INFORMATION on the processing of personal data by STALEXPORT AUTOSTRADY S.A. with its registered office in Mysłowice
Thus far, your data has been processed pursuant to the Act of 29 August 1997 on Data Protection, whereas as of 25 May 2018 all personal data is being processed pursuant to the Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR) and on the basis of the Act of 10 May 2018 on Personal Data Protection (Dz. U. 2018, item 1000). Below you can find information required by the aforementioned legal regulations.
ControllerThe controller* of your personal data is STALEXPORT AUTOSTRADY S.A. with its registered office in Mysłowice at ul. Piaskowa 20, 41-404 Mysłowice, NIP (Taxpayer Identification Number): 634 013 42 11, www.stalexport-autostrady.pl. For matters related to personal data, you can contact the data protection officer designated in our company:
- by sending correspondence to the aforementioned address of the Company’s registered office - preferably with an annotation reading “Personal data”;
- by sending an e-mail to the following address:
- by phone at the following number: 32 76 27 512
*Controller, pursuant to Article 4 of the GDPR - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Supervisory body
The body monitoring compliance with personal data protection regulations in Poland is the President of the Personal Data Protection Office.
- For what purpose, on what legal grounds and for what duration do we process personal data?
In relation to pursued activities - for the purpose of day-to-day management of the Company, sale and purchase of goods and services, and investment activities we process the following data of the following categories of individuals: job candidates, employees, customers, suppliers, employees or partners of our suppliers and customers, potential customers, counterparties, suppliers, persons who contact or are contacted by Stalexport Autostrady S.A., data of shareholders - we do so on the basis of specific legal grounds:
- pursuant to Article 6 (1)(a) of the GDPR, i.e. on the basis of consent of the data subject, e.g. for marketing purposes, to streamline contact with a candidate during the recruitment process - to this extent we process data until such time as consent is withdrawn or the purpose of processing for which consent has been obtained is achieved,
- pursuant to Article 6 (1)(b) of the GDPR, i.e. due to the fact that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (e.g. contract concluded with suppliers, counterparties, lessees, persons cooperating with the Company under a civil law contract) - data processed to this extent will be processed for the entire term of the contract (whereas data required under law, e.g. fiscal data, will be processed until the obligation to retain this data expires);
- pursuant to Article 6 (1)(c) of the GDPR, i.e. due to the fact that processing is necessary for compliance with a legal obligation to which the Controller is subject, e.g. to keep a share register, store accounting records, collect data for purposes related to the settlement of government levies - data to this extent is processed for the period set out in law;
- pursuant to Article 6 (1)(f) of the GDPR, i.e. due to the fact that the processing is necessary for the purposes of the legitimate interests pursued by the Controller, which include processing for the purpose of seeking and defending against claims, drawing up statements, analyses, reports and statistics for purposes related to the operation of the Company and entities comprising the capital group, archiving, direct marketing, conducting audits, performing internal obligations related to reporting and accounting, preventing and detecting irregularities in the area related to anti-corruption policy - we process personal data to this extent until such time as the specified purpose of processing is achieved or data retention period specified in the Company expires, but in any case not longer than permitted by law whereas in the case of direct marketing not longer than until an objection to the processing of personal data is lodged.
- Transfer of personal data to entities or authorities
Personal data may be transferred:
- to state authorities authorised under law;
- to employees and partners of the Collector authorised to process personal data referred to in paragraph 3;
- to entities providing support to the Company in the implementation of purposes referred to in paragraph 3 and entities cooperating with the company to the extent of personal data processing - providing IT support, accounting, advisory, legal, and courier services, postal operator, Companies that belong to the Capital Group.
Personal data cannot be transferred outside the EEA. Should such need arise in relation to activities pursued by the Company, the transfer of data may take place exclusively on the basis of principles set out in the GDPR.
In relation to the processing of personal data, the Controller does not make decisions based exclusively on automated processing, including profiling, of personal data.
- Provision of personal dataProvision of personal data
Depending on the purpose for which personal data is processed, the need to provide personal data may arise from a statutory obligation or a contract or may represent a condition that must be met in order to enter into a contract. The provision of personal data is voluntary, however failure to provide this data may result in the inability to enter into a contract or hinder the implementation of a specific activity.
- Rights of the data subject
Depending on the legal grounds for the processing of personal data and conditions referred to in Articles 12-13 of the GDPR, each person has the right to:
- access their data;
- rectify their personal data or have it deleted;
- request the controller to limit processing in the following cases:
- when the accuracy of personal data is questioned - for a period that enables the controller to verify the accuracy of this data;
- when processing is in violation of the law and the data subject objects to the deletion of personal data, requesting instead that its use be limited;
- when the controller no longer requires personal data for the purposes of processing, but it is necessary to the data subject in order to establish, seek or defend against a claim;
- when the data subject has objected to the processing pursuant to Article 21 (1) - until such time as it is determined whether the legitimate grounds of the controller take precedence over the grounds for the objection lodged by the data subject;
- transfer their data, if data is processed on the basis of consent within the meaning of Article 6 (1)(a) of the GDPR or under a contract within the meaning of Article 6 (1)(b) of the GDPR;
- lodge an objection - for reasons related to his/her particular situation - to the processing of personal data relating to him/her on the basis of Article 6 (1)(e) or (f) at any time;
- withdraw consent at any time, without affecting the lawfulness of the processing, which was carried out on the basis of consent before its withdrawal;
- lodge a complaint with the supervisory authority - the President of the Personal Data Protection Office.