Information Clause

In connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), we would like to inform you about the following rules for processing personal data:

 

Data Controller (DC)
MCPOLSKA.PL Limited Liability Company Limited Partnership

  1. Wschodnia 5A, 62-080 Swadzim

tel.  61 822 65 61

Data Protection Officer (DPO)
Katarzyna Ślusarek, email address: iod@mcpolska.pl

 

DC processes your data for the purpose of:

  1. Employee recruitment

Legal basis: Art. 6(1)(b) GDPR, Art. 22(1) of the Labor Code, and Art. 9(2)(b) GDPR (sensitive data). Providing this data is a statutory requirement and is necessary for the recruitment process. You are required to provide it, and the consequence of not providing it will be the inability to participate in the recruitment process. Other personal data not required by law (e.g., interests) are processed based on Art. 6(1)(a) GDPR, i.e., with your voluntary consent, and providing it does not affect your ability to participate in the recruitment process.

Retention period for personal data: Your personal data will be processed until the end of the recruitment process, and if you have consented to participate in future recruitment processes, for no longer than 12 months from the date of submission of your application documents.

  1. Employment of employees

Legal basis: Art. 6(1)(b) GDPR, Art. 22(1)  of the Labor Code, and Art. 9(2)(b) GDPR (sensitive data) – processing is necessary for the performance of the contract, Art. 6(1)(c) GDPR – processing is necessary to fulfill a legal obligation, Art. 6(1)(f) GDPR – the legal basis for processing is the legitimate interest of the Data Controller, and Art. 6(1)(a) GDPR – for personal data not required by law – the legal basis for processing is your consent.

Retention period for personal data: Depending on the purpose for which the personal data is processed, the retention period is 50 years or 10 years for contracts concluded after January 1, 2019 (depending on the employment date) from the end of the year in which the employment relationship ended. For contracts concluded after December 31, 1998, and before January 1, 2019, the employer may submit a special information report to ZUS, as referred to in Art. 4(6a) of the Act of October 13, 1998, on the social insurance system. In this case, the period may be reduced to 10 years from the end of the calendar year in which the information report was submitted.

 

  1. Cooperation with external companies with whom DC has a service agreement

Legal basis for processing: Art. 6(1)(b) GDPR – processing is necessary for the performance of the contract or for taking actions before concluding the contract; providing data is necessary for cooperation.

Retention period for personal data: for the period necessary to perform the concluded contracts and the rules specified therein. At least 5 years from the end of the year in which the last invoice/accounting document was issued.

 

  1. Contract performance

Source: Data of employees and collaborators provided in the course of cooperation by the entity that is a party to the contract.

Legal basis for processing: Art. 6(1)(f) GDPR, for contact purposes related to the performance of the main contract, for administrative purposes, including those related to the organization of cooperation and supervision of the provision of services, or the performance of other obligations or rights exercised under the main contract, for evidentiary purposes related to the performance of the main contract, to pursue claims related to the performance of the main contract.
Retention period for personal data: Your personal data will be retained by the Data Controller for at least the duration of the contracts concluded between the companies, and if necessary for evidentiary purposes – personal data may also be retained until the statute of limitations for claims related to the conducted business activity or the conclusion of court proceedings related to the aforementioned contracts.

 

 

  1. Service sales

Legal basis for processing: Art. 6(1)(b) GDPR – processing is necessary for the performance of the contract between you and the Office, Art. 6(1)(c) GDPR – for the purpose of maintaining accounting and tax documentation, and Art. 6(1)(f) GDPR – for the purpose of potentially establishing, pursuing, or defending against claims.

Retention period for personal data: Your data will be retained for the duration of the contract. A maximum of 6 years from the end of the fiscal year in which the last invoice was issued.

 

  1. Future claims

Legal basis for processing: Art. 6(1)(f) GDPR.
Retention period for personal data: for the limitation period for claims under the relevant type of contract: contract for specific work, mandate – 2 years, cooperation agreement – 3 years.

  1. Conducting marketing activities related to the business

Legal basis for processing: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Providing data is voluntary.

Retention period for personal data: Until the consent is withdrawn or the data subject objects.

  1. Responding to questions sent via email
    Legal basis for processing: Art. 6(1)(f) GDPR – the legitimate interest of the DC. Providing data is voluntary.

Retention period for personal data: until the question is answered, a maximum of 12 months.

 

  1. Protection of people and property on DC premises

Source of data: data from monitoring.
Legal basis for processing: Art. 6(1)(f) GDPR.
Retention period for personal data: from the moment of recording for a maximum period of 3 months.

 

If any purpose other than those mentioned above arises, the information obligation will be provided to you directly in the form or during the first action directed towards you.

 

Rights related to personal data processing:

  • If the legal basis is Art. 6(1)(a) or (b) GDPR:
  • right to access data
  • right to rectify data
  • right to delete data (right to be forgotten)
  • right to restrict data processing
  • right to data portability
  • If the legal basis is Art. 6(1)(c) GDPR:
  • right to access data
  • right to rectify data
  • right to restrict data processing
  • If the legal basis is Art. 6(1)(e) or (f) GDPR:
  • right to access data
  • right to rectify data
  • right to delete data (right to be forgotten)
  • right to restrict data processing
  • right to object to data processing

Right to withdraw consent:
If processing is based on your consent (Art. 6(1)(a) GDPR), we will process the data until it is withdrawn. Consent can be withdrawn at any time by sending an email to the address provided above or in person at the Data Controller’s office.  Withdrawal of consent does not affect the legality of the processing carried out based on the consent before its withdrawal.

After withdrawal of consent, the data will be processed for the purpose of protection against claims (Art. 6(1)(f) GDPR) for a period in accordance with the relevant legal provisions, up to a maximum of 3 years.

 

Right to lodge a complaint with the supervisory authority:
If you find that the DC has violated the security of your data processing, you have the right to lodge a complaint with the supervisory authority responsible for personal data protection, i.e., the President of the Personal Data Protection Office. The current address of the supervisory authority is: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

 

Data security:
Your personal data will be processed in accordance with the provisions of the GDPR, in writing or electronically, for the purposes mentioned above, and using appropriate methods to ensure the security and confidentiality of personal data in accordance with Art. 32 GDPR. Cooperation between our company and business entities is regulated by the relevant legal provisions.

Data recipients:

In connection with data processing, your personal data may be shared with other recipients or categories of recipients, such as:

  • Authorities and institutions, as well as relevant public administration and local government entities, to the extent and for purposes arising from generally applicable law.
  • Companies providing services to the DC, particularly in the area of: data protection, auditing services, IT support, software, finance, insurance, device servicing, correspondence.
  • Other entities that, under appropriate agreements, process personal data for the controller.

Your data will not be processed in an automated way, including profiling. Your data is not processed outside the EEA.