Policy: this Policy for the processing of personal data by AMIC POLSKA Sp. z o.o.
Controller: AMIC POLSKA Sp. z o.o., 58 Ogrodowa St. 00-876 Warsaw
personal data: information regarding an identified, or identifiable natural person (a person whom the data is concerning). A natural person possible to identify is a person who can be directly or indirectly identified, particularly on the basis of an identifier such as their first or last name, id number, details of their location, internet ID, or one or several particular factors defining their physical, physiological, genetic, psychological, economical, cultural, or social identity.
GDPR: Regulation of the European Parliament and Council of April 27, 2016 (EU) 2016/679, on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and on repealing Directive 95/46/EC (General Data Protection Regulation).
A person whom the data is concerning: each natural person whose personal data is processed by the Controller in relation to the commercial activity it is conducting, e.g., a person who visits limited access zones on Controllers premises, a person who is bound with the controller by contract or who sends them an inquiry by email.
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER
The Controller of the Personal Data collects and processes personal data in compliance with the provisions of the law, in particular with the provisions of GDPR, with the purpose of conducting their commercial activity.
The Controller complies with the transparency rule regarding the processing of personal data. The persons whom the data is concerning are informed that their data is being processed no later than upon the moment the data is collected, moreover, they are informed of the purpose and the legal basis for the processing - e.g., upon the moment of concluding a sales contract for products or services.
The Controller makes sure that the principle of personal data minimization is respected by the Company. Data is collected to the extent necessary for the indicated purpose of processing and processed only for a minimum retention period. In order to speed up and improve the service for its customers, the Controller obtains from them personal data which are not necessary, e.g., to perform the contract concluded with them - such as telephone number or e-mail, only with their consent, and before collecting such data, the Controller informs the customers about the fact that provision of such data is voluntary.
The Controller ensures an appropriate level of security and confidentiality of personal data processed by them. In case of an incident related to the security of personal data, the Controller shall inform the persons to whom the personal data relate about such an event in accordance with the law.
CONTACT REGARDING ISSUES RELATED TO PROTECTION OF PERSONAL DATA
The Controller appointed a Personal Data Inspector, who can be contacted by:
- email: [email protected]
- mail using the following address: AMIC POLSKA Sp. z o.o., 58 Ogrodowa St., 00-876
PERSONAL DATA SECURITY
The procedures introduced by the Controller allow for maintaining a proper level of confidentiality and integrity of the personal data it is processing. Only properly trained and authorized personnel can access the data. The Controller utilizes organizational and technical solutions that ensure that all operations on personal data are registered and performed only by authorized persons.
The Controller undertakes all necessary means while selecting the entities which process data and other contractors so that the level of security of personal data provided by those entities is sufficient.
The Controller conducts an ongoing security risk analysis and monitors the adequacy of the implemented security measures with regards to data and the identified threats. If necessary, the Controller implements additional measures to increase data security.
PURPOSES AND LEGAL BASES FOR PROCESSING DATA BY THE CONTROLLER
The Controller uses contact details provided by customers (email address, telephone number) with the purpose of carrying out the provisions of agreements which they have concluded. The data may also be used for marketing purposes (informing about new products or services), but only if they have obtained proper consent for this type of use.
All personal data included both in traditional correspondence and in electronic correspondence and collected by phone which is directed at the Controller in matters unrelated to the provision of services to the sender are processed only with the purpose of providing a response to the sender. In such cases, provision of particular data is required by the Controller only in cases when it is necessary for the above-mentioned purpose, and if the data is not provided, settlement of the matter becomes impossible. In such a case, the legal basis for the processing of data is the legally justified interest of the Controller (art 6., letter f., of the GDPR), i.e., conducting correspondence directed at the Controller in relation to their business activity.
The administrator ensures that the amount of processed data in the correspondence is consistent with the principle of data minimization and that only authorized persons have access to it.
Telephone conversations can also be recorded - in this case, information about the recording of the conversation is given at the beginning of the conversation. The conversations are recorded in order to verify the quality of the service provided and to verify the work of the consultants, as well as for statistical purposes. The recordings are also used to register complaints or to express (or revoke) consent to receive marketing content. The recordings are available only to authorized employees of the Controller and persons operating the administrator's hotline.
Visual monitoring and access control
In order to ensure the security of people and property, the Controller uses video monitoring and controls access to buildings managed by the Controller. The data in the form of images from cameras are not used for any other purpose.
Personal data in the form of monitoring recordings and personal data collected in the entry and exit register are processed in order to ensure security and order on the premises of the property and possibly for the purpose of defense or issuing claims. Refusal to provide data in the form of an image makes it impossible for the refusing party to remain on the Controller’s premises. The basis for the processing of personal data is the legally justified interest of the Controller (Article 6., section 1., letter f., of the GDPR) consisting of ensuring the security of the Controller’s property and protecting their rights.
In order to inform the persons entering the Controller’s premises, information about the coverage of a given facility by video surveillance is displayed in visible places.
The Controller processes the personal data provided by potential employees in the recruitment process, the scope of data that the Controller expects from the candidates for work does not exceed the catalog included in the labor law regulations. However, at the moment when a potential candidate for work provides data beyond what is required by the applicable regulations, it is presumed that he or she has agreed to the processing of this data. Such consent may be withdrawn at any time, without affecting the lawfulness of the processing carried out before the withdrawal. In the event that the applications submitted contain information that is inadequate for the purpose of recruitment, they will not be used or taken into account in the recruitment process.
Personal data is processed:
- with the purpose of carrying out any duties resulting from the provisions of the law - Labor Law, more precisely any processes related to the process of recruitment. The legal basis for such processing is the legal obligation of the Controller (Article 6., section 1., letter c., of the GDPR in relation to the Labor Law),
- in order to conduct the process of recruitment in the scope of data which is not required by the provisions of the Labor Law as well as for the purpose of conducting future recruitment processes - the legal basis is the consent (article 6., section 1., letter a., of the GDPR),
- with the purpose of determining or making claims or defending against any claims - the legal basis for such processing is the legally justified interest of the Controller (article 6., section 1., letter f., of the GDPR).
To the extent that personal data is processed on the basis of your consent, you may withdraw it at any time without affecting the lawfulness of the processing carried out before its withdrawal.
The retention period for consent for future recruitments is set at two years. After this period, the data will be deleted.
Collection of data in connection with the provision of services or performance of other contracts
In the case of data collection for the purposes of performing a specific contract, the Controller shall provide the data subject with detailed information on the processing of his or her personal data at the time of conclusion of the contract.
Collection of data for other purposes
In connection with the conducted activity, the Controller collects personal data also in other cases - e.g., during business meetings, industry events, or by exchanging business cards - for the purposes related to establishing and maintaining business contacts. In such cases, personal data is provided voluntarily. The legal basis for such processing is the legally justified interest of the Controller (article 6., section 1., letter f., of the GDPR) consisting of creating a network of relations for the purpose of conducting the business activity.
Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator ensures their adequate protection.
RECIPIENTS OF DATA
Personal data may be disclosed to proper authorities or third parties if the request for disclosure of such information is based on an appropriate legal basis and will be in accordance with applicable law.
TRANSFER OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA
Personal data may be transferred to recipients located outside the EEA. In such cases, we will ensure that the recipient employs an adequate level of data protection (based on a decision of the EU Commission stating the adequate level of protection for the country concerned, the contractual arrangements with the recipient of the data contained in the standard contractual clauses in accordance with the decision of the European Commission or based on your consent) before the data is transferred. For more information regarding the transfer of data contact: [email protected]
DURATION OF THE PROCESSING PERIOD
The duration of the period of processing by the Controller depends on the purpose for which the data is processed.
In cases when the basis for the processing is the necessity of providing data for the purpose of executing an agreement, the personal data is processed until the agreement expires. If the processing is based on consent, the personal data is processed until the consent is withdrawn.
Provisions of the law
In cases when the basis for the processing is a provision of the law, the duration of the period of processing also results from the particular provisions of the law.
Justified interest of the Controller
In cases when the basis for the processing is the Controller’s justified interest, personal data is processed throughout the duration of a period necessary for this interest to be carried out or until an objection is filed against such processing.
Protection against claims
The period of data processing may be extended in cases when the processing is necessary to establish, execute, or defend against any claims that may occur, and after that period only in the scope which is required by the provisions of the law.
In cases where the period of retention expires, the personal data is immediately removed or anonymized.
RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
Rights of persons whom the data is regarding
The persons whom the data is regarding have the following rights:
- The right to be informed about the processing of their data
- The right to obtain a copy of their data
- The right to correct their data
- The right to remove their data
- The right to limit the processing of their data
- The right to transfer their data
- The right to object to the processing of their data
- The right to withdraw their consent for the processing of their data.
In cases where it is established that the processing of data is in breach of GDPR or other regulations regarding personal data protection, the person whom the data is regarding may lodge a complaint with the Chairman of the Office for Personal Data Protection.
Submitting motions for the above rights to be executed
A motion regarding the execution of the data subjects’ rights can be submitted:
- in writing by traditional mail to the address of AMIC POLSKA Sp. z o.o. “Data Protection Inspector”, or
- by email to the following email address: [email protected]
The response to any submitted motion should be provided within one month from receiving the motion. In case the period needs to be extended, the Controller will notify the author of the motion of the basis for such an extension.