Personal Data Protection Policy
Dated: 25 May 2018, updated on:
- 6 April 2020
- 1 May 2021
- 1 July 2021
- 4 April 2025
§ 1. Controllers and Definitions
- This Personal Data Protection Policy (hereinafter: “the Policy”) constitutes a general regulation of principles and requirements concerning personal data protection (hereinafter also: “Data Protection”) of the Controller: IT Professionals Sp. z o.o. Prosta 51, 00-838 Warsaw, entered in the Register of Entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 12TH Commercial Division of the National Court Register under KRS (National Court Register) no. 0000626275, NIP (Tax Identification Number) 7010592655, REGON (National Business Registry Number) 364872181, entered in KRAZ (National Register of Employment Agencies) under number 21150.
- This Policy along with the documents cited therein concerning data protection constitutes “data protection policy” within the meaning of Article 24(1-2) of the General Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119, page 1) (hereinafter: “the GDPR”).
- Detailed principles of data protection and procedures accepted have been described in a separate documentation which constitutes an integral part of our Policy and is the proof of accountability referred to in Article 5(2) of the GDPR. Detailed personal data protection policies describing technical and organizational measures applied are confidential and are not communicated to the general public.
- Personal data (hereinafter: “Personal Data” or “Data”) mean, pursuant to the GDPR, information about identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal data within the meaning of the GDPR also mean the data of the natural person running business activity.
- Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- Consent in this Policy is understood in line with the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Cross-border processing means:
a) processing of personal data which takes place in the Union in the context of the activities of establishments in more than one Member State of the Controller or the Processor in the Union where the Controller or the Processor is established in more than one Member State; or
b) processing of personal data which takes place in the Union in the context of the activities of a single establishment of the Controller or the Processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- Personal data processing means, according to the GDPR, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing – means marking of stored personal data with the aim of limiting their processing in the future.
- Personal data protection breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- International organization – means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
§ 2. Liable Entities
- The person liable for implementation and maintenance as well as supervision and monitoring of compliance with this Policy and personal data protection principles is the Controller.
- All members of the Company’s staff are responsible for application of the Set of Policies and data protection principles.
- Members of the Staff, within the meaning of the Set of Policies, are the following persons remaining in the Controller’s structures:
- employees within the meaning of the labor law,
- persons employed based on civil-law agreements,
- co-workers running business activity.
- Members of the Staff are hereinafter also referred to in the Set of Policies as “the Employees”/“Co-workers”.
§ 3. Data protection principles
- The data processed are:
· processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
· collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, in accordance with Article 89(1), not considered to be incompatible with the initial purposes (“purpose limitation”);
· adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
· accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
· kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
· processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
- Any activities concerning personal data protection should take into consideration the accountability principle formulated in the GDPR which requests the Controller to document how the obligations are met in order to be able to demonstrate compliance with the GDPR at any time.
- Processing of data concerning convicting judgments is unacceptable.
§ 4. Authorization for data processing
- All the persons performing personal data processing may act only on the basis and within the limits of the order and authorization issued by the Controller.
- The Controller keeps the register of issued orders and authorizations.
- External entities (hereinafter: “Processing Entities”), that is the entities which do not decide about the purposes and manners of data processing, perform personal data processing only on the basis and within the limits of a personal data processing agreement entered into with the Controller/Controllers.
- Registers of personal data protection agreements are maintained.
§ 5. Rights and obligations concerning natural person’s rights
- Any information directed to the persons whose data are processed by the Controller indicates the legal basis for processing. Provisions of the GDPR allow for the possibility of personal data processing only in strictly determined cases as follows:
- when the data subject agreed to that pursuant to Article 6(1)(a) of the GDPR (e.g. for the purposes of recruitment or in order to leave his or her data for the purposes of future recruitment). Such agreement will also be understood as voluntary action of a natural person;
- when the data subject agreed to that in writing pursuant to Article 9(2)(a) of the GDPR;
- when the processing is necessary for the performance of a contract which the data subject is party to or in order to take steps at the request of the data subject prior to entering into a contract; pursuant to the Article 6(1)(b) of the GDPR (e.g. personal data processing in order to conclude employment agreement within the scope of data indicated in Article 221 of the Labor Code), in addition to personal data of service providers and customers;
- when processing is necessary in order to protect vital interests of the data subject or of another natural person;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
- processing is necessary in order to fulfill the obligations and perform specific rights by the Controller or a data subject in the field of labor law, social security and social protection, provided that it is allowed by the law of the Union or the law of the Member State, or the collective agreement pursuant to the law of the Member State foreseeing relevant safeguards for fundamental rights and interests of the data subject, pursuant to Article 9(2)(b) of the GDPR, e.g. as regards referring employees to occupational health examinations.
- The Controller fulfills disclosure requirements with respect to the data subjects by handing over the information required by law while collecting data (information clauses).
2.1. Information for Candidates [here]
2.2. Information for Contractors [here]
2.3. Information for the persons following the fan page [here]
- The person whose data are processed may withdraw the consent for data processing at any time. Withdrawing the consent has an effect only on the future. In the case of persons who have a contract with the Controller, appropriately secured data may be stored to the extent necessary to pursue future claims arising from the concluded and executed contract, however not longer than the statute of limitations of claims or separate tax provisions. Withdrawal of the consent does not influence the lawfulness of processing which was performed before its withdrawal.
- In the event of breach of personal data protection consisting in particular in:
- a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data;
- a breach of security leading to unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, there is a procedure strictly determined in the GDPR on reporting data breach and notifying data subjects. Breach register is maintained as required by the provisions of Article 33(5) of the GDPR;
- the Controller applies the procedure of evaluating breach gravity recommended by the Personal Data Protection Office based on the methodology prepared by the European Union Agency for Cybersecurity (ENISA).
- Pursuant to Article 15 of the GDPR, every natural person has the right to access his or her personal data and obtain their copy, and pursuant to Article 16 of the GDPR, the right to rectify personal data (update).
- The data subject has the right to be forgotten. That right consists in:
- the possibility to request by the data subject of erasure of his or her personal data by the Controller,
- the possibility to request that the Controller informs other data controllers to whom they disclosed or entrusted the personal data that the data subject requests that his or her data be permanently deleted along with existing copies.
- Pursuant to Article 18 of the GDPR, every natural person has the right to request restriction of personal data processing if:
- he or she contests the accuracy of his or her data,
- the processing is unlawful,
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims,
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- The data subject has the right to transmit the data. That right consists in the possibility to request:
- to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format;
- the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided.
- The right to transmit data may be exercised only when:
- the processing is based on consent or on a contract and
- the processing is carried out by automated means. The right to transmit the data covers only the personal data processed using information systems and does not cover traditional sets of data, e.g. in a paper form.
- The right to object (e.g. if personal data processing occurs based on the legitimate interest of the Controller).
- The right not to be subject to automated decision-making, including profiling.
- The right to report presumption of violation of personal data protection provisions by the Controller, including the principles of their processing, to the President of the Personal Data Protection Office with its registered seat in Warsaw (00-193) at ul. Stawki 2.
§ 6. Period of personal data storage
- If consent is the basis for personal data processing, personal data may be processed as long as the consent is not withdrawn, unless detailed policies state otherwise (such information is provided every time in the disclosure requirement during personal data collection). A procedure for deleting or archiving personal data is applied according to the principle of timeliness of data processing in correlation with applicable provisions resulting e.g. from the Labor Code, Civil Code, the Act on Accounting, etc.
- If execution of agreement is the basis for personal data processing, personal data may be processed as long as it is necessary to execute the agreement, and afterwards, for the period of time resulting from the obligation to store accounting and bookkeeping data (pursuant to the provisions in force) or for the period of time necessary in order to seek claims or for statute of limitation of claims that may be raised by the Controller or that may be raised with respect to them.
- In other cases, the period of data storage is regulated by separate provisions respected by the Controller.
§ 7. Personal data security
- It needs to be taken into account that the GDPR provisions do not provide specific means of securing personal data. However, they introduce the principle that selection of security measures should be based on:
- the state of technical knowledge,
- implementation cost,
- nature, scope, context and purposes of processing,
- risk of breaching the rights or freedoms of natural persons of various probability of occurrence and threat scale.
- Taking into account the purpose and context of personal data processing, the Controller performed evaluation and analysis of risks connected with processing; based on that, they applied appropriate technical and organizational measures securing the data (including in particular procedures, policies, cryptographic measures, pseudonymization).
- The Controller implemented a number of procedures aimed at continuity of operation. Such procedures constitute integral part of this policy and are confidential due to security measures described and applied.
- The personal data of work candidates who sent their application documents via the website itprofessionals.com.pl will be processed by the Processor according to the terms and conditions determined in the applicable privacy policy. More information may be found at [here].
§ 8. Personal data sources
- Personal data Controller obtains personal data directly from personal data entities and fulfills disclosure requirements pursuant to Article 13(1) and (2) of the GDPR.
- Personal data Controller may also obtain personal data from other sources such as the LinkedIn platform – by performing the obligations levied by Article 14 of the GDPR; the National Court Register and other sources in order to check the entities with whom they will establish commercial relations.
- The Controller also processes personal data of the persons who follow and/or like, comment, etc. Facebook fan page named: recruitment. More information may be found in § 5, paragraph 2.2.
§ 9. Cookies Policy
1. Introduction
This policy regarding cookies explains what cookies are and how we use them. You need to familiarize yourself with these principles in order to understand what cookies are, how we use them, what type of cookies we use, e.g. what information we collect using cookies and how that information is used and how to control preferences concerning cookies. More information on the manner in which we use, store and secure your personal data may be found in our Privacy Policy.
Find out more about who we are, how to contact us and how we process personal data in our Privacy Policy.
Your consent concerns the following domains: itprofessionals.com.pl
2. What are cookies?
Cookies are small text files which serve to store information necessary for a web application to operate. Such files are saved on a user’s device after loading a website into their browser. Such files help us to ensure correct functioning of a website, increase its security, facilitate using a website and understanding its operation, as well as in the analysis of what works and what requires fixing.
3. How do we use cookies?
Like most online services, our website uses cookies. The cookies which we use are necessary for correct functioning of the website and do not collect any personal data.
4. What cookies do we use?
In this section you will find information on cookies used on our website.
Necessary
Necessary cookies are absolutely needed for a proper functioning of the website. In this category there are only those cookies which ensure basic functions and safeguards of the website. These cookies do not store any personal data.
| COOKIE | DESCRIPTION | Storage time on the terminal device |
|---|---|---|
| remember | Contains information that may be used by the application’s server to automatically authenticate a user during the next visit to the instance. | |
| laravel_session XSRF_token | Used to track sessions. Tracks user’s data such as authentication data of a logged-in person. XSRF_token is used to stop cross-site postscripts and to set a form’s lifetime for security reasons. | |
| viewed_cookie_policy | Set by the GDPR Consent Cookie plug-in and is used to store whether a user agreed to the use of cookies. It does not store any personal data. | |
| cookielawinfo-checkbox-necessary | Set by the GDPR Cookie Consent plug-in. It is used to store a user’s consent on cookies in the “Necessary” category. | |
5. How may I control my preferences concerning cookies?
You may modify cookies management at any moment with your browser’s settings. Withdrawal of the consent will disable the use of all cookies and may affect some functions of the website itprofessionals.com.pl, leading to total or partial blocking of some of its functions.
If you wish to change browser’s settings regarding cookies, you may use the following instructions:
The above types of browsers have been indicated as an example. Due to big variability of browsers used, there may be some differences in setting them in such a way that will make it impossible to install cookies. Usually, information about cookies may be found in the menu “Tools” or “Options”. More detailed information in that regard may be most often found on the website of a given browser’s producer.