Eurocash Group data processing transparency policy

1.1. admin — a company from the Eurocash Group, with which you are bound by a relationship resulting in the need to process your personal data.
‍
SEE THE IDENTITY OF THE COMPANIES OF THE EUROCASHORAZ GROUP WITH THEIR CONTACT DETAILS AND IOD DATA
 
‍1.2. Personal data — information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

‍1.3. politics — this Policy on transparency of the processing of personal data.

‍1.4. SHOWS — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

‍1.5. Service — website maintained by the Administrator at www.grupaeurocash.pl.

‍1.6. User — any natural person visiting the Website or using one or more services or functionalities described in the Policy.
‍

2.1. In connection with the conducted business activity, the Controller collects and processes Personal Data in accordance with the relevant legal provisions, including in particular the GDPR and the data processing rules provided for therein.

2.2. The Controller ensures transparency of the processing of Personal Data, in particular always informs about the processing of data at the time of their collection, including the purpose and legal basis of the processing (e.g. when concluding a contract for the sale of goods or services). The controller ensures that the data are collected only to the extent necessary for the realization of the indicated purpose and processed only for the period in which it is necessary.

2.3. By processing Personal Data, the Administrator ensures their security and confidentiality and access to information about the processing of the data to the persons concerned. If, despite the security measures applied, there is a violation of the protection of Personal Data (e.g. “leakage” of data or their loss) causing a high risk of violation of the rights and freedoms of the data subjects, the Controller will inform the Data Subjects about such event, in a manner consistent with the regulations.
‍

3.1. Contact with the Administrator is possible via e-mail address or correspondence address: indicated in relation to each of the companies of the Eurocash Group in link in the introduction to this Transparency Policy.
‍
3.2. The Administrator has appointed a Data Protection Officer, who can be contacted by e-mail, by phone or in writing to the address of the Controller's registered office in any matter concerning the processing of Personal Data by the Administrator. The contact details for the Data Protection Officer can be found above, in the link provided in the introduction to this Transparency Policy.
‍

4.1. In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures allowing access to Personal Data only to authorized persons and only to the extent necessary for the tasks performed by them. The controller applies organizational and technical solutions to ensure that all operations on personal data are recorded and carried out only by authorized persons.
‍
4.2. In addition, the Controller takes all necessary measures so that its subcontractors and other cooperating entities guarantee the use of appropriate security measures in each case when they process Personal Data on the Controller's request.

4.3. The Controller carries out an ongoing analysis of the risks associated with the processing of Personal Data and monitors the adequacy of the applied data protection to the identified threats. If necessary, the Controller implements additional measures to increase data security.
‍

5.1. In the case of addressing the Controller via e-mail or traditional correspondence not related to the services provided to the sender or any other contract concluded with him, the personal data contained in this correspondence are processed exclusively for the purpose of communication and resolution of the matter to which the correspondence relates.
‍
5.2. The legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activities.

5.3. The Administrator processes only Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of Personal Data (and other information) contained therein and disclosed only to authorized persons.
‍

5.4. In case of contacting the Administrator by telephone, in matters not related to the concluded contract or services provided, the Administrator may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates. The legal basis in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in the need to resolve the reported case related to the business activity carried out by him.
‍
5.5. Telephone calls can also be recorded — in this case, at the beginning of the conversation, relevant information is provided to the natural person. Calls are recorded in order to monitor the quality of the service provided and verify the work of consultants, as well as for statistical purposes. Recordings are available only to employees of the Administrator and persons operating the Administrator's hotline.
‍‍
5.6. Personal data in the form of a recording of a conversation are processed:
‍‍

5.6.1. for purposes related to serving customers and interested parties through the hotline, if the Administrator provides such a service — the legal basis is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in communicating with its customers and responding to requests sent to the Administrator;

5.6.2. in order to monitor the quality of service and verify the work of consultants operating the hotline, as well as for analytical and statistical purposes — the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in ensuring the highest quality of service for customers and interested parties, as well as the highest quality of work of consultants and conducting statistical analyses concerning telephone communications;

5.6.3. in order to establish or pursue possible claims by the Controller or defence against claims made against the Controller — the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
‍

5.7. Due to the need to ensure the safety of persons and property, the Administrator applies video surveillance and controls access to the premises and to the area managed by him. The data collected in this way are not used for any other purposes described below.
‍
5.8. Personal data in the form of surveillance recordings and data collected in the register of entrances and exits are processed in order to ensure the safety of persons and property and to maintain order on the premises and possibly in order to defend against claims made against the Administrator or to establish and pursue claims by the Administrator. The legal basis for the processing of personal data is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in ensuring the safety of persons and property located on the territory managed by the Administrator and the protection of their rights.

5.9. The area covered by the monitoring by the Administrator is marked with appropriate graphic signs.
‍

5.10. Personal data is processed:
‍

5.10.1. in the event that the preferred form of employment is an employment contract — in order to fulfil the obligations arising from legal provisions related to the employment process, including primarily the Labour Code — the legal basis for processing is a legal obligation incumbent on the Controller (Article 6 (1) (c) of the GDPR in conjunction with the provisions of labour law);
‍
5.10.2. in the event that the preferred form of employment is a civil law contract — in order to conduct the recruitment process — the legal basis for processing the data contained in the application documents is to take action prior to the conclusion of the contract at the request of the data subject before the conclusion of the contract (Article 6 (1) (b) of the GDPR),

5.10.3. in order to carry out the recruitment process in the field of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes — the legal basis for processing is consent (Article 6 (1) (a) of the GDPR);

5.10.4. in order to establish or pursue possible claims by the Controller or defence against claims made against the Controller — the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
‍‍

5.11. To the extent that Personal Data is processed on the basis of consent, it can be withdrawn at any time, without affecting the lawfulness of the processing carried out before its withdrawal. If consent is given for the purposes of future recruitment processes, personal data are deleted after two years — unless the consent has been withdrawn beforehand. The consent can be withdrawn by contacting the communication channels indicated in the introduction to this Policy to individual companies (you will find information about the correct e-mail address, telephone number and registered office address of the Administrator above, in the link placed in the introduction to this Policy
‍

5.12. In case of data collection for the purposes related to the performance of a specific contract, the Administrator provides the Data Subject with detailed information regarding the processing of his personal data at the time of conclusion of the contract or at the time of obtaining personal data in the event that the processing is necessary in order to take action by the Administrator at the request of the Data Subject, before concluding the contract.‍
‍

5.13. In connection with the conclusion of commercial contracts as part of the conducted business activity, the Administrator obtains from contractors/customers the data of persons involved in the implementation of such contracts (e.g. persons authorized to contact, placing orders, executing orders, etc.). The scope of the data transmitted is in any case limited to the extent necessary for the performance of the contract and usually does not include information other than name and business contact details.
‍
5.14. Such personal data are processed in order to fulfill the legitimate interest of the Controller and its counterparty (Article 6 (1) (f) of the GDPR), consisting in enabling the correct and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the contract, as well as to entities obtaining access to the data on the basis of the provisions on public disclosure and procedures conducted on the basis of public procurement law, to the extent provided for by those provisions.
‍
5.15. The data are processed for the period necessary for the realization of the above interests and the fulfillment of the obligations arising from the regulations.
‍

5.16. In connection with the one-time provision of services, to suppliers conducting sole proprietorship activities and the need to issue invoices for services performed, the Administrator, in connection with legal obligations arising from the accounting regulations, will process personal data of suppliers in order to record accounting evidence. The scope of the processed data will include: name, surname, name, NIP number, REGON number, address of the registered office of activity.
‍
5.17. Such personal data are processed in order to fulfill the legal obligations imposed on the Administrator by the accounting regulations (Article 6 (1) (c) of the GDPR). Take personal data may be disclosed.
‍

5.18. In connection with the activity carried out, the Controller also collects Personal Data in other cases — e.g. by building and using permanent mutual business contacts (networking) during business meetings, at industry events or by exchanging business cards — for purposes related to initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in the creation of a network of contacts in connection with the activity carried out.
‍
5.19. Personal data collected in such cases are processed only for the purpose for which they were collected, and the Controller ensures their adequate protection.
‍

5.20. As part of the organization of online meetings by the Administrator, the personal data of the participants of the meeting are processed in order to implement the online meeting. The legal basis for such processing is the legitimate interest of the Administrator consisting in organizing and conducting a remote meeting with invited participants. (Article 6 (1) (f) GDPR). Providing data for the indicated purpose is voluntary, but necessary for the implementation of the online meeting. It will not be possible to participate in the online meeting without providing your data.
‍
5.21. To organize online meetings, the Administrator uses the Microsoft Teams tool, which involves the processing of users' personal data by Microsoft. HERE You can read the Microsoft Privacy Policy. As part of the use of this tool, no data is transferred outside the EEA.
‍

6.1. In connection with the conduct of activities requiring processing, Personal Data are disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment in the field of video surveillance), entities providing legal or accounting services, couriers, marketing or recruitment agencies, as well as entities providing IT services. The data are also disclosed to entities associated with the Controller, including companies from its capital group. More information about the Administrator's capital group can be found HERE.

6.2. Personal data may be made available to suppliers or manufacturers of goods with which the Administrator cooperates. The Controller provides the Data Subject with detailed information regarding the provision of his Personal Data at the time of conclusion of the contract or when the Data Subject joins promotional actions or other initiatives requiring such processing of Personal Data.

6.3. The Controller reserves the right to disclose selected information concerning the Data Subject to the competent authorities or third parties that request such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.
‍‍

7.1. Level of protection of personal data outside the European Economic Area (“SALMON”) This is different from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, in particular by:
‍

7.1.1. cooperation with processors of Personal Data in countries for which an appropriate decision of the European Commission has been issued on the determination to ensure an adequate level of protection of Personal Data;

7.1.2. the application of standard contractual clauses issued by the European Commission;

7.1.3. the application of binding corporate rules approved by the competent supervisory authority. ,
‍‍

7.2. the use of technical and organisational measures recommended by the European Data Protection Board for transfers outside the EEA (position of the European Data Protection Board: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf). The Controller always informs about the intention to transfer Personal Data outside the EEA at the stage of their collection.
‍

8.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also be due to regulations where they form the basis for processing. In the case of data processing on the basis of the Controller's legitimate interest (e.g. for security reasons), the data are processed for a period enabling the realization of this interest or for filing an effective objection to the processing of data. If the processing takes place on the basis of consent, the data is processed until its withdrawal. When the basis for processing is the necessity for the conclusion and performance of the contract, the data are processed until its termination.
‍
8.2. The period of data processing may be extended if the processing is necessary for the establishment or exercise of claims or defense against claims, and after this period — only if and to the extent required by law. After the end of the processing period, the data is irretrievably deleted or anonymized.
‍

9.1. Data subjects have the following rights:
‍‍

9.1.1. right to information about the processing of personal data — on this basis, the Administrator provides information about the processing of data to the natural person making the request, including, first of all, the purposes and legal bases of the processing, the scope of the data held, the entities to whom they are disclosed and the planned date of deletion of the data;

9.1.2. the right to obtain a copy of the data — on this basis, the Administrator provides a copy of the processed data concerning the natural person making the request;

9.1.3. right to rectification — The Controller is obliged to remove any inconsistencies or errors in the processed personal data and to supplement them if they are incomplete;

9.1.4. right to erasure — on this basis, it is possible to request the deletion of data whose processing is no longer necessary to fulfil any of the purposes for which they were collected;

9.1.5. right to restriction of processing — in the event of such a request, the Controller ceases to perform operations on Personal Data — with the exception of operations to which the data subject has consented — and their storage, in accordance with the adopted retention rules or until the reasons for the restriction of data processing cease (e.g. a decision of the supervisory authority authorizing further processing of data will be issued);

9.1.6. right to data portability — on this basis — to the extent that the data are processed in an automated manner in connection with the concluded contract or given consent — the Controller issues the data provided by the data subject in a format that allows them to be read by a computer. It is also possible to request the sending of these data to another entity, however, provided that there are technical possibilities in this regard both on the part of the Controller and this other entity;

9.1.7. right to object to the processing of data for marketing purposes — The data subject may at any time object to the processing of Personal Data for marketing purposes, without having to justify such objection;

9.1.8. right to object to other purposes of data processing — The data subject may at any time object — for reasons related to his particular situation — to the processing of personal data, which is carried out on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); the objection in this regard should contain a justification;

9.1.9. right to withdraw consent — if the data is processed on the basis of the consent given, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of consent.

9.1.10. right to complain — in the event that the processing of Personal Data violates the provisions of the GDPR or other provisions on the protection of Personal Data, the Data Subject may lodge a complaint with the supervisory authority competent for his/her place of habitual residence, his/her place of work or the place of commission of the alleged infringement. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
‍‍‍

9.2. A request regarding the exercise of the rights of Data Subjects can be submitted using the communication channels indicated in the introduction to this Policy to individual companies (information about the correct e-mail address and the address of the Controller's registered office can be found above, in the link in the introduction to this Transparency Policy.

9.3. The inability to identify a natural person on the basis of the submitted request will result in the refusal of the Administrator to fulfill the request.

9.4. The request can be made in person or through a proxy (e.g. a family member). For the sake of data security, the Administrator encourages the use of a power of attorney in the form certified by a notary or an authorized legal adviser or attorney, which will significantly speed up the verification of the authenticity of the request.

9.5. The response to the application should be given within one month of its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant of the reasons for this action.

9.6. In the case where the request is addressed to the Company electronically, the reply shall be given in the same form, unless the applicant has requested a reply in a different form. In other cases, the answer is given in writing. In the event that the deadline for the execution of the request makes it impossible to answer in writing, and the scope of the applicant's data processed by the Administrator allows contact by electronic means, the answer must be given electronically. If the content of the request does not require a written or electronic response, the reply may be given in the same form as the request of the data subject.
‍‍‍

9.7. The procedure for applications submitted is free of charge. Charges can only be charged in the case of:
‍‍‍

‍9.7.1. submitting a request for the issuance of the second and each subsequent copy of the data (the first copy of the data is free of charge); in this case, the Administrator may request payment of a fee of PLN 250. The above fee includes the administrative costs associated with the execution of the request.

9.7.2. reporting excessive (e.g. extremely frequent) or manifestly unjustified requests by the same person; in this case, the Administrator may demand payment of a fee of PLN 250.

The above fee includes the costs of conducting communication and the costs associated with taking the requested actions.

9.7.3. In the event of a challenge to the decision to impose a fee, the data subject may lodge a complaint with the supervisory authority responsible for his or her habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
‍

10.1. The policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted on July 03, 2021.
‍