Privacy Policy

30 March 2026

1. General provisions

  1. This Privacy Policy describes the rules for processing personal data and using cookies on the website available at https://sdkgdynia.pl/, including its Polish and English language versions.
  2. The controller of personal data is Studium Doskonalenia Kadr Uniwersytetu Morskiego w Gdyni spółka z ograniczoną odpowiedzialnością, with its registered office in Gdynia, ul. Morska 83, 81-222 Gdynia, Poland, KRS 0000117143, NIP 9581278752, REGON 191703911 (the Controller).
  3. Matters concerning personal data may be addressed to the Controller, in particular via e-mail at sdk@umg.edu.pl.
  4. This Privacy Policy applies to personal data collected through:
  5. the contact form,
  6. the newsletter subscription form,
  7. registration and login forms,
  8. forms used to enrol in courses, training programmes, qualification programmes, recruitment processes or other educational services,
  9. e-mail, telephone and traditional correspondence,
  10. use of the Website, including data stored in system logs and cookies.

2. Scope of collected data

  1. The Controller may process, in particular, the following data:
  2. first name and last name,
  3. e-mail address,
  4. phone number,
  5. company or institution details,
  6. address details,
  7. tax identification number and invoice details,
  8. data provided in messages or applications,
  9. data necessary to participate in a specific course or training programme where required by the nature of the service,
  10. data concerning activity on the Website, including IP address, device identifiers, browser type, operating system, basic technical data and event logs.
  11. Providing personal data is generally voluntary, but in some cases it may be necessary in order to:
  12. create an Account,
  13. receive a reply to a message,
  14. enrol in a course or training programme,
  15. perform a contract,
  16. issue accounting documents,
  17. send the newsletter.

3. Purposes and legal bases of processing

The Controller processes personal data for the following purposes:

  1. operating the Website and ensuring its security – on the basis of Article 6(1)(f) GDPR, i.e. the Controller’s legitimate interest in operating and securing the Website;
  2. handling the contact form, correspondence and enquiries – on the basis of Article 6(1)(f) GDPR, and where the contact concerns the conclusion or performance of a contract, also Article 6(1)(b) GDPR;
  3. registering an Account, login, password reset and Account management – on the basis of Article 6(1)(b) GDPR;
  4. accepting applications, enrolling in courses or training programmes, organisational contact and performance of educational or training services – on the basis of Article 6(1)(b) GDPR;
  5. verifying eligibility requirements, handling participant documents, organising training and confirming participation – on the basis of Article 6(1)(b) GDPR and, where required by law, Article 6(1)(c) GDPR;
  6. issuing invoices, keeping accounting records, handling online payments and performing legal obligations – on the basis of Article 6(1)(b) and (c) GDPR;
  7. handling complaints, pursuing claims or defending against claims – on the basis of Article 6(1)(f) GDPR;
  8. sending the newsletter and marketing communications – on the basis of Article 6(1)(a) GDPR, i.e. consent;
  9. operating functional, analytical or marketing cookies – on the basis of consent where consent is required for a given cookie category;
  10. establishing, pursuing and defending claims – on the basis of Article 6(1)(f) GDPR.

4. Source of data

  1. As a rule, the Controller receives personal data directly from the data subject.
  2. Where a participant is enrolled by an employer, contracting entity or another third party, the Controller may receive the participant’s data from that entity to the extent necessary to organise the service.

5. Recipients of personal data

  1. Personal data may be disclosed to entities cooperating with the Controller only to the extent necessary for the purposes of processing, in particular:
  2. hosting and IT infrastructure providers,
  3. e-mail and communication tool providers,
  4. the payment operator TPay – to the extent necessary to process electronic payments, if the User chooses that payment method,
  5. accounting, legal, audit or administrative service providers,
  6. newsletter support providers,
  7. entities providing maintenance, analytics or IT security services.
  8. Data may also be disclosed to public authorities where such obligation arises from law.

6. Transfers outside the EEA

  1. As a rule, the Controller processes data within the European Economic Area.
  2. If the Controller uses tools or providers whose infrastructure is located outside the European Economic Area, personal data may be transferred outside the EEA only in accordance with law, in particular on the basis of an adequacy decision or subject to standard contractual clauses.
  3. Information on the safeguards applied may be obtained by contacting the Controller.

7. Data retention period

Personal data are retained no longer than necessary for the purpose of processing and then for the period required by law or necessary to secure claims. As a rule:

  1. data related to an Account – for the period during which the Account is maintained and, after deletion, for the period necessary for settlements, compliance demonstration and defence against claims;
  2. data related to a contract, enrolment in a course, training programme or recruitment – for the duration of service performance and the limitation period for claims;
  3. accounting and settlement data – for the period resulting from tax and accounting regulations;
  4. data from correspondence and the contact form – for the time necessary to handle the matter and then for an archiving period justified by the nature of the matter;
  5. data processed on the basis of consent, including the newsletter – until consent is withdrawn, unless earlier deletion is impossible for technical or legal reasons;
  6. data contained in logs and technical data – for a period justified by security, diagnostics and statistics.

8. Rights of the data subject

Each data subject has, within the limits resulting from the GDPR, the right to:

  1. access their personal data,
  2. rectify personal data,
  3. erase personal data,
  4. restrict processing,
  5. data portability,
  6. object to processing based on legitimate interests,
  7. withdraw consent at any time where processing is based on consent; withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal,
  8. lodge a complaint with the President of the Polish Personal Data Protection Office.

9. Automated decision-making and profiling

  1. As a rule, the Controller does not make decisions producing legal effects for users based solely on automated processing.
  2. If analytics or marketing tools involving profiling within the meaning of the GDPR are implemented on the Website, the Controller will provide appropriate information on the Website or in the cookie consent tool.

10. Cookies and similar technologies

  1. The Website may use cookies and similar technologies.
  2. Cookies are small text files stored on the user’s end device.
  3. The Website may use the following categories of cookies:
  4. necessary – required for the proper operation of the Website, login, session maintenance and security;
  5. functional – enabling the Website to remember selected user preferences;
  6. analytical/statistical – helping analyse how the Website is used and improve its performance;
  7. marketing – used to tailor communications or measure promotional effectiveness, if such tools are implemented.
  8. Necessary cookies may be used without consent where they are indispensable for providing a service requested by the user.
  9. Other cookie categories are used only where the user has granted consent, if such consent is required by law.
  10. The user may manage cookie settings through the consent banner, where used, and through browser settings.
  11. Restricting cookies may affect the operation of certain Website functionalities.

11. Server logs and security

  1. Use of the Website involves sending requests to the server on which the Website is hosted.
  2. Each request may be recorded in server logs and may include, among other things, IP address, date and time, browser information, operating system and technical errors.
  3. Logs are used primarily to ensure security, diagnose problems, administer the Website and compile technical statistics.

12. External links and third-party services

  1. The Website may contain links to websites or services of third parties.
  2. This Privacy Policy does not cover the data processing rules of such third parties. Users should review the privacy policy of the relevant provider.

13. Changes to the Privacy Policy

  1. The Controller may update this Privacy Policy, in particular due to legal, organisational or technological changes.
  2. The current version of the Privacy Policy is published on the Website together with the date of the latest update.

14. Contact

For matters related to privacy and personal data, please contact:

Studium Doskonalenia Kadr Uniwersytetu Morskiego w Gdyni sp. z o.o.

ul. Morska 83

81-222 Gdynia

Poland

e-mail: sdk@umg.edu.pl

Subscribe to our newsletter

Stay up to date with the latest news!