Data Protection Policy

For matters concerning the security of data processing at Vavatech, please contact the Data Protection Officer.

Contact details: Małgorzata Topyła-Komosa, e-mail: iod@vavatech.pl

GENERAL INFORMATION CLAUSE

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), we hereby inform you that:

1. The Administrator of your personal data is Vavatech, represented by Mirosław Makaroś – President of the Management Board.

2. Supervision of proper data processing in the company is exercised by the Data Protection Officer: Małgorzata Topyła-Komosa, e-mail: iod@vavatech.pl.

3. Vavatech processes personal data solely for specific, explicit, and legitimate purposes and does not process data further in ways incompatible with those purposes. The data processing period directly results from legal regulations and is adequate to the purposes arising from:

  • Conducting activities based on granted consents, e.g., participation in training (legal basis: Article 6(1)(a) or Article 9(2)(a) GDPR);
  • Ongoing contact related to contract performance or activities leading to contract conclusion (legal basis: Article 6(1)(b) GDPR);
  • Assertion of potential claims (legal basis: Article 6(1)(f) GDPR);
  • Marketing and promotion of the company’s products and services (legal basis: Article 6(1)(a) and Article 6(1)(f) GDPR);
  • Fulfilling legal obligations imposed on the Administrator, e.g., storing accounting evidence (legal basis: Article 6(1)(b) GDPR in conjunction with tax regulations);
  • Tasks within the legitimate interest of the Administrator, including internal administrative purposes, statistics, reporting, and customer satisfaction research (legal basis: Article 6(1)(f) or Article 9(2)(f) GDPR);
  • Compliance with obligations arising from legal regulations, including employment-related tasks (legal basis: Article 6(1)(c) or Article 9(2)(b) and (j) GDPR);
  • Protection of vital interests of the data subject or another natural person (legal basis: Article 6(1)(d) or Article 9(2)(c) GDPR);
  • Ensuring safety and security of individuals, property, premises, and internal administrative, analytical, and statistical purposes (legal basis: Article 6(1)(f) or Article 9(2)(f) GDPR).

4. Recipients of personal data for the purposes specified in point 3 may include:

  • Authorized individuals such as employees or associates of the Administrator;
  • Entities to whom the Administrator has entrusted data processing (processors) based on contracts and in compliance with applicable legal regulations;
  • Entities affiliated with the Administrator;
  • Entities obligated to access data under legal provisions;
  • Data recipients such as courier companies, banks, legal offices, and clients.

5. Personal data will be processed by the Administrator for the period necessary to achieve the purposes specified in point 3:

  • For contract execution, until its termination, and subsequently for a duration required by legal provisions, particularly for storing accounting evidence and securing claims;
  • For marketing activities, until the withdrawal of consent for such processing.

6. Your personal data will not be shared with entities other than those authorized under the law.

7. In accordance with GDPR, individuals whose data is processed have the following rights:

  • The right to access their personal data;
  • The right to request correction, supplementation, deletion, or restriction of personal data processing, and to object to such processing in situations provided by law;
  • The right to withdraw consent to personal data processing at any time, without affecting the legality of processing carried out based on consent before its withdrawal;
  • The right to file a complaint with the supervisory authority, the President of the Personal Data Protection Office, if they believe that personal data processing violates GDPR.

8. Personal data processing under GDPR does not involve automated decision-making, including profiling.

INFORMATION CLAUSE: MONITORING

  1. The administrator of your personal data is Vavatech Sp. z o.o., represented by Mirosław Makaroś, President of the Management Board.
  2. Oversight of the proper processing of personal data at Vavatech is carried out by the Data Protection Officer: Małgorzata Topyła-Komosa, email: iod@vavatech.pl.
  3. The implementation of monitoring on the premises is based on the legitimate interests of the administrator and the obligations imposed on the administrator under Article 6(1)(c) and (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”), as well as Article 22(2) §1 of the Labour Code Act of 26 June 1974 (Dz.U.2019.01.01 with subsequent amendments).
  4. To ensure the safety of employees and clients, protect property, or maintain the confidentiality of information whose disclosure could harm the employer, prevent theft and aggression, record incidents enabling the identification of perpetrators of damage or theft and recovery of lost property, or pursue potential claims, the President has implemented specific oversight measures within the company premises in the form of technical means allowing for video surveillance (monitoring).
  5. Monitoring does not cover sanitary facilities, changing rooms, canteens, or premises provided to workplace trade unions, unless monitoring in these areas is necessary to achieve the purpose outlined in point 1 and does not infringe on the dignity or other personal rights of employees, as well as the principle of freedom and independence of trade unions, particularly by employing techniques that prevent the identification of persons in these areas.
  6. The President of the Management Board processes video recordings exclusively for the purposes for which they were collected and stores them for no longer than one month from the date of recording. Recordings are made on a “loop,” meaning they are automatically and irreversibly deleted and replaced with new recordings.
  7. In cases where video recordings constitute evidence in proceedings conducted under the law or where the employer becomes aware that they may constitute such evidence, the retention period specified in point 3 is extended until the proceedings are finally concluded.
  8. After the periods referred to in points 3 or 4 have elapsed, video recordings obtained through monitoring that contain personal data are destroyed unless other provisions dictate otherwise.
  9. The employer has marked monitored rooms and areas in a visible and legible manner using appropriate signs.
  10. The provision in point 6 does not infringe the provisions of Articles 12 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1).
  11. In the event of unlawful data processing, you have the right to file a complaint with the supervisory authority, i.e., the President of the Personal Data Protection Office.

INFORMATION CLAUSE: RECRUITMENT OF EMPLOYEES/INTERNSHIPS/TRAINEESHIPS

1. The administrator of your personal data is Vavatech Sp. z o.o., represented by Mirosław Makaroś, CEO.

2. Supervision over the proper processing of personal data at Vavatech is carried out by the Data Protection Officer, Małgorzata Topyła-Komosa, e-mail: iod@vavatech.pl.

3. Purpose and Legal Basis for Data Processing:

  • The recruitment of candidates for employment at Vavatech Sp. z o.o. and the entities it serves aims to select individuals for available positions or to conclude agreements for graduate internships, practical training, or apprenticeships.
  • The legal basis for processing personal data during recruitment for positions is Article 6(1)(b) of the GDPR in connection with Article 22¹§1 of the Labor Code of June 26, 1974.
  • For recruitment for graduate internships, the legal basis is Article 6(1)(b) of the GDPR in connection with the Act of July 17, 2009, on Graduate Internships (Journal of Laws 2018, item 1244).

4. Data Retention Period

  • Your personal data will be retained for the period necessary to achieve the purposes for which it was collected. Applications submitted by candidates who are not selected during the recruitment process will be destroyed in accordance with the official protocol, as per the Office Instructions.
  • The Data Controller does not intend to process candidates’ personal data for purposes other than those for which it was originally collected, unless the candidate provides explicit consent. In such cases, the data will be processed for future recruitment purposes for no longer than one year. Providing consent is voluntary.

5. Recipients or Categories of Recipients of Personal Data

  • The recipients of personal data may only include authorities or entities authorized under separate legal provisions.

6. Rights of Data Subjects

  • You have the right to access your data, request its rectification, and request the deletion of data that is unlawfully processed in accordance with applicable regulations. You also have the right to withdraw consent for the processing of your personal data at any time (within the scope outlined above). Withdrawal of consent will not affect the legality of the processing carried out based on consent prior to its withdrawal.
  • Furthermore, you have the right to lodge a complaint with the supervisory authority, the President of the Personal Data Protection Office (contact details are available at: https://uodo.gov.pl/), if you believe that the processing of your personal data violates the GDPR or other applicable data protection regulations.

7. Transfer of Personal Data to Third Countries or International Organizations

  • Your personal data will not be transferred to any third country or international organization.

8. Obligation to Provide Data

  • Providing data during the recruitment process is necessary to achieve the purposes for which it was collected. Failure to provide the required data will result in the inability to consider your application submitted during the recruitment process.

9. Automated Decision-Making, Including Profiling

  • Personal data of job candidates at Vavatech Sp. z o.o. will not be processed in an automated manner or subjected to profiling.

Additionally, please note that application documents submitted outside of announced recruitment processes will be immediately destroyed, and the personal data contained therein will not be processed due to the lack of a legal basis for processing the data included in the CV.

Example consent text for recruitment purposes: I consent to the processing of my personal data contained in this document for the purposes of the recruitment process in accordance with the Act of May 10, 2018, on the Protection of Personal Data and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).