Privacy Policy

Introduction

Data protection and information security have always been a priority in the activities of SPOC S.A. Giving an example of the conscious and responsible organization, we want to inform you about the proper matters relating to the processing of personal data, especially about the content of new provisions on the protection of personal data, including the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). We are aware that information has a special value that should be protected in an appropriate manner. For the security of your data, in this document, we provide key information on the legal basis for the processing of personal data, their use, and acquisition.

SPOC S.A.

SPOC S.A. with its registered office at ul. Szyperska 14, Poznań 61-754, hereinafter referred to as the “Company”.

The largest and most experienced ServiceNow partner in Poland. Since 2010, SPOC has been providing its customers with solutions for the management of business services and processes.

When does this Policy apply?

This privacy policy applies to all cases in which SPOC S.A. is the Controller (administrator) of personal data and processes personal data. This applies both to personal data obtained directly from the data subject and such that we have obtained from other sources. SPOC S.A. performs its information obligations in both situations mentioned above, specified in art. 13 and art. 14 GDPR in accordance with these provisions.

SPOC S.A. is the administrator of marketing processes (including managing accounts on social networks), IT contractors (including IT systems in which personal data of e.g. contractors are collected), security incidents, and also coordinates employee recruitment processes. The Company also operates websites www.spoc.pl and www.spoc.eu, and thus it coordinates the processing of personal data sent via the forms available on the websites (e.g. as part of the contact form).

Scope, methods and purposes of data processing

We would like all information regarding the methods and legal grounds for the processing of personal data, as well as the purposes for which we process them, to be understandable. We encourage you to read the list of personal data processing operations presented below.

Processing of personal data of persons visiting the websites operated by SPOC S.A. or using our electronic services

Each of the natural persons using the services we provide electronically or visiting our website has control over the personal data that they provide for us. We hereby inform you that the user data obtained in this way is limited to the minimum necessary to provide services at the expected level.

Cookies

To a limited extent, we may collect personal data automatically via cookies on our websites. Cookies are small computer data files, saved and stored on your computer, tablet, or smartphone for use of websites. Typically cookies contain the name of the page of their origin, time of their storage on the device, and a unique number.

On the website, visitors will be presented with information about cookies in accordance with legal provisions until they accept/closes this information. Data on accepting the information will be saved in cookies on the visitor’s computer.

Cookies are used to:

1. adapt the content of the Website pages to the User’s preferences; in particular, these files allow to recognize the device of the Website User and display the website properly;
2. prepare statistics that allow the structure and content to be improved;

The website uses two types of cookies: session cookies and persistent cookies. Session cookies are temporary files stored on the User’s end device until logging out, leaving the website or closing the software (web browser). Persistent cookies are stored on the User’s end device for the time specified in the cookie file parameters or until they are deleted by the User.

The website uses the following types of cookies:

1. “necessary” cookies, enabling the use of services available on the website;
2. cookies used to ensure safety;
3. “performance” cookies, enabling the collection of information on the use of web pages;
4. “functional” cookies, enabling “remembering” the settings selected by the User and personalizing the User interface.

In many cases, the software used for browsing websites (web browser) allows cookies to be stored on the User’s end device by default. Website users can change their cookie settings at any time. These settings can be changed

in particular in such a way as to block the automatic handling of cookies in the settings of the web browser or inform about every instance of their being saved on the device of the Website User. Detailed information on the possibilities and methods of handling cookies is available in the software (web browser) settings.

Please be advised that restricting the use of cookies may affect some of the functionalities available on the website pages.

Cookies saved on the Website User end device can also be used by partners and advertisers cooperating with us.

Online applications and forms

Visitors to the website of SPOC S.A. may contact the Company by filling out the contact form. When using the forms, it is necessary that you provide us with your personal data. These data are processed only within the framework and for the purpose for which they were provided and with your express consent. In the context of contact forms, consent is expressed through your intentional action (the so-called final consent), i.e. sending the form and providing personal data.

Use of Social Plug-ins

On the websites https://spoc.pl/ and https://spoc.eu we use Social Plug-ins (“Plug-ins”): Facebook, Google+, LinkedIn, and YouTube. We use the so-called double-click solution. This means that when visiting our website, no personal user data is passed on to the plug-in providers by default. You can recognize the plug-in provider by the logo. We provide the possibility to communicate directly with the plug-in provider via the relevant button. Only after the user’s clicking the check box and its activation, the plug supplier receives information about its access to the page with the offer of our Website. After activating the plug-in, your personal data is transferred to the respective plug-in provider and stored on its servers (in the case of American providers in the USA). As the plug-in provider collects this data mainly via cookies, we recommend that you delete all of them via the options in your browser’s security settings before clicking on the gray frame.

As far as the data collected by the plug-in providers is concerned, we have no influence on them or their processing. Neither do we know the full scope of their collection, the purpose of their processing or the duration of their storage. We also have no information on their deletion.

The plug-in provider stores the data provided by the user/user data in the form of a user profile and uses it for the purposes of advertising, market research, and/or designing its website based on the preferences of the users. Such analysis is carried out (even for users who are not logged in) mainly to present advertisements tailored to individual preferences and to inform other users of the respective social network about the user’s activity on our website. The user has the right to object to the creation of these user profiles. To do this, they must contact the provider of the respective plug directly. Thanks to the plug-in mechanism, the user has the ability to integrate with social networks and other users, and this will allow us to improve our offer and make it better suited to the preferences of the users. The legal basis for the use of plug-ins is set out in art. 6 sections 1 sentence 1 (f) GDPR.

The data is provided regardless of whether the user has an account with the plug-in provider and is logged in there. If you are logged in to your account with the plug-in provider, the data collected on our website is assigned directly to your user account with the plug-in provider. If you press the activated button and, for example, share the page, the plug-in provider also saves this information in your user account and makes it publicly available to your friends. We recommend that you log out regularly after leaving the social network, especially before activating the button, as this way you can avoid assigning to your profile with the plug-in provider.

Further information on the purpose and scope of the data collection and its processing by the plug-in provider can be found in the privacy policy of the plug-in provider. It also provides information on user rights and settings enabling the protection of privacy

Photographs

Photographs and icons presented on the website are the property of SPOC S.A. or they come from photograph and icon stocks such as Dreamstime, Freepik, Flaticon, or were purchased from agencies as materials for the site.

Processing of personal data of persons contacting SPOC S.A. in order to obtain information about the offer, comment on the services or to conclude a contract

The following personal data are collected from natural persons that contact SPOC S.A. in order to obtain information about the offer, express their views, comments, and also to conclude an agreement: name and surname, e-mail address, and phone number.

We kindly ask you not to provide information that contains special categories of personal data, listed in art. 9 sec. 1 GDPR (information about race or ethnicity, political views, religious or philosophical beliefs, trade union membership, information regarding physical or mental health, genetic data, biometric data, information about sexual life or sexual orientation and criminal history) via websites. If you provide such information for any reason, it will constitute your express consent to the collection and use of such information by us as set out herein or as specified in the place where the information was disclosed.

Processing of personal data of customers and potential customers

SPOC S.A. processes the personal data of its customers and potential customers. Among them may also be the data of contact persons on the side of customers and potential customers (and their employees). These personal data are processed in IT systems used by SPOC S.A., including in the CRM system. Personal data processed for these purposes include name and surname, employer name, the position of the contact person, telephone number, e-mail address, or other business contact details.

Processing data of persons visiting the business profile of SPOC S.A.

Data of Users who liked the business profile of SPOC S.A. on Facebook at: https://www.facebook.com/spocpl, or LinkedIn at: https://www.linkedin.com/company/spoc-servicenow-elite-partner/ will be processed in order to administer and manage the above-mentioned business profile of SPOC S.A., communicate with Users, including answering questions, interacting, informing about organized events, interesting information, services and products offered by the Controller, creating a community on Facebook. Therefore, as the Controller of the above-mentioned business profiles, SPOC S.A. may use the functions provided by Facebook or LinkedIn to generate anonymous statistical data on people visiting the website. The basis for data processing is consent. The user voluntarily decides to like/follow/interact on the profile/page/group on a given social networking site. The rules applying to the business profile of SPOC S.A. on Facebook/LinkedIn are set by the Controller, however, the rules of staying in the Facebook social network result from the regulations of the Facebook company (Co-controller), and in the case of LinkedIn from the regulations of the LinkedIn company. You can stop following or even block the Controller’s profile created on Facebook/LinkedIn at any time. Due to the specificity of the platforms used by the Controller, only after choosing the “block the user” option, no content created by the Controller will be displayed to you. Other content available on a given social platform is universally available. Withdrawal of consent does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.

The Controller processes publicly available personal data, such as name, surname, or general information, which are placed on Users’ profiles and available to the public. The processing of other personal data is carried out by the social networking site Facebook/LinkedIn on the terms contained in its regulations. On no account shall the data of

people who liked the business profile of SPOC S.A. on Facebook/LinkedIn be used for any purpose other than the one for which they were provided. Personal data may be transferred outside of Poland, the European Union, and the European Economic Area in the scope of the functioning of these social networks.

In addition, the Controller points out that Facebook data is collected thanks to cookies, each of which contains a unique user code (they are active for two years and saved by Facebook on the hard drive of the computer or on any other data carrier of people visiting the profile). The user code that can be linked to the connection data of users registered on Facebook is downloaded and processed when the business profile is opened. Although these data are anonymous, SPOC S.A. may ask Facebook to process them in the scope of:

– demographic data (e.g. trends in age, gender, marital status, and professional status),

– information on lifestyle and interests,

– geographic data to identify where special promotions or events should be held, how best to target our information offer.

Additional information in relation to electronic correspondence

If you wish to write an e-mail to us, please note that unencrypted e-mails sent over the Internet are not sufficiently protected against unauthorized access by third parties.

Processing data of persons applyinh for work

Data of job applicants are collected for the purposes of ongoing recruitment and pre-contractual actions. The Company may also process data if the job applicant has consented to their processing, e.g. for future recruitment.

Data of job applicants will be processed by us during the recruitment process and a maximum of three years after its completion, i.e. until the expiry of the claim limitation period.

Where the processing takes place on the basis of consent to participate in future recruitment procedures, personal data will be processed until its withdrawal.

Legal basis for processing data

The processing of data of visitors to the website operated by the SPOC S.A., using the services provided electronically or posting on the business profile of SPOC S.A., on social networking sites has different legal bases, depending on the categories of personal data processed and the purpose of the processing. We process the personal data of visitors to our websites on the basis of the legitimate interest of the Data Controller (Article 6 (1) (f) GDPR) or on the basis of consent if we have asked the data subject for such consent (Article 6 (1) (a) GDPR). We process the data of people who fill in the online/contact form because it is necessary for

the performance of the contract or taking steps to conclude it, at the request of the person providing their data (Article 6 (1) (b) GDPR), on the basis of consent (Article 6 (1) (a) GDPR), or on the basis of the legitimate interest of the Controller, which is to answer the question asked (Article 6 (1) (f) GDPR). The data of people visiting our fanpage are processed in accordance with the rules of using Facebook, based on the User’s consent (Article 6 (1) (a) GDPR).

The processing of personal data in contact with SPOC S.A.

The processing of personal data provided to acquire information about the offer, comment on services, or contact us for the conclusion of a contract is based on the consent expressed by the user sending the inquiry to SPOC S.A. (Article 6 (1) (a) GDPR) or to perform the contract (fulfill the request) submitted by a given person (Article 6 (1) (b) GDPR). The provided data may also be processed on the basis of the justified purpose of the Data Controller (Article 6 (1) (f) GDPR).

The processing of personal data of natural persons who are potential customers is based on:

a) the justified interest of SPOC S.A. as a data Controller (especially in the field of creating a database, direct marketing of own products); (Article 6 (1) (f) GDPR);

b) consent (including, in particular, consent to e-mail marketing or telemarketing); (Article 6 (1) (a) GDPR).

Period of data processing

SPOC S.A. processes personal data and stores them for a period of time depending on the legal basis constituting the legal condition for the processing of personal data. Please be advised that if SPOC S.A. processes personal data on the basis of:

1. consent, the processing period lasts until the data subject withdraws their consent or the purpose of processing has been achieved;
2. the legitimate interest of the Controller, the processing period lasts until the cessation of the above-mentioned interest (e.g. the limitation period for civil law claims) or until the data subject objects to further processing – in situations where such objection is permitted under the law;
3. the applicable law, the periods of data processing for this purpose are determined by these provisions.

In the absence of specific legal or contractual requirements, the basic data retention period for records and other documentary evidence prepared in the course of contract performance is a maximum of 6 years.

Data recipients

We provide personal data to other entities on the basis of legal requirements or in connection with the implementation of the purpose for which they were provided to us. At the same time, we declare that we only use the services of proven entities, known on the local market and guaranteeing data security. The data processing agreements concluded by us

contain provisions on the protection measures we require, ensuring the confidentiality, integrity, and availability of the data provided.

We may transfer personal data to companies or other trustworthy business partners who provide services on behalf of the Company and entities with whom we cooperate. In addition, the data may be transferred to providers of services such as debt collection, tax, legal, and accounting services. Personal data is transferred to these entities and other third parties only if it is necessary to perform the services requested by data subjects or authorized by them to protect rights, property, or security, or if the Company is obliged to do so under applicable laws, court regulations or regulations of other offices or if the disclosure of personal data is otherwise necessary to support legal arrangements, including under criminal law, or a court process.

In addition, authorized employees of the Company will have access to personal data.

Rights relating to the processing of personal data

The rights of natural persons with regard to the processing of personal data include:

a) The right to access your personal data;

b) The right to correct data;

c) The right to limit data processing;

d) The right to request deletion of data;

e) The right to transfer data to another data Controller.

You can exercise the above-mentioned rights by contacting us at gdpr@spoc.eu or by letter to the following address: SPOC S.A., ul. Szyperska 14, Poznań 61-754.

Natural persons have specific rights regarding their personal data, and the SPOC S.A. as their Controller is responsible for the implementation of these rights, in accordance with applicable law.

We would also like to inform you that each natural person has the right to object to the processing of their personal data. If personal data are processed based on a legitimate purpose, a natural person has the right to object for reasons related to their particular situation. If they exercise this right, the Company will cease processing data for this purpose unless it demonstrates the existence of legally valid grounds for the processing, overriding the interests of the natural person, their rights and freedoms, or the grounds for establishing, investigating, or defending claims.

The wish to exercise the right to object may be sent by e-mail to: gdpr@spoc.eu or by letter to the following address: SPOC S.A., ul. Szyperska 14, Poznań 60-754.

Changes to this Privacy Policy

We shall review this Privacy Policy on a regular basis and amend it when it proves necessary or desirable due to: new legal regulations, new guidelines of authorities responsible for supervising the processes of personal data protection, best practices applied in the area of personal data protection. Current version (version 1) has been released on 30.07.2021.