Brenntag Polska sp. z o. o. takes privacy concerns that its service users, including website visitors, may have very seriously.
PERSONAL DATA PROTECTION
Personal data are supplied voluntarily by website users. “Personal data” means any information relating to an identified or identifiable natural person who can be identified, by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including image, voice recording, contact details, location data, information contained in correspondence, collected by means of recording equipment or any similar technology.
The data controller (the “Controller”) is Brenntag Polska sp. z o. o.
- contact details: Brenntag Polska Sp. z o.o. ul. J.Bema 21, 47-224 Kędzierzyn-Koźle
- email: email@example.com
DATA PROCESSING BY THE CONTROLLER
In connection with its business, the Controller collects and processes personal data in compliance with relevant regulations, in particular with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (the “GDPR”) and the rules for processing personal data specified therein.
The Controller ensures the transparency of data processing, in particular by informing the data subjects, at the time of collection or after the data is received, that the data would be processed; of the purpose and legal basis of the processing - e.g. when signing a contract. The Controller ensures that the data is collected only to the extent required for the indicated purpose, and processed only for as long as it is necessary.
When processing data, the Controller ensures that data is processed in compliance with applicable laws. If despite security measures applied, a personal data breach has occurred resulting in a high risk to the rights and freedoms of any individual (e.g. data leakage or loss), the Controller shall notify the supervisory authority and all affected individuals in the manner as required by applicable law.
CONTACTING THE CONTROLLER
The Controller may be contacted by email at: firstname.lastname@example.org or by conventional mail at the correspondence address of the Controller.The Controller has appointed a data protection officer who can be contacted by email or by conventional mail at the correspondence address of the Controller in any matters relating to the data processing.
In connection with business purposes, personal data is disclosed to third parties, including specifically to IT and monitoring services suppliers, providers of legal, advisory and audit services, couriers, postal operators, brokers, insurers and marketing or recruitment agencies. Data is also disclosed to Brenntag group companies.
The Controller reserves the right to disclose selected information about a given data subject to the competent authorities or third parties who submit a request for such information, based on the relevant legal basis and in accordance with applicable laws.
TIME LIMIT FOR THE PROCESSING OF PERSONAL DATA
The time limit for the processing of data may be processed depends on the type of service provided and the purpose of the processing. In addition, the time limit may result from legal regulations, if they are the basis for the processing.
In the event where data is processed based on the Controller’s legitimate interest, data can be processed for a period required to accomplish that interest or until an effective objection is filed with respect to the data processing. If the processing is based on a consent, the data may be processed until the consent is withdrawn. If the data processing is necessary for the conclusion or performance of a contract, data may be processed until the contract is terminated.
The time limit for the data processing may be extended, if the processing is necessary for the establishment, exercise or defence of legal claims and thereafter, only if and to the extent that it is required by legal regulations. After the end of the time limit, data is irretrievably erased or rendered anonymous.
A data subject is a natural person whose personal data is processed by the Controller, e.g. a person visiting the Controller’s premises or sending an email inquiry.
Data subjects have the following rights:
- Right to information about personal data processing – on this basis the Controller is required to provide, at request, a confirmation that the personal data is being processed, and specifically the information on the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, the scope of data, the recipients of the personal data, and the estimated time at which the data will be erased;
- Right to receive a copy of the data – on this basis, the Controller is required to provide a copy of the data that is being processed at request;
- Right to rectification – the Controller is required to remove any possible discrepancies or inaccuracies in the personal data being processed and complete it, if such need arises;
- Right to erasure – on this basis the data subject may request erasure of the data, which is no longer necessary in relation to the purposes for which it is collected;
- Right to restriction of processing – the data subject may request the Controller to cease processing personal data – except for the operation to which the data subject has already give his or her consent and to cease its storage in accordance with the adopted data retention policy or until the circumstances for restricting processing are resolved (e.g. the supervisory authority issues a decision permitting the further processing of data);
- Right to data portability – on this basis – where the processing is based on a contract or on consent – the Controller shall deliver to the data subject the data that has been provided, in a machine-readable format. The data subject may request that his or her data be transmitted to a third party, on the condition, hoverer, that it is technically possible on the part of the Controller and the third party;
- Right to object to processing of data for marketing purposes – the data subject may object at any time to processing of personal data for marketing purposes, without the need to provide any reasons for such objection;
- Right to object to processing of data for other purposes – the data subject may object at any time to processing of personal data for the purposes of the legitimate interests pursued by the Controller (e.g. for analytical or statistical purposes or for the purposes related to the protection of property). An objection in this respect should contain a reason;
- Right to withdraw consent – where processing is based on consent, the data subject may withdraw such consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- Right to lodge a complaint – if the data subject decides that the processing of personal data is in breach of the GDPR or other regulations concerning personal data protection, he/she can file a complaint to the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
In order to exercise the aforementioned rights, the data subject must contact the Controller or is delegated employee using the contact details provided in this document.
REQUESTS WITH RESPECT TO THE RIGHTS
Requests with respect to the rights may be made:
- by conventional mail: Brenntag Polska Sp. z o. o. ul. J.Bema 21, 47-224 Kędzierzyn-Koźle
- by email: email@example.com
If the Controller is unable to identify the individual making the request, it will request further information.
The Controller must respond immediately, but no later than within one month from the receipt of the request. If the deadline for reply needs to be extended, the Controller must inform the individual making the request about the reasons for delay.
Replies are given by conventional mail unless a request is submitted by email or the individual specifically requested that he or she prefers.
PURPOSES AND LEGAL BASES OF DATA PROCESSING BY THE CONTROLLER
Email and conventional correspondence
When an e-mail or conventional mail, unrelated to any services provided to the sender or another contract with the sender, is sent to the Controller, the personal data contained in such correspondence is processed only to communicate and address with the issue to which that correspondence pertains.
The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) which involves exchanging business correspondence addressed to the Controller. The Controller processes only such personal data that is material for the issue to which the correspondence pertains. The entire correspondence is kept in a manner that ensures security of the personal data contained therein and other information, and is disclosed to authorised persons only.
Contact by phone
When the Controller is contacted by phone, in matters unrelated to a signed contract or provided services, personal data can be demanded only when this is necessary to address the issue, to which the contact pertains. The legal basis in this case is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) which involves specifically addressing the issue connected with its business.
Visual monitoring and access control
To ensure the safety of people and property, the Controller uses visual monitoring and controls access to the premises and area managed by it. The data collected in this way is not used for any other purposes.
Personal data in the form of monitoring recordings and data collected in the register of entries and exits is processed to ensure security and order on the premises and, possibly, to defend against or seek claims. The legal basis for the processing of personal data is in the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) which involves ensuring safety of the Controller’s security and protecting its rights.
As a part of recruitment processes, the Controller expects to be provided with personal data (e.g. in a CV or a job application) only to the extent set out in the labour law. Therefore, information in any broader scope should not be provided. When the received applications contain any additional data, such data will not be used or taken into consideration in the recruitment process without the consent of the data subject.
Personal data is being processed:
- to carry out the recruitment process with respect to the data, which are not required by law, and for the purpose of future recruitment processes – the legal basis for the processing is the consent (Article 6(1)(a) of the GDPR);
- to perform the legal obligations related to the employment process, including specifically from the Polish Labour Code – the legal basis for the processing is the Controller’s legal obligation (Article 6(1)(c) of the GDPR in conjunction with the Labour Law);
- to identify, seek or defend possible claims – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).
The Administrator collects and processes personal data in the form of name, surname, vehicle registration number and (e.g. in the case of drivers) PESEL number or passport number/ residence card for the purpose of identification necessary to perform the contract by the Administrator (sale, delivery, transport, etc.) and to fulfil public and legal obligations.
COLLECTING DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
If data is collected for the purposes connected with performance of a specific contract, upon the execution of such contract the Controller will provide to the data subject detailed information concerning the processing of his or her personal data.
Collecting data on other occasions
In connection with its business, the Controller collects personal data on other occasions, for instance during business meetings, at industry events or when exchanging business cards – for purposes related to the initiation and maintenance of business contacts. The legal basis for processing in this case consists in the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) which involves creation of a network of contacts in connection with the conducted business.
The personal data collected on such occasions is processed solely for the purpose, for which it is collected, and the Controller provides appropriate protection for such data.
To ensure integrity and confidentiality of the data, the Controller has implemented procedures that allow access to personal data only to authorised persons and only to the extent as it is required for performing their duties. The Controller applies organisational and technical measures appropriate to ensure that all the operations on the personal data are recorded and performed only by authorised persons.
Furthermore, the Controller takes all necessary measures to ensure that its subcontractors and other business partners provide sufficient guarantee to apply appropriate security measures every time when they process personal data at the request of the Controller.
The Controller performs risk analysis on a regular basis and monitors the adequacy of applied data safeguards to the identified risks. If necessary, the Controller implements additional measures to increase the security of data.
TRANSMITTING THE DATA OUTSIDE THE EEA
The level of personal data protection beyond the European Economic Area (the “EEA”) differs from the protection level ensured by European law. Therefore, the Controller transfers personal data beyond the EEA only when this is necessary, with appropriate protection level provided in compliance with the GDPR.
The Controller communicates its intention to transfer personal data beyond the EEA at the stage of collecting data.