Who is the controller of your personal data?
The controller of your personal data is Bista Standard Sp. z o. o. in Bydgoszcz, address: ul. Smoleńska 29, 85-871 Bydgoszcz.
We care about your privacy.
Bista Standard pays particular attention to personal data protection and respect of privacy. We feel responsible for the safety of the personal data processed by us in connection with our business operations. Our goal is to provide the highest quality services while properly informing people whose data we process about the legal bases for this, the ways in which personal data is collected and used by us, as well as the rights that they have.
When is this personal data protection policy applied?
What are personal data and what does processing of personal data mean?
Personal data means any information relating to an identified or an identifiable natural person by reference to one or several factors specifying the physical, physiological, genetic, psychological, economic, cultural or social identity, including their image, voice recording, contact details, data concerning the location, information contained in correspondence, information gathered using recording equipment or similar technology.
Processing of personal data is in principle every activity carried out on personal data, irrespective of whether or not performed in an automated manner, e.g., the collection, storage, recording, organisation, modifying, review, use, making available, restricting, and deleting or destruction thereof.
Data protection pillars that serve as our guide.
LEGALITY - we foster privacy protection and process personal data in accordance with the law.
COMPLIANCE WITH OBJECTIVES AND ADEQUACY OF DATA - we process personal data within the processes linked to the business that we run, solely and exclusively for the purposes for which they were collected. We are guided by the principle of minimisation of personal data. We limit ourselves to collecting only those personal data that are necessary to achieve a set goal, about which we notify you at the time of collecting your data. We take care to ensure that only data, which is absolutely necessary from the point of view of a specific processing goal, is collected.
DATA ACCURACY - we take special care to ensure the substantive accuracy of the data. We take action in order to ensure that incorrect personal data is promptly rectified or deleted.
LIMITED RETENTION - we store personal data no longer than necessary to achieve the objective for which they were collected. Data, whose scope of use is limited as time passes, are removed. However, we can store personal data for longer for archiving purposes in the public interest, for the purpose of scientific or historical research or for statistical purposes, which is recognised as being in line with the provisions of personal data protection laws.
SECURITY - we provide an adequate level of protection of your personal data. We have implemented safeguards for personal data that are adequate to the threats present. We carry out an analysis of the risks on an ongoing basis in order to ensure that your personal data will be processed in a way that is safe. Only authorised persons have access to your personal data and solely and exclusively in the scope necessary to perform the relevant tasks by them. We take all necessary actions to ensure that our subcontractors and other partners provide adequate personal data security guarantees.
RIGHTS OF DATA SUBJECTS - we enable the people whose data is processed by us (data subjects) to exercise their rights and we enforce their rights.
ACCOUNTABILITY - we document the way in which we meet the duties and obligations resulting from personal data protection law so as to be able to demonstrate compliance with the law at all times.
Personal data collected by us - information provided of your own accord.
We collect or request the provision of personal data in particular in the following circumstances:
- When you contact us by e-mail, telephone, post or in any other way;
- When you request a quote or offer, assistance, or files to download or any other information;
- When you buy a product, service or other solution;
- When you are our subcontractor or other partner;
- When you take part in our recruitment process when applying for a job at our company;
- When you are our employee associate.
The types of personal data that we can request will usually be obvious to you at the time of their provision and may include your name and surname and contact details (e.g., address of residence, e-mail address, and telephone number).
How do we use your personal data?
We process personal data for various purposes and different methods of collecting, legal bases for their processing and making available and different periods for storage are applied depending on the purpose. We would like to point out that whenever we process your personal data pursuant to our legitimate interests, we try to analyse and balance our interests and potential impact that it may have on you (both positive and negative) and your rights resulting from personal data protection provisions. We do not process personal data based on our legitimate interests if we conclude that the impact that it would have on you would outweigh our interests (we can then process personal data if, for instance, we obtain your consent or if permitted or required by applicable law).
Personal data obtained from you is used only for the purposes described in this Personal Data Protection Policy or similar purposes specified at the time of collecting the personal data, in particular purposes related to the following:
- The provision of responses to questions put by telephone and to any correspondence sent to us by electronic mail or post;
- The conclusion and execution of contracts and agreements;
- The performance of direct marketing, in particular making offers concerning our products and services;
- The provision of accounting and financial reporting services;
- The conduct of employee recruitment services and their hire;
- The conduct of claims litigation or defence from and against claims;
- The provision of corporate website services, their operation and management;
- The provision of security services in relation to property and persons at company facilities.
What legal bases do we have to process your personal data?
Our legal bases to collect and use the personal data described hereinabove depend on the type of personal data and the specific purpose for which it was collected or requested by us. Nevertheless, we usually only collect personal data if:
- This data is necessary for us to provide our services or perform a contract or agreement concluded with you;
- We have your consent;
- We are legally required to collect your personal data;
- The processing of data is in our legitimate interests and is not contrary to your interests in the scope of personal data protection or your basic rights and freedoms.
How long is personal data processed by us?
The length of time for which we can process your personal data depends on the legal bases constituting a legal premise for us to process your personal data:
- When processing personal data based on your consent, the processing period lasts until the moment you withdraw your consent;
- When processing personal data in connection with the performance of an agreement, the processing period lasts until the completion or termination of the agreement;
- When processing personal data on the basis of our legitimate interests, the processing period lasts until the aforementioned interests cease (e.g., limitation periods that apply for bringing civil law claims) or until you object to such processing – in situations where you are entitled by law to submit such objections;
- When processing personal data due to requirements laid down by law, the data processing period for this purpose is defined by the relevant provisions of the law (e.g., the duty of storing documents relating to employment).
Conventional and e-mail correspondence.
If you send correspondence to us by e-mail or conventional post that is not connected with an agreement concluded with you or services rendered to you, the data in such correspondence will be processed by us for communication purposes and until the matter, which they concern, is resolved. We only process personal data that is significant to the matter that the correspondence concerns in a manner ensuring their safety.
The legal basis for the processing is legitimate interests of ours consisting of handling the correspondence sent to us in connection with the operations conducted by us (Article 6.1(f) GDPR) and your consent expressed in the form of a clear action in the form of correspondence sent to us (Article 6.1(a) GDPR).
Your data can also be processed with the purpose of the possibility to assert or defend against claims which execute our legitimate interests of safeguarding information in the event of a legal need to demonstrate facts (Article 6.1(f) GDPR).
Video monitoring and access control.
In order to ensure the safety of persons and property, we use access control to the site of our facilities using a video surveillance system. The basis for the processing of personal data is our legitimate interest of ensuring the safety of persons and property (Article 6.1(f) GDPR). We do not use the data collected in this manner for any other purposes. The visual records from the surveillance cameras will not be stored by us for periods longer than 3 months from the date of the recording in conditions safeguarding against unauthorised access thereto.
Recruitment of staff.
Within recruitment processes, we expect personal data to be provided (e.g., CV) only in the scope specified by labour law. If you also provide us any other data not required by us, we will consider that you have given consent to their processing. You can also withdraw such consent at any time, without affecting the lawfulness of the processing performed before the withdrawal of consent. In such a case, the relevant data will not be taken into account in the recruitment process.
The purposes for processing personal data in the recruitment process include:
- The process of recruitment for a specific job post - the legal bases for the processing of personal data is the necessity of actions to be taken before the conclusion of the employment agreement (Article 6.1(b) GDPR) and the fulfilment of obligations resulting from the provisions of the law relating to the recruitment process including, above all, the Labour Code (Article 6.1(c) GDPR); in the scope of data not required by the provisions of the law, the legal basis for the processing is your consent (Article 6.1(a) GDPR);
- Carrying out future recruitment processes on the basis of the consent expressed by you (Article 6.1(a) GDPR);
- Possible assertion or defence against claims, which execute our legitimate interests of safeguarding information in the event of a legal need to demonstrate facts (Article 6.1(f) GDPR).
If we are processing your data based on the consent expressed by you, you can withdraw it at any time, without affecting the lawfulness of the processing performed before the withdrawal of consent. For the purpose of carrying out future recruitment processes, your personal data will be removed not later than after one year unless you withdraw your consent earlier.
Performance of services or enforcement of agreements.
If we are collecting data for purposes relating to the performance of services or enforcement of agreements by us, the detailed information concerning the processing of your personal data will be provided at the time of conclusion of the agreement.
Performance of direct marketing.
We can process your personal data for purposes relating to direct marketing. The bases for processing are our legitimate interests relating to the agreement concluded with you or consisting of striving to the conclusion of an agreement by notifying you of our products and services (Article 6.1(f) GDPR). The sending of trade information to you by electronic means in the form of an e-mail to the address provided by you and in the form of a text message to the telephone number provided and use for this purpose of the telecommunications terminal equipment - electronic mail and telephone takes place on the basis of your consent.
We can process data for the purposes of direct marketing until you object to their processing for this purpose or withdraw your consent for the performance of direct marketing using telecommunications terminal equipment, including means of electronic communication.
Other cases of data collection.
We also collect personal data within the business operations conducted by us, e.g., during business meetings or by means of exchange of business cards. The personal data obtained in this way is processed by us for the purposes of striving to conclude an agreement - the legal bases for the processing of such data is the necessity of actions to be taken before the conclusion of an agreement (Article 6.1(b) GDPR) and for the purposes relating to the initiation and upkeep of business contacts – the legal bases for data processing in this case are our legitimate interests (Article 6.1(f) GDPR), consisting of creating a network of contacts in connection with the business conducted by us.
Data collected in this way can also be processed with the purpose of the possibility to assert or defend against claims which execute our legitimate interests of safeguarding information in the event of a legal need to demonstrate facts (Article 6.1(f) GDPR).
When and how do we make personal data available to third parties?
We provide your personal data to third parties solely and exclusively when the provisions of the law permit. Therefore, we may make your personal data available to the following categories of recipients:
- External service providers, that is, entities providing hosting services to us, IT firms, subcontractors rendering software supply services, software or equipment maintenance services, or companies providing accounting, human resource management services, couriers, law firms, debt collection agencies, auditors and statutory auditors, and tax advisors;
- Authorities supervising adherence to the law, regulatory authorities, and other public administration authorities, if we recognise that making your personal data available is necessary (i) in connection with the binding and applicable provisions of the law and in accordance with those rules, (ii) in order to exercise, establish or defend our rights or (iii) in order to safeguard your essential interests or the interests of third parties.
Do we transfer data to third countries?
Your personal data can be transferred and processed in countries other than the country of your residence, including in countries outside the European Economic Area (EEA). There may be different regulations regarding personal data protection in those countries than in the EU and, in certain cases, these provisions may be less restrictive. Our web servers and other servers are located in Poland. This means that we do not transfer your personal data to any third countries.
Your rights and how you can exercise them.
You have specific rights concerning your personal data and we, as the controller of the said data are responsible for the exercise of your rights in compliance with the applicable law. Should you have any further questions or concerns concerning the scope and exercise of your rights, please do not hesitate to contact us. We will reply by e-mail or by post unless the request/enquiry was sent by e-mail or a reply by electronic means was specifically requested. In order to protect your privacy and ensure safeguarding of your data, we reserve the right to implement the rights hereunder only after successfully verifying your identity.
Access to Personal Data
You have the right to access your personal data, which is stored by us, as the controller of personal data, and the right to obtain a copy of them.
Change of Personal Data
You have the right to update your personal data and to change it if the personal data held by us is incorrect or incomplete.
Withdrawal of Consent
In the case of your personal data being processed by us on the basis of your consent, you are free to withdraw such consent at any time. The withdrawal of consent will not affect the lawfulness of the processing of your personal data conducted before this withdrawal of consent. We notify you of this right of yours every time your consent is requested and we provide you with the possibility of withdrawing your consent as easily as it was granted.
Right to Restrict Personal Data Processing
You have the right to restrict the processing of your personal data. This right is valid in the following circumstances:
- When you question the correctness of your personal data – for the period required for us to verify their correctness;
- When you object to us deleting your data;
- When you need us to store your personal data because you need them for the purpose of establishing, pursuing or defence against claims.
In the event of such a request being made, we will ensure that it will be limited solely and exclusively to the storage of your personal data until such reasons for the restriction cease to exist.
Right to Object
You may object to the processing of your personal data in the following circumstances:
- When we are processing your personal data on the bases of legitimate interests or for statistical purposes and your objection is justified by a special situation in which you have found yourself.
- Your personal data is processed for the purposes of direct marketing, including their profiling for this purpose.
Right to Request Deletion of Personal Data and Right to Transfer Personal Data
You can exercise your right to delete data when, for instance, your personal data will no longer be necessary for the purposes for which we collected them, or if you withdraw your consent to us processing your personal data. You can also exercise this right if you file your objection to the processing of your personal data or if your personal data is processed unlawfully. We will also remove your personal data in order to fulfil obligations resulting from the provisions of the law.
You can exercise your right to transfer your personal data when we are processing your personal data on the basis of your consent or an agreement concluded with you, and when the processing is automated.
Right to Lodge a Complaint
You also have the right to lodge a complaint to a supervisory authority, namely, to the President of the Data Protection Authority (address: Prezes Urzędu Ochrony Danych Osobowych (former GIODO), ul. Stawki 2, 00-193 Warsaw).
How to contact us to obtain more information about the processing of your personal data?
Detailed information concerning the processing of your personal data is provided at the time of their collection. If you have any questions about your personal data and the exercise of your rights, please do not hesitate to contact us at:
E-mail address: email@example.com
Postal address: Bista Standard Sp. z o. o., ul. Smoleńska 29, 85-871 Bydgoszcz
We have appointed a Data Protection Supervisor who can be contacted at:
E-mail address: firstname.lastname@example.org
Postal address: Bista Standard Sp. z o. o., ul. Smoleńska 29, 85-871 Bydgoszcz
Is this personal data protection policy subject to change and, if so, under what circumstances?
We undertake to regularly review our Personal Data Protection Policy and any amendments thereto as required or whenever necessary in light of the following: new legislation, new guidelines/recommendations of bodies responsible for supervision over personal data protection processes, best practices in the field of personal data protection (Codes of Good Practice, should we be bound by such Codes, which you will be informed about). We also reserve the right to amend this Personal Data Protection Policy in the event of any change in technologies used to process personal data (provided this change affects the wording of this document), as well as any changes to the means, objectives and legal bases for the processing of personal data by us.
This document was last updated on 24 May 2018.