Privacy policy

  1. This Privacy Policy sets out the principles for the processing of personal data obtained through the website www.ruj.edu.pl and all its subdomains. The owner of the Website and simultaneously the data controller is the Jagiellonian University, with its registered office in Kraków (31-007), ul. Gołębia 24, (NIP): 6750002236, (REGON): 000001270, hereinafter referred to as the UNIVERSITY.
  2. The personal data collected by the UNIVERSITY via the Website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.
  3. The UNIVERSITY exercises particular diligence to respect the privacy of Users visiting the Website.

§ 1 Types of processed data, purposes, and legal basis

  1. The UNIVERSITY collects information regarding natural persons performing a legal act not directly related to their business activity, natural persons conducting business or professional activity in their own name, as well as natural persons representing legal persons or organizational units that are not legal persons but are granted legal capacity by law, hereinafter collectively referred to as Users.
  2. The Repository of the Jagiellonian University is maintained for the purpose of collecting, archiving, and providing access to the scientific output of the academic community of the Jagiellonian University.
  3. When using the Website, additional information may be collected, in particular: the IP address assigned to the User’s computer or the external IP address of the Internet provider, domain name, browser type, access time, and the type of operating system.
  4. Navigational data may also be collected from Users, including information about the links and references they choose to click on or other activities undertaken within the Website.
  5. Legal basis: legitimate interest (Article 6(1)(f) GDPR), consisting of facilitating the use of electronic services and improving the functionality of those services.
  6. For the purpose of establishing, pursuing, and enforcing claims, certain personal data provided by the User when using the functionalities of the Website may be processed, such as: first name, surname, data regarding the use of services (where the claims arise from the manner in which the User uses the services), and other data necessary to prove the existence of a claim, including the extent of damage suffered. Legal basis: legitimate interest (Article 6(1)(f) GDPR), consisting of establishing, pursuing, and enforcing claims, as well as defending against claims in proceedings before courts and other state authorities.
  7. Providing personal data to the UNIVERSITY is voluntary.

§ 2 To whom the data are disclosed or entrusted and how long they are stored

  1. The User’s personal data are transferred to service providers used by the UNIVERSITY in operating the Website. Depending on contractual arrangements and circumstances, the service providers to whom personal data are transferred either follow the UNIVERSITY’s instructions regarding the purposes and means of processing such data (processors) or independently determine the purposes and means of processing (controllers).
    1. Processors. The UNIVERSITY uses service providers who process personal data solely on the instructions of the UNIVERSITY. These include, among others, providers of hosting services, accounting services, marketing systems, website traffic analysis tools, and systems for analysing the effectiveness of marketing campaigns.
    2. Controllers. The UNIVERSITY uses service providers who do not act solely on its instructions and independently determine the purposes and means of processing Users’ personal data.
  2. Location. Service providers are mainly based in Poland and other countries of the European Economic Area (EOG).
  3. Users’ personal data are stored:
    1. If the legal basis for processing is consent, the User’s personal data are processed by the UNIVERSITY until the consent is withdrawn, and after the withdrawal of consent for a period corresponding to the statute of limitations for claims that may be raised by the UNIVERSITY or against it. Unless a specific provision states otherwise, the limitation period is six years, and for periodic claims and claims related to business activity – three years.
    2. If the legal basis for processing is the performance of a contract, the User’s personal data are processed by the UNIVERSITY for as long as is necessary to perform the contract, and after that for a period corresponding to the statute of limitations for claims. Unless a specific provision states otherwise, the limitation period is six years, and for periodic claims and claims related to business activity – three years.
  4. Navigational data may be used to provide Users with better service, analyse statistical data, tailor the Website to Users’ preferences, and administer the Website.ane nawigacyjne mogą być wykorzystywane w celu zapewnienia Użytkownikom lepszej obsługi, analizy danych statystycznych i dostosowania Serwisu Internetowego do preferencji Użytkowników, a także administrowania Serwisem Internetowym.
  5. Upon receiving an official request, the UNIVERSITY discloses personal data to authorised state authorities, in particular to organisational units of the Prosecutor’s Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.

§ 3 Cookie Mechanism, IP Address

  1. The Website uses small files known as cookies. They are stored by the UNIVERSITY on the end device of the person visiting the Website, provided that the web browser allows it. A cookie file typically contains the domain name from which it originates, its “expiry time,” and an individual, randomly generated number identifying the file. The information collected through such files helps tailor the UNIVERSITY’s offerings to the individual preferences and actual needs of visitors to the Website. They also make it possible to compile general statistics on visits to the products presented on the Website.
  2. The UNIVERSITY uses two types of cookies:
    1. Session cookies: after a given browser session ends or the computer is switched off, the stored information is deleted from the device’s memory. The session cookie mechanism does not allow the collection of any personal data or confidential information from Users’ computers.
    2. Persistent cookies: these are stored on the User’s end device and remain there until deleted or expired. The persistent cookie mechanism does not allow the collection of any personal data or confidential information from Users’
  3. The UNIVERSITY uses its own cookies for the purpose of:
    1. authenticating the User on the Website and ensuring the User’s session on the Website (after logging in), so that the User does not have to re-enter their login and password on every subpage of the Website;
    2. analysis, research, and audience measurement, in particular for creating anonymous statistics that help understand how Users use the Website, which enables improvement of its structure and content.
  4. The UNIVERSITY uses external cookies for the purpose of:
    • collecting general and anonymous statistical data via analytical tools such as Google Analytics (administrator of the external cookie: Google Inc., based in Ireland);
    • analysing the conversion of marketing campaigns carried out using Google Signal (administrator of the external cookie: Google Inc., based in the USA). The tool collects user data enabling conversion measurement, advertisement optimisation, creation of custom audiences, and remarketing campaigns, including advertisement personalisation;
  5. The cookie mechanism is safe for Users’ computers. No viruses, unwanted software, or malicious software can infiltrate Users’ computers this way. Nevertheless, Users may limit or disable cookie access to their devices through their browser settings. If this option is used, browsing the Website will remain possible, except for functions that inherently require cookies.
  6. Below are instructions on how to change cookie settings in popular internet browsers:
    1. Browser Chrome and Chrome Mobile
    2. Browser Samsung Browser
    3. Browser Internet Explorer
    4. Browser Microsoft EDGE
    5. Browser Mozilla Firefox
    6. Browser Opera
    7. Browser Safari and Safari Mobile
  7. The UNIVERSITY may collect Users’ IP addresses. An IP address is a number assigned to the computer of a person visiting the Website by their internet service provider. The IP number enables access to the Internet. In most cases, it is assigned dynamically, meaning it changes with each internet connection. The IP address is used by the UNIVERSITY to diagnose technical issues with the server, create statistical analyses (e.g., determine which regions generate the most visits), provide useful information for administering and improving the Website, and for security purposes and potential identification of automatic programs overloading the server or undesired automated browsing of the Website’s content.
  8. The Website contains links and references to other websites. The UNIVERSITY is not responsible for the privacy practices in place on those websites.

§ 4 Rights of Data Subjects

  1. Right to withdraw consent - legal basis: Article 7(3) GDPR.
    1. The User has the right to withdraw any consent they have given to the UNIVERSITY.
    2. Withdrawal of consent takes effect from the moment it is withdrawn.
    3. Withdrawal of consent does not affect the lawfulness of processing carried out by the UNIVERSITY before the withdrawal.
    4. Withdrawal of consent does not entail any negative consequences for the User; however, it may prevent further use of services or functionalities that the UNIVERSITY is legally permitted to provide only on the basis of consent.
  2. Right to object to data processing - legal basis: Article 21 GDPR.
    1. The User has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data, including profiling, if the UNIVERSITY processes their data based on legitimate interests, e.g. marketing of the UNIVERSITY’s products and services, statistics on the use of particular Website functionalities, facilitating the use of the Website, or conducting satisfaction surveys.
    2. Unsubscribing via email from marketing communications concerning products or services shall be understood as the User’s objection to the processing of their personal data, including profiling, for these purposes.
    3. If the user's objection is justified and the UNIVERSITY has no other legal basis for processing personal data, the user's personal data will be deleted.
  3. Right to erasure (“right to be forgotten”) - legal basis: Article 17 GDPR.
    1. The User has the right to request the deletion of all or some of their personal data.
    2. The User has the right to request the deletion of personal data if:
      1. the personal data are no longer necessary for the purposes for which they were collected or processed;
      2. the User has withdrawn specific consent to the extent that the data were processed based on that consent;
      3. the User has objected to the use of their data for marketing purposes;
      4. the personal data have been processed unlawfully;
      5. the personal data must be deleted in order to comply with a legal obligation under EU or Member State law to which the UNIVERSITY is subject;
      6. the personal data were collected in connection with the provision of information society services.
    3. Despite a request for data erasure made due to an objection or withdrawal of consent, the UNIVERSITY may retain certain personal data to the extent that processing is necessary for establishing, pursuing, or defending legal claims, as well as fulfilling a legal obligation under EU or Member State law to which the UNIVERSITY is subject. This applies in particular to personal data such as: first name, last name, email address – retained for handling complaints and claims related to the UNIVERSITY's services; or additionally home address/correspondence address and order number – retained for handling complaints and claims arising from sales contracts or service provision.
  4. Right to restrict processing - legal basis: Article 18 GDPR.
    1. The User has the right to request restriction of the processing of their personal data. Submission of such a request prevents the use of specific functionalities or services requiring the processing of the restricted data until the request is resolved. The UNIVERSITY will also refrain from sending any communications, including marketing communications.
    2. The User has the right to request restriction of the processing of personal data in the following cases:
      1. when the User contests the accuracy of their personal data – the UNIVERSITY shall restrict processing for the time necessary to verify the accuracy of the data, but not longer than 7 days;
      2. when data are processed unlawfully and, instead of erasure, the User requests restriction of their use;
      3. when the personal data are no longer necessary for the purposes for which they were collected or used, but are needed by the User for establishing, pursuing, or defending legal claims;
      4. when the User has lodged an objection to the use of their data – restriction shall apply for the time necessary to determine whether, due to the User’s particular situation, their rights, freedoms, and interests override those of the Controller.
  5. Right of access - legal basis: Article 15 GDPR.
    1. The User has the right to obtain confirmation from the Controller as to whether their personal data are being processed. If this is the case, the User has the right to:
      1. obtain access to their personal data;
      2. obtain information on the purposes of processing, categories of personal data processed, recipients or categories of recipients, planned storage period or criteria for determining that period (if it is not possible to specify the exact period), rights under GDPR, the right to lodge a complaint with a supervisory authority, the source of the data, automated decision-making including profiling, and safeguards related to the transfer of the data outside the European Union;
      3. obtain a copy of their personal data.
  6. Right to rectification - legal basis: Article 16 GDPR.
    1. The User has the right to demand that the Controller promptly rectify any inaccurate personal data concerning them. Considering the purposes of processing, the User has the right to request the completion of incomplete personal data, including by submitting an additional statement, by sending a request to the email address indicated in §6 of this Privacy Policy.
  7. Right to data portability - legal basis: Article 20 GDPR.
    1. The User has the right to receive the personal data they have provided to the Controller and then transmit them to another controller of their choice. The User also has the right to request that the data be transmitted directly by the Controller to such another controller, where technically feasible. In such a case, the Controller shall transmit the User’s personal data in a csv file format, which is commonly used, machine-readable, and enables transfer to another data controller.
  8. If the User exercises any of the rights listed above, the UNIVERSITY shall comply with the request or refuse to comply without undue delay, but no later than within one month after receiving it. However, due to the complexity of the request or the number of requests, if the UNIVERSITY is unable to comply within one month, it shall comply within the following two months, informing the User within one month of receiving the request about the extension and the reasons for it.
  9. The User may submit complaints, inquiries, and requests to the Controller regarding the processing of their personal data and the exercise of their rights, e.g. to the email address iod@uj.edu.pl or by post to: Jagiellonian University, ul. Gołębia 24, 31-007 Kraków, with the note “Data Protection Officer.”
  10. The User has the right to request that the UNIVERSITY provide a copy of the standard contractual clauses by submitting a request as indicated in §6 of the Privacy Policy.
  11. The User has the right to lodge a complaint with the President of the Personal Data Protection Office regarding any violation of their data protection rights or other rights under the GDPR.

§ 5 Security Management – Password

  1. Logging into the Jagiellonian University Repository takes place through the Central Authentication System (CSU). The UNIVERSITY provides Users with a secure and encrypted connection when transmitting personal data and when logging into the User Account in the Service. The UNIVERSITY uses an SSL certificate issued by one of the world’s leading companies in the field of Internet data security and encryption.
  2. The UNIVERSITY never sends any correspondence, including electronic correspondence, requesting login details, and in particular, the User Account password.

§ 6 Amendments to the Privacy Policy

  1. The Privacy Policy may be amended, and the UNIVERSITY will inform Users of any changes 7 days in advance.
  2. Questions related to the Privacy Policy should be sent to: iod@uj.edu.pl
  3. Date of last modification: 21.08.2025