PERSONAL DATA PROCESSING TRANSPARENCY POLICY OF THE EUROCASH GROUP

At Eurocash Group, it is particularly important for us to take care of the personal data protection of all those who come into contact with Eurocash Group companies. For this reason, Eurocash Group companies are guided by the principles arising from this Transparency Policy when processing personal data. The list of Eurocash Group companies with information about their offices and the ways of communicating with them, as well as contact details of the Data Protection Officer appointed by the companies can be found HERE.
 
1. DEFINITIONS
 

1.1. Controller - a Eurocash Group company with which you are bound by a relationship resulting in the need to process your personal data.

SEE THE IDENTITY OF EUROCASH GROUP COMPANIES, THEIR CONTACT DETAILS AND DATA PROTECTION OFFICER DETAILS
 
1.2. Personal data - information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact data, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

1.3. Policy - this personal data processing Transparency Policy.

1.4. GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Data subject - any natural person whose personal data are processed by the Controller.


2. DATA PROCESSING BY THE CONTROLLER

2.1. In connection with its business activities, the Controller collects and processes personal data in accordance with applicable laws, including in particular GDPR and the data processing rules provided therein.

2.2. The Controller shall ensure transparency of the personal data processing. In particular, the Controller shall always notify data subjects about the processing of data at the time of their collection, including the purpose and legal basis for processing (e.g. when concluding a contract for the sale of goods or services). The Controller shall ensure that the data are collected only to the extent necessary for the stated purpose and processed only for the required time.

2.3. When processing personal data, the Controller shall ensure their security and confidentiality, as well as provide access to information about the processing to data subjects. If, despite the security measures in place, there is a breach of personal data protection (e.g., data "leakage" or data loss), resulting in a high risk of breaching the rights and freedoms of data subjects, the Controller shall inform the data subjects of such an event, in a manner consistent with the legal regulations.

3. CONTACT WITH THE CONTROLLER

3.1. Contact with the Controller is possible via the email addresses or correspondence addresses, specified for each of the Eurocash Group companies at the link provided in the introduction to this Transparency Policy.

3.2. The Controller has appointed a Data Protection Officer, who can be contacted via email, phone call or in writing at the address of the Controller's registered office on any matter concerning the processing of Personal Data by the Controller. You will find the contact details of the Data Protection Officer above, in the link provided in the introduction to this Transparency Policy.

4. PERSONAL DATA SECURITY

4.1. In order to ensure data integrity and confidentiality, the Controller has implemented procedures to allow access to personal data only to authorised persons and only to the extent necessary due to their tasks. The Controller shall use organisational and technical solutions to ensure that all operations on personal data are recorded and performed only by authorised persons.

4.2. In addition, the Controller shall take all necessary measures to ensure that its subcontractors and other cooperating entities also provide a guarantee of the application of appropriate security measures whenever they process personal data on behalf of the Controller.

4.3. The Controller conducts an ongoing analysis of the risks related to personal data processing and monitors the adequacy of the data security measures used in relation to the identified threats. If necessary, the Controller shall implement additional measures to enhance data security.

5. PURPOSES AND LEGAL BASIS FOR PROCESSING

EMAIL AND TRADITIONAL CORRESPONDENCE

5.1. If the Controller receives (via email or traditional means) correspondence unrelated to the services provided to the sender or any other agreement concluded with the sender, the personal data contained in such correspondence shall be processed solely for the purpose of communication and settlement of the matter to which the correspondence relates.

5.2. The legal basis for processing is the legitimate interest of the Controller (Article 6(1) item f of the GDPR) involving correspondence addressed to the Controller in connection with its business activities.

5.3. The Controller shall only process personal data relevant to the matter to which the correspondence relates. All correspondence shall be stored in a manner that ensures the security of the personal data and other information contained therein and shall be disclosed only to authorised persons.

TELEPHONE CONTACT

5.4. When contacting the Controller by telephone on matters unrelated to the agreement concluded or services provided, the Controller may request providing personal data only if it is necessary to handle the matter to which the phone call relates. In such a case, the legal basis for processing is the legitimate interest of the Controller (Article 6(1) item f of the GDPR), involving the need to handle reported matters related to the business activity conducted.

5.5. Phone calls can also be recorded, in which case the appropriate information is given to the natural person at the beginning of the call. Calls are recorded to monitor the quality of the service provided and verify the work of consultants, as well as for statistical purposes. The recordings are available only to the Controller's employees and the Controller's hotline operators.

5.6. Personal data in the form of a recording of the phone call are processed:

5.6.1. for purposes related to the service of clients and stakeholders via the hotline if the Controller provides such a service – the legal basis is the legitimate interest of the Controller (Article 6(1) item f of the GDPR) involving communication with its clients and responding to requests directed to the Controller;

5.6.2. to monitor the quality of service and verify the work of hotline consultants, as well as for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6(1) item f of the GDPR) involving ensuring the highest possible quality of service to clients and stakeholders as well as the highest quality of consultants' work, and conducting statistical analysis of telephone communication;

5.6.3. in order for the Controller to establish or pursue potential claims or defend against claims made against the Controller - the legal basis for data processing is the Controller's legitimate interest (Article 6(1) item f of the GDPR).

VIDEO SURVEILLANCE AND ACCESS CONTROL

5.7. Due to the need to ensure the safety of persons and property, the Controller uses video surveillance and controls access to the managed premises and the area. The data collected in this way are not used for any other purposes than those specified below.

5.8. Personal data in the form of surveillance footage and data collected in the entry and exit register are processed to ensure the safety of persons and property and to maintain order on the premises, and possibly to defend against claims made against the Controller or to establish and pursue claims by the Controller. The legal basis for the processing of personal data is the legitimate interest of the Controller (Article 6(1) item f of the GDPR) involving ensuring the safety of persons and property located on the premises managed by the Controller and protecting the Controller's rights.

5.9. The area covered by the Controller's surveillance is marked with appropriate visual signs.

RECRUITMENT

As part of the recruitment processes, the Controller expects the transfer of personal data (e.g., in a resume) only to the extent specified in the labour laws. Therefore, information should not be provided in a broader scope. If the submitted applications contain additional data beyond the scope indicated by the labour law, their processing shall be based on the candidate's consent (Article 6(1) item a of the GDPR), expressed through an explicit confirmatory action such as the candidate's submission of application documents. If the submitted applications contain information that is inadequate for the purpose of recruitment, they shall not be used or taken into account in the recruitment process.

5.10. Personal data are processed:

5.10.1. if the preferred form of employment is an employment contract - in order to comply with legal obligations related to the employment process, including primarily the Labour Code - the legal basis for processing is a legal obligation incumbent on the Controller (Article 6(1) item c of the GDPR in connection with labour law regulations);

5.10.2. if the preferred form of employment is a civil law contract - in order to conduct the recruitment process - the legal basis for processing the data contained in the application documents is taking action prior to the conclusion of a contract at the request of the data subject (Article 6(1) item b of the GDPR);

5.10.3. in order to carry out the recruitment process for data not required by law or the Controller, as well as for the purpose of future recruitment processes - the legal basis for data processing is consent (Article 6(1) item a of the GDPR);

5.10.4. in order to establish or pursue potential claims by the Controller or defend against claims made against the Controller - the legal basis for data processing is the Controller's legitimate interest (Article 6(1) item f of the GDPR).

5.11. To the extent that personal data are processed based on consent, the consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before such withdrawal. If consent is given for future recruitment processes, personal data are deleted after two years - unless consent has been withdrawn earlier. Consent may be withdrawn by contacting the individual company through the channels of communication specified in the introduction to this Policy (you will find information about the relevant email address, telephone number and address of the Controller's registered office above, in the link provided in the introduction to this Policy).

COLLECTING OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS

5.12. If the data are collected for purposes related to the performance of a specific contract, the Controller shall provide the Data Subject with details of the processing of their personal data at the time of entering into the contract, or at the time of obtaining the personal data in case the processing is necessary for the Controller to take action at the Data Subject's request, prior to entering into the contract.

PROCESSING OF PERSONAL DATA OF STAFF MEMBERS OF CONTRACTORS OR CLIENTS COOPERATING WITH THE CONTROLLER

5.13. In connection with the conclusion of commercial contracts in the course of business, the Controller obtains from contractors/clients data of persons involved in the execution of such contracts (e.g. persons authorised to contact, place orders, execute orders, etc.). The scope of the data transferred is in any case limited to the extent necessary for the performance of the contract and typically does not include information other than full name and business contact details.

5.14. Such personal data are processed in order to pursue the legitimate interests of the Controller and its contractor (Article 6(1) item f of the GDPR), which is to enable the proper and effective performance of the contract. Such data may be disclosed to third parties involved in the execution of the contract, as well as to entities gaining access to the data based on public information disclosure regulations and proceedings conducted under the public procurement law, to the extent provided by these regulations.

5.15. The data are processed for the period necessary to pursue the above interests and to fulfil regulatory obligations.

DATA OF ONE-TIME SUPPLIERS

5.16. With regard to the one-time provision of services, considering suppliers running sole proprietorships and due to the need to issue invoices for services provided, the Controller, in connection with legal obligations under accounting regulations, shall process personal data of suppliers to record accounting documents. The scope of the processed data shall include full name, business name, tax identification number, REGON number, and address of the registered office.

5.17. Such personal data are processed to fulfil legal obligations imposed on the Controller by accounting regulations (Article 6(1) item c of the GDPR). Such personal data may be disclosed.

DATA COLLECTION IN OTHER CASES

5.18. In connection with its operations, the Controller also collects Personal Data in other cases - for example, by building and using lasting mutual business contacts (networking) at business meetings, industry events, or by exchanging business cards - to initiate and maintain business contacts. In this case, the legal basis for processing is the legitimate interest of the Controller (Article 6(1) item f of the GDPR), involving networking in connection with its business activities.

5.19. Personal data collected in such cases shall be processed only for the purpose for which they were collected, and the Controller shall ensure their adequate protection.

ONLINE MEETINGS

5.20. As part of the online meetings arranged by the Controller, the participants' personal data are processed for the purpose of conducting such meetings. The legal basis for such processing is the Controller's legitimate interest in arranging and conducting a remote meeting with invited participants (Article 6(1) item f of the GDPR). Providing data for the indicated purpose is voluntary, but necessary for the online meeting to be carried out. Without providing the data, it will be impossible to participate in the online meeting.

5.21. The Controller uses Microsoft Teams to hold online meetings, which involves the processing of users' personal data by Microsoft. HERE you can read Microsoft's Privacy Policy. When using this tool, there is no transfer of data outside the EEA.

6. DATA RECIPIENTS

6.1. In connection with the activities that require processing, Personal Data are disclosed to external entities, including, in particular, suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment for video surveillance), legal service providers or accountants, couriers, marketing or recruitment agencies, and IT service providers. Data are also disclosed to the Controller's affiliates, including its capital group companies. More information about the Controller's capital group can be found HERE.

6.2. Personal data may be shared with suppliers or manufacturers of goods with whom the Controller cooperates. The Controller shall provide the Data Subject with detailed information regarding the sharing of their Personal Data at the time of entering into a contract or when the Data Subject joins promotional campaigns or other initiatives requiring such processing of Personal Data.

6.3. The Controller reserves the right to disclose selected information concerning the Data Subject to competent authorities or third parties who make a request for such information, based on the relevant legal basis and in accordance with the provisions of applicable law.

7. TRANSFERS OF DATA OUTSIDE THE EEA

7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

7.1.1. cooperation with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the assurance of an adequate level of personal data protection;

7.1.2. use of standard contractual clauses issued by the European Commission;

7.1.3. application of binding corporate rules approved by the relevant supervisory authority;

7.2. applying to transfers outside the EEA the technical and organisational measures recommended by the European Data Protection Board (position of the European Data Protection Board: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransfer0stools_en.pdf).

The Controller shall always notify about the intention to transfer Personal Data outside the EEA at the stage of collection.

8. PERIOD OF PERSONAL DATA PROCESSING

8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. The period of data processing may also result from regulations when they are the basis of processing. In the case of data processing based on the legitimate interest of the Controller (e.g., for security reasons), the data are processed for a period that allows the fulfilment of this interest or until an effective objection to the data processing is made. If processing is based on consent, the data are processed until the consent is withdrawn. When the basis for processing is necessary for the conclusion and performance of the contract, the data are processed until the contract is terminated.

8.2. The data processing period may be extended if the processing is necessary to establish or pursue claims or defend against them, and after this period - only if and to the extent required by law. After the expiration of the processing period, the data are irreversibly deleted or anonymised.

9. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

RIGHTS OF DATA SUBJECTS

9.1. Data subjects have the following rights:

9.1.1. the right to information about the processing of personal data - on this basis, the Controller provides the natural person making the request with information about the processing of data, including, in particular, the purposes and legal grounds for processing, the scope of the data held, the entities to which they are disclosed and the planned date of deletion;

9.1.2. the right to obtain a copy of the data - on this basis, the Controller provides a copy of the processed data concerning the natural person making the request;

9.1.3. the right to rectification - the Controller is obliged to remove any inconsistencies or errors in the processed personal data and complete them if they are incomplete;

9.1.4. the right to delete data - on this basis, the data subject can request the deletion of data, the processing of which is no longer necessary to carry out any of the purposes for which they were collected;

9.1.5. the right to restrict processing - if such a request is made, the Controller shall cease performing operations on personal data - except for operations consented to by the data subject - and their storage, in accordance with the retention rules adopted, or until the reasons for restricting processing cease to exist (e.g., a decision is issued by a supervisory authority authorising further processing);

9.1.6. the right to transfer data - on this basis - to the extent that the data are processed by automated means in connection with a contract concluded or consent given - the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that this data be sent to another entity, provided, however, that the technical capabilities exist in this regard both on the part of the Controller and that other entity;

9.1.7. the right to object to processing for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;

9.1.8. the right to object to other purposes of processing - the Data Subject may at any time object - for reasons related to their particular situation - to the processing of personal data that is carried out based on a legitimate interest of the Controller (e.g. for analytical or statistical purposes or reasons related to the protection of property); the objection in this regard should contain a justification;

9.1.9. the right to withdraw consent - if the data are processed based on the consent, the data subject is entitled to withdraw it at any time, which, however, does not affect the lawfulness of the processing performed before the withdrawal of consent;

9.1.10. the right to file a complaint - if the personal data processing is deemed to breach the provisions of the GDPR or other regulations concerning the protection of personal data, the data subject may file a complaint with the authority supervising the processing of personal data and having jurisdiction over the data subject's habitual place of residence, their place of work or the place where the alleged breach was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

MAKING DEMANDS RELATED TO THE EXERCISE OF RIGHTS

9.2. A request for the exercise of Data Subjects' rights can be submitted through the communication channels specified in the introduction to this Policy to individual companies (you will find information about the relevant email address and the address of the Controller's registered office above, in the link provided in the introduction to this Transparency Policy).

9.3. Failure to identify a natural person based on a submitted request will result in the Controller refusing to process the request.

9.4. The request may be made in person or through a representative (e.g., a family member). For reasons of data security, the Controller recommends the use of a power of attorney certified by a notary public or authorised legal adviser or advocate, which will significantly speed up the verification of the authenticity of the request.

9.5. A response to the request should be provided within one month of its receipt. If it is necessary to extend this time frame, the Controller shall inform the requesting party of the reasons for this action.  

9.6. If a request is addressed to the Company electronically, the response shall be provided in the same form, unless the requesting party has demanded a response in another form. In other cases, the response is given in writing. If the timing of the request makes it impossible to respond in writing, and the scope of the requesting party's data processed by the Controller allows for electronic contact, the response shall be provided electronically. If the content of the request does not require a written or electronic response, the response may be provided in the same form as the data subject's request.

RULES FOR CHARGING

9.7. The processing of submitted requests is free of charge. Fees may be charged only in the case of:

9.7.1. a request for the release of the second and each subsequent copy of the data (the first copy of the data is free of charge); in this case, the Controller may charge a fee of PLN 250. The above fee includes administrative costs for processing the request;

9.7.2. submission by the same person of excessive (e.g., extremely frequent) or explicitly unreasonable requests; in such a case, the Controller may charge a fee of PLN 250.

The above fee includes the communication costs and the costs related to taking the requested action.

9.7.3. If the decision to charge a fee is disputed, the data subject may file a complaint with the authority supervising the processing of personal data and having jurisdiction over the data subject's habitual place of residence, their place of work or the place where the alleged breach was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

10. AMENDMENTS TO THE PERSONAL DATA PROCESSING POLICY

10.1. The Policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted on 03 July 2021.