POLICY ON THE PROTECTION OF PERSONAL DATA
VELVET CARE SP. Z O.O.
This document entitled the “Policy on the Protection of Personal Data”, hereinafter referred to as the Policy, regulates the rules of the processing of personal data by the company under the business name Velvet CARE sp. z o.o. with its registered office in Klucze, Klucze-Osada 3, 32-310 Klucze, hereinafter referred to as Velvet CARE.
This policy is a policy on the protection of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation), hereinafter referred to as the GDPR.
§ 1. DEFINITIONS.
1) Policy – this “Policy on the Protection of Personal Data” effective since 25 May 2018;
2) Velvet CARE – the company under the business name Velvet CARE sp. z o.o. with its registered office in Klucze, Klucze-Osada 3, 32-310 Klucze;
3) GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation);
4) Controller – Velvet CARE sp. z o.o. with its registered office in Klucze, Klucze-Osada 3, 32-310 Klucze;
5) Employee – a person employed at Velvet CARE under an employment contract;
6) Customer – a natural person or a legal person bound with Velvet CARE by a civil law contract regulating mutual rights and obligations of the parties in a given scope;
7) Guest – a person who is not an Employee that enters the premises of the plant in Klucze;
8) personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
9) processing – an operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
10) filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
11) processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of Velvet CARE;
12) recipient – a natural or legal person, public authority, agency or other body to which the personal data are disclosed;
13) consent – any freely given, specific, informed and unambiguous indication of wishes by the data subject, by a statement or by a clear affirmative action, that signifies agreement to the processing of personal data relating to him or her;
14) personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
§ 2. PROTECTION OF PERSONAL DATA AT VELVET CARE
- Velvet CARE is the Controller of personal data of the Employees, Customers and Guests, so the entity determining purposes and methods of the processing of personal data.
- The Controller can be contacted in the scope of the personal data processed in particular in the following manners:
1) by registered mail sent to the following address: Velvet CARE sp. z o.o., Klucze-Osada 3, 32-310 Klucze,
2) by electronic mail (e-mail) sent to the following address: firstname.lastname@example.org.
- When performing the overriding purpose, which is respecting the privacy of data subjects, Velvet CARE ensures that it exercises due care so that the personal data of those subjects be properly secured against unauthorised interference or access by third parties.
- Velvet CARE obtained the Employees’ personal data based on the provisions of the generally applicable law, in particular based on Article 221 § 1 and § 2 of the Labour Code.
- With respect to a given Employee, Velvet CARE processes the personal data related to that Employee from the moment of concluding an employment contract with that Employee.
- In the scope related to the processing of personal data, Velvet CARE applies the following principles:
1) legality – Velvet CARE processes personal data in accordance with the generally applicable law,
2) purposefulness – Velvet CARE processes personal data only for a clear and legitimate purpose,
3) security – Velvet CARE ensures application of relevant technical and organisational measures, ensuring a high level of personal data safeguards, by undertaking control measures in this respect on a regular basis,
4) respect for an individual’s rights – Velvet CARE makes it possible for Employees to exercise their rights specified in the provisions of the generally applicable law as well as exercises those rights,
5) adequacy – Velvet CARE makes sure that it processes only such personal data that are necessary for it in order to achieve the purpose of collecting them;
6) substantive accuracy – at an Employee’s request Velvet CARE updates or rectifies the personal data processed in a statutory timeframe;
7) restriction of personal data storage – Velvet CARE stores personal data of its former Employees only during a period necessary from the angle of the provisions of the generally applicable law;
8) transparency – Velvet CARE declares full readiness and availability for the purpose of making Employees become aware of all and any risks, principles, safeguards and rights related to the processing of personal data, as well as showing Employees methods of exercising their rights in connection with such processing of personal data by Velvet CARE,
9) accountability – Velvet CARE is adequately prepared to demonstrate at any time that it acts in compliance with the above principles related to the processing of personal data.
- Velvet CARE processes personal data in particular for the following purposes:
1) with respect to Employees – for purposes related to employment, but also at a clear request of a given Employee, and also for other purposes, such as:
a) deducting, on behalf of a given Employee from the remuneration due to that Employee, a contribution related to that Employee’s membership in a trade union,
b) a given Employee using benefits from the Employee Hardship Benefit and Loans Scheme,
c) a given Employee using benefits from the Company Social Security Fund,
d) a given Employee participating in an incentive scheme for employees recommending job candidates at Velvet CARE,
e) a given Employee using supplementary services provided by third parties, such as for instance insurance, medical care, using sports and recreation facilities etc.,
2) with respect to Customers – for purposes related to proper performance of contracts concluded by Velvet CARE with those Customers;
3) with respect to Guests – for purposes related to ensuring a proper level of security of persons and assets situated on the premises of the plant in Klucze.
- Velvet CARE stores personal data during periods determined on the basis of the following criteria:
1) with respect to Employees or former Employees – during periods during which Velvet CARE is obliged to store personal data of its former Employees in accordance with the provisions of the generally applicable law;
2) with respect to Customers or former Customers – during the term of a contract concluded with a given Customer, and also longer, until all the claims due to Velvet CARE from Customers or former Customers have been satisfied, or until the limitations period for those claims has run;
3) with respect to Guests – until Guests have satisfied all possible claims which may be due to Velvet CARE from Guests, e.g. if a Guest causes damage to Velvet CARE, or until the limitations period for those claims has run;
4) with respect to persons who have given consent to the processing of their personal data – until such consent is effectively withdrawn or until the purpose of the processing thereof ceases.
- Velvet CARE processes personal data exclusively in cases where at least one of the grounds specified below applies:
1) the data subject has given consent thereto,
2) this is necessary to perform a contract concluded by Velvet CARE with the data subject,
3) this is necessary for Velvet CARE to perform a legal obligation resting with Velvet CARE,
4) this is necessary to protect vital interests of the data subject,
5) this is necessary for purposes arising from legitimate interests performed by Velvet CARE or a third party.
- Velvet CARE may disclose the personal data that it processes while functioning as a controller to third parties exclusively when this is reasonable due to the initial purpose of the processing of such data, and also when at the same time this is necessary due to the content of contracts concluded by Velvet CARE with such third parties. In particular, personal data may be disclosed by Velvet CARE to the following categories of recipients:
1) entities with capital, personal or organisational ties with Velvet CARE,
2) third parties providing advisory services to Velvet CARE, e.g. auditing firms, consulting firms or law firms,
3) insurance companies,
4) companies leasing passenger cars to be used by Employees,
5) third parties providing services directly to Employees, such as e.g. medical services, using sports and recreation facilities etc.,
6) advertising and marketing agencies – exclusively with respect to personal data of natural persons who are not Employees and who gave consent to receive commercial information from Velvet CARE concerning Velvet CARE products, and also concerning promotional, advertising or marketing activities undertaken by Velvet CARE.
- Velvet CARE does not intend to transfer the personal data that it processes to third countries or to international organisations.
- Velvet CARE does not intend to process personal data on the basis of automated decision-making, including on the basis of personal data profiling.
§ 3. RIGHTS OF DATA SUBJECTS
- Velvet CARE assures that it fully respects and it undertakes to perform all the rights arising from the GDPR to which all the persons whose personal data are processed by Velvet CARE are entitled. In particular these are the following rights:
1) the right to access to personal data, including the right to obtain a copy of such data;
2) the right to request the rectification of personal data – in each and every case where data are inaccurate or incomplete;
3) the right to request erasure of personal data (the so called “right to be forgotten”) – in each and every case where:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
b) the data subject has objected to the processing of data,
c) the data subject has withdrawn the consent on which the processing is based and there is no other legal ground for processing,
d) the data are unlawfully processed,
e) the data have to be erased for compliance with a legal obligation arising from the provisions of law,
4) the right to request the restriction of the processing of personal data – in the case where:
a) the accuracy of the personal data is contested by the data subject,
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead,
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise and defence of legal claims,
d) the data subject has objected to the processing of data, pending the verification whether the legitimate grounds of the controller override those of the data subject,
5) the right to data portability – in the case where the processing is based on a contract concluded with the data subject or consent given by such subject;
6) the right to object to the processing of personal data on grounds relating to the data subject’s particular situation.
- The data subject has the right to withdraw consent in the scope in which that data subject gave Velvet CARE consent to the processing of his or her personal data. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out by Velvet CARE based on consent before its withdrawal.
- If the data subject concludes that the processing of personal data by Velvet CARE is in breach of the provisions of the GDPR, the data subject has the right to lodge a complaint with the competent supervisory authority.
§ 4. FINAL PROVISIONS.
- This policy should also be treated as performance by Velvet CARE of the disclosure obligation with respect to data subjects referred to in Article 13 of the GDPR.
- This policy is available:
1) at the registered office of Velvet CARE, i.e. at the address: Klucze-Osada 3, 32-310 Klucze;
2) at the Warsaw office of Velvet CARE, i.e. at the address: ul. Złota 59, 00-120 Warsaw;
3) on Velvet CARE website, i.e. at the address: www.velvetcare.pl.
- The Policy becomes effective as of 25 May 2018.
Marek Sciążko – Vice President
Rafał Curyło – Member of the Management Board