DATA PROCESSING REGULATIONS AT EXTREGO S.A.
In connection with the implementation of a transport or forwarding order (further referred to as the order), the Parties transfer and process the personal data of their employees, subcontractors, contractors who will participate in the implementation of the order.
In connection with the above, it became necessary to determine the principles of personal data processing.
The Parties agree that the processing principles set out below regulate their rights and obligations related to the processing of personal data. The Parties have identical rights and obligations to the extent that they transfer personal data to each other for processing.
- Under the conditions set out in these regulations and in accordance with the conditions of cooperation between the Parties, the Parties process personal data (within the meaning of the GDPR). The Parties act as individual administrators of personal data in connection with the processing of personal data, the processing of which is carried out for the purpose necessary to perform the obligations arising from the order and only in accordance with the instructions received.
- The Parties declare that they have a legal basis for the processing of personal data they provide, and have also undertaken all actions required by law.
- The Parties declare that they are aware that the data provided by them may be further transferred outside the European Economic Area (EEA) as long as it is necessary for the implementation of individual orders, and in particular to such countries as, among others: Switzerland, Ukraine, Turkey , Serbia, Morocco, Bosnia and Herzegovina, Macedonia, etc.. In the case of some of the abovementioned the Commission has identified an inadequate level of protection by a third country, territory or specific sector or specific sectors in those third countries or international organizations to which personal data will be transferred. The Parties apply appropriate and relevant safeguards for the personal data provided. The Parties may obtain a copy of the data or information about the place of access to data transferred outside the EEA.
- The Parties declare that in connection with the arrangements contained in item 3, they informed all entities whose data they transfer about its transfer outside the EEA, and provided them with relevant information required by law.
- The processing will be carried out during the period in which the Parties remain in economic relations, or until the consent to the processing of personal data is withdrawn.
- Personal data will be processed in order to perform services consisting in the implementation of orders, facilitating and supervising their performance, enabling the contact of the Parties and their subcontractors with employees, subcontractors, contractors, and also enabling specific legal actions if necessary.
- The processing will include personal data necessary to provide services. Data processing will concern the following categories of people: employees, subcontractors, contractors, members of the Management Board. Data processed by the Parties includes identification data, identity details and contact details.
- The Parties have the following obligations:
- Compliance with the GDPR;
- Restricting access to data only to persons whose access to data is needed to carry out the order and who have the appropriate authorization (art. 25 sec. 2 GDPR);
- Staff training. The Parties are required to provide persons authorized to process data with appropriate training in the field of personal data protection.
- The Parties are obliged to cooperate in the implementation of the Regulations, provide explanations in case of doubts as to the legality of processing, as well as fulfill their specific obligations in a timely manner.
- The Parties ensure and undertake that they will comply with the provisions of generally applicable law and the provisions of these Regulations.
- The Parties shall inform each other of any suspected breach of data protection, but no later than within 24 hours of the first notification of such breach. Thus, enabling participation in explanatory activities and informing about the findings as soon as they are made, in particular about the finding of a breach or lack thereof.
- The Parties are responsible for damages caused by their actions in connection with a failure to comply with obligations that the GDPR imposes directly on the Parties. The Parties are also responsible for damages caused by the application or non-application of appropriate security measures.
- The Parties are obliged to retain documents constituting evidence of data processing in accordance with applicable regulations and in relation to services provided for appropriate periods of detention after cooperation.
- Data transfer is carried out under the conditions set out in these Regulations. It includes personal data required to complete orders.
- Data transfer results from the nature of the relations between the Parties, it consists in particular in the need to execute orders and supervise their execution, enabling contact between one Party (contractor) and their contractors and subcontractors with subcontractors and contractors of the other Party.
- The Administrator of your personal data pursuant to art. 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC is Extrego spółka akcyjna (joint-stock company) with its registered office in Świlcza, Świlcza 146E, 36-072 Świlcza, entered into the National Court Register of Entrepreneurs under number 0000735176, NIP (Tax Identification Number): 8133781093, REGON (Polish Business Registry Number): 38020291800000.
- The administrator has appointed a data protection officer. The officer’s contact details: e-mail: firstname.lastname@example.org.
- Your data is processed to the extent that it results from the essence of relations between you and the Administrator, in particular the provision and facilitation of the provision of services by the Administrator for the implementation of transport orders and supervising their implementation, enabling the contact of the Administrator and their contractors with you, issuing and delivery of VAT invoices and other accounting and legal documents, pursuant to Art. 6 sec. 1 letter b and c of the GDPR.
- Personal data will be processed for the period in which the Parties remain in economic relations, or until revocation of consent to the processing of personal data, as well as for the period required by applicable law.
- The basis for data processing:
- your consent,
- a transport or forwarding contract or order concluded with the Service Provider,
- generally applicable law.
- The Administrator declares that your data may be further transferred outside the European Economic Area (EEA) as long as it is necessary for the implementation of individual orders, and in particular to such countries as, among others: Switzerland, Ukraine, Turkey, Serbia, Morocco, Bosnia and Herzegovina, Macedonia, etc.. In the case of some of the abovementioned the Commission has identified an inadequate level of protection by a third country, territory or specific sector or specific sectors in those third countries or international organizations to which personal data will be transferred. The Administrator applies appropriate and relevant safeguards for the personal data provided. You may obtain a copy of the data or information about the place of access to data transferred outside the EEA.
- You have the right to inspect the content of your data, assert liability in connection with the Administrator’s violation of the law and the contract, the right to rectify it, raise a reasoned objection to its further processing and its transfer, and in disputes, to raise objections to the personal data protection supervision authority.
- You also have the right to withdraw your prior consent, but without affecting the processing that took place before the consent was withdrawn.
- The data may be made available to entities that are authorized on the basis of legal provisions and entities to which the Administrator has entrusted data for the proper provision of services for the purpose and scope necessary for these activities, including, if necessary, subcontractors, ferry and tunnel managers, etc., as well as entities related to the Administrator who receive your data to enable the Administrator to meet contractual obligations (such as accounting offices, legal advisers, etc.).
- Providing data is voluntary, but necessary to carry out the activities described in item 4.
- In order to exercise the rights referred to in item 8-9 you should contact the Data Protection Officer.