PL

GDPR

Acting pursuant to Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC, the so-called RODO, Grupa Kęty S.A. informs that:

1. Controller of Data:

The controller of the personal data is Grupa Kęty S.A. (ul. Kościuszki 111, 32-650 Kęty, NIP: 5490001468).

2. Category of personal data processed:

Personal data are processed:

  • for the purpose of entering into an employment contract or at the request of the data subject prior to entering into an employment contract on the basis of Article 6(1)(b) RODO;
  • on the basis of the job applicant’s consent on the basis of Article 6(1)(a) RODO and Article 9(2)(a) RODO, which may also include the processing of personal data for subsequent recruitment

The processed data is limited to information required by labour legislation and necessary for contract conclusion. This includes first name(s), surname, date of birth, and contact details provided by the person, education, professional qualifications, and previous employment history. Additionally, job applicants may provide voluntary information such as a photo, other contact details, personality and/or psychological test results, fluid intelligence test results, and a video recording of the interview.

In the case of an online recruitment interview, personal data in terms of name, surname, username in Zoom, data provided during the recruitment interview and image if displayed during the recruitment interview are used exclusively for the purpose of on – line recruitment, which is the Administrator’s legitimate interest under Article 6(1)(f) RODO.

Processing personal data is a necessary requirement for participating in the recruitment process for a job with the Administrator.

However, providing personal data is voluntary if processing is based on consent.

It is important to note that personal data will be processed during and after the recruitment process, as long as consent is not withdrawn, but no longer than one year.

Each job applicant is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification of personal data;
  • pursuant to Article 17 of the DPA, the right to request the erasure of personal data;
  • pursuant to Article 18 RODO, the right to request the restriction of the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • pursuant to Article 20 RODO, the right to data portability only to the extent that personal data is processed by automated means;
  • the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2, 00 – 193 Warsaw in the event thatthe processing of personal data is deemedto violate the provisions of the RODO.

In the case of the processing of personal data on the basis of consent, the job applicant has the right to withdraw the consent, which, however, does not affect the validity of the acts carried out on the basis of consent during the period between the granting of the consent and the withdrawal.

Due to the nature of the processing of personal data during the on line recruitment interview, the job candidate does not have the right to access the data, the right to obtain a copy of the data, the right to erasure, the right to restrict the processing of the data, the right to data portability and the right not to be subject to automated decision making.

The job candidate does not have the right to object to the processing of personal data on the basis of Article 21 RODO, as the legal basis for the processing of personal data is not Article 6(1)(e) or (f) RODO.

The scope of personal data processed includes data that are obliged to be provided under employment law as well as personal data provided voluntarily by the employee.

Personal data are processed:

  • pursuant to voluntary consent to the processing of personal data on the basis of Article 6(1)(a) and Article 9(2)(a) of the RODO;
  • in order to conclude an employment contract on the basis of Article 6(1)(b) of the DPA;
  • in order to comply with the Administrator’s legal obligations on the basis of Article 6(1) lit. c RODO and Article 9(2) lit. b RODO, in particular with regard to obligations under labour, tax and social security law;
  • in respect of data processed for the purpose of providing social benefits from the Company Social Benefits Fund on the basis of Article 6(1)(c) RODO and Article 9(2)(b) RODO;
  • with regard to video surveillance to ensure the safety of persons, the protection of property, the control of production and to ensure the confidentiality of information, which constitutes the legitimate interest of the Administrator on the basis of Article 6(1)(f) RODO and Article 22 (2) § 1 k.p.;
  • in terms of other forms of monitoring used by the Administrator in order to ensure the organisation of work that allows full use of working time and the proper use of the work tools provided to the employee, which constitutes the Administrator’s legitimate interest on the basis of Article 6(1)(f) of the RODO and Article 22 (3) of the PCC;
  • in respect of data processed during the use of the ZOOM platform for the purpose of holding meetings while working remotely, which constitutes the legitimate interest of the Administrator on the basis of Article 6(1)(f) of the RODO.

The processing of personal data is necessary for the conclusion and execution of the employment relationship with the Administrator.

However, providing personal data is voluntary if processing is based on consent.

Personal data shall be processed during and after employment for as long as required by the relevant legislation or as long as consent to the processing of personal data is not withdrawn, where this is the legal basis for the processing of personal data.

Personal data from video surveillance shall be retained for no longer than 30 days and data from other forms of surveillance shall be retained for the period indicated in the IT procedures.

Each employee is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification of personal data;
  • pursuant to Article 17 of the DPA, the right to request the erasure of personal data;
  • pursuant to Article 18 RODO, the right to request the restriction of the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • pursuant to Article 20 RODO, the right to data portability only to the extent that personal data is processed by automated means;
  • the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2, 00 – 193 Warsaw in the event thatthe processing of personal data is deemedto violate the provisions of the RODO.

Where personal data is processed on the basis of consent, the employee has the right to withdraw the consent, but this does not affect the validity of the activities carried out on the basis of the consent during the period between its granting and withdrawal.

Due to the nature of the processing of personal data during online interviews, you do not have the right to access your data, the right to obtain a copy of your data, the right to erasure, the right to restrict processing, the right to data portability and the right not to be subject to automated decision-making.

Where data is processed on the basis of Article 6(1)(f) RODO, i.e. for the purpose of pursuing legitimate interests, the employee has the right to object to the processing.

The scope of personal data includes data necessary for identification, data recorded by monitoring and vehicle data (optional data).

Personal data is processed on the basis of Article 6(1)(f) of the RODO solely for the purpose of ensuring the safety of persons and the protection of property, controlling production and ensuring the confidentiality of information, which is a legitimate interest of the Administrator.

Provision of data is necessary – failure to do so will result in non-identification and therefore inability to access the Company’s premises.

Therefore, it is necessary to present an ID card in order to issue a pass – however, the ID card will not be photocopied, scanned or photographed.

Personal data are processed for as long as required by law to ensure the safety of persons and the protection of property for the establishment, investigation or defence of claims.

Data recorded by video surveillance shall be kept for a period not exceeding 30 days. Each person is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification;
  • pursuant to Article 18 RODO, the right to request the controller to restrict the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • The right to lodge a complaint with the President of the Data Protection Authority if it is considered that the processing of personal data violates the provisions of the RODO.

Where the legal basis for processing is Article 6(1)(f) of the RODO, you have the right under Article 21 of the RODO to object to the processing of your personal data.

You are not entitled to:

  • The right to request the erasure of personal data in relation to Article 17(3)(b, d or e) RODO;
  • the right to data portability referred to in Article 20 of the RODO,

Video surveillance recordings cannot be corrected for technical reasons and are not subject to the right to obtain a copy where this could infringe the rights and freedoms of others who may be on the recording.

The scope of personal data includes identification data, contact data and data contained in publicly available records and sources or provided by the Customer/Contractor, including data of persons entitled to representation and data of proxies and data of persons indicated for contact.

Personal data are processed, depending on the legal basis linking the Parties, for the purpose of:

  • the conclusion of a contract or the performance of its provisions on the basis of Article 6(1)(b) of the DPA;
  • to take pre-contractual action at the request of the data subject, in particular to prepare an offer on the basis of Article 6( 1)(b) of the RODO;
  • fulfilment of a legal obligation in terms of tax, accounting obligations on the basis of Article 6(1)(c) of the DPA;
  • the fulfilment of the Administrator’s legitimate interest in marketing its own goods, in carrying out correspondence or responding to enquiries made using the Administrator’s contact details, and in carrying out debt collection activities and handling complaints where necessary on the basis of Article 6(1)(f) of the RODO;
  • in respect of data processed when using the ZOOM platform to hold remote meetings, which is the Administrator’s legitimate interest under Article 6 (1)(f) of the RODO.

In the case of the conclusion of acontract with a commercial company or institution, the Administrator will process the personal data of the persons authorised to represent them and the persons indicated for contact exclusively for the purposes related to the conclusion and performance of contracts and the conduct of possible complaint and recovery actions, which constitutes the Administrator’s legitimate interest on the basis of Article 6(1)(f) of the RODO. In this case, personal data includes identification data, contact data, position held and other data available in publicly available registers (e.g. KRS, CEIDG) or provided by the company or institution in order to conclude and perform the contract.

The provision of personal data is necessary for the conclusion and performance of the contract. The personal data will be stored for the duration of the contract and furthermore:

  • until the statute of limitations for claims in accordance with generally applicable legal provisions;
  • in the scope of accounting and tax documentation – for the period of 5 years calculated from the end of the calendar year in which the agreement was terminated or expired;
  • the Administrator deems the lodged objection justified in the case of processing of personal data solely on the basis of the Administrator’s legitimate interest.

Each person is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification of personal data;
  • pursuant to Article 17 of the DPA, the right to request the erasure of personal data;
  • pursuant to Article 18 RODO, the right to request the restriction of the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • pursuant to Article 20 RODO the right to data portability only to the extent that personal data are processed by automated means and on the basis of a contract;
  • the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2, 00 – 193 Warsaw in the event thatthe processing of personal data is deemedto violate the provisions of the RODO.

In the case of processing on the basis of Article 6(1)(f) RODO, i.e. for the purpose of pursuing legitimate interests, the customer/contractor has the right to object to the processing.

Due to the nature of the processing of personal data during online interviews, you do not have the right to access your data, the right to obtain a copy of your data, the right to erasure, the right to restrict processing, the right to data portability and the right not to be subject to automated decision-making.

The Controller processes personal data to respond to enquiries made through the contact form or by post, which is considered a legitimate interest under Article 6(1)(f) of RODO.

In order to process the request made through the contact form or by e-mail, it is essential to provide the required information.

It is important to note that the processing of your personal data will be carried out for the duration required to fulfill our legal obligations. Each person is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification of personal data;
  • pursuant to Article 17 of the DPA, the right to request the erasure of personal data;
  • pursuant to Article 18 RODO, the right to request the restriction of the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • pursuant to Article 20 RODO the right to data portability only to the extent that personal data are processed by automated means and on the basis of a contract;
  • the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2, 00 – 193 Warsaw in the event thatthe processing of personal data is deemedto violate the provisions of the RODO.

Where data is processed on the basis of Article 6(1)(f) of the RODO, i.e. for the purpose of pursuing the legitimate interests of the sender or addressee of the correspondence, you have the right to object to the processing.

The controller processes the following categories of personal data of shareholders or shareholder proxies: identification data, address data, contact data and image.

Personal data of shareholders or proxies may be processed for the following purposes:

  1. to organise the General Meeting and enable authorised persons to exercise their voting rights at the General Meeting on the basis of Article 6(1)(c) of the DPA,
  2. recording and broadcasting the proceedings of the General Meeting on the basis of Article 6(1)(f) of the DPA as part of promoting transparency in the Administrator’s operations and equal access to decisions and discussions at the General Meeting,
  3. to exercise the rights and obligations of the Shareholder on the basis of Article 6(1)(c) of the RODO.

Personal data of shareholders or proxies may be shared by the Administrator:

  1. to other shareholders where they relate to shareholders of the Administrator pursuant to Article 407 § 1 and § 11 of the Commercial Companies Code,
  2. In order to comply with the regulations set forth by the Financial Supervision Authority (FSA), it is required that any entity processing personal data on behalf of the Administrator and performing the service of voting at the General Meeting adhere to Article 70(2) of the Act on Public Offering and the Conditions for Introducing Financial Instruments to the Organised Trading System and on Public
  3. The personal data of shareholders or proxies in the form of their image recorded during the General Meeting will be made available as part of the real-time transmission and publication of the recording on the Administrator’s website.

Access to the data is also available to authorised employees/co-workers of the Administrator, as well as to notaries and providers of IT, legal, courier, postal, auditing services.

Personal data will be stored for the period of your status as a shareholder of Grupa Kęty S.A., with the reservation that data included in the minutes of the General Meeting and in the documents attached to the minutes (art. 421 § 2 and 3 of the Code of Commercial Companies) will be stored until the end of Grupa Kęty S.A.’s operations.

In the case of the processing of your data on the basis of the legitimate interest of Grupa Kęty S.A. (Article 6(1)(f) RODO), they will be stored until this interest ceases, and in particular for the time necessary to secure the information in the event of a legal need to prove facts or until the expiry of the limitation period for potential claims.

Each shareholder or proxy is entitled to:

  • pursuant to Article 15 of the DPA, the right of access to personal data;
  • pursuant to Article 16 RODO, the right to rectification of personal data;
  • pursuant to Article 17 of the DPA, the right to request the erasure of personal data;
  • pursuant to Article 18 RODO, the right to request the restriction of the processing of personal data, subject to the cases referred to in Article 18(2) RODO;
  • pursuant to Article 20 RODO the right to data portability only to the extent that personal data are processed by automated means and on the basis of a contract;
  • the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2, 00 – 193 Warsaw in the event thatthe processing of personal data is deemedto violate the provisions of the RODO.

With regards to personal data processed under Article 6(1)(f) of the GDPR, shareholders or their proxies are entitled to object to the processing of personal data under Article 21 of the GDPR.

It is important to note that due to the nature of personal data processing during online meetings, certain rights such as the right to receive a copy of the data, the right to erasure, the right to restrict processing, the right to data portability, and the right not to be subject to automated decision-making may not be available.

The personal data of a shareholder or proxy may originate:

  • from the system of the National Depository for Securities S.A. when they relate to the shareholder of the Administrator,
  • from the principal in the case of a power of attorney granted, when they concern the shareholder’s proxy.

The provision of personal data by the shareholder or proxy is necessary for the purpose set out above, for the preparation and transmission to the FSA, possibly to another shareholder, of a list of persons entitled to participate in the General Meeting and verification of entitlement to participate in the General Meeting.

3. Transfer of personal data outside the European Economic Area:

The employee’s personal data may be transferred outside the European Economic Area only in the case of business trips. In this case, the Administrator shall ensure that personal data is duly secured, in particular by signing the relevant contracts, and that the right to obtain a copy of the data can be exercised or information about the place where the data can be accessed.

In cases not mentioned above, personal data shall not be transferred outside the European Economic Area or to international organisations.

4. Profiling:

Personal data are not used in automated decision-making processes, in particular profiling.

5. Recipients of personal data:

Personal data may be made available to state authorities in connection with their proceedings under applicable law.

Otherwise, the personal data may also be accessed by trained and authorised employees or associates of the Administrator, including entities providing security services for persons and property, legal, consultancy, IT, accounting, courier or postal services, auditing, programming, insurance.

6. Contact information for the data protection officer:

If you have any questions or comments regarding the processing of your personal data, in particular to exercise your rights, please contact the Data Protection Officer Mr. Tomasz Cygan, e-mail: IODO_grupakety@grupakety.com, tel. 694 429 337 or by post to the Controller’s address.