Personal Data Processing
Information on the processing of personal data
If you are interested in participating in the recruitment process or providing services to the Controller on the basis of civil law contracts, please read in advance the information on the processing of personal data in connection with the planned participation in the recruitment process or the planned transfer of personal data to the Controller, including transfer of personal data to the Controller outside the recruitment process.
Information on the processing of personal data in the recruitment process based on the Labor Code
- Pursuant to Art. 13 of the GDPR (https://uodo.gov.pl/pl/404/224), we would like to inform you that:
- The Data Controller in relation to persons applying for employment is Qloc S.A., 02-255 Warszawa, 36 Krakowiaków Street, KRS: 341922.
- Contact details to the Controller:
- e-mail: iod@q-loc.com
- or by traditional mail to the above-mentioned address
- Please be advised that the Data Protection Officer has not been appointed.
- Please be advised that in the case of selected recruitment processes, there may be joint controllership of personal data (Article 26 of the GDPR). In the event of the joint controllership process, information on joint controllership will be provided to the data subject in a separate communication.
- Please be advised that personal data is or may be processed for the following purposes:
- in order to carry out the recruitment process – the legal basis for the processing of personal data is the Act of June 26, 1974, the Labor Code, art. 22’1 (Article 6 (1) (c) of the GDPR). Please be noted that providing personal data is statutory and results from art. 22’1 of the Labor Code (Journal of Laws 1974 No. 24 item 141 (as amended), the Act of June 26, 1974. Labor Code). Please be advised that failure to provide personal data will result in the inability to participate in the recruitment process,
- in order to verify the professional qualifications indicated by the participant in the recruitment process (if applicable) – the legal basis for the processing of personal data is the Act of June 26, 1974, the Labor Code, art. 22’1 (Article 6 (1) (c) of the GDPR). Please be advised that providing personal data is statutory and results from art. 22’1 of the Labor Code (Journal of Laws 1974 No. 24 item 141 (as amended), the Act of June 26, 1974, the Labor Code). Please be advised that failure to provide personal data will result in the inability to verify professional qualifications and thus the inability to participate in the recruitment process. Please be advised that the verification of professional qualifications may be preceded by the submission by the person applying for employment of a declaration of confidentiality of all information provided – the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. Please be advised that the legitimate interest pursued by the Controller is to ensure confidentiality and secrecy in relation to the information provided. Please be advised that failure to provide personal data will result in the inability to submit a confidentiality statement and thus, the inability to verify the professional qualifications of the person applying for employment,
- in connection with the processing of personal data in future recruitment processes conducted by the Controller. If you agree to participate in future recruitments conducted by the Controller, please include the following clause in the application documents:
- “I consent to the processing of my personal data contained in the application documents for future recruitment processes planned by the Controller.
- personal data processed in connection with the verification of sanction lists – the sanctions lists published inter alia by the United Nations Security Council (UN), the European Union, the United States of America (such as the Office of Foreign Assets Control), and the People’s Republic of China (such as the People’s Bank of China, the Ministry of Public Security, the Ministry of Commerce, the Ministry of Foreign Affairs) and country related lists provided by competent authorities based on applicable law (https://www.biznes.gov.pl/pl/portal/001568) – the lawfulness (legal basis) is art. 6 (1) c) GDPR.
- Please be advised that the legal basis for the processing of personal data is the consent of the data subject for the processing of his personal data in the recruitment processes planned by the Controller (Article 6 (1) (a) of the GDPR). Please be informed that the consent is voluntary, and the consent may be withdrawn at any time, without affecting other provisions resulting from participation in the recruitment process. In the event of withdrawal of the consent, personal data will not be taken into account in future recruitments conducted by the Controller. Please be advised that refusing to consent to participation in the future recruitment process will result in the inability to participate in the future recruitment process.
- Please be noted that the scope of personal data processed in the recruitment process results from art. 22’1 § 1 of the Labor Code. Pursuant to Art. 22’1 § 1, the employer requires the applicant to provide personal data, including:
- first name (names) and surname
- date of birth,
- contact details (indicated by the person taking part in the recruitment),
- education,
- professional qualifications,
- the course of previous employment.
- The employer requests personal data in the scope of: name (s) and surname, date of birth, contact details indicated by such person, education or other personal data in this particular category of personal data – when it is necessary to perform a specific type of work or in a specific position or when it results from applicable law. The additional scope of personal data that may be processed by the Controller (if applicable), may involve the verification of professional qualifications and may relate to ordinary data in the scope of: user ID (e.g. computer IP) and the result of the conducted verification professional.
- If it has not been indicated in the content of the recruitment advertisement, we ask persons interested in participating in the recruitment process not to provide a specific category of personal data in the content of the application documents. Pursuant to Art. 9 GDPR, the following personal data (sensitive data) are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation and information indicated in art. 10 GDPR, i.e. information on criminal convictions and offenses or related security measures.
- A person applying for employment may, on their own initiative, provide the employer with a wider range of data than it results from Art. 22’1 § 1 of the Labor Code, including:
- ordinary data, e.g. image captured in a photo or other information,
- sensitive data (of a special category of personal data) indicated in art. 9 or article. 10 GDPR (special categories of personal data / sensitive data are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation and information concerning criminal convictions and offenses or related security measures). The processing of a specific category of personal data provided at the initiative of the job applicant is based on Art. 9 (2) a) GDPR – explicit consent. If a specific category of personal data is transferred to the employer, please include the following clause in the application documents:
- “In connection with participation in the recruitment process, I consent to the processing of a specific category of my personal data contained and provided by me in the application documents.”
- Please be advised that if you provide a specific category of personal data without the abovementioned consent clause for their processing, the data will be anonymized (deleted). Please be advised that the consent is voluntary, and the consent may be withdrawn at any time, without affecting other provisions resulting from the recruitment process,
- data provided by the applicant in the form of a link or links to information about themselves (including links to social media or dedicated websites) – in that case the provision of personal data to a greater extent is considered as a voluntary consent for their processing by the job applicant.
- We would like to inform you that in the case that a person applying for employment provides personal data on his / her own initiative to a greater extent than specified in art. 22’1 of the Labor Code, consent to their processing may be withdrawn at any time without negative effect for the current or future recruitment process.
- Please be advised that personal data is or may be disclosed to recipients of personal data:
- state authorities only under applicable law – if applicable,
- recipients of the data based on art. 28 GDPR – entrusting the processing of personal data. The categories of recipients to whom personal data are disclosed are: external entities providing recruitment services in the form of dedicated recruitment applications or ICT solutions, external companies dealing with the recruitment process at the request of the Controller, other entities providing services supporting the recruitment process conducted by the Controller,
- The Controller, at the request of the data subject, provides a list of all entities to whom personal data is disclosed in the recruitment process.
- Please be advised that personal data are or may be transferred to a third country (i.e. outside the European Economic Area). In the case of transfer of personal data outside the EEA, the provisions of Chapter V of the GDPR shall apply:
- transfer on the basis of an adequacy decision by the European Commission (Article 45 of the GDPR),
- transfer, subject to appropriate safeguards, of standard data protection clauses adopted by the European Commission (Article 46 (2) (c) of the GDPR)
- At the request of the data subject, the Controller provides a list of entities outside the EEA to which personal data is disclosed – if applicable.
- Please be advised that personal data is or may be processed:
- for the period specified for the candidates to send application documents – in accordance with the date indicated in the job advertisement or until their withdrawal from participation in the recruitment process or their withdrawal of the consent,
- in order to conduct ongoing recruitment after receiving applications from candidates – for a period not longer than 6 months from the end of the application period or until the withdrawal from participation in the recruitment process or the withdraw of the consent,
- for the purpose of processing personal data in connection with future recruitment – for no longer than 12 months from the end of the recruitment process or until the consent granted for the processing of personal data in future recruitment is withdrawn,
- in connection with the verification of sanction lists – for a period determined by the regulations.
- The Controller informs that the abovementioned period of personal data processing may change depending on the circumstances that may result in the need of change of the abovementioned period. In the event of a change in the abovementioned period of personal data processing, the Controller will inform the candidates participating in the recruitment process about such a change.
- We would like to inform you about the right to request the Controller to exercise the following rights:
- the right to access personal data relating to the data subject,
- the right to rectify personal data,
- the right to delete personal data,
- the right to limit the processing of personal data,
- the right to object to the processing,
- the right to transfer data,
- the right to receive a copy of your personal data.
- Please be advised that due to the individual purposes of processing, listed above, the exercise of the rights of data subjects may be fully or partially limited, e.g. due to applicable law, which obliges the Controller to their processing.
- We would like to inform you about the right to lodge a complaint with the supervisory body, ie the President of the Personal Data Protection Office in Warsaw. Contact details of the supervisory body: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw or via the contact details available on the authority’s website: https://uodo.gov.pl/pl/p/kontakt.
- Please be advised that personal data processed in connection with recruitment or future recruitment are not subject to profiling, automated profiling or automated decision making, including profiling.
- Please be advised that the Controller does not plan any other purpose for the processing of personal data than the one indicated above. In the event of other purposes, the Controller will inform about these purposes in a separate communication.
- Please be advised that in order to protect privacy and personal data, the Controller has implemented appropriate technical and organizational measures to ensure the security of personal data processing.
- Please be advised that the recruitment process may be based on:
- personal data coming directly from the data subject – provided in the content of the application documents,
- personal data coming indirectly from the data subject (from other sources). In the case of obtaining personal data from sources other than directly from the person applying for employment, the Controller, in accordance with art. 14 (3) GDPR, informs the data subject about the processing of his personal data within a reasonable time after obtaining the personal data – no later than within one month, and if the personal data are to be used for communication with the data subject – at the latest – at the first such communication with the person the data subject. Please be advised that another source from which the candidate’s personal data may come may be external recruitment agencies cooperating with the Controller, which disclosed the candidates’ personal data to the Controller,
- personal data published on the sanctions lists
Information on the processing of personal data in connection with the provision of services to the Controller based on civil law contracts
Pursuant to Art. 13 of the GDPR (https://uodo.gov.pl/pl/404/224), we would like to inform you that:
- The Data Controller in relation to persons applying for employment is Qloc S.A., 02-255 Warszawa, 36 Krakowiaków Street, KRS: 341922.
- Contact details to the Controller:
- e-mail: iod@q-loc.com
- or by traditional mail to the above-mentioned address.
- Please be advised that the Data Protection Officer has not been appointed.
- Please be advised that in the case of selected recruitment processes, there may be joint controllership of personal data (Article 26 of the GDPR). In the event of the joint controllership process, information on joint controllership will be provided to the data subject in a separate communication.
- Please be advised that personal data is or may be processed for the following purposes:
- in connection with the Controller receiving information about an offer regarding provision of services to the Controller on the basis of civil law contracts – the legal basis for the processing of personal data is art. 6 (1) a) GDPR – consent of the data subject. Please be advised that the processing of personal data is voluntary and that you have the right to withdraw your consent at any time. Please be advised that failure to provide personal data or withdrawal of consent will result in the inability to participate in the bidding process regarding provision of services to the Controller on the basis of civil law contracts,
- in order to verify the professional qualifications indicated by the participant in the bidding process (if applicable), including:
- submitting a declaration of confidentiality of all provided information – the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. The legitimate interest pursued by the Controller is considered to be confidentiality and secrecy in relation to the provided information. Please be advised that providing personal data is voluntary, and failure to provide personal data will result in the inability to submit a confidentiality declaration and thus the inability to participate in the bidding process regarding the provision of services to the Controller on the basis of civil law contracts,
- verification of professional qualifications in connection with the submission of an offer regarding the provision of services to the Controller on the basis of civil law contracts, the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. Please be advised that the legitimate interest pursued by the Controller is the verification of the professional qualifications of the person participating in the bidding process. Please be advised that providing personal data is voluntary, and failure to provide personal data will result in the inability to verify professional qualifications and thus the inability to participate in the bidding process regarding the provision of services to the Controller on the basis of civil law contracts,
- in connection with the preparation, conclusion and implementation of provisions resulting from the cooperation agreement concluded between the parties – the legal basis for the processing of personal data is art. 6 sec. 1 lit. b) – processing is necessary for the conclusion and implementation of the contract and art. 6 (1) c) GDPR – processing is necessary in order to fulfill the obligations imposed on the Controller under applicable law. Please be advised that providing personal data is of a contractual and statutory nature, and failure to provide personal data will result in the inability to prepare, conclude and implement the provisions of the contract concluded between the parties,
- personal data processed in connection with the verification of sanction lists – the sanctions lists published inter alia by the United Nations Security Council (UN), the European Union, the United States of America (such as the Office of Foreign Assets Control), and the People’s Republic of China (such as the People’s Bank of China, the Ministry of Public Security, the Ministry of Commerce, the Ministry of Foreign Affairs) and country related lists provided by competent authorities based on applicable law (https://www.biznes.gov.pl/pl/portal/001568) – the lawfulness (legal basis) is art. 6 (1) c) GDPR.
- Please be advised that personal data may be processed based on the legitimate interest pursued by the Controller (Article 6 (1) (f) of the GDPR), i.e. for purposes related to:
- claims that may arise between the parties for failure to maintain confidentiality and secrecy in relation to the provided information,
- for archival and statistical purposes necessary to manage the bidding process and perform contracts in relation to the services provided to the Controller on the basis of civil law contracts.
- Please be advised that personal data may be disclosed:
- recipients of data pursuant to art. 28 GDPR – entrusting the processing of personal data. Please be noted that the categories of recipients may be entities providing IT, accounting and tax, legal and other services, supporting the organizational processes of the Controller. The list of processing entities entrusted by the Controller with the processing of personal data is available at the request of the data subject,
- recipients of personal data are or may be public and state authorities to which the Controller is obliged to disclose personal data on the basis of currently applicable legal provisions (eg the Tax Office, Social Insurance Institution). The list of entities to which personal data is disclosed is available at the request of the data subject,
- recipients of personal data are or may be entities to which personal data is disclosed in order to implement the provisions of the contract, and which, after their disclosure, become separate Controllers. The categories of such entities are Poczta Polska (Polish Post), couriers, bank, law firm. The list of entities to which personal data is disclosed is available at the request of the data subject.
- We would like to inform you about the right to request the Controller to exercise the following rights:
- the right to access personal data relating to the data subject
- the right to rectify personal data,
- the right to delete personal data,
- the right to limit the processing of personal data,
- the right to object to the processing,
- the right to transfer data,
- the right to receive a copy of your personal data.
- Please be advised that due to the individual purposes of processing, listed above, the exercise of the rights of data subjects may be fully or partially limited, e.g. due to applicable law, which obliges the Controller to process them.
- We would like to inform you about the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Protection Office (UODO) with its seat at 2 Stawki Street in Warsaw, https://uodo.gov.pl/pl, https://uodo.gov.pl/pl/83/155.
- Please be advised that personal data are or may be processed for the period of:
- in connection with the Controller receiving the information about the offer regarding the provision of services to the Controller on the basis of civil law contracts – for the duration of the bidding process and for a period of 10 years after the end of the bidding period,
- in order to verify the professional qualifications indicated by the participant in the bidding process (if applicable), including:
- submitting a declaration of confidentiality of all provided information – for an indefinite period,
- verification of professional qualifications in connection with the submission of an offer regarding the provision of services to the Controller on the basis of civil law contracts – for the period of providing the Controller with given services, for a minimum period of 10 years from the end of providing the Controller with the given services, for a minimum 3 years after the end of the bidding process for the provision of services to the Controller
- in order to prepare, conclude and implement the provisions of the concluded contract – for the duration of the preparation, conclusion and validity of the contract, for a minimum period of 10 years from the completion of the contract,
- for purposes that claims may arise between the parties (if applicable) – for a period of 3 years from the end of the bidding process or from the end of the provision of the services to the Controller,
- for internal purposes (management, archival) – for a period of 10 from the end of the passing of the resolution or from the moment of completing the provision of services to the Controller,
- in connection with the verification of sanction lists – for a period determined by the regulations.
- Please be advised that personal data are or may be transferred to a third country (i.e. outside the European Economic Area). In the case of transfer of personal data outside the EEA, the provisions of Chapter V of the GDPR shall apply:
- transfer on the basis of an adequacy decision by the European Commission (Article 45 of the GDPR),
- transfer, subject to appropriate safeguards, of standard data protection clauses adopted by the European Commission (Article 46 (2) (c) of the GDPR).
- At the request of the data subject, the Controller provides a list of entities outside the EEA to which personal data is disclosed – if applicable.
- Please be informed that personal data processed in connection with the offer is not subject to profiling, automated profiling or automated decision making, including profiling.
- Please be advised that the Controller does not plan any other purpose of personal data processing than the one indicated above. In the event of other purposes, the Controller will inform about these purposes in a separate communication.
- Please be noted that in order to protect privacy and personal data, the Controller has implemented appropriate technical and organizational measures to ensure the security of personal data processing.
- Please be advised that in the case of sole proprietorship, personal data may be obtained from publicly available registers (CEIDG, sanctions lists) in order to verify the person before concluding a cooperation agreement.
- Please be informed that the category of relevant personal data are: natural persons who are a party to the contract in connection with the preparation and conclusion of a cooperation agreement with persons conducting sole proprietorship.
Information for persons providing personal data to the Controller outside the recruitment or bidding process
We would like to inform that in the case of sending to the Controller an application or offers containing personal data at the time when the Controller does not conduct and does not plan to conduct the recruitment or bidding process:
- received applications or offers are immediately deleted by the Controller,
- if the following clause is included in the application documents, personal data will be processed for a period not longer than 12 months from receipt of the application documents or until the consent is withdrawn or an objection to the processing of personal data is raised. In this case, please include the following clause in the content of the application documents in the recruitment process based on the Labor Code:
“I consent to the processing of my personal data contained in the application documents for future recruitment processes planned by the Controller.”
Information on the processing of personal data PL
If you are interested in participating in the recruitment process or providing services to the Controller on the basis of civil law contracts, please read in advance the information on the processing of personal data in connection with the planned participation in the recruitment process or the planned transfer of personal data to the Controller, including transfer of personal data to the Controller outside the recruitment process.
Information on the processing of personal data in the recruitment process based on the Labor Code
- Pursuant to Art. 13 of the GDPR (https://uodo.gov.pl/pl/404/224), we would like to inform you that:
- The Data Controller in relation to persons applying for employment is Qloc S.A., 02-255 Warszawa, 36 Krakowiaków Street, KRS: 341922.
- Contact details to the Controller:
- e-mail: iod@q-loc.com
- or by traditional mail to the above-mentioned address
- Please be advised that the Data Protection Officer has not been appointed.
- Please be advised that in the case of selected recruitment processes, there may be joint controllership of personal data (Article 26 of the GDPR). In the event of the joint controllership process, information on joint controllership will be provided to the data subject in a separate communication.
- Please be advised that personal data is or may be processed for the following purposes:
- in order to carry out the recruitment process – the legal basis for the processing of personal data is the Act of June 26, 1974, the Labor Code, art. 22’1 (Article 6 (1) (c) of the GDPR). Please be noted that providing personal data is statutory and results from art. 22’1 of the Labor Code (Journal of Laws 1974 No. 24 item 141 (as amended), the Act of June 26, 1974. Labor Code). Please be advised that failure to provide personal data will result in the inability to participate in the recruitment process,
- in order to verify the professional qualifications indicated by the participant in the recruitment process (if applicable) – the legal basis for the processing of personal data is the Act of June 26, 1974, the Labor Code, art. 22’1 (Article 6 (1) (c) of the GDPR). Please be advised that providing personal data is statutory and results from art. 22’1 of the Labor Code (Journal of Laws 1974 No. 24 item 141 (as amended), the Act of June 26, 1974, the Labor Code). Please be advised that failure to provide personal data will result in the inability to verify professional qualifications and thus the inability to participate in the recruitment process. Please be advised that the verification of professional qualifications may be preceded by the submission by the person applying for employment of a declaration of confidentiality of all information provided – the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. Please be advised that the legitimate interest pursued by the Controller is to ensure confidentiality and secrecy in relation to the information provided. Please be advised that failure to provide personal data will result in the inability to submit a confidentiality statement and thus, the inability to verify the professional qualifications of the person applying for employment,
- in connection with the processing of personal data in future recruitment processes conducted by the Controller. If you agree to participate in future recruitments conducted by the Controller, please include the following clause in the application documents:
- “I consent to the processing of my personal data contained in the application documents for future recruitment processes planned by the Controller.
- personal data processed in connection with the verification of sanction lists – the sanctions lists published inter alia by the United Nations Security Council (UN), the European Union, the United States of America (such as the Office of Foreign Assets Control), and the People’s Republic of China (such as the People’s Bank of China, the Ministry of Public Security, the Ministry of Commerce, the Ministry of Foreign Affairs) and country related lists provided by competent authorities based on applicable law (https://www.biznes.gov.pl/pl/portal/001568) – the lawfulness (legal basis) is art. 6 (1) c) GDPR.
- Please be advised that the legal basis for the processing of personal data is the consent of the data subject for the processing of his personal data in the recruitment processes planned by the Controller (Article 6 (1) (a) of the GDPR). Please be informed that the consent is voluntary, and the consent may be withdrawn at any time, without affecting other provisions resulting from participation in the recruitment process. In the event of withdrawal of the consent, personal data will not be taken into account in future recruitments conducted by the Controller. Please be advised that refusing to consent to participation in the future recruitment process will result in the inability to participate in the future recruitment process.
- Please be noted that the scope of personal data processed in the recruitment process results from art. 22’1 § 1 of the Labor Code. Pursuant to Art. 22’1 § 1, the employer requires the applicant to provide personal data, including:
- first name (names) and surname
- date of birth,
- contact details (indicated by the person taking part in the recruitment),
- education,
- professional qualifications,
- the course of previous employment.
- The employer requests personal data in the scope of: name (s) and surname, date of birth, contact details indicated by such person, education or other personal data in this particular category of personal data – when it is necessary to perform a specific type of work or in a specific position or when it results from applicable law. The additional scope of personal data that may be processed by the Controller (if applicable), may involve the verification of professional qualifications and may relate to ordinary data in the scope of: user ID (e.g. computer IP) and the result of the conducted verification professional.
- If it has not been indicated in the content of the recruitment advertisement, we ask persons interested in participating in the recruitment process not to provide a specific category of personal data in the content of the application documents. Pursuant to Art. 9 GDPR, the following personal data (sensitive data) are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation and information indicated in art. 10 GDPR, i.e. information on criminal convictions and offenses or related security measures.
- A person applying for employment may, on their own initiative, provide the employer with a wider range of data than it results from Art. 22’1 § 1 of the Labor Code, including:
- ordinary data, e.g. image captured in a photo or other information,
- sensitive data (of a special category of personal data) indicated in art. 9 or article. 10 GDPR (special categories of personal data / sensitive data are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation and information concerning criminal convictions and offenses or related security measures). The processing of a specific category of personal data provided at the initiative of the job applicant is based on Art. 9 (2) a) GDPR – explicit consent. If a specific category of personal data is transferred to the employer, please include the following clause in the application documents:
- “In connection with participation in the recruitment process, I consent to the processing of a specific category of my personal data contained and provided by me in the application documents.”
- Please be advised that if you provide a specific category of personal data without the abovementioned consent clause for their processing, the data will be anonymized (deleted). Please be advised that the consent is voluntary, and the consent may be withdrawn at any time, without affecting other provisions resulting from the recruitment process,
- data provided by the applicant in the form of a link or links to information about themselves (including links to social media or dedicated websites) – in that case the provision of personal data to a greater extent is considered as a voluntary consent for their processing by the job applicant.
- We would like to inform you that in the case that a person applying for employment provides personal data on his / her own initiative to a greater extent than specified in art. 22’1 of the Labor Code, consent to their processing may be withdrawn at any time without negative effect for the current or future recruitment process.
- Please be advised that personal data is or may be disclosed to recipients of personal data:
- state authorities only under applicable law – if applicable,
- recipients of the data based on art. 28 GDPR – entrusting the processing of personal data. The categories of recipients to whom personal data are disclosed are: external entities providing recruitment services in the form of dedicated recruitment applications or ICT solutions, external companies dealing with the recruitment process at the request of the Controller, other entities providing services supporting the recruitment process conducted by the Controller,
- The Controller, at the request of the data subject, provides a list of all entities to whom personal data is disclosed in the recruitment process.
- Please be advised that personal data are or may be transferred to a third country (i.e. outside the European Economic Area). In the case of transfer of personal data outside the EEA, the provisions of Chapter V of the GDPR shall apply:
- transfer on the basis of an adequacy decision by the European Commission (Article 45 of the GDPR),
- transfer, subject to appropriate safeguards, of standard data protection clauses adopted by the European Commission (Article 46 (2) (c) of the GDPR)
- At the request of the data subject, the Controller provides a list of entities outside the EEA to which personal data is disclosed – if applicable.
- Please be advised that personal data is or may be processed:
- for the period specified for the candidates to send application documents – in accordance with the date indicated in the job advertisement or until their withdrawal from participation in the recruitment process or their withdrawal of the consent,
- in order to conduct ongoing recruitment after receiving applications from candidates – for a period not longer than 6 months from the end of the application period or until the withdrawal from participation in the recruitment process or the withdraw of the consent,
- for the purpose of processing personal data in connection with future recruitment – for no longer than 12 months from the end of the recruitment process or until the consent granted for the processing of personal data in future recruitment is withdrawn,
- in connection with the verification of sanction lists – for a period determined by the regulations.
- The Controller informs that the abovementioned period of personal data processing may change depending on the circumstances that may result in the need of change of the abovementioned period. In the event of a change in the abovementioned period of personal data processing, the Controller will inform the candidates participating in the recruitment process about such a change.
- We would like to inform you about the right to request the Controller to exercise the following rights:
- the right to access personal data relating to the data subject,
- the right to rectify personal data,
- the right to delete personal data,
- the right to limit the processing of personal data,
- the right to object to the processing,
- the right to transfer data,
- the right to receive a copy of your personal data.
- Please be advised that due to the individual purposes of processing, listed above, the exercise of the rights of data subjects may be fully or partially limited, e.g. due to applicable law, which obliges the Controller to their processing.
- We would like to inform you about the right to lodge a complaint with the supervisory body, ie the President of the Personal Data Protection Office in Warsaw. Contact details of the supervisory body: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw or via the contact details available on the authority’s website: https://uodo.gov.pl/pl/p/kontakt.
- Please be advised that personal data processed in connection with recruitment or future recruitment are not subject to profiling, automated profiling or automated decision making, including profiling.
- Please be advised that the Controller does not plan any other purpose for the processing of personal data than the one indicated above. In the event of other purposes, the Controller will inform about these purposes in a separate communication.
- Please be advised that in order to protect privacy and personal data, the Controller has implemented appropriate technical and organizational measures to ensure the security of personal data processing.
- Please be advised that the recruitment process may be based on:
- personal data coming directly from the data subject – provided in the content of the application documents,
- personal data coming indirectly from the data subject (from other sources). In the case of obtaining personal data from sources other than directly from the person applying for employment, the Controller, in accordance with art. 14 (3) GDPR, informs the data subject about the processing of his personal data within a reasonable time after obtaining the personal data – no later than within one month, and if the personal data are to be used for communication with the data subject – at the latest – at the first such communication with the person the data subject. Please be advised that another source from which the candidate’s personal data may come may be external recruitment agencies cooperating with the Controller, which disclosed the candidates’ personal data to the Controller,
- personal data published on the sanctions lists
Information on the processing of personal data in connection with the provision of services to the Controller based on civil law contracts
Pursuant to Art. 13 of the GDPR (https://uodo.gov.pl/pl/404/224), we would like to inform you that:
- The Data Controller in relation to persons applying for employment is Qloc S.A., 02-255 Warszawa, 36 Krakowiaków Street, KRS: 341922.
- Contact details to the Controller:
- e-mail: iod@q-loc.com
- or by traditional mail to the above-mentioned address.
- Please be advised that the Data Protection Officer has not been appointed.
- Please be advised that in the case of selected recruitment processes, there may be joint controllership of personal data (Article 26 of the GDPR). In the event of the joint controllership process, information on joint controllership will be provided to the data subject in a separate communication.
- Please be advised that personal data is or may be processed for the following purposes:
- in connection with the Controller receiving information about an offer regarding provision of services to the Controller on the basis of civil law contracts – the legal basis for the processing of personal data is art. 6 (1) a) GDPR – consent of the data subject. Please be advised that the processing of personal data is voluntary and that you have the right to withdraw your consent at any time. Please be advised that failure to provide personal data or withdrawal of consent will result in the inability to participate in the bidding process regarding provision of services to the Controller on the basis of civil law contracts,
- in order to verify the professional qualifications indicated by the participant in the bidding process (if applicable), including:
- submitting a declaration of confidentiality of all provided information – the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. The legitimate interest pursued by the Controller is considered to be confidentiality and secrecy in relation to the provided information. Please be advised that providing personal data is voluntary, and failure to provide personal data will result in the inability to submit a confidentiality declaration and thus the inability to participate in the bidding process regarding the provision of services to the Controller on the basis of civil law contracts,
- verification of professional qualifications in connection with the submission of an offer regarding the provision of services to the Controller on the basis of civil law contracts, the legal basis for the processing of personal data is art. 6 (1) f) GDPR – legitimate interest pursued by the Controller. Please be advised that the legitimate interest pursued by the Controller is the verification of the professional qualifications of the person participating in the bidding process. Please be advised that providing personal data is voluntary, and failure to provide personal data will result in the inability to verify professional qualifications and thus the inability to participate in the bidding process regarding the provision of services to the Controller on the basis of civil law contracts,
- in connection with the preparation, conclusion and implementation of provisions resulting from the cooperation agreement concluded between the parties – the legal basis for the processing of personal data is art. 6 sec. 1 lit. b) – processing is necessary for the conclusion and implementation of the contract and art. 6 (1) c) GDPR – processing is necessary in order to fulfill the obligations imposed on the Controller under applicable law. Please be advised that providing personal data is of a contractual and statutory nature, and failure to provide personal data will result in the inability to prepare, conclude and implement the provisions of the contract concluded between the parties,
- personal data processed in connection with the verification of sanction lists – the sanctions lists published inter alia by the United Nations Security Council (UN), the European Union, the United States of America (such as the Office of Foreign Assets Control), and the People’s Republic of China (such as the People’s Bank of China, the Ministry of Public Security, the Ministry of Commerce, the Ministry of Foreign Affairs) and country related lists provided by competent authorities based on applicable law (https://www.biznes.gov.pl/pl/portal/001568) – the lawfulness (legal basis) is art. 6 (1) c) GDPR.
- Please be advised that personal data may be processed based on the legitimate interest pursued by the Controller (Article 6 (1) (f) of the GDPR), i.e. for purposes related to:
- claims that may arise between the parties for failure to maintain confidentiality and secrecy in relation to the provided information,
- for archival and statistical purposes necessary to manage the bidding process and perform contracts in relation to the services provided to the Controller on the basis of civil law contracts.
- Please be advised that personal data may be disclosed:
- recipients of data pursuant to art. 28 GDPR – entrusting the processing of personal data. Please be noted that the categories of recipients may be entities providing IT, accounting and tax, legal and other services, supporting the organizational processes of the Controller. The list of processing entities entrusted by the Controller with the processing of personal data is available at the request of the data subject,
- recipients of personal data are or may be public and state authorities to which the Controller is obliged to disclose personal data on the basis of currently applicable legal provisions (eg the Tax Office, Social Insurance Institution). The list of entities to which personal data is disclosed is available at the request of the data subject,
- recipients of personal data are or may be entities to which personal data is disclosed in order to implement the provisions of the contract, and which, after their disclosure, become separate Controllers. The categories of such entities are Poczta Polska (Polish Post), couriers, bank, law firm. The list of entities to which personal data is disclosed is available at the request of the data subject.
- We would like to inform you about the right to request the Controller to exercise the following rights:
- the right to access personal data relating to the data subject
- the right to rectify personal data,
- the right to delete personal data,
- the right to limit the processing of personal data,
- the right to object to the processing,
- the right to transfer data,
- the right to receive a copy of your personal data.
- Please be advised that due to the individual purposes of processing, listed above, the exercise of the rights of data subjects may be fully or partially limited, e.g. due to applicable law, which obliges the Controller to process them.
- We would like to inform you about the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Protection Office (UODO) with its seat at 2 Stawki Street in Warsaw, https://uodo.gov.pl/pl, https://uodo.gov.pl/pl/83/155.
- Please be advised that personal data are or may be processed for the period of:
- in connection with the Controller receiving the information about the offer regarding the provision of services to the Controller on the basis of civil law contracts – for the duration of the bidding process and for a period of 10 years after the end of the bidding period,
- in order to verify the professional qualifications indicated by the participant in the bidding process (if applicable), including:
- submitting a declaration of confidentiality of all provided information – for an indefinite period,
- verification of professional qualifications in connection with the submission of an offer regarding the provision of services to the Controller on the basis of civil law contracts – for the period of providing the Controller with given services, for a minimum period of 10 years from the end of providing the Controller with the given services, for a minimum 3 years after the end of the bidding process for the provision of services to the Controller
- in order to prepare, conclude and implement the provisions of the concluded contract – for the duration of the preparation, conclusion and validity of the contract, for a minimum period of 10 years from the completion of the contract,
- for purposes that claims may arise between the parties (if applicable) – for a period of 3 years from the end of the bidding process or from the end of the provision of the services to the Controller,
- for internal purposes (management, archival) – for a period of 10 from the end of the passing of the resolution or from the moment of completing the provision of services to the Controller,
- in connection with the verification of sanction lists – for a period determined by the regulations.
- Please be advised that personal data are or may be transferred to a third country (i.e. outside the European Economic Area). In the case of transfer of personal data outside the EEA, the provisions of Chapter V of the GDPR shall apply:
- transfer on the basis of an adequacy decision by the European Commission (Article 45 of the GDPR),
- transfer, subject to appropriate safeguards, of standard data protection clauses adopted by the European Commission (Article 46 (2) (c) of the GDPR).
- At the request of the data subject, the Controller provides a list of entities outside the EEA to which personal data is disclosed – if applicable.
- Please be informed that personal data processed in connection with the offer is not subject to profiling, automated profiling or automated decision making, including profiling.
- Please be advised that the Controller does not plan any other purpose of personal data processing than the one indicated above. In the event of other purposes, the Controller will inform about these purposes in a separate communication.
- Please be noted that in order to protect privacy and personal data, the Controller has implemented appropriate technical and organizational measures to ensure the security of personal data processing.
- Please be advised that in the case of sole proprietorship, personal data may be obtained from publicly available registers (CEIDG, sanctions lists) in order to verify the person before concluding a cooperation agreement.
- Please be informed that the category of relevant personal data are: natural persons who are a party to the contract in connection with the preparation and conclusion of a cooperation agreement with persons conducting sole proprietorship.
Information for persons providing personal data to the Controller outside the recruitment or bidding process
We would like to inform that in the case of sending to the Controller an application or offers containing personal data at the time when the Controller does not conduct and does not plan to conduct the recruitment or bidding process:
- received applications or offers are immediately deleted by the Controller,
- if the following clause is included in the application documents, personal data will be processed for a period not longer than 12 months from receipt of the application documents or until the consent is withdrawn or an objection to the processing of personal data is raised. In this case, please include the following clause in the content of the application documents in the recruitment process based on the Labor Code: