The following privacy policy defines the principles of personal data processing adopted in the company to ensure transparency and compliance with the provisions of the carried out processing processes.
DATA ADMINISTRATOR The Administrator of your personal data is KBJ S.A. with its registered office in Warsaw (01-161), at Obozowa 57, entered into the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register under the number 0000387799, NIP: 7262571799.
All inquiries regarding the processing of personal data should be sent to the following e-mail address: rodo@kbj.com.pl or by traditional mail to the address of the Administrator's seat. The Administrator declares that he is the owner of the website www.kbj.com.pl, whose resources are made available to users (i.e. any natural person visiting a given website) interested in using the Administrator's services.
The processing of collected personal data takes place in accordance with applicable law, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. data and repealing Directive 95/46 / EC (hereinafter: GDPR).
COLLECTION AND PROCESSING OF PERSONAL DATA In connection with the conducted activity, the Administrator collects and processes personal data in accordance with the relevant provisions, including in particular the GDPR.
The Administrator ensures transparency of data processing, in particular, always informs about data processing at the time of collection, including the purposes and legal basis of processing.
The Administrator ensures that personal data is collected to a minimum extent, adequately to the indicated purpose and processed only for the period in which it is necessary.
Using the Administrator's website In connection with the use of the website www.kbj.com.pl by users, the Administrator collects personal data to the extent necessary to provide individual services offered, as well as information about users' activity on the website.
The Administrator processes personal data of website users: a. The administrator processes the personal data of website users: provided via the provided contact forms, including: recruitment forms and dedicated forms (e.g. for marketing events organized by the Administrator); b. collected via cookies or other similar technologies (including IP address or other identifiers).
Cookies The administrator uses the so-called service cookies primarily to provide users with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to him use cookies by storing information or accessing information already stored in the user's telecommunications end device (computer, telephone, tablet, etc.). Cookies used for this purpose include: a) cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies); b) multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies); c) cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (files used by the Google company to analyze the way the website is used by the user, to create statistics and reports on the operation of the website). Detailed information on the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners. The full content of the information obligation for website users can be found here.
E-mail and traditional correspondence If a query is sent to the Administrator via e-mail or traditional mail, the personal data contained in the above-mentioned correspondence, if it does not concern services provided to the sender, are processed solely for the purpose of handling the communication and resolving the matter to which the correspondence relates.
Recruitment As part of recruitment processes, the Administrator processes personal data of job candidates (e.g. in a CV or cover letter, contact form) only to the extent specified in the provisions of labor law. In connection with the above, applicants should not provide information to a greater extent than required by the administrator contained in the job advertisement and provided for by law. If the candidate also provides other data not required by the Administrator, it is considered that he has consented to their processing.
To the extent that personal data are processed based on the consent given, it can be withdrawn at any time, but without affecting the lawfulness of the processing carried out before its withdrawal. In a situation where the submitted applications contain information inadequate to the purpose of recruitment, they will not be used or taken into account in the recruitment process. The full content of the information obligation towards candidates can be found here.
Processing of personal data of staff members of clients / contractors In connection with the conclusion of commercial contracts as part of business activities, the Administrator obtains personal data from staff members of their clients / contractors involved in the implementation of such contracts (e.g. contact persons). Personal data collected in this way are processed for the purpose of effective and efficient cooperation in the implementation of concluded commercial contracts. The full content of the information obligation for persons whose data was collected as part of the contract can be found here.
Investor Relations The administrator, as a public entity listed on the WSE, processes the personal data of the company's shareholders who are party to the contract, as well as in connection with the performance of public and legal obligations resulting from concluded contracts, the company's status and the regulations governing the operation of companies on the public market. The full content of the shareholders' disclosure obligation is available here
PURPOSES AND LEGAL BASIS FOR PROCESSING Personal data is processed by the Administrator for purposes related to the implementation of concluded contracts, providing the offered services, handling recruitment processes, enabling the use of websites owned by the administrator, handling other services not related to the services provided: in particular: a) in order to provide users with services delivered by electronic means and to improve the quality of these services (use of cookies): • the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR); b) in order to provide electronic services in the field of providing users with the content collected on the website: · the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR); c) for analytical and statistical purposes: • the legal basis for processing is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in conducting analyzes of users' activity, as well as their preferences in order to improve the functionalities used and the services provided; d) in order to identify senders and handle inquiries sent using electronic contact forms, also for analytical and statistical purposes: • the legal basis for processing is the necessity of processing to perform the service contract (Article 6 (1) (b) of the GDPR), and • the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in keeping statistics of inquiries submitted by users via the website in order to improve its functionality; e) in order to communicate and resolve the matter to which the correspondence relates, in the case of traditional and e-mail: • the legal basis for processing is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in correspondence addressed to him in connection with his business activity; f) in order to prepare, negotiate and implement business contracts regarding the products and services offered by the Administrator: · the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR); g) in order to register an application for a marketing event organized by KBJ: • the legal basis for processing is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in promoting own products, services provided and building a professional image and supporting your own brand; h) in order to fulfill obligations resulting from legal provisions related to the employment process, including in particular the Labor Code: • the legal basis for processing is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in the willingness to hire new employees, and • the legal obligation of the administrator (Article 6 (1) (c) of the GDPR in connection with the provisions of the Labor Code); i) in the case of employment on the basis of a contract other than an employment contract - data are processed in order to carry out the recruitment process: • the legal basis for processing is the necessity of the data to conclude and perform the contract (Article 6 (1) (b) of the GDPR); and • legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the willingness to hire new employees; j) in order to carry out future recruitment processes and in the field of data not required by law: • the legal basis for processing is the consent of the data subject (Article 6 (1) (a) of the GDPR); k) in order to organize and handle marketing events (e.g. webinar, training): • the legal basis for processing is the performance of a contract to which the data subject is a party (Article 6 (1) (b) of the GDPR), and • consent of the data subject (Article 6 (1) (a) of the GDPR, to the extent that the provision of data is optional; l) in order to promote the Administrator's own products and services, including for analytical purposes: • the legal basis for processing is the Administrator's legitimate interest (Article 6 (1) (f) of the GDPR); m) in order to possibly establish and pursue claims or defend against them: • the legal basis for processing is the Controller's legitimate interest (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights.
PERSONAL DATA TRANSFER The Administrator does not transfer personal data outside the European Economic Area (EEA) without prior notification and obtaining the consent of the data subject, and only when it is necessary for the performance of the contract to which the Administrator and the data subject are parties. The transfer takes place with an adequate level of protection, in particular in accordance with the provisions of Art. 45, 46, 47 GDPR.
Personal data may be transferred to third countries to the extent necessary for the use by KBJ S.A. from cloud services provided by global providers of such services, the transfer will take place in accordance with the relevant legal provisions regulating the principles of personal data protection, in particular on the basis of standard contractual clauses, in accordance with the templates approved by the European Commission.
PERSONAL DATA STORAGE PERIOD The period of personal data processing depends on the legal obligations incumbent on the Administrator, as well as the purposes for which they were collected. As a rule, personal data is processed for the period of service provision or the time needed to perform the order / contract, until the consent is withdrawn or an effective objection is raised. Withdrawal of consent for processing does not affect the lawfulness of the processing that was carried out before its withdrawal. a) In the case of consent to the processing of data for the purposes of future recruitment processes, personal data is deleted after twelve months - unless the consent has been withdrawn previously or consent for further storage has not been obtained. b) In the case of consent to the processing of data for marketing purposes, personal data is processed until the consent is withdrawn or an effective objection is raised. c) In the case of data processing on the basis of the Controller's legitimate interest (e.g. for security reasons), the data is processed for a period enabling the implementation of this interest or until an effective objection to data processing is raised. If the processing is based on consent, the data is processed until it is withdrawn. The data processing period may be extended if the processing is necessary to establish or pursue claims or defend against them, and after this period - only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
DATA RECIPIENTS Personal data may be made available to external entities that process data on behalf of the administrator on the basis of contracts, for the purposes and to the extent necessary to implement the above-mentioned contracts, in particular: suppliers responsible for the operation of IT systems, other entities providing IT, consulting, legal, accounting services or transport companies.
Personal data processed by the administrator may also be disclosed to entities related to the Administrator, i.e. KBJ Services Sp. z o.o., Albit Software Sp z o.o., BTech Sp. z o.o., JRH Consulting, Roemer & Szczepkowski Group Sp. z o.o., Softy Labs Sp. z o.o.
AUTOMATED PROCESSING OF PERSONAL DATA The collected personal data will not be used for the purpose of automated decision-making (including profiling), i.e. no decisions will be made as a result of processing, causing legal effects for persons who are the subject of personal data.
RIGHTS OF PERSONS WHO THE DATA CONCERNS Persons whose personal data is processed by the Administrator have the following rights: a)the right of access - each person whose data is processed has the right to obtain information on the processing, in particular: about the purposes and legal grounds, the scope of the data held, entities to which they are disclosed, and the planned date of data deletion; b)the right to obtain a copy of the data; c)the right to rectify - the Administrator is obliged to remove any possible inconsistencies or errors in the processed personal data and update and supplement them if they are incomplete; d)the right to delete data - if, in certain situations, the data cannot be permanently deleted due to the administrator's obligations, e.g. resulting from legal provisions, the Administrator will inform the person who is the subject of personal data about this fact, providing all necessary information regarding the processing; e)the right to limit processing - in the event of such a request, the Administrator ceases to perform operations on personal data, with the exception of operations for which the data subject has consented - and their storage, in accordance with the adopted retention rules or until the reasons for limiting data processing (e.g. a decision of the supervisory authority is issued authorizing further processing of the data); f)the right to data portability; g)the right to object to the processing of data for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection; h)the right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data, which takes place on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property); objection in this respect should contain a justification; i)the right to withdraw consent - if the data is processed on the basis of expressed consent, the data subject has the right to withdraw it at any time; the withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal; j) the right to lodge a complaint - if it is found that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may submit a complaint to the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.