Privacy Policy

Psychosocial Counselling Association (PCA)

Effective from: 01.01.2026

I. General Provisions

This Privacy Policy explains the rules for collecting and processing personal data of Website Users, Candidates, and Members of the Psychosocial Counselling Association (PCA). The document was developed based on GDPR and Polish law.

PCA is a non-governmental organization focused on membership and competency certification of specialists (register, document verification, issuing certificates, professional development). As a rule, PCA does not provide healthcare services and does not keep "medical records" within the meaning of regulations on medical activity.

II. Data Controller

The data controller is Psychosocial Counselling Association (PCA) based in Poland: ul. Warszawska 1/3, 59-700 Bolesławiec, Poland.

Registration Data:

  • NIP: 6121869763
  • REGON: 385092831
  • KRS: 0000819107

Contact:

⚠️ Note: formal correspondence is conducted exclusively via e-mail.

III. Data Scope and Processing Purposes

We process data adequate to the purpose, in particular:

1. Website Users

  • technical data: IP address, server logs, cookie identifiers (if used), analytical data.

2. Candidates for registration and certification

  • identification and contact data (name, surname, e-mail, phone),
  • data on qualifications (education, training, experience),
  • billing data (e.g. invoice data),
  • documents required by registration standards (e.g. diplomas, certificates, CPD confirmations).

3. Members

  • member account data, membership history, registration status, level and specializations,
  • data published in the register (only if the member consents and/or enables public profile).

4. Criminal Record Data

As part of registration standards, we may require submission of a criminal record certificate.

  • access to such documents is strictly limited,
  • we process them solely for the purpose of assessing compliance with registration standards,
  • we strive for data minimization (e.g. noting the verification result instead of storing a full copy – if possible in a given process).

Processing purposes include, among others: conducting registration/certification, membership management, billing and accounting, certification portal management, communication, organization of training and supervision (at the organizational level), ensuring security and preventing fraud.

IV. Legal Bases

We process data based on:

  • Art. 6(1)(b) GDPR (performance of contract / membership regulations and certification services),
  • Art. 6(1)(c) GDPR (legal obligations – e.g. accounting/taxes),
  • Art. 6(1)(f) GDPR (legitimate interest – system security, fraud prevention, claims assertion/defense),
  • consent (e.g. publication of profile in the register, marketing/newsletter consents – if applied).

V. Data Recipients, Processors and Transfer outside EEA

Access to data is granted only to authorized persons and entities to which we entrust data processing to the extent necessary to achieve the objectives, in particular:

  • members of the registration/certification committee and authorized administrators,
  • accounting services and payment operators (in the scope of settlements),
  • IT infrastructure providers (hosting, e-mail, portal systems).

Financial data and IT/portal support: in the scope of IT support, service administration and certification portal, data may be processed by the cooperating entity Hobweek Agency (Australia), ABN 33 257 573 623, which handles the IT part and administrative support of services and the portal. We transfer only data necessary for this process.

Transfer outside EEA (e.g. Australia): if processing or technical support requires transferring data outside the EEA, the transfer takes place only to the extent necessary and based on an appropriate mechanism consistent with GDPR (e.g. performance of contract and/or appropriate contractual safeguards).

VI. Retention Period

  • candidate data: for the duration of the registration process and a reasonable period after its completion (e.g. for appeals or claims defense),
  • member data: for the duration of membership and settlements and the period required by law (e.g. accounting documents),
  • financial documents: as a rule 5 years from the end of the tax year (tax requirements),
  • technical data (logs): for the period necessary for security and diagnostics.

After the periods expire, data is deleted or anonymized.

VII. Rights of the Data Subject

You have the right to: access data, rectification, erasure (unless it conflicts with legal obligations), restriction of processing, objection (when the basis is legitimate interest) and data portability (to the extent provided by GDPR).

Complaints regarding data protection can be directed to the President of the Personal Data Protection Office (UODO) (Poland).

Contact for privacy matters and complaints: office@psychcon.org.

VIII. Cookies and Security

The website may use cookies for functional and statistical purposes (if implemented). We apply organizational and technical security measures, including connection encryption (SSL/TLS), access control and data minimization.

IX. Policy Changes

The policy may be updated. The new version is effective from the date indicated in the document header.