JJP Biologics Privacy Policy


This Privacy Policy contains information about the processing of personal data of our Users, Business Partners, and their Representatives, Visitors, members of our social media network, Subscribers to our Newsletter, and those who contact JJP Biologics.

Below you will find information about how we process your personal data, how we protect it, what rights you have and other information, in accordance with the GDPR[i].

If you do not find all the information you are looking for, or if you wish to exercise your RODO rights, please contact us at the following email address: rodo@jjpbiologics.com or in writing to 6 Bobrowiecka Street, 00-728 Warsaw.

1. Who processes your personal data?

The personal data controller processing the data referred to in this Privacy Policy is JJP Biologics sp. z o.o. with its registered office in Warsaw, 6 Bobrowiecka Street, 00-728 Warsaw, entered in the National Register of Companies under number: 608696, tax ID: 5252652578.

2. For what purposes do we process your personal data?

We only process your personal data for the purposes for which you contact us or use our services. Below you will find details of the different categories of data subjects.

2.1 Users of www.jjpbiologics.com

Every User who visits our website and views the content on it leaves an electronic footprint. This is solely related to the technical aspects of the websites, including functional cookies, which make the website work properly. Thanks to functional cookies, we can remember your preferences regarding the use of cookies and not ask you for them in the future. We may also count visits and traffic on the website, but this is general, statistical information and does not apply to individual Users.

We do not use any additional mechanisms to collect additional information. As a general rule, we do not have the possibility to combine data from functional cookies with other data that could allow the identification of our website Users. In extreme cases, however, it may happen that a User who uses other services on the website: a Newsletter subscription or a contact form, may be identified using this additional data.

We also do not use measures to adapt the content displayed.

We only store the data collected by functional cookies for the duration of the technical requirements. In the event that they constitute personal data within the meaning of the GDPR, the basis for their processing will be the legitimate interest related to the provision of the website service and the security of its operation (Art. 6(1)(f) GDPR).

2.2 Newsletter Subscribers

The website allows you to leave your e-mail address to subscribe to our Newsletter. We only process the email addresses of our Subscribers for the purpose of sending the Newsletter. The Newsletter may contain promotional, commercial and marketing information (please refer to the terms and conditions of the Newsletter Service contained in <JJP Biologics T&Cs>).

Any Subscriber may unsubscribe at any time, without giving any reason. To do so, please write us an email at: rodo@jjpbiologics.com or use the unsubscribe option included in the content of the Newsletter received.

All Subscribers receive the Newsletter with the same content. We do not use profiling or other forms of customisation of the content provided.

The basis for the provision of the Newsletter service to our Subscribers in accordance with the JJP Biologics T&Cs is the ordering of the Newsletter to the e-mail address provided in the order (Article 6(1)(a) of the GDPR and Article 10 of the Act on Provision of Electronic Services and, following the entry into force of the Electronic Communications Law, its Article 393). We process Subscribers’ data (email addresses) until they unsubscribe. Thereafter, we may process the Subscription history for evidential purposes for supervisory authorities, for a maximum of 1 year.

2.3 People contact via Contact Form, email, Social Media Chats and messages etc.

The data of persons who use our Contact Form on the website, correspond with us by post or e-mail, through various types of Chat or through social media messengers, are processed by us solely for the purpose of conducting the said correspondence, providing answers, settling matters with which the persons contact us. If an enquiry is made about our offer, activities or services, answering the enquiry may require the sending of commercial, promotional or marketing information, but only within the scope of the enquiry made.

We do not use contact data obtained in this way for future marketing purposes.

We keep a history of correspondence for a period of 3 years. If the correspondence relates to the performance of the cooperation, complaints or may result in potential claims by either Party, the correspondence will be stored for up to 6 years or as required by separate legislation.

2.4 Business Partners and their Representatives

We process the personal data of our Business Partners[i] and their Representatives: persons representing business entities or organisations, agents, employees, and representatives who act on behalf of or for or on behalf of the respective Business Representative.

We obtain the data from the Business Partner or directly from the data subject.

Depending on the scope and basis of the cooperation, the data of Business Partners and their Representatives is processed to a different extent. These may include:

  1. Data of representatives and proxies processed in accordance with the national registers (e.g. National Register of Companies, Central Registration and Information On Business, content of the power of attorney, content of the agreement, NDA and other documents exchanged between the Parties, processed in connection with the concluded agreement or legal requirements;
  2. Data contained in correspondence exchanged in connection with the implementation of the cooperation;
  3. Data contained in accounting, tax records;
  4. Data contained in project documentation, grant procedures, purchasing regimes, in accordance with relevant procedures and legal requirements.

The basis for our processing of personal data is:

  1. Business Partner data – performance of cooperation (Art. 6(1)(b) GDPR) or legal requirements (Art. 6(1)(c) GDPR), e.g. commercial, civil, tax, accounting laws;
  2. Representatives’ Data – legitimate interest of us and the Business Partner to provide ongoing business contacts for the purpose of the cooperation (Article 6(1)(f) GDPR);
  3. Data required by law in connection with regulatory purchasing regimes or grant procedures – Article 6(1)(c) of the GDPR.

We process the data for the duration of the cooperation and then for a period of 6 years for tax, accounting and documentary purposes from the performance of the contract. In the case of research projects, grants, specific purchasing procedures or public procurement, the retention period may be longer. In each case, this will result from the documentation of the cooperation between the Parties.

2.5 Participants in procurement procedures – Offerers and their Representatives

Above, we have described the basis and scope for processing the personal data of Offerers[ii] and their Representatives. In connection with the conduct of purchasing procedures, we also process the personal data of Offerers and their Representatives with whom we do not currently cooperate, but whose data were included in the offers submitted to us as part of purchasing procedures, including the NDA. Our Offerers include varying degrees of their personal data and that of their Representatives, depending on the subject of the bid and the applicable purchasing procedure.

We only obtain personal data from Offerers in the offers submitted to us. Offerers are obliged to comply with the provisions of GDPR, so any Representative whose data is included in a offer should be informed that their personal data is being shared in the offer submitted to us.

The basis for processing the personal data contained in the offer is:

  1. Offerer’s data – necessary to take steps to establish cooperation (Art. 6(1)(b) GDPR);
  2. Data of Representatives – legitimate interest of ours and of the Offerer in order to establish cooperation (Art. 6(1)(f) GDPR);
  3. Data required by law – if the relevant legal requirements apply in the applicable purchasing regime (Art. 6(1)(c) GDPR).

Data will be processed until the end of the purchasing procedure and then for 3 years for archiving purposes. This period may be longer if directly required by law.

2.6 Visitors

Our Guests visiting us at our premises are subject to identity verification carried out at the reception desk and, for this purpose, must present their identity document (e.g. ID, passport, driving license) (this obligation applies only to the presentation of the document, the document does not leave our Guest’s hands). Each of our Visitors is registered in advance on the list of scheduled visits for the day, and his/her presence is then recorded in the visitors’ book with the date and time of entry and exit.

We only process the data for the purpose of providing a reliable administrative service and for the security of property and protected information (Article 6(1)(f) of the GDPR). We do not use the data so obtained for other purposes. Data entered regarding visits are archived for 3 years for security purposes.

The office building in which our headquarters is located is equipped with video surveillance. However, this monitoring is outside our administration. Please contact the building administrator regarding the video surveillance used in the building. 

2.7 Social Media activity

We are active on Social Media, in particular:

  1. we operate a Fanpage on LinkedIn;
  2. we operate a youtube channel.

 We post content related to our activities and products, news on the achievements and successes of our Team Members, share interesting industry articles authored by our Team Members or from other sources.

Team members actively participate in the exchange of opinions in the comments under our posts and on the profiles of other individuals or institutions.

We also occasionally post job advertisements for our Team.

In connection with social media activity, we have access to personal data under the terms of the relevant social media platform: members of our social networks: followers, subscribers, people who post comments or are otherwise active on our profiles, people who use instant messaging to exchange correspondence with us, people on whose profiles our Team Members are active, who share our content, tag us or our Team Members or otherwise interact with us. We also receive notifications about the activities of people we follow or who follow us.

Furthermore, in connection with the use of a professional profile on LinkedIn, we have access to the statistical and analytical tools provided to us by LinkedIn. We can therefore receive information on who has visited our Fanpage, what activities they have undertaken, how long they have stayed on our Fanpage and what content they have used. We can also receive reports showing us where we are mentioned on LinkedIn, what activities are undertaken towards us by other LinkedIn users elsewhere on the platform.  LinkedIn provides a wide range of statistical and analytical tools per LinkedIn’s Terms and Conditions. We only use the basic functions that allow us to keep up to date with news in the industry in which we operate and in related industries, provide content to members of our social network, professional activity and take care of our PR and that of our Team Members.

We only access personal data from social media on the respective Social Media platform. We do not copy social media data, save it elsewhere or store it on our media[iii] . Occasionally, we generate statistical reports and use them outside LinkedIn, but these contain only general data.

The basis for the processing of personal data on social media is our legitimate interest in undertaking industry and professionally related community and PR activities (Article 6(1)(f) GDPR).

2.8 Job Applicants

Sometimes we post job advertisements on our website or Social Media. In such cases, we process the data of Job Candidates contained in the applications submitted to us (CVs, cover letters, completed forms, other documents submitted by the Candidate) solely for the purpose of recruitment.

We publish job advertisements on various portals, including LinkedIn, pracuj.pl. A Candidate wishing to make an offer can use the application options available on a given portal. We will then receive information about the submitted application and have access to it through the portal selected by the Candidate.

We do not copy the applications of Job Candidates and do not ask them to send their applications by e-mail directly to us. It is only at an advanced stage of recruitment that we can download the application of the selected Candidate(s).

The legal basis for the processing of the Job Candidates’ personal data depends on the position and the related form of the proposed collaboration and on the scope of the data provided to us:

  1. If the job advertisement relates to employment under the Labour Code, the basis for our processing of the data of the Candidates will be the law (Article 6(1)(c) RODO). If the scope of the data submitted to us exceeds that indicated by us, the basis for processing will be your consent (Article 6(1)(a) GDPR);
  2. If the advertisement relates to a cooperation based on a civil law contract or a B2B contract, the legal basis for the processing of the Candidates’ data will be to take steps towards the conclusion of a cooperation agreement (Article 6(1)(b) GDPR).

We will process your data until the recruitment is completed. The portals on which we advertise jobs decide how long applications will be available. The standard timeframe is four months, but this timeframe is set by the respective portal. After this time, we do not have access to the applications submitted. If a Candidate has progressed to an advanced stage of recruitment and we have downloaded their application, we can process it until the recruitment process is complete and then for 1 year.

If you submit your application without us recruiting you or, during the recruitment process, you express your wish to have your application included in our Job Candidate database, your application will be processed on the basis of your freely given consent (Art. 6(1)(a) GDPR) for one year, unless you inform us beforehand that you have withdrawn your consent to have your personal data processed in the Job Candidate database.

2.9 Complaints, disputes, defense, or redress of grievances

Certain documents and information are archived in order to provide us and our Business Partners with economic security in the event of the need to defend or assert claims. This applies to the implementation of collaborations, grants, purchase proceedings, but may also relate to other matters, e.g. the Guests register, correspondence received by us, the content of Social Media activity or recruitment proceedings. The basis for our data processing for this purpose is Article 6(1)(f) of the GDPR.

If an investigation, mediation, or court case is initiated, the documents and data we need will be processed until the conclusion of the proceedings and the expiry of the limitation period for claims, in accordance with the applicable legal provisions.

3. To whom do we disclose your personal data?

3.1 Data sharing

We only share personal data if we are obliged to do so by law or if it is necessary for the performance of an activity. We do not share personal data if it is not necessary.

Personal data may be shared by us:

  1. to supervisory bodies and institutions entitled to audit and control in the case of projects covered by the legal regime or project requirements of specific institutions. This always follows from the terms and conditions of the respective project and the Business Partner is informed of this and aware of the terms and conditions of the project;
  2. to authorized state authorities, in particular tax authorities;
  3. to couriers and postal carriers – if you are the addressee of a parcel and your address details must appear on the envelope / parcel;
  4. to external auditors, consultants and lawyers working with us or institutions authorized to carry out audits or inspections with us;
  5. to our corporate management control – data is then not transferred outside the group of companies to which we belong.

These entities are separate controllers of your personal data and are obliged to comply with all GDPR requirements themselves. You have every right to make an enquiry or exercise your GDPR rights against them as well.

3.2 Entrustment of processing

We may disclose your data to our service providers and subcontractors with whom we have entered into appropriate personal data processing outsourcing agreements. These entities may not process the personal data disclosed to them for their own purposes, but only perform tasks on our behalf and for our benefit. Under the GDPR, we are obliged not only to enter into an appropriate contract with such an entity, but also to verify that the entity will ensure adequate protection of the personal data disclosed to it. These entities may be:

  1. providers of IT and hosting services;
  2. job portals to the extent that they accept job applications on our behalf;
  3. external administrative support;
  4. external security support;
  5. external consultants and experts.

3.3 Social Media

Social Media platforms (service companies) process the personal data of all Social Media users in accordance with their own terms of service and privacy policies. Their role independent from us may vary: to a certain extent, they will be responsible completely independently for the processing of Social Media users’ personal data, or sometimes they will carry out certain activities as a data processor. In each case, the details are contained in the documents of the Social Media platform concerned.

4. What are the rights of data subjects under the GDPR?

The GDPR provides for a number of rights that data subjects can exercise. We have a maximum of one month to respond to you. Within this time, we should comply with your request or, if there are exceptional circumstances, inform you of these and the timeframe within which we will comply with the request.

If your request cannot be fulfilled because it exceeds your GDPR rights, we will also inform you within one month.

In all cases, we will respond as quickly as possible for us.

The applicable GDPR rights are:

  • right to withdraw your consent to osov data processing – you can withdraw the consent you have given at any time without giving any reason. The processing that took place before you withdrew your consent will continue to be lawful for that purpose, but from the moment you withdraw your consent we will no longer be able to process your data for that purpose;
  • right to object – you can object to the processing of your personal data on grounds relating to your particular situation where the processing is based on a legitimate interest (Article 6(1)(f) GDPR). We will then re-examine the legitimate interests and inform you of the outcome;
  • right of access to your data – you have the right to be fully informed at any time about our processing of your personal data and to receive a copy;
  • right to data portability – you have the right to request that we transfer to another entity your data processed under a binding contract or consent, received from you and processed by automated means;
  • right to rectification – if your data is out of date or incorrect, you have the right to request that it be updated or corrected;
  • right to erasure – if we do not have a proper legal basis and we still process your personal data, you have the right to request permanent erasure;
  • right to restrict processing – you can request that we restrict the processing of your personal data while we are clarifying your request regarding irregularities in the processing of your personal data or data that we should delete.
5. Other information

The provision of personal data to us is voluntary.

Where we process personal data in order to comply with the law, failure to provide personal data may result in an inability to participate in the relevant process, e.g. inability to conclude a contract, to participate in a purchasing process or rejection of an offer due to non-compliance, inability to participate in a recruitment or employment process. If the provision of certain personal data is mandatory in order to take part in a given process, this is specified accordingly.

We do not perform automated decision-making on individuals.

We do not transfer personal data to countries outside the European Union and the European Economic Area.

6. Supervisory Authority

If you want to exercise your rights, get back to us. We will help you determine which right you want to exercise in order to achieve the goal you want and, if possible, provide you with additional information right away.

If you believe that we are processing your personal data in violation of the GDPR, you can also complain to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection, ul. Stawki 2 in Warsaw, hotline: 606 950 000.

However, we encourage you to contact us in advance.


This Privacy Policy is effective as of ……………………………………..

[i] GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC

[ii] The GDPR covers natural persons, including sole proprietors (sole traders). So, Business Partners who are sole traders are covered by this Privacy Policy. Data of Business Partners who are legal entities, authorities, or organizations do not constitute personal data and are not entitled to the protection set out in the GDPR. However, any Representative is entitled to protection if they are an individual, regardless of whether they represent an individual or a legal entity (or organization).

[iii] The same rules apply to Offerers as to Business Partners, as described in index ii above

[vi] Exceptions to this may be the content of correspondence that needs to be archived or incorporated into a specific file, or the content of activity that may form the basis for the defense or assertion of claims. In other sections of the Privacy Policy, we write about both cases of processing personal data for the above purposes.