Information on the processing of personal data by KSAP

In seeking to guarantee the right to privacy, we here provide information on the rules, objectives and means linked with the processing of data by Krajowa Szkoła Administracji Publicznej im. Prezydenta Rzeczypospolitej Polskiej Lecha Kaczyńskiego (the Lech Kaczyński National School of Public Administration).

Personal data must be processed in accordance with the provisions of the GDPR (RODO in Polish) – i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

The Data Controller

The Data Controller (Administrator in Polish) is KSAP – Krajowa Szkoła Administracji Publicznej im. Prezydenta Rzeczypospolitej Polskiej Lecha Kaczyńskiego, with its seat in Warsaw (postcode 00-922), at the address Wawelska 56.

The Controller may be contacted by email at info@ksap.gov.pl, or by post at the above address.

The Data Protection Officer

The Controller has designated a Data Protection Officer (Inspektor Ochrony Danych in Polish), with whom contact is possible in all matters linked to the processing of personal data, via email, at: iod@ksap.gov.pl, or by writing to the aforementioned seat of KSAP, with the note “Do Inspektora Ochrony Danych”.

The objectives, means and bases of data processing


1. Pursuit of KSAP’s intramural training task (recruitment, training, first employment, monitoring of obligations as regards employment)

  • Art. 6, para. 1, letter e GDPR – processing being necessary for the performance of a task carried out in the public interest – namely the training and preparation for public service of Officials of the Civil Service, as well as senior personnel of the administration of the Republic of Poland

2. Pursuit of KSAP’s task as regards training and training projects for employees of the public administration

  • Art. 6, para. 1, letter e GDPR – processing being necessary for the performance of a task carried out in the public interest – namely the organising of training courses for employees of the public administration

3. KSAP’s provisioning of training to natural persons other than employees of public administration (in the case of both individuals’ own applications and those made for them by an employer)

  • Art. 6, para. 1, letter b GDPR – processing being necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract

4. KSAP’s organising of conferences and other educational or training-related events

  • Art. 6, para. 1, letter b GDPR – processing being necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract; or Art. 6, para. 1, letter e GDPR – processing being necessary for the performance of a task carried out in the public interest – namely the training and preparation for public service of Officials of the Civil Service, as well as senior personnel of the administration of the Republic of Poland; as well as the organising of training courses for employees of the public administration

5. Activity by KSAP seeking specifically to ensure that a contract is entered into, and then made subject to performance, with Contractors, Lecturers, Trainers and other entities rendering services for the Controller

  • Art. 6, para. 1, letter b GDPR – processing being necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract

6. KSAP’s considering of complaints and applications

  • Art. 6, para. 1, letter c GDPR – processing being necessary for compliance with a legal obligation to which the Controller is subject, in connection with provisions of Poland’s Code of Administrative Proceedings (Kodeks postępowania administracyjnego)

7. KSAP’s determining and investigation of claims, and defence against claims (as for example where a Contractor fails to perform a service)

  • Art. 6, para. 1, letter f GDPR – processing being necessary for the purposes of the legitimate interests pursued by the Controller – in this case the possibility to assess, investigate and defend against claims

8. KSAP’s engagement in accountancy and financial settlement

  • Art. 6, para. 1, letter c GDPR – processing being necessary for compliance with a legal obligation to which the Controller is subject – in particular under legal provisions relating to taxation, accountancy and social insurance

9. KSAP’s archiving of documents

  • Art. 6, para. 1, letter c GDPR – processing being necessary for compliance with a legal obligation to which the Controller is subject

10. KSAP’s circulating of its newsletter

  • Art. 6, para. 1, letter a GDPR – consent to the processing of personal data in order for the newsletter to be circulated

11. Visual monitoring performed in the buildings of the Controller

  • Art. 6, para. 1, letter f GDPR – processing being necessary for the purposes of the legitimate interests pursued by the Controller – in this case the securing of an appropriate level of security

12. Recruiting for employment at KSAP

  • Art. 6, para. 1, letter c GDPR – processing being necessary for the purposes of the legitimate interests pursued by the Controller – in this case by virtue of Art. 221 of Poland’s Act on the Labour Code (Kodeks Pracy) of June 26th 1974

13. KSAP’s engagement in library activity

  • Art. 6, para. 1, letter e GDPR – processing being necessary for the performance of a task carried out in the public interest – in this case the ensuring of access to the output of Polish and world science and culture

14. KSAP’s engagement in online and traditional correspondence, as well as the supply of information by telephone

  • Art. 6, para. 1, letter f GDPR – processing being necessary for the purposes of the legitimate interests pursued by the Controller – in this case the ensuring of an appropriate level of service for Clients seeking to have their matters attended to

15. The supply of accommodation in a building belonging to the Controller to persons not in intramural training

  • Art. 6, para. 1, letter b GDPR – processing being necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract

16. KSAP’s hosting and running of its website

  • Art. 6, para. 1, letter b GDPR – processing being necessary for the rendering of services by electronic means

Information on the obligatory or voluntary supply of personal data

The supply of data is essential if KSAP is to run the processes underpinning its missions in intramural training and the provisioning of training courses, as well as if contracts are to be entered into and accounts settled in regard to the activity engaged in by the National School. This is to say that those wishing to avail of the services KSAP offers will need to supply certain personal data. Likewise, a person’s data can also be received from their employer at the moment a place on a training course is applied for. The data in question in this regard are basically name, post and email address. Where the circulation of KSAP’s newsletter is concerned, the supply of data is voluntary, but also essential if a person is to have any possibility of receiving it.

The period of data storage

The Controller is under an obligation to store data for as long as is necessary in respect of the activities as defined above, and each means of processing that is used. Following completion of the given activity, there is also a period of retention and storage of documentation that is determined by separate regulations in Polish law relating to taxation, accountancy, social insurance and the archiving of documents. In this case, the Controller is associated with Poland’s Act on the National Archival Resource and Archives (Ustawa o narodowym zasobie archiwalnym i archiwach). Where processing takes place on the basis of consent, this may continue until such time as that consent is withdrawn.

Means of withdrawing consent

Where data are processed by virtue of consent given, that consent may be withdrawn at any time by sending an instruction to that effect to iod@ksap.gov.pl. Withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent given prior to the withdrawal.

Data made available and disseminated

Personal data may be made available in compliance with legal regulations in force. They may also be disseminated and transmitted to other processing entities commissioned by or cooperating with the Controller on the basis of agreements entered into in that regard, including where activity involves entities’ rendering services in ICT.

The rights of persons whose data are involved

  • to access their data, and obtain copies,
  • to have their data rectified (corrected),
  • to have their data erased,
  • to limitations on the processing of their data,
  • to portability of data – where the legal basis for processing is consent (Art. 6, para. 1, letter a GDPR) or a contract (Art. 6, para. 1, letter b GDPR),
  • to raise objections in regard to the processing of personal data – if the legal basis for processing is a legally justified interest (Art. 6, para. 1, letter f GDPR), or if processing is essential for the pursuit of a task in the public interest (Art. 6, para. 1, letter e GDPR),
  • to submit complaints to the supervisory authority – i.e. the President (Prezes) of the Office for the Protection of Personal Data (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa).

Transfer of data to third countries

Personal data are not transferred out of the European Economic Area.

Automated decision-making

The Controller does not take automated decisions, including those arising out of profiling.