Personal data protection

CONTACT IN TERMS OF PERSONAL DATA PROTECTION

Acting pursuant to Articles 13 and 14 of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC, hereinafter referred to as the GDPR, Polwax S.A. informs you that:

  1. Data Controller:

The Controller of your personal data is POLWAX S.A., with its registered office in Jasło, ul. 3 Maja 101, 38-200.

  1. Categories of personal data processed:

 

  • JOB CANDIDATES:

Personal data are processed:

– for the purpose of concluding an employment contract or at the request of the data subject prior to the conclusion of an employment contract pursuant to Article 6(1)(b) of the GDPR;

– on the basis of the candidate’s consent pursuant to Article 6(1)(a) of the GDPR and Article 9(2)(a) of the GDPR, which may also include the processing of personal data for the purposes of subsequent recruitment processes.

 

The scope of the data processing is limited to the information the provision of which is required by labour law and which is necessary for the conclusion of the contract (first name and surname, date of birth, contact details indicated by the person concerned, education, professional qualifications, previous employment) and information voluntarily provided by the candidate for employment (e.g. image – photo, other contact details).

The processing of personal data is necessary to participate in the recruitment process aiming at obtaining a job at the Controller.

To the extent that consent is the basis for the processing of personal data, the provision of personal data is entirely voluntary.

Personal data are processed in the course of the recruitment process and, once it has been completed, as long as the consent to the processing of personal data has not been withdrawn, but no longer than one year.

Each candidate shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • transfer personal data only insofar as personal data are processed in an automated manner, pursuant to Article 20 of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

If personal data are processed on the basis of consent, the candidate shall have the right to withdraw their consent at any time, but the withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

The candidate shall not be entitled to object to the processing of personal data pursuant to Article 21 of the GDPR, as the legal basis for the processing of personal data is not Article 6(1)(e) or (f) of the GDPR.

 

  • VISITORS

The scope of personal data includes data necessary for identification, data recorded by monitoring and vehicle data (optional data).

Personal data are processed pursuant to Article 6(1)(f) of the GDPR solely for the purpose of ensuring the safety of persons and the protection of property, production control and confidentiality of information, which constitutes a legitimate interest of the Controller.

Their provision is necessary – failure to provide them will result in the impossibility of identification and therefore in the refusal of access to the Company’s premises.

Therefore, it is necessary to present an ID card to issue a pass – however, the ID card will not be copied, scanned or photographed.

Personal data are processed as long as required by the provisions of the law on the security of persons and the protection of property in respect of the establishment, investigation or defence of claims.

Data recorded by video surveillance are retained for a period not exceeding 14 days.

Each person shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

Where the legal basis for the processing of data is Article 6(1)(f) of the GDPR, pursuant to Article 21 of the GDPR, the data subject shall be entitled to object to the processing of personal data.

The data subject shall not be entitled to transfer their personal data, as referred to in Article 20 of the GDPR.

Video surveillance recordings cannot be improved for technical reasons and shall not be subject to the right to obtain copies where this could infringe the rights and freedoms of others who may be included in the recording.

 

  • CUSTOMERS AND CONTRACTORS:

The scope of personal data includes identification data, contact details and data contained in publicly available records and sources or provided by the Customer/Contractor, including the data of persons authorised to represent and the data of representatives and the persons designated as contact persons.

Personal data are processed, depending on the legal basis binding the parties, in order to:

  • conclude a contract or implement its provisions pursuant to Article 6(1)(b) of the GDPR;
  • take measures prior to concluding a contract, at the request of the data subject, in particular, to prepare an offer pursuant to Article 6(1)(b) of the GDPR;
  • fulfil legal obligations in the scope of tax and accounting obligations, pursuant to Article 6(1)(c) of the GDPR;
  • pursue the legitimate interest of the Controller consisting in the marketing of its own goods, keeping correspondence or responding to requests made using the Controller’s contact details and in carrying out recovery operations and processing claims, where necessary, pursuant to Article 6(1)(f) of the GDPR.

Where a contract is concluded with a commercial law company or an institution, the Controller processes the personal data of persons entitled to represent them and of persons identified as contact persons only for the purposes of the conclusion and performance of contracts and carrying out of any complaint and recovery operations, which constitutes a legitimate interest of the Controller pursuant to Article 6(1)(f) of the GDPR. In such a case, the personal data include identification data, contact details, position held and other information available in publicly available registers (e.g. KRS, CEIDG) or provided by the company or institution for the purpose of concluding and implementing the contract.

Provision of personal data is necessary for the conclusion and performance of a contract.

Your personal data will be processed for the time necessary for the performance of the contract or limitation of claims and for the fulfilment of the legal obligation imposed on the Controller, in particular regarding tax and accounting obligations.

Each person shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • transfer their personal data only insofar as personal data are processed in an automated manner and on the basis of a contract, pursuant to Article 20 of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

In the case of processing pursuant to Article 6(1)(f) of the GDPR, i.e. in order to fulfil the legitimate interests of the customer/contractor, shall be entitled to object to the processing of personal data.

 

  • CONTACT/CORRESPONDENCE

Personal data are processed in order to respond to a question asked through a contact form or sent by post, which constitutes a legitimate interest of the Controller pursuant to Article 6(1)(f) of the GDPR.

The provision of personal data is necessary to answer a question asked through a contact form or sent by post.

Your personal data are processed for the time of limitation of claims.

Each person shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • transfer their personal data only insofar as personal data are processed in an automated manner and on the basis of a contract, pursuant to Article 20 of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

In the case of processing of data pursuant to Article 6(1)(f) of the GDPR, i.e. for the purpose of fulfilling the legitimate interests of the sender or the addressee of the communication, the right to object to the processing.

 

  • SHAREHOLDERS

The Controller processes the following categories of personal data of shareholders or shareholders’ representatives: identification data, address, contact details and image.

Personal data of shareholders or representatives may be processed for the following purposes:

1) organisation of the General Meeting and the exercise of voting rights by authorised persons pursuant to Article 6(1)(c) of the GDPR,

2) exercise of the rights and obligations of the Shareholder pursuant to Article 6(1)(c) of the GDPR.

Personal data of shareholders or representatives may be made available by the Controller to:

 

1) other shareholders, where such data concern the shareholders of the Controller pursuant to Article 407(1) and (11) of the Commercial Companies Code,

2) the Financial Supervision Commission, pursuant to Article 70(2) of the Public Offering Act and the conditions for the introduction of financial instruments into the organised trade system and on public companies,

3) the National Depository for Securities (KWDP).

Personal data of shareholders or proxies are kept indefinitely.

Each shareholder or representative shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • transfer their personal data only insofar as personal data are processed in an automated manner and on the basis of a contract, pursuant to Article 20 of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

Regarding personal data processed pursuant to Article 6(1)(f) of the GDPR, a shareholder or a representative shall be entitled to object to the processing of personal data pursuant to Article 21 of the GDPR.

Personal data of a shareholder or a proxy may come from:

1) the system of the National Depository for Securities, where such data concern a shareholder of the Controller,

2) the principal, in the case of an authorisation granted, where it concerns a representative of the shareholder.

The provision of personal data by a shareholder or a representative is necessary for the purpose set out above in order to draw up and transfer to the NFS or any other shareholder the list of persons entitled to participate in the General Meeting and to verify the right to participate in the General Meeting.

 

  • REPRESENTATIVES:

The scope of personal data includes first name, surname, series and number of the identity card, its expiry date and correspondence address. Other personal data may be processed where the granting of a power of attorney so requires.

Personal data shall be processed for the purpose of granting, amending or revoking a power of attorney pursuant to Article 6(1)(b) of the GDPR.

Where a power of attorney is granted to a commercial law company, the Controller shall further process the personal data of persons authorised to represent them and of persons designated to be contacted for the purposes of granting, amending or revoking a power of attorney, which constitutes a legitimate interest of the Controller pursuant to Article 6(1)(f) of the GDPR. In such a case, the personal data include identification data, contact details, position held and other information available in publicly available registers (e.g. KRS, CEIDG) or provided by the company or institution for the purpose of concluding and implementing the contract.

The provision of personal data is necessary to grant a power of attorney and to take specific actions after granting it.

Your personal data will be processed until the withdrawal of a power of attorney or until the claims become statute-barred.

Each person shall be entitled to:

  • access their personal data, pursuant to Article 15 of the GDPR;
  • rectify their personal data, pursuant to Article 16 of the GDPR,
  • request the deletion of their personal data, pursuant to Article 17 of the GDPR, subject to the exceptions provided for in Article 17(3) of the GDPR;
  • request a restriction of the processing of personal data, pursuant to Article 18 of the GDPR, subject to the cases referred to in Article 18(2) of the GDPR;
  • transfer their personal data only insofar as personal data are processed in an automated manner and on the basis of a contract, pursuant to Article 20 of the GDPR;
  • lodge a complaint with the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw if the processing of personal data is considered to be in breach of the provisions of the GDPR.

In the case of processing pursuant to Article 6(1)(f) of the GDPR, i.e. in order to fulfil the legitimate interests of the customer/contractor, shall be entitled to object to the processing of personal data.

  1. Transfer personal data outside the European Economic Area:

Personal data will not be transferred outside the European Economic Area or to international organisations.

  1. Profiling:

Personal data are not used in automated decision-making processes, in particular in profiling.

  1. Recipients of personal data:

Personal data may be made available to public authorities in connection with their conduct of proceedings under applicable law.

In the remaining scope, access to personal data is also granted to trained and authorised employees or co-operators of the Controller, including providers of personal and property protection services, legal, advisory, IT, accounting services, courier or post, audit, development, insurance services.

 

 

In case of any questions or comments regarding the processing of personal data, in particular in order to exercise your rights, please contact the Data Protection Supervisor, Tomasz Cygan, by e-mail: inspektorod@polwax.pl, by phone: 694 429 337 or by letter to the Controller’s address.

Please be assured that the Personal Data Controller is committed to providing the means to physically, technically and organizationally protect personal data against accidental or deliberate destruction, loss, alteration, unauthorised disclosure, use or access in accordance with applicable laws.