FULFILLMENT OF GDPR INFORMATION OBLIGATION BY TRANSLAND TSL SP.Z O.O. SPK IN CHORZÓW, Katowicka 162e
CHAPTER 1
GENERAL INTRODUCTION FOR ALL PROCESSED PERSONAL DATA
Transland TSL Sp.z o.o. Spk in Chorzów, Katowicka 162e, hereinafter referred to as TRANSLAND, informs that it is the data controller of employees, clients, contractors, and other individuals cooperating or contacting TRANSLAND.
What does the term Administrator mean? Administrator is an entity that independently or jointly with others determines the purposes and means of processing personal data.
What does the term processing mean? It means: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. These may be all activities performed or one of them. Without possessing personal data and carrying out processing activities on this data, it is not possible to conduct business, as every company has contact with individuals’ data.
Every data subject has the right to request access to their personal data from TRANSLAND, their copying, correction if they are incorrect, deletion if it is lawful or processed based on consent, transfer if the data is processed based on consent or contract, restriction of processing if there is an ongoing dispute or the right to object to their processing if they are processed based on the legitimate interest of the Administrator.
Every data subject has the right to exercise the above rights at the seat of TRANSLAND (address as above) from 9.00 to 15.00 or by email to: dorota.kokoszka@translandtsl.pl
Personal data is processed based on Art. 6(1) of the European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR).
What does the mentioned Art. 6(1) mean? It means the permissible basis for their processing (consent, contract, legal obligation, vital interests, or legitimate interests of the Administrator).
What does legitimate interest of the Administrator mean? It means a situation in which the Administrator needs personal data for its activities, but processing them in no way violates the rights and freedoms of individuals.
Personal data is processed outside the European Economic Area (EEA) only in explicitly specified cases below in this information, they are not processed in an automated manner, i.e., without human involvement, and they are not profiled, which means TRANSLAND does not assess certain personal factors of the individual to perform any analyses, except for situations clearly described below.
TRANSLAND informs about the right to lodge a complaint with the Office for Personal Data Protection in Warsaw, ul. Stawki 2, in case of finding that the processing of this data is not in accordance with the applicable national and European law.
Contact person for data protection at TRANSLAND: dorota.kokoszka@translandtsl.pl TRANSLAND has not appointed a Data Protection Officer.
Below are presented groups of personal data, scope, purpose, and duration of their processing by the Administrator, as well as indicated possible recipients of personal data and optionally information on automation, profiling, or transfer outside the EEA. Recipients are understood as persons or entities other than the Administrator himself, his employees, or the data subjects themselves.
CHAPTER 2
EMPLOYEES
Personal data of TRANSLAND employees, including representatives of the Company’s Bodies, employees on civil-law contracts or other cooperation based on agreements:
- In the scope of employment contracts or other civil-law contracts, data are processed to fulfill the provisions of the contract based on Article 6(1)(b) of the GDPR.
- In the scope of fulfilling obligations arising from legal provisions (Labor Code and related acts, PPK, insurance services, accounting, customs, regulations related to the delegation of employees, judicial, control, regulatory, etc.), including financial settlements with employees based on concluded employment contracts or civil-law contracts, as well as data resulting from the Commercial Companies Code regarding the Company’s Management and Supervisory Bodies, are processed based on Article 6(1)(c) of the GDPR.
- Special category data may only be processed based on Article 9(2)(b) of the GDPR, and their processing is always possible based on the voluntary consent of the employee according to Article 9(2)(a) of the GDPR (e.g., Employee Welfare and Social Benefits Fund, if the employee voluntarily provides excessive documentation containing such data, it indicates consent, considering it beneficial, and TRANSLAND does not require such data to make decisions).
- In the scope of fulfilling legal provisions related to anti-corruption activities, including protecting whistleblowers or reporting any irregularities, as well as combating discrimination, harassment, and bullying, personal data are processed based on Article 6(1)(c) of the GDPR.
- In the scope of additional data, such as contact details for employees or other data for which the employee or the Company’s Bodies (e.g., detailed information about a person, containing more than required by law) have separately consented, data are processed based on Article 6(1)(a) of the GDPR.
- In the scope of data for notification in case of workplace accidents or other random situations, personal data are processed based on Article 6(1)(f) of the GDPR.
- In the scope of monitoring company vehicles, data are processed based on Article 6(1)(f) of the GDPR to ensure work organization allowing full utilization of working time and proper use of tools provided to employees, for a period of 3 months from the end of the month in which the monitoring was registered.
- In the scope of testing employees’ sobriety, personal data of a special category are processed according to the rules specified in the Work Regulations to ensure the protection of employees’ lives and health or the protection of property, based on legal provisions, i.e., Article 6(1)(c) of the GDPR, and Article 9(2)(b) of the GDPR concerning special category data in connection with Article 221c of the Labor Code. In case of alcohol use or intoxication, the employer keeps the sobriety test information in the employee’s personal files for a period not exceeding one year from the date of collection, and in the event of a penalty imposed according to Article 113 of the Labor Code.
The scope of processed personal data arises solely from legal provisions or internal regulations imposing legal obligations on the Administrator or from a legitimate interest, from the content and scope of civil-law contracts, and in other cases, it arises from the content of consent. Contact details for accident reporting are processed in the legitimate interest of the Administrator and the employee, provided voluntarily by the employee, and the contact person has the right to object to the processing of their personal data.
Data from vehicle monitoring are processed in an automated manner, and GPS data are collected. In this case, the right to object also applies, as well as the right to request a decision involving human intervention if the decision affects the data subject’s legal rights or significantly affects them in a similar manner. These are ordinary data.
Providing data for employment is a statutory requirement, and failure to provide it prevents full-time employment or signing a civil-law contract. Regarding other personal data processed based on consent or legitimate interest, it is possible to request the deletion of this data without affecting the employees’ employment status or to object (as above).
Recipients of personal data: entities authorized to obtain them according to legal provisions, and entities to which data transfer will be necessary to perform contracts binding these entities with TRANSLAND, e.g., advisory or auditing firms, IT and GPS service providers, video surveillance service providers, legal service providers, training companies, banks, insurers, stores for issuing VAT invoices, WhatsApp Ireland Limited, Microsoft (Europe), Booking.com B.V., and other justified entities, including entities regarding the execution of contracts and economic events in which a TRANSLAND employee acts as a contact person or as a person performing tasks based on economic relations. Additionally, with the employee’s consent or in cases where performing a specific function requires it, data may be publicly disclosed on the TRANSLAND website. Data of the Company’s Bodies are also provided to the National Court Register (KRS) and are publicly available.
Personal data will be processed for a maximum of 50 years as required by law from the termination of employment or for a shorter period according to applicable legal provisions, depending on the date of employment and the type of data (employees hired from January 1, 2019, on an employment contract for a maximum period of 10 years from the termination of employment).
CHAPTER 3
EMPLOYEE CAPITAL PLANS (PPK)
Personal data of employees will also be processed based on Article 6(1)(c) of the GDPR in connection with the implementation of the Act of October 4, 2018, on Employee Capital Plans (Journal of Laws of 2018, item 2215).
The scope of personal data of the aforementioned individuals includes: first name(s), last name, residential address, correspondence address, telephone number, email address, PESEL number, or date of birth for individuals without a PESEL number, series and number of identity card or passport, or other document confirming identity for individuals without Polish citizenship. For individuals not participating in PPK, TRANSLAND will process data found in the resignation declaration.
Recipients of the aforementioned personal data may include: state supervisory authorities, external IT service providers supporting TRANSLAND, and the selected financial institution managing PPK funds, namely UNIQA Emerytura Specialized Open Investment Fund managed by UNIQA Towarzystwo Funduszy Inwestycyjnych SA.
The data will be processed for the duration of employment and for 10 years from the end of the calendar year in which the employment relationship was terminated or expired, unless separate regulations provide for a longer period of retention.
CHAPTER 4
FAMILY MEMBERS OF EMPLOYEES OR PERSONS DESIGNATED FOR ACCIDENT NOTIFICATION
Personal data of the aforementioned groups of individuals are processed for purposes related to providing social benefits, allowances, or confirming additional days off for employees and are processed based on Article 6(1)(c) of the GDPR. The data have been obtained from a family member of an employee employed at TRANSLAND or a retiree/pensioner at TRANSLAND. The scope of processed personal data arises solely from legal provisions or internal regulations (e.g., Social Benefits Fund Regulations).
In the case of persons designated for accident notification in the event of a workplace accident or other random situation, data are processed based on Article 6(1)(f) of the GDPR. The data have been obtained from a family member of an employee at TRANSLAND and include their first name, last name, and contact phone number.
Failure to provide data to receive social benefits, allowances, additional days off, or for accident notification prevents the fulfillment of the mentioned entitlements to employees. In the case of data for the contact person in the event of an accident, they have the right to object to the processing of data at any time.
Recipients of personal data are solely defined in legal provisions (see information obligation towards employees) or internal regulations (e.g., Social Benefits Fund Regulations).
Personal data will be processed for a maximum of 50 years from the termination of employment at TRANSLAND or for a shorter period, for newly hired employees since January 1, 2019, for 10 years from the termination of employment, in accordance with legal provisions.
By providing data of other individuals to TRANSLAND, the employee undertakes to fulfill, on behalf of TRANSLAND, the information obligation towards these individuals by referring to the provisions on this website.
CHAPTER 5
JOB APPLICANTS
Personal data of job applicants are processed at TRANSLAND for purposes related to employment:
- In the scope of recruitment process implementation, data are processed based on Article 6(1)(c) of the GDPR, or additional data provided with voluntary consent based on Article 6(1)(a) of the GDPR.
- In case of additionally expressing voluntary consent for the realization of future processes unknown on the date of submission of recruitment documents, data are processed based on Article 6(1)(a) of the GDPR – meaning consent must be given.
The scope of processed personal data arises solely from legal provisions, including Article 22`1 paragraph 1 of the Labour Code (Journal of Laws of 1974 No. 24, item 141 of June 26, 1974, as amended).
Providing data as mentioned in the above legal provision is voluntary but necessary to participate in the recruitment process (Article 6(1)(c) of the GDPR). Providing any additional data based on Article 22`1a of the Labour Code (Journal of Laws of 1974 No. 24, item 141 of June 26, 1974, as amended) constitutes a completely voluntary expression of consent to their processing (Article 6(1)(a) of the GDPR) and does not affect the possibility of participating in the recruitment (it will not be the basis for unfavorable treatment of the candidate and will not constitute a reason for refusal of employment). The consent also applies to cover letters and other additional documents submitted by the job applicant.
Recipients of personal data are solely defined in legal provisions or may include IT companies, HR consulting firms (including job portal pracuj.pl), and law firms.
Personal data mentioned in the recruitment point are collected for the purpose of implementing the recruitment process and will be processed for a period of 1 month from the end of the recruitment procedure.
Personal data collected based on consent will be processed for a period of one year – counting from the date of receipt of the document with data or until the consent is withdrawn. Withdrawal of consent does not affect their processing prior to the withdrawal of consent.
CHAPTER 6
CLIENTS AND CONTRACTORS
Personal data of TRANSLAND’s clients or contractors are processed for the following purposes:
- Business cooperation, mainly involving the provision of transportation services or the purchase/sale of goods and services under the concluded sales or other contracts, orders, or business transactions based on Article 6(1)(b) of the GDPR.
- Fulfillment of obligations arising from legal provisions (including tax purposes, accounting, claims enforcement, market protection, supervision of financial flows, anti-corruption regulations, customs regulations) data are processed based on Article 6(1)(c) of the GDPR.
- Debt collection and legal assistance, as well as for evidential purposes arising from legal provisions requiring TRANSLAND to exercise due diligence, data are processed based on Article 6(1)(f) of the GDPR.
- Direct marketing of own services, personal data are processed based on Article 6(1)(f) of the GDPR.
- Data are also collected from the form on the website HTTPS://www.translandtsl.com based on voluntary consent (Article 6(1)(a) of the GDPR).
The scope of processed personal data includes: name, surname, client/contractor name, address, contact details (phone, email), including the name and surname of contact persons for contract implementation, data regarding the product or service, extracts from the CEIDG register, KRS, VIES, tax identification number (NIP), REGON, or other data arising from legal provisions or internal regulations, e.g., documents confirming professional qualifications of the contractor or their employees, references, as well as economic and financial data related to existing or planned business cooperation, etc.
Data are obtained from various publicly available sources, including transport exchanges, or directly from data owners.
Recipients of personal data are defined by legal provisions, including customs offices, and also include companies operating IT systems, advisory firms, legal services, banks, insurance companies, debt collection companies, marketing firms, companies providing auxiliary products or services, including foreign transport, logistics, and forwarding companies, WhatsApp Ireland Limited, Microsoft (Europe).
Data may be transferred outside the European Economic Area (EEA), where an adequate level of protection has not been established. In such cases, an analysis in accordance with the GDPR is applied, and appropriate procedures in compliance with legal provisions are established, including procedures based on Article 49(1)(b) or Article 49(1)(c) of the GDPR.
Providing data for cooperation is necessary for the execution of the sales or other contract and failure to provide them prevents its execution, invoice issuance, or pursuit of any claims.
Personal data will be processed for a maximum period of 10 years, counted from the end of the year in which the business transaction took place, but not less than 6 years from the last business event confirmed by an invoice or from the end of the contract duration.
CHAPTER 7
PERSONS PARTICIPATING IN CONTRACT EXECUTION
Personal data of individuals participating in the execution of contracts, obtained from the other Party to the contract, are processed for the purpose related to the conclusion and execution of the concluded contract, and the data are processed based on Article 6(1)(b) of the GDPR. Data may also be processed based on Article 6(1)(f) of the GDPR if there is a legitimate interest, including, for example, claims or debt collection proceedings.
The scope of data depends on the role performed during the execution of the contract and includes ordinary category data: name, surname, identity confirmation, contact details, and possibly professional qualifications. Data of employees of the other Party to the contract performing the contract are obtained from representatives of the other Party to the contract.
In the case of compliance with anti-corruption regulations, including those related to whistleblowers, as well as based on other industry-specific legal provisions, personal data will be processed based on Article 6(1)(c).
Providing personal data of persons signing and executing the contract is a condition for concluding the contract and a legal requirement to fulfill legal obligations, as well as a condition for its proper execution. Failure to provide personal data prevents the conclusion or proper execution of the contract.
Any processing of personal data outside the EEA may result solely from the execution of a specific contract outside the EEA, about which the other Party to the contract is informed. Otherwise, data are not transferred outside the EEA.
Recipients of the above personal data and the duration of their processing are specified in Chapter 6.
CHAPTER 8
SUPPLIERS AND RECIPIENTS OF GOODS – DRIVERS OF FOREIGN COMPANIES AND EMPLOYEES EMPLOYED AT TRANSLAND AS DRIVERS
Personal data of individuals authorized to deliver or receive goods are processed based on Article 6(1)(f) of the GDPR for purposes arising from TRANSLAND’s legitimate needs, i.e., ensuring the delivery of goods to the authorized person or picking up goods from the authorized person, determining transportation details, handling current and emergency matters during the provision of transportation services.
Personal data of authorized persons, employees of foreign transport companies, are obtained from TRANSLAND’s clients or from freight forwarding or logistics companies or from Internet portals, mainly from transport exchanges, and include ordinary category data (name, surname, phone contact, or other type of contact, vehicle registration number, driver’s identity document number). In the case of foreigners, the data catalog may be broader, depending on the requirements of the supplier or recipient of goods.
It is assumed that the data of individuals participating in transportation services obtained from another company or, for example, from a transport exchange are business data, and if they are private data, the owner’s consent to their further transfer to another recipient has been obtained. TRANSLAND does not have the ability to verify this fact on a transport exchange or based on the received email for a specific order.
Any processing of personal data outside the EEA may result solely from the execution of a specific contract outside the EEA, about which the other Party to the contract is informed and aware of the applicable legal provisions in international transport. By agreeing to travel outside the EEA as a driver, the person agrees to this by concluding an employment contract or civil law contract specifying the scope of duties as a driver working for a transport company.
The principles of processing personal data of drivers of foreign companies are also described in Chapter 7.
Regarding drivers employed full-time at TRANSLAND, the same rules apply as for the source of data acquisition – employee data (see Chapter 2 regarding employees).
Personal data of full-time drivers are additionally transferred outside the EEA, in connection with delegations-accommodations, through known and verified Internet portals, mainly booking.com.
Personal data of full-time drivers using TRANSLAND’s fleet will always be transferred to public authorities in the country or outside the borders, including outside the EEA, in the event of an accident/traffic collision or if the driver violates the law, or if TRANSLAND receives a penalty notice requiring the identification of the driver, their address, and other data resulting from legally binding forms. This is based on national or international legal provisions, and data transfer in such a situation falls within the concept of sharing based on Article 6(1)(c) of the GDPR and does not require consent. In the event that TRANSLAND receives a penalty notice, it will first contact the driver to confirm the situation, and if the driver confirms or TRANSLAND is certain about the fact of driving by that specific driver, the data will be provided to the public authorities requesting this information.
Recipients of the above personal data and the duration of their processing are specified in the preceding chapters.
CHAPTER 9
MARKETING
Personal data of TRANSLAND’s clients or contractors are also processed based on Article 6(1)(a) of the GDPR for the purpose of maintaining constant contact with the client, providing marketing services to the client, or delivering requested commercial information to the client. In this case, the client’s or contractor’s consent must be obtained, which can also be revoked at any time, and failure to express consent prevents TRANSLAND from making marketing contacts other than direct marketing of its own services. In the case of direct marketing, personal data of clients or contractors are processed based on Article 6(1)(f), and the client may object to their processing.
Recipients of personal data of TRANSLAND’s clients or contractors may include IT service providers, marketing companies, couriers, etc. The data will be processed until 10 years after the last contact or until consent is revoked or objection is lodged. Revoking consent or lodging an objection does not affect their processing prior to the revocation of consent or objection.
CHAPTER 10
E-MAIL AND TELEINFORMATION CONTACT
Personal data is also processed by TRANSLAND based on Article 6(1)(f) of the GDPR for the purpose of fulfilling the legitimate interest of the Administrator, which is contact.
In the case of e-mail, e-mail addresses, sender/recipient’s name, surname, or company name, as well as message content containing personal data, are processed.
In the case of a company phone, the name, surname, or company name, phone number, as well as text message content, are processed.
Providing data is necessary for quick contact, and failure to provide it limits contact to traditional methods such as mail or courier.
Personal data has been obtained from various sources and includes ordinary data, namely:
– Directly from you, which we consider as expressing consent by performing a specific activity or signing consent for teleinformation contact.
– From public websites, employers, or other entities cooperating with TRANSLAND (categories: ordinary data, email address, phone number, name or company name, address).
The above data are not shared with anyone without the person’s consent, unless it concerns a private phone or email for which consent has been given, unless sharing is required to handle matters in the legitimate interest of the Administrator and the data owner. It is assumed that data of individuals participating in transportation services obtained from another company or, for example, from a transport exchange, are business data, and if they are private data, the owner’s consent for their further transfer has been obtained. TRANSLAND does not have the ability to verify this fact on a transport exchange or based on the received email for a specific order.
Regarding technical correspondence support, data are provided to Poczta Polska, couriers, hosting service providers, and telecommunication operators.
Personal data related to email will be provided to other recipients for further transmission of mail on a specific topic within a larger group of people and to hosting service providers.
The above data are processed until a claim for removal of the email address or phone number is received, but not longer than 10 years from the end of the calendar year in which 10 years have elapsed since the last contact.
CHAPTER 11
DAY-TO-DAY BUSINESS OPERATIONS
Personal data is also processed in TRANSLAND for purposes related to the day-to-day operation of the company based on Article 6(1)(f), such as in address books, registers, postal books, etc.
The scope of processed personal data arises from the current needs of the Administrator or internal regulations. Providing data is necessary for the execution of business cooperation, and failure to provide it would hinder the execution of a specific business event.
Recipients of personal data are defined in internal procedures, and they also include companies servicing IT systems. Personal data will be processed for 10 years from the date of the last contact or entry.
CHAPTER 12
VIDEO MONITORING
The purpose of collecting personal data through video monitoring is:
– Ensuring the safety of employees
– Protection of property
which constitutes the legally justified interest of the Administrator, and personal data are processed based on Article 6(1)(f) of the GDPR.
Starting work at TRANSLAND or entering TRANSLAND’s premises is equivalent to the processing of personal data in video form. Images are collected without sound.
Data will not be transferred to third parties except for external IT support/conservation companies or persons participating in an incident related solely to the situations described in the Video Monitoring Regulations regarding the purpose of video monitoring, if these individuals request it for evidentiary purposes and have appropriate justification.
Additionally, recipients may include law enforcement agencies and courts, along with law firms or advisory firms.
Personal data will be processed according to the technological capabilities of the video monitoring system, but not longer than 90 days. In the event of a security incident, they will be processed until its resolution.
Further information on the functioning of video monitoring is available in the Video Monitoring Regulations available at the company’s headquarters and on the website HTTPS://www.translandtsl.com, and it also constitutes an attachment to the Work Regulations.