Administrator – Dobra Energia dla Olsztyna Sp. z o.o. with its registered office in Olsztyn at Dąbrowszczaków 21, 10-541 Olsztyn.
Personal data – any information about an identified or identifiable natural person through one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies or other similar technology.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
Service – the Internet service run by the Administrator under the address……… .
User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
- PURPOSES AND LEGAL BASIS OF DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE
In connection with using the Website by the User, the Administrator collects data to the extent necessary to provide offered services, as well as information on User’s activity on the Website. Detailed principles and purposes of personal data processing while using the Website are as follows.
Unless otherwise stated below, Service Users’ personal data (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the Administrator in following cases:
- to carry out informational, educational and promotional activities concerning waste management and ecology related to the Administrator’s activity – the legal basis for data processing is the necessity of processing for purposes deriving from the legally justified interests pursued by the Administrator (Article 6(1)(f) GDPR) and in the public interest or in the exercise of official authority vested in the Administrator (Article 6(1)(e) GDPR);
- to provide services electronically when providing for Users the content collected on the Website – the legal basis for personal data processing is the necessity to proccess for the performance of the agreement (art.6(1)(b) GDPR);
- for statistical and analytical purposes – the legal basis for personal data processing is the Administrator’s legitimate interest consisting in conducting analyses of Users’ activities, as well as of their preferences in order to improve the applied functionalities and provided services (Article 6(1)(b) GDPR);
- to establish, assert or defend against claims (if needed)- the legal basis for data processing is the Administrator’s legitimate interest in protecting your rights (Article 6(1)(f) GDPR).
- The Administrator provides the possibility to contact them on the Website using electronic contact forms. Using the form requires providing personal data necessary to contact the User and answer the enquiry. The User may also provide other data to facilitate contact or handling of the enquiry. Providing data marked as obligatory is required in order to accept and proceed with the enquiry, otherwise it will be impossible to handle it. Providing other data is voluntary.
Personal data are processed in following cases:
- identifying the sender and handling their enquiry sent via provided form – to the extent of the data necessary to establish contact or handle the enquiry – the legal basis for the processing is the necessity to process for the performance of the service contract (Article 6(1)(b) of the GDPR);
- for analytical and statistical purposes – the legal basis for the processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR), consisting of analysing the activity and preferences of Users while using the Service and the manner of using the account, in order to improve applied functionalities;
- identifying the sender and handling their enquiry sent via provided form – to the extent of data that are not necessary to establish contact or handle the enquiry – the legal basis for processing is the User’s consent (Art. 6(1)(a) GDPR).
Grievances and requests
The User will be able to submit grievances and requests through Contact Form, in connection with the implementation of the entrusted public task in the form of the Treatment of the combustible fraction from municipal waste by means of thermal treatment with recovery of energy used for ensuring heat supplies to the municipal heating network in Olsztyn, together with design and construction of the Waste Incineration Plant and the Peak Load Boiler House, as well as financing investment expenditures and infrastructure management
In that case, the legal basis for processing the Personal Data is:
- 6(1)(c) GDPR, as processing is necessary for the fulfilment of a legal obligation incumbent on the Administrator,
- 6(1)(e) GDPR, as processing is necessary for the performance of a task carried out in the public interest on the basis of a public-private partnership agreement,
- and Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator).
Period of data storage related to grievances and requests handling: the above mentioned records will be kept for the time necessary to fulfil the public task, and thereafter for the time necessary to enable the Administrator to secure or assert possible claims and to fulfil a legal obligation; the period of personal data processing may be extended each time if there is another legitimate legal need for the Administrator to process the data for a longer period.
Recruitment – tab: “Apply”
Within the framework of recruitment processes, the Administrator expects the transfer of Personal Data (e.g. in a CV or resume) only to the extent specified by the employment law. Consequently, information should not be provided to a wider extent. In case the sent applications contain additional data beyond the scope indicated by the labour law, their processing will be based on candidate’s consent (Article 6(1)(a) of the GDPR), expressed through an unambiguous confirmatory action, which is sending application documents by the candidate. Should the applications sent contain information that is not relevant to the recruitment purpose, they will not be used or taken into account in the recruitment process.
Personal data are processed in following cases:
- where the preferred form of employment is an employment contract – in order to comply with the obligations arising from the provisions of the law, related to the employment process, including in particular the Labour Code – the legal basis for processing is a legal obligation incumbent on the Administrator (Article 6(1)(c) of the GDPR in relation to the provisions of labour law);
- where the preferred form of employment is a civil law contract – in order to conduct the recruitment process – the legal basis for processing the data in application documents is to take action prior to the conclusion of a contract at the request of the data subject (Article 6(1)(b) GDPR);
- in order to carry out the recruitment process to the extent of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes – the legal basis for processing is the consent (Article 6(1)(a) GDPR);
- in order to verify the qualifications and skills of the candidate and to determine the conditions of cooperation – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) GDPR). The legitimate interest of the Administrator is to verify job candidates and determine the conditions of possible cooperation;
- in order to establish or assert possible claims by the Administrator or to defend against claims made against the Administrator – the legal basis for data processing is the Administrator’s legitimate interest (Article 6(1)(f) GDPR).
Insofar as the Personal Data are processed on the basis of the consent given, it may be withdrawn at any time, without affecting the lawfulness of the processing carried out before the withdrawal of the consent. Where consent is given for the purpose of future recruitment processes, Personal Data shall be deleted no later than after one year – unless the consent has been withdrawn earlier.
Providing data in the scope specified in Article 22(1) of the Labour Code it is required – in case the candidate prefers the type of employment based on an employment contract – by legal regulations- especially by the Labour Code, and in case the candidate prefers the type of employment based on a civil law contract – by the Administrator. Failing to provide such data will result in excluding such candidate from the recruitment process. Providing other data is voluntary.
Procurement procedures – “Tenders” tab
The administrator, in connection with activities undertaken for the purpose of concluding or implementing a contract, may contact, for a legitimate purpose, employees and associates of contractors designated as so-called “contact persons” or persons involved in implementing the contract in question.
The basis for personal data processing in this regard is Article 6(1)(c) of the GDPR – the processing is necessary for the purposes of complying with a legal obligation to which the Administrator is subject, on the basis of internal archiving procedures in force in the Administrator’s organisation, and Article 6(1)(f) of the GDPR – with regard to data on natural persons provided by a contractor for the purposes of a specific tender procedure (the processing is necessary for purposes resulting from the legitimate interests pursued by the Administrator).
The storage period for personal data processed in connection with the procurement procedure is as follows:
- With regard to the entity whose tender was selected, the Administrator is entitled to keep the documentation for the period of implementation of the contract concluded with the contractor, and then the archiving period resulting from the procedures applicable in the Administrator’s organisation,
- with regard to unsuccessful tenderers, personal data will be stored in accordance with the procedures in force in the Administrator’s organisation for 5 years from the end date of the procurement procedure.
Cookies used for this purpose include:
- cookies containing user input (session ID) for the session duration (user input cookies);
- authentication cookies used for services that require authentication for the duration of a session;
- security cookies, such as those used for detecting authentication abuses (user centric security cookies);
- multimedia player session cookies (e.g. flash player cookies), for the duration of the session;
- persistent cookies used to personalise the user interface for the duration of the session or slightly longer (user interface customisation cookies);
- cookies used to remember the content of your shopping cart for the duration of your session (shopping cart cookies);
- cookies used for monitoring website traffic, i.e. data analytics, including Google Analytics cookies (these are cookies used by Google to analyse how the User uses the Website, to compile statistics and reports on the Website functioning). Google does not use the collected data to identify the User nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found under the link: https://www.google.com/intl/pl/policies/privacy/partners.
- How long is Personal Data processed by the Administrator?
The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. Unless otherwise stipulated in the above-mentioned provisions, as a rule the data are processed for as long as the User uses the Service or while corresponding with the User, or until filing an effective objection to data processing in cases where the legal basis of the data processing is in the legitimate interest of the Administrator.
The period of data processing may be extended if processing is necessary for the establishment and assertion of possible claims or for the defence against them (for the duration of proceedings concerning the asserted claims, until their final conclusion, and in case of enforcement proceedings, until the final settlement of the asserted claims), and thereafter only to the extent required by law. After the end of the processing period, the data are irreversibly deleted or anonymised.
- Recipients of Personal Data
- entities responsible for the operation of IT systems, providing or maintaining the Administrator’s IT infrastructure, entities and persons providing legal services, companies archiving documents; the aforementioned entities have been / will be obliged to maintain confidentiality with regard to the personal data entrusted to them;
- entities entitled under separate regulations, e.g. to conduct inspections, as well as those interested on the basis of regulations on access to public information;
- state authorities or other entities authorised by law;
- in case of data processed within the framework of the procurement procedure – the recipients of the above personal data shall be those entities to which the documentation of the procedure will be made available; the data can be made available to authorised entities to which the documentation of the procedure will be made available, contractors and persons interested on the basis of legal regulations (e.g. access to public information), as well as entities processing data on the basis of concluded agreements related to the subject of the procurement procedure.
- The Administrator reserves the right to disclose selected information concerning the User to competent authorities or third parties who make a request for such information on the basis of an appropriate legal basis and in accordance with the provisions of the applicable law.
The controller acting within the limits of the law shall ensure privacy respect of the persons whose data they process.
- Personal Data processing rights
You have the right to:
- have access to your data and to receive a copy if necessary,
- rectify (amend) your personal data if they are incorrect or incomplete,
- restrict the processing of personal data,
- delete your personal data,
- object to the kind of personal data processing, that takes place on the basis of a legitimate interest of the Administrator; the objection in this respect should contain a justification,
- withdraw your consent – if your data are processed on the basis of your consent;
- lodge a complaint with the President of the Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw, if you consider that the processing of your Personal Data violates the provisions of the GDPR.
Request concerning exercising the aforementioned rights, should be submitted to the Company’s address indicated in section 1.1 or by e-mail to the following address: firstname.lastname@example.org
Right to object
Pursuant to Article 21(1) and (2) of the GDPR, you also have the right to object to data processing (Section 5.1.5 above) processed on the basis of the legitimate interests of the Data Controller. If you raise an objection, the Controller shall no longer be permitted to process your personal data unless she or he demonstrates that there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
- Security of Personal Data
The Administrator conducts risk analysis on an ongoing basis in order to ensure that they process Personal Data in a secure manner – ensuring in particular that only authorised persons have access to the data and only to the extent necessary for the performance of their tasks. The Administrator shall ensure that all operations on personal data are recorded and performed only by authorised employees and associates.
The Controller shall take all necessary measures to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.
- Information on profiling
Your personal data will not be subject to profiling or automated processing.
- Transfers of personal data outside the EEA
Your personal data will not be transferred to recipients in a third country outside the EEA or an international organisation.
The Policy is kept under review and updated if necessary. The current version of the Policy is effective from 1 September 2020.