2. WHOSE PERSONAL DATA DO WE PROCESS?
3. WHAT PERSONAL DATA DO WE PROCESS AND FOR WHAT PURPOSES?
4. WHERE IS THE PERSONAL DATA STORED?
5. HOW LONG DO WE PROCESS THE PERSONAL DATA?
6. WHO MANAGES THE PERSONAL DATA PROCESSING AND THEIR SECURITY IN THE COMPANY?
7. WHO IS AUTHORISED TO PROCESS PERSONAL DATA IN THE COMPANY?
8. WHAT IS THE PROCEDURE THAT THE AUTHORISED PERSON MUST FOLLOW?
9. HOW DO WE MEET THE INFORMATION OBLIGATIONS?
10. DO WE POSSESS THE RELEVANT CONSENTS FOR PROCESSING OF THE PERSONAL DATA?
10.1 HOW CAN THE DATA SUBJECTS ENFORCE THEIR RIGHTS FROM US?
11. DO WE CONCLUDE PERSONAL DATA PROCESSING ENTRUSTMENT AGREEMENTS?
12. DO WE TRANSFER PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?
13. DO WE MAKE PERSONAL DATA AVAILABLE?
14. HOW DO WE PROTECT OUR PERSONAL DATA?
15. WHAT IS THE PROCEDURE IN CASE OF A PERSONAL DATA BREACH?
16. FINAL PROVISIONS
17. GOOGLE ANALYTICS
18. USE OF SOCIAL MEDIA PLUGINS
This Personal Data Protection Policy (hereinafter referred to as the "Policy") is issued under Art. 24 section 1 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (O.J. EU 119 of 4 May 2016, p. 1) (hereinafter referred to as the "Regulation").
The purpose of the Policy is to provide a comprehensive description of the solutions applied by Clear Intec sp. z o.o. (hereinafter referred to as the "Company" or "Employer" or "Potential Employer") within the scope of personal data security.
This Policy applies to all personal data processed by the Company within the scope of the business activity conducted by it.
All employees/co-workers are obliged to follow the principles described herein.
We process the personal data of:
- former employees/co-workers,
- potential employees (mostly for the purpose of employment in the capital group)/co-workers,
- clients, commercial partners, business partners.
Employees and co-workers
We process the employees' personal data, which include, first and foremost, all information regarding the employees that the employer is obliged under the law to hold and archive.
As regards co-workers, we process personal data included in the contracts signed with them.
Furthermore, we process such personal data as: private telephone number and private e-mail address of the employee and co-worker.
We have created a Database containing data of the Employees and Co-workers in the paper and electronic form.
The personal data of the employees and co-workers are processed exclusively for the purposes connected with performance of the obligations arising from the contracts we concluded with them.
The personal data can also be used within our capital group for the purposes connected with HR policy preparation, exchange of experience, organisation of trainings for employees and co-workers, reporting or joint implementation of business projects within our group.
Former employees and former co-workers
For former employees and former co-workers, personal data are processed solely for archiving purposes (to the extent arising from the absolutely effective provisions of the law).
Moreover, the data of such persons are processed to assert any claims from a former employee or co-worker under a formerly binding contract and to verify the legitimacy of any claims raised against us by a former employee or co-worker.
Potential employees in the capital group
Personal data of potential employees are processed, particularly in the scope resulting from the effective provisions of the law, for conducting recruitment leading to the establishment of an employment relationship within our capital group, but also with clients of the capital group.
Depending on the situation, personal data are processed for recruitment for current and future positions.
Personal data of potential employees are obtained directly from them, via social media, via specialised websites with job offers or from other professional counselling enterprises. In the last case, personal data are processed only to the extent allowed by a contract concluded with the company that provides candidate information.
We have created a Potential Employee Database in paper and electronic form.
The personal data can also be used within our capital group for the purposes connected with HR policy preparation, reporting or joint implementation of business projects within our group.
First and foremost, personal data of co-workers are processed to the extent arising from the effective provisions of the law and necessary for establishment of cooperation.
Depending on the situation, personal data are processed for recruitment for current and future positions. Personal data of co-workers are obtained via specialised websites with job offers.
Clients and commercial partners
Our clients and commercial partners are usually legal persons whose data are not subject to protection. Nevertheless, contracts concluded with them sometimes state personal data of their employees or co-workers (personal data of persons responsible for a project, contact persons, persons authorised to represent the legal person etc.). Usually, those are personal data limited to full name, position and contact details. They are processed for purposes connected with performance of contracts and assertion of claims under contracts. In addition, the data in question can be made available within our capital group for purposes connected with experience sharing, reporting or joint performance of business projects within our group.
The above personal data are obtained directly from the entities with whom we are in commercial relations, at the same time undertaking not to process them for purposes other than specified above and to protect them.
Personal data of persons with whom we have constant business contact are processed as well, even if there is no contract with them or with the entities which they represent or with which they cooperate. Such data are obtained directly from those persons by way of exchanging name cards, during phone calls or via electronic correspondence. Each person provides us with their personal data in this form voluntarily, solely for business purposes, i.e. to allow professional contact, to offer cooperation, for commercial exchange, business information exchange and search for mutual business benefits.
The above personal data are obtained directly from the entities with whom we are in business relations, at the same time undertaking not to process them for purposes other than specified above and to protect them.
The original personal files of the employees are stored at the registered office of the Company and by Rödl&Partner.
Other documents containing personal data (data of clients and business partners) are stored at the Company's registered office and are properly secured, according to Appendix No. 1 hereto.
We process the personal data for the period of time specified in the relevant provisions of the law. If such a processing period does not arise from the effective provisions of the law, the data are processed as long as there is a legal basis and purpose for their processing.
- data of employees - until the archiving obligation expires,
- data of potential employees (mostly for the purpose of employment in the capital group)/co-workers - stored for the time in which they can be used according to the implemented or planned projects, not exceeding 10 years,
- contact data (of clients, suppliers, contractors) - until the claims and tax liabilities expire, whichever time limit is longer,
- business data - until withdrawal of the consent.
We erase the personal data immediately upon receipt of the notice of withdrawal of the consent for their processing.
We erase the personal data immediately after the purpose for personal data processing ceases to exist.
Responsibility for processing and protection of the personal data in the Company lies with the Management Board.
The Management Board is responsible for:
- preparation of authorisations to process personal data for signature along with an employment contract/cooperation contract and statements on non-disclosure of personal data and on data protection measures,
- storage of authorisations to process personal data and statements on non-disclosure of personal data and on data protection measures,
- keeping current records of persons authorised to process personal data,
- performance of personal data processing contracts according to the provisions of these contracts,
- keeping the register of breaches,
- periodical analysis of compliance of documentation on personal data processing in the Company with the effective regulations and, if necessary, update of such documentation,
- monitoring of incoming messages at email@example.com, the e-mail address which, under the concluded personal data processing contracts, is to receive messages concerning those contracts, and immediate notification of the Management Board of receipt of such a message,
- monitoring of incoming queries at firstname.lastname@example.org from data subjects and immediate notification of the Management Board of receipt of such a query.
Each person who performs any activities connected with personal data processing is duly authorised to process personal data and has signed a statement on data non-disclosure and the manner of data protection, applicable both during the term of the employment/cooperation contract and after it ceases to be binding. Moreover, each such person has been properly trained in personal data protection.
Authorisation to process data in the Company is granted by the Management Board of the Company.
We have created authorisation records, which are updated on an ongoing basis.
The person authorised to process personal data shall:
- familiarise him/herself with the Policy and other documents regarding processing of personal data in the Company,
- process personal data exclusively for a specific, clearly defined and lawful purpose,
- not leave documents containing personal data in the printers,
- not leave paper documents containing personal data on the desk ("clean desk principle"),
- exercise due diligence and care while providing personal data,
- ensure that the entrusted electronic equipment and other devices on which personal data can be stored are not used in a manner that could result in unauthorised access to personal data, particularly refrain from making such equipment available to third parties without due authorisation,
- not use private mail for professional purposes,
- exercise special care when saving documents containing personal data on portable data carriers – it shall be done only in the case of absolute necessity and with control maintained over the carrier containing the data so that it is not obtained by unauthorised persons.
Each person in the Company who is authorised to process personal data shall be careful not to allow unauthorised parties access to the personal data processed by the Company.
In particular, each and every employee and co-worker shall take care that no unauthorised person has access to places in the registered office of the Company where personal data are stored. This applies especially to the situation where visitors, clients, job candidates or business partners are invited to the registered office of the Company.
While processing personal data, each and every employee and co-worker shall keep in mind not to use personal data for purposes other than the purposes for which they have been collected by the Company. In particular, they shall keep in mind that the personal data of job candidates can be processed in the recruitment process only, the personal data of clients, employees and co-workers – only for the purposes connected with performance of contracts and any mutual assertion of claims or examination of their legitimacy and the personal data of other business partners with whom the Company has not concluded any contracts – only for the purposes of maintenance of professional and business relations.
Each and every employee and co-worker shall not use personal data obtained from other persons (unless they have been authorised to do so or the data were entrusted by an enterprise with whom the Company has signed a personal data processing contract). For instance, employees and co-workers shall not use personal data coming from sources other than the data subjects or handed over in another legal (compliant with legal regulations) manner by other entities. Employees and co-workers of the Company shall know that the Company does not obtain any personal data without consent of the data subject and does not use any websites allowing acquisition of personal data packages.
Before any personal data are handed over to unauthorised persons (including but not limited to persons not being employees or co-workers of the Company), each and every employee or co-worker of the Company shall make sure that handover of personal data is allowed on a case-by-case basis. In case of any doubts, the Management Board of the Company shall be contacted to obtain additional instructions.
If any contract is concluded which results in the necessity to make personal data available to other entities, the employee or co-worker of the Company responsible for the conclusion of such contract shall make sure that:
- the Company has concluded a due personal data processing contract with that entity, or
- a proper personal data processing clause is included in the draft of the contract planned to be concluded.
At the time of obtaining of personal data from the data subject, i.e. from the employee/co-worker, potential employee/co-worker or client (if applicable), we present any and all information required by the law under Art. 13 and 14 of the Regulation. Such information includes but is not limited to our contact details, indication of purpose(s) of personal data processing, legal basis for such processing and rights the data subject is eligible for.
Such information is provided to each and every employee/co-worker upon conclusion of their employment/cooperation contract.
Candidates submitting their CVs as part of the recruitment process and applying for a job when no recruitment process is under way can learn of their personal data-related rights at our website.
Similarly, all persons employed at our clients' and contractors' sites as well as persons providing us with their contact details for business purposes (even though we have not concluded any contracts with them) can learn of their rights at our website.
Personal data of employees, potential employees, former employees and co-workers
As a rule, as the Employer or Potential Employer, we do not need a consent to process the personal data indicated in the Labour Code in the scope necessary to establish and maintain an employment relationship. Furthermore, we do not need employees' consents to process their data if we employ them for our legitimate interest.
In the scope in which we process personal data outside of what is required of us by the Labour Code or by legitimate interest, we obtain employees' and potential employees' consents covering the purpose for and scope in which we will use their personal data.
Furthermore, in the case of persons providing us with services under civil law contracts, we process only the personal data included in the contracts concluded with them and required for performance of those contracts or for our legitimate interest. Therefore, no separate consents to process personal data are required.
Personal data included in the contracts with clients and commercial partners
The personal data obtained by the Company under contracts with clients and commercial partners cover either data for contacting the enterprise (which means that it is not necessary to obtain consent to process such data under the effective regulations), or data provided to us by an enterprise employing the data subjects. We can process such data without consent of the said persons, providing them, however, with full protection and using them only for the purposes specified in the contract concluded with our client or commercial partner.
As regards other persons being our commercial partners, we process only those personal data which we have obtained directly from those persons (e.g. by way of a name card, e-mail correspondence or a phone call) and only when such a person knowingly and purposefully provides us with their data to allow us to process them for business purposes.
Under Art. 15-22 of the Regulation, any person whose data we process has the right to:
- access to his/her personal data, including obtaining a copy,
- rectification of the personal data,
- erasure of the personal data (in specific situations),
- restriction of processing of the personal data,
- submittal of an objection against data processing,
- submittal of a complaint to the President of the Personal Data Protection Office.
Additionally, in the scope in which the personal data are processed on the basis of consent or within the framework of the performed service/contract, all data subjects have the right to:
- withdraw the consent in the scope in which the data are processed on such a basis. Withdrawal of the consent does not affect lawfulness of processing carried out based on the consent prior to its withdrawal.
- transfer the data.
Any interested party can contact us by sending a request to the e-mail address created for this specific purpose: email@example.com. We respond to all e-mails immediately, and no later than within 1 month from receipt of the request.
Yes, we do. We cooperate only with such entities that guarantee the implementation of technical and organisational measures ensuring a proper safety level for personal data processing. The personal data processing contracts contain the clauses required by the law under Article 28 Section 3 of the Regulation.
Each and every personal data processing contract is consulted with the Management Board of the Company or with a person indicated by the Board.
We do not transfer personal data to entities outside the European Economic Area. If the Management Board of the Company desires to transfer such data, it determines templates for contracts with such entities.
Yes, we do. The personal data can be made available to the entities authorised to obtain them under the governing law, e.g. law enforcement authorities, if such an entity submits a request under a relevant legal basis.
The personal data of potential employees and our employees and co-workers can also be made available within our capital group for the purposes of employment within the capital group, for the purposes connected with HR policy preparation, exchange of experience, organisation of trainings for employees and co-workers, reporting or joint implementation of business projects within our group.
The personal data of employees and co-workers (data of persons responsible for a project, contact persons, persons authorised to represent legal persons etc.) of our clients and commercial partners can be made available within our capital group for purposes connected with experience sharing, reporting or joint performance of business projects within our group.
The above activities do not require obtaining any additional consents.
We have implemented proper technical and organisational measures to provide the safety level corresponding to the risk, taking into account the state of the art, costs of implementation and the nature, scope, purpose and context of processing as well as the risk of infringement of rights and freedoms of natural persons of various probability and magnitude. In particular, we take into account the risk connected with the processing of data arising from unauthorised access to personal data stored, sent or processed otherwise.
The detailed manner of protecting personal data is described in Appendix No. 1 to this Policy.
In addition, we have developed Instructions specifying the manner of IT system management.
If a breach of personal data security is found, all employees/co-workers are obliged to follow the "Instructions in case of a personal data breach". The instructions in case of a personal data breach form Appendix No. 2 to the Policy.
The Instructions are handed over to each and every employee/co-worker upon establishment of the employment relationship.
If a personal data breach is found and if the risk of infringement of rights or freedoms of natural persons is found to be probable, the Management Board will report the breach to the President of the Personal Data Protection Office within 72 hours after the breach has been found, under Article 33 of the Regulation.
If a personal data breach may cause a high risk of infringement of rights or freedoms of natural persons, we will notify the data subject of such breach.
The Management Board of the Company enters all found personal data breaches in the register of breaches.
When does the Policy enter into force?
The Policy enters into force on 05.09.2018.
It was approved by the Company's Management Board by way of Resolution 2018 of 05.09.2018.
In all matters not governed by this Policy, the provisions of the Regulation and Personal Data Protection Act shall apply.
You can prevent the saving of cookies by configuring your web browser accordingly; however, keep in mind that in such a case it might not be possible to use all functions of a given website. To prevent cookies from generating data on your use of the website (including your IP address), and to prevent such data from being sent to Google and further processed by Google, download the web browser plugin available under the following link: Browser-Add-on to deactivate Google Analytics.
Additionally or alternatively to the Browser-Add-on, you can prevent Google Analytics from creating and downloading data by clicking on the link below. An Opt-Out-Cookie will be installed on your computer, which will prevent further gathering of data when visiting a given website and using a given web browser as long as this cookie is not removed from your web browser.
At our website, we use "Social-Media-Plugins" of the social networks Facebook, Xing, LinkedIn and kununu. Social-Media-Plugins can be recognised by the logo of the given social media.
Facebook Inc. (1601 S. California Ave – Palo Alto – CA 94304 – USA)
XING AG (Gänsemarkt 43 – 20354 Hamburg – Germany)
LinkedIn Corp. (2029 Stierlin Court – Mountain View – CA 94043 – USA)
Kununu GmbH (Neutorgasse 4-8, Top 3.02 – 1010 Vienna - Austria)
By default, Social-Media-Plugins are disabled on our website. To use social media networks, you need to activate them by clicking on the appropriate button. As long as Social-Media-Plugins are not activated, no data will be provided to any social media. Once activated, a social media plugin creates links with social network servers and remains active until you deactivate it or remove the relevant cookie. Activation will result in establishing a direct connection with the server of the respective social network. The content of the social media plugin will be transferred from the social media to your web browser, which will combine it with the visited website. Therefore, we have no control over the scope of data downloaded via social media plugins.
For more information on the purpose and scope of gathering data and further processing and use of data by specific social media, your rights in this respect and the possibility to set up parameters so as to protect your privacy, read the data protection guidelines of the respective social media.
Appendix No. 1
Detailed personal data protection methods applied by the Company
- physical protection measures
- Once not useful anymore, documents in paper form containing personal data are destroyed mechanically with paper shredders,
- Access to the rooms where personal data are processed is subject to an access control system.
- organisational measures
- Access to personal data is granted only to persons authorised to process personal data,
- Visitors and other persons "from the outside" who are not authorised to process personal data can move around the office of the Company only in the company of employees/co-workers of the Company authorised to process personal data. Such employees/co-workers are responsible for preventing the persons from outside of the Company from accessing personal data throughout their stay in the registered office of the Company.
- All persons authorised to process personal data have read documents on personal data protection, including but not limited to the Policy, and have been trained in personal data protection.
Appendix No. 2
Instructions in case of a personal data breach in the Company
- If a personal data breach is found, all employees/co-workers are obliged to inform the Management Board of Clear Intec sp. z o.o. immediately about this fact.
- A report can be submitted by electronic mail at firstname.lastname@example.org or by phone at +48 22 880 09 63.
- The Management Board of Clear Intec sp. z o.o. takes immediate action to stop the adverse effects of the personal data breach.
- The Management Board drafts a report which should contain - if possible - the elements of the report referred to in Art. 33 section 3 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ EU L 119/1).