PERSONAL DATA PROCESSING POLICY
1. Definitions
1.1. Controller – Perła – Browary Lubelskie S.A. (joint-stock company) with its registered office in Lublin (20-950), Bernardyńska 15 Street.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several specific factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the image, voice recording, contact data, location data, information included in correspondence and information collected through recording equipment or other similar technologies.
1.3. Policy – this Personal data processing policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Data subject – any natural person whose personal data are processed by the Controller, e.g. a person visiting the Controller’s premises or sending it an inquiry by email.
2. Data processing by the Controller
2.1. In connection with the conducted business activity, the Controller collects and processes personal data in compliance with relevant laws, especially the GDPR and the data processing principles provided therein.
2.2. The Controller ensures transparency of data processing, in particular by always informing about data processing at the moment of their collection, including the purpose and legal basis of the processing, e.g. while entering into a sales agreement for commodities or services. The Controller makes every effort to collect data only to the extent necessary for the indicated purpose and process them only as long as it is necessary.
2.3. While processing personal data, the Controller ensures their security and confidentiality and gives data subjects access to information about the processing. If, in spite of the applied security measures, there is a personal data breach (e.g. a data leak or loss), the Controller shall inform data subjects about the event in compliance with laws and regulations.
3. Contact with the Controller
3.1. The Controller may be contacted by e-mail kodo@biuro.perla.pl or by letter sent to the mailing address:
Data Protection Coordinator, Lublin (20-950), Bernardyńska 15 Street.
3.2. The Controller has appointed a Data Protection Coordinator that may be contacted by e-mail kodo@biuro.perla.pl in any matter concerning personal data processing.
4. Personal data security
4.1. To ensure data integrity and confidentiality, the Controller has implemented procedures making access to personal data possible only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller applies organizational and technical solutions to ensure that all the operations on personal data are recorded and performed only by authorized persons.
4.2. In addition, the Controller takes any necessary actions so that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
4.3. The Controller performs risk analysis on an ongoing basis and monitors the adequacy of applied data protection mechanisms to the identified threats. If necessary, the Controller implements additional measures to increase data security.
5. Purposes and legal basis of data processing
EMAIL AND TRADITIONAL CORRESPONDENCE
5.1. If the Controller receives correspondence, by email or traditional mail, unconnected with the services provided for the sender or another agreement executed with them, the personal data found in the correspondence shall be processed only for the purpose of communicating and resolving the issue which is the subject of the correspondence.
5.2. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) to carry on correspondence sent to it in connection with its business activity.
5.3. The Controller processes only the personal data relevant to the issue that the correspondence is about. All the correspondence is stored so as to ensure security of the personal data (and other information) found therein and disclosed only to authorized persons.
CONTACT BY TELEPHONE
5.4. If the Controller is contacted by telephone about issues unconnected with an executed agreement or provided services, the Controller may require that personal data should be provided only if this is necessary to handle the issue that the telephone conversation was about. In such a case, the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) involving the need to resolve an issue connected with its business activity.
5.5. Telephone conversations may be also recorded – in such a case, relevant notification is provided at the beginning of a call. Conversations are recorded to monitor the quality of the provided service and verify the work of consultants, and also for statistical purposes. The recordings are available only to the Controller’s employees and persons handling the Controller’s call center.
5.6. Personal data in the form of conversation recordings are processed:
5.6.1. for purposes connected with the service to clients and the public via the information hotline if the Controller provides such a service – the legal basis for the processing is that the processing is necessary for providing the services (Article 6(1)(b) GDPR);
5.6.2. to monitor the service quality and verify the work of consultants handling the information hotline as well as for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) involving caring for the highest service quality for clients and the public as well as the work of consultants and performing statistical analyses of communication by telephone.
VIDEO MONITORING AND ENTRY CONTROL
5.7. To ensure security of persons and property, the Controller uses video monitoring and controls entries to the premises and the area managed by it. The data collected in this way are not used for any other purposes.
5.8. Personal data in the form of video recordings and the data collected in the register of entries and exits are processed to ensure security and order in the area of the facility and to defend itself against or pursue possible claims. The legal basis for the personal data processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) involving ensuring security of the Controller’s property and protecting its rights.
RECRUITMENT
5.9. Within recruitment processes, the Controller expects provision of personal data (e.g. in a CV or a resume) only to the extent defined in the labor law. Accordingly, no wider range of information should be provided. If the sent applications include additional data with regards to the recruitment process, those will not be used or taken into consideration in the recruitment process.
5.10. Personal data are processed:
5.10.1. to fulfil the obligations resulting from the legal provisions related to the recruitment process, including in particular provisions of the Polish Labour Code – the lawful ground for processing is derived from a legal obligation imposed upon the Controller (Article 6(1)(c) GDPR in connection with provisions of the Polish Labour Code);
5.10.2. to run a recruitment process with regard to data not required by law and also for the purpose of future recruitment processes – the legal basis for the processing is an individual’s consent (Article 6(1)(a) GDPR);
5.10.3. to establish or pursue possible claims or defend against such claims – the lawful ground for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR).
DATA COLLECTION RELATING TO THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER AGREEMENTS
5.11. If data are collected for the purposes connected with performing a specific agreement, the Controller shall provide the Data Subject with detailed information about processing his or her personal data at the moment of entering into the agreement.
DATA COLLECTION IN OTHER CASES
5.12. In connection with conducted business activity, the Controller collects personal data also in other cases, e.g. by enhancing and benefitting from long-term mutual business contacts (networking) during business meetings, at business events or by exchanging business cards, for purposes connected with initiating and maintaining business contacts. The legal basis for the processing in such a case is the Controller’s legitimate interest (Article 6(1)(f) GDPR) involving building a network of contacts in connection with its business activity.
5.13. The personal data collected in such cases are processed only for the purpose for which they were collected and the Controller guarantees their appropriate protection.
6. Data recipients
6.1. In connection with conducting business activity which requires processing, personal data are disclosed to third parties, including in particular vendors responsible for the operation of IT systems and hardware (e.g. CCTV equipment), entities providing legal or accounting services, couriers and marketing or recruitment agencies.
6.2. The Controller reserves the right to disclose selected information items referring to the data subject to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with the applicable laws.
7. Transfer of data outside the EEA
7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
7.1.1. cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued;
7.1.2. application of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate principles approved by the relevant supervisory authority;
7.1.4. if data is transferred to the US – cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
7.2. At the data collection stage, the Controller informs the User of the intention to transmit personal data outside the EEA.
8. Period of personal data processing
8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. The data processing period may also follow from laws when these are the basis for the processing. If data are processed on the basis of the Controller’s legitimate interest, e.g. for security reasons, the data are processed for the period making it possible to satisfy the interest or until the data subject has effectively objected to the data processing. If data are processed on the basis of a consent, the processing will be performed until the consent is withdrawn. If data are processed on the basis of the necessity to enter into and perform an agreement, the data will be processed until its termination.
8.2. The data processing period may be extended if processing is necessary to establish or pursue possible claims or defend against such claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
9. Rights connected with personal data processing
DATA SUBJECTS’ RIGHTS
9.1. Data subjects have the following rights:
9.1.1. The right to information on personal data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
9.1.2. The right to receive a copy of the data – on that basis, the Controller provides a copy of the data processed to a person making the request;
9.1.3. The right to rectification – the Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;
9.1.4. The right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. The right to restriction of the processing – if such a request is made, the Controller stops performing any operations on the personal data except for those to which the data subject has given consent and except storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the supervisory authority issues a decision permitting further data processing);
9.1.6. The right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the data subject in a machine-readable format. It is also allowed to request that the data are transmitted to another entity on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
9.1.7. The right to object to personal data processing for marketing purposes – the data subject has the right to object at any time to personal data processing for marketing purposes without the obligation to justify such an objection;
9.1.8. The right to object to data processing for other purposes – the data subject may object at any time to personal data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
9.1.9. The right to withdraw consent – if data are processed on the basis of a given consent, the data subject may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal.
9.1.10. The right to complain – if the data subject believes that the personal data processing breaches the provisions of GDPR or other personal data protection regulations, the data subject has the right to lodge a complaint with the President of the Personal Data Protection Authority.
NOTIFICATION OF REQUESTS ASSOCIATED WITH EXERCISING THE RIGHTS
9.2. A request regarding the exercise of the rights of data subjects may be submitted:
9.2.1. in writing to the address: Data Protection Coordinator, Lublin (20-950), Bernardyńska 15 Street;
9.2.2. by e-mail to the address: kodo@biuro.perla.pl
9.3. If the Controller is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information.
9.4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
9.5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend the deadline, the Controller shall inform the applicant about reasons for the delay.
9.6. The response is provided by traditional mail, unless the request is made by e-mail or the response is required in an electronic form.
CHARGING PRINCIPLES
9.7. Proceedings regarding submitted requests are free of charge. Charges may only be collected in the case of:
9.7.1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that fees are paid in the amount of 200 PLN.
The above fee includes administrative expenses connected with recognizing the request.
9.7.2. making requests by the same person that are excessive (e.g. extremely frequent ones) or manifestly unfounded; in such a case, the Controller may demand that fees are paid in the amount of 500 PLN.
The above fee includes costs of carrying on communication and costs connected with taking requested actions.
9.8. If the data subject challenges the decision to charge fees, the person may lodge a complaint with the President of the Personal Data Protection Office.
10. Amendments to the Personal Data Processing Policy
10.1. The policy is verified on an ongoing basis and updated when needed.
10.2. The present version of the Policy was adopted on 25th May, 2018.