- Information on the data controller: Viterra Polska Sp. z o.o. ul. Cypriana Kamila Norwida 2, 80-280 Gdańsk („Controller” or „Company”) KRS 0000047875, District Court Gdańsk-North, 7th Commercial Division of the National Court Register, share capital: PLN 400,000, TIN: 957-05-46-350, REGON: 191299574
- Contact details related to personal data processing issues: email@example.com
- Legal basis:
· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 („GDPR”)
· Act of 10 May 2018 on personal data protection („PDP Act”)
· Article 10 of the Act of 18 July 2002 on the provision of services electronically
· Article 172 of the Act of 16 July 2004, Telecommunication Law
Definitions of terms used in this Policy can be found in the GDPR.
- When processing personal data the Company follows the following rules:
· Processing in conformity with law (especially in conformity with Articles 5 and 6 of the GDPR).
· Reliability and transparency – a duty to inform the data subject (and where the consent is required, to obtain such consent) about the operation of processing, the purposes thereof and rights of the data subject.
· Full identification of places where data are processed.
· Records of processing activities.
· Adequacy of data processed to the purposes of the Company’s goals achieved (necessary minimum).
· Technical protection of data against uncontrolled access by unauthorised persons.
· Proper preparation of the persons who process data in the Company to meet the GDPR requirements in terms of rights of data subjects and duties imposed on the Company.
· Necessity of absolute compliance with the GDPR provisions.
- 1 Purposes and Legal Basis of Processing
1. The Data Controller processes personal data on the basis of the following rules for data processing:
1.1 Consent of the natural person who is a data subject – Article 6(1)(a) of the GDPR („Consent”); for direct marketing carried out electronically or by SMS, the Act on the provision of services electronically or the Telecommunication Law also applies.
1.2 Data processing is necessary for performing the contract where the data subject is a party – Article 6(1)(b) of the GDPR (“Performance of the contract”).
1.3. Processing is necessary for fulfilling a legal obligation to which the Data Controller is subject – Article 6(1)(c) of the GDPR (“Legal obligation”).
1.4 Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller – Article 6(1)(f) of the GDPR (“Data Administrator’s legitimate interests”).
- Special categories of data concerning Health are processed on the basis of Article 9(2) of the GDPR, especially letters:
· a („Consent”);
· b („Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”);
· c („Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”);
· f („is necessary for the establishment, exercise or defence of legal claims”);
· h („is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, (…)”).
- If the Company acts as a processor, namely it processes the data on the basis of an instruction from another data controller and it does not establish its own purpose for data processing, then the legal basis for such processing is an agreement on entrusting data processing made between the Company as a processor and a relevant data controller – Article 28 of the GDPR. The purpose of processing and scope of data to be processed are agreed in each such agreement individually.
- Purposes of data processing by the Data Controller for the particular bases of processing:
4.1. Consents can be obtained for the following purposes:
- carrying out direct marketing electronically or by sending SMS;
- acquiring and processing data for recruiting new employees;
- using images of natural persons for the company’s promotional purposes;
- participation of natural persons in training courses, conferences, benefits and other voluntary events and services not specified in legal regulations and organized by the Controller that involve sharing personal data of participants with any third persons.
4.2 Performance of the agreement
- The purpose of processing is to conclude and perform agreements. Such agreements vary in character: they relate to hiring employees or to carrying on the main business activity.
4.3 Legal obligation
· The Data Controller’s legal obligation is most often about prolonging the processing that started upon the performance of the agreement, namely after the agreement is completed, personal data are still stored in the accounting system, invoices and accompanying accounting documentation on the basis of the Accounting Act and Tax Law.
· An entrepreneur has a number of other legal obligations related to its business and hiring employees, the fulfillment of which may involve processing or entrusting the processing of personal data to third persons, e.g. annual financial audits.
4.4. Data controller’s legitimate interest – the data may be processed for the following purposes:
· video surveillance in the Controller’s facilities and/or office, necessary for ensuring safety of natural persons who are present there and for protecting property.
· surveillance of services, IT systems and networks intended for business purposes, necessary for ensuring safety and confidentiality of data processed (and to protect personal data).
· Keeping a register of persons entering the Data Controller’s offices or facilities, necessary to ensure safety of persons and to protect property.
· Using employee contact details for the purposes of the Company’s internal and external communication, as part of their duties.
· Internal trainings for employees that are not required by applicable legal regulations, but are necessary for the work to be done correctly (e.g. training on changes to legal regulations, etc.) and the necessity for an employee to comply with various policies and procedures applicable in the Company.
· Acquiring and processing contact details of employees of third parties and of other natural persons related to those parties in order to perform agreements that are binding for us and for the purposes of a request for quotations for products and services necessary for our business and for the purposes of direct marketing carried out using other means than electronic transmission or SMS.
· Registration of scheduled transports, including processing drivers’ data necessary for their identification at the place of planned loading or unloading.
· Determination, assertion and defence of claims both by the Data Controller and natural persons whose data are processed.
· Carrying out statistics and analysis of activities for evaluating their efficiency and for improving them.
· Hosting the Data Controller’s website and acquiring information necessary for keeping statistics of visits to the website and for its proper maintenance.
4.5. Data of special categories Article 9(2) of the GDPR – personal data can be processed for the following purposes:
· compliant with the law and specified in the consent granted;
· occupational medicine and social security;
· protection of vital interests of a data subject, e.g. in case of an accident;
· determination, assertion and defence of claims.
- 2 Whose and what personal data are processed
- Type of data and categories of data subjects depend on the purposes and legal basis of processing. The Data Controller processes personal data of the following categories of natural persons:
1.1 Job candidates
1.1.1. Data of job candidates are processed on the basis of their consent, but the scope of information that the Data Controller acquired from a candidate includes:
a) contact details, length of service, education, additional skills and professional qualifications.
b) additional data beyond the above scope are provided by candidates completely voluntarily (e.g. candidate’s photo).
1.1.2. In addition, during a recruitment process the Data Controller may carry out tests to verify the candidate’s qualifications and may process results of such tests to determine whether the candidate meets the requirements for a given position. A candidate who enters the recruitment process expresses its consent for taking part in all the stages. Consent can be withdrawn at any time by resigning from further participation in the recruitment process. Decisions relating to candidates are not automatically made at any stage of recruitment.
1.1.3. Data of job candidates are acquired in two ways:
a) directly from a candidate, for example through its reply to a job offer or registration in the Data Controller’s recruitment system.
b) indirectly – through recruitment agencies.
1.2 Data Controller’s employees and contractors
1.2.1. Data of such natural persons are processed on the basis of:
a) employment contract, civil law contract and legal regulations, namely the Labour Code, Civil Code, Act on Social Insurance and other – any data of an employee or necessary for keeping employee files, paying salaries and social insurance, occupational medicine and necessary for performing its duties under the contract;
b) consent – image and/or contact details in processing not related to performance of duties or a legal obligation, namely for such purpose of processing where the provision of data is voluntary and therefore the consent of an employee or of a contractor is required;
c) legal obligation – processing of employees’ and contractors’ data in connection with legal regulations arising from the aforementioned laws and in the scope required by such law; also further storing and retaining such data (employee or personal files) on the basis of other regulations, also after the end of an employment relationship or after the completion of a civil law agreement.
d) data controller’s legitimate interests – depending on purposes, these are mainly: image (video surveillance or internal communication), logging data and certain operations performed by employees and contractors in the systems (monitoring of systems and IT services); contact details and data necessary for carrying out training required for work in a given position.
The exception is the assertion and defence of claims – here the processing may comprise any data stored in files, depending on the subject matter of a claim.
e) Data of special categories – type of data processed depends on the purpose of processing and applicable legal regulations. For data related to occupational medicine the scope of such data is defined by relevant provisions of the Labour Code and of the Act on occupational medicine service. For records of employee or contractor attendance, the data of special categories are data related to sick leaves.
1.2.2. Employee data are acquired directly from an employee; a part of such information may come from a recruitment process carried out previously.
1.2.3. In certain events the Data Controller may process data of members of employees’ families or of accompanying persons on the basis of Article 6 or 9 of the GDPR, for example, when such persons are registered for medical insurance, when data are processed in connection with sick leaves, or when such persons use other services or take part in events organized by the Data Controller.
1.3.1. A counterparty within the meaning of this Policy is an entity that cooperates with the Data Controller in connection with their business activity. Counterparties include natural persons, legal persons and entities without legal personality.
1.3.2. Data of counterparties (who are natural persons) are processed on the basis of:
a) Consents – sending price indications and commercial offers – counterparty’s contact details.
b) agreements made and performed – counterparty’s name, including first name and surname, if included in the business name, contact details (namely address and phone and/or email data), TIN, PESEL number, bank account number. For flat-rate farmers, data from a personal identity card are also required under the VAT Act, namely regulations concerning RR invoices.
c) legal regulation related to further storing of accounting documentation, also after completion of an agreement – the scope of data is specified in the regulations based on which such data are processed.
d) Data Controller’s legitimate interests, mainly to determine, assert and defend claims. Normally these are the same personal data which are related to performance of contracts, and may also include registers of economic events and accounting documents (deliveries, invoices, etc.) related to the contracts performed.
3.3. Counterparties’ data are acquired directly from them or from a broker that mediates in concluding a contract, if such intermediation takes place.
1.4 Natural persons related to counterparties
1.4.1. This category may include the following persons: employees and contractors of counterparties (including drivers employed or hired by carriers), their customers, debtors, witnesses and other natural persons.
1.4.2. Legal basis of processing is:
a) Data Controller’s legitimate interest in a situation where the Company acts as a controller of data processed, namely after the data are made available by the counterparty, it processes them further for its own legitimate purposes. The example may include contact details of the counterparty’s employees that were acquired for the purposes of contact in concluding and performing the contracts.
b) An agreement on entrusting the processing of personal data is made in a situation where for the purposes of its business the Company buys services from other entities or it provides services to them and for the needs of provision of such services it is necessary to entrust the processing of personal data of other natural persons between the parties. In such situation the main agreement specifies the rules for provision of such service, while the agreement on entrusting specifies the rules for entrusting the processing of data for the purpose of completing such service. A party that entrusts personal data is a controller of such data while a party that processes them at the controller’s request is a processor. The example may include data of natural persons (drivers) who transport the goods.
1.4.3. Data of a natural person related to counterparties are acquired directly from such natural person or other natural person representing the counterparty when entering or performing the contract.
1.5 Users visiting the Data Controller’s website
1.5.1. The Data Controller’s website places cookie files in the user’s terminal device (computer, smartphone, tablet, etc.), more precisely in a special folder used by the user’s browser. Cookies are used for recording such information as IP address, time of entering and leaving a site, type of the user’s browser and operating system, etc. The purpose of cookies is to ensure proper operation of the site, to enhance speed and safety of using the site and to use visitor statistics in order to improve it (example of statistics: number of visitors, time spent on the site, type of browser and operating systems, visited subpages, etc.).
1.5.2. By entering the Controller’s website the user expresses its consent for cookies. If the user recognises that cookies infringe its privacy, it may modify browser settings at any time so that the browser does not record cookies from the Controller’s website. Check the browser manufacturer’s website to learn how to change privacy settings, manage and remove cookies and where a history of visited sites can be seen. Disabling the cookies necessary for the processes of authorization and security may make it difficult or even impossible to use the site.
1.5.3. In addition, using the website involves sending enquiries between the user’s browser and the server where the Controller’s website is located. Each such enquiry is recorded and stored in the server logs. Data recorded in the logs include: user’s IP address, server date and time, information about the user’s Internet browser and operating system, information about errors, address of a previously visited site when the Controller’s site was entered into via a link. The purpose of collecting such data is to host a website.
1.5.4. Unless they register or log into the website (provided the site provides such functionality) users who visit the Controller’s website are not in any way identified based on the data stored in cookies and server logs. Collected data are anonymous and do not allow for identifying a user.
1.5.5. If the Controller’s site allows the user to enter data in forms, such processing serves the specific purposes of the form, which the user may learn about on the website, and is voluntary.
1.6 Other natural persons who contact the Controller
1.6.1. When contacting the Controller (more precisely with the person representing it) via electronic mail, telephone, letter or in person, a natural person provides its contact details as a party who initiates contact. Examples of such data include: e-mail address, telephone number or a business card. In addition, a message sent electronically may include other personal data.
1.6.2. The legal basis for processing personal data in such event is the consent of such person that arises from the contact initiation.
1.6.3. Personal data provided in the above manner are processed for the purpose of:
a) handling a request if such request was sent to the Controller.
b) future contacts between the parties for the purposes for which such data were provided, for example a business card may be used for initiating business contact, sending requests for quotations or carrying on direct marketing by the Controller, making contracts, etc.
- 3 How long are the data stored
- Duration of processing depends on the purposes and legal basis of processing. After processing the data are removed, unless applicable regulations require that they shall be retained.
There are the following durations of processing:
If processing takes place on the basis of the consent, the processing lasts until the validity of such consent expires or the consent is withdrawn.
1.2. Performance of a contract
For a contract, the processing lasts as long as the contract is performed. The term of the contract is always specified therein and may be extended if the parties so decide.
1.3. Legal obligation
For a legal obligation the processing lasts as long as it is determined by a legal regulation that requires such processing. For the Controller there are two periods defined for storing data of the following categories of natural persons:
a) employee files – for employee data – the period of storing of such data is specified in separate regulations.
b) accounting documents and data – for counterparties’ data and other personal data that may be contained in such documents (contracts, delivery confirmations, shipping documents, invoices, etc.), the period of storing such documents is specified in relevant accounting regulations and tax law.
1.4. Controller’s legitimate interest. As regards the controller’s legitimate interest, the period of processing depends on the purpose of such processing. Video surveillance data are stored for the shortest period of time (up to 3 months), while data related to possible claims are stored the longest (up to 6 years).
- 4 Who are the data made available to
- Data shared include a minimum set of data necessary for achieving a specific purpose of processing and conformable to legal regulations.
- Depending on the purposes of processing, data may be provided or made available:
2.1. to the extent necessary and specified in legal regulations, to such recipients as banks, insurance companies, postal and courier service companies, state administration offices, public authorities, law enforcement authorities, independent audit firms and auditors.
2.2. to processing entities that provide the Controller with services related to the Controller’s business and with which agreements on entrusting the processing have been made. An example may include companies that provide IT services or recruitment services as requested by the Controller.
2.3. to other controllers after the prior consent of data subjects.
- 5 Rights of natural persons
- Rights of natural persons are the following:
· Right to be informed about processing – the Controller’s information obligation (Articles 12, 13 and 14)
· Right to withdraw the consent for processing personal data for a specific purpose, if the natural person had previously expressed such consent (Article 7(3) of the GDPR)
· Right to access the data (Article 15 of the GDPR)
· Right to rectify the data (Article 16 of the GDPR)
· Right to erase the data (“right to be forgotten” – Article 17 of the GDPR)
· Right to restrict the processing (Article 18 of the GDPR)
· Right to transfer the data (Article 20 of the GDPR)
· Right to object to processing (Article 21 of the GDPR)
· Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)
- Controller’s contact details
In any matters related to the aforementioned rights of natural persons, enquiries, complaints, violations, withdrawal of consent, please contact the Controller at firstname.lastname@example.org
- How do we implement the right to be informed
3.2. The Controller makes relevant information available at the request of a natural person (right to access the data – Article 15 of the GDPR).
3.3. When personal data of natural persons are processed on the basis of consents given, privacy notices are included in the consents given.
3.4. When personal data of natural persons are processed for the purposes of a contract – a privacy notice is included in such contract.
3.5. If data are processed in connection with a legal obligation arising from contracts previously made, information on the purpose of processing is included in a privacy notice included in the contract.
3.6. If data are processed in connection with the controller’s legitimate interest:
- Information on the video surveillance used is put in a visible manner for all the persons entering the Controller’s facility or office.
- Withdrawal of consent
The consent given by a natural person may be withdrawn at any time by sending a message to: email@example.com
Withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority
The authority that supervises compliance with personal data protection regulation is:
Urząd Ochrony Danych Osobowych (UODO) (Personal Data Protection Office (PDPO))
Stawki 2, 00-193 Warsaw
Telephone: 22 860 70 86
In case of violation of GDPR regulations, a data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (President of the PDPO).
If a complaint is about the processing of personal data of another person, a power of attorney granted by such person is required for representing it in proceedings before the President of the PDPO.
More details can be found on the PDPO website, section Most important issues -> Complaints: https://uodo.gov.pl/83
- 6 Final provisions