1.1. The Controller – Perła – Browary Lubelskie S.A.
1.2. Personal Data – all information about a natural person identified or identifiable by one or more factors referring to physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact data, location data, information contained in correspondence, information collected through recording equipment or other similar technology.
1.3. Policy – this Personal data processing policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data subject – any natural person whose personal data is processed by the Controller, e.g., a person visiting the Controller’s premises or sending an e-mail enquiry to the Controller.
Data processing by the Controller
2.1. In connection with its business activity, the Controller collects and processes personal data in accordance with the applicable legislation, including in particular GDPR, and the data processing rules provided for therein.
2.2. The Controller shall ensure the transparency of data processing. In particular, the Controller shall make it clear, at all times upon collection, that the collected data will be subject to processing, stating the purpose and legal basis of such processing, e.g., upon concluding a contract for the sale of goods or services. The Controller shall ensure that data is collected only to the extent necessary for the stated purpose and processed only for as long as needed.
2.3. While processing personal data, the Controller shall ensure its security and confidentiality as well as provide access to information about data processing to the data subjects. If a breach of personal data security occurs despite the security measures in place (e.g., data leakage or loss of data), the Controller shall inform the data subjects of such an event in accordance with the applicable regulations.
Contact with the Controller
3.1. The Controller can be contacted via e-mail firstname.lastname@example.org or the mailing address: Koordynator Danych Osobowych [Personal Data Coordinator], ul. Bernardyńska 15, 20-950 Lublin.
3.2. The Controller has appointed the Personal Data Coordinator, who can be contacted via e-mail: email@example.com on any matter concerning the processing of personal data.
Security of personal data
4.1. To ensure data integrity and confidentiality, the Controller has implemented procedures to allow access to personal data only to authorised persons and only to the extent necessary for the tasks they perform. The Controller has implemented organisational and technical solutions to ensure that all operations involving personal data are recorded and performed only by authorised persons.
4.2. The Controller has further taken all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the use of appropriate security measures whenever they process personal data on behalf of the Controller.
4.3. The Controller conducts risk analyses on an ongoing basis and reviews whether the data security measures implemented are adequate for the identified risks. Where necessary, the Controller implements additional measures to enhance data security.
Purposes and legal bases of data processing
E-MAIL AND TRADITIONAL MAIL
5.1. If any correspondence is sent to the Controller by e-mail or traditional mail which is unrelated to the services provided to the sender, or to any other contract concluded with the sender, the personal data included in such correspondence shall be processed solely for communication purposes and with the aim to resolve the matter to which the correspondence relates.
5.2. The legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR) which is to enable the Controller to exchange correspondence in connection with its business activities.
5.3. The Controller shall process only that personal data which is relevant for the matter to which the correspondence relates. The entire correspondence shall be stored in a manner ensuring the security of personal data (and other information) it contains, and shall be disclosed only to authorised persons.
5.4. When contacting the Controller via telephone on matters unrelated to the contract concluded or the services provided, the Controller may demand the provision of personal data only if it proves indispensable to handle the matter to which the contact relates. The legal basis in this case is the Controller’s legitimate interest (Article 6.1.f of GDPR) connected with the need to resolve the reported matter related to its business activity.
5.5. Telephone conversations may also be recorded – in this case, appropriate information shall be provided at the beginning of the call. The calls are recorded with the aim of monitoring the quality of the service provided and verifying consultants’ work, as well as for statistical purposes. The recordings are available only to the Controller’s employees and hotline operators.
5.6. Personal data in the form of call recordings is processed:
5.6.1. for the purpose of serving customers and clients via the hotline, if the Controller provides such a service – the legal basis for such processing is the need to process data in connection with providing the service (Article 6.1.b of GDPR);
5.6.2. for the purpose of monitoring the quality of service and verifying the work of hotline consultants, as well as for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR) which is to ensure top-quality customer service and consultants’ work, and to conduct statistical analyses concerning communication by phone.
VISUAL MONITORING AND ACCESS CONTROL
5.7. To ensure the safety of persons and property, the Controller uses visual monitoring and controls access to the premises and the area under its supervision. The data collected in this way is not used for any other purpose.
5.8. Personal data in the form of visual monitoring recordings and data collected in the register of entries and exits is processed to ensure the safety and order on the premises, and possibly to defend against or investigate claims. The basis for such processing of personal data is the Controller’s legitimate interest (Article 6.1.f of GDPR), which is to ensure the safety of the Controller’s property and to protect its rights.
5.9. As part of recruitment processes, the Controller expects the transfer of personal data (e.g., in a CV or resume) only to the extent specified in labour law. Therefore, no additional information should be provided. If the application sent contains any additional data, it will not be used or taken into account in the recruitment process.
5.10. Personal Data is processed:
5.10.1. for the purpose of complying with the obligations arising from legal regulations, related to the employment process, in particular the Labour Code – the legal basis for such processing is the Controller’s legal obligation (Article 6.1.c of GDPR in connection with the provisions of the Labour Code);
5.10.2. for the purpose of carrying out the recruitment process in respect of data not required by law, as well as future recruitment processes – the legal basis for such processing is the consent (Article 6.1.a of GDPR);
5.10.3. for the purpose of establishing or investigating potential claims or defending against them – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR).
COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
5.11. If data is collected for the purpose of performing a specific contract, the Controller shall provide the data subject with details of the processing of his/her personal data upon conclusion of the contract.
OTHER CASES OF DATA COLLECTION
5.12. In connection with its activities, the Controller also collects personal data in other cases, e.g., during business meetings, industry events or through the exchange of business cards, for the purposes of establishing and maintaining business contacts. The legal basis in this case is the Controller’s legitimate interest (Article 6.1.f of GDPR) connected with establishing a network of contacts in relation to its business activity.
5.13. Personal data collected in such cases is processed only for the purpose for which it was collected and the Controller shall ensure adequate protection thereof.
6.1. In connection with conducting any activities involving data processing, personal data may be disclosed to external entities, in particular suppliers responsible for the operation of IT systems and equipment (e.g., CCTV equipment), entities providing legal or accounting services, couriers, marketing or recruitment agencies.
6.2. The Controller reserves the right to disclose selected information concerning the data subject to the competent bodies or third parties who make a request for such information by referring to the appropriate legal basis, in accordance with the provisions of the applicable law.
Provision of data outside the EEA
7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that envisaged by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:
7.1.1. cooperating with the processors of personal data in countries for which a relevant decision of the European Commission has been issued;
7.1.2. applying standard contractual clauses issued by the European Commission;
7.1.3. applying binding corporate rules approved by the competent supervisory body.
7.2. The Controller shall always disclose its intent to transfer personal data outside the EEA upon its collection.
Period of personal data processing
8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. The period of data processing may also result from legal regulations if these provide the basis for such processing. If data is processed on the basis of the Controller’s legitimate interest, e.g., for security reasons, such processing shall continue for the period that enables the fulfilment of this interest or until an effective objection to the processing is raised. If data is processed on the basis of the consent, such processing shall continue until the consent is withdrawn. If the basis for processing is the need to conclude and perform a contract, such processing shall continue until the contract is terminated.
8.2. The period of data processing may be extended where such processing is necessary for establishing and investigating claims or defending against them, and thereafter only if and to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymised.
Rights arising in connection with the processing of personal data
RIGHTS OF DATA SUBJECTS
9.1. The following rights are vested in data subjects:
9.1.1. the right to be informed on the processing of personal data – the Controller shall provide the person making the request with information about data processing, including in particular the purposes and legal bases for such processing, the scope of the data retained, the entities to which the data is disclosed, and the planned date of data erasure;
9.1.2. the right to obtain copies of data – the Controller shall provide the person making the request with copies of the processed data;
9.1.3. the right to rectify data – the Controller shall eliminate any inconsistencies or errors in the personal data being processed, and complete it when necessary;
9.1.4. the right to erase data – the data subject may demand the erasure of data whose processing is no longer necessary for the fulfilment of any of the purposes for which it was collected;
9.1.5. the right to restrict processing – if such a request is made, the Controller shall cease to perform operations on personal data – with the exception of operations to which the data subject has given his/her consent – and shall store such data in accordance with the retention rules adopted or until the reasons for restricting the processing cease to apply (e.g., a decision is issued by a supervisory authority allowing for the further processing of data);
9.1.6. the right to data portability – to the extent that the data is processed in connection with the concluded agreement or under consent, the Controller shall supply the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity, provided that both the Controller and the entity concerned have the technical capacities to do so;
9.1.7. the right to object to data processing for marketing purposes – the data subject may at any time object to the processing of his/her personal data for marketing purposes, without having to justify such objection;
9.1.8. the right to object to other data processing purposes – the data subject may at any time object to the processing of his/her personal data which takes place in connection with the Controller’s legitimate interest (e.g., for analytical or statistical purposes, or for reasons connected with property protection); such objection should be made along with providing justification;
9.1.9. the right to withdraw the consent – if the data is processed under the consent, the data subject has the right to withdraw it at any time; however, this shall not affect the lawfulness of the processing carried out before the withdrawal of the consent;
9.1.10. the right to file a complaint – if the processing of personal data is considered to be in breach of the provisions of GDPR or other data protection legislation, the data subject may file a complaint with the President of the Personal Data Protection Office.
REPORTING A REQUEST CONCERNING THE EXERCISE OF RIGHTS
9.2. A request for the exercise of data subjects’ rights can be made:
9.2.1. in writing to the following address: Koordynator Danych Osobowych [Personal Data Coordinator], ul. Bernardyńska 15, 20-950 Lublin;
9.2.2. by e-mail to the following address: firstname.lastname@example.org
9.3. If the Controller is unable to identify the person making the request on the basis of the request, it shall require that person to provide additional information.
9.4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
9.5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend this deadline, the Controller shall inform the requesting persons of the reasons for the delay.
9.6. The reply shall be provided by post unless the request is made by e-mail or unless electronic transmission is requested.
FEE COLLECTION PRINCIPLES
9.7. Proceedings regarding submitted requests are free of charge. Charges may be collected only in the case of:
9.7.1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that a fee be paid in the amount of 200 PLN. The above fee includes administrative expenses connected with recognizing the request;
9.7.2. submitting excessive (e.g., very frequent) or clearly groundless requests by the same person; in such cases, the Controller may charge PLN 500.00. The aforementioned fee includes the costs of communication and the costs related to taking the requested action.
9.8. If the decision to impose the fee is contested, the data subject may file a complaint with the President of the Personal Data Protection Office.
Amendments to the Personal Data Protection Policy
10.1. The Policy is updated on an ongoing basis and as needed. The current version was adopted on 16 July 2020.