Policy of personal data processing

General provisions

1. This Personal Data Processing Policy (hereinafter referred to as the “Policy”) sets forth the rules of personal and project data protection applied by Startup Hub Poland Foundation (hereinafter referred to as SHP or the Foundation).

2. The Policy is an element of the Foundation’s customized information security management system, under which the Foundation defines technical and organizational measures to ensure, among others, the protection of processed personal data appropriate to the threats, their category, size and availability of the Foundation’s resources.

3. The manner of data processing as well as technical and organizational measures referred to in clauses 1 and 2 above have been included in the IT system management instruction used to process personal data covered by the project.


The terms used in the Policy have the following meanings:

  1. Act – the Act of 10 May 2018 on personal data protection (Journal of Laws of 2018, item 1000);
  2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
  3. Personal data – information about an identified or identifiable natural person (“data subject”), whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
  4. Data processing – any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, processing, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  5. Administrator – Startup Hub Poland Foundation;
  6. Verification – activities aimed at verifying the compliance of personal data processing with the Personal Data Protection Regulations;
  7. IT system – a set of cooperating devices, programs, information processing procedures and software tools used to process data at the Foundation;
  8. Other terms used in the Policy have the meaning given to them by the Act, GDPR or the SHP organizational regulations. 

Personal data

  1. SHP processes personal data whose Administrator is Startup Hub Poland Foundation. In addition, SHP processes personal data that has been entrusted to it by third parties in accordance with the principles set out below. 
  2. The Data Controller shall only process personal data for which it has an appropriate legal basis, resulting from the provisions of law, the consent of the data subject or the legitimate interest of the Data Controller or a third party. In case of doubts as to the scope of the consent given, any ambiguity shall be interpreted in favor of the person who gave it. 
  3. The Controller shall process personal data in accordance with the purpose for which they were collected. The Data Controller shall allow processing of data for a purpose other than the one for which the data were collected, but only if the prerequisites specified in the GDPR or the Act are met and if the processing is carried out in a manner consistent with the SHP Policy. 
  4. The controller processes personal data on the basis of the consent of the person or entity to which the data relates, expressed each time by signing an appropriate document and after becoming familiar with the contents of the SHP Policy. The Foundation is not responsible for the personal data of persons implementing a research and development or technology project submitted to the Foundation for analysis, selection and promotion of the project in relation to the Foundation and its partners, which comes to the Foundation through the project application form, and which relates to other members of the submitted projects than the person who accepts the Policy (this applies in particular to personal data of members of the research and development team on behalf of whom a given member of the research and development project acts, e.g. a project leader presenting the staff potential of their project).
  5. Personal data are processed until all the purposes for which they were processed have been achieved. Personal data that have ceased to be processed for a particular purpose are permanently erased or made non-identifiable through anonymization or pseudonymization.
  6. Personal data are processed in both paper and electronic form.

Personal data security

  1. In order to ensure data integrity and confidentiality, the Administrator has implemented procedures which allow access to personal data only to authorized persons and only to the extent necessary due to the tasks they perform. The Administrator applies organizational and technical solutions in order to ensure that all operations on personal data are recorded and performed only by authorized persons. 
  2. The Administrator shall also take all necessary measures to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator. 
  3. The Administrator conducts ongoing risk analysis and monitors the adequacy of applied data security measures to the identified threats. If necessary, the Administrator implements additional measures to increase data security.

Principles of accessing and entrusting data processing 

  1. In case of a request for access to personal data by a third party, the Data Controller shall examine the legitimacy of the request and the purpose for which the personal data are to be processed by the requester. 
  2. SHP may entrust another entity with the processing of personal data. The entrusting of data processing may take place only after the conclusion of a written agreement on entrusting data processing or the signing of another agreement containing provisions regulating the entrusting of data processing. Individuals and entities providing personal data to the Foundation shall be informed of the necessity to transfer their personal data.
  3. The external entity to which the processing is to be entrusted must provide sufficient guarantees – in particular in terms of expertise, reliability and resources – of the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR (in particular regarding the security of the processing) and protects the rights of the data subjects. These principles also apply to the entities to whom the third parties will further share personal data.

Rights of data subjects

The data subjects have the following rights:

  1. right to information about the processing of personal data – on this basis the Controller provides the data subject with information on the processing of personal data, including in particular information on the purposes and legal basis of data processing, the scope of data possessed, the entities to which the data are disclosed, and the planned date of data erasure;
  2. right to obtain a copy of data – on this basis the Administrator provides a copy of the processed data to the person submitting the request;
  3. right to rectification – the Administrator is obliged to remove any inconsistencies or errors in the processed personal data, and to complete them if they are incomplete;
  4. the right to erasure of data – on this basis the erasure of data, the processing of which is no longer necessary for any of the purposes for which it was collected, can be requested;
  5. the right to restrict processing – if such a request is made, the Administrator shall cease performing the operations on personal data – with the exception of operations on which the data subject has given the consent – and their storage in accordance with the adopted rules of retention or until the reasons for the restriction of data processing cease to exist (e.g. a decision is issued by a supervisory authority allowing further processing);
  6. the right to data portability – on this basis – to the extent that the data are processed in relation to the concluded contract or the given consent – the controller issues the data provided by the data subject in a computer readable format. It is also possible to request the data to be sent to another entity, provided that technical capacities of both the Administrator and the other entity exist;
  7. right to object to processing for marketing purposes – the data subject may at any time object to processing of personal data for marketing purposes, without having to justify the objection;
  8. right to object to other processing purposes – the data subject may at any time object to the processing of personal data which is carried out on the basis of a legitimate interest of the Administrator (e.g. for analytical or statistical purposes, or for reasons of property protection); the objection in this regard should contain a justification;
  9. right to withdraw consent – if the data are processed on the basis of an expressed consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of processing performed before the withdrawal of consent.
  10. right to lodge a complaint – if the processing of personal data is considered to breach the provisions of the GDPR or other provisions on personal data protection, the data subject may lodge a complaint with the President of the Office for Personal Data Protection.

Submission of requests for the exercise of rights

A request for the exercise of subjects’ rights may be submitted:

  1. In writing to the address: SHP Foundation, Senatorska 2, 00-075 Warsaw
  2. By e-mail to: mydata@startuphub.pl  
  3. If the Administrator is not able to identify the person submitting the request on the basis of the notification, it will ask the applicant for additional information.
  4. The application may be submitted personally or through a proxy (e.g. a family member).
  5. The application should be responded to within one month of receipt. If it is necessary to extend this deadline, the Administrator shall inform the applicant of the reasons for the delay.
  6. The response shall be provided via postal mail, unless the request was submitted via email or an electronic response was requested.

Procedure in case of a personal data breach

  1. In any situation in which a breach of personal data protection has occurred or is suspected, the person who discovered the incident shall inform a member of the Board of the Foundation.
  2. Any member of the Board of the Foundation shall, in particular, identify and analyze the facts that have occurred, resulting in a written report or memo that includes: a description of the circumstances that occurred, the reasons for the incident, identification of the person or persons guilty of negligence or breach of protection, ways to repair any damage and restore proper operation. The informed member of the Board of the Foundation shall keep a record of all reports of breaches or suspected breaches of data security. 
  3. The informed member of the Board of the Foundation shall take immediate action to remedy the effects of the incident, restore the original state, if possible, and prevent further spread of the threat to the security of data processing. 
  4. The informed member of the Board of the Foundation shall decide on the notification of the supervisory authority for the protection of personal data and, possibly, the police or prosecutor’s office, and shall apply sanctions to persons contributing to or violating the principles of personal data protection on a statutory basis, i.e. in agreement with the Foundation’s Board.