PERSONAL DATA PROCESSING POLICY
1. On account of its business activities, the Controller collects and processes personal data under the applicable provisions, in particular the General Data Protection Regulation (the Regulation), and the data processing principles included therein.
2. The Controller ensures transparency of data processing, in particular by always informing of data processing upon collection, including of the purpose of and legal grounds for processing. When processing the data, the Controller assures the security and confidentiality thereof, and access for the data subjects, to that information.
3. It is possible to contact the Controller by email to firstname.lastname@example.org or to other email addresses indicated for that purpose, or in writing to ul. Boryszewska 22 C, 05-462 Wiązowna.
4. In order to assure data integrity and confidentiality, the Controller has implemented the procedures that only allow the authorized persons to have access to the personal data and only in the scope necessary taking into account the tasks performed by them. The Controller applies organizational and technical measures for the purpose of ensuring that all the operations on personal data are recorded and performed only by authorized persons.
5. The Controller exercises any and all the efforts necessary to ensure that its subcontractors and other collaborators also guarantee the application of suitable security measures in every case when they process personal data. The Controller analyzes risk on a regular basis and monitors the adequacy of the data protection measures to the identified threats.
6. If the Controller receives an email or a letter sent using traditional mail, the personal data included in that correspondence will be processed solely for the purpose of communicating and handling the issue that the correspondence referred to and the matters associated therewith. The legal grounds for processing is the legitimate interests of the Controller (art. 6 section 1 letter f of the Regulation), which consists in managing correspondence on account of the conducted activities. The Controller only processes the personal data necessary for the case, to which the correspondence is connected. All the correspondence is stored so as to ensure security of the personal data included therein as well as other information, and disclosed only to authorized persons.
7. In the case of contact by phone, the Controller may request that personal data be stated only if it is necessary for handling the case, to which the contact refers. In such a case, the legal grounds is Controller's legitimate interests (art. 6 section 1 letter f of the Regulation), consisting in the need to handle the reported matter connected to the business activities conducted.
8. For the purpose of ensuring safety of people and property, the Controller may use visual monitoring and control access to the premises and to the area managed by the Controller. The data collected in that manner will not be used for any other purpose. The personal data in the form of monitoring recordings as well as the data collected in the sign in and out book will be processed in order to ensure safety and order in the facility and, potentially, to defend or pursue claims. The basis for processing personal data is Controller's legitimate interests (art. 6 section 1 letter f of the Regulation).
9. Within recruitment processes, the Controller expects provision of personal data (e.g. in a resumé or professional bio) solely within the scope specified in the provisions of labor law. As a result, no other information should be provided. If the applications sent contain such additional data, that data will not be used or taken into account in the recruitment process or for any other purpose. Personal data is processed for the following purposes:
a) performing the obligations under the law, associated with the employment process, in particular under the Labor Code – under art. 6 section 1 letter c of the Regulation in conjunction with the provisions of the Labor Code;
b) conducting the recruitment process –n the scope of the data not required under the law or for the purposes of future recruitment – under art. 6 section 1 letter a of the Regulation;
c) determining or pursuing potential claims or defending against such claims – under art. 6 section 1 letter f of the Regulation.
10. If data is collected for the purposes associated with performing a specific agreement, the Controller will provide the data subject with the information on processing its personal data, no later than upon conclusion of the agreement.
11. On account of its conducted business activities, the Controller collects personal data also, for example, during business meetings, events or by exchanging business cards – for the purposes of establishing and maintaining business contacts. In that case, the legal grounds for processing is the legitimate interests of the Controller (art. 6 section 1 letter f of the Regulation), which consists in establishing a contact network on account of the conducted business activities. The personal data collected in that manner will be processed solely for the purpose, for which it has been collected, and properly protected.
12. On account of the conducted activities that require personal data processing, it may be disclosed to third parties, including those operating IT systems and equipment, to the entities that provide legal or accounting services, couriers, marketing or recruitment agencies. The data may also be disclosed to the entities associated with us, including the companies from Controller's group. The personal data may be disclosed or provided to competent authorities or third parties that request such data only on the basis of proper legal grounds and in compliance with the applicable provisions of the law.
13. The level of protection of personal data outside of the European Economic Area (EEA) is different from the level provided by European law. For that reason, the Controller will provide personal data outside of the EEA only if necessary, and while providing proper degree of protection. The Controller always informs, at the collection stage, of the intention to provide personal data outside of the EEA.
14. The period of personal data processing depends on the purpose of processing, and may result from the provisions of the law that provide the grounds for processing. In the case of data processing on the basis of Controller's legitimate interests, it will be processed for the period allowing the fulfillment of those interests or until an objection to data processing is submitted. If the processing takes place under a consent, the data may be processed until the consent is revoked. If data is processed for the purpose of concluding and performing an agreement, the data will be processed until the agreement terminates.
15. The period of data processing may be extended if it is necessary for determining, pursuing or defending against potential claims, while after that period – only in the case and in the scope required by provisions of the law. After the lapse of the processing period, the data will be irretrievably deleted or anonymized.
16. Data subjects are vested with the following rights:
a) the right to information on personal data processing – the Controller will provide the person submitting such a request with the information on data processing, including, in particular, on the purposes of and legal grounds for processing, on the scope of data held, on the entities to which it is disclosed and on the planned date of deleting it;
b) the right to receive a copy of the data – the Controller will provide a copy of the processed data concerning the person submitting the request;
c) the right to correct – at the request of the data subject, the Controller will remove the potential irregularities or errors in the processed personal data and will supplement it, if it is incomplete;
d) the right to delete data – one may request that the data, the processing of which is no longer necessary for any purpose, for which it has been collected, to be deleted;
e) the right to limit processing – if such a request is submitted, the Controller will cease the to perform operations on the personal data and to store it, until the cause for limitation of data processing disappears (e.g. until a regulatory body issues the consent for further data processing);
f) the right to transfer the data – in the scope, in which it is processed automatically or in connection with a concluded agreement or expressed consent, the Controller will release the data delivered by the person it refers to, in the format that allows it to be accessed using a computer. Furthermore, one may request that the data be sent to another entity – but on the condition that it is technically possible on the part of the Controller and of that other entity;
g) the right to object to data processing for direct marketing purposes – one may object to the processing of one's personal data for direct marketing purposes, at any time, without the need to justify such an objection;
h) the right to object to other purposes of data processing – the data subject may, at any time, object to its personal data processing for reason of a particular situation – if the Controller processes its data under Controller's legitimate interests (i.e. under art. 6 section 1 letter f of the Regulation, e.g. for analytical or statistical purposes for property protection purposes). Such an objection must include justification;
i) the right to revoke consent – if the data is processed under a granted consent, data subject is entitled to revoke it at any time which, however, will not affect the legality of the processing before the revocation of such a consent
j) the right to complaint – in the case of considering that personal data processing violates the provisions of the Regulation or other provisions on personal data processing, the data subject may submit a complaint to the President of the Personal Data Protection Office.
17. An application/request associated with exercising one's rights may be submitted in writing to: ul. Boryszewska 22 C, 05-462 Wiązowna or by email to: email@example.com. An answer will be given in writing, unless the request/application has been submitted by email or unless it requires that the answer be sent by email. In the case of doubt regarding the identity of the person submitting a request by email, the Controller reserves the right to verify that identity.
a) Controller: ATS Display Sp. z o. o. with its registered office in Wiązowna at Boryszewska street No. 22 C, 05-462 Wiązowna, entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the capital city of Warsaw in Warsaw, XIV Commercial Division of the National Court Register at KRS No. 0000075752, with the share capital of PLN 50,000, Tax Identification (NIP) No.: 5321790563.
b) Personal data: all the information on an identified or identifiable natural person which, through one or several specific factors, describe the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, including its image, voice recording, contact data, location data, information included in correspondence, information collected using recording equipment or other, similar technologies.
c) Policy: this Personal Data Processing Policy.
d) Regulation: Regulation 2016/679 (EU) of the European Parliament and of the Council of 7 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
e) Data subject: every natural person, the personal data of whom is processed by the Controller (e.g. our customers, persons using our services, persons visiting our premises, persons corresponding with us).