Privacy Policy GDPR Compliance

We engage in various activities related to supporting sales processes for our Partners, and we are well aware that the protection of personal data is a crucial element in constructing sales processes. Compliance with GDPR is essential for both us and our Partners. Due to the many myths surrounding GDPR, we have decided to prepare a privacy policy along with explanations.

GDPR is a European Union regulation. It has legal force and applies simultaneously in every EU country without requiring member states to implement it through internal legislation.

GDPR pertains to the protection of personal data of individuals. Therefore, the regulation does not address the protection of data related to companies or organizations.

Is the expression “John Smith” considered personal data? Article 4(1) of GDPR states that “personal data means any information relating to an identified or identifiable natural person.” The key element of this definition is IDENTIFICATION. This means that depending on the circumstances, certain information may or may not be considered personal data. Therefore, in response to the initial question of whether the expression “John Smith” is personal data: it depends.

  • – Let’s imagine a situation where the expression “John Smith” appears on a company’s website under the “Our Team” section, along with the designation “Project Manager” – in this case, there is no doubt that the identification of such an individual is possible. Therefore, in this case, we will be dealing with personal data.

  • – On the other hand, we can also easily imagine a situation where we see the expression “jan.kowalski@gmail.com” without any additional information, written on a piece of paper attached to a lamppost on the street. In this case, neither at the moment of finding that piece of paper nor in the near future, can we unequivocally determine which John Smith it refers to – therefore, it will not be considered personal data.

GDPR provides a very broad definition of data processing. It refers to any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

GDPR applies to all entrepreneurs, regardless of whether the activity is conducted as a sole proprietorship or as a commercial partnership.

Data processing as a specific activity can sometimes be difficult to capture. It usually takes place in an online environment, in cloud computing, or on disks, making it challenging to determine when the processing occurs within the EU boundaries and when it takes place outside. However, in order to regulate this issue, the legislator emphasized that GDPR also applies to situations when:

a) The entrepreneur has their headquarters outside the EU but carries out activities related to business operations within the EU.

b) The entrepreneur offers their services to customers outside the EU but has their headquarters within the EU.

c) The entrepreneur processes data through cloud computing, whether the server itself is located within the EU or the data processing device is within the EU.

The legal basis for processing personal data of recipients of marketing campaigns is voluntary consent expressed through contact with us (Article 6(1)(a) of GDPR) or information voluntarily provided by the company, for example, through advertisements or cooperation proposals made public (internet, press), which is justified by the specific needs of the data controller, as an entity possessing a database of information on entities interested in commercial cooperation in the area covered by the advertisement or cooperation offer (Article 6(1)(f) of GDPR).

LIMITATION OF PURPOSE

We have clearly defined the purposes of processing personal data of recipients of marketing campaigns, which include:

a) Carrying out joint business ventures and fulfilling orders or agreements on cooperation.

b) Marketing services offered by the administrator’s partners (which is additionally supported by Recital 47 of GDPR).

c) Searching for optimal offers and solutions in the area of business services based on information regarding the activities of potential recipients of the campaign.

We have limited the processing of data exclusively to the purposes indicated above.

DATA MINIMIZATION

The scope of data processed by us is limited to the data necessary for achieving the designated purposes of processing. The entities whose data is processed are representatives of companies and legal entities, employees responsible for purchasing and cooperation within companies and legal entities, or individuals designated by these entities as points of contact, business owners, members of statutory bodies of companies and legal entities. The categories of data processed include the first name, last name, contact details (email, phone number), and the position of the contact person.

The data generated by us is organically created “from scratch” for each campaign, ensuring a high level of accuracy. Additionally, our employees manually verify the individual data to further authenticate their correctness. During marketing campaigns, we provide recipients with easy access to their data, the ability to rectify it, restrict its processing, or request its deletion.

Our company adheres to a privacy policy, a data security policy, and additional documents and registers that enable us to be accountable for the obligations imposed by the GDPR.

As PROTIP, we do not process personal data of children or sensitive data within our operations.

Within our marketing campaigns, we fulfill the full information obligation towards individuals whose data is processed. With each business communication, we include all the required information as specified by Article 13 or 14 of the GDPR.

In our operations, we do not profile personal data of representatives of our business partners, nor do we make automated decisions based on profiling.

We have conducted impact assessments on the rights and freedoms of individuals and risk analyses regarding their occurrence for the projects we conduct. Based on these analyses, we have implemented adequate systems aimed at safeguarding the processed data.

We have implemented mechanisms in our processes related to the processing of personal data that limit the scope of processed data to the necessary minimum required to achieve our processing objectives. Additionally, when designing new services, we default to privacy protection of personal data.

Cold E-mail – GDPR Compliance

PROTIP provides its services in the form of cold emailing campaigns while respecting and complying with applicable laws and regulations. We also adhere to the highest standards in securing and protecting the entrusted data and fulfilling obligations related to our business activities.

PROTIP utilizes publicly available data provided by companies (e.g., on the internet, flyers, brochures, or business cards) for the purpose of sending offers and contacting potential partners and collaborators. We also gather publicly available data shared by employees of those companies on business social media platforms (e.g., LinkedIn, Goldenline). Based on the above publicly available data and using a proprietary algorithm, PROTIP generates potential email addresses, which are considered valid communication channels with the recipients.

PROTIP sends invitations to collaborate to these generated potential email addresses, and only upon receiving a response and confirmation of data accuracy is the data included in our databases. If there is no intention to collaborate or consent to the processing and receiving of marketing information, the contact information is not used for sending promotional communications.

In the initial message sent to each potential recipient, PROTIP includes an information clause that provides the recipients with the following information:

  • – Data controller details
  • – Categories of processed or potentially processed personal data
  • – Purposes of personal data processing
  • – Legal basis for personal data processing
  • – Information about the transfer or possible transfer of personal data to third parties
  • – Notification of the right to access, rectify, erase, restrict processing, data portability, object to processing, and withdraw consent
  • – Information about the right to lodge a complaint with a supervisory authority
  • – Any other information required under Article 13 or 14 of the GDPR.

In each case, PROTIP offers the option to easily request the deletion or restriction of personal data processing, and such requests are promptly honored. PROTIP has established a dedicated GDPR department within its organization, which continuously analyzes and enforces the requests of individuals whose data is being processed.

GDPR requires the clear identification of the entity that acts as the Data Controller, while providing the following criteria for determining the Controller in a given process: “Controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

From the definition, two key elements can be identified: determining the purposes of processing and determining the means of processing data. In the context of PROTIP’s cooperation with the Data Subject, the purpose of data processing is to carry out a joint business venture as agreed upon in the cooperation agreement. This venture involves seeking optimal solutions for business services based on information about potential campaign recipients.

The cooperation agreement between PROTIP and the Data Subject is based on the collaboration of both parties in refining the intended campaign results (objectives) by jointly identifying the target audience based on the needs of the Data Subject and the experience of the Data Processor. The database of potential recipients is organically built by the Data Processor. The personal data included in this database is collected in a factual manner by the Data Processor, who has a certain degree of freedom in their selection. However, this freedom is limited to the parameters agreed upon with the Data Subject and outlined in the questionnaire.

Therefore, based solely on the purpose criterion, the clear identification of a Data Controller seems problematic. However, when considering the second criterion regarding determining the means of data processing, it becomes apparent that it is decisive in our specific situation. This conclusion is also supported by the guidelines of the Article 29 Working Party, which state:

“(…) In case of doubt, elements other than the contractual terms, such as the level of actual control exercised by a party, may be useful in finding the data controller (…)”

“(…) An entity that has no legal or factual influence on determining the means of personal data processing cannot be considered a data controller (…)”

PROTIP is the entity that effectively controls all processes related to the processing of personal data within the scope of campaign execution:

  • – PROTIP independently builds the database of potential recipients using proprietary developed methods.
  • – Data processing takes place within PROTIP’s disk environment.
  • – PROTIP effectively controls the infrastructure used for message delivery (setting statuses, follow-ups, maintaining a recipient blacklist).

Additionally, guided by the purposive interpretation, we conclude that the obligation to designate a Data Controller arises to enable individuals whose data is processed to exercise their rights related to the protection of that data. Therefore, the Data Controller should be the entity that has the ability to effectively and promptly fulfill the requests of these individuals based on the infrastructure they control and have continuous access to. The Data Controller must also have full knowledge of the source of the acquired data and all operations performed on it.

As a result, the recommended collaboration model is as follows: PROTIP – Data Controller, Data Requester – Data Processor.

The transfer of data to the Data Requester occurs within our services in two ways:

  • – Data processing is entrusted for the purpose of verification by our partners of the database of potential campaign recipients and for providing partners with access to the platform from which the delivery is conducted. At this stage of campaign execution, our partners act as Processors and are not allowed to use the data for purposes other than the specified database verification or monitoring campaign progress within the provided delivery platform. All data generated within a specific campaign is entrusted.
  • – Data sharing, on the other hand, takes place after a successfully completed email campaign. We provide the generated database of potential clients, excluding the data of individuals who expressed objections to the processing of their data during the campaign. The legal basis for sharing such data is the legitimate interest of the data controller, manifested in direct marketing (Article 47 of the GDPR). Once the data is shared with a partner, they become an independent Data Controller and subsequently decide on the means and purposes of data processing.