This Policy is aimed at informing users of the www.virtuslab.com website (the Website) (the Users) about purposes of and legal bases for processing personal data on the Website, the manner of using the data and about related rights available to the Users. The Users’ personal data are always processed in conformity with applicable laws, including in particular pursuant to the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR).
Who is the Controller?
The Controller of the personal data is the group of companies:
- Virtus Lab sp. z o. o. with registered office in Rzeszów (35-211), Zofii Nałkowskiej Street no. 23, Tax Id. No. 5170312965, Industry Id. No.: 180526627.
- VirtusLab Ltd. with an office on Level 18, 40 Bank Street HQ3 Canary Wharf. London, E14 5NR Registration No: 9793578, Registered in UK, VAT No: GB 223 5272 33.
- VirtusLab GmbH with an office on Haus 2, 5. Etage Potsdamer Platz 10, 10785 Berlin
HRB 209644 B, Tax Id. No. DE326092631.
- Sensinum sp. z o. o. with an office on Szlak Street no. 49, in Krakow (31-153), Tax Id. No. 6772376062, Industry Id. No.: 12289924000000.
- VL Group sp. z o. o. with an Office on Zofii Nałkowskiej Street no.23, 35-211 Rzeszow, Tax Id. No. 6793248547, Industry Id. No.: 52312994400000.
- Luminis Research sp. z o. o. with an Office on Zofii Nałkowskiej Street no. 23, 35-211 Rzeszow, Tax Id. No. 5170308981, Industry Id. No.: 18050565400000, referred to as (Co-Controllers).
The Controller / Co-Controller acting as a lead Company in the processing of personal data appointed a Data Protection Officer (DPO) Mr. Mariusz Zajkiewicz, who can be contacted using the email address: [email protected] or by traditional mail to the company’s address.
Purposes of, and legal bases for, processing of personal data
- E-mail correspondence:
Personal data are processed to pursue the Controller’s / Co-Controller’s legitimate interests (Art. 6.1.f of the GDPR). Personal data are provided on a voluntary basis, but the provision thereof is necessary to receive a reply from the Controller / Co-Controller. In such a case, personal data are processed due to the Controller’s / Co-Controller’s legitimate interests. The Controller’s / Co-Controller’s legitimate interests consist in communicating with an individual who requests of the Controller / Co-Controller to provide an answer.The correspondence may be conducted for many reasons which are hard to categorize. The messages may be sent as a result of organizing various events, existing or possible contracts, technical advice, financial settlements, etc.
- Recruitment process and future recruitment processes:
Personal data are processed for the purpose of fulfilling the Controller’s / Co-Controller’s legal obligations arising in particular from Art. 22  of the Polish Labour Code (Art. 6.1.c GDPR), as well as for the purpose of taking pre-contractual action at the Candidate’s request and for the performance of the contract (Art. 6.1.b GDPR). In the case of other recruitment data, the calculation of additional remuneration related to the employment referral and for the purposes of future recruitment processes – also on the basis of the data subject’s consent (Art. 6.1.a GDPR). The provision of personal data is a statutory requirement and is necessary for the conclusion of a contract; if it is not provided, the conclusion of a contract will not be possible. For other recruitment data and for future recruitment processes, consent can be withdrawn at any time – without affecting the lawfulness of the processing before withdrawal.
- Newsletter distribution:
Personal data are processed on the basis of consent of a data subject (Art. 6.1.a of the GDPR), and in the case of direct marketing – also to pursue the Controller’s / Co-Controller’s legitimate interests (Art. 6.1.f of the GDPR). The Controller / Co-Controller ends out a newsletter to the Users who have provided their e-mail address for this purpose. Personal data are provided on a voluntary basis. The User may withdraw their consent at any time – without affecting the lawfulness of processing prior to the withdrawal. In case of sending the Controller’s / Co-Controller’s commercial information, a legal basis for processing, including profiling, involves the Controller’s /Co-Controller’s legitimate interest. The Controller’s / Co-Controller’s legitimate interest consists in carrying out direct marketing activities;
- Conclusion and performance of an agreement:
Personal data are processed in order to take up activities, at the User’s request, prior to the conclusion of an agreement (e.g. to submit an offer) and to perform an agreement (Art. 6.1.b of the GDPR). Providing personal data is necessary for an agreement to be concluded; if they are not provided, it shall be impossible to conclude an agreement;
- Direct marketing of own services, pursuit of and protection against legal claims, fraud prevention, statistics and analytics, ensuring ICT environment security, and application of internal control systems:
Personal data are processed to pursue the Controller’s /Co-Controller’s legitimate interests (Art. 6.1.f of the GDPR). The Controller’s /Co-Controller’s legitimate interest consists in a possibility to undertake the aforementioned activities;
- Financial settlements:
Personal data are processed in order to comply with the Controller’s /Co-Controller’s legal obligations resulting in particular from accounting policies and tax related regulations (Art. 6.1.c of the GDPR). The provision of personal data is a statutory requirement.
Recipients of personal data:
Personal data may be processed by the the Controller’s /Co-Controller’s service providers rendering, among others, financial settlements, legal, advisory, consulting, audit, marketing, archiving, IT, courier, postal services, and by the entities from the Virtus Lab Group. A subset of Candidate’s data may be shared with a partner company if a Candidate agrees. The Users’ data will not be shared with any other third parties, unless this proves necessary and the User consents thereto or a data disclosure obligation results from mandatory rules of law, a final and non-appealable court judgment or a final decision of a relevant body. On the Website, there can be references to other webpages. The the Controller /Co-Controller shall not be liable for the processing of personal data connected with the use of these webpages by the User. Having moved to the other webpages, the User should first consult their privacy policies and personal data protection procedures. The the Controller /Co-Controller shall not transfer personal data to any third parties outside the EEA or to any international organisations unless this proves necessary, e.g. for the recruitment process. The personal data will be transferred only if the entities comply with GDPR requirements.
What does profiling involve and are any data on the Website subject to profiling?
Profiling consists in any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning a data subject’s work performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning the data subject or similarly significantly affects the data subject. Data on the Website may be profiled exclusively with regard to a newsletter, which includes direct marketing, if it has been applied. If, following the Website’s development, personal data were to be profiled, the Controller /Co-Controller will inform the Users thereof, and profiling will be carried out in accordance with relevant regulations. In case of profiling, the Controller /Co-Controller shall implement appropriate measures safeguarding rights, freedoms and legitimate interests of the Users, including ensuring an option of a human intervention at the Controller’s /Co-Controller’s side and a possibility to express a personal position and challenge a decision.
How can personal data be changed?
The User has the right of access to content of their personal data and the right of rectification and erasure of the personal data, the right to restrict processing of the data, the right to data portability and the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Further, the User has the right to object to processing of their personal data, including in particular to profiling. To this end, the User can contact the Controller /Co-Controller at the e-mail address: [email protected]. The User can contact the Controller /Co-Controller also otherwise as preferred.
How does the Controller /Co-Controller protect personal data?
The Controller /Co-Controller protects the Users’ data against unauthorised access, disclosure, change or destruction. In particular, the Controlle /Co-Controller makes use of data encryption, physical security measures and verification in IT systems. Further, the Controller /Co-Controller uses anti-virus software and firewalls. The Users’ data may be accessed exclusively by authorised individuals bound by confidentiality and subcontractors that have entered into personal data sub-processing agreements with the Controller /Co-Controller.
How long will personal data be processed?
The Users’ data shall be processed for as long as the Users use the Website or in relation to cooperation with one of the Co-Controller.
In case of processing personal data:
- in connection with e-mail correspondence – personal data shall be processed for a period necessary to provide the User with an answer or until the User raises an effective objection. The correspondence may be one-time, regular or rare but with new messages every now and then. Therefore, it may be stored due to possible continuation of discussions. Current relevance of personal data is, however, checked at least once a year;
- In connection with the recruitment process – Candidate data will be processed for the duration of the recruitment process up to 45 days and in connection with the need to calculate the additional remuneration linked to the employment recommendation for a maximum of 24 months. With regard to potential claims, for a maximum of 36 months. For the use of the Candidate’s data in future recruitment processes and for other recruitment data, the data will be processed until consent is withdrawn, but for a maximum of 36 months.
- in connection with newsletter distribution – the Users’ data shall be processed until consent is withdrawn or an objection is effectively raised;
- prior to the conclusion of an agreement or in connection with the performance thereof, personal data shall be processed for the duration of an agreement performance term, and if an agreement has not been concluded – until either party resigns from concluding an agreement, regardless of a reason;
in case of financial settlements – personal data shall be processed for a period of five years from the end of a calendar year when a transaction has been conducted.
Personal data may also be processed upon the lapse of the indicated periods, until any potential legal claims are time-barred or for as long as is possible or required in compliance with applicable laws. In particular, if a processing period based on a given legal basis has expired, this shall not mean that personal data may not be processed based on another legal basis. Upon the lapse of a processing period, in the absence of any bases for processing, personal data shall be permanently deleted or anonymised.
Other data processing related rights of the Users
The Users have the right to file a complaint with the President of the Personal Data Protection Office if they consider that their personal data are processed in breach of mandatory rules of law.
This Policy and any amendments hereto shall apply as of the moment when they are published on the Website.
COOKIES POLICY VIRTUS LAB
This Policy is aimed at informing users of the www.virtuslab.com website (the Website) (the Users) about purposes of storing and gaining access to cookies in the Users’ terminal equipment and about options to set terms of storing or gaining access to the cookies through browser settings or service configuration. The Website’s controller (the Controller /Co-Controller) might store the cookies in the Users’ terminal equipment and have access thereto.
What are cookies?
Cookies are information saved in text files sent by the Website to the User’s browser and resent by the User’s browser when the User re-visits the Website. The cookies are stored in the User’s terminal equipment (computer, laptop, smartphone). They are used to maintain the User’s session and to save other data so that the User does not need to enter the same information whenever they use the Website. Among other things, the cookies remember a website name, data of the User’s browser, unique settings and a period for which the data will be stored. Data saved in the cookies are not matched with individual Users of the Website.
Change you settings here:
What kind of cookies are used by the Website?
Session cookies – files stored in a browser’s memory until it is closed, required for the Website’s functionalities to operate correctly.
Permanent cookies – files stored in a browser’s memory for a specific period. Among other things, they guarantee the proper navigation and layout of the Website. A period for which these files are stored depends on a choice which the User can make in their browser settings. This type of the cookies allows for information to be passed to the Website whenever the Website is visited by the User.
Analytics cookies – files stored in a browser’s memory for the purposes of website traffic statistics and analytics. The analytics service is provided by Google Inc., as part of Google Analytics, Hotjar Ltd., as part of Hotjar. Information obtained with the use of those tools is not shared with any entities other than Google/Hotjar, and serves only to report the User’s interactions on the Website.
Advertising cookies – files stored in a browser’s memory in order to match advertising content with the User’s behaviour on the Website. An advertising service is provided by Facebook, Inc. as part of Facebook Pixel, Google, Inc., as part of Google Ads, LinkedIn Corporation as part of LinkedIn Ads, Twitter, Inc. as part of Twitter Ads. Any information obtained in this manner might be shared with advertisers and partners that cooperate with the Controller.
Who is the Controller of the Website?
The Website’s Controller / Co-Controller is Virtus Lab Sp. z o.o. with registered office in Rzeszów (35-211), Poland, ul. Zofii Nałkowskiej 23, National Court Register entry No. KRS 0000349785, Tax Id. No. (NIP) 5170312965, Industry Id. No. (REGON) 180526627.
The Controller / Co-Controller has appointed a Data Protection Officer (DPO) Mr. Mariusz Zajkiewicz, who can be contacted using the email address: [email protected] or by traditional mail to the company’s address.
The User’s browser might by default allow for storing of the cookies. At any time, the User can set terms of storing and accessing data saved in the cookies, through browser settings. The cookies can be blocked; an option of storing the cookies can be restricted (e.g. by informing the User about installation of the cookies on a case-by-case basis) or access to the cookies can be limited; however, any blocking or restricting of the cookies may affect the Website’s quality or even prevent the proper display of the Website on the User’s terminal equipment. Detailed information on the options and manner of handling the cookies is available in browser settings. More information on cookies management is available in a given browser’s functionalities.
This Policy and any amendments hereto shall apply as of the moment when they are published on the Website.