1.1. Controller – Helm Polska sp. z o.o. with its registered office in Warsaw, ul. Domaniewska 42, postal code: 02-672, entered into the National Court Register maintained by the District Court for the Capital City of Warsaw, XIII Economic Department of the National Court Register under KRS number: 0000023594, NIP: 525-182-09-09, REGON: 012698801. The share capital is PLN 1.000.000.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several specific factors defining his/her physical, physiological, genetic, psychic, economic, cultural, or social identity, including the image, voice recording, contact data, location data, information included in correspondence and information collected through recording equipment or other similar technologies.
1.3. Policy – this Personal data processing policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Data subject – any natural person whose personal data are processed by the Controller, e.g. a person visiting the Controller’s premises or sending it an inquiry by email.
2. DATA PROCESSING BY THE CONTROLLER
2.1. In connection with the conducted business activity, the Controller collects and processes personal data in compliance with relevant laws, especially the GDPR and the data processing principles provided therein.
2.2. The Controller ensures transparency of data processing, in particular by always informing about data processing at the moment of their collection, including the purpose and legal basis of the processing, e.g. while entering into a sales agreement for commodities or services. The Controller makes every effort to collect data only to the extent necessary for the indicated purpose and process them only as long as it is necessary.
2.3. While processing personal data, the Controller ensures their security and confidentiality and an access to information about the processing to the data subjects. If, in spite of the applied security measures, there is a personal data breach (e.g. a data leak or loss), the Controller shall inform data subjects about the event in compliance with laws and regulations.
3. CONTACT WITH THE CONTROLLER
3.1. The Controller may be contacted by e-mail email@example.com or by letter sent to the mailing address HELM Polska sp. z o.o. ul. Domaniewska 42, 02-672 Warsaw.
4. PERSONAL DATA SECURITY
4.1. To ensure data integrity and confidentiality, the Controller has implemented procedures making access to personal data possible only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller applies organizational and technical solutions to ensure that all the operations on personal data are recorded and performed only by authorized persons.
4.2. In addition, the Controller takes any necessary actions so that also its subcontractors and other cooperating entities guaranteed the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
4.3. The Controller performs risk analysis on an ongoing basis and monitors the adequacy of applied data protection mechanisms to the identified threats. If necessary, the Controller implements additional measures to increase data security.
5. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
EMAIL AND TRADITIONAL CORRESPONDENCE
5.1. If the Controller receives correspondence, by email or traditional mail, unconnected with the services provided for the sender or another agreement executed with them, the personal data found in the correspondence shall be processed only for the purpose of communicating and resolving the issue which is the subject of the correspondence.
5.2. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) to carry on correspondence sent to it in connection with its business activity.
5.3. The Controller processes only the personal data relevant to the issue that the correspondence is about. All the correspondence is stored so as to ensure security of the personal data (and other information) found therein and disclosed only to authorized persons.
CONTACT BY TELEPHONE
5.4. If the Controller is contacted by telephone about issues unconnected with an executed agreement or provided services, the Controller may require that personal data should be provided only if this is necessary to handle the issue that the telephone conversation was about. In such a case, the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) involving the need to resolve an issue connected with its business activity.
5.5. The Contoller provides the possibility of contacting him using electronic contact forms. Using the form requires providing Personal Data necessary to contact the Data subject and answer the inquiry. The Data subject may also provide other data to facilitate contact or handling the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to do so results in the inability to handle. Providing other data is voluntary.
5.6. The legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in answering an inquiry addressed to him in connection with his business activity.
5.7. The Controller processes only Personal Data relevant to the matter to which the inquiry relates. The content of the inquiry is stored in a way that ensures the security of Personal Data (and other information) contained therein and is disclosed only to authorized persons.
5.8. Personal data of persons participating in the recruitment processes of Controller will be processed to determine to what extend the skills of the candidates correspond to the position they are applying for. Personal data of potential employee/collaborators may be also processed (after receiving proper consent in that scope) to process professional potential assessment (if it will be conducted during the recruitment process).
5.9. Within recruitment processes, the Controller expects provision of personal data (e.g. in a CV or a resume) only to the extent defined in the labor law. Accordingly, no wider range of information should be provided. If the submitted applications contain additional data, which exceed the scope et forth under provisions of the Polish Labour Code processing of such data will be based on the consent of a candidate (Article 6(1)(a) GDPR), expressed by a clear affirmative action, i.e. submitting his/her application to the Controller. If the sent applications include additional however inadequate data with regards to the recruitment process, those will not be used or taken into consideration in the recruitment process.
5.10. Personal data are processed:
5.10.1. should an employment contract be desired – processing is necessary for compliance with a legal obligation related to recruitment issues, including in particular provisions of the Polish Labour Code – the lawful ground for processing is derived from a legal obligation imposed upon the Controller (Article 6(1)(c) GDPR in connection with provision of applicable labour laws);
5.10.2. should a contract other than an employment contract be desired (civil contract) – in order to run recruitment process – processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR);
5.10.3. to run a recruitment process with regard to data not required by law and also for the purpose of future recruitment processes – the legal basis for the processing is an individual’s consent (Article 6(1)(a) GDPR);
5.11. Personal data of job candidates will be processed during the time of the duration of the recruitment process, or until the employment contract / civil law contract concluding with the selected candidate or candidates, and in the scope of consent-based processing – until its withdrawal.
5.12. To the extent that Personal Data is processed on the upon a consent, this consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal. Should a consent for the purposes of future recruitment processes be given, personal data are deleted after two years - unless such consent is withdrawn.
5.13. Provision of personal data within the scope set forth in Article 22(1) of the Polish Labor Code is statutory - should the candidate prefer employment based on an employment contract - by provisions of the applicable laws, in particular by the Polish Labor Code, an employment based on a civil law contract is preferred – provision of personal data is required by the Controller. The consequence of not providing this data is the inability to consider a given candidate in the recruitment process. Providing other personal data is voluntary.
DATA COLLECTION RELATING TO THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER AGREEMENTS
5.14. If data are collected for the purposes connected with performing a specific agreement the Controller shall provide the Data Subject with detailed information about processing his or her personal data at the moment of entering into the agreement or at the moment of collecting Personal Data in the case when processing is necessary in order to take steps at the request of the Data Subject prior to entering into a contract.
CONTRACTORS’ STAFF MEMBERS OR CLIENTS’ PERSONAL DATA PROCESSING
5.15. Given the conclusion of commercial contracts as part of the Controller’s business activity, the Controller collects from contractors / clients personal data of persons involved in enforcement of such contracts (e.g. persons authorized to contact, place orders, execute orders etc.). The scope of the provided data is in any and every case limited to the necessary minimum for the performance of the contract and usually does not include other information than full name and business contact details.
5.16. Such personal data are processed in order to pursue the Controller’s legitimate interest of and its contractor (Article 6(1)(f) GDPR), which allows correct and efficient performance of the said contract. The data may be disclosed to third parties involved in the performance of the contract, as well as to entities accessing data based on the public information disclosure regulations and proceedings conducted under applicable public procurement law, to the extent provided for by these provisions.
5.17. The data are processed for the period necessary to pursue the above-mentioned interests and fulfill the obligations resulting from the applicable laws.
5.18. In case of making complaints to the Controller, personal data will be processed only to handle complaints and to solve the matter related with correspondence. Personal data may be processed also for the purpose of defense against claims and pursuing claims.
5.19. The basis of processing is the legitimate interest of the Controller (Article 6(1) (f) GDPR), consisting in the need of considering complaints. In the case of pursuing and determining claims or defense against claims – legal basis of the processing is legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of the protection of its interests.
5.20. The Controller processes only Personal Data which are relevant for the complaint for the period necessary to its consideration. The data period may be extended if the processing is necessary for establishing and pursuing claims or for defense against claims, and after their terminations – only in case and the extend required by the provisions of the law.
5.21. Complaint documents are stored in a way of providing a security of personal data (and other information) contained in them and disclosed only to the authorized persons.
6. DATA RECIPIENTS
6.1. In connection with conducting business activity which requires processing, personal data are disclosed to third parties, including in particular vendors responsible for the operation of IT systems, entities providing legal or accounting services, couriers.. Data will be also disclosed to entities related to the Controller, including companies from its group of undertakings. More information on the Controller’s group can be found here.
6.2. The Controller reserves the right to disclose selected information items referring to the data subject to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with the applicable laws.
7. TRANSFER OF DATA OUTSIDE THE EEA
7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
7.1.1. cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued;
7.1.2. application of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate principles approved by the relevant supervisory authority;
7.2. At the data collection stage, the Controller always informs the User of the intention to transmit personal data outside the EEA.
8. PERIOD OF PERSONAL DATA PROCESSING
8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. The data processing period may also follow from laws when these are the basis for the processing. If data are processed on the basis of the Controller’s legitimate interest, e.g. for security reasons, the data are processed for the period making it possible to satisfy the interest or until the data subject has effectively objected against the data processing. If data are processed on the basis of a consent, the processing will be performed until the consent is withdrawn. If data are processed on the basis of the necessity to enter into and perform an agreement, the data will be processed until its termination.
8.2. The data processing period may be extended if processing is necessary to establish or pursue possible claims or defend against such claims and, after that time, only when and to the extent required by law.
9. RIGHTS CONNECTED WITH PERSONAL DATA PROCESSING
RIGHTS OF DATA SUBJECTS
9.1. The following rights are vested in data subjects:
9.1.1. right to information on personal data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
9.1.2. right to receive a copy of the data – on that basis, the Controller provides a copy of the data processed to a person making the request;
9.1.3. right to rectification – the Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;
9.1.4. right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. right to restriction of the processing – if such a request is made, the Controller stops performing any operations on the personal data except for those to which the data subject has given consent and except storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the supervisory authority issues a decision permitting further data processing);
9.1.6. right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the data subject in a machine-readable format. Is it also allowed to request that the data are transmitted to another entity on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
9.1.7. right to object to personal data processing for marketing purposes – the data subject has the right to object at any time to personal data processing for marketing purposes without the obligation to justify such an objection;
9.1.8. right to object to data processing for other purposes – the data subject may object at any time to personal data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
9.1.9. right to withdraw consent – if data are processed on the basis of a given consent, the data subject may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal.
9.1.10. right to complain – if the data subject believes that the personal data processing breaches the provisions of GDPR or other personal data protection regulations, the data subject has the right to lodge a complaint with the President of the Personal Data Protection Authority.
NOTIFICATION OF REQUESTS ASSOCIATED WITH EXERCISING THE RIGHTS
9.2. A request about exercising the rights of data subjects may be filed:
9.2.1. by letter to the address: Helm Polska sp. z o.o. ul. Domaniewska 42, 02-672 Warszawa;
9.2.2. by e-mail to the address: firstname.lastname@example.org.
9.3. If the Controller is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information. Provision of such data is not mandatory, however failure to provide them will result in a request recognition refusal.
9.4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
9.5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend the deadline, the Controller shall inform the applicant about reasons for the delay.
9.6. Where the application is submitted to the Company electronically, the response is given in the same form unless the applicant requests otherwise. In all other cases the response is given in writing. When the deadline for exercising the request makes it impossible to reply in writing and the applicant's data processed by the Controller allow for contact by electronic means, the response should be provided electronically.
9.7. The Company shall store information regarding the request in order to ensure that compliance with applicable laws can be demonstrated and to establish, exercise or defend against any legal claims on the data subjects’ part. The data subjects’ requests register is kept and stored in a manner that ensures the integrity and confidentiality of the personal data contained therein.
RULES OF CHARGING FEES
9.8. The proceeding concerning filed requests is free of charge. Fees may be charged only if:
9.8.1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that fees are paid in the amount of PLN.
The above fee includes administrative expenses connected with recognizing the request.
9.8.2. making requests by the same person that are excessive (e.g. extremely frequent ones) or manifestly unfounded; in such a case, the Controller may demand that fees are paid in the amount of PLN.
The above fee includes costs of carrying on communication and costs connected with taking requested actions.
9.8.3. If the data subject challenges the decision to charge fees, the person may lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. In Poland the competent Supervisory Authority is the President of the Personal Data Protection Authority.
10. AMENDMENTS TO THE PERSONAL DATA PROCESSING POLICY
10.1. The policy is verified on an ongoing basis and updated when needed.
10.2. The present version of the Policy was accepted and is valid from the date of the resolution adopted by the management board.