(TRANSPARENCY POLICY)
- DEFINITIONS
- 1.1. Controller – Global Compact Poland Foundation with its registered office in Warsaw (00-688), Emilii Plater 25/64.
- 1.2. Personal Data – information about a natural person identified or identifiable through one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected by means of recording equipment or other similar technology.
- 1.3. Policy – this Personal Data Processing Policy.
- 1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- 1.5. Data Subject – a natural person to whom personal data processed by the Controller relate.
- DATA PROCESSING BY THE CONTROLLER
- 2.1. In connection with its statutory activities, the Controller collects and processes Personal Data in compliance with the relevant provisions of law, including in particular the GDPR, and the principles of data processing provided for therein.
- 2.2. The Controller shall ensure transparency in the processing of Personal Data, in particular it shall always communicate data processing at the time of the collection thereof, including the purpose and legal basis of the processing (e.g. when concluding a contract for the sale of goods or services). The Controller shall ensure that data are collected only to the extent necessary to achieve the specified purpose and are processed only for the necessary period of time.
- 2.3. When processing Personal Data, the Controller shall ensure their security and confidentiality, as well as provide access to information on the processing to the Data Subjects concerned. Should there be a breach of Personal Data protection despite security measures taken (e.g. data “leak” or loss), the Controller shall inform the Data Subjects of such occurrence in a manner consistent with the provisions of law.
- CONTACT WITH THE CONTROLLER
- 3.1. Contact with the Controller is possible via email address at ungc@ungc.org.pl or the correspondence address: Warsaw (00-688), Emilii Plater 25/64.
- SECURITY OF PERSONAL DATA
- 4.1. In order to ensure data integrity and confidentiality, the Controller has implemented procedures allowing access to Personal Data only to authorised persons and only to the extent necessary for the tasks they perform. The Controller shall use organisational and technical arrangements to ensure that all operations on personal data are recorded and performed only by authorised persons.
- 4.2. In addition, the Controller shall take all necessary measures to ensure that its subcontractors and other collaborators also guarantee the application of appropriate security measures whenever they process Personal Data at the request of the Controller.
- 4.3. The Controller shall conduct, on an ongoing basis, an analysis of the risk associated with the processing of Personal Data and monitor the adequacy of data security measures taken to tackle identified threats. If necessary, the Controller shall implement additional measures to enhance data security.
- PURPOSES AND LEGAL BASIS OF PROCESSING
- EMAIL AND TRADITIONAL CORRESPONDENCE
- 5.1. In the event that correspondence is sent to the Controller, which is not related to services provided to the sender, another contract made with the sender or otherwise unrelated to any relationship with the Controller, the Personal Data contained in such correspondence shall be processed solely for the purpose of communication and resolution of the case to which the correspondence relates.
- 5.2. The legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in handling correspondence addressed to the Controller in connection with its business activity.
- 5.3. The Controller shall process only Personal Data relevant for the case to which the correspondence relates. All correspondence shall be stored in such a way as to ensure the security of the Personal Data (and other information) contained therein and it shall be disclosed only to authorised persons.
TELEPHONE CONTACT
5.4. Where the Controller is contacted by telephone, in matters not related to a contract concluded or services provided, the Controller may request the provision of Personal Data only if it is necessary to handle the case to which the contact relates. In such a case, the legal basis is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in the need to resolve a reported case related to its business activity.
VIDEO MONITORING AND ACCESS CONTROL
- 5.5. Due to the need to ensure the security of persons and property, the Controller shall apply video monitoring and control access to premises and to the area managed by the Controller. The data thus collected shall not be used for any purposes other than those described below.
- 5.6. Personal Data in the form of monitoring recordings and data collected in the entry and exit register are processed in order to ensure the security of persons and property and to maintain order on the premises, and possibly for the purpose of defence against claims brought against the Controller or to enable the Controller to establish and pursue claims. The legal basis for Personal Data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in ensuring the security of persons and property on premises managed by the Controller and the protection of its rights.
- 5.7. The area covered by the Controller’s monitoring system shall be marked with appropriate graphic signage.
- RECRUITMENT
- 5.8. As part of recruitment processes, the Controller expects the transfer of Personal Data (e.g. in a CV) only to the extent specified in the provisions of labour law. Therefore, more extensive information should not be provided. In the event that applications submitted contain additional data beyond the scope indicated by the provisions of labour law, their processing will be based on the candidate’s consent (Article 6 (1) (a) of the GDPR), expressed through an unambiguous confirmation act, which is the submission of application documents by the candidate. If applications submitted contain information not relevant to the purpose of recruitment, they shall not be used or taken into account in the recruitment process.
- 5.9. Personal data shall be processed:
- 5.9.1. if the preferred form of employment is a contract of employment – in order to fulfil obligations arising from the provisions of law related to the employment process, including, in particular, the Labour Code – the legal basis for processing is the legal obligation to which the Controller is subject (Article 6 (1) (c) of the GDPR in conjunction with the provisions of labour law);
- 5.9.2. if the preferred form of employment is a civil law contract – for the purposes of the recruitment process – the legal basis for the processing of data contained in the application documents is the need to take steps at the request of the Data Subject prior to entering into a contract (Article 6 (1) (b) of the GDPR);
- 5.9.3. for the purposes of the recruitment process with regard to data not required by law or by the Controller, as well as for the purposes of future recruitment processes – the legal basis for processing is consent (Article 6 (1) (a) of GDPR);
- 5.9.4. in order to verify the qualifications and skills of a candidate and to determine the terms of engagement – the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR). The Controller’s legitimate interest is to verify job candidates and define the terms of possible engagement;
- 5.9.5. in order for the Controller to determine or pursue any claims or defence against claims brought against the Controller – the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
- 5.10. To the extent that personal data are processed on the basis of consent, such consent may be withdrawn at any time, without affecting the lawfulness of any processing performed prior to its withdrawal. Where consent is given for the purposes of future recruitment processes, personal data shall be erased after a period of two years, unless consent has been withdrawn earlier.
- 5.11. The provision of data as specified in Article 22(1) of the Labour Code is required by law, in particular, by the Labour Code where the candidate prefers employment on the basis of a contract of employment, and by the Controller where employment is preferred on the basis of a civil law contract. The consequence of not providing such data is the inability to consider the candidature concerned in the recruitment process. The provision of other data is voluntary.
- DATA COLLECTION IN CONNECTION WITH THE PROVISION OF SERVICES OR THE PERFORMANCE OF OTHER CONTRACTS
5.12. In the case of data collection for purposes related to the performance of a specific contract, the Controller shall provide the Data Subject with detailed information concerning the processing of the Data Subject’s personal data at the time of entering into the contract or at the time of obtaining personal data where the processing is necessary for the Controller to take steps at the request of the Data Subject prior to entering into the contract.
- PROCESSING OF PERSONAL DATA OF THE PERSONNEL OF CONTRACTORS OR CLIENTS WORKING WITH THE CONTROLLER
5.13. In connection with the conclusion of commercial contracts as part of its statutory activity, the Controller shall obtain from contractors / clients data of persons involved in the performance of such contracts (e.g. authorised contact persons, persons authorised to place orders, execute orders, etc.). The scope of the data provided shall in any event be limited to the extent necessary for the performance of a contract and shall normally not include information other than the name and official contact details.
- 5.14. Such personal data shall be processed for the purpose of fulfilling the legitimate interest of the Controller and its counterparty (Article 6 (1) (f) of the GDPR), consisting in enabling the proper and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the contract, as well as to parties having access to data on the basis of public disclosure rules and public procurement procedures, to the extent provided for by those rules.
- 5.15. Data shall be processed for the period necessary for the performance of the above interests and for the performance of obligations arising from the provisions of law.
- COLLECTION OF DATA IN OTHER CASES
- 5.16. In connection with its activity, the Controller collects Personal Data also in other cases – e.g. by establishing and using permanent mutual business contacts (networking) during business meetings, industry events or by exchanging business cards – for the purposes of initiating and maintaining business contacts. In such a case, the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in networking in connection with its activities.
- 5.17. Personal data collected in such cases shall be processed solely for the purpose for which they have been collected and the Controller shall ensure that they are adequately protected.
- RECIPIENTS OF DATA
- 6.1. In connection with activities that require processing, Personal Data shall be disclosed to third parties, including in particular providers responsible for the operation of IT systems and hardware (e.g. CCTV video monitoring equipment), legal or accounting service providers, couriers, marketing or recruitment agencies. Data are also disclosed to entities related to the Controller, including the Global Compact based in New York. The UN Global Compact based in New York has put in place safeguards for the processing of personal data and a method of processing thereof in compliance with the GDPR. More information on personal data processing by UN Global Compact can be found here: https://www.unglobalcompact.org/privacy-policy.
- 6.2. The Controller reserves the right to disclose selected information concerning the Data Subject to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.
- DATA TRANSFER OUTSIDE THE EEA
- 7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller shall transfer personal data outside the EEA only if necessary and with an adequate level of protection, solely to the Global Compact.
- PERIOD OF PERSONAL DATA PROCESSING
- 8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. The period of data processing may also result from regulatory provisions where such provisions form the basis for processing. In the case of data processing on the basis of the legitimate interest of the Controller (e.g. for security reasons), data shall be processed for a period enabling such interest to be exercised or an effective objection to data processing to be made. If processing takes place on the basis of consent, data shall be processed until its withdrawal. Where the processing is based on its necessity for the conclusion and performance of a contract, data shall be processed until its termination.
- 8.2. The period of data processing may be extended where processing is necessary for the establishment or enforcement of claims or defence against claims, and after that period only if and to the extent required by law.
- RIGHTS OF DATA SUBJECTS RELATED TO PERSONAL DATA PROCESSING
- 9.1. Data Subjects shall have the following rights:
- 9.1.1. the right of information on the processing of personal data – on this basis, the Controller shall provide the requesting natural person with information on the processing of data, including, in particular, the purposes and legal basis for the processing, the scope of data held, the parties to whom they are disclosed and the planned date of data erasure;
- 9.1.2. the right to obtain a copy of the data – on this basis, the Controller shall provide a copy of the processed data concerning the requesting natural person;
- 9.1.3. the right to rectification – the Controller is obliged to rectify any incompatibilities or errors in the processed Personal Data and to supplement them if they are incomplete;
- 9.1.4. the right to erasure – on this basis, the erasure of data can be requested, the processing of which is no longer necessary for the fulfilment of any of the purposes for which they have been collected;
- 9.1.5. the right to restriction of processing – if such a request is made, the Controller shall cease to perform operations on Personal Data – except for operations authorised by the Data Subject and the storage of data, in accordance with the retention rules adopted – or until the reasons for the restriction of data processing cease to exist (e.g. a decision is issued by the supervisory authority permitting further processing of data);
- 9.1.6. the right to data portability – on this basis, to the extent to which data are processed automatically in connection with a contract or consent – the Controller shall deliver data provided by the Data Subject in a computer-readable format. The Data Subject shall also have the right to have the personal data transmitted to another party, provided, however, that this is technically feasible both for the Controller and for the designated party;
- 9.1.7. the right to object to the processing of data for marketing purposes – the Data Subject may at any time object to the processing of Personal Data for marketing purposes, without having to justify such objection;
- 9.1.8. the right to object to other purposes of data processing – the Data Subject may at any time object – for reasons related to the Data Subject’s specific situation – to the processing of Personal Data which takes place on the basis of the legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to property protection); the objection in this regard should contain a statement of reasons;
- 9.1.9. the right to withdraw consent – if data are processed on the basis of consent, the Data Subject shall have the right to withdraw it at any time, which, however, does not affect the lawfulness of processing performed prior to its withdrawal;
- 9.1.10. the right to lodge a complaint – if the processing of Personal Data is found to infringe the provisions of the GDPR or other provisions concerning the protection of Personal Data, the Data Subject may lodge a complaint with the authority supervising the processing of Personal Data having jurisdiction over the Data Subject’s place of habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
- MAKING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
- 9.2. A request concerning the exercise of the rights of Data Subjects may be submitted:
- 9.2.1. in writing to the address: Warsaw (00-688), Emilii Plater 25/64
- 9.2.2. via electronic means to the email address: ungc@ungc.org.pl
- 9.3. If the Controller is unable to identify a natural person on the basis of a request, it shall ask the requesting party to provide additional information. Provision of such data is not mandatory, but failure to provide such data will result in refusal to act on the request.
- 9.4. A request may be made in person or through a representative (e.g. family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorised attorney at law or legal counsel or barrister, which will significantly speed up the verification of the authenticity of the request.
- 9.5. A reply to a request should be given within one month of its receipt. If it is necessary to extend this time limit, the Controller shall inform the requesting party of the reasons for such measure.
- 9.6. If a request has been addressed electronically to the Controller, a reply shall be given in the same form, unless the requesting party has requested a reply in another form. In other cases, replies shall be given in writing. If the time limit for acting on a request makes it impossible to respond in writing, and the scope of the requesting party’s data processed by the Controller enables contact via electronic means, the reply shall be given electronically.
- 9.7. The Controller shall keep information on a request made and the person who made the request in order to ensure that compliance can be demonstrated and to establish, defend or pursue any claims of Data Subjects. The request register shall be kept in such a way as to ensure the integrity and confidentiality of the data contained therein.
- AMENDMENTS TO THE PERSONAL DATA PROCESSING POLICY
- 10.1. The policy shall be reviewed on an ongoing basis and updated, as necessary.
- 10.2. The current version of the Policy was adopted on 27 January 2020.