Principles of Personal Data Protection
in Locaris Sp. z o.o.
- Administrator – LOCARIS Sp. z o.o., having its registered office in Warsaw (03-236), ul. Annopol 4B.
- Personal data – all information about a natural person identified or identifiable by one or several particular factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including the image, voice recording, contact data, data about location, information included in correspondence, information collected via recording equipment or other similar technology.
- RODO – Regulation of the European Parliament and the European Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in connection with processing personal data and on the free flow of such data and repealing Directive 95/46/EC.
- A person, whom the data relates to – any natural person whose personal data are processed by the Administrator, e.g. person visiting premises or the Administrator or making an inquiry thereto in the form of an e-mail.
Data processing by the Administrator
- In connection with the conducted business activity, the Administrator collects and processes personal data, in accordance with relevant provisions, in particular with RODO, and the principles of data processing stipulated therein.
- The Administrator ensures transparency of data processing, in particular always informs about data processing at the time of their collection, including about the purpose and legal grounds for processing – e.g. at accommodating a guest in facilities belonging to the Administrator. The Administrator makes every effort to ensure the data are collected only within the scope necessary for the indicated purpose and processed only for the period in which it is necessary.
- When processing the data, the Administrator provides their safety and confidentiality as well as access to the information on processing to persons whom the data relate to. If, despite the applied security measures, there occurred a violation of personal data protection (e.g. "leakage" of data or their loss), the Administrator shall notify such an event to persons whom the data relate to, in a manner consistent with legal provisions.
Contact with the Administrator
Safety of the personal data
- In order to provide integrity and confidentiality of the data, the Administrator has implemented procedures enabling access to the personal data only by persons authorized and only if necessary due to the tasks performed thereby. The Administrator applies the organizational and technical solutions in order to ensure that all operations on the personal data are recorded and performed only by authorized persons.
- In addition, the Administrator undertakes all necessary actions, so that also other entities cooperating therewith provided the guarantee of application of suitable safety measures in each case when they are processing the personal data entrusted thereto by the Administrator.
- The Administrator conducts ongoing analysis of risk and monitors the adequacy of the applied protections of data to the identified hazards. When necessary, the Administrator implements additional measures aimed at increasing the personal data security.
Processing objectives and legal grounds
Personal data of all persons using the web site of the Administrator, including IP addresses or other identifiers and the information collected via cookies or other similar technology, are processed:
a. In order to provide services electronically within the scope of sharing the contents collected on the website with the users – then the legal grounds for processing is the indispensability of processing to execute the contract (Article 6 (1) letter b RODO);
b. For analytical and statistical purposes – then the legal grounds for processing is the justified interest of the Administrator (Article 6 (1) letter f RODO) consisting in conducting users activity analyses, as well as their preferences in order to improve the functionalities used and the services provided;
c. For possible determination and pursuit, the claims or defence against them – the legal grounds for processing is the justified interest of the Administrator (Article 6 (1) letter f RODO) consisting in the protection of its rights
- User's activity on the website of the Administrator, including its personal data, is registered in system logs (special computer software used for storing chronological recording containing information on events and activities concerning the IT system used for providing services by the Administrator). The information collected in the logs is processed, first of all, for the purposes related to the provision of services. Additionally, the Administrator processes them for technological, administrative purposes, in order to provide the IT system security and manage this system, as well as for analytical and statistical purposes – in this respect the legal grounds for processing is the legally justified interest of the Administrator (Article 6 (1) letter f RODO).
Cookies and similar technology
- Cookies are small text files installed on the device of the user browsing the service. Cookies collect information facilitating using the website – e.g. by means of memorization visits of the user on the site and activities performed thereby. The legal grounds for processing of such data are the legally justified interest of the Administrator (Article 6 (1) letter f RODO).
a. Cookies with the data entered by the user (session identifier) for the duration of the session (user input Cookies);
b. Authentication cookies used for authentication for the duration of the session (authentication cookies);
c. Cookies used to ensure safety e.g. used to detect transgressions regarding authentication (user-centric security cookies);
d. Session cookies of multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
e. Permanent cookies used for personalization of the user's interface for the duration of the session or slightly longer (user interface customization cookies), f. Cookies used for monitoring the traffic on the web site, i.e. data analytics, including Google Analytics cookies (these are files used by the Google company to analyse the manner of using the service by the user, to create statistics and reports on functioning of the service). Google Analytics tool can also be used for providing users with the behavioural advertisement. Google does not use the collected data for identification of the user nor does links such information to enable identification. Detailed information on the scope and terms of data collection in relation to this service are available in the service google.pl in the section "Privacy and conditions".
E-mail and traditional correspondence
- In the case of sending a correspondence to the Administrator via e-mail or the traditional mail, personal data contained in this correspondence are processed solely for the purpose of communication and resolution for the issue, which the correspondence applies to.
The legal grounds for processing are as follows:
a. execution of the contract, a party to which is the person, whom the data relates to or undertaking activities upon request of the person the data relates to, before entering into the contract (Article 6 (1) letter b RODO)
b. a justified interest of the Administrator (Article 6 (1) letter f RODO) consisting in sending correspondence addressed thereto in connection with its business activity
- Additionally, the Administrator processes only the personal data essential for the issue, which the correspondence applies to. The whole correspondence is stored in a manner ensuring the safety of the personal data (and other information) contained therein and disclosed only to authorized persons.
- In the case of contacting the Administrator by phone, the Administrator may demand specification of personal data only, when it is necessary for handling the issue, which the contact applies to. In such a case, the legal grounds are the justified interest of the Administrator (Article 6 (1) letter f RODO) consisting in the possibility for handling the requests and providing the answers to questions asked by persons interested in services of the Administrator.
Vision monitoring and access control
- To ensure the safety of people and property, the Administrator or the entity providing physical protection services of the facilities of the Administrator use vision monitoring and may control entrance to the facilities and to the area managed by the Administrator. The data collected that way are not used for any other purposes.
- Personal data in the form of monitoring recordings and the data collected in other registers of personal flow are processed in order to ensure safety and order within the facilities and possibly for the purpose of defence against claims or their enforcing. The basis for processing the personal data is the justified interest of the Administrator (Article 6 (1) letter f RODO) consisting in providing safety of the property of the Administrator and protection of its rights.
- As part of recruitment, the Administrator expects provision of personal data (for instance in CV or resume) only to the extent specified in provisions of labour law. Consequently, the broader scope of information should not be provided. In the event when the sent applications will contain additional data, they shall not be used or considered in the recruitment process.
Personal data are processed:
a. In order to perform obligations resulting from the legal provisions, related to the process of employment, first of all of the Labour Code – the legal grounds for processing is the legal obligation imposed on the Administrator (Article 6 (1) letter c RODO in connection with provisions of the Labour Code);
b. For the purpose of conducting recruitment with regard to the data not required by legal provisions, as well as for the purposes of future recruitment processes – the legal grounds for processing is the consent (Article 6 (1) letter a RODO); c. In order to determine or enforce any possible claims or defend against such claims – the legal grounds for data processing is the legally justified interest of the Administrator (Article 6 (1) letter f RODO).
Collecting data in connection with the provision of services or execution of other contracts
- In the event of data collection for the purposes related to the execution of a specific contract, the Administrator provides the person, whom the data relates to, a detailed information concerning the processing of its personal data at the time of entering into the contract.
Data collection in other cases
- In connection with the conducted activities, the Administrator collects personal data also in other cases – e.g. during business meetings or by exchanging business cards – for the purposes related to establishing and maintenance of business contacts. The legal grounds for processing, in this case is the justified interest of the Administrator (Article 6 (1) letter f RODO), consisting of networking in connection with the conducted activities.
- Personal data collected in such cases are processed solely for the purpose, for which they were collected, and the Administrator ensures their appropriate protection.
- In association with conducting operations requiring processing, personal data are disclosed to external entities, in particular to suppliers responsible for handling IT systems and equipment (e.g. CCTV equipment, GPS location services), entities providing legal services or accounting, couriers, tourist agencies or recruitment agencies.
- The Administrator reserves the right to disclose selected information concerning the person whom the data relates to, to competent authorities or to third parties which raise a request for provision of such information, relying on appropriate legal grounds and according to binding legal regulations.
The cross-border transferability of data outside the European Union
- The Administrator does not transfer the personal data outside the European Economic Area.
Personal data storage period
- The period of data processing by the Administrator depends on the type of services provided and the purpose of processing. The period of data processing may also result from legal provisions when they are the basis for such processing. In the case of processing data on the basis of the justifiable interest of the Administrator – e.g. for safety purposes – the data are processed for the period enabling execution of such interest or raising effective objection against data processing. If processing is conducted on the basis of a consent, data are processed until withdrawal thereof. When the basis for such processing is the indispensability for entering into and execution of the contract, the data are processed until its termination.
- The period of data processing may be prolonged in the case when processing is necessary for determining or pursuing claims or defence against such claims and after this period – only in the case and to the extent which is required by legal provisions. After elapsing of such processing period, the data are irreversibly removed or anonymised.
Entitlements related to the processing of personal data, reporting and handling requests
Persons whom the data relate to, shall have the following rights:
a. The right to information on personal data processing – on this basis, the person raising the request is provided by the Administrator with information on data processing, mainly about the objectives and legal grounds of such processing, the scope of the data held, entities which they are disclosed to, and the intended date of removing of the data;
b. The right to obtain copies of the data – on this basis, the Administrator shall transfer a copy of the processed data concerning the person raising the request;
c. The right to correct – the Administrator is obliged to remove any possible inconsistencies or mistakes in the processed personal data and supplement them if they are incomplete;
d. The right to remove the data – on this basis, it is possible to request the removal of the data processing of which is no longer necessary for pursuing any of the purposes for which they were collected;
e. The right to limit the processing – in the event of raising such a request the Administrator stops performing operations on the personal data – except for operations agreed with the person, whom the data relates to – and their storage, according to the adopted principles of retention or until the causes of limitation of the data processing has been removed (e.g. the decision of the supervisory body will be issued, permitting further processing of the data);
f. The right to transfer the data – on this basis – to the extent in which the data are processed in connection with the contract entered into or expressed consent – the Administrator releases the data delivered by a person to whom they relate to, in the format enabling reading thereof by means of a computer. It is also possible to request sending these data to another entity – provided that there are technical possibilities in this respect both on the side of the Administrator as well as the other entity;
g. The right of objection against data processing for marketing purposes – the person, whom the data relates to, may at any time protest against processing the data for marketing purposes, without the need to justify such an objection;
h. The right of objection against other data processing purposes – the person, whom the data relates to, may at any time protest against personal data processing which is conducted on the basis of the justifiable interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to property protection); objection in this respect should be justified;
i. The right to withdraw a consent – if the data are processed on the basis of an expressed consent, a person, whom the data relates to, has the right to the withdraw it at any time, which, however, does not affect compliance with the law of such processing conducted before withdrawal of the consent. The right to raise a complaint – in the case of acknowledging that personal data processing violates provisions of RODO or other provisions concerning personal data protection, a person, whom the data relates to may submit a complaint to the President of the Office of Personal Data Protection.
- If the Administrator is unable to identify the applicant on the basis of the sent notification, it shall ask the applicant for additional information.
- The application may be submitted in person or through an authorized representative (e.g. a family member). Due to the reasons of data safety, the Administrator encourages to use the power of attorney in the form authenticated by a notary or an authorised legal counsel or an attorney, which will substantially accelerate the verification of authenticity of the application.
- An answer to the notification should be provided within one month after receipt thereof. When it is necessary to extend this period, the Administrator informs the applicant about the reasons for such a delay.
- The answer is provided via traditional mail unless the application has been submitted by e-mail or electronic transfer of the answers was requested.
Principles for charging fees
Proceedings concerning submission of applications are free of charge. Fees may be collected only in the following case:
a. Raising a request for issuing a second and every subsequent copy of the data (the first copy of the data is free of charge); in such case, the Administrator may request payment in the amount of PLN 30; the fee contains administrative costs related to the execution of the request.
b. Raising excessive (e.g. extremely frequent) or clearly unjustified requests by the same person; in such case, the Administrator may request payment in the amount of PLN 100; the fee contains the costs of communication and the costs related to undertaking the requested activities.
- In the event of questioning the decision on imposing the fees, the person, whom the data relates to, may submit a complaint to the President of the Office of Personal Data Protection.
- This regulation is verified on a current basis and updated, if necessary.
The current version is available:
a. On the website of the Administrator www.locaris.pl
b. In the registered office of the Administrator