Privacy Notice on Personal Data Processing
- The controller of your personal data is ALAN SYSTEMS Sp. z o.o. (formerly: ALAN Systems Sp. z o.o. Sp. k.) with its registered office in Rybnik, ul. Południowa 22, registered under KRS: 0001189203, REGON: 242833764, NIP: 6423178783, hereinafter referred to as the "Controller" or "ALAN SYSTEMS".
- The Controller has appointed a Data Protection Officer (DPO), who can be contacted via e-mail at: iodo@alan-systems.com
- The personal data is processed for the following purposes:
- In the case of the Controller's contractors: to perform a contract concluded with the Controller and to take steps prior to entering into a contract, pursuant to Art. 6(1)(b) of the GDPR (where the party to the contract is a natural person) or Art. 6(1)(f) of the GDPR (where the party to the contract is another entity);
- To settle the aforementioned contract and to exercise rights and obligations resulting from tax regulations, social security regulations (if applicable), or others, pursuant to Art. 6(1)(c) of the GDPR;
- To protect against and pursue claims arising from concluded contracts or other events, as well as to conduct satisfaction surveys regarding the quality of service provided by the Controller and to handle related complaints – which constitutes the legitimate interests of the Controller pursuant to Art. 6(1)(f) of the GDPR;
- To conduct the Controller's business operations, including obtaining orders, establishing and maintaining cooperation with contractors – which constitutes the legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR;
- In the case of marketing activities (promotion of the Controller) – which constitutes the legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR; and in the case of direct marketing – based on voluntary consent granted in each instance, i.e., pursuant to Art. 6(1)(a) of the GDPR;
- In the case of CCTV (video surveillance) recordings – to protect the property and intangible assets of the Controller and to control access to the Controller's premises and infrastructure, including IT infrastructure – which constitutes the legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR;
- To respond to inquiries submitted via the website or e-mail – which constitutes the legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR;
- In the case of recruitment processes conducted by the Controller, or when personal data is provided in a CV or other application documents – to carry out the recruitment process, based on the employer's authority under Art. 22¹ § 1 of the Polish Labor Code and pursuant to Art. 6(1)(c) of the GDPR;
- Other purposes, such as:
- Publication of your image via the Controller's social media or website;
- Processing personal data provided in application documents during recruitment other than those specified in Art. 22¹ § 1 of the Polish Labor Code;
- Processing personal data for the purposes of future recruitment;
- Basis: in each such case, processing is based on voluntarily granted consent for a specific purpose – pursuant to Art. 6(1)(a) of the GDPR.
- Personal data will or may be transferred to the following third parties:
- Tax authorities, public administration bodies, law enforcement, or judicial authorities – to the extent that it is the Controller's obligation under generally applicable laws;
- Entities cooperating with and providing support services to the Controller, including: providers of advisory and auditing services, legal, financial, accounting, and tax services, as well as recruitment agencies.
- Should the Controller use the services of other entities, personal data may be disclosed to them based on Data Processing Agreements (DPA), and such entities shall be bound to maintain the confidentiality of the processed data.
- Providing personal data is voluntary but necessary to take actions related to the purpose for which the data is provided.
- If the Controller did not receive the data directly from the data subject, the data was obtained from:
- A contractor – in connection with establishing cooperation/concluding a contract; such data includes: identification data, contact details, and data regarding the organization you represent;
- Recruitment service providers – such data includes: identification data, contact details, employment history, and education data, including qualifications, skills, and experience.
- If the processing of personal data is based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Personal data is processed by the Controller for the following periods:
- During cooperation and contract performance, and after its termination – for the period resulting from generally applicable laws (including tax law) and for the time necessary to protect or secure claims arising from such cooperation/contract, as well as the period required by law for the storage of financial and accounting records;
- For the period necessary to protect or secure claims due to the Controller or pursued against the Controller – until the expiry of the statute of limitations;
- For the duration of handling an inquiry or pursuing/defending against related claims;
- CCTV recordings (image data) – processed solely for the purposes for which they were collected and stored for a period up to 3 months from the date of recording, subject to exceptions provided by applicable law;
- For the duration of the recruitment process – regarding data obtained for recruitment; if the applicant consents to processing after the process ends, then until the withdrawal of consent. If application documents are submitted solely on the applicant's initiative and no recruitment process is initiated, the data is deleted immediately, unless the applicant consents to processing for future recruitment (then until the withdrawal of consent).
- You have the right to:
- Access your personal data and receive information on how it is processed;
- Request rectification (correction) of data;
- Request erasure of data (the "right to be forgotten") – however, considering the limitations in Art. 17(3) of the GDPR, we may not always be able to fulfill such a request;
- Request the restriction of processing;
- Object to the processing of data;
- Withdraw consent for further processing where consent is the legal basis.
- Individual rights can be exercised by contacting the Data Protection Officer in ALAN SYSTEMS.
- Decisions will not be made in an automated manner, including profiling, within the meaning of Art. 22 of the GDPR, based on the data provided.
- You have the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (PUODO) – in writing to the address: ul. Stawki 2, 00-193 Warsaw, or via the ePUAP platform.
