Information Clause of the Personal Data Controller for Candidates for employees and partners

1. ATS Display Ltd. with its registered office at the address: Boryszewska St. 22 C, 05-462 Wiązowna, entered in the Register of Entrepreneurs of the National Court Register held by the District Court for the Capital City of Warsaw in Warsaw, XXI Commercial Department of the National Court Register, with the KRS number: 0000075752, NIP: 5321790563, REGON: 017445358, share capital PLN 50,000 (paid in full), leading, is the Personal Data Controller (hereinafter referred to as the Controller) of candidates for employees and partners, hereinafter referred to as Candidates.
2. With respect to the rights of the Candidates as personal data subjects (i.e. people to whom the data relates) and with respect to the mandatory rules of law, including especially the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as GDPR, the Personal Data Protection Act of 10 May 2018 (Dz. U. 2018, item 1000), hereinafter referred to as the Act, and other relevant personal data protection regulations, the Controller commits to maintain security and confidentiality of all personal data gathered from Candidates. All employees of the Controller that process personal data within the area of their responsibility have been sufficiently trained in personal data processing and the Controller has utilised proper security, technical and organisational measures to ensure the highest possible level of protection for the personal data. The Controller has introduced appropriate procedures and policies to process personal data in accordance with the GDPR and the Act, so that personal data processing occurs lawfully and reliably and the Candidates, as the data subjects, may execute all their relevant rights. Additionally, if needed, the Controller cooperates with the regulatory body within the territory of the Republic of Poland, i.e. the President of the Data Protection Authority (hereinafter referred to as PDPA).
3. The personal data of Candidates is processed by the Controller for the purposes of:
a) recruitment of employees and partners,
b) any future recruitment processes, subject to the Candidate expressing their consent to such processing.
4. Sharing one’s personal data is not mandatory, but considered necessary for the purposes of the Candidate’s recruitment process. Specifically, the Controller is entitled to demand that Candidates share or document personal data specified in the art. 221 of the Act of 26 June 1974 – Labour Code (i.e. U. 2018, item 917, as amended) or any personal data necessary for the purposes of concluding a civil law agreement.
5. In accordance with the GDPR principle of data minimisation, the Controller processes solely the categories of personal data that are necessary to achieve goals specified in the previous point, unless the Candidate consents (via a declaration or an express confirmatory action) to processing of more data, willingly provided by the Candidate in their CV or cover letter. Lack of such consent or withdrawing one’s consent shall not be considered negatively from the perspective of potential recruitment and shall not result in any negative consequences towards this person (specifically, it shall not be considered as reason to reject one’s application).
6. The Controller processes the personal data for the period of time necessary to achieve goals specified in the point 3 above. Moreover, if the Candidate consents to process personal data for the purposes of future recruitment processes, as per point 3.b above, the Controller shall process such data for this purpose for the period of three years from the moment of expressing such consent or until the Candidate withdraws their consent earlier, which shall not impact the legality of processing their personal data before submitting the withdrawal. The personal data may be processed for a longer period of time only when the Personal Data Controller is required by the relevant mandatory rules of law to do so.
7. The source of the personal data processed by the Personal Data Controller are Candidates, i.e. the persons to whom the data relates.
8. The legal basis for Candidate personal data processing is:
a) art. 6.1.b of the GDPR, i.e. processing is necessary in order to take steps at the Candidate’s request prior to entering into a contract, or
b) art. 6.1.a of the GDPR, i.e. the Candidate consents to process their personal data for specific purposes, when other legal bases for personal data processing are not applicable, which most importantly applies to processing of special categories of data (sensitive data) of the Candidate and processing the Candidate’s data for the purposes of future recruitment processes.
9. The Candidates’ personal data shall not be shared with any third country, as per the GDPR. If the personal data is shared with a third country, the Candidates shall be duly informed thereof, and the Controller shall utilise relevant security measures, as per Chapter V of the GDPR.
10. No personal data is shared with any third parties without express consent of the person to whom the data relates. Personal data may be shared without the consent of the person to whom it relates only with legal public bodies, i.e. government and administrative bodies (e.g. tax offices, judicial authorities and other entities with a mandate stipulated by the relevant mandatory rules of law, such as ZUS [the Polish Social Insurance Institution], or a local Tax Office), in the cases provided for by the mandatory legislation.
11. Personal data may be shared with Entities that process the data on the request of the Controller. In such cases the Controller concludes a contract for personal data processing with such an Entity. The processing Entity processes the shared personal data solely for purposes specified in the aforementioned contract. Personal data is entrusted first and foremost to IT companies providing hosting services, maintaining online domains and computerised systems used by the Controller.
12. The personal data of Candidates is not profiled by the Controller, as per the GDPR.
13. According to the GDPR, the Candidates have the right to:
a) be informed of the personal data processing, as per art. 12 of the GDPR,
b) access their personal data, as per art. 15 of the GDPR,
c) correct or update the personal data, as per art. 16 of the GDPR,
d) delete their data (the right to be forgotten), as per art. 17 of the GDPR,
e) limit the processing, as per art. 18 of the GDPR,
f) transfer the data, as per art. 20 of the GDPR,
g) object to the processing of their personal data, as per art. 21 of the GDPR,
h) In cases of legal bases, as per point 7.b above – the right to withdraw one’s consent at any time, without affecting the legality of the processing conducted on the basis of the previously given consent,
i) restrict profiling, as per art. 22, relating to art. 4 of the GDPR,
j) file a complaints to a supervisory body (i.e. to the President of the Data Protection Authority), as per art. 77 of the GDPR,
subject to the rules of using and realising such rights, as per the GDPR.
14. Should the Candidates wish to exercise any of their above mentioned rights, they should send an e-mail or a traditional mail to the addresses specified in point 15 below.
15. The Administrator designated the Data Protection Inspector, who is Konrad Cioczek. Please send any inquiries, applications and complaints regarding the processing of personal data by the Administrator, further referred to as Applications, to the following e-mail address of the Data Protection Inspector: or in writing to the following address: Boryszewska St. 22 C, 05-462 Wiazowna.
16. The Applications should clearly contain:
a) the data of the person or persons to whom the Application relates,
b) the event that the Application relates to,
c) the filed requests and their legal basis,
d) the desired means of solving the issue.
17. Each ascertained instance of security breach is documented, and should any of the events, as described by the GDPR or the Act, occur, the persons to whom the data relates, as well as the President of Data Protection Authority, if applicable, shall be informed of it.