NOWY STYL
PERSONAL DATA PROCESSING POLICY
(TRANSPARENCY POLICY)
1. DEFINITIONS
1.1. Controller - NOWY STYL sp. z o.o. with registered office at the address: ul. Pużaka 49, 38-400 Krosno.
1.2. Personal Data – any information about an individual identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including image, recording of voice, contact details, location data, information included in correspondence, information collected via recording equipment or other similar technology.
1.3. Policy – this Personal Data Processing Policy.
1.4. GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data Subject - any individual whose personal data is processed by the Controller, e.g. a person visiting Controller’s premises or sending a query to Controller by e-mail.
2. DATA PROCESSING BY CONTROLLER
2.1. In connection with its business activity, the Controller collects and processes personal data in accordance with relevant regulations, including in particular with GDPR, and with principles of data processing included therein.
2.2. Controller ensures the transparency of data processing; in particular, it always gives notice of the processing of data upon its collection, including notice about the purpose and legal grounds of processing – e.g. when concluding a contract for the sale of goods or services. Controller makes sure that data is collected only to the extent necessary to achieve an indicated purpose and is processed only for as long as necessary.
2.3. When processing data, Controller ensures the security and confidentiality of data as well as access to information about processing to data subjects. If, despite safety controls applied, a breach of personal data has occurred (e.g. a data leak or loss), Controller will inform data subjects of such an event, as required by regulations.
3. CONTACTING THE CONTROLLER
3.1. Controller can be contacted via e-mail to the address rodo@nowystylgroup.com or to mailing address: ul. Pużaka 49, 38-400 Krosno, Poland.
4. SECURITY OF PERSONAL DATA
4.1. In order to ensure the integrity and confidentiality of data, Controller has procedures in place that allow access to personal data only to authorized persons and only to the extent necessary given tasks performed by those persons. Controller has organizational and technical solutions in place to ensure that all operations on personal data are logged and performed only by authorized persons.
4.2. In addition, Controller takes all necessary measures to ensure that his subcontractors and other cooperating entities guarantee that appropriate safety controls are applied whenever they process personal data at the request of the Controller.
4.3. Controller conducts ongoing risk analysis and monitors the relevance of data security measures applied to threats identified. If necessary, Controller implements additional measures to increase data security.
5. PURPOSES AND LEGAL GROUNDS FOR PROCESSING
E-MAIL AND TRADITIONAL CORRESPONDENCE
CONTACT BY PHONE
5.1. Where the Controller is contacted by phone about matters not related to a contract concluded or services provided, the Controller may request personal data only if necessary to handle the matter to which such contact relates. In such a case, the legal grounds for processing is a legitimate interest of the Controller (Article 6(1) f) of GDPR) which consists in the need to resolve a reported matter which is in connection with Controller’s business activity.
5.2. Telephone calls can also be recorded – in this case, appropriate notice must be provided at the beginning of a phone call. Calls are recorded to monitor the quality of the service provided and check the work of consultants, as well as for statistical purposes. Recordings are available only to Controller’s staff and persons operating Controller's hotline.
5.3. Personal data in the form of a call recording are processed:
5.3.1. for purposes related to providing customer service via a hotline, if the Controller provides such service - the legal grounds for processing is the need to process data in order to provide such service (Article 6(1) b) of GDPR);
5.3.2. for the purpose of monitoring the quality of service and checking the work of consultants operating the hotline, and for analytical and statistical purposes – the legal grounds for processing is a legitimate interest of the Controller (Article 6 (1) f) of GDPR) consisting in ensuring the highest possible quality of customer service and consultants’ work, and conducting statistical analysis of telephone communication.
VIDEO MONITORING AND ACCESS CONTROL
5.4. In order to ensure the safety of persons and property, the Controller uses video monitoring and controls access to premises and areas managed by the Controller. Data collected in this way are not used for any other purposes.
5.5. Personal data in video monitoring recordings and data collected in the register of entries and exits are processed for the purpose of ensuring safety and order on the premises and, possibly, to defend against or pursue claims. The grounds for the processing of personal data is a legitimate interest of the Controller (Article 6 (1) f) of GDPR) consisting in ensuring the safety of Controller’s property and the protection of his rights.
RECRUITMENT
5.6. As part of recruitment processes, the Controller expects to receive personal data (e.g. in a CV or resume) only to the extent specified in labour law. Therefore, broader information should not be submitted. Should applications submitted contain any additional data, such data will not be used or considered in the recruitment process.
5.7. Personal data are processed:
5.7.1. to comply with legal obligations related to a recruitment process, including in particular the Labour Code – the legal grounds for processing is the legal duty of the Controller (Article 6(1)c) of GDPR in connection with the provisions of the Labour Code);
5.7.2. to conduct a recruitment process, as regards data not required by law, and for the purposes of future recruitment processes – the legal grounds for processing is consent (Article 6(1)a) of GDPR);
5.7.3. to establish, pursue or defend against claims – the legal grounds for data processing is a legitimate interest of the Controller (Article 6(1)f) of GDPR).
DATA COLLECTION IN CONNECTION WITH THE PROVISION OF SERVICES OR THE PERFORMANCE OF OTHER CONTRACTS
5.8. Where data is collected for purposes related to the performance of a specific contract, the Controller provides the data subject with detailed information regarding the processing of their personal data upon conclusion of the contract.
OTHER CASES OF DATA COLLECTION
5.9. In connection with its business activity, the Controller also collects personal data in other cases – e.g. during business meetings, at industry events or through exchange of business cards - for purposes related to initiating and maintaining business contacts. In such cases, the legal grounds for processing is a legitimate interest of the Controller (Article 6(1)f) of GDPR) which consists in developing a network of contacts in connection with its business.
5.10. Personal data collected in such cases are processed only for the purpose for which they were collected and the Controller ensures their adequate protection.
6. DATA RECIPIENTS
6.1. In connection with conducting a business that requires data processing, personal data are disclosed to third parties, in particular suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment), entities providing legal or accounting services, couriers, marketing agencies or recruitment agencies. Data is also disclosed to Controller’s affiliates, including companies in its capital group. More information on Controller’s capital group can be found at: http://nowystylgroup.com/files/doc/Nowy-Styl-Group_Companies.pdf.
6.2. Controller reserves the right to disclose selected information about a data subject to competent authorities or third parties who request such information on appropriate legal basis and in accordance with applicable law.
7. TRANSFERRING DATA OUTSIDE THE EEA
7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and while ensuring an adequate level of protection, primarily through:
7.1.1. cooperation with personal data processors in countries in respect of which an appropriate decision of the European Commission has been issued;
7.1.2. application of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate rules approved by the competent supervisory authority;
7.1.4. where data is transferred to the USA – cooperation with entities participating in the Privacy Shield programme approved by the decision of the European Commission.
7.2. The Controller always gives notice of its intention to transfer personal data outside the EEA at the collection stage.
8. PERSONAL DATA PROCESSING PERIOD
8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. The data processing period can also arise from regulations, where processing is carried out based on such regulations. Where data is processed based on a legitimate interest of the Controller – for example for security reasons - data is processed for a period of time making it possible to achieve such interest or to effectively object to data processing. If processing is carried out based on consent, data will be processed until such consent is withdrawn. If data is processed because such processing is necessary to enter into and perform a contract, such data will be processed until such contract is terminated.
8.2. The data processing period may be extended where processing is necessary to establish, pursue or defend against claims, and after that period only where and to the extent that it is required by law. After the end of the processing period data is irreversibly deleted or anonymized.
9. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
RIGHTS OF DATA SUBJECTS
9.1. Data subjects have the following rights:
9.1.1. right to information about the processing of personal data – on this basis, a person making a request will be provided information about data processing by the Controller, including primarily about the purposes and legal grounds for processing, the scope of data held, entities to which such data is disclosed and the planned date of data deletion;
9.1.2. right to obtain a copy of the data – on this basis, the Controller will provide a copy of the processed data concerning the person making a request;
9.1.3. right to rectify – the Controller is required to rectify any discrepancies or mistakes in processed personal data and to amend such data, if incomplete;
9.1.4. right to delete data – on this basis, one can request the deletion of data the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. right to restrict processing – if such a request is made, the Controller will cease to perform operations on personal data, except for operations consented to by the data subject and for retaining data in accordance with accepted retention rules or until the reasons for restriction of data processing have ceased to exist (for example, a supervisory authority decision is issued allowing further processing of data);
9.1.6. right to transfer data – on this basis - to the extent that data is processed in connection with a contract concluded or a consent expressed - the Controller will issue data provided by the data subject in a machine-readable format. It is also possible to request that data be sent to another entity – provided, however, that there is technical capacity in this regard on the part of both the Controller and the other entity;
9.1.7. right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of their personal data for marketing purposes, without the need to justify such objection;
9.1.8. right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data which takes place on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); objection in this respect must contain a justification;
9.1.9. right to withdraw consent – if data is processed based on a consent given, the data subject has the right to withdraw such consent at any time, which does not affect the lawfulness of processing carried out prior to the withdrawal of the consent;
9.1.10. right to complain – if it is found that the processing of personal data violates the provisions of GDPR or other regulations on the protection of personal data, the data subject may file a complaint with the President of the Personal Data Protection Authority.
MAKING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
9.2. A request regarding the exercise of the rights of data subjects can be submitted:
9.2.1. in writing to the following address: NOWY STYL sp. z o.o. ul. Pużaka 49, 38-400 Krosno, Poland.
9.2.2. by e-mail to the following address: rodo@nowystylgroup.com
9.3. If the Controller is unable to identify the person submitting a request based on the request submitted, the Controller will ask the person making the request for additional information.
9.4. A request can be submitted in person or through a proxy (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney certified by a notary public or an authorized legal counsel or attorney, which will significantly speed up the verification of the authenticity of the request.
9.5. A response to a request should be given within one month of its receipt. If this period needs to be extended, the Controller shall inform the person making the request about the reasons for the delay.
9.6. A response must be provided via traditional mail, unless the request was submitted via e-mail or it was requested that the response be given in an electronic format.
CHARGING POLICY
9.7. Proceedings regarding submitted requests are free of charge. Charges can only be collected where:
9.7.1. a request is made for the second and each subsequent copy of data (the first copy of data is free); in this case, the Controller can demand a charge to cover administrative costs related to the fulfilment of the request;
9.7.2. the same person makes requests that are excessive (e.g. extremely frequent) or clearly unjustified; in this case, the Controller can demand a charge to cover administrative costs related to the fulfilment of the request.
9.8. If the decision to impose a charge is disputed, the data subject may file a complaint with the President of the Personal Data Protection Authority.
10. CHANGES TO THE PERSONAL DATA PROCESSING POLICY
10.1. The Policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted on 25 May 2018.