Information on the processing of personal data by KSAP

Upholding people’s right to privacy, we hereby offer information on principles under which, objectives for which, and means by which personal data are processed by Poland’s Lech Kaczyński National School of Public Administration (officially Krajowa Szkoła Administracji Publicznej im. Prezydenta Rzeczypospolitej Polskiej Lecha Kaczyńskiego). 

Personal data undergoing processing in the context of the National School meet the criteria set out in provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”, though abbreviated to RODO in Polish).

The Data Controller

The Controller of personal data in this case is Krajowa Szkoła Administracji Publicznej im. Prezydenta Rzeczypospolitej Polskiej Lecha Kaczyńskiego (i.e. the Lech Kaczyński National School of Public Administration, or KSAP), with its seat at Warsaw (post code 00-922), at 56 Wawelska Street. The Controller may be contacted by email at info@ksap.gov.pl, or else by traditional letter to the above address.

The Data Protection Officer

The Controller has designated a Data Protection Officer, with whom contact is possible in all matters linked to the processing of personal data, again by email at iod@ksap.gov.pl, or by letter to the aforementioned seat of KSAP – as annotated “Data Protection Officer”.

KSAP’s data-processing objectives and means, and the basis for them

  1. Pursuit of the mission in intramural training (recruitment, training, students’ first employment in administration, monitoring of the obligation as regards employment)

  • In line with Art. 6 para. 1 letter e of the GDPR – processing is here ”necessary for the performance of a task carried out in the public interest”, i.e. the training and preparation for public service of Civil Servants and higher officials in the administration of the Republic of Poland.
  1. Pursuit of activity as regards training and training projects for employees of public administration
  • Again under Art. 6 para. 1 letter e of the GDPR – the relevant processing is ”necessary for the performance of a task carried out in the public interest”, i.e. the organisation of training courses for public-administration employees. 
  1. The supply of training courses to natural persons other than employees of public administration (in respect of both individual applications and those submitted by employers)
  • Under Art. 6 para. 1 letter b of the GDPR – such processing is “necessary for the performance of a contract” … “or in order to take stepsprior to entering into a contract”.
  1. The running of conferences and other events of an educational or training-related nature 
  • Again under Art. 6 para. 1 letter b of the GDPR – processing is “necessary for the performance of a contract” … “or in order to take stepsprior to entering into a contract”; or under Art. 6 para. 1 letter e of the GDPR – processing is ”necessary for the performance of a task carried out in the public interest”, i.e. the training and preparation for public service of Civil Servants and higher officials in the administration of the Republic of Poland; and/or the organisation of training courses for public-administration employees. 
  1. Activity leading to the concluding and implementation of contracts and other agreements with contrahents, lecturers and trainers, and other entities supplying services to the Controller
  • Under Art. 6 para. 1 letter b GDPR – processing is “necessary for the performance of a contract” … “or in order to take stepsprior to entering into a contract”.
  1. The consideration of complaints and applications
  • Under Art. 6 para. 1 letter c GDPR – processing is “necessary for compliance with a legal obligation to which the Controller is subject” – in this case arising out of provisions of the Code of Administrative Procedure of the Republic of Poland.
  1. The determination, pursuit and defence of claims (e.g. where a Contractor fails to supply a service)
  • Under Art. 6 para. 1 letter f GDPR – processing is necessary for the pursuit of the Controller’s legitimate interests, in this case the determination and pursuit of claims, as well as defence against them. 
  1. Accountancy and financial settlement
  • Under Art. 6 para. 1 letter c GDPR – processing is “necessary for compliance with a legal obligation to which the Controller is subject” – in particular in this case under the Polish regulations on taxation, on accountancy, and on social insurance.
  1. The archiving of documents
  • Under Art. 6 para. 1 letter c GDPR – processing is “necessary for compliance with a legal obligation to which the Controller is subject”.
  1. Dispatch of the KSAP Newsletter
  • Under Art. 6 para. 1 letter a GDPR – there is consent to the processing of personal data for the purposes of the dispatch of the Newsletter.
  1. Visual monitoring at the buildings of the Data Controller
  • Under Art. 6 para. 1 letter f GDPR – processing is necessary for the pursuit of legitimate interests by the Controller, in this case the assurance of an appropriate level of security. 
  1. Recruitment procedures for posts at KSAP
  • Under Art. 6 para. 1 letter c GDPR – processing is “necessary for compliance with a legal obligation to which the Controller is subject” – in this case arising out of Art. 221 of Poland’s Labour Code Act of June 26th 1974.
  1. The pursuit of activity by the School Library
  • Under Art. 6 para. 1 letter e GDPR – processing is ”necessary for the performance of a task carried out in the public interest”, in this case the provision of access to the scientific and cultural output of Poland and the world.
  1. Online or traditional correspondence and the supply of information by telephone
  • Under Art. 6 para. 1 letter f GDPR – processing is necessary for the pursuit of legitimate interests, in this case the supply of a Client with a level of service allowing the latter’s issues and matters to be dealt with. 
  1. The accommodating – in the building of the Data Controller – of persons not engaged in intramural training
  • Under Art. 6 para. 1 letter b GDPR – processing is “necessary for the performance of a contract” … “or in order to take stepsprior to entering into a contract”.
  1. The running of the website
  • Under Art. 6 para. 1 letter b GDPR – processing is necessary for the supply of online services.

Information on data required or given freely

People’s supply of data to the National School is essential if it is to pursue the processes of intramural and extramural training, conclude agreements, and run accountancy in respect of the activity engaged in. This means that those wishing to use services KSAP renders will have no choice but to supply personal data. Likewise, KSAP may also have obtained such data from a person’s employer, at the time the latter registered a requirement for training by the School. In essence, the data transferred in this context comprise given name(s) and surname, post held and email address. Where the sending of the KSAP Newsletter is concerned, data are deemed freely-given, and necessary to avail of the possibility of the Newsletter being received.

Duration of periods of data storage

The Data Controller is obliged to store data for the period necessary for the activities set out above to be pursued – appropriately to each processing task. On that task being completed, there is a compulsory period for which data are to be stored, inter alia as determined by separate provisions in Polish tax law, or the law relating to accountancy, or social insurance, or the archivisation of documents (the Data Controller being bound by the Act on National Archive Resources and Archives – Ustawa o narodowym zasobie archiwalnym i archiwach). Where processing is by consent, data may continue to be processed until such time as that consent is withdrawn.

Means of withdrawing consent

Where the processing of data has been consented to, a person may withdraw from that consent at any time, by sending information to that effect to iod@ksap.gov.pl. However, the withdrawal of consent does not affect the conformity with the law of any processing engaged in before consent was withdrawn.

Making available and transferring data

Personal data may be made available by virtue of binding legal regulations. Data may also be transferred to other processors commissioned by or cooperating with the Data Controller – under agreements concluded that entail conferment of such data, including through parties processing data via ICT-related activity.

Rights enjoyed by data subjects

  • the rights of access to data and to obtain a copy thereof,
  • the right to have data rectified,
  • the right to erasure of data,
  • the right to limitations on data processing,
  • the right to data portability – where the legal basis for processing is consent (Art. 6 para. 1 letter a) or a contract (Art. 6 para. 1 letter b of the GDPR),
  • the right of objection to processing on the part of the data subject – where the legal basis for that processing is legitimate interest (Art. 6 para. 1 letter f GDPR), or where the processing was deemed necessary in the pursuit of tasks in the public interest (Art. 6 para. 1 letter e GDPR)
  • the right to lodge complaints, as exercised through submission to the data-protection Supervisory Authority in Poland, i.e. the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa).

Transfers of data to third parties

No personal data are transferred outside the European Economic Area.

Automatic decision-making

The Controller does not engage in automatic decision-making, including the taking of decisions based on profiling.