Privacy Policy

 

PRIVACY POLICY

Under what legal provisions is or may your personal data be processed?

 

The principles concerning the protection of personal data (hereinafter ODO) are set out, inter alia, in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016[1] on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter RODO), the Act on the Protection of Personal Data of 10 May 2018 (hereinafter DPA[2] ) and in special laws (lex specialis) also in the national order.

Important definitions

 

1. "Personal data" - means any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person,
2. "Processing" - means an operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
3. "Controller" - or Data Controller - means the natural or legal person, public authority, entity or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, a controller may also
    
   be designated by Union law or Member State law, or specific criteria for its designation may be laid down,
4. "Joint Controller" - in accordance with Article 26 RODO means two or more Controllers who jointly determine the purposes and means of processing personal data,
5. "Supervisory authority" means an independent public authority established by a Member State. The supervisory authority is the President of the Office for the Protection of Personal Data (Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw, contact: https://uodo.gov.pl/pl/p/kontakt),
6. "Recipient" - means a natural or legal person, public authority, individual or other entity to whom personal data is disclosed, whether or not a third party,
7. "Processor" - means a natural or legal person, public authority, entity or other body that processes personal data on behalf of the controller,
8. "Third party" - means a natural or legal person, public authority, entity or body other than the data subject, controller, processor or persons who, under the authority of the controller or processor, may process personal data,
9. "Third country" - An entity outside the EEA (European Economic Area) to which personal data is disclosed,
10. "Consent" - consent of the data subject means a freely given, specific, informed and unequivocal demonstration of will by which the data subject, by means of a statement or a clear affirmative action, consents to the processing of personal data concerning him or her,
11. "Privacy Policy" - this document, presenting information on the principles of personal data processing in accordance with the substantive scope indicated in Article 13 RODO - information clause on personal data processing,
12. "Cookies Policy" - information regarding the use of cookies on the website operated by the Data Controller. The Cookie Policy is available on the website of the Data Controller as a separate document,
13. "RODO" - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation): https://uodo.gov.pl/pl/404

 

To whom does this Privacy Policy apply?

 

This Privacy Policy (hereinafter PP) applies to the processing of personal data of natural persons, sole proprietors and persons acting on behalf of legal persons, i.e. persons appointed to represent the legal person, agents,

employees and/or collaborators acting on behalf of the legal person.

 

Who is the Data Controller of the personal data?

 

Pursuant to Article 13 RODO, i.e. the right to be informed, we would like to inform you that the data controller is Fabryka Automatów Tokarskich Wrocławiu S.A., based in Wrocław (53-234) at Grabiszyńska 281, (NIP: 896-000-01-38).

Contact details for the Data Controller

 

Please address your data protection queries directly to the Data Controller (by post) or to the dedicated email address: odo@fathaco.com

 

Data Protection Officer

 

Please be informed that the Data Controller has not appointed a Data Protection Officer.

For what purposes is or may your personal data be processed?

 

Personal data are processed or may be processed for the following purposes:

 

Lp.	Purpose of processing	Scope of data	Lawfulness of processing
1.	Personal data processed for contact purposes - replying to correspondence received	name, surname, telephone number, e-mail address, information provided in the body of the e-mail: position, place of work,	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller
2.	Personal data processed for the purpose of preparing and presenting an offer in respect of own products and services	name, surname, telephone number, e-mail address, company name, registered office	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller
3.	Personal data processed e for the purpose of sending commercial information regarding own products and services electronically	name, e-mail,	1) Article 6(1)(a) RODO - consent of the data subject [Article 10 Act on Provision of Electronic Services]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller
4.	Personal data processed for the purpose of sending marketing information in relation to own products and services by telephone in the form of a voice call	name, surname, telephone number,	(1) Article 6(1)(a) RODO - consent of the data subject [Article 172 Telecommunications Act]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller
5.	Personal data processed for the purpose of concluding and performing the contract	name, surname, identity card number, taxpayer identification number (NIP), correspondence address, contact data: telephone number, e-mail address, bank account number, data of persons representing legal entity, data of persons indicated on behalf of the legal entity for contact, other data necessary to conclude and perform the provisions of the agreement,	1) Article 6(1)(b) RODO - processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject before entering into a contract (2) Article 6(1)(c) of the DPA - processing is necessary for compliance with a legal obligation incumbent on the controller 3) Article 6(1)(f) RODO - legitimate interest pursued by the controller
6.	Personal data processed in connection with participation in the current or future recruitment process - a full information clause is available in the body of this Privacy Policy (Information on the processing of personal data in connection with participation in the recruitment process)	name(s) and surname, date of birth, contact details indicated by the person, education, professional qualifications, previous employment history, other data provided in the submitted application documents (e.g. image in the form of a photograph),	1) Article 22'1 § 1. of the Labour Code Act (hereinafter the Labour Code), 2) Article 6(1)(c) of the DPA - processing is necessary for the fulfilment of a legal obligation incumbent on the controller, 3) Article 6(1)(a) RODO - consent of the data subject,
7	For other purposes - whereby the content of Article 13 of the RODO will then be presented individually, for the respective purpose of processing	-	-

Disclosure of personal data by the Data Controller

 

Please be advised that personal data is or may be disclosed by the Data Controller:

• disclosed to recipients of data providing services to the Data Controller based on Article 28 RODO - entrustment of personal data processing. The categories of recipients of the data may be: IT infrastructure providers at the software and hardware level, website hosting providers, other entities to whom the Data Controller entrusted the processing of personal data. The list of entities to whom the Data Controller entrusted the processing of personal data is available at the request of the data subject,
• Disclosure to recipients of data cooperating with the Data Controller. The categories of recipients to whom personal data may be disclosed are entities operating in the field of audits, law firms. Please be informed that once personal data is disclosed, the data recipient to whom the data has been disclosed becomes the Data Controller. The list of entities to which the Data Controller has disclosed personal data is available at the request of the data subject,
• disclosed to recipients of the data who are public/state authorities. The categories of data recipients may be authorities such as the Tax Office, the Police, the courts, the Office for Personal Data Protection or other entities to which the Data Controller discloses personal data under the applicable legislation. Please be informed that once personal data is disclosed, the data recipient to whom the data has been disclosed becomes the Data Controller. The list of entities to which the Data Controller has disclosed personal data is available at the request of the data subject,

Transfers of personal data to a third country (i.e. outside the EEA)

 

1. Please be advised that personal data may be transferred to a third country, i.e. outside the EEA. In the event that personal data is transferred outside the European Economic Area, such transfer can only take place under the terms of Chapter V of the RODO:

• on the basis of Article 45 RODO - transfer on the basis of a decision establishing an adequate level of protection,
• under Article 46 RODO - transfer subject to appropriate safeguards, including the use of standard data protection clauses adopted by the European Commission,

2. Please be advised that there may be a risk associated with the transfer of personal data outside the EEA that personal data may not be sufficiently secure. Where there is a risk associated with the transfer of personal data outside the EEA, the Data Controller shall provide such information in this Privacy Policy,
3. Please be advised that the list of entities outside the EEA to which the Controller discloses personal data is available upon request from the data subject,
4. List of entities that may transfer personal data outside of the EEA that may not provide sufficient protection of personal data under the RODO:

 

Lp.	Name of the entity	Link to information	Potential negative consequences for the data subject
1.	Facbook	https://www.facebook.com/legal/terms	1) unauthorised access to data, 2) loss of control over their data, 3) the impossibility of exercising your rights under the RODO, 4. other negative impacts indicated in recital (75) of the preamble to the RODO: tangible and intangible impacts
2.	YouTube	https://www.youtube.com/t/terms	1) unauthorised access to data, 2) loss of control over their data, 3) the impossibility of exercising your rights under the RODO, 4. other negative impacts indicated in recital (75) of the preamble to the RODO: tangible and intangible impacts
3.	Google	https://policies.google.com/terms?hl=en&gl=be	1) unauthorised access to data, 2) loss of control over their data, 3) the impossibility of exercising your rights under the RODO, 4. other negative impacts indicated in recital (75) of the preamble to the RODO: tangible and intangible impacts
4.	Microsoft	https://www.microsoft.com/en/servicesagreement/	1) unauthorised access to data, 2) loss of control over their data, 3) the impossibility of exercising your rights under the RODO, 4. other negative effects indicated in recital (75) of the preamble to RODO: tangible and intangible effects

 

How long, according to the principle of temporality, will personal data be processed?

 

Please be advised that your personal data is or may be processed for a period of:

 

Lp.	Purpose of processing	Lawfulness of processing	Processing period
1.	Personal data processed for contact purposes - replying to correspondence received	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) until you withdraw the consent you have given, 2) until you object to the processing, 3) for a period of 5 years for internal administrative purposes
2.	Personal data processed for the purpose of preparing and presenting an offer in respect of own products and services	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) until you withdraw the consent you have given, 2) until you object to the processing, 3) for a period of 5 years in internal administrative purposes
3.	Personal data processed for the purpose of sending commercial information regarding own products and services electronically	1) Article 6(1)(a) RODO - consent of the data subject [Article 10 Act on the provision of electronic services]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) until you withdraw the consent you have given, 2) until you object to the processing, 3) for a period of 5 years for internal administrative purposes
4.	Personal data processed for the purpose of sending marketing information in relation to own products and services by telephone in the form of a voice call	(1) Article 6(1)(a) RODO - consent of the data subject [Article 172 Telecommunications Act]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) until you withdraw the consent you have given, 2) until you object to the processing, 3) for a period of 5 years for internal administrative purposes
5.	Personal data processed for the purpose of concluding and performing the contract	1) Article 6(1)(b) RODO - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (2) Article 6(1)(c) of the DPA - processing is necessary for compliance with a legal obligation incumbent on the controller 3) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) for a minimum period of 6 years from the completion of the contract, subject to change, 2) for the period provided for by the applicable legislation, not less than for a period of 6 years after the financial settlements related to the implementation of the contract provisions, 3) for a minimum of 10 years for internal administrative purposes, although this period may vary and in some cases for an indefinite period,
6.	Personal data processed in connection with participation in a current or future recruitment process - the full information clause is available in the body of this Privacy Policy	Information on the processing of personal data in connection with participation in the recruitment process	-
7.	For other purposes - whereby the content of Article 13 RODO will then be presented on an individual basis, for the respective purpose of processing	-	-

What rights does the data subject have?

 

We inform you of your right to request the Data Controller to exercise the following rights:

• The right of access to personal data concerning the data subject,
• The right to rectification of personal data,
• the right to erasure of personal data,
• The right to restrict the processing of personal data,
• The right to object to the processing,
• the right to data portability,
• The right to receive a copy of your personal data.

Please be advised that due to the particular purposes of processing mentioned in this Privacy Policy, the exercise of the rights of data subjects may be limited in whole or in part, e.g. due to applicable laws that oblige the Data Controller to process the data.

Who is the supervisory authority?

 

1. We inform you of your right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection (UODO) with its registered office at 2 Stawki Street in Warsaw, https://uodo.gov.pl/pl, https://uodo.gov.pl/pl/83/155,
2. In the case of co-administration with Facebook Ireland Limited, we inform you that the supervisory authority is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (as amended): https://www.dataprotection.ie/.

Under what circumstances is the provision of personal data a statutory or contractual requirement or a condition for entering into a contract?

 

We inform you that the provision of personal data is:

 

Lp.	Purpose of processing	Lawfulness of processing	Provision of personal data
1.	Personal data processed for contact purposes - replying to correspondence received	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) is voluntary, whereby failure to provide personal data will result in the impossibility of responding to enquiries, correspondence received,
2.	Personal data processed for the purpose of preparing and presenting an offer in respect of own products and services	1) Article 6(1)(a) RODO - consent of the data subject, 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) is voluntary, failure to provide personal data will result in the impossibility to prepare and send an offer
3.	Personal data processed for the purpose of sending commercial information in regarding own products and services by e-mail	1) Article 6(1)(a) RODO - consent of the data subject [Article 10 Law on provision of services by electronic means]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) is voluntary; failure to provide personal data will result in the impossibility to prepare and send commercial information
4.	Personal data processed for the purpose of sending marketing information in relation to own products and services by telephone in the form of a voice call	(1) Article 6(1)(a) RODO - consent of the data subject [Article 172 Telecommunications Act]. 2) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) is voluntary, failure to provide personal data will result in the impossibility to prepare and send marketing information
5.	Personal data processed for the purpose of concluding and performing the contract	1) Article 6(1)(b) RODO - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (2) Article 6(1)(c) of the DPA - processing is necessary for compliance with a legal obligation incumbent on the controller 3) Article 6(1)(f) RODO - legitimate interest pursued by the controller	1) is contractual in nature and is a condition for the conclusion of the contract, failure to provide personal data will result in the impossibility of preparing and concluding and implementing the contractual provisions, 2) is of a statutory nature, failure to provide personal data will result in the impossibility to fulfil the obligations incumbent on the Data Controller under the law
6.	Personal data processed in connection with participation in a current or future recruitment process - the full information clause is available in the body of this Privacy Policy	Information on the processing of personal data in connection with participation in the recruitment process	-
7.	For other purposes - whereby the content of Article 13 RODO will then be presented on an individual basis, for the respective purpose of processing	-	-

Information on automated decision-making, including profiling

 

• Please be informed that by accessing the website of the Data Controller, you are not subject to automated decision-making, including profiling. Information on the cookies used by the Data Controller is available in the Cookie Policy available on the website as a separate document,
• We would like to inform you that in the event that the Data Controller operates a fanpage through entities such as: Facebook, Google, YouTube, profiling may occur, whereby information on this profiling by the aforementioned entities is available in the privacy policies available on the websites of the aforementioned entities:

1. Facebook: https://www.facebook.com/legal/terms
2. YouTube: https://www.youtube.com/t/terms
3. Google: https://policies.google.com/terms?hl=en&gl=be
4. Google Maps: https://www.google.com/intl/en_be/help/terms_maps/

What is the source of the data?

 

Personal data can be:

• come directly from the data subject,
• not directly from the data subject: from entities cooperating with the data controller (real estate agents, sales platforms, from other sources),
• in the case of legal persons, the source of personal data may be publicly available registers of the National Court Register and the CEIDG, as well as the legal person who provides personal data of persons appointed on behalf of the legal person to represent it or to implement provisions concluded between the parties.

What range of personal data is processed?

 

The data controller processes personal data ordinarily and to the extent necessary to fulfil the purposes indicated in the Privacy Policy, including name, telephone number and/or e-mail address, registration data of a legal entity or sole proprietorship, correspondence data, bank account number and other personal data. In accordance with the principle of minimisation, we only process as much personal data as is necessary to fulfil the purpose of the processing or as is required by current legislation.

How do we secure personal data?

 

Please be informed that, in order to protect your privacy and personal data, the Data Controller has implemented appropriate technical and organisational measures to ensure the security of the processing of your personal data.

Processing of personal data using social media

 

We inform you, the Data Controller operates a Fanpage via social media such as Facebook, YouTube, Google. We inform you that in the event that the Data Controller decides on the purposes and means of data processing, the Data Controller becomes the Data Controller for such data and entrusts the processing of personal data to social media. In the case of the processing of personal data by social media for purposes not specified by the Data Controller, the Data Controller is not responsible for the further processing of personal data, including, among others, in the form of cookies, profiling tools, statistics tools and other purposes used by them, and is therefore not responsible for the consequences resulting from breaches of security of the processing of personal data by social media. Please be informed that in the case of the Facebook Fanpage held by the Data Controller, personal data is transferred outside the EEA (to a third country), to entities that may not guarantee a sufficient level of personal data protection, privacy protection, may not ensure the realisation of the rights and/or freedoms of the data subjects. The negative consequences of the transfer of personal data outside the EEA may be material or non-pecuniary damage, loss of control over one's data, inability to exercise the data subjects' rights or freedoms under the DPA. We would like to inform you that the use of the Fanpage on FB by individuals is completely voluntary and depends solely on the decision of the data subject. In addition, we would like to inform you that negative consequences for the protection of personal data, the protection of the privacy of users of the Fanpage operated by the Data Controller, may be, among others. (based on Recital 75 of the RODO/GDPR): property or non-property damage, discrimination, identity theft, identity fraud, financial loss, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic or social damage, deprivation of an individual's rights and freedoms or the ability to exercise control over his/her personal data, and other material and non-material effects on an individual. We would like to remind you that each FB user may, within the framework of his/her rights under the current legal provisions on privacy, data protection, on his/her own request comprehensive information on the aforementioned infringement from social media and inquire into claims (Articles 80 and 82 RODO/GDPR). We would like to inform you that Fanpage users can file a complaint directly with the PUODO via the form available at: https://uodo.gov.pl/pl/.

Joint controllers and joint management of personal data

 

We would like to inform you that in connection with the Administrator's operation of the Facebook Fanpage, a process of joint control of personal data is taking place between the Data Controller and Facebook Ireland Limited, with registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (the Data Controller). Pursuant to Article 26 of the DPA, we would like to inform you that the aforementioned joint controllers have entered into joint arrangements in respect of their obligations under the DPA. Information on the joint arrangements between the Joint Administrators is available at the following link: https://www.facebook.com/legal/controller_addendum - effective date: 31 August 2020. Please be advised that due to the occurrence of a joint control process with Facebook Ireland Limited, there may be transfers of personal data outside the EEA (to a third country) by FB, which may not ensure sufficient protection of personal data, the exercise of the rights and/or freedoms of data subjects, the protection of privacy. We inform you of the right to address queries about the co-management process for each of the co-managers individually. We inform you that the supervisory authority responsible for Facebook Ireland Limited is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (as amended): https://www.dataprotection.ie/.

Processing of personal data based on the consent of the data subject

 

Please be informed that in the case of processing of personal data based on the consent of the data subject (Art. 6(1)(a) RODO):

 

Lp.	Purpose of processing	Lawfulness of processing	Article 6(1)(a) RODO
1.	Personal data processed for contact purposes - replying to correspondence received	1) Article 6(1)(a) RODO - consent of the data subject,	The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. The withdrawal of the consent given should be notified to the email address: odo@fathaco.com
2.	Personal data processed for the preparation and presentation of offers for own products and services	1) Article 6(1)(a) RODO - consent of the data subject,	The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. The withdrawal of the consent given must be notified to the email address: odo@fathaco.com
3.	Personal data processed for the purpose of sending commercial information regarding own products and services electronically	1) Article 6(1)(a) RODO - consent of the data subject [Article 10 Act on the provision of electronic services].	The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. The withdrawal of the consent given should be notified to the email address: odo@fathaco.com
4.	Personal data processed for the purpose of sending marketing information in relation to own products and services by telephone in the form of a voice call	(1) Article 6(1)(a) RODO - consent of the data subject [Article 172 Telecommunications Act].	The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. The withdrawal of the consent given must be notified to the email address: odo@fathaco.com
5.	Personal data processed in connection with participation in a current or future recruitment process - the full information clause is available in the body of this Privacy Policy	Information on the processing of personal data in connection with participation in the recruitment process	-

 

Processing of personal data based on a legitimate interest pursued by the Data Controller

 

Please be informed that in the case of processing of personal data based on a legitimate interest pursued by the Data Controller (Art. 6(1)(f) RODO):

 

Lp.	Purpose of processing	Lawfulness of processing	Article 6(1)(f) RODO
1.	Personal data processed for contact purposes - replying to correspondence received	1) Article 6(1)(f) RODO - legitimate interest pursued by the controller	The legitimate interest of the Data Controller is considered to be the processing of personal data for the purpose of responding to received correspondence, enquiries - keeping in touch with the data subject on an ongoing basis
2.	Personal data processed for the purpose of preparing and presenting an offer in respect of own products and services	1) Article 6(1)(f) RODO - legitimate interest pursued by the controller	A legitimate interest is considered to be a binding relationship between the parties, including a business relationship, an ongoing contract with the data subject and the processing of data for internal administrative purposes, also with regard to the exercise of the data subject's rights in connection with the possibility of exercising the data subject's right and provided for by legislation (e.g. documenting the withdrawal of granted consent)
3.	Personal data processed for the purpose of sending commercial information regarding own products and services electronically	1) Article 6(1)(f) RODO - legitimate interest pursued by the controller	A legitimate interest is considered to be a binding relationship between the parties, including a business relationship, an ongoing contract with the data subject and the processing of data for internal administrative purposes, also with regard to the exercise of the data subject's rights in connection with the exercise of the data subject's rights and as provided for by law (e.g. documenting the withdrawal of consent granted)
4.	Personal data processed for the purpose of sending marketing information in relation to own products and services via by telephone in the form of a voice call	1) Article 6(1)(f) RODO - legitimate interest pursued by the controller	A legitimate interest is considered to be a binding relationship between the parties, including a business relationship, an ongoing contract with the data subject, and the processing of data for internal administrative purposes, also in relation to the exercise of the data subject's rights as provided by law (e.g. documenting the withdrawal of granted consent)
5.	Personal data processed for the purpose of concluding and performing the contract	1) Article 6(1)(f) RODO - legitimate interest pursued by the controller	A legitimate interest is considered to be a binding relationship between the parties, including a business relationship, an ongoing contract with the data subject, and the processing of data for internal administrative purposes, also with regard to the exercise of the data subject's rights in connection with the possibility of exercising the data subject's right and provided for by law, the exercise of possible claims (e.g. debt collection, court cases, warranty or guarantee cases)

Information on the processing of personal data in connection with participation in the recruitment process

 

Pursuant to Article 13 RODO, we would like to inform you that the Administrator of the data in relation to applicants for employment is Fabryka Automatów Tokarskich we Wrocławiu S.A. with its registered office at Grabiszyńska 281, 53-234 Wrocław (NIP: 896-000-01-38).   Contact details to the Data Protection Administrator:odo@fathaco.com or by post at the above address.  Please be informed that the Data Protection Inspector has not been appointed. We would like to inform you that personal data is or may be processed for the following purposes:

1. (a) in order to carry out the current recruitment process in connection with the job search announcement. The legal basis for the processing of personal data is the Labour Code Act of 26 June 1974, Article 22'1 (Article 6(1)(c) RODO). We inform you that the provision of personal data is of a statutory nature and results from Article 22'1 of the Labour Code,
2. (b) in relation to the processing of personal data in planned (future) recruitment processes by the Data Controller. In the case of consent to participate in future, planned recruitment processes by the Data Controller, please include the following clause in your CV: "I consent to processing of my personal data contained in the submitted documentation in order to participate in future recruitment processes conducted by the Data Controller". The legal basis for the processing of personal data is the data subject's consent to the processing of his/her personal data in the recruitment processes planned by the Data Controller (Article 6(1)(a) RODO). Please be informed that the granting of consent is voluntary and that the consent given may be withdrawn at any time, without affecting other provisions arising from the recruitment process. In case of withdrawal of the consent given, the personal data will not be taken into account in future (planned) recruitments by the Data Controller. We would like to inform you that the scope of personal data processed in the recruitment process results from Article 22'1 § 1 of the Labour Code. Pursuant to Article 22'1 § 1, the employer requests personal data from a person applying for employment, including: name(s) and surname, date of birth, contact details indicated by such person, education, professional qualifications, course of previous employment. The employer requests personal data including: first name(s) and surname, date of birth, contact details indicated by such person, education - when it is necessary to perform work of a certain type or in a certain position. In addition, a person applying for employment may, on his/her own initiative, provide and submit to the employer a broader range of data than that provided for in Article 22'1 1 of the Labour Code including:
3. a) sensitive data as indicated in Article 9 RODO (the following are considered as special categories of personal data/sensitive data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation),
4. (b) data in the form of a link or links to information about oneself provided by the applicant for employment (including links to social media or dedicated websites), whereby the provision of personal data to a greater extent shall be deemed to be voluntary consent to its processing by the applicant for employment. We would like to inform you that in the event that an applicant for employment provides, on his/her own initiative, personal data to a greater extent than specified in Article 22'1 of the Labour Code, consent to their processing may be withdrawn at any time without any negative impact on the current or future recruitment process. We inform you that personal data are or may be disclosed to recipients of personal data, to state authorities only under applicable laws or to third parties based on Article 28 RODO - entrustment of personal data processing. The categories of recipients to whom personal data are disclosed are: external service providers of the recruitment service in the form of dedicated recruitment applications, external companies engaged in carrying out the recruitment process at the instruction of the Data Controller, other entities providing services to support the carrying out of the recruitment process of the Data Controller. Upon request, the Data Controller shall make available a list of all entities to which personal data is disclosed in the recruitment process. We inform you that in the conducted recruitment process, personal data is not transferred to a third country (i.e. outside the European Economic Area). We inform you that personal data are or may be processed:
5. (a) for the purposes of ongoing recruitment, for a period of 6 months from the date of completion of the recruitment process,
6. b) for the purpose of processing of personal data in relation to the Administrator's planned (future) recruitment - for no longer than 24 months from the date of completion of the recruitment or until the withdrawal of consent for processing of personal data in planned (future) recruitment. The Data Controller informs that the aforementioned period of personal data processing may be subject to change (extension) depending on the circumstances which may affect the necessity of changing the aforementioned period. In case the aforementioned period of personal data processing is changed, the Data Controller will inform the persons participating in the recruitment process about such change. We inform you of the right to request from the Data Controller access to, rectification, erasure or restriction of processing of personal data concerning the data subject, or the right to object to the processing, as well as the right to data portability. We inform you about the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection in Warsaw. Contact details to the supervisory authority: Office for the Protection of Personal Data, 2 Stawki Street, 00-193 Warsaw or through the contact details available on the authority's website: https://uodo.gov.pl/pl/p/kontakt. We would like to inform you that personal data processed in connection with the conducted recruitment or future recruitment is not subject to profiling, automated profiling or automated decision-making, including profiling. Please be informed that the Data Controller does not plan to process personal data for any other purpose than the one indicated above. If there are other purposes, the Data Controller will inform you of these purposes in a separate communication. Please be informed that in order to protect privacy and personal data, the Data Controller has implemented appropriate technical and organisational measures to ensure the security of the processing of personal data. Please be informed that the recruitment process may be based on personal data directly from the data subject or from other sources, i.e. not directly from the data subject. Where personal data is obtained from sources other than directly from the applicant for employment, the Data Controller shall, in accordance with Article 14(3) of the RODO, inform the data subject of the processing of his/her personal data within a reasonable period after the personal data is obtained - at the latest within one month, and if the personal data is to be used for communication with the data subject - at the latest on the first such communication with the data subject.

Data breach notifications

 

Please be informed that, pursuant to Article 34 RODO, in the event of a personal data breach which may result in a high risk of infringement of the rights or freedoms of natural persons, the Data Controller shall, without undue delay, notify the data subject of such breach. We inform you that pursuant to Article 34 of the RODO, personal data may be processed in connection with the occurrence of the breach referred to above. We inform you that the legal basis for the processing of personal data is Article 6(1)(c) RODO. We inform you that in the event of a personal data breach, the Data Controller will take all possible and available technical and organisational measures to comply with the requirements set out in Article 33 and Article 34 of the RODO.

[1] RODO: https://uodo.gov.pl/pl/404/224

[2] DPA: https://uodo.gov.pl/pl/395/1192