Personal Data Processing Policy
(TRANSPARENCY POLICY)

1. DEFINITIONS
1.1. Controller – Oknoplast Sp. z o. o. with its registered office in Ochmanów, Ochmanów 117, 32-003 Podłęże.
1.2. Personal data – all information about a natural person who is identified or identifiable by reference to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity, including his/her image, voice recording, contact data, location data, information contained in correspondence, information collected by means of recording equipment or similar technology.
1.3. Policy – this Personal data processing policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data subject – any natural person whose personal data is processed by the Controller, e.g. a person visiting the Controller’s premises or sending an e-mail request to the Controller.

2. DATA PROCESSING BY THE CONTROLLER
2.1. In connection with its economic activity, the Controller collects and processes personal data in accordance with the relevant provisions, including in particular the GDPR, and the principles of data processing set forth there.
2.2. The Controller shall ensure transparency of data processing and shall, in particular, always inform about the processing of data upon its collection, and also about the purpose and legal basis for the processing, e.g. when concluding a contract for the sale of goods or services. The Controller shall ensure that data is collected only within the scope necessary for the indicated purpose and processed only for as long as necessary.
2.3. When processing data, the Controller shall ensure its security and confidentiality and also provide information on the processing to data subjects. If, despite the security measures applied, a personal data breach has occurred (e.g. a data “leakage” of data loss), the Controller will communicate the fact to the data subject in a manner consistent with the laws.

3. CONTACT WITH THE CONTROLLER
3.1. You can contact the Controller at the following e-mail address: biuro@oknoplast.com.pl or correspondence address: Oknoplast Sp. z o.o., Ochmanów 117, 32-003 Podłęże.

4. SECURITY OF PERSONAL DATA
4.1. In order to ensure integrity and confidentiality of data, the Controller has implemented procedures rendering access to personal data possible only to authorised persons and only to the extent necessary for them to perform their tasks. The Controller shall apply organisational and technical solutions to ensure that all operations on personal data are recorded and carried out by authorised persons exclusively.
4.2. Additionally, the Controller shall take all necessary steps to ensure that its subcontractors and other cooperators also guarantee the use of appropriate security measures, whenever they process personal data by order of the Controller.
4.3. The Controller shall conduct ongoing risk analysis and monitor the adequacy of applied data safeguards to identified risks. If necessary, the Controller shall implement additional measures to enhance data security.

5. PURPOSES AND LEGAL BASES FOR PROCESSING
E-MAIL AND CONVENTIONAL CORRESPONDENCE
5.1. If any correspondence unrelated to the services provided for the sender or unrelated to any other contract concluded with him/her is sent to the Controller via e-mail or conventional mail, the personal data contained in this correspondence shall be processed solely for the purpose of communication and handling of the matter contemplated in the correspondence.
5.2. The legal basis for the processing is the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in handling of correspondence addressed to it in connection with its economic activity.
5.3. The Controller shall process only such personal data which is relevant to the matter contemplated in the correspondence. All correspondence shall be stored in a manner ensuring security of the personal data (and other information) contained there. The correspondence shall be disclosed to authorised persons only.
TELEPHONE CONTACT
5.4. If the Controller is contacted by telephone, in matters unrelated to a concluded contract or performed services, the Controller may request that personal data be provided only if it is necessary for handling of the matter in question. In this case, the legal basis is the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in the necessity to handle a reported issue related to its economic activity.
CCTV AND ACCESS CONTROL
5.5. In order to ensure security of persons and property, the Controller uses a CCTV system and controls access to the premises and the area managed by it. The data thus collected is not used for any other purpose.
5.6. Personal data in the form of CCTV recordings and data collected in connection with access control shall be processed in order to ensure security and order in the facility, protection of property and protection from claims (if any) and their exercise, as well as to detect, prevent and prosecute criminal acts. The legal basis for the personal data processing is the legitimate interest of the controller (Article 6 (1)(f) of the GDPR) consisting in ensuring security of the Controller’s property and protection of its rights.
RECRUITMENT
5.7. In the context of recruitment processes, the Controller expects to receive personal data (e.g. in a CV or résumé) only within the scope specified in the labour law or required by the Controller on the basis of its legitimate interest. Therefore, more extensive information should not be provided. If sent applications contain additional data, the data will not be used or taken into account in the recruitment process without the relevant consent of the data subject.
5.8. Personal data is processed:
5.8.1. in order to comply with employment-related obligations arising from the law (including in particular the Labour Code) – the legal basis for the processing is the legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR in conjunction with the provisions of the Labour Code);
5.8.2. in order to conduct a recruitment process on the basis of employment under a civil law contract – the legal basis is steps to be taken, at the request of the data subject, prior to entering into a contract (Article 6(1)(b) of the GDPR);
5.8.3. in order to verify qualifications and skills and establish conditions of the cooperation – the legal basis for the processing of data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
5.8.4. in order to conduct a recruitment process for data not required by law or optional data not required by the Controller for employment under a civil law contract, as well as for future recruitment processes – the legal basis for the processing is consent (Article 6(1)(a) of the GDPR);
5.8.5. in order to establish, exercise or defend against claims (if any) – the legal basis for the processing of data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
5.9. If data is collected for the purposes related to the performance of a specific contract, the Controller shall provide the data subject with detailed information about the processing of his/her personal data at the time of conclusion of the contract.
DATA COLLECTION IN OTHER CASES
5.10. In connection with its business activity, the Controller collects personal data also in other situations – e.g. during business meetings, at industry events or by exchange of visiting cards – in order to establish and maintain business contacts. In this case, the legal basis for the processing is the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in networking in connection with the conducted business activity.
5.11. Personal data collected in such circumstances is processed only for the purpose for which it has been collected and the Controller ensures its proper protection.

6. DATA RECIPIENTS
6.1. On account of conducting business activity which requires processing, personal data is disclosed to external entities, including in particular providers and service technicians responsible for the operation of information systems and equipment (e.g. CCTV equipment), entities responsible for the protection of persons and property, providers of legal, tax, financial or advisory services, couriers and postal operators, banks, insurers, brokers, pension funds, debt collection companies, accommodation service providers, trade partners, agents, event, marketing or recruitment agencies. Data is also disclosed to affiliates of the Controller, including companies in its capital group, such as WnD sp. z o.o., Oknoplast Deutschland GmbH and Oknoplast France sas. The following companies are the Controller’s agents: Oknoplast Deutschland GmbH, Oknoplast France sas, Antenore Srl., Contact International Bt., Trade Contact International Kft., REM Trade International Bt. The current list of trade partners of the Controller is available:
6.1.1. in the “Where to buy?” tab on the www.oknoplast.com.pl website – in the case of trade partners operating in the territory of Poland.
6.1.2. after clicking “SEZNAM” link in the “Contacts” tab on the www.oknoplast.cz website – in the case of trade partners operating in the territory of the Czech Republic.
6.1.3. after clicking “ZOZNAM” link in the “Contacts” tab on the www.oknoplast.sk website – in the case of trade partners operating in the territory of Slovakia.
6.1.4. after clicking “LISTA” link in the “Contacts” tab on the www.oknoplast.hu website – in the case of trade partners operating in the territory of Hungary.
6.1.5. in the “Contact” tab on the www.oknoplast.com website – in the case of trade partners operating in the territory of Northern Ireland and the USA.
6.1.6. in the “Kontakta oss” tab on the www.oknoplast.se website – in the case of trade partners operating in the territory of Sweden.
6.1.7. in the “Kontakt” tab on the www.oknoplast.no website – in the case of trade partners operating in the territory of Norway.
6.2. The Controller reserves the right to disclose selected information regarding the data subject to the competent authorities or third parties who request such information, relying on the relevant legal basis and in accordance with the applicable laws.

7. TRANSFER OF DATA OUTSIDE THE EEA
7.1. The level of protection of personal data outside the European Economic Area (EEA) is different from that provided by the European law. For this reason, the Controller shall transfer personal data outside the EEA only if necessary and ensuring adequate level of protection, in particular by:
7.1.1. cooperation with processors of personal data in countries for which a relevant decision of the European Commission has been issued;
7.1.2. the application of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate rules approved by the competent supervisory authority;
7.1.4. if data is transmitted to the USA – cooperation with entities participating in the Privacy Shield Program approved by decision of the European Commission.
7.2. The Controller shall always communicate its intention to transfer personal data outside the EEA at the stage of its collection.

8. PERSONAL DATA PROCESSING PERIOD
8.1. The period of data processing by the Controller depends on the nature of the service provided and the purpose of processing. The processing period may also result from regulations, if they serve as the basis for the processing. If data is processed on the basis of a legitimate interest of the Controller – e.g. for security reasons – the data shall be processed for a period which allows the pursuit of the interest or an effective objection to the data processing. If processing is carried out on the basis of consent, the data shall be processed until the consent is withdrawn. Where the basis for processing is the necessity for the conclusion and performance of a contract, the data shall be processed until the contract is terminated.
8.2. The processing period may be extended where processing is necessary for the establishment, exercise or defence against claims and, after that period, only if (and as far as) required by laws. At the end of the processing period, the data shall be irretrievably removed or anonymised.

9. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
RIGHTS OF DATA SUBJECTS
9.1. Data subjects enjoy the following rights:
9.1.1. right to be informed about the processing of personal data – on this basis, the Controller shall inform the person making the request about the processing of data, including above all, about the purposes and legal bases of the processing, the scope of data in its possession, the entities to which the data is disclosed and the planned date of its erasure;
9.1.2. right to obtain a copy of data – on this basis, the Controller shall provide a copy of the processed data relating to the person making the request;
9.1.3. right to rectification – the Controller shall remove any discrepancies or errors of the processed personal data and supplement the data if it is incomplete;
9.1.4. right to data erasure – on this basis, a person may requests deletion of data which is no longer necessary for any of the purposes for which it was collected;
9.1.5. right to restriction of processing – if such a request is made, the Controller shall cease operations performed on personal data – except for the operations to which the data subject has consented – and shall also cease the data retention, in accordance with the accepted retention rules, or until the causes of the data processing have ceased (e.g. a decision of the supervisory authority allowing further processing of data has been issued);
9.1.6. right to data portability – on this basis – to the extent that data is processed in connection with a concluded contract or expressed consent – the Controller shall release the data provided by the data subject in a machine-readable format. It is also possible to request that such data be transferred to another entity – provided, however, that there are technical possibilities in this regard, both on the part of the Controller and the other entity.
9.1.7. right to object to the processing of data for marketing purposes — the data subject may at any time object to the processing of personal data for marketing purposes, without having to justify the objection;
9.1.8. right of object to other purposes of data processing – the data subject may at any time object to the processing of personal data which is based on a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons connected with the protection of property); an objection in this respect shall contain justification;
9.1.9. right to withdraw consent – if data is processed on the basis of consent, the data subject may withdraw the consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal.
9.1.10. right to lodge a complaint – if it is found that the processing of personal data violates the GDPR provisions or other personal data protection regulations, the data subject may lodge a complaint with the President of the Personal Data Protection Office.
REQUESTS RELATING TO THE EXERCISE OF RIGHTS
9.2. Requests for the exercise of data subjects’ rights may be submitted:
9.2.1. in writing to the address: Ochmanów 117, 32-003 Podłęże;
9.2.2. by e-mail to: privacy@oknoplast.com.pl.
9.3. If the Controller is unable to identify the person making the request on the basis of the submitted notification, the Controller will ask the requesting person for additional information.
9.4. The request may be made either personally or through an attorney-in-fact (e.g. a family member). For data security reasons, the Controller encourages the use powers of attorney which are certified by a notary, an authorised legal adviser or a lawyer, which will significantly speed up the verification of the request authenticity.
9.5. A response to the notification shall be given within one month of its receipt. If this time limit needs to be extended, the Controller will inform the requesting person about the reasons for the delay.
9.6. The response shall be given by conventional mail, unless a request has been made by e-mail or it has been requested that the response be given in electronic form.
CHARGING RULES
9.7. The procedure for handling submitted requests is free of charge. Fees may only be charged if:
9.7.1. a request for the issue of a second and any subsequent copy of data is made (the first copy of data is free); in such a case, the Controller may request the payment of the following fees:
a) PLN 6.25 – if the request is made in writing, unless it has been requested that the response be given in electronic form
b) PLN 1.50 – if the request is made in electronic for or it has been requested that the response be given in electronic form.
This fee includes administrative costs related to the handling of the request.
9.7.2. the same person makes excessive (e.g. extremely frequent) or manifestly unfounded demands; in such a case, the Controller may request the payment of a fee of PLN 15 from each copy of data.
This fee includes the costs of communication and the costs associated with taking the requested action.
9.8. If a decision on the imposition of a charge is challenged, the data subject may lodge a complaint with the President of the Personal Data Protection Office.

10. CHANGES IN THE PERSONAL DATA PROCESSING POLICY
10.1. The Policy is verified on an ongoing basis and, if necessary, updated. The current version of the Policy was adopted on 18 May 2018.