In compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), we would like to inform you about the following principles for processing personal data:

Information Clause

Data Controller (ADO)
MCPOLSKA.PL Limited Liability Company Limited Partnership

1. Wschodnia 5A, 62-080 Swadzim

tel. 61 822 65 61

Data Protection Officer (DPO)
Katarzyna Ślusarek, email address: iod@mcpolska.pl

ADO processes your data for the purpose of:

1. Employee recruitment

Legal basis: Article 6(1)(b) GDPR, Article 22⁽¹⁾ of the Labor Code, and Article 9(2)(b) GDPR (sensitive data). Providing this data is a statutory requirement necessary for the recruitment process. You are obliged to provide it, and failure to do so will result in the inability to participate in the recruitment process. Other personal data not required by law (e.g., interests) are processed based on Article 6(1)(a) GDPR, i.e., your voluntary consent, and their provision does not affect the possibility of participating in the recruitment.

Period of personal data retention: Your personal data will be processed until the end of the recruitment process, and if you have given consent to participate in future recruitments, no longer than 12 months from the date of sending the application documents.

2. Employee employment

Legal basis: Article 6(1)(b) GDPR, Article 22⁽¹⁾ of the Labor Code, and Article 9(2)(b) GDPR (sensitive data) – processing is necessary for the performance of the contract, Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation, Article 6(1)(f) GDPR – the legal basis for processing is the legitimate interest of the Administrator, and Article 6(1)(a) GDPR – in the scope of personal data not required by law – the legal basis for processing is your consent.

Period of personal data retention: depending on the purpose for which personal data is processed, the period of their storage is: 50 years or 10 years for contracts concluded after January 1, 2019 (depending on the date of employment) from the end of the year in which the employment relationship ended. For contracts concluded after December 31, 1998, and before January 1, 2019, the employer may submit a special information report to ZUS, as referred to in Article 4(6a) of the Act of October 13, 1998, on the social insurance system, in which case the period may be shortened to 10 years from the end of the calendar year in which the information report was submitted.

3. Cooperation with external companies with which ADO has a service contract

Legal basis for processing: Article 6(1)(b) GDPR – processing is necessary for the performance of the contract or to take steps prior to entering into a contract, providing data is necessary for cooperation.

Period of personal data retention: for the period necessary to implement the contracts and principles specified therein. At least 5 years from the end of the year in which the last invoice/accounting document was issued.

4. Contract execution

Source: Data of employees and associates provided in the course of cooperation by the entity that is a party to the contract.

Legal basis for processing: Article 6(1)(f) GDPR, for contact purposes related to the performance of the main contract, for administrative purposes, including organizing cooperation and supervising the performance of services or other obligations or rights exercised based on the main contract, for evidentiary purposes related to the performance of the main contract, for pursuing claims related to the implementation of the main contract.
Period of personal data retention: Your personal data will be stored by the Administrator for at least the period of validity of the contracts concluded between the companies, and if necessary for evidentiary purposes, personal data may also be stored until the expiration of claims from business activities or the completion of court proceedings related to the aforementioned contracts.

5. Provision of services

Legal basis for processing: Article 6(1)(b) GDPR – processing is necessary for the performance of the contract that connects you with the Office, Article 6(1)(c) GDPR – for the purpose of maintaining accounting and tax records, and Article 6(1)(f) GDPR – for the purpose of potential determination, assertion of claims, or defense against claims.

Period of personal data retention: Your data will be stored for the duration of the contract. A maximum of 6 years from the end of the financial year in which the last invoice was issued.

6. Future claims enforcement

Legal basis for processing: Article 6(1)(f) GDPR.
Period of personal data retention: for the limitation period of claims under the relevant contract type: contract for specific work, order – 2 years, cooperation agreement – 3 years.

7. Conducting marketing activities related to the business

Legal basis for processing: Article 6(1)(a) GDPR and Article 6(1)(f) GDPR. Providing data is voluntary.

Period of personal data retention: Until consent is withdrawn or an objection is raised by the data subject.

8. Responding to inquiries sent by email
   Legal basis for processing: 6(1)(f) GDPR – legitimate interest of ADO. Providing data is voluntary.

Period of personal data retention: until the inquiry is answered, a maximum of 12 months.

9. Protection of persons and property located on ADO premises

Source of data: data from monitoring.
Legal basis for processing: Article 6(1)(f) GDPR.
Period of personal data retention: from the moment of recording for a maximum period of 3 months.

If a purpose other than those listed above arises, the information obligation will be provided to you directly in the form or during the first action directed to you.

Rights related to the processing of personal data:

• If the legal basis is Article 6(1)(a) or (b) GDPR:
• right to access data
• right to rectify data
• right to erase data (right to be forgotten)
• right to restrict data processing
• right to data portability
• If the legal basis is Article 6(1)(c) GDPR:
• right to access data
• right to rectify data
• right to restrict data processing
• If the legal basis is Article 6(1)(e) or (f) GDPR:
• right to access data
• right to rectify data
• right to erase data (right to be forgotten)
• right to restrict data processing
• right to object to data processing

Right to withdraw consent:
If processing is based on your consent (Article 6(1)(a) GDPR), we will process the data until it is withdrawn. Consent can be withdrawn at any time by sending an email to the address provided above or in person at the Administrator’s office. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

After the consent is withdrawn, the data will be processed to protect against claims (Article 6(1)(f) GDPR) for a period consistent with the relevant legal provisions

, up to a maximum of 3 years.

Right to lodge a complaint with a supervisory authority:
If you notice any violations by ADO regarding the security of data processing, you can file a complaint with the supervisory authority responsible for personal data protection, i.e., the President of the Personal Data Protection Office. The current address of the supervisory authority is: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

Data security:
Your personal data will be processed in accordance with the provisions of GDPR, in writing or electronically, for the purposes specified above and using appropriate methods to ensure the security and confidentiality of personal data in accordance with Article 32 GDPR. The cooperation between our company and business entities is regulated by relevant legal provisions.

Data recipients:

In connection with data processing, your personal data may be shared with other recipients or categories of recipients, such as:

• Authorities and institutions, and relevant public administration and local government entities to the extent and for purposes arising from generally applicable law.
• Companies providing services to ADO, particularly in the areas of personal data protection, audit services, IT support, software, financial services, insurance, device servicing, correspondence services.
• Other entities that process personal data for the administrator based on relevant agreements.

Your data will not be processed in an automated manner, including profiling. Your data is not processed outside the EEA.