The GDPR – DOIT.BIZ Sp. z o.o.

The GDPR

To whom it may concern,

On 25 May 2018, the Act of 10 May 2018 on the Protection of Personal Data, Dz.U. [Journal of Laws] 2018 item 1000, entered into force. The Act regulates the protection of your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

Who is the controller of your personal data?

The controller of your personal data is DOIT.BIZ Sp. z o.o. with its registered office at ul. Wrzosowa 28, 62-023 Borówiec, NIP [Tax Identification Number]: 7773307804, REGON [National Business Registry Number]: 369454650, KRS [National Court Register] no.: 0000731305 (hereinafter referred to as the “Company” or the “Controller”).

How to contact us for information about your personal data?

The Controller can be contacted in writing by mail to the address indicated above or by e-mail at: office@doit.biz.pl.

How do we keep your personal data secure?

We apply all physical, technical and organisational measures to protect personal data against accidental or wilful destruction, accidental loss, alteration, unauthorised disclosure, use or access in accordance with all applicable legislation.

What is the purpose and legal basis for the processing of your personal data?

We process personal data for the following purposes:

Actions to conclude and perform a contract and conduct business operations:

  • performance of a contract (including for the purposes of contact, billing and payment necessary for the performance of the contract) or taking action at your request in order to conclude the contract (Article 6(1)(b) of the GDPR) or contacting the contractor’s employees for the purposes of performance of the contract (Article 6(1)(f) of the GDPR – a legitimate interest consists in the performance of the contract),
  • archiving of data after the contract has been performed (pursuant to Article 6(1)(c) of the GDPR in connection with the applicable law and pursuant to Article 6(1)(f) of the GDPR for data stored in archives and backup copies – a legitimate interest consists in pursuing or protecting against claims and ensuring data integrity),
  • after-sales service, in particular handling of complaints or other claims and conducting debt recovery processes (Article 6(1)(f) of the GDPR – a legitimate interest consists in pursuing or protecting against claims),
  • fulfilment of legal obligations arising from business operations, including obligations under tax or civil law, e.g., concerning accounting and taxation (Article 6(1)(c)).

The provision of data is a contractual requirement and/or a condition for concluding a contract. It is voluntary, but necessary for the conclusion and execution of the contract. Certain processing activities that are part of the performance of the contract are regulated by law. The provision of data subject to such processing is necessary for the performance of the contract.

Contact and correspondence, including by electronic means (e-mail and contact form available on the website)

  • responding to queries or messages sent on the basis of consent, i.e. under Article 6(1)(a) of the GDPR,
  • sending information, including marketing content, if you have given your consent to this, under Article 6(1)(a) of the GDPR,
  • responding to an enquiry regarding an offer or replying to an offer sent to us and carrying out the activities you have requested, under Article 6(1)(b) of the GDPR,
  • for the purpose of correspondence in connection with the application of the law, e.g., in the course of a complaint process or in exercising rights under the GDPR, e.g. the right of access to data (Article 6(1)(c)).

The provision of data is voluntary, but necessary in order to respond to an enquiry, provide the requested content or fulfil your requests. In some cases, the provision of data may be a legal requirement, e.g., where we are required to verify the requesting party before making data available to them. Consent may be withdrawn at any time by making an appropriate request through the same communication channel. The withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal.

Other processing on the basis of consent

  • in the case of processing on the basis of consent – for the purposes specified in each individual consent (Article 6(1)(a)). The provision of data is voluntary, but necessary to fulfil the purposes indicated in the consent. Consent may be withdrawn at any time in the manner specified by the Controller when obtaining consent. The withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal.

Franchise

  • responding to an enquiry regarding an offer or replying to an offer sent to us and carrying out the activities you have requested, under Article 6(1)(b) of the GDPR. The provision of data is a contractual requirement and/or a condition for concluding a contract. It is voluntary, but necessary for the conclusion and execution of the contract.

Website provision

  • researching user preferences and behaviour on the Site using cookie technology, creating statistics on Site users and using them to customise/improve the service (Article 6(1)(a) of the GDPR),
  • creating a user profile and sending personalised advertising (Article 6(1)(a) of the GDPR),
  • technical delivery of content, maintenance and technical support of the service, ensuring the security of the service, fraud prevention and debugging, tailoring the service to users’ needs (Article 6(1)(f) of the GDPR).

The provision of data is voluntary, but necessary for the fulfilment of the above-mentioned purposes. Please refer to the Privacy Policy for detailed data processing rules applicable to our website.

Social media

  • responding to queries or messages sent on the basis of consent, i.e. under Article 6(1)(a) of the GDPR,
  • sending information, including marketing content, if you have given your consent to this, under Article 6(1)(a) of the GDPR,
  • responding to an enquiry regarding an offer or replying to an offer sent to us and carrying out the activities you have requested, under Article 6(1)(b) of the GDPR,
  • creating a user profile and sending personalised advertising (Article 6(1)(a) of the GDPR).

The provision of data is voluntary, but necessary for the fulfilment of the above-mentioned purposes. Detailed data processing rules applicable to social media can be found in the privacy policies of the individual social media sites.

Recruitment

  • carrying out the current recruitment process (pursuant to Article 6(1)(c) of the GDPR, including in connection with the provisions of Article 22(1)(1) and Article 229 of the Labour Code and implementing acts and pursuant to Article 6(1)(a) of the GDPR and Article 9(2)(a) of the GDPR for data not covered by the aforementioned provisions) and, on the basis of your consent, also in subsequent recruitment processes,
  • providing information on the progress of the ongoing recruitment process – based on your consent (Article 6(1)(a) of the GDPR).

The provision of data is voluntary, but necessary in order to take part in the recruitment process to the extent set out in the applicable provisions of law.

Your personal data are or may also be processed on the basis of Article 6(1)(f) of the GDPR, if the processing is necessary for the following purposes arising out of the legitimate interests pursued by the Controller:

  • internal administration and organisation of work, including carrying out internal monitoring and reporting (a legitimate interest consists in ensuring the optimal functioning of the company),
  • ensuring the security of networks and IT processes (a legitimate interest consists in the protection of persons and property).

What rights do you have in relation to your data that we process?

You have the right to request the following from the Controller:

  • access to your personal data and a copy of your personal data,
  • rectification (correction) of your personal data,
  • erasure of your personal data where the processing does not take place in order to comply with an obligation arising from applicable law,
  • restriction of the processing of your personal data,
  • objection to the processing of your personal data based on Article 6(1)(e) or 6(1)(f),
  • portability of your personal data.

You also have the right to lodge a complaint with the President of the Personal Data Protection Office (contact details on the Office’s website at www.uodo.gov.pl) if you consider that the processing of your personal data violates the provisions of the GDPR.

Who may be the recipient of your personal data?

We share your personal data only with entities through which we can guarantee high quality service. These are primarily: accounting and office software providers (including Microsoft), maintenance or IT service companies, a hosting company, courier and/or postal services, an accounting office, a bank. If you have given the appropriate consent, this will also include a photo studio, Facebook Ireland Ltd, LinkedIn Ireland Unlimited and/or Google Ireland Ltd. These entities process data on the basis of contracts they have concluded with us and exclusively on our instructions. We do not share your data with any external parties for their own use – only for the execution of the tasks specified above. All partners that process your personal data ensure data security and comply with all personal data protection obligations. We also share your personal data with authorised employees of the Company who perform tasks related to the processing of your data on behalf of the Controller.

What are the rules for transferring your personal data outside the EEA?

Except where you have given the appropriate consent, your personal data are not transferred to recipients in third countries, i.e. outside the European Economic Area (EEA) or to international organisations. If you have given the appropriate consent, your personal data may or will be made available to Facebook Ireland Ltd, LinkedIn Ireland Unlimited and/or Google Ireland Limited (“Websites”). Due to the transnational nature of data flows within these Websites, there is a transfer of your data outside the EEA, including to countries with respect to which the European Commission has not determined an adequate level of protection. Data protection is primarily ensured by the use of Standard Contractual Clauses with appropriate safeguards (including data encryption). For more information on data processing on these Websites, please refer to the privacy policies of the respective Websites (at: https://pl-pl.facebook.com/privacy/explanation and https://policies.google.com/). These data are processed in this way for marketing purposes (we use marketing tools and social media plug-ins on our website) and to maintain communication with clients (social media: Facebook, YouTube, LinkedIn). The data are only transferred on the basis of your explicit consent.

How long do we keep your personal data for?

We only keep your personal data for the time necessary to achieve the purposes for which the data were collected (e.g., the duration/performance of the contract) or for the period prescribed by law. In the case of data processed on the basis of consent – until it is withdrawn. In the case of processing for the purpose of answering a question – for one year following the end of the correspondence. In other cases, the statute of limitations on claims or other periods prescribed by law shall apply.

How may we make decisions based on your personal data?

Based on your personal data, we may carry out profiling and make automated decisions (about the display of advertising) as referred to in Article 22(1) and 22(4) of the GDPR. This occurs in the following systems: the www.doit.biz.pl website and the Facebook fanpage. Profiling is performed for the purpose of marketing our own services. You have the right to appeal against such a decision by communicating your position to us through the communication channels indicated above.

Video surveillance

Video surveillance is carried out on the premises of the building in which our offices are located. Detailed information in this regard is available at the reception of the building.