2. The controller of the user’s personal data within the meaning of GDPR is: Carriere Contracting International Recruitment Polska Sp. z o.o with its registered office in Wrocław, 53-332 Wrocław, ul. Powstańców Śląskich 7A, entered into the Register of Entrepreneurs of the National Court Register under No. 0000183647, Tax ID No. (NIP): 754-275-77-08 and National Business Registry No. (Regon): 532415172, hereinafter referred to as the “Company”.
3. Personal data is any information that identifies or allows the identification of the data subject. A distinction is made between:
- general personal data, which include:
- first and second names and surname;
- other identifying information: gender, marital status, height, weight, date and place of birth, mailing and residential address, e-mail address, landline/mobile phone number;
- data on the place of residence and employment abroad (location);
- bank account number;
- profession and professional experience;
- Dutch Tax Identification Number (BSN);
- qualifications (forklift truck, driving licence);
- command of foreign languages;
- number and series of identity card or passport, date of issue of the identity card or passport, expiry date of the identity card or passport;
- specific personal data – with the consent of the data subject, the Company processes information on their health status in order to adapt job offers presented to the person’s health-related needs and possibilities.
The Company processes personal data where the data subject has consented to the processing or where the Company has another legal basis allowing the processing of the data, with the basis depending on the category of data:
- general personal data may be processed by the Company in cases where:
- express consent of the data subject is granted;
- the Company takes steps to select and present a suitable job offer to a foreign employer or to execute an agreement concluded with the Company;
- the Company fulfils a legal obligation;
- the Company has a legitimate interest in doing so (for example, in cases where: the Company searches for the most suitable job offer for the data subject, investigates the satisfaction of persons using the intermediary services provided by it, conducts direct marketing activities for the benefit of itself and entities that belong to its capital group, prepares statistics and internal reports, as well as determines and asserts or defends against claims.
- Specific personal data may be processed by the Company if it has the relevant consent of the data subject.
4. Registration and provision of personal data to the Company is voluntary and involves only necessary personal data. Once the candidate has provided the Company with their personal data, they complete the registration process in person at our office or in a remote recruitment interview using electronic technical means of direct remote communication. Only in this way is our Company able to find and present the most suitable job offer. In situations where a candidate lives or resides outside the territory of Poland and states that they are unable to meet the formal requirements of the recruitment process conducted by the Company, then, with the candidate’s consent, the Company may transfer their personal data to a potential foreign employer for that foreign employer to conduct a direct recruitment procedure for the candidate.
5. The collection of personal data by the Company takes place from the moment the candidate provides the Company with a set of their data contained in the registration form or in any other form. The personal data obtained is processed by our Company; the Company does not use the personal data for purposes other than those provided by law, and this data is not transferred, sold or made available to other persons or institutions, except with the consent of the person to whom the personal data relates and in cases where it is necessary for the purpose for which the data was collected and is processed. Personal data is safe in physical terms – the Company uses effective technological protection measures available on the market including anti-virus software and secure protocols for encrypted data transmission (SSL).
6. The candidate has several rights in connection with the processing of their personal data:
- The right of access to personal data
- The candidate, as a data subject, has the right to be informed by the Company whether it processes their personal data, as well as:
- why the Company processes the data;
- what types of data the Company processes;
- to which recipients or categories of recipients the Company has disclosed or may disclose the data;
- how long the Company intends (as far as can be determined) to process the data or on the basis of which criteria this time can be determined.
- The right to rectification or completion of data
- The candidate may request that the Company rectify inaccurate personal data or complete incomplete data without delay.
- The right to erasure (right to “be forgotten”)
- The data subject may request that the Company erase their data if:
- the data is no longer necessary to fulfil the purpose for which the Company collected it,
- the data was not processed in accordance with the GDPR or other legal provisions. A candidate who wishes to have their data erased may submit a request to the Company specifying their requests; the Company will grant the requests when, in its opinion, there are no legitimate grounds to continue processing the data. If the Company erases the data of the person requesting it, then the Company will be entitled to retain information on whose request this erasure was effected.
- The right to restrict the processing of personal data. The data subject may request that the Company restrict the processing of their data, which may relate to the following situations:
- the data subject indicates that the data processed by the Company is incorrect, in which case the Company will verify whether the data is correct and propose its correction.
- the data subject believes that the Company processes the data unlawfully and requests the Company to restrict the use of the data – the Company will restrict the processing of such data and mark the relevant data without erasing it until the person who made the request revokes it.
- the Company no longer needs the personal data to achieve its intended purpose, but the data subject objects to the erasure of the data because they need it to assert or defend their claims, in which case the Company will ask for an indication of the extent of the personal data that the data subject needs and the anticipated duration of its continued storage (if this can be determined).
- the data subject wishes to object on grounds relating to their particular situation (where the Company processes the data on the basis of the Company’s legitimate interest) – the Company will review the situation and propose to the candidate that they indicate the specific purpose to which they object. Please note: There may be situations where the Company will continue to process data, despite the data subject’s request to restrict the processing of their data – this may apply in particular if the Company is establishing, investigating or enforcing claims or defending itself against claims.
- The right to data portability Any data subject has the right to data portability – in which case this data will be provided by the Company directly to the person who requests it so that they can transfer it to another entity.The Company will provide the data in an encrypted e-mail message.
- The right to object to processing The data subject may object to the processing of their personal data by the Company where the Company carries out such processing on the basis of the Company’s legitimate interests. The person concerned should indicate in each case what specific objection they make, e.g. an objection to the marketing of the Company’s services will cause the Company to cease any marketing activities, including the preparation and presentation of offers, for the person making the objection.
7. Personal data protection breach
If the Company, as a data controller, accidentally or unlawfully destroys, loses, modifies, discloses or shares personal data, it is deemed to be a personal data protection breach. In such cases, the Company will inform the following parties:
- the data subject – if the risk of a violation of the rights and freedoms is estimated by the Company to be high – immediately,
- the supervisory authority – if the Company finds that there may have been (with more than low probability) a violation of the rights or freedoms of natural persons – immediately, as far as technically possible, no later than within 72 hours.
8. Transfer of personal data
Pursuant to the GDPR, the Company may provide the candidates’ personal data to foreign employers with whom it cooperates as a job brokerage agency facilitating work abroad with foreign employers, to the State Labour Inspectorate in the course of its audits, and to entities with which the Company has entered into service contracts (outsourcing contracts).
9. Data Protection Officer
The Company has appointed a Data Protection Officer who ensures and is responsible for ensuring compliance with data protection legislation across the Company and who is happy to answer, on a confidential basis, any questions as the Company’s priority is the security of the data of those who use its services. The Data Protection Officer can be contacted:
- by e-mail – at firstname.lastname@example.org
- by post, to the following address:
Data Protection Inspector Carriere Contracting International Recruitment Polska Sp. z o.o. With its registered office in Wrocław
ul. Powstańców Śląskich 7A
10. The GDPR provides six principles for processing personal data:
- the principle of legality, reliability, and transparency – which means that the Company processes personal data in accordance with the provisions of the law and that we inform about all related issues comprehensively in a plain and understandable language;
- the principle of data minimisation and adequacy – the Company processes only the data which is necessary for the fulfilment of the purpose or purposes of personal data processing;
- the principle of data accuracy – the Company ensures that the data processed is truthful, up-to-date and accurate. Therefore, the Company requests that, from time to time, the persons whose data is processed check and update their data and inform the Company of any changes to their personal data;
- the principle of limitation of the purpose and storage of processed data – personal data is collected only for a specified, clear, and legitimate purpose which the Company could not achieve otherwise. The Company stores data in such a way that the data subject can be identified, and the data is only processed for as long as necessary to fulfil the purpose for which the Company obtained the data (unless further processing is required by law);
- the principle of data integrity and confidentiality – the Company ensures such IT and organisational solutions which ensure that the personal data processed is secure; this means that the Company protects data against unauthorised or unlawful processing as well as accidental loss, destruction or damage;
- the principle of accountability – the Company has taken steps to demonstrate that, as far as personal data is concerned, it acts in accordance with the law and takes data protection into account when seeking a job offer for a candidate.
11. The Company collects personal data directly from the data subject, in which case the Company immediately provides the data subject with information regarding the processing of their personal data. Where the data originates from another person, the Company provides this information to the data subject:
- within a reasonable time, but no later than one month after the data was obtained;
- at the latest at the first communication with the data subject (if the Company uses the data for the communication with this very data subject), unless the provision of information proves impossible or would involve a disproportionate effort.
Information regarding the processing of personal data may be provided by the Company:
- in information clauses included in documents provided to the data subject;
- either in person or by telephone during a conversation with an employee of the Company;
- by electronic means, including by posting this information on the Company’s website.
12. Duration of personal data processing
The Company processes personal data for the time necessary to achieve the purpose of the processing. The specific period depends on the situation of the data subject:
- A person provided the Company with their personal data, but no contract for employment abroad with a foreign employer was concluded between the Company and that person – this will be 3 years from the date of providing the Company with the personal data; in the event that the person fills in the registration form again or sends an update of their personal data, then their data will be updated and the process of the Company’s services consisting in attempting to secure employment with a foreign employer will be restarted.
- A person provided the Company with their personal data and a contract was concluded between the Company and that person with respect to sending them to work abroad with a foreign employer, but the person did not conclude a contract with the foreign employer or concluded such a contract but without commencing employment with the foreign employer – this will be 3 years from the date when the contract with the foreign employer was to be concluded or the person commenced employment with the foreign employer;
- A person provided the Company with their personal information and a contract was concluded between the Company and that person with respect to sending the person to work abroad for a foreign employer and the person then commenced employment with the foreign employer – this will be 3 years from the date the person’s employment with the foreign employer ended.
The Company applies a retention restriction on personal data which protects the data from being processed for an unlimited period. Once the Company has achieved the purpose of the processing, it then erases or anonymises the data, which takes place in particular when:
- the data subject withdraws their consent to the processing of their personal data (where consent was the basis for the processing);
- the data subject successfully objects to further processing (where the processing was based on the Company’s legitimate interest);
- the statute of limitations for possible claims has expired (if the Company processed the data to perform a contract);
- Time limits that result from other regulations (e.g. Accounting Act, etc.) have elapsed.
Contact is possible:
- with the Company as the controller of the candidate’s personal data by contacting the Company’s consultants or employees of our Company’s offices by telephone if it concerns making an instruction regarding personal data;
- with the Data Protection Officer if it concerns the manner or extent to which the Company processes the data held (compare with item 9 above);
- with the President of the Office for Personal Data Protection (formerly the Inspector General for Personal Data Protection) if it concerns a complaint about how personal data is processed by the Company.
In case of any questions or concerns, or any requests or objections relating to the Company’s processing of personal data, please contact email@example.com or by calling one of our offices. If an individual suspects that their data is being processed in breach of the GDPR, they may lodge a complaint with the data protection supervisory authority in the manner indicated on that supervisory authority’s website at www.uodo.gov.pl