Information Clause

When processing personal data, we always abide by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).

We do our utmost to ensure that your personal data is properly secured by the latest technologies. We train our personnel and raise awareness in the area of personal data protection.

We also do everything to act openly and transparently. This site is for you to learn the most relevant information about our processing of personal data.

If you have questions regarding the method and scope of personal data processing by Asseco Business Solutions S.A., as well as regarding your rights, please contact the Company at: ul. Konrada Wallenroda 4c, 20-607 Lublin, Poland, or get in touch with our Data Protection Officer, Ms Ewa Iwanko, via e-mail at: odo@assecobs.pl

Information Clause on the processing of personal data by Asseco Business Solutions S.A. in connection with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).

Controller
The controller of your personal data is Asseco Business Solutions S.A., having its registered office in Lublin (20-607), at ul. Konrada Wallenroda 4C, reg. no. KRS: 0000028257, business ID REGON: 017293003, tax ID NIP: 5222612717 (hereinafter “Controller”).
Contact in matters related to personal data processing
For any matters related to personal data processing, please, contact the Controller via the designated Data Protection Officer at: Asseco Business Solutions S.A. ul. Konrada Wallenroda 4C, 20-607 Lublin or by e-mail by writing to: odo@assecobs.pl.
Purpose of processing Legal basis
If you are a natural person and a sole proprietor who has entered into an agreement with Asseco BS, your personal data will be processed for the following purposes:
  • to perform under an agreement that you have entered into with the Controller;
  • Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR);
  • for the Controller to comply with the legal obligations, in particular related to tax law and accounting regulations;
  • Article 6(1)(c) GDPR – legal obligation;
  • resulting from the Controller’s legitimate interests, in particular to maintain contact with a party concluding an agreement and during the term of the same; to carry out direct marketing of the Controller’s products and services, including, if you consent to it, the distribution of commercial information by electronic means (such as invitations to events organised by the Controller or information about its products and services); to monitor and improve the quality of services provided, including the handling of complaints, and to establish, exercise or defend against legal claims.
  • Article 6(1)(f) GDPR – legitimate interests.
If you are or may be a party to an agreement (order), your personal data will be processed for the following purposes:
  • conclusion, performance, and settlement of the agreement (order), including the Controller’s provision of a user account in one of its websites;
  • Article 6(1)(b) and (c) GDPR – performance of an agreement to which the data subject is a party and a legal obligation;
  • establishment, exercise, and defence against legal claims.
  • Article 6(1)(f) GDPR – legitimate interest.
If you are a contact person, agent, or another person representing an entity that has entered into an agreement with the Controller or another person involved in the performance of an agreement with the Controller, your personal data will be processed for the following purposes:
  • resulting from the Controller’s legitimate interests, in particular to maintain contact with a party concluding an agreement with the Controller,  to verify whether any person who contacts the Controller is authorised to take action on behalf of that party; to ensure the proper performance under the said agreement, and to defend against any claims;
  • Article 6(1)(f) GDPR – legitimate interests;
  • for the Controller to comply with the legal obligations, in particular related to tax law and accounting regulations.
  • Article 6(1)(c) GDPR – legal obligation.
If you participate in a recruitment procedure held by Asseco BS, your personal data will be processed for the following purposes:
  • to carry out the recruitment process involving your submission of application documents;
  • Article 6(1)(b) GDPR – to take action at the request of the data subject prior to concluding an agreement;
  • Article 6(1)(c) GDPR – a legal obligation under Article 221 § 1 of the Polish Labour Code and the Regulation of the Minister of Family, Labour and Social Policy on employee documentation (applicably only to persons applying for a position that requires the conclusion of a contract of employment);
  • Article 6(1)(a) GDPR – data subject’s consent to the processing of his or her personal data other than provided for in labour law (e.g. a photo in a CV);
  • Article 9(2)(a) GDPR – data subject’s consent if the application contains special categories of personal data (sensitive data);
  • Article 10 GDPR – data processing is allowed by EU or Member State law if recruitment for a specific position requires the disclosure of personal data relating to convictions or offences;
  • future recruitment procedures carried out by the Controller;
  • Article 6(1)(a) GDPR – data subject’s consent;
  • establishment, exercise or defence against legal claims.
  • Article 6(1)(f) GDPR – legitimate interest.
If you are a recipient of commercial information and marketing communications distributed by Asseco BS or visit the Asseco BS website, your personal data will be processed for the following purposes:
  • direct marketing of the Controller’s products and services;
  • the processing of application forms;
  • distribution of commercial information by electronic means, in particular newsletters, invitations to events organised by the Controller, information about the Controller’s operations and services, and the offering of the Controller’s products and services;
  • distribution of information about the Controller’s operations, services, and events, and other information that may be of interest to users;
  • Article 6(1)(f) GDPR – legitimate interest;
  • Commercial information will be sent only to persons who have agreed to receive it from Asseco BS within Article 10(2) of the Act of 18 July 2002 on the Provision of Services by Electronic Means;
  • Direct marketing via a telecommunications terminal device (telephone) will be addressed only to persons who have consented to it in accordance with Article 172(1) of the Act of 16 July 2004 Telecommunications Law;
  • making software available in a demo mode;
  • Article 6(1)(a) GDPR – data subject’s consent;
  • administration and management of the Controller’s website (in particular, confirmation and authentication of identity and prevention of access by unauthorised persons);
  • aggregation (statistics) of data for the purpose of analysis and enhancements in the operation of the website;
  • Article 6(1)(f) GDPR – legitimate interest;
  • Cookies are small text files saved in your computer while you are visiting a website to enable a more personalised user experience upon further visits. If you do not wish to receive cookies, you can manage and control them in your browser settings. Before getting registered on our website, you must accept cookies. Upon leaving our website, you can delete cookies from your browsing history (cache memory). For more information, please go to the dedicated cookies tab (Cookies Policy);
  • establishment, exercise or defence against legal claims.
  • Article 6(1)(f) GDPR – legitimate interest.
If you participate in events (conferences, demos, fairs, webinars) held by Asseco BS, your personal data will be processed for the following purposes:
  • organisation of events (conferences, demos, fairs, webinars);
  • Article 6(1)(a) GDPR – data subject’s consent;
  • sharing personal data with the event organiser(s) (e.g. to inform about the time and venue of the event); this applies to situations where an event is held by an entity other than the Controller;
  • Article 6(1)(f) GDPR – legitimate interest;
  • establishment, exercise or defence against legal claims.
  • Article 6(1)(f) GDPR – legitimate interest.
If you are a user of our profiles, pages, or social media channels, Asseco BS will process your personal data for the following purposes:
  • running profiles, pages, or channels for, in particular:
    • image building through, but not only: advertising, establishing cooperation, promotion, and presentation of the Controller in social networks;
    • publishing job offers;
    • building and maintaining a community through communication via the available functionalities of social media pages (comments, chat, messages, likes, etc.).
  • Social media are used to promote the Controller, including its experts, products, events, and success stories. They represent one of the Controller’s external communication channels. The Controller uses such services as: Twitter, Linkedln, Facebook, Instagram, YouTube;
  • The Controller’s cooperation with social media operators is based on the terms and conditions set out by these operators. We inform about our activity, promote our events, our brand, products and services pursuant to these terms and conditions;
  • Article 6(1)(a) GDPR – consent; the basis for the processing of your personal data is, in most cases, your implied consent expressed by joining the Controller’s profile in social media;
  • Browsing our profiles, websites, or social media channels also enables linking to websites, social networks, applications and other functions that are not owned by the Controller. By doing so you will cause your personal data to be processed by entities independent of the Controller, in particular the operators of the aforesaid websites that are beyond Controller’s control, and the Controller cannot be held liable for them. We make every effort to protect your personal data properly, hence we recommend rational use of unknown functionalities and applications; before using them, be advised to read their privacy policy;
  • establishment, exercise or defence against legal claims.
  • Article 6(1)(f) GDPR – legitimate interest.
Transfer of personal data to other entities

The recipients of your personal data, only in cases where it is necessary and to the extent necessary, may be:

  • public authorities or other lawfully authorized entities;
  • persons authorized by the Controller;
  • processors commissioned by the Controller to perform the Controller’s obligations, whereby such processors process data pursuant to an agreement with the Controller and only on Controller’s instructions,
  • entities cooperating with the Controller as service providers and supporting the Controller’s ongoing business processes, in particular entities providing IT, legal, and courier services and other entities acting on behalf of the Controller (external suppliers supporting Controller’s business),
  • partners in our business projects (the list of partners is available here)
  • members of the Asseco Group listed at https://pl.asseco.com/o-asseco/grupa-kapitalowa/
  • social media operators in accordance with the terms and conditions set by them.
Categories of personal data concerned
We process the following categories of personal data: name and surname along with any of the following categories: e-mail address, telephone number, fax number, geographical address, data that you disclose in social media services (in accordance with the profile set-up), data transferred voluntarily in messages, and, if an agreement has been concluded, also the relevant personal identifier, such as PESEL or NIP; in each case, the processing will be limited only to this data that is necessary to achieve a specific purpose.
Transfer of personal data to a third country
Your personal data will be stored on servers in the European Union and may be transferred, on the basis of standard data protection clauses, to a third country in connection with the use by the Controller of cloud solutions provided by Microsoft. The standard contractual clauses used by Microsoft in accordance with the model terms approved by the European Commission are available at: www.microsoft.com/en-us/licensing/product-licensing/products.aspx under “Online Services Terms (OST).”
Storage of personal data
Your personal data will be processed throughout the term of an agreement concluded with the Controller, and after this period, for the period of limitation of any claims under generally applicable law.

If the processing is necessary for the Controller to fulfil a legal obligation, your personal data will be processed for the period provided for in generally applicable law, in particular tax law and accounting regulations.

If the processing is necessary for the purposes of the Controller’s or third party’s legitimate interests, your personal data will be processed for a period not longer than necessary for the purposes for which the processing takes place or until an objection to the processing is raised, subject to the Controller or a third party claiming legitimate grounds for processing which override your interests, rights and freedoms or grounds for establishing, exercising or defending against claims.

If your personal data is processed based on your consent, it will be processed for a period not longer than necessary for the purposes for which the processing takes place or until the consent is withdrawn, as well as for the period necessary to safeguard the enforcement of civil law claims that could arise in connection with the subject of the consent.
What rights can you exercise in connection with personal data processing?
If you are a natural person and a sole proprietor who has entered into an agreement with the Controller, you have the right to demand:
  • access to your personal data
  • rectify your personal data
  • deletion of your personal data
  • restrict the processing of your personal data;
  • transfer of your personal data, including the right to receive it and send it to another controller or to demand, if technically possible, that the data be transferred directly to another controller, to the extent provided for the agreement
  • the lodging of a complaint to a supervisory authority, i.e. to the President of the Office for Personal Data Protection.
Besides, you have the right to object to the processing of your personal data as regards the processing based on the Controller’s legitimate interest.
If you are a contact person, agent, or another person representing an entity that has entered into an agreement with the Controller or another person involved in the performance of an agreement with the Controller, you will have the right to demand:
  • access to your personal data
  • rectify your personal data
  • deletion of your personal data
  • restrict the processing of your personal data;
  • transfer of your personal data, including the right to receive it and send it to another controller or to demand, if technically possible, that the data be transferred directly to another controller, to the extent provided for the agreement (however, due to the fact that the Controller does not process your personal data on the basis of Article 6(1)(a-b) GDPR, you will not be able to exercise this right)
  • the lodging of a complaint to a supervisory authority, i.e. to the President of the Office for Personal Data Protection.
Besides, you have the right to object to the processing of your personal data as regards the processing based on the Controller’s legitimate interest.
Is the provision of personal data obligatory?
If you are a natural person and a sole proprietor who has entered into an agreement with the Controller, the provision of personal data is voluntary, yet necessary to enter into that agreement.

In some cases, the law may impose on the Controller an obligation to obtain your personal data, e.g. for tax or accounting purposes. In the remaining cases, your provision of personal data is voluntary but failure to provided it may make it impossible to achieve the purposes listed above (e.g. the Controller will not be able to send you any commercial communication about its products).
If you are a contact person, agent, or another person representing an entity that has entered into an agreement with the Controller or another person involved in the performance of an agreement with the Controller, the provision of personal data is voluntary, yet necessary to establish contact and ensure proper performance of the agreement concluded with the Controller.

In some cases, the law may impose on the Controller an obligation to obtain your personal data, e.g. for tax or accounting purposes.
Automated decision-making
Under no circumstances may the Controller use your personal data for automated decision-making that may affect your legal situation. However, your provided personal data may be processed in order to adapt our transferred marketing content, offers, or information to your interests and business or professional activity. If you use our profiles, web pages, or social media channels, your personal data may be profiled in accordance with the terms of use of social media operators.
Source of personal data
If you are a contact person, agent, or another person representing an entity that has entered into an agreement with the Controller or another person involved in the performance of an agreement with the Controller, the Controller has obtained your personal data as a result of its provision in the following circumstances: (i) you were named as the person authorised to represent an entity that had entered into an agreement with the Controller or the contact person in an agreement concluded with the Controller, (ii) your personal data was transferred in a different way during the term of an agreement concluded with the Controller for the purposes of proper performance under the agreement, or (iii) your personal data was obtained from publicly available sources (e.g. Central Register and Information on Economic Activity).