event of any possible claims and court proceedings - for the duration of these proceedings and their settlement, and also if we are obliged to further processing of such data to meet legal obligations.
V. Who has access to your personal data?
Your personal data will only be accessed by:
- duly authorized employees or associates of Oktawave, who are obliged to maintain them in secrecy and not to use them for purposes other than those for which Oktawave obtained such data;
- entities, which support us in providing services, based on separate data processing agreements, such as e-mail marketing platforms, collocation service providers, IT service providers or contact tools (communicators), legal and consulting services providers;
- entities, whose services you can use when using our services, i.e. entities handling payments, as well as carriers or couriers (if, for example, you take part in the promotion, as a result of which you are entitled to a material reward).
All these persons and entities have access only to the personal data, which are necessary to perform specific actions by them.
It is possible that some of the entities that provide us with solutions may be based outside the European Economic Area (EEA). In each case of data transmission outside the EEA, we apply all required safeguards, including standard data protection clauses adopted pursuant to decisions of the European Commission, we conclude data processing agreements that meet the requirements of the GDPR, and in the case of data transmission to the US, we verify the participation of our partners in the Privacy Shield program (more: https://www.privacyshield.gov/). You have right to access the list of such recipients and a copy of the security measures we apply for the transfer of personal data to third countries by contacting us at .
Oktawave may also be required to provide specific information to public authorities for the purposes of proceedings conducted by them. In this case, any information are provided only if there is a proper legal basis for it.
VI. What are the “cookies” files and similar technologies? how and in what purpose do we use them?
“Cookies” files are pieces of information that are transferred by the server and stored on your device (usually on your computer’s hard drive). It stores information that we may need in order to adjust to the way you use our website and in order to collect statistical data. When you visit our website, we may collect data about the domain name of your Internet service provider, browser type, type of operating system, IP address, websites visited by you, items you have downloaded, as well as operational data or location information about the device you use.
You may change the way of using “cookies” files, including completely block or delete them via your web browser or configuration of the service. However you must remember that such operations may prevent or significantly impede the proper functioning of our website, for example by substantial slowdown of its functioning, so we strongly recommend not to block them through your web browser.
“Cookies” files used on our website:
- technical - includes cookies: necessary for the proper functioning of the website and to enable the functionalities of the website, but their operation does not lead to user tracking;
- analytical – used to analyze user’s behavior within the website, for statistical and analytical purposes (improving the operation of the website), but do not include information that could identify the data of a specific user;
- marketing - used to analyze user’s behavior, including for marketing purposes within the websites of third parties, provides information identifying data of a particular user.
The list of “cookies” files used on Oktawave website:
|Google Double Click
VII. Contact details of oktawave and data protection officer
The data controller of your personal data is Oktawave S.A. with its registered seat in Warsaw.
Address: ul. Domaniewska 44a, 02-672 Warsaw, Poland
Contact e-mail address:
Data protection officer – advocate Grzegorz Leśniewski. Direct contact to DPO:
The hotline is open on business days from 7:00 am to 9:00 pm: +48 22 10 10 555 (mobile calls, the price depends on the operator).
VIII. What are your rights regarding the processing of your personal data by oktawave?
Please note that the instructions given below are only a recommendation, not a requirement.
Access to your personal data
You may ask us at any time for access to your personal data, in order to check what data about you we process and to obtain detailed information regarding:
- whether we are processing your personal data;
- for what purpose;
- what categories of data we are processing;
- who is the recipient of your data;
- what is the planned duration of processing (if possible), and if we are not able to say, the criteria for determining that duration;
- if the personal data has not been given by you – all available information about the source of the data. For the effective exercise of your rights, please send any requests for access to the personal to the e-mail address: , along with the title “Access to the personal data – GDPR”.
Right to rectify the personal data
If, in your opinion, information about you is or has become inaccurate or incomplete, you have the right to demand that data is rectified or made complete.
For the effective exercise of your rights, please send any requests for rectification of the personal data to the e-mail address: , along with the title “Data rectification – GDPR”.
Right to erasure of the personal data
In certain situations, GDPR gives you the “right to be forgotten.” You can invoke this right if we are still processing your personal data, particularly in the following cases:
- the personal data is no longer vital for the purposes for which it was collected or otherwise processed;
- you revoked consent to the processing of personal data and there is no other legal basis for continuing to process it;
- you object to the processing of your personal data when there are no overriding, legitimate grounds for processing;
- you object to the processing of your personal data for marketing purposes;
- your data is processed in a manner that violates the law;
- the law requires that we erase your data.
For the effective exercise of your rights, please send any requests for erasure of the personal data to the e-mail address: , along with the title “Data erasure – GDPR”.
Right to restriction of processing
You can demand that we limit processing of your personal data when:
- you question the correctness of personal data we are processing – for a period of time that allows us to determine the correctness of that data;
- the processing of your personal data violates the law, but you prefer that processing be restricted rather than the data be erased;
- Oktawave no longer needs your personal data for the purposes of processing, but you need it for establishing, pursuing, or defending legal claims;
- you have objected to the processing of your personal data – only until the dispute has been resolved.
Effective submission of a request for restriction of processing personal data, will limit the actions taken by us on the data indicated by you and in the scope of particular operations/purposes to necessary minimum - basically only to storage.
For the effective exercise of your rights, please send any requests for restriction of processing to the e-mail address: , along with the title “Restriction of processing – GDPR”.
Right to data portability
You have the right to receive your data in a commonly-used format that can be read by a computer, and also to have your data sent to another data controller.
You may invoke this right, if:
- processing is done on the basis of your consent or a contract; and
- processing is done in an automated manner.
For the effective exercise of your rights, please send any requests in this matter to the e-mail address: , along with the title “Data portability– GDPR”.
Right to object
In certain situations, you have the right to object to some operations we perform on your personal data. You may invoke you right:
- when processing of your personal data is based on Article 6(1)(e) GDPR that is, when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Oktawave, including profiling, on grounds relating to your particular situation;
- when processing of your personal data is based on Article 6(1)(f) GDPR that is, when processing is necessary for the purposes of the legitimate interests pursued by Oktawave or by a third party, including profiling, on grounds relating to your particular situation;
- when personal data are processed for direct marketing purposes, at any time and to the extent that it is related to such direct marketing;
- when we process your personal data for purposes related to scientific or historical studies, or for statistical purposes, on grounds relating to your particular situation.
Remember, however, that when despite of your objection we conclude that there are important, legitimate grounds for processing that override your interests, rights and freedoms, or the basis for establishing, pursuing or defending claims, we will continue to process your personal data encompassed by the objection. If you disagree with such an assessment of the situation, you can exercise your right to file a complaint with the relevant public authority (more information below).
For the effective exercise of your rights, please send any objections to the e-mail address: , along with the title “Objection– GDPR”.
Complaints to the relevant public authority
In connection with our actions as the data controller of your personal data, you have the right to file a complaint to the relevant data protection authority.
Of course, if you have any comments about how we do things, we encourage you to first contact our Data Protection Officer - . It is an independent person who, within our structure, is responsible for ensuring that we fulfil the obligations related to the processing of personal data. If we make any mistakes anywhere, DPO will definitely take the appropriate steps.
If you would like to file a complaint to the data protection authority, you can find list of local authorities responsible for data protection across the EU and their contact details at: https://edpb.europa.eu/about-edpb/board/members_en.
In Poland, since May 25th 2018, this function is performed by President of the Personal Data Protection Office (PUODO). A detailed description of the complaint procedure is available on the website maintained by PUODO at: https://uodo.gov.pl/pl/83/155.