1. Initial information

The purpose of this Privacy Policy is to inform you about how Ecovis System Rewident Sp. z o.o. collects and processes your personal data when you use our services or our websites. This includes all personal data you provide to Ecovis System Rewident Sp. z o.o. through this website, for example when you provide your personal data by e-mail in the form of an enquiry about our services, but also if you provide us with any personal data in other form. In this Privacy Policy, the terms “Ecovis System Rewident Sp. z o.o.”, “Controller”, “we” or “our” (and the like) mean Ecovis System Rewident Sp. z o.o. with its registered office in Warsaw (Poland), i.e. the entity which is responsible for the processing of your personal data.

2. Personal Data Controller

Our full details are: Ecovis System Rewident Sp. z o.o. with its registered office in Warsaw, ul. Garażowa 5a, 02-651 Warsaw, entered in the Register of Entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 13^th Commercial Division of the National Court Register, under No 0000054522, with the share capital of PLN 250,000.00, Tax ID No (NIP): 5261036755

Contact details for matters related to personal data protection: piotr.perlowski@ecovis.pl

3. Definitions

Controller (also Personal Data Controller) – the responsible entity: Ecovis System Rewident Sp. z o.o. with its registered office in Warsaw, ul. Garażowa 5a, 02-651 Warsaw.

Portal – www.ecovis.com/pl/ website (also operating under the “ecovis.pl” domain names)

Cookies – small files that remember site settings (e.g. language), login settings, etc., stored via browser,

User – a natural person, legal person or unincorporated organisational unit that uses our website or our services;

Employee – a person employed at Ecovis System Rewident Sp. z o.o. with its registered office in Warsaw under an employment contract or other civil law agreement;

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

4. Collection of personal data

Ecovis System Rewident Sp. z o.o. collects data for specified and lawful purposes, processes it lawfully and does not further process it contrary to those purposes. Data is collected only within the adequate, essential and necessary scope in relation to the purposes for which it is processed.

Ecovis System Rewident Sp. z o.o. makes every effort to protect  data against unauthorised access by third parties and, in this respect, it applies high-level organisational and technical security measures, which are described further in this Policy. Ecovis System Rewident Sp. z o.o. does not make data available to any recipients that are not authorised to receive the same in accordance with the mandatory provisions of law.

5. Purposes of personal data processing

Your data will be processed for the purpose of service provision by Ecovis System Rewident Sp. z o.o., and in the case of Employees – for the purpose of establishing and conducting the employment process, on the basis of your freely given consent and an employment contract or other civil law agreement concluded with you;

With your consent, data may be processed for marketing purposes.

Moreover, your data may also be processed for the purpose of detecting bots and frauds, as well as for statistical measurements and improving the services of Ecovis System Rewident Sp. z o.o.

6. Grounds for the processing of personal data

When processing personal data, we may rely on various types of legal grounds for the processing, depending on the categories of personal data we process and the purpose of processing. We process data, inter alia:

– the legal basis for the processing of your data for marketing purposes is your freely given consent to the data processing, including profiling (Article 6(1)(a) of the GDPR).

– for the purpose of detecting frauds and for statistical measurements, as well as to improve the services of Ecovis System Rewident Sp. z o.o. (Article 6(1)(f) of the GDPR – legitimate interest of the controller);

– personal data of persons who use or wish to use our services and send us a message in this regard is processed by us because this is necessary for the performance of an agreement (6(1)(b) of the GDPR);

– personal data collected for the purpose of the establishment and conduct of the employment process, on the basis of your freely given consent and an employment contract or other civil law agreement concluded with you (i.e. pursuant to Article 6(1)(a) and (b) of the GDPR)

– sometimes we are required by law to process certain personal data, e.g. for tax and accounting purposes (6(1)(c) of the GDPR);

Please do not send us special categories of personal data (such as information about race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health information, genetic data, biometric data, information about sexual life or sexual orientation and criminal history) via websites or e-mail. If, for any reason, you provide such information, this will mean that you expressly consent to our collecting and using such information in the manner set forth herein or as specified in the place where such information is disclosed.

At the same time, we would like to inform you that “consent”, within the meaning of the GDPR, is a freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her;  The GDPR uses the term “indication of whishes”; such an expression is of key importance, especially in the context of recital 32 of the GDPR, where it is indicated that consent may consist in: (1) ticking a selection box when visiting a website, (2) choosing technical settings to use information society services, and (3) any other statement or conduct which, in a given context, clearly indicates that a data subject has acceptance the proposed processing of his/her personal data. Therefore, when you voluntarily provide us with your personal data, e.g. in the form of an e-mail inquiry, we obtain your consent to the processing of the personal data provided to us.

7. Period for which your personal data will be processed

The period for which we may process personal data depends on the legal basis forming a legitimate rationale for the processing of personal data. We never process personal data for longer than it follows from the above-mentioned legal bases and the purpose for which the data was collected. Therefore, we inform you that:

1. where data is processed on the basis of consent, the processing period continues until the consent is withdrawn by the user;
2. where Ecovis System Rewident Sp. z o.o. processes personal data on the basis of a legitimate interest of the data controller, the processing period continues until cessation of the interest (e.g. a period of limitation of civil-law claims) or until the data subject objects to further processing – in situations where he/she is entitled to such an objection in accordance with the law;
3. where your personal data is collected for the purpose of performance of an agreement (including an agreement with an Employee), we process such personal data for the period necessary for the agreement performance and, where appropriate, after its performance, however, only if this is permitted or required under applicable law, e.g. for statistical or billing purposes or in order to pursue claims. If this is the case, the data will only be processed for the period necessary for fulfilling the relevant purposes;
4. where we process personal data because it is necessary due to applicable laws, the processing periods for this purpose are laid down in those laws.

8.  Cookies

“Cookies” should be understood as IT data, in particular text files, stored on users’ terminal devices and enabling the use of websites. These files allow the identification of a user’s device and properly display a website in a form tailored to his/her individual preferences.  “Cookies” typically contain the name of the website they originate from, the time they are stored on a terminal device, and a unique number.

“Cookies” are used to tailor the content of websites to user preferences and to optimise the use of websites. They are also used for creating anonymous, aggregated statistics that help us understand how a user use the websites, which lets us improve their structure and content, excluding personal identification of a user.

We use two types of cookies – “session” and “persistent”. The first type is temporary files that are stored on a user’s device until he/she logs out of the website or closes the software (web browser). “Persistent” cookies are stored on a user’s device for a period specified in the cookie parameters or until they are manually removed by the user.

Personal data gathered by means of cookies may be collected only for the purpose of performing specific functions for a user. Such data is encrypted in such a way that it cannot be accessed by unauthorised persons.

By default, software used to browse websites allows cookies to be placed on a terminal device. These settings can be changed so as to block automatic support of cookies in the web browser settings or so as to inform about each transfer of a cookie to a user’s device. Restricting the use of cookies may affect certain functionalities available on the Portal.

9. Requirement to provide personal data

The provision of personal data for marketing purposes (including profiling) is voluntary. If you do not consent to the processing of personal data provided by you in the course of using the websites, services and other functionalities (including data saved in cookies), your personal data will not be processed for that purpose.

The provision of data for the purpose of concluding a service agreement is necessary for its performance. Failure to provide this data will render the service performance impossible.

The provision of personal data collected for the purpose of the establishment and conduct of the employment process is necessary for the proper compliance with the Employer’s obligations.

The processing of data for the purpose of detecting bots and frauds, as well as for statistical measurements and improvement of our services is necessary to ensure the provision of high quality services. Failure to collect your personal data for these purposes may render the proper provision of the services impossible.

The processing of data for the purpose of participation in Internet measurements is necessary for the collection of statistical information on users of the websites, the Portal and other functionalities, as well as for sharing statistics regarding them and to understand how they are used by the Internet users. The processing is necessary to ensure the quality of our services. Failure to collect your personal data for these purposes may render the proper provision of the services impossible.

10. Recipients of your personal data

Your data may be transferred to entities processing personal data  by order of the controller, such as: IT service providers, legal service providers, Polish Post [Poczta Polska] and courier service providers, and in the case of Employees – also to entities such as: insurers, healthcare entities, external auditors, external trainers (including OHS trainers), lessors and other entities – with a stipulation that such entities process the data on the basis of an agreement with the controller and only in accordance with the controller’s instructions.

Your data may also be transferred to entities authorised to obtain the data under applicable law

11. Transfer of your personal data outside the European Economic Area

We do not transfer and do not intend to transfer your data outside the European Economic Area.

12. Your rights related to the processing of personal data

All data subjects have the following rights:

Right to information on the processing of personal data – the person making such a request is informed by the Controller about the processing of personal data, including in particular the purposes and legal grounds for the processing, the scope of data held, the entities to whom the personal data is disclosed, as well as the planned date of its erasure;

Right to obtain a copy of data – if such a request is made, the Controller provides a copy of the processed data concerning the requesting person. If subsequent requests for a copy of data are made by the same person, the Controller may charge additional fees related to the fulfillment of such requests;

Right to rectification – after making such a request, the Controller removes any inconsistencies or errors concerning the processed personal data, or completes or updates the data if it is incomplete or has changed;

Right to erasure – on this basis, you can request the erasure of data the processing of which is no longer necessary for the purposes for which it was collected;

Right to restriction of processing – in the event of such a request, the Controller ceases to perform operations on personal data (except for operations approved by the data subject) and its storage, in accordance with the adopted retention rules, or until the reasons for restriction of data processing cease to exist;

Right to data portability – on this basis, insofar as data is processed in connection with a concluded agreement or with consent, the Controller releases the data provided by a data subject in a format readable by an electronic device. You can also request that such data be sent to another entity – provided, however, that there exist the requisite technical capabilities on the part of both the Controller and that other entity;

Right to object to the processing of personal data for marketing purposes – a data subject may at any time object to the processing of personal data for marketing purposes without having to justify such an objection;

Right to object to other purposes of data processing – a data subject may at any time object to the processing of personal data on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for purposes related to the protection of property). An objection in this regard should contain a justification and is subject to assessment by the Controller;

Right to withdraw consent – if we process your personal data on the basis of your consent, you may withdraw your consent at any time – at your sole discretion.

If you wish to exercise the aforementioned rights, you need to send a relevant request to the Controller. Such a request may be made by post or e-mail, by writing to the address (or e-mail address) of the Controller indicated in section II of this Policy.

The request should, as far as possible, precisely describe the demand, i.e. in particular who submits the request, which of the above rights the requestor wishes to exercise, what purposes of processing the request refers to or simply indicate that the request is withdrawal of consent. If the Controller is unable to determine the content of the request or to identify the requestor based on the request, the Controller will ask the requestor for additional information. The request will be responded to immediately, but not later than within one month of its receipt. If it is necessary to extend this time limit, the Controller will inform the requestor about the reasons for the extension. The response will be sent to the sender’s (postal or e-mail) address, unless it follows from the content of the request that the response should be sent in a different manner (e.g. in the case of a request made by post, you can request that the response be sent by e-mail and vice versa).

13. Safeguarding of your personal data

Ecovis System Rewident Sp. z o.o. applies appropriate technical, physical and administrative safeguards to ensure proper protection of a User’s personal data against its loss, misuse, unauthorised access, disclosure and alteration. These safeguards cover your personal data through multiple encryption methods, password-protected access to databases and their maintenance in certified server rooms.

14. Automatic collection of data

The information we collect in connection with your use of our Portal may be processed by automated means, however, this will not produce any legal effects on an individual or similarly significantly affect his/her situation.

15. Children’s personal data

Ecovis System Rewident Sp. z o.o. does not, either voluntarily or actively, collect, use or disclose personal data of juveniles (this does not apply to family members of Employees that are being declared for insurance purposes or for registration with healthcare entities, etc.), in accordance with age requirements in a given jurisdiction, without first obtaining the consent of the parents or legal guardians of such juveniles. If we become aware that we have collected a juvenile’s personal data without obtaining confirmable consent of his/her parent, we will take steps to erase this information without delay.

16. Information on the right to lodge a complaint with a supervisory authority

If you believe that your personal data is being processed unlawfully, you may lodge a complaint with the President of the Personal data Protection Office.

This Privacy Policy enters into force on 25 May 2018.