Privacy Policy

Personal data at Asseco Data Systems S.A. is processed on the basis of applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) and the Polish Data Protection Act of 10 May 2018 (hereinafter: “Act”).
This Privacy Policy specifies the principles for personal data processing at Asseco Data Systems S.A. as well as within Internet websites operated by Asseco Data Systems S.A.

Personal Data Controller

  1. Personal Data processed within the company for various purposes related to its business operations shall be administered by Asseco Data Systems S.A. with the seat in Gdańsk, 11 Jana z Kolna Street, 80-864 Gdańsk, entered into the Register of Entrepreneurs of the National Court Register under KRS number 0000421310, kept by the District Court for Gdańsk-Północ in Gdańsk, VIII Commercial Division of the National Court Register, NIP (Tax ID) 517-03594-58, REGON (Statistical number): 180853177, whose share capital amounts to PLN 120,002,940.00 (fully paid up);
  2. You can contact us:
    • by post (traditional mail), writing to the address indicated above;
    • by e-mail at:;
    • by phone: +48 58 550 95 00.
  3. Data Protection Officer
    We have appointed a Data Protection Officer whom you can contact:
    • by post (traditional mail), writing to the address: Asseco Data Systems S.A., Biuro w Łodzi (Łódź Office), 136 Narutowicza Street, 90-146 Łódź,
    • by e-mail at:,
    • by phone: +48 42 675 63 60.
  4. Asseco Data Systems S.A. complies with all privacy protection and processing principles set out in GDPR also with regard to data entrusted by other Controllers or Trusters.

What is personal data and how do we process it

  1. Personal Data — all information about an individual identified or identifiable by one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier, and information collected through cookies and other similar technology.
  2. The Personal Data Controller processes data in accordance with the following principles:
    1. Fairness and lawfulness — meaning that data will be processed fairly, in accordance with correctly identified, GDPR-compliant legal bases that are appropriate to the particular processing activity. The Personal Data Controller identifies and determines the appropriate legal basis for each processing activity.
    2. Transparency — meaning that data subjects are informed in a transparent, accessible and understandable way about who will process their data, on what basis, for what purpose, to what extent and for how long. Data subjects are further informed about: the recipients of the data, their rights and how to exercise them, and whether the data will be transferred to countries outside the EU and whether the data will be subject to automated decision-making and, if so, what impact this will have on the data subject. The Personal Data Controller ensures that the information obligation will be fulfilled:

      • in the case of data collection from the data subject, at the latest at the time of collection,
      • if the data is collected from a source other than the data subject, at the latest within 30 days of collection;

    3. Purpose limitation — meaning that personal data is collected and processed for specific, explicit and legitimate purposes and that it is not further processed in a manner incompatible with those purposes.
    4. Data minimization — meaning that data is adequate and limited to what is necessary to achieve the purpose for which it is processed.
    5. Correctness — which means that the processed data is correct, truthful and, if necessary, subject to updates.
    6. Storage restrictions — which means that data will be kept in a manner that identifies the data subject for no longer than is necessary for the purposes for which the data is processed.
    7. Integrity and confidentiality — which means that the data is processed in a manner ensuring its adequate security, and in particular in a manner ensuring protection against: accidental or unauthorized loss, modification, damage or destruction. The Personal Data Controller ensures data security through the use of adequate technical and organizational measures. The Personal Data Controller shall develop a personal data protection system taking into account the risks defined in their organization to which the processed data is exposed (risk-based approach). A description of the measures used is included in this document.
  3. The Personal Data Controller strives to ensure that each process, solution or business idea, already at the design stage, is analyzed in terms of the use of personal data in this solution and takes into account the protection of such data. This analysis should be carried out further, also during the processing itself (privacy by design).

What personal information may be collected by the Internet website

  1. During the User’s visit to the Website, the following information is collected automatically by means of Google Analytics or Cookies:
    1. IP address and domain name,
    2. the type of Internet browser used,
    3. device-related data, e.g. operating system.
  2. The Internet website automatically downloads geographic data as well as data on the activities performed by the User, which will be used only for marketing or statistical analyses. The Controller does not carry out any actions aimed at identifying natural persons using the data collected via the Internet website.
  3. On some of its Internet websites, Asseco Data Systems S.A. employs mechanisms for profiling particular usage within a given Internet website. These Internet websites collect data on User activity, namely: the history of searches, clicks, visits to a given Internet website and its subpages, User login and registration dates, data on the use of specific services. The profiling of the listed information may result in receiving personalized information related to the User’s activity within the Internet website.

Use of Cookies

  1. When using the Internet website, Double Click Cookies are stored in the storage memory of the device used by the User, which:
    1. collect information on how the User uses the content of the Internet website (they contain a randomly generated 18-digit, unique identifier assigned to Internet browsers installed on specific User devices),
    2. are used for storing the data of a logged-in User to a given Internet website (active sessions) concerning, among others, the chosen language of the website, settings of search filters, User data (login or name) used for logging into the given website or the authorization token in the given website.
  2. The device identifier stored in the Double Click Cookie is added to a remarketing list which is stored on Google servers and then grouped according to specific categories.
  3. The information stored in the Cookie files on the User’s device’s storage is then used for remarketing purposes.
  4. Remarketing is the use of data collected in cookies by external providers in order to display advertisements on the basis of data collected during User’s use of the Internet website.
  5. The User can independently manage cookies in their web browser by selecting the following tab in the browser options: Privacy and Security. The User may also opt out of receiving ads, using Google’s ad opt-out option or on the Network Advertising Initiative website.
  6. Cookies in no way modify other data stored in the User’s device’s storage, nor do they affect the proper operation of the operating system.
  7. The Controller does not use cookies to directly identify Internet website Users.

Principles of sharing and entrusting personal data

  1. The Personal Data Controller shares (and entrusts) personal data with other entities (data recipients) on the basis of:
    1. legislation in force
    2. business decisions on outsourcing selected parts of the business.
  2. When data is shared with entities to which the Personal Data Controller subcontracts services in their name and on their behalf, a written processing entrustment agreement is required. The decision to entrust is preceded by an analysis of the entity’s credibility and reliability.
  3. Each decision regarding outsourcing of services requires that it be analyzed by the Personal Data Controller also in terms of entering into a processing entrustment agreement.

Exercise of data subjects’ rights

Asseco Data Systems, acting as the controller of personal data, ensures the possibility of exercising the rights of data subjects whose data it processes. Requests based on the rights of data subjects can be submitted:

  • by applying at,
  • by writing to the email address of the Data Protection Officer:,
  • by reporting directly to one of the controller’s offices and making the request in person.

Providing information to data subjects

Asseco Data Systems S.A., as the controller, provides each natural person with information about the processing of their personal data. The Data Controller shall respond to an individual’s request as to whether it processes their personal data. If it does process their data, it grants access to the personal data and provides information about:
• the person and contact information of the controller,
• the person and contact details of the Data Protection Officer,
• the purpose of processing,
• the legal basis for the processing,
• information about the recipients or categories of recipients to whom the data will be disclosed,
• the intended retention period of the personal data,
• the right to request rectification, erasure or restriction of data processing, data portability and to object to such processing (the rights belonging to the data subject depend on the basis of the processing in question),
• the right to lodge a complaint with the supervisory authority for the protection of personal data,
• information about the intention to transfer data outside the EU,
• information on the obligation to provide data and the consequences thereof,
• information about whether the data will be processed by automated means and whether it will be subject to profiling,
• the categories of data involved and the source from which the person’s data was obtained — if not directly from the person.

In accordance with the principle of transparency, the information specified above is provided to the data subjects in the information clauses.

Data security

Asseco Data Systems makes every effort to protect the data processed in its enterprise according to the highest standards. The company shall conduct a risk analysis for the processing activities for which it is the controller and for the processing of data, which is entrusted to it for the purpose of processing, in order to select the optimum technical and organizational measures by which to ensure the confidentiality, integrity and availability of personal data.
The Personal Data Controller will regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of processing and adjust security measures according to the results of the measurements.
Asseco Data Systems regularly conducts internal audits and is subject to an independent assessment carried out by external auditing firms with regard to standards: ISO 9001, ISO 27001, ISO 22301.