1.1. Administrator – GABOS SOFTWARE sp. z o. o. with its registered office in Katowice at ul. Mikołowska 100, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court Katowice-Wschód, VIII Commercial Division-KRS in Katowice, under KRS number 377104
1.2. Personal data – information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.
1.3. Policy – this Personal Data Processing Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data subject – a natural person to whom personal data processed by the Administrator relates, e.g. a person visiting the Administrator’s premises or sending an e-mail inquiry to him.
2. DATA PROCESSING BY THE ADMINISTRATOR
2.1. In connection with the conducted business activity, the Administrator collects and processes personal data in accordance with the relevant provisions, including in particular the GDPR, and the data processing principles provided for therein.
2.2.1. ensures transparency of data processing;
2.2.2. always informs about the processing of data at the time of their collection, in particular about the purpose and legal basis for the processing of personal data, unless under separate provisions he is not obliged to do so;
2.2.3. ensures that the data is collected only to the extent necessary for the indicated purpose and is processed only for the period in which it is necessary.
2.3. When processing data, the Administrator ensures their security and confidentiality as well as access to information about processing for Data Subjects. If, despite the security measures in place, there is a breach of personal data protection (e.g. data leakage or loss) and such a breach could result in a high risk of violating the rights or freedoms of Data Subjects, the Administrator will inform Data Subjects about such an event in a manner consistent with the regulations.
3. CONTACT WITH THE ADMINISTRATOR AND DATA PROTECTION INSPECTOR
3.1. Contact with the Administrator is possible via the e-mail address email@example.com or the correspondence address: GABOS SOFTWARE sp. z o. o., ul. Mikołowska 100, 40-065 Katowice.
3.2. The administrator has appointed a Data Protection Officer who can be contacted via e-mail firstname.lastname@example.org or correspondence address: GABOS SOFTWARE sp. z o. o., ul. Mikołowska 100, 40-065 Katowice, in any matter regarding the processing of Personal Data.
4. SECURITY OF PERSONAL DATA
4.1. In order to ensure the integrity and confidentiality of data, the Administrator has implemented procedures that allow access to personal data only to authorized persons and only to the extent that it is necessary due to the tasks they perform. The Administrator applies organizational and technical solutions to ensure that all operations on Personal Data are registered and performed only by authorized persons.
4.2. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process Personal Data at the request of the Administrator.
4.3. The administrator conducts risk analysis on an ongoing basis and monitors the adequacy of the data security applied to the identified threats. If necessary, the Administrator implements additional measures to increase data security.
5. OBJECTIVES AND LEGAL BASIS FOR PROCESSING EMAIL AND TRADITIONAL CORRESPONDENCE
5.1. In the case of directing to the Administrator via e-mail or traditional correspondence not related to the services provided to the sender or any other contract concluded with him, personal data contained in this correspondence is processed only for the purpose of communication and solving the matter to which the correspondence relates.
5.2. The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activity.
5.3. The Administrator processes only Personal Data relevant to the case to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data contained therein (and other information) and is disclosed only to authorized persons.
CONTACT US BY PHONE
5.4. In the case of contacting the Administrator by phone, in matters not related to the concluded contract or the services provided, the Administrator may request the provision of Personal Data only when it is necessary to handle the matter to which the contact relates. The legal basis in this case is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in the need to resolve a reported case related to the business activity conducted by him.
5.5. The Administrator provides the possibility of contacting him using electronic contact forms on the Administrator’s websites. Using the forms requires providing Personal Data necessary to contact the Data Subject and answer the inquiry. The data subject may also provide other data to facilitate contact or handling the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide them results in the inability to service. Providing other data is voluntary.
5.6. Personal data is processed in order to identify the sender and to handle his inquiry sent via the provided form – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the need to solve a reported case related to his business activity ; in the scope of data provided optionally, the legal basis for processing is consent (Article 6(1)(a) of the GDPR).
FACEBOOK, LINKEDIN AND INSTAGRAM PROFILES
5.8. The administrator has public profiles on Facebook and LinkedIn social networks. Therefore, it processes data left by visitors to these profiles (e.g. comments, likes, online identifiers).
5.9. Personal data of such persons are processed:
5.9.1. in order to enable them to be active on profiles;
5.9.2. in order to effectively run profiles, by presenting portal users with information about the Administrator’s initiatives and other activities and in connection with the promotion of various types of events, services and products;
5.9.3. for statistical and analytical purposes;
5.9.4. possibly, they may be processed for the purpose of pursuing claims and defending against claims.
5.10. The legal basis for the processing of Personal Data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in:
5.10.1. promoting your own brand and improving the quality of services provided,
5.10.2. if necessary – to pursue claims and defend against claims.
NOTE: The above information does not apply to the processing of personal data by website administrators (Facebook, LinkedIn, Instagram).
5.11. As part of the recruitment processes, the Administrator expects the transfer of Personal Data (e.g. in a CV or curriculum vitae) only to the extent specified in the provisions of labor law. Therefore, more extensive information should not be provided. If the submitted applications contain additional data beyond the scope indicated in the provisions of the labor law, their processing will be based on the candidate’s consent (Article 6(1)(a) of the GDPR), expressed through an unequivocal confirming action, which is sending by the candidate application documents. If the submitted applications contain information inadequate for the purpose of recruitment, they will not be used or taken into account in the recruitment process.
5.12. Personal data is processed:
5.12.1. if the preferred form of employment is an employment contract – in order to perform the obligations arising from the law, related to the employment process, including in particular the Labor Code – the legal basis for processing is the legal obligation incumbent on the Administrator (Article 6(1)(a) of the GDPR) c of the GDPR in connection with the provisions of labor law);
5.12.2. if the preferred form of employment is a civil law contract – in order to conduct the recruitment process – the legal basis for the processing of data contained in the application documents is taking action before concluding the contract at the request of the data subject (Article 6(1)(b) of the GDPR) ;
5.12.3. in order to carry out the recruitment process in the scope of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
5.12.4. in order to verify the qualifications and skills of the candidate and to determine the terms of cooperation – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR). The legitimate interest of the Administrator is the verification of job candidates and determining the conditions of possible cooperation;
5.12.5. in order for the Administrator to determine or pursue any claims or defend against claims against the Administrator – the legal basis for data processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR).
5.13. To the extent that Personal Data is processed on the basis of consent, it can be withdrawn at any time, without affecting the lawfulness of the processing carried out before its withdrawal. In the case of consent for the purposes of future recruitment processes, personal data is deleted no later than after 12 months – unless the consent has been withdrawn earlier.
5.14. Providing data in the scope specified in art. 22(1) of the Labor Code is required – if the candidate prefers employment based on an employment contract – by the law, including in particular the Labor Code, and if the candidate prefers employment based on a civil law contract – by the Administrator. The consequence of not providing this data is the inability to consider a given candidacy in the recruitment process. Providing other data is voluntary.
COLLECTING DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR THE PERFORMANCE OF OTHER AGREEMENTS
5.15. In the event of collecting data for purposes related to the performance of a specific contract, the Administrator provides the data subject with detailed information regarding the processing of his personal data at the time of concluding the contract or at the time of obtaining personal data if the processing is necessary for the Administrator to take action at the request of the Data Subject, before concluding the contract.
PROCESSING OF PERSONAL DATA OF MEMBERS OF STAFF OF COUNTERPARTIES OR CLIENTS COOPERating WITH THE ADMINISTRATOR
5.16. In connection with concluding contracts as part of its business, the Administrator obtains from contractors / clients data of persons involved in the implementation of such contracts (e.g. contact persons, performing orders, etc.). The scope of the data provided is in each case limited to the extent necessary to perform the contract and usually does not include information other than the name and business contact details.
5.17. Such personal data is processed in order to implement the legitimate interest of the Administrator and his contractor (Article 6(1)(f) of the GDPR), consisting in enabling the correct and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the contract.
5.18. The data is processed for the period necessary to implement the above interests and fulfill the obligations arising from the regulations.
DATA COLLECTION WITHIN BUSINESS CONTACTS
5.19. In connection with the conducted activity, the Administrator also collects personal data in other cases – e.g. during business meetings or by exchanging business cards – for purposes related to initiating and maintaining business contacts. The legal basis for processing in this case is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in creating a network of contacts in connection with the conducted activity.
5.20. Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator ensures their adequate protection.
ORGANIZING ONLINE EVENTS
5.21. In connection with the organization of online events, the Administrator obtains Personal Data from people signing up for events and participating in them. The scope of the data provided is in each case limited to the extent necessary for the organization of the event and usually does not include information other than name and surname, job position and place of employment and e-mail address.
5.22. Such personal data is processed in order to identify event participants, contact them and support participation in the event. In this case, the basis for data processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in organizing an event in connection with the submitted application for participation in the event.
5.23. Personal data will also be processed for purposes related to the survey of satisfaction with participation in the event and for statistical purposes. In this case, the basis for data processing is the legitimate interest of the administrator (Article 6(1)(f) of the GDPR), consisting in conducting analyzes to improve the quality of organized events.
5.24. Online events may be recorded – in each case, the participant will be informed about this fact, in particular in the message displayed as part of the tool used by the Administrator to organize the online event. The recordings may be made available to the participants of the event.
5.25. Personal data of all persons using the Websites (including IP address or other identifiers and information collected via cookies) are processed by the Administrator:
5.25.1. in order to provide electronic services in the scope of providing the Data Subject with the content collected on the Website – then the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting its own brand;
5.25.2. for analytical and statistical purposes – in order to analyze the activity of the Data Subject, as well as their preferences in order to improve the functionalities used and the services provided, then the legal basis for processing is the consent of the Data Subject (Article 6(1)(a) of the GDPR);
5.25.3. for marketing purposes of the Administrator and other entities, then the legal basis for processing is the consent of the Data Subject (Article 6(1)(a) of the GDPR).
In some cases, the administrator uses profiling to carry out marketing activities. This means that thanks to automatic data processing, the Administrator assesses selected factors regarding the Data Subject in order to analyze their behavior or create a forecast for the future. This allows for better matching of the displayed content to the individual preferences and interests of the Data Subject, in such cases the legal basis for processing is the consent of the Data Subject (Article 6(1)(a) of the GDPR)
5.25.4. in order to possibly establish and pursue claims or defend against claims – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the protection of its rights;
6. DATA RECIPIENTS
6.1. In connection with the conduct of activities requiring the processing of personal data, personal data may be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, entities providing accounting services, postal operators, couriers, marketing or recruitment agencies.
6.2. The Administrator reserves the right to disclose selected information regarding the Data Subject to competent authorities or third parties who submit a request for such information, based on the appropriate legal basis and in accordance with the provisions of applicable law.
7. TRANSFER OF DATA OUTSIDE THE EEA
7.1. The level of protection of Personal Data outside the European Economic Area (“EEA”) differs from that provided by European law. For this reason, the Administrator transfers Personal Data outside the EEA only when necessary and with an appropriate level of protection, primarily through:
7.1.1. cooperation with entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued regarding the determination of ensuring an adequate level of protection of Personal Data;
8. PERIOD OF PROCESSING PERSONAL DATA
8.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also result from the provisions when they constitute the basis for processing. In the case of data processing based on the legitimate interest of the Administrator – e.g. for security reasons – the data is processed for a period enabling the implementation of this interest or until an effective objection to data processing is submitted. If the processing is based on consent, the data is processed until its withdrawal. When the basis for processing is necessary to conclude and perform the contract, the data is processed until its termination.
8.2. The period of data processing may be extended if the processing is necessary to establish or pursue claims or defend against claims, and after this period – only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymized.
9. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA RIGHTS OF DATA SUBJECTS
9.1. Data subjects have the following rights:
9.1.1. the right to information about the processing of personal data – on this basis, the Administrator provides the natural person submitting the request with information about the processing of data, including in particular about the purposes and legal grounds for processing, the scope of data held, entities to which they are disclosed, and the planned date of data removal;
9.1.2. the right to obtain a copy of the data – on this basis, the Administrator provides a copy of the processed data concerning the natural person submitting the request;
9.1.3. the right to rectification – the Administrator is obliged to remove any inconsistencies or errors in the processed Personal Data and supplement them if they are incomplete;
9.1.4. the right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. the right to limit processing – in the event of such a request, the Administrator ceases to perform operations on Personal Data – with the exception of operations to which the Data Subject has consented – and their storage, in accordance with the adopted retention rules or until the reasons for limiting data processing cease to exist (e.g. issued decision of the supervisory authority allowing for further data processing);
9.1.6. the right to transfer data – on this basis – to the extent that the data is processed in an automated manner in connection with the concluded contract or consent – the Administrator issues the data provided by the person to whom they relate, in a format that allows the data to be read by a computer. It is also possible to request that these data be sent to another entity, provided that there are technical possibilities in this respect both on the part of the Administrator and the indicated entity;
9.1.7. the right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection;
9.1.8. the right to object to other purposes of data processing – the data subject may at any time object – for reasons related to his particular situation – to the processing of Personal Data, which is carried out on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to with property protection); an objection in this respect should contain a justification;
9.1.9. the right to withdraw consent – if the data is processed on the basis of consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal;
9.1.10. the right to complain – if it is considered that the processing of Personal Data violates the provisions of the GDPR or other provisions regarding the protection of Personal Data, the Data Subject may submit a complaint to the body supervising the processing of Personal Data, competent for the place of habitual residence of the Data Subject, his place of work or place committing the alleged infringement. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
SUBMIT REQUESTS RELATED TO THE EXERCISION OF RIGHTS
9.2. A request regarding the exercise of the rights of Data Subjects can be submitted:
9.2.1. in writing to the address: GABOS SOFTWARE sp. z o. o., ul. Mikołowska 100, 40-065 Katowice;
9.2.2. by e-mail to the following address: email@example.com
10. CHANGES TO THE PERSONAL DATA PROCESSING POLICY
10.1. The policy is reviewed on an ongoing basis and updated if necessary.
10.2. Any changes made to the document entitled The Personal Data Processing Policy will be published on the website https://gabos.com.pl/en/personal-data processing-policy