1.1. Controller – Apius Technologies S.A. with its registered office in Kraków (31-523), address: ul. Moniuszki 50, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków Śródmieście in Kraków, XI Commercial Division of the National Court Register under the number KRS: 0000565486, NIP [Taxpayer Identification Number]: 9452155088.
1.2. Personal Data – any information about an individual identified or identifiable by one or several specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, correspondence information, information collected by the use of recording equipment or other similar technology.
1.3. Policy – this Personal Data Processing Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data Subject – a natural person to whom Personal Data processed by the Controller relate.
2. Processing of Personal Data by the Controller
2.1. In connection with the conducted business activity, the Controller collects and processes Personal Data in accordance with the relevant provisions of law, including GDPR, and the rules of data processing provided for therein.
2.2. The Controller shall ensure transparency in the processing of Personal Data and shall, in particular, always provide information about the processing of Personal Data at the time of their collection, as well as about the purpose and legal basis of the processing (e.g. when entering into a contract for the sale of goods or services). The Controller shall ensure that the data are collected only to the extent necessary to achieve the indicated purpose and processed only for the period that is necessary.
2.3. When processing Personal Data, the Controller shall ensure their security and confidentiality, as well as make it possible for the Data Subjects to have access to information on the processing. If, despite the applied security measures, a personal data protection breach occurs (e.g. data “leakage” or loss of data), the Controller will inform the Data Subjects of such an event in a manner compliant with the provisions of law.
3. Contact with the Controller
3.1. The Controller may be contacted via e-mail: email@example.com or by post mail: ul. Stanisława Moniuszki 50, 31-523 Kraków with a note: “Personal Data Protection”.
3.2. The Controller has appointed a Personal Data Protection Coordinator, who may be contacted by e-mail: firstname.lastname@example.org in every case concerning the processing of Personal Data. The Coordinator shall not act as Data Protection Officer.
4. Personal Data security
4.1. In order to ensure data integrity and confidentiality, the Controller has implemented procedures which grant access to Personal Data only to authorised persons and only to the extent that it is necessary due to the tasks performed by them. The Controller applies organisational and technical solutions in order to ensure that all operations on Personal Data are recorded and carried out only by authorised persons.
4.2. Moreover, the Controller takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Controller.
4.3. The Controller conducts the analysis of risks related to the processing of Personal Data on an ongoing basis and monitors whether the applied data security measures are adequate to the identified threats. If necessary, the Controller implements additional measures to enhance data security.
5. Purposes and legal basis of Personal Data processing
E-MAIL AND TRADITIONAL CORRESPONDENCE
5.1. If the sender contacts the Controller by e-mail or post mail in any matter that is not related to the services provided to the sender or to another agreement entered into with the sender, or to any other relationship between the sender and the Controller, Personal Data contained in such correspondence shall be processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.
5.2. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in handling correspondence addressed to the Controller in connection with its business activity.
5.3. The Controller processes only those Personal Data that are relevant to the matter to which the correspondence relates. All correspondence is stored in a manner ensuring the security of Personal Data (and other information contained therein) and disclosed only to authorised persons.
CONTACT VIA TELEPHONE
5.4. If the Controller is contacted via telephone, in matters not related to the agreement or services provided, the Controller may request the provision of Personal Data only if it is necessary to handle the matter to which the communication via telephone relates. In such a case, the legal basis for Personal Data processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in the need to resolve the matter related to the business activity conducted by the Controller.
5.5. The telephone conversations may also be recorded – in which case the individual who makes a call shall be informed about it at the beginning of the conversation. The telephone conversations are recorded in order to monitor the quality of service, verify and document the work of the consultants, as well as for statistical purposes. The recordings are available only to the Controller’s employees and persons handling phone calls addressed to the Controller.
5.6. Personal Data in the form of a call recording are processed:
5.6.1. in order to monitor the quality of service, verify and document the work of consultants handling telephone calls addressed to the Controller, as well as for analytical and statistical purposes – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in ensuring the highest possible quality of service for customers and interested parties, the highest quality of work of the consultants, as well as conducting statistical analyses concerning telephone communication.
VIDEO SURVEILLANCE AND ACCESS CONTROL
5.7. Due to the need to ensure the security of persons and property, the Controller employs video surveillance and controls access to the premises and to the area managed by the Controller. The data collected in such a manner are not used for any other purposes than those described below.
5.8. Personal Data in the form of video surveillance recordings are processed in order to ensure the security of persons and property, maintain order on the premises of the facility, as well as to make it possible for the Controller to defend against potential claims made against him or to establish and exercise claims. The legal basis for the processing of Personal Data is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in ensuring the security of persons and property located on the premises managed by the Controller and providing the protection of the Controller’s rights.
5.9. The area covered by the Controller’s video surveillance system is marked with appropriate graphic signs.
5.10. As part of the recruitment process, the Controller expects Personal Data to be provided (e.g. in a CV or résumé) only to the extent specified in the provisions of the labour law. Therefore, information that exceeds that scope should not be provided. If the applications submitted contain additional data that exceed the scope specified in the provisions of the labour law, their processing will be based on the candidate’s consent (Article 6(1)(a) GDPR) expressed by means of a clear affirmative action, i.e. the fact of sending the application documents by the candidate. If the applications submitted contain information inadequate for the purposes of recruitment process, they will not be used or taken into account in the recruitment process.
5.11. Personal Data are processed:
5.11.1. in the case when the preferred form of employment is an employment contract – in order to perform obligations arising from the provisions of law, related to the employment process, including the Labour Code – the legal basis for the processing is a legal obligation incumbent on the Controller (Article 6(1)(c) GDPR in connection with the provisions of the labour law);
5.11.2. in the case when the preferred form of employment is a civil law contract – in order to conduct the recruitment process – the legal basis for the processing of data contained in the application documents is necessity to take appropriate steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) GDPR);
5.11.3. in order to conduct the recruitment process with respect to data that are not required by law nor by the Controller, as well as for the purposes of future recruitment processes – the legal basis for the processing is an individual’s consent (Article 6(1)(a) GDPR);
5.11.4. in order to verify the qualifications and skills of the candidate and to determine the terms of cooperation – the legal basis for the processing of data is the Controller’s legitimate interest (Article 6(1)(f) GDPR). The Controller’s legitimate interest is to verify the candidates who apply for work and determine the conditions of potential cooperation;
5.11.5. to establish or exercise any possible claims, or to defend against any claims made against the Controller – the legal basis for the processing of data is the Controller’s legitimate interest (Article 6(1)(f) GDPR).
5.12. If Personal Data are processed on the basis of a consent, such consent may be withdrawn at any time without affecting the lawfulness of the processing carried out before its withdrawal. If the consent is given for the purposes of future recruitment processes, Personal Data will be deleted after two years – unless the consent is withdrawn earlier.
5.13. Providing data in the scope specified in art. 22(1) of the Labour Code is required – in the case when the candidate prefers employment based on an employment contract – by the provisions of applicable laws, including the Labour Code, whereas in the case when the candidate prefers employment based on a civil law contract – by the Controller. Failure to provide such data results in the inability to consider a given candidacy in the recruitment process. Providing other data is voluntary.
COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
5.14. In the event that data are collected for the purposes related to the performance of a specific agreement, the Controller shall provide the Data Subject with detailed information on the processing of their personal data at the time of entering into the agreement or at the time of collecting Personal Data if the processing is necessary to enable the Controller to take steps at the request of the Data Subject before entering into an agreement.
PROCESSING OF PERSONAL DATA OF THE CONTRACTORS’ STAFF MEMBERS OR CLIENTS COOPERATING WITH THE CONTROLLER
5.15. In connection with entering into commercial agreements as part of the conducted business activity, the Controller obtains from contractors / customers data of persons involved in the performance of such agreements (e.g. persons authorised to be contact persons, place orders, carry out orders, etc.). The scope of the data provided shall always be limited to the extent necessary for the performance of the agreement and shall not normally include information other than the name, surname and official business contact details. Such personal data are processed for the purpose of meeting the legitimate interest of the Controller and the Controller’s contractor (Article 6(1)(f) GDPR) consisting in enabling the proper and effective performance of the agreement. Such data may be disclosed to third parties involved in the performance of the agreement, including suppliers of IT systems and equipment (e.g. CCTV equipment for video surveillance, systems supporting work organisation and communication) as well as entities gaining access to such data based on the provisions concerning the access to public information and proceedings carried out on the basis of the applicable public procurement law, to the extent provided for by those provisions.
5.16. In special cases justified by the performance of the agreement, audiovisual data relating to the contractors’ staff members or customers may be processed in teleconference and videoconference systems. The data are processed for the purpose of remote communication and may also be recorded, in which case the relevant information is given to an individual at the beginning of the teleconference or videoconference.
5.17. The data are processed for the period necessary for the performance of the above said Controller’s and its contractors’ interests and obligations resulting from the law.
COLLECTION OF DATA IN OTHER CASES
5.18. In connection with the conducted business activity, the Controller also collects Personal Data in other cases – e.g. by establishing and making use of long-term mutual business contacts (networking) during business meetings, during business events or by exchanging business cards – for the purpose of initiating and maintaining business contacts. In such a case, the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in the creation of a network of contacts in connection with the conducted business activity.
5.19. Personal Data collected in such cases are processed solely for the purpose for which they were collected and the Controller shall ensure their appropriate protection.
6. Data recipients
6.1. Due to the fact that the Controller’s business activity requires data processing, Personal Data are disclosed to external entities, including suppliers of IT systems and equipment (e.g. CCTV equipment for video surveillance, IT infrastructure and IT services), legal or accounting services providers, couriers, marketing or recruitment agencies. The data are also disclosed to the Controller’s affiliated entities.
6.2. The Controller reserves the right to disclose selected information concerning the Data Subject to the competent authorities or third parties, which will request such information based on the appropriate legal basis and in accordance with the provisions of applicable laws.
7. Transfer of data outside the EEA
7.1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that ensured by European law. For this reason, the Controller shall transfer Personal Data outside the EEA only when necessary and after providing an adequate level of protection, in particular by:
7.1.1. cooperation with entities processing Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the adequacy of the protection of Personal Data;
7.1.2. use of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate rules approved by a relevant supervisory authority;
7.1.4. in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield programme approved by a decision of the European Commission.
7.2. The Controller shall always inform about the intention to transfer Personal Data outside the EEA at the stage of their collection.
8. Personal Data processing period
8.1. The period of data processing by the Controller depends on the type of service that is provided and the purpose of processing. The processing period may also result from the relevant provisions if they are the basis for the processing. In the event that the processing is based on a legitimate interest of the Controller (e.g. for security reasons), the data shall be processed for a period of time enabling that interest to be met or until an effective objection against processing is filed by a Data Subject. If the processing is based on a consent, the data shall be processed until its withdrawal. If the data is processed due to the necessity to enter into and perform an agreement, the data shall be processed until its termination.
8.2. The processing period may be extended if the processing is necessary to establish or exercise potential claims, or to defend against claims filed against the Controller, whereas after that time – only if and to the extent that it is required by law.
9. Rights related to the processing of Personal Data
RIGHTS OF THE DATA SUBJECTS
9.1. Data Subjects shall have the right to:
9.1.1. obtain information on the processing of Personal Data – on this basis the Controller provides a natural person who submits the request with information on the processing of data, including all the purposes and legal basis for the processing, the scope of the data possessed by the Controller, the entities to which the data are disclosed and the planned date of data deletion;
9.1.2. obtain a copy of Personal Data – on this basis the Controller provides a copy of the processed data relating to a natural person who submits the request;
9.1.3. rectify Personal Data – the Controller is obliged to remove any discrepancies or errors in Personal Data being processed and to supplement them if they are incomplete;
9.1.4. erase Personal Data – on this basis the Data Subject has the possibility to demand erasure of data the processing of which is no longer necessary for the purposes for which they were collected;
9.1.5. restrict the processing – in the event of such a request, the Controller will cease to perform operations on Personal Data – except for operations for which the Data Subject expressed their consent – and to store them, in accordance with the adopted retention rules or until the reasons for limiting the processing have ceased to exist (e.g. a supervisory authority issues a decision authorising further processing of such data);
9.1.6. transfer Personal Data – on this basis – to the extent that the data are processed by automated means in connection with an agreement or a consent – the Controller issues the data provided by the Data Subject in a machine-readable format. It is also possible to request that such data be sent to another entity, provided that there are technical possibilities in this respect both on the part of the Controller and the designated entity;
9.1.7. object to the processing of Personal Data for marketing purposes – the Data Subject may at any time object to the processing of their Personal Data for marketing purposes, without the need to justify such an objection;
9.1.8. object to other purposes of data processing – the Data Subject may at any time object – on grounds related to their particular situation – to the processing of Personal Data which is based on the Controller’s legitimate interest (e.g. for analytical or statistical purposes, or purposes related to property protection); the objection in this respect should include a justification;
9.1.9. withdraw a consent – if the data are processed on the basis of a consent, the Data Subject may withdraw it at any time, but this shall not affect the lawfulness of the processing based on a consent before its withdrawal;
9.1.10. file a complaint – if the Data Subject assumes that the processing of Personal Data violates the provisions of GDPR or other regulations concerning the protection of Personal Data, the Data Subject may lodge a complaint with the supervisory authority that supervises the processing of Personal Data, which is competent for the Data Subject’s place of residence, place of work or place of alleged violation. In Poland, the President of the Personal Data Protection Office is the competent supervisory authority.
REQUESTS CONCERNING THE EXERCISE OF RIGHTS
9.2. The requests concerning the exercise of the Data Subjects’ rights may be submitted:
9.2.1. in writing to the following address: ul. Stanisława Moniuszki 50, 31-523 Kraków with a note: “Personal Data Protection”;
9.2.2. by e-mail: email@example.com.
9.3. If the Controller is not able to identify a natural person on the basis of a submitted request, the Controller will request additional information from such a person. The provision of such data is not obligatory, but failure to provide it will result in the Controller’s refusal to recognize such a request.
9.4. The request may be submitted in person or through a proxy (e.g. a family member). For data security reasons, the Controller encourages the use of a power of attorney in a form certified by a notary, authorised legal counsel or attorney, which will significantly accelerate the process of verification of the authenticity of a request.
9.5. A response to the request should be issued within one month as of its receipt. If it is necessary to extend this period, the Controller will inform an applicant of the reasons for this.
9.6. If the request is addressed to the Company by electronic means, a response will be given in the same manner, unless the applicant has requested otherwise. In other cases, a response will be given in writing. If the deadline for exercising the request makes it impossible to provide a response in writing and the scope of an applicant’s data that are processed by the Controller allows contact by electronic means, the response should be provided by electronic means.
9.7. The Company stores information concerning the request and the person who made the request in order to make it possible to prove compliance and to establish, defend or exercise any Data Subjects’ claims. The register of requests is stored in a manner that ensures the integrity and confidentiality of the data contained therein.
RULES GOVERNING THE COLLECTION OF FEES
9.8. The procedure regarding the submitted applications shall be free of charge. Fees can only be charged if:
9.8.1. there is a request for the second or each subsequent copy of the data (the first copy of the data is free of charge); in such a case the Controller may demand payment of a fee in the amount of PLN 100. The above fee includes administrative costs related to recognition of one request;
9.8.2. the same person makes excessive (e.g. very frequent) or manifestly unfounded requests; in such a case, the Controller may demand payment of a fee in the amount of PLN 100. This fee includes the costs related to communication and the costs associated with performance of the requested actions;
9.8.3. If the decision to impose a fee is challenged by the Data Subject, the Data Subject may file a complaint with the authority supervising the processing of Personal Data competent for the Data Subject’s place of residence, place of work or place of alleged infringement. In Poland, the President of the Personal Data Protection Office is the competent supervisory authority.
10. Amendments to the Personal Data Processing Policy
10.1. The adequacy of the Policy shall be monitored on an ongoing basis and updated as necessary.
10.2. The current version of the Policy was adopted on 13.03.2019.