1. The data administrator is Multistal & Lohmann sp. z. o.o. Based in Poznań, ul. Nad Wierzbakiem 17/1, Poland.
2. Personal Data Protection Officer contact details: IODO@multistal.com.pl.
3. Data processing purpose and legal bases:
a) Data collection for the purposes of service provision
The Administrator shall process the personal data of customers in accordance with the offered services, in order to provide and settle them. The Administrator shall be obligated to keep accounts, therefore making him subject to tax obligations. Moreover, the Administrator shall be entitled to exercise his rights to file claims and protect his rights under the conducted business. The legal basis for the processing your personal data is Article 6 (1)(b, c and f) of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and on suspending the Directive 95/46/EC (hereinafter “GDPR”).
b) Data collection in business relations
The Administrator, as part of his operations, shall collect personal data also in the following cases: e.g. during business meetings, industry events, cooperation with business partners. The legal basis for the processing in such cases is the Administrator’s legitimate interest (Article 6 (1)(f) of GDPR), consisting of networking as a part of his operations. We can send information on our products as well. In that case, the basis for data processing shall be the consent given beforehand.
c) Data processing in IT systems
Personal data is processed in an IT environment, implying that it can be temporarily stored and processed in order to maintain the security and proper functioning of IT systems or websites. The rules pertaining to data processing in the Administrator’s web services (including data related to cookies) can be found here.
d) Data processing for sending newsletters or contact forms
The Administrator shall collect data provided via the contact form or newsletter subscriptions. The legal basis for the processing is your consent (Article 6 (1)(a) of GDPR).
e) Video surveillance
In order to ensure the safety of individuals and property, the Administrator shall use a video surveillance system and control the access to his headquarters and the premises under his supervision. The personal data in the form of surveillance recordings shall be processed in order to ensure the safety and order on site, and potentially for the purposes of exercising legal defence and claims. The legal basis for the processing of personal data is the Administrator’s legitimate interest (Article 6 (1)(f) of GDPR), consisting of ensuring the security of the Administrator’s property and the protection of his rights.
Within the recruitment processes, the Administrator expects personal data (e.g. in CVs or résumés) to be provided only to the extent as stated in the labour law provisions. Therefore, information in any larger scope should not be provided. In cases, where submitted applications contain such additional data, the Administrator will assume that the candidate consents to its processing for the purposes of recruitment. The candidates’ personal data shall be processed in order to fulfil the obligations according to the applicable laws pertaining to the employment process, including foremost the Labour Code – the legal basis for the processing is the legal requirements assumed by the Administrator (Article 6 (1)(c) of GDPR in relation to the provisions of the Labour Code). If the Administrator does not conduct the recruitment procedure or has announced another one, we can process your data only on the basis of the given consent (Article 6 (1)(a) of GDPR).
4. As part of the operations requiring data processing, the data gets disclosed to third parties, especially including: suppliers responsible for providing and handling the IT systems to entities providing legal, accounting and audit services, and recruitment agencies (based on data entrustment agreements). Personal data can be also disclosed to competent authorities or third parties that submit a request for such information, rooted in the relevant legal basis and according to the provisions of applicable laws. Moreover, the recipients of personal data may be Companies belonging to the Capital Group.
5. The Administrator informs that personal data shall not be provided to countries outside EEA.
6. The period of data processing by the Administrator depends on the types of service provided and the purpose of the processing. The defined period of data processing can also result from the regulations in case they constitute the basis for the processing. For data processing based on the Administrator’s legitimate interest – e.g. for security reasons – data shall be processed for a period sufficient for the fulfilment of this purpose or filing a successful objection to data processing. If the processing is done on the basis of consent, data shall be processed until this consent gets withdrawn. In a case where the grounds for the processing is necessary for conclusion and performance of an agreement, data shall be processed until said agreement is terminated, and afterwards, for a duration indicated by the generally applicable regulations. The data processing period may be extended in case the processing is necessary to determine, exercise or defend any possible claims, and afterwards, only in cases and to the extent required by the provisions of law. After the processing period expires, data shall be irretrievably deleted or anonymized. Data processed in relation to ongoing visual surveillance shall be processed no longer than 3 months.
7. As part of data processing by the Administrator, you are entitled to the following rights:
– the right to access your data and obtain a copy;
– the right to rectify (correct) your data if it is inaccurate or outdated, and the right to delete it in case the processing is not done to comply with the obligation under the provisions of law;
– the right to restrict or object the data processing;
–the right to lodge a complaint to the President of PDPA (to the following address of the Personal Data Protection Agency: ul. Stawki 2, 00-193 Warsaw, Poland).
8. Provision of personal data is voluntary, however, necessary for the purposes listed above. Not providing personal data shall result in failure to fulfil the purpose for which it is supposed to be processed. Your data shall not be subject to automated decision making, including in the form of profiling.
9. Data can be collected from public sources as well (KRS, CEiDG).