POLICY OF PERSONAL DATA PROCESSING WASKO S.A.

DEFINITIONS
1.1. Administrator – WASKO S.A. with its registered office in Gliwice (ul. Berbeckiego 6, 44-100 Gliwice), entered in the entrepreneurs’ register (KRS) kept by the District Court in Gliwice, X Economic Department of the National Court Register under the KRS number 0000026949, REGON: 276703584, NIP: 9542311706.

1.2. Personal data – information about an identified or identifiable natural person through one or several specific factors determining physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment, or other similar technology.

1.3. Policy – this Personal Data Processing Policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Data subject – a natural person whose personal data is processed by the Administrator, e.g., a person visiting the Administrator’s premises or sending an email inquiry.

DATA PROCESSING BY THE ADMINISTRATOR
2.1. In connection with business activities, the Administrator collects and processes personal data in accordance with applicable regulations, especially GDPR, and the processing principles provided therein.

2.2. The Administrator:

2.2.1. ensures transparency in data processing;

2.2.2. always informs about data processing at the time of collection, especially about the purpose and legal basis for processing personal data, unless separate regulations provide that this is not required;

2.2.3. ensures that data is collected only to the extent necessary for the specified purpose and processed only for the period necessary.

2.3. When processing data, the Administrator ensures their security and confidentiality, and access to information about data processing for the data subjects. If, despite security measures, a breach of personal data protection occurs (e.g., a “leak” of data or their loss), and such a breach could pose a high risk to the rights or freedoms of data subjects, the Administrator will inform data subjects in accordance with the regulations.

CONTACT WITH THE ADMINISTRATOR AND DATA PROTECTION OFFICER
3.1. Contact with the Administrator is possible via email at wasko@wasko.pl or by mail to: WASKO S.A., ul. Berbeckiego 6, 44-100 Gliwice.

3.2. The Administrator has appointed a Data Protection Officer, who can be contacted via email at iod@wasko.pl or by mail to: WASKO S.A., ul. Berbeckiego 6, 44-100 Gliwice, regarding any matters related to the processing of personal data.

PERSONAL DATA SECURITY
4.1. To ensure the integrity and confidentiality of data, the Administrator has implemented procedures that allow access to personal data only to authorized individuals and only to the extent necessary for the tasks they perform. The Administrator employs organizational and technical solutions to ensure that all operations on personal data are recorded and carried out only by authorized persons.

4.2. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the use of appropriate security measures whenever they process personal data on behalf of the Administrator.

4.3. The Administrator conducts ongoing risk analysis and monitors whether the data security measures in place are adequate to the identified threats. If necessary, the Administrator implements additional measures to enhance data security.

OBJECTIVES AND LEGAL GROUNDS FOR PROCESSING EMAIL AND TRADITIONAL CORRESPONDENCE
5.1. When correspondence unrelated to services provided to the sender or to any other agreement is directed to the Administrator via email or traditional mail, personal data contained in such correspondence is processed solely for communication and resolution of the matter addressed in the correspondence.

5.2. The legal basis for processing is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which involves conducting correspondence related to its business activities.

5.3. The Administrator processes only personal data relevant to the matter of the correspondence. The entire correspondence is stored in a way that ensures the security of the contained personal data (and other information) and is disclosed only to authorized persons.

PHONE CONTACT

5.4. In the case of contacting the Administrator by phone, for matters unrelated to a concluded agreement or provided services, the Administrator may request personal data only when necessary to handle the specific matter. The legal basis, in this case, is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR) in resolving reported issues related to its business activities.

CONTACT FORMS

5.5. The Administrator provides the option to contact them using electronic contact forms on its websites. Using the forms requires providing personal data necessary to establish contact with the data subject and respond to the inquiry. The data subject may also provide other data to facilitate contact or handle the inquiry. Providing mandatory data is required to accept and process the inquiry; failure to provide them results in the inability to provide assistance. Providing additional data is voluntary.

5.6. Personal data is processed to identify the sender and handle their inquiry submitted through the provided form. The legal basis for processing is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR) in resolving reported issues related to its business activities; for facultative data, the legal basis is consent (Art. 6(1)(a) GDPR).

5.7. If personal data collected through the contact form on the Administrator’s website is processed for purposes other than those mentioned above, information about these additional purposes is provided in the Privacy Policy of the respective website.

PROFILES ON FACEBOOK, LINKEDIN, AND INSTAGRAM

5.8. The Administrator has public profiles on the social media platforms Facebook and LinkedIn. Therefore, data left by visitors on these profiles (e.g., comments, likes, internet identifiers) is processed.

5.9. Personal data of such individuals is processed:

5.9.1. to enable their activity on the profiles;

5.9.2. for efficient profile management, by providing users with information about the Administrator’s initiatives and other activities, and promoting various events, services, and products;

5.9.3. for statistical and analytical purposes;

5.9.4. optionally, for asserting claims and defending against claims.

5.10. The legal basis for processing personal data is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which includes:

5.10.1. promoting its own brand and improving the quality of provided services;

5.10.2. if necessary, asserting claims and defending against claims.

NOTE: The above information does not apply to the processing of personal data by the administrators of the platforms (Facebook, LinkedIn, Instagram).

RECRUITMENT

5.11. In the recruitment process, the Administrator expects the submission of personal data (e.g., in CVs or resumes) only within the scope defined by labor law. Therefore, information beyond that scope should not be provided.

5.12. Personal data is processed:

5.12.1. in the case of a preferred employment contract – to fulfill legal obligations related to the employment process, primarily according to the Labor Code – the legal basis for processing is the legal obligation incumbent on the Administrator (Art. 6(1)(c) GDPR in connection with labor law provisions);

5.12.2. in the case of a preferred civil law contract – to conduct the recruitment process – the legal basis for processing data in application documents is the performance of pre-contractual actions at the request of the data subject (Art. 6(1)(b) GDPR);

5.12.3. for processing data not required by law or by the Administrator, as well as for future recruitment processes – the legal basis for processing is consent (Art. 6(1)(a) GDPR);

5.12.4. to verify the qualifications and skills of the candidate and determine the terms of cooperation – the legal basis for processing data is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR). The legitimate interest is to verify job candidates and determine the conditions of potential cooperation;

5.12.5. to establish or defend against potential claims by the Administrator – the legal basis for processing data is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR).

5.13. To the extent personal data is processed based on explicit consent, the consent can be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal. If consent is given for future recruitment processes, personal data is deleted no later than 12 months after the consent is given unless the consent is withdrawn earlier.

5.14. Providing data within the scope defined by art. 22(1) of the Labor Code is mandatory. The requirement to provide this data, especially if the preferred form of employment is an employment contract, results from legal requirements, primarily those of the Labor Code, and of the Administrator. Providing other data is voluntary.

COLLECTING DATA RELATED TO THE PROVISION OF SERVICES OR OTHER AGREEMENTS

5.15. When collecting data for purposes related to the execution of a specific agreement, the Administrator provides detailed information to the data subject about the processing of their personal data at the time of entering into the agreement or obtaining personal data when processing is necessary to take action at the request of the data subject, before concluding the agreement.

PROCESSING PERSONAL DATA OF EMPLOYEES OF CONTRACTORS OR CLIENTS COLLABORATING WITH THE ADMINISTRATOR

5.16. In connection with entering into agreements within the conducted business activities, the Administrator obtains from contractors/clients the data of individuals involved in the execution of such agreements (e.g., individuals authorized to contact, carrying out orders, etc.). The scope of the provided data is limited to the extent necessary for the execution of the agreement and usually includes only the name and surname and official contact details.

5.17. Such personal data is processed to fulfill the legitimate interest of the Administrator and its contractor (Art. 6(1)(f) GDPR), which consists of enabling the proper and effective execution of the agreement. This data may be disclosed to third parties involved in the execution of the agreement.

5.18. The data is processed for the period necessary to fulfill the above interests and perform obligations arising from legal provisions.

COLLECTING DATA IN BUSINESS CONTACTS

5.19. In connection with the conducted activities, the Administrator also collects personal data in other cases – e.g., during business meetings or through the exchange of business cards – for purposes related to initiating and maintaining business contacts. The legal basis for processing, in this case, is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR) in creating a network of contacts in connection with its business activities.

5.20. Personal data collected in such cases is processed only for the purpose for which it was collected, and the Administrator ensures its appropriate protection.

ORGANIZATION OF ONLINE EVENTS

5.21. In connection with organizing online events, the Administrator obtains personal data from individuals registering for events and participating in them. The scope of provided data is limited to the extent necessary for organizing the event and usually includes only information such as name, job title, place of employment, and email address.

5.22. Such personal data is processed for the identification of event participants, communication with them, and handling their participation in the event. In this case, the legal basis for data processing is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR) in organizing the event in connection with the submitted event participation application.

5.23. Personal data will also be processed for purposes related to assessing satisfaction with participation in the event and for statistical purposes. In this case, the legal basis for processing is the legitimate interest of the administrator (Art. 6(1)(f) GDPR) in conducting analyses to improve the quality of organized events.

5.24. Online events may be recorded – in each case, participants will be informed about this fact, especially in a message displayed within the tool used by the Administrator to organize the online event. Recordings may be made available to event participants.

WEBSITES

5.25. Personal data of all individuals using the websites (including IP address or other identifiers and information collected through cookies) is processed by the Administrator:

5.25.1. to provide electronic services in the scope of making content available to the data subject on the website – in this case, the legal basis for processing is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR) in promoting its own brand;

5.25.2. for analytical and statistical purposes – to conduct analyses of the data subject’s activity and preferences to improve the functionalities and services provided; in this case, the legal basis for processing is the data subject’s consent (Art. 6(1)(a) GDPR);

5.25.3. for marketing purposes of the Administrator and other entities – in this case, the legal basis for processing is the data subject’s consent (Art. 6(1)(a) GDPR).

In some cases of marketing activities, the Administrator uses profiling. This means that through automatic data processing, the Administrator assesses selected factors related to the data subject’s behavior or makes predictions for the future. This allows for better matching of displayed content to individual preferences and interests of the data subject; in such cases, the legal basis for processing is the data subject’s consent (Art. 6(1)(a) GDPR).

5.25.4. to establish and assert claims or defend against claims – the legal basis for processing is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), consisting of protecting its rights.

DATA RECIPIENTS
6.1. In connection with conducting activities that require the processing of personal data, personal data may be disclosed to external entities, including, in particular, suppliers responsible for the operation of information systems and equipment, entities providing accounting services, postal operators, couriers, marketing or recruitment agencies.

6.2. The Administrator reserves the right to disclose selected information about the Data Subject to the competent authorities or third parties who request such information, based on the appropriate legal basis and in accordance with the applicable law.

TRANSFER OF DATA OUTSIDE THE EEA
7.1. The level of protection of personal data outside the European Economic Area (“EEA”) differs from that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily through:

7.1.1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued regarding the determination of an adequate level of protection of personal data;

7.1.2. the use of standard contractual clauses issued by the European Commission;

7.1.3. the use of binding corporate rules approved by the relevant supervisory authority.

7.2. The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.

DATA PROCESSING PERIOD
8.1. The processing period of data by the Administrator depends on the type of service provided and the purpose of processing. The data processing period may also result from regulations when they constitute the basis for processing. In the case of processing data based on the legitimate interest of the Administrator, for example, for security reasons, data is processed for a period that allows the realization of this interest or until an effective objection to data processing is raised. If processing is based on consent, data is processed until the consent is withdrawn. If the processing is based on the necessity of concluding and performing a contract, the data is processed until the contract is terminated.

8.2. The data processing period may be extended if processing is necessary to establish or assert claims or defend against claims, and after this period, only to the extent and scope required by law. After the processing period, data is irreversibly deleted or anonymized.

RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

SUBJECT RIGHTS
9.1. Data subjects have the following rights:

9.1.1. the right to information about the processing of personal data – on this basis, the Administrator provides the individual submitting the request with information about the processing of data, including, in particular, the purposes and legal grounds for processing, the scope of data held, recipients to whom they are disclosed, and the planned data deletion period;

9.1.2. the right to obtain a copy of the data – on this basis, the Administrator provides a copy of the processed data concerning the individual submitting the request;

9.1.3. the right to rectification – the Administrator is obliged to remove any inconsistencies or errors in the processed personal data and supplement them if they are incomplete;

9.1.4. the right to erasure of data – on this basis, one can request the deletion of data, the processing of which is no longer necessary for any of the purposes for which it was collected;

9.1.5. the right to restrict processing – if such a request is made, the Administrator stops performing operations on personal data, except for operations to which the Data Subject has consented and for storage of the data in accordance with the adopted retention principles or until the reasons for restricting data processing cease (e.g., a decision of the supervisory authority allowing further data processing);

9.1.6. the right to data portability – on this basis, to the extent that data is processed automatically in connection with a concluded contract or given consent, the Administrator issues data provided by the person to whom they relate in a format allowing for data reading by a computer. It is also possible to request the transfer of this data to another entity, provided that there are technical possibilities on both the side of the Administrator and the designated entity;

9.1.7. the right to object to the processing of data for marketing purposes – the Data Subject can object to the processing of personal data for marketing purposes at any time, without the need to justify such objection;

9.1.8. the right to object to other purposes of processing data – the Data Subject may object at any time, for reasons related to his particular situation, to the processing of personal data carried out on the basis of the legitimate interest of the Administrator (e.g., for analytical or statistical purposes or for reasons related to the protection of property); such objection should include justification;

9.1.9. the right to withdraw consent – if data is processed based on consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of processing carried out before its withdrawal;

9.1.10. the right to lodge a complaint – if it is believed that the processing of personal data violates the GDPR or other regulations concerning the protection of personal data, the Data Subject may lodge a complaint with the supervisory authority for the processing of personal data, competent due to the place of habitual residence of the Data Subject, his place of work, or the place of the alleged violation. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.

SUBMISSION OF REQUESTS RELATED TO THE EXERCISE OF RIGHTS

9.2. Requests regarding the exercise of the rights of Data Subjects can be submitted:

9.2.1. in writing to the address: WASKO S.A., ul. Berbeckiego 6, 44-100 Gliwice;

9.2.2. by e-mail to the address: wasko@wasko.pl.

9.3. If the Administrator is unable to identify the individual based on the submitted request, the Administrator will ask the applicant for additional information. Providing such data is not mandatory, but failure to provide it will result in a refusal to fulfill the request.

9.4. The request can be submitted personally or through a proxy (e.g., a family member). Due to data security, the Administrator encourages the use of a power of attorney certified by a notary or an authorized legal adviser or lawyer, which will significantly expedite the verification of the authenticity of the request.

9.5. A response to the request should be provided within one month from its receipt. If necessary, the Administrator informs the applicant about the reasons for extending this deadline.

9.6. In the event that the request is addressed to the Administrator electronically, the response is given in the same form unless the applicant has requested a response in a different form. In other cases, responses are provided in writing. If the processing period of the request makes it impossible to provide a written response and the scope of data of the applicant processed by the Administrator allows contact electronically, the response should be provided electronically.

9.7. The Administrator keeps information about the submitted request and the person who submitted the request to ensure the possibility of demonstrating compliance and for the purpose of establishing, defending, or pursuing any claims of data subjects. The register of requests is stored in a way that ensures the integrity and confidentiality of the data contained therein.

CHANGES TO THE PERSONAL DATA PROCESSING POLICY
10.1. The policy is regularly reviewed and updated as needed.

10.2. Any changes made to the document entitled “Personal Data Processing Policy” will be published on the website https://www.wasko.pl/polityka-przetwarzania-danych-osobowych/.