1. DEFINITIONS
Controller – EWL S.A., having its registered office in Warsaw, KRS: 0000080338 and other companies being members of the EWL Group: EWL Outsourcing sp. z o.o., having its registered office in Piaseczno, KRS: 0000463076 and EWLIT sp. z o.o. sp. k., having its registered office in Piaseczno, KRS: 0000553016;
Personal data – all information about an identified or identifiable natural person („data subject”); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an ID such as name and surname, identification number, data about location, online ID or one or several particular factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
Processing – operations or set of operations performed on personal data or personal data sets in an automated or non-automated manner, such as collecting, recording, organizing, ordering, storing, adapting or modifying, collecting, browsing, using, disclosure by sending, distribution, or another kind of sharing, matching or combining, limiting, deleting or destroying;
GDPR – the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and free flow of such data and repealing directive 95/46/WE (General Data Protection Regulation);
Site – the website kept by the Controller at: https://www.ewl.com.pl/;
User – each natural person visiting the Site or using the services or functionalities described in this Privacy Policy;
2. GOALS, LEGAL BASIS AND PERIODS OF PERSONAL DATA PROCESSING
The goals, legal basis and periods of processing of your personal data by the Controller vary depending on the process this processing is present in.
2.1. USING THE SITE
While using the Site, your personal data are processed for the purposes of the services provided electronically with regard to the provision of content collected on the Site to the Users and for analytical and statistical purposes. The data are processed under Article 6 section 1 letter b of GDPR – the need to process the data to conclude as well as perform an agreement and Article 6 section 1 letter f of the GDPR – to pursue the Controller’s legitimate interest, consisting in conducting users’ activity and preference analyses in order to improve the applied functionalities and the services provided. The Controller processes the data for the period necessary to provide the service and then for the period related to raising or defending against any claims.
2.2. OFFER PREPARATION
The purpose of the personal data processing is to send commercial offers in order to conclude an agreement. The data are processed under Article 6 section 1 letter b of GDPR – the need to process the data to conclude, perform an agreement; at the request of the data subject – to take actions before conclusion of the agreement. In the case of concluding an agreement, the personal data are processed throughout the effective term of the agreement and then for the limitation term for the claims resulting from the agreement. With no agreement concluded, we process the data within 1 month after the end of the offer’s validity term. In the case of the offer’s validity term not being defined – for the period of 3 months after the last contact.
2.3. CONCLUSION AND PERFORMANCE OF A SERVICES AGREEMENT
The purpose of the personal data processing is to conclude agreements and provide or use the services on their basis. The data are processed under Article 6 section 1 letter b GDPR – the need to process the data to conclude, perform an agreement; at the request of the data subject – to take actions before conclusion of the agreement. The personal data are processed for the effective period of the agreement and then for the limitation term for the claims resulting from the agreement.
2.4. RECRUITMENT
The Controller processes the candidates’ data in the recruitment process in order to hire employees. Data processing proceeds on the basis of Article 6 section 1 letter b GDPR – the need to process the data to conclude, perform an agreement; at the request of the data subject – to take actions before conclusion of the agreement. The data are processed for the period of the recruitment process. In case an additional consent is expressed to processing data for future recruitment purposes, we will process your data for the maximum period of 2 years from the date of their entry into the Controller’s database or the date of the last contact with you, whichever is later.
2.5. CONTACT FORM
The Controller processes the data shared in the contact form in order to recruit a candidate or in order to answer other questions stated in the form. Data processing proceeds on the basis of Article 6 section 1 letter a GDPR or Article 6 section 1 letter f of the GDPR – on the basis of a consent/at a candidate’s request and in order to pursue the Controller’s legitimate interest, being the need to ensure proper services for the Site visitors.
2.6. NEWSLETTER
The Controller processes the data when sending a newsletter (in the form of electronic messages that may contain commercial information) for publicity, promotional, marketing purposes associated with the Controller’s business operations. The data are processed on the basis of the data subject’s consent – Article 6 section 1 letter a GDPR. The data are processed for the maximum period of 2 years from the date your data are entered into the Controller’s database or the date of the last contact with you, whichever is later.
2.7. COMPETITIONS, PROMOTIONAL CAMPAIGNS
The Controller processes the data in order to conduct a competition/promotional campaign including to: choose the winner, award and hand over a prize, award and hand over bonuses. Data processing proceeds on the basis of Article 6 section 1 letter b GDPR – the need to process the data to conclude, perform an agreement; at the request of the data subject – to take actions before conclusion of the agreement. The data are processed for the period the competition/campaign is being conducted for and then for the limitation term for any claims resulting from participation in the competition/promotional campaign.
2.8. DIRECT MARKETING OF THE CONTROLLER’S OWN PRODUCTS AND SERVICES USING MEANS OF ELECTRONIC COMMUNICATION (E-MAIL, PHONE, SMS TEXT MESSAGE)
The Controller processes electronic messages containing marketing information, for advertising, promotional, marketing purposes associated with the Controller’s business operations. The data are processed on the basis of a consent – Article 6 section 1 letter a GDPR. The data are processed for the maximum period of 2 years from the date your data are entered into the Controller’s database or the date of the last contact with you, whichever is later.
2.9. DETERMINING, PURSUING AND DEFENDING AGAINST CLAIMS
The Controller processes your data in order to recover any amounts due and run court proceedings as well as defend against claims. The processing proceeds on the basis of Article 6 section 1 letter f of GDPR – the Controller’s legitimate interest is the need to pursue or defend against claims. The data are processed for the limitation term for any claims, according to the provisions of the commonly binding law.
3. USING COOKIE FILES AND SIMILAR TECHNOLOGIES
3.1. COOKIE FILES
The Controller uses the so-called service cookies, first of all, to deliver electronically provided services to the User and to improve the quality of these services. Consequently, the Controller and other entities providing analytical and statistical services for their benefit use cookie files to store information or obtain access to any information already stored in the User’s terminal telecommunication device (computer, phone, tablet etc.). The cookie files used for this purpose include:
3.1.1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
3.1.2. authentication cookies used for any services requiring authentication mechanisms for the duration of the session (authentication cookies);
3.1.3. cookies used to ensure security, e.g. used to detect transgressions in authentication (user centric security cookies);
3.1.4. multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
3.1.5. permanent cookies used to customize the user interface for the duration of the session or slightly longer (user interface customization cookies);
3.2. GOOGLE ANALYTICS
The Controller uses Google Analytics analytical tools, which collect information on site visits, such as subpages that you have displayed, the time you spent on the site, or the time of switching between individual subpages. For this purpose, Google LLC cookies regarding the Google Analytics service are used. Under Google Analytics, demographic data and data about interests are collected. Neither the Controller nor Google uses the data collected to identify the User or combines this information in order to make your identification possible. Detailed information about the scope and the principles of collecting data in connection with this service can be found under the following link: https://www.google.com/intl/pl/policies/privacy/partners.
3.3 GOOGLE TAG MANAGER
The Controller uses the Google Tag Manager marketing tool to control marketing campaigns and the way you use the Site. For this purpose, Google LLC cookies related to the Google Tag Manager service are used. Neither the Controller nor Google uses the data collected to identify the User or combines this information in order to make identification possible. Detailed information about the scope and the principles of collecting data in connection with this service can be found under the following link: https://www.google.com/intl/pl/policies/privacy/partners.
3.4. LINKEDIN INSIGHT TAG
The Controller uses LinkedIn Conversion Tracking retargeting tool from LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (»LinkedIn«). For this purpose, LinkedIn Insight Tag code is installed on the Site allowing LinkedIn to collect statistical, pseudonymous data about your visits and use of our website and to deliver aggregated statistical reports to the Administrator on this basis. This information also allows personalized offers and recommendation to be displayed. Neither the Controller nor the tool uses the data collected to identify the User or combines this information in order to make your identification possible. Detailed information about the scope and the principles of collecting data in connection with this tool can be found under the link: https://www.linkedin.com/help/linkedin/answer/90274/manage-your-linkedin-ads-settings?lang=en
3.5. FACEBOOK PIXEL
The Controller uses Facebook Pixel marketing tool to direct to you personalized advertisements on Facebook. This involves the use of Facebook cookie files. Any information collected under Facebook Pixel is anonymous, i.e. does not allow for your identification. Facebook is an entity certified under the privacy shield agreement and, consequently, guarantees observance of the European regulations regarding data protection https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active. Detailed information about the scope and the principles of collecting data by Facebook can be found under the link: https://www.facebook.com/about/privacy/update. Specific information and details concerning the Facebook Pixel function and the way it works are available in Facebook web portal help section at https://www.facebook.com/business/help/651294705016616. This function can be switched off in the way shown at https://de-de.facebook.com/business/help/1415256572060999?helpref=uf_permalink or at https://www.facebook.com/settings?tab=ads. To do this, please log in to the Facebook web portal.
3.6. BITRIX24
The Controller uses Bitrix24 marketing tool delivered by Bitrix, Inc. (registered office address: 901 N. Pitt St, Suite 325 Alexandria VA 22314 USA), collecting data enabling identification of a specific person according to voluntarily provided categories. The data are kept inside the European Union (Frankfurt, Germany) in Amazon Web Services data centers being fully consistent with the General Data Protection Regulation. More information on the scope and the principles of collecting data in connection with this tool can be obtained from the following link: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/. Simultaneously, any information related to GDPR compliance and the Privacy Policy document are available under the following link https://www.bitrix24.com/gdpr/ .
3.7. BAZO.IO
The Controller uses BAZO.IO tool delivered by Bazo sp. z o. o. with its registered office in Lublin in connection with use of the BAZO.IO product – in order for collect the following information about your visits on the Site: date and frequency of your visits on the Site, IP address of your device, tabs visited during the visits on the Site, contact details. BAZO fulfills the GDPR requirements as the controller and the processor of personal data. For more information about the processing of your data by Bazo sp. z o.o. see: https://bazo.io/).
3.8. HOTJAR
The Controller uses the Hotjar tool, provided by Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta – in order to analyze your behavior on the Site the following information is kept: date and frequency of your visits on the Site, your device’s IP address, tabs visited during your visits on the Site, contact details. Hotjar does not use this information for your identification. For more information about the processing of your data by Hotjar, see: https://www.hotjar.com/legal/policies/privacy.
In each case you can object to the information about you being stored with the use of the tools described in item 3 above under the cookie file settings from the level of the Site and decide which tools the Controller can use during your visits on the Site.
4. SOCIAL WEBSITES
The Controller processes the personal data of the Users visiting the Controller’s profiles kept in social media (LinkedIn, Facebook). These data are being processed only in connection with running the profile, including in order to inform the Users about the Controller’s activity and to promote various events, services and products. The legal basis for the Controller’s processing of the personal data for this purpose is their legitimate interest (Article 6 section 1 letter f of GDPR) consisting in promoting its own brand.
5. CATEGORIES OF THE PROCESSED PERSONAL DATA
The Controller processes the following Personal Data categories, being property of employee candidates, the Controller’s (future/potential) business partners, employees or (future/potential) associates of the Controller’s business partners and other persons contacting the Controller or any persons the Controller contacts:
1) the identification data (in particular: full name, date of birth, identity document series and number, company name, NIP tax ID, REGON) and address details (registered office address, correspondence address, addresses of retail outlets),
2) contact details (e-mail, telephone number),
3) data about the work post occupied, any professional experience held, any qualifications held,
4) financial data, including the bank account number, bank’s/financial institution’s data, data from VAT invoices,
5) the information obtained when using our website, in particular IP addresses, text files,
6) other data you have provided in any form – necessary for the purpose they have been made available;
6. DATA SOURCES
Any data are obtained by the Controller as follows:
7) information provided voluntarily and directly by you (e.g. in the contact form in the order form, through exchange of business cards, during a telephone interview, when concluding and performing the agreement, providing the services);
8) any information obtained when using our website, in particular: IP address, text files;
9) data of the Controller’s employees or associates, business partners (business partners, subcontractors) – they originate directly from them or from their employer/the entity that they represent; 10) data of employee candidates for the Controller – they originate directly from them or from external recruitment agencies or have been provided by the Controller’s employees and associates under promotional programs and campaigns e.g. the recommendations program,
11) from any commonly available sources, in particular databases and registers: the Central Business Register and Information Service (CEIDG), the National Court Register (KRS), REGON database;
7. DATA RECIPIENTS
Your personal data can be made available to or entrusted by the Controller to:
12) other entities from EWL Group,
13) entities providing services for the benefit of the Controller e.g. accounting, HR, recruitment, legal, debt recovery, IT, infrastructure services, provided that such entities process the data as a subcontractor under an agreement with the Controller and only according to their instructions,
14) any entities conducting mail or courier operations,
15) banks.
The Controller reserves the right to disclose selected information about you to competent entities or third parties that have filed a request to provide such information, based on a respective legal basis and in accordance with regulations of the binding law.
8. RIGHTS OF THE DATA SUBJECTS
In connection with the Controller’s processing of your data, you are legally entitled to:
1) access the content of your data, request them to be corrected, removed or have their processing restricted;
2) withdraw your consent to the personal data processing to the extent your personal data are being processed on the basis of your consent; any consent withdrawal has no effect on conformity with the law of any processing completed prior to its withdrawal;
3) submit an objection against personal data processing to the extent that the basis for the personal data processing is the Controller’s legitimate interest;
4) transfer the personal data, i.e. receive information about the processed personal data from the Controller, in a structured, commonly used format, suitable for machine reading to the extent that your data are being processed in order to conclude and perform the agreement or on the basis of your consent;
5) file a complaint to the President of the Personal Data Protection Office to the address: ul. Stawki 2, 00-193 Warsaw, if you consider that the processing of your personal data breaches the provisions of GDPR.
In order to exercise the aforementioned rights, please contact the Data Controller or the coordinator responsible for the matters of personal data protection to the e-mail address: [email protected]
9. DATA PROCESSING OUTSIDE THE EU
Your personal data may be transferred outside the European Economic Area (which includes the European Union, Norway, Liechtenstein and Iceland) (further: EEA) in connection with the Controller’s cooperation with business partners having their registered office outside the EEA (Ukraine) and the provision of services for the Controller in the field of IT and infrastructure. in order to ensure a suitable degree of protection when your data are transferred outside the EEA, the Company uses, in the agreements with the data recipients, standard contractual clauses issued by the European Commission according to Art. 46 section 2 letter c GDPR.
10. SAFETY OF PERSONAL DATA
The Controller conducts the analysis of risk on the current basis in order to ensure that the personal data are processed in a secure way – to ensure first of all that access to the data is granted only to the authorized persons and only to the extent it is necessary due to their tasks. The Controller cares to ensure that all operations on the personal data are recorded and made by authorized employees and associates only.
The Controller takes all the necessary actions to ensure that their subcontractors and other cooperating entities give a guarantee that they apply the respective safety measures in each case when they process the personal data to the Controller’s order.
11. CONTACT DETAILS
The contact with the Controller is possible at the e-mail address: [email protected] or in writing at the address of the Controller’s registered office.
The controller has appointed the personal data protection coordinator, who can be contacted at the email address: [email protected] in all matters concerning your personal data. The personal data protection coordinator does not hold the data protection officer function as defined by Article 37-39 GDPR
12. AMENDMENTS TO THE PRIVACY POLICY
The Privacy Policy is verified on the current basis and updated when necessary. The up-to-date version of the Privacy Policy has been adopted and has been in force as from 8 April 2020.