§ § 1 GENERAL
1. The Joint Controllers of personal data are companies from the CB Group of Companies, i.e.: a) CB Spółka Akcyjna with its registered office in Chrząstowice ul. Ozimska 2a, 46-053 Chrząstowice, entered into the National Court Register under KRS number 0000320862, kept by the District Court in Opole, VIII Commercial Division of the National Court Register, Tax Identification Number (NIP) 7541013532 and REGON number 530993551, b) CB Service sp. z o.o. with its registered office in Chrząstowice ul. Ozimska 2a, 46-053 Chrząstowice, entered into the National Court Register under KRS number 0000443347, kept by the District Court in Opole, VIII Commercial Division of the National Court Register, Tax Identification Number (NIP) 9910495612 and REGON number 161500456, c) CB Production sp. z o.o. with its registered office in Chrząstowice ul. Ozimska 2a, 46-053 Chrząstowice, entered into the National Court Register under KRS number 0000128793, kept by the District Court in Opole, VIII Commercial Division of the National Court Register, Tax Identification Number (NIP) 8512796288 and REGON number 812529611, hereinafter referred to as the Joint Controllers.
2. The Joint Controllers have established a common contact point for matters relating to the protection of personal data: CB Group – Data Protection Officer ul. Ozimska 2a, 46-053 Chrząstowice, e-mail address: firstname.lastname@example.org
3. Contact in the matter of personal data protection is possible at the e-mail address to the Officer for Personal Data Protection appointed in the CB Group of Companies: email@example.com, hereinafter referred to as the DPO.
5. The Joint Controllers exercise the utmost care to protect the privacy of data subjects. In order to protect personal data of persons using the website, the Joint Controllers have taken technical and organisational measures to ensure the protection of personal data processed, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ( hereinafter referred to as the GDPR).
6. Personal data provided in the website is treated as confidential and is not visible to other users with the exception of the account owner and Joint Controllers or persons authorised by the account owner.
7. The www.corotop.com.pl, www.secco.pl, www.red.net.pl websites perform functions of obtaining information about persons using the websites and their behaviour by: a) voluntarily entering information in the contact form by the users, b) storing cookies in terminal devices, c) recording logins and logs on servers maintained by the Joint Controllers.
8. The operation of the fanpage is in accordance with the requirements that are contained in the Facebook regulations in the section on data rules, located at www.facebook.com/about/privacy/update. All information contained in your profile and activities resulting from its use is directly administered by Facebook.
9. The Joint Controllers control the data from the fanpage only for the necessary answers to questions, comments on posts and communication with users within the framework of our business activity and content provided by us.
10. The Joint Controllers control the data of Facebook users who, in response to a job advertisement, are interested in participating in the recruitment process only for the purposes of the recruitment process and within the scope of the data contained in the CV and/or cover letter provided by a given Facebook user. 11. The Joint Controllers control the personal data contained in the electronic correspondence transmitted by electronic mail only for the purpose of responding to the correspondence addressed and for business communications within the framework of our business activity.
§ 2 PROCESSING PURPOSES
1. The Joint Controllers process personal data of website users for the purpose resulting from the function of the form, i.e. for the purpose and scope necessary for information contact, i.e. to prepare and respond to the message using the form on the website. This means that this data is needed in particular to: a) respond to messages sent using the form on the website, b) send e-mail notifications, c) direct marketing of the Joint Controllers’ products and services, d) create registers and records related to the GDPR, including, for example, a register of clients who have raised objections in accordance with the GDPR.
2. Personal data collected through communication with fanpage users is processed by the Joint Controllers only for the purpose of providing a response, if necessary. Your activity related to the use of our fanpage will not be archived outside of Facebook.
3. The personal data of Facebook users who are interested in participating in the recruitment process in response to a job advertisement are processed by the Joint Controllers only for the purpose of assessing professional qualifications for the position for which the user applies (conducting the recruitment process).
4. Personal data contained in electronic correspondence transmitted by electronic mail are processed by the Joint Controllers in response to the correspondence addressed.
§4 SCOPE OF PERSONAL DATA PROCESSING
1. The provision of personal data is voluntary, but is necessary to prepare and/or respond to requests made to the Joint Controllers.
2. The contact form requires the following data: first name, e-mail, country, telephone, company and message content.
3. Through the functioning of the fanpage, the Joint Controllers collect and process the following types of personal data: a) Facebook identifier (usually containing first and last name), which is not verified by the Joint Controllers in any way to confirm the accuracy of the data), b) profile photo (which in some cases allows the Joint Controllers to become acquainted with your image), c) other photos (which may also represent your image) resulting from the fanpage-user relationship. Posting photos under the posts is voluntary on your part, d) the content of your comments and the content of the conversation via Messenger (thanks to it we can find out about your e-mail address, telephone number and the description you have included in connection with the circumstances of your correspondence to the Joint Controllers),
4. By posting job advertisements on Facebook, the Joint Controllers collect and process personal data contained in the CV and/or cover letter of Facebook users who are interested in taking part in the recruitment process in response to the posted job advertisement.
5. By replying to the e-mail correspondence addressed, the Joint Controllers collect and process all personal data contained in that correspondence by the sender.
§ 5 LEGAL BASIS FOR PROCESSING
1. Personal data is processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. In order to respond to your enquiries via the contact form, data will be processed on the basis of your voluntary consent at the time of sending the completed form – Article 6(1)(a) of the GDPR. For the purpose of direct marketing, the legal basis for the processing of data is Article 6(1)(f) of the GDPR which allows the processing of personal data if in this way the Joint Controllers of Personal Data pursue their legitimate interest in this case the interest of the Joint Controllers is to inform about products and services of the entities of the Group of Companies. In order to establish GDPR-related registers and records, including, for example, a register of clients who have objected in accordance with the GDPR, we process such personal data because, firstly, the GDPR regulations impose certain documentation obligations on us to demonstrate compliance and accountability and, secondly, if you object to the processing of your personal data for marketing purposes, for example, we need to know who not to apply direct marketing to due to disagreement. The legal basis for such processing is, firstly, Article 6(1)(c) of the GDPR which allows for the processing of personal data where such processing is necessary for the fulfilment of the legal obligations of the Joint Controllers of Personal Data; secondly, Article 6(1)(f) of the GDPR which allows for the processing of personal data where this is done in order for the Joint Controllers of Personal Data to exercise their legitimate interest, in this case the Joint Controllers have an interest in knowing about the persons who exercise their powers under the GDPR. By sending us an inquiry in a private message and/or commenting on our posts, you consent to the processing of your personal data. The legal basis for the processing of personal data from the fanpage is then Article 6(1)(a) of the GDPR which allows the Joint Controllers to process data on the basis of the consent given. If you, as a user of the fanpage, wish to use the services of the Joint Controllers and you wish to enter into cooperation and establish its terms and conditions, the legal basis for the processing of your personal data will be Article 6(1)(b) of the GDPR. In order to carry out the recruitment process, the legal basis for the processing of personal data will be the law, including in particular Article 221 of the Labour Code. The legal basis for the processing by the Joint Controllers of the data indicated in Article 221 of the Labour Code will be Article 6(1)(c) of the GDPR. If you indicate other personal data in your CV and/or cover letter (e.g. image, interests, data referred to in Article 9(1) of the GDPR, i.e. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexuality or sexual orientation data), their provision is voluntary and does not affect the possibility of taking part in the recruitment process, but their voluntary inclusion in the application documents is tantamount to consent to their processing (Article 6(1)(a) of the GDPR). Consent to the processing of such data may be revoked at any time. Therefore, if you do not want the Joint Controllers to process this data, please do not include them in your application documents. By sending electronic correspondence to the Joint Controllers by e-mail, you consent to the processing of the personal data contained in this correspondence (Article 6(1)(a) of the GDPR). The consent to the processing of personal data is completely voluntary, however, the lack of consent may make it impossible to respond to e-mail correspondence addressed to the Joint Controllers. If you do not agree with the processing of your personal data, please send us an e-mail that does not contain such data or make it anonymous. If you wish to enter into cooperation and establish its terms and conditions, the legal basis for the processing of your personal data will be then Article 6(1)(b) of the GDPR.
§ 6 RIGHT OF WITHDRAWAL
1. If the processing of your personal data is based on your consent, you may withdraw your consent at any time, at your own discretion.
2. If you would like to withdraw your consent to the processing of personal data, it is enough to send an e-mail directly to the DPO appointed in the CB Group of Companies to the e-mail address: firstname.lastname@example.org
3. If the processing of personal data was based on consent, its revocation does not affect the legality of the previous processing.
§ 7 AUTOMATIC DECISION-MAKING AND PROFILING
The Joint Controllers do not make automated decisions, including decisions based on profiling.
§ 8 RECIPIENTS OF PERSONAL DATA
User data may be transferred to other entities of the Group of Companies, i.e. ASGLATEX Ohorn GmbH, Kiosk-Rednet.eu GmbH, as well as entities with which we cooperate in order to provide services by means of the website, i.e. entities providing IT, marketing and hosting services. These entities process data on the basis of the contract concluded with us, and only in accordance with our instructions or on the basis of legal regulations.
§ 9 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Joint Controllers do not transfer user personal data outside the European Economic Area.
§ 10 RETENTION PERIOD FOR PERSONAL DATA
1. The duration of the processing of personal data depends on the legal basis for the processing of personal data by the Joint Controllers. Data is never processed for longer than is apparent from the legal basis for processing.
2. Where the Joint Controllers process personal data on the basis of consent, the processing period lasts until the user withdraws that consent.
3. Where the Joint Controllers process personal data on the basis of a legitimate interest of the controller, the processing period lasts until the aforementioned interest ceases to exist (e.g. the statute of limitations for civil law claims) or until the data subject objects to such further processing – in situations where such objection is legally valid.
4. In the case of information that the Joint Controllers possess through the comments made available by you on the fanpage, it will be available on the website until the author removes it. In the case of contents that are offensive, vulgar or violent to the law, the Joint Controllers may remove comments and posts at any time.
5. Your personal data collected by Facebook, i.e. the history of posts, the history of activity in the Messenger application, is subject to retention according to the rules of Facebook.
6. Personal data of Facebook users collected in connection with their willingness to take part in the recruitment process will be processed for the duration of the recruitment process for a given position, i.e. for 6 months.
7. Personal data contained in the electronic correspondence provided via e-mail will be processed for the duration of the business communication within the framework of our business activity, however, not longer than 2 years.
§ 11 INFORMATION ON COOKIES
2. Cookies are IT data. This data is in particular text files which are stored in the website user’s terminal device and are intended for the use of the website. Cookies usually contain the name of the website from which they originate, the time they were stored on the terminal device and a unique number.
3. Cookies fulfil many functions on websites, most often useful ones, which we will try to describe below (if the information is insufficient, please contact us at email@example.com).
4. The entity that places cookies on the website user’s terminal device and obtains access to them is the hosting operator of the Controller.
5. Cookies are used for the following purposes: a) ensuring security – cookies are used to authenticate users and prevent unauthorised use of the client panel. They therefore serve to protect your personal data against unauthorised access; b) affecting the processes and efficiency of website use – cookies are used to keep the website running smoothly and to make use of the functions available on it, which is possible, among other things, by remembering settings between visits to the website. They therefore enable you to navigate the website and its individual subpages efficiently; c) session status – information on how visitors use the website is often stored in cookies, e.g. which subpages they display most often. They also allow us to identify errors displayed on some subpages. Cookies used to save the so-called “session status” thus help to improve the service and increase the comfort of browsing the pages; d) maintaining the session status – if a client logs into his/her panel, cookies enable the maintenance of the session. This means that after switching to another subpage, you do not need to re-enter your login and password each time, which promotes comfortable use of the website; e) creating statistics – cookies are used to analyse how users use the website (how many of them open the website, how long they stay on it, which content arouses most interest, etc.). This allows us to constantly improve the website and adapt its operation to users’ preferences. We use Google tools such as Google Analytics to track activity and create statistics; in addition to reporting website usage statistics, pixel-based Google Analytics can also be used, together with some of the cookies described above, to help you view more relevant content on Google services (e.g. in the Google search engine) and across the web;
6. Importantly, many cookies are anonymous to us – without additional information, we cannot identify you from them.
8. The website uses two basic types of cookies: session and persistent cookies. Session cookies are temporary files that are stored on the user’s terminal device until the user signs out, leaves the website or turns off the software (web browser). Persistent cookies are stored in the user’s terminal device for a period of time specified in the parameters of cookies or until they are deleted by the user.
§ 12 SERVER LOGS
1. Information about certain user behaviour is logged in the server layer. This data is used solely for the purpose of administering the website and to provide the best possible service for the hosting services provided.
2. Browsed resources are identified through URL addresses In addition, the following may be recorded: a. time of inquiry, b. time of response, c. client station name – identification implemented by the http or https protocol d. information about errors that occurred during the implementation of http or https transactions e. URL of the page previously visited by the user (referrer link) – if the ALVI website was accessed through a link, f. information about the user’s browser, g. information about the IP address.
3. Above data shall not be associated with specified persons visiting websites. 4. The above data is used only for the purpose of administration of the server.
§ 13 DATA SUBJECTS’ RIGHTS
1. We kindly inform you that each user of the website has the right to: a) access their personal data; b) correct their personal data; c) delete their personal data; d) limit the processing of personal data; e) object to the processing of personal data; f) transfer personal data.
2. We respect the rights arising from data protection regulations and try to facilitate their implementation as much as possible.
3. We would like to point out that these rights are not absolute and therefore, in some situations, we may legitimately refuse to grant them to you. However, if we refuse to honour your request, it is only after careful consideration and only if necessary.
4. With regard to the right to object, we explain that you have the right at any time to object to the processing of your personal data on the basis of the legitimate interest of the Joint Controllers of Personal Data in relation to your particular situation. However, you must be aware that we may refuse to honour an objection if we demonstrate that: a) there are legitimate grounds for processing that take precedence over your interests, rights and freedoms or b) there are grounds for establishing, asserting or defending claims.
5. Furthermore, you may object to the processing of your personal data for marketing purposes at any time. In such a situation, after receiving an objection, we will cease processing for this purpose.
6. Each user may exercise his/her rights by sending an e-mail directly to the DPO appointed in the CB Group of Companies to the e-mail address: firstname.lastname@example.org.
§ 14 RIGHT TO LODGE A COMPLAINT
2. Questions or doubts about the privacy and security policy for personal data in the website may be sent via e-mail directly to the DPO appointed in the CB Group of Companies to the e-mail address: email@example.com.
5. This Policy has been adopted by CB SA, CB Service sp. z o.o. and CB Production sp. z o.o. and is valid since 06.02.2020.