- DEFINITIONS
- Data Controller – Amberstone Associates Sp. z o.o., with its registered seat in Warsaw, pl. Jana Henryka Dąbrowskiego 1, 00-057 Warsaw, entered in the Register of Entrepreneurs maintained by District Court for the Capital City. Warsaw in Warsaw, 12th Business Division of the National Court Register, under No. KRS: 0000419720, Taxpayer’s Identification Number NIP: 5252530912, REGON:146116270, initial capital paid up in full: PLN 120 000.00
- Personal Data – any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, especially by one of several special characteristics, which expresses the physical, cultural or social identity of that natural person, also including the IP of the device, location data, online identifier, information collected through cookie files and other similar technologies;
- Policy – the present Privacy Policy;
- Terms and Conditions – the Terms and Conditions of providing electronic services through websites owned by Amberstone Associates: https://amberstone.pl, https://join.amberstone.pl, https://fteam.pl, https://it-simplicity.pl, https://blueamber.com.pl
- GDPR (General Data Protection Regulation) – Regulation No. 2016/679 of the European Parliament and the Council (EU) of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Website – any of the websites maintained by the Data Controller at the addresses:https://amberstone.pl, https://join.amberstone.pl, https://fteam.pl, https://it-simplicity.pl, https://blueamber.com.pl
- User – any natural person who visits the Website or uses one or more of the services or functionalities described herein.
Capitalised terms that are not defined in this Policy shall be understood as defined in the terms and Conditions.
- DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE
- In connection with the use of the Website by the User, the Data Controller collects personal data within the scope that is necessary to provide the specific offered Services, as well as information about the User’s activity on the Website. The detailed principles and aims of processing the Personal Data collected during the use of the Website by the User are described below.
- OBJECTIVES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA ON THE WEBSITE
USING THE WEBSITE
- Personal Data of all persons who use the Website (including their IP addresses or other identifiers as well as information collected by cookie files or other similar technologies) are processed by the Data Controller:
- for the purposes of providing electronic services related to providing access to the content of the Website – in this case, the basis for processing is the fact that it is necessary for the performance of a contract (Art. 6 item 1 (b) of the GDPR);
- for analytical and statistical purposes – the legal basis for processing is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR), which consists in analysing the users’ activities and preferences in order to improve the functionalities applied and the provided services;
- in order to determine and pursue any potential claims or to defend itself against claims – the legal basis is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR, which consists in protecting its rights;
- for marketing purposes of the Data Controller and third party entities, in particular those related with presenting behavioural advertisements (the principles of personal data processing for marketing purposes are provided in the MARKETING section).
- The activity of the User on the Website, including their personal Data, is used in system logs (a special computer program that is used for storing a chronological record of information related to events and actions that refer to the IT system used by the Data Controller to provide services). The information collected in system logs is processed mainly for purposes related to the provision of services. The Data Controller processes such data also for technical and administration purposes, in order to ensure the security of the IT system and to manage the system, as well as for statistical and analytical purposes. Here, the legal basis for data processing is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR).
BUSINESS AND RECRUITMENT FORMS AND ENTRY FORMS FOR THE DATABASE OF APPLICANTS
- Personal Data of all persons who use the Business Form or Recruitment Form or the Entry Form for the Database of Applicants (including their IP addresses or other identifiers as well as information collected by cookie files or other similar technologies) are processed by the Data Controller:
- in order to provide electronic services on the terms and conditions for providing the given service (respectively, the Business Form, Recruitment Form, or the Service of Notifications about job offers) described in the Terms and Conditions. Here, the legal basis is the fact that processing is necessary for the performance of a contract (Art. 6 item 1 (b) of the GDPR);
- for analytical and statistical purposes – the legal basis for processing is the legitimate interests pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR), which consists in analysing the users’ activities and preferences in order to improve the functionalities applied and the provided services;
- in order to determine and pursue any potential claims or to defend itself against claims – the legal basis is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR, which consists in protecting its rights;
- for marketing purposes of the Data Controller and third party entities, in particular those related with presenting behavioural advertisements (the principles of personal data processing for marketing purposes are provided in the MARKETING section).
- OWN RECRUITMENT PROJECTS
- For own recruitment projects, the Data Controller expects the Users to provide Personal Data (e.g. in a CV or resume) only to the extent specified in the applicable labour law regulations. Due to that, Users should not provide a wider scope of information. If the applications contain additional data, outside the scope specified in the applicable labour law regulations, they will be processed upon the consent of the applicant (Art. 6 item 1 (a) of the GDPR. Submitting application documents by the applicant is considered as the confirmation of such consent. If the submitted applications contain information that is irrelevant for the specific purpose, i.e. recruitment, these data will not be used or considered in the recruitment process.
- personal data are processed:
- if the preferred form of employment is an employment contract – to comply with legal obligations related to the employment process, including, but not limited to, the provisions of the Labour Code. The basis for processing is the legal obligation to which the Data Controller is subject (Art. 6 item 1 (c) of the GDPR, in connection with the provisions of labour law);
- if the preferred form of employment is a civil law contract, for the purposes of the recruitment process. The basis for processing the data contained in the application documents is the need to take to take steps at the request of the data subject prior to entering into a contract (Art. 6 item 1 (b) of the GDPR);
- in order to conduct the recruitment process with respect to data that are not required by the low nor by the Data Controller, as well as for the purposes of future recruitment processes. The basis for processing is the consent (Art. 6 item 1 (a) of the GDPR);
- for the purposes of future recruitment processes, subject to the consent of the applicant to process the data for this purpose. The legal basis for processing is the consent of the applicant (Art. 6 item 1 (a) of the GDPR);
- in order to verify the skills and qualifications of the applicant and to define the terms of cooperation. The legal basis for processing is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR).Here, the legitimate interest pursued by the Data Controller is the verification of applicants and the determination of the conditions of potential cooperation.
- in order to identify and pursue any potential claims or to defend the Data Controller against any claims against it. The legal basis for data processing is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR).
- To the extent, to which the Personal Data are processed based on a granted consent, the data subject may withdraw the consent at any time, provided that such withdrawal shall not affect the legal compliance of data processing performed before the consent was withdrawn.
- Providing personal data within the scope specified in Art. 22 (1) of the Polish Labour Code is required by the law, including, but not limited to, the provisions of the Labour Code if the applicant prefers employment based on an employment contract. If the applicant prefers employment based on a civil law contract, providing such data is required by the Data Controller. If the applicant fails to provide these data, their application shall not be considered in the recruitment process. Providing other data is optional.
- MARKETING
- The Data Controller may process the Personal Data of Users for marketing purposes, which may include:
- displaying advertising content that does not match the User’s preferences (contextual advertising),
- displaying marketing content that matches the User’s preferences (behavioural advertising).
- The Data Controller may sometimes use profiling for the purposes of conducting marketing activities. This means that the Data Controller uses automated processing of personal data to analyse or predict certain aspects concerning the behaviour of the Users. This allows to better match the displayed content to the individual preferences and interests of the User.
- The Data Controller and its trusted partners process the Personal Data of Users, including Personal Data collected by using cookie files and other similar technologies for marketing purposes, i.e. in order to address behavioural advertisements (advertisements that match the User’s preferences ) to the User. In such cases, the processing of Personal Data also includes profiling Users.
- The Data Controller may process the Personal Data of Users for marketing purposes, which may include:
- SOCIAL MEDIA
- The Data Controller processes the Personal Data of users who visit its profiles maintained on social media (Facebook, LinkedIn). These data are processed only for the purposes of maintaining the profiles, including to inform the Users about the activities of the Data Controller and to promote various types of events, products, and services. The legal basis for the processing of Personal Data for these purposes is the legitimate interest pursued by the Data Controller (Art. 6 item 1 (f) of the GDPR), which consists in promoting its brand.
- COOKIE FILES AND SIMILAR TECHNOLOGIES
- The Data Controller uses cookies mainly in order to provide services electronically for Users and to improve the quality of these services. Due to that, the Data Controller and third party entities that provide analytical and statistical services for the Data Controller use cookies to store information or to obtain access to information that is already stored in a telecommunication terminal device of the User (computer, phone, tablet, etc.). Cookie files on the Website are not used to identify Users. This Privacy Policy regulates the data processing related to using own cookies.
- Cookies are small text files that are installed on the device of the User while browsing the Website. Cookies gather information that facilitates the use of a website, e.g. by remembering the User’s visits to the Website and the actions performed by the User during these visits.
ESSENTIAL COOKIES
- The Data Controller uses essential cookies mainly in order to provide the services and functionalities of the Website that the Users want to use. Essential cookies may only be installed by the Data Controller through the Website.
- The legal basis for the processing of Personal Data in connection with the use of essential cookies is the fact that it is necessary for the performance of a contract (Art. 6 item 1 (b) of the GDPR).
FUNCTIONAL/ANALYTICAL COOKIES
- Functional cookies are used to record the User’s preferences. e.g. regarding the preferred language versions, and to adjust the Website accordingly. Functional cookies may be installed by the Data Controller and its business partners through the Website.
- Analytical cookies enable obtaining such information as the number of visits and sources of traffic on the Website. They are used to determine which pages are more and less popular and to understand how Users navigate the webpage by means of carrying out statistical analyses of traffic on the Website. Data are processed in order to improve the performance of the Website. Information collected by these cookies is aggregated, so that their aim is not to identify the User. Functional cookies may be installed by the Data Controller and its business partners through the Website.
- The legal basis for the processing of Personal Data in connection with the use of functional and analytical cookies by the Data Controller for these purposes is the consent (Art. 6, item 1 (a) of the GDPR).
- The processing of Personal Data in connection with the use of functional and analytical cookies is subject to the consent of the User for the use of functional and analytical cookies (granted separately) through the platform for granting such consent. Such consent may be withdrawn at any time through that platform.
COMMERCIAL COOKIES
- Commercial cookies allow to adjust the displayed advertising content to the interests of the Users within the Website and outside it.The information obtained from these cookies and the User’s activity on other websites constitutes the basis for creating a profile of the User’s interests. Commercial cookies may be installed by the Data Controller and its partners through our Website.
- The legal basis for the processing of Personal Data in connection with the use of commercial cookies by the Data Controller for these purposes is the consent (Art. 6, item 1 (a) of the GDPR).
- The processing of Personal Data in connection with the use of commercial cookies is subject to the consent of the User granted through the consent management platform. Such consent may be withdrawn at any time through that platform.
- ANALYTICAL AND MARKETING TOOLS USED BY THE PARTNERS OF THE DATA CONTROLLER
- The Data Controller and its Partners use various types of solutions and tools for analytical and marketing purposes. The main information about these tools is provided below. Detailed information is available in the Privacy Policy of the relevant partner.
GOOGLE ANALYTICS
- Google Analytics cookies are files used by the Google Company to analyse the way in which the User uses the Website, to generate reports and statistical data concerning the functioning of the Website. Google does not use the collected data to identify Users nor does it combine this information to enable identification. Detailed information about the scope and principles of data collection related to this service is available at: https://www.google.com/intl/pl/policies/privacy/partners.
FACEBOOK PIXEL
- The Facebook Pixel is a tool that enables measuring the efficiency of advertising campaigns conducted by the Data Controller on Facebook. The tool enables advanced data analysis in order to optimise the activities of the Data Controller, also with use of other tools offered by Facebook. Detailed information about personal data processing by Facebook is available at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
- MANAGING COOKIE SETTINGS
- The use of cookies to collect data, including obtaining access to data stored on the device of the User, requires obtaining the consent of the User. On the Website, the Data Controller receives such consent through the platform for managing cookies. The consent may be withdrawn at any time on the terms and conditions specified in item 9.4 below.
- Consent is not required only for those cookies that must be used in order to provide telecommunications services (transmission of data in order to display content). Users who wish to use the Website cannot refuse consent for the use of such cookies.
- In order to receive advertising content that matches the User’s preferences, apart from granting consent for the installation of cookies through the cookie management platform, it is necessary to save the relevant browser settings that allow to store cookies from the Website on the end device of the User.
- The Users may withdraw their consent for the collection of cookies on the Website through the cookie consent management platform. The user may return to the banner by clicking on the button “Manage your cookies” or a button of a similar content that is located in the footer of each page of the Website.
- After the banner is displayed, the User may withdraw consent by clicking on the “COOKIE SETTINGS” button. Then move the slider next to the selected category of cookies and click on the “SAVE SETTINGS”
- The User may also withdraw consent by changing the browser settings. detailed information for specific browsers may be found at the links below:
- Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
- Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
- Opera: http://help.opera.com/Windows/12.10/pl/cookie.html/
- Safari: https://support.apple.com/kb/PH5042?locale=en-GB.
- The User may verify the status of their current cookie settings for the browser with use of the tools available at the following links:
- In order to exercise the rights to access, rectify, erase, restrict processing, transfer or to object against data processing, to file a complaint or to ask a different question related to cookies, the User should send an inquiry to the contact address of the Data Controller provided herein.
- PERIOD OF PERSONAL DATA PROCESSING
- The period of processing personal data by the Data Controller depends on the type of the service provided and the purpose of processing. In general, data are processed for period of providing the service, until the User withdraws the consent or files an effective objection against data processing in cases, when the legal basis for data processing is the legitimate interest pursued by the Data Controller.
- Personal Data obtained by the Data Controller for the purposes of own recruitment processes will be processed for the duration of the recruitment process for which they were obtained and for 3 months after the end of the process. However, data that are processed based on the consent granted by the User will be processed until such consent is withdrawn, however not longer than for 3 months after the date of closing the recruitment process. If the User granted consent for personal data processing for the purposes of future recruitment processes, the data will be processed until such consent is withdrawn, however not longer than for 2 years after the date of submitting the application.
- The period of data processing may be extended if it is necessary in order to determine and pursue any potential claims or to defend against any claims. After that time, they may be processed only in cases and to the extent that is required by the applicable laws. After the expiry of the period of processing the data are erased irreversibly or anonymised.
- RIGHTS OF DATA SUBJECTS
- Data subjects have the following rights:
- the right to information about the processing of their personal data– based on this right, the Data Controller shall provide a natural person who files a request the information about data processing, including, but not limited to the purposes and legal basis for processing, the scope of data possessed, the entities to which the data are disclosed and the planned time of erasure;
- the right to obtain a copy of the data – the Data Controller shall present the natural person who files the request with a copy of the processed data;
- the right to rectification – the Data Controller shall remove any potential discrepancies or errors in the processed Personal Data and to complete the incomplete data;
- the right to erasure – based on this right, the data subject may demand to erase the data whose processing is no longer necessary for any of the purposes for which they were collected;
- the right to restrict processing – if such request is filed, the Data Controller shall desist from performing any operations on the Personal Data, with the exception of the operations to which the data subject has expressed consent, and from storing such data, in compliance with the adopted retention principles or until the expiration of the reasons from the restriction of data processing (e.g. when the supervision authority issues a decision that allows further processing of data);
- the right to data portability –to the extent to which the data are processed automatically in connection with a concluded agreement or granted consent, the Data Controller shall provide the data received from the data subject in a structured, commonly used and machine-readable format. The data subject shall also have the right to have the personal data transmitted directly from one controller to another, however only where technically feasible both on part of the Data Controller and on part of the specified entity.
- the right to object against personal data processing for marketing purposes – if applicable, the data subject may at any time object to the processing of their Personal Data for marketing purposes, without the need to justify the objection;
- the right to object against personal data processing for other purposes – The data subject may at any time object – due to their specific situation – against the processing of their Personal Data that is based on the legitimate interest pursued by the Data Controller (e.g. for purposes related to property protection). Such objection should, however, be justified;
- the right to withdraw consent: if the data are processed based on the consent, the data subject may withdraw such consent at any time, which, however, does not affect the legal compliance of any processing done before the withdrawal;
- the right to file a complaint: if the data subject considers that their personal data are processed in violation of the provisions of the GDPR or other legal regulations on the protection of personal data, the data subject may file a complaint to the competent supervision authority for the main place of residence of the data subject, their workplace or the place where the alleged violation occurred. In Poland, the competent supervision authority is the President of the Personal Data Protection Office.
- Data subjects have the following rights:
- SUBMITTING REQUESTS CONCERNING THE EXERCISING OF RIGHTS
- Any requests concerning the exercising of rights by Data Subjects may be submitted:
- in written form to the address of the Data Controller;
- electronically to the e-mail address: dataprotection@amberstone.pl
- The request should, if possible, contain the demand, by specifying, in particular:
- the right that the person submitting the request wishes to exercise (e.g. the right to receive a copy of their data, the right to erase data, etc.);
- the element of processing that the request refers to (e.g. the use of a specific service, the activity on a specific website, etc.);
- the purposes of processing to which the request refers (e.g. purposes related to providing services, etc.).
- If the Data Controller is unable to identify the natural person based on the submitted request, it shall ask the person submitting the request to provide additional information. The requesting person is not obliged to provide such data, but if they are not provided, the request will be rejected.
- Such requests may be submitted in person or through an authorised representative (e.g. a family member). Due to the need to protect data security, the Data Controller recommends using powers of attorney certified by a notary public or an authorised legal counsel or attorney at law. Such requests will be verified more quickly.
- The response to the request should be provided within one month after receipt. If it is necessary to prolong this period, the Data Controller will inform the requesting party about the reasons for such extension.
- Answers to requests submitted in electronic form will be given in the same format, unless the requesting party demanded to receive the answer in a different form. In other cases, answers are provided in writing. If it is impossible to respond in written form due to the period for fulfilling the demand, and the scope of data provided by the requesting party enables electronic correspondence, the answer will be provided in electronic form.
- Any requests concerning the exercising of rights by Data Subjects may be submitted:
- DATA RECIPIENTS
- In connection with the provision of Services, Personal Data will be disclosed to third parties, including, but not limited to providers responsible for the operation of IT systems, marketing agencies (for the purposes of providing marketing services) and associated entities of the Data Controller, including companies from the same capital group.
- The Data Controller reserves the right to disclose certain information related to the User to competent authorities or to third parties that submit a demand for disclosure of such data with the relevant legal basis and in compliance with binding legal regulations.
- TRANSFER OF DATA TO THIRD COUNTRIES
- The level of personal data protection outside the European Economic Area (EEA) is different from that guaranteed under EU law. Due to that, Data Controller shall transfer Personal Data to third countries only if the appropriate safeguards are provided, in particular by means of:
- cooperation with in the countries for which the European Commission has decided that the given third country ensures an adequate level of protection (detailed information is available here):
- the application of standard contractual clauses approved by the European Commission; together with the required additional safeguards they ensure the same level of Personal Data protection as that of the European Union. Sample contracts are available here:
- the application of binding corporate rules approved by the competent supervision authority.
- The Data Controller shall always notify the Users about its intent to transfer Personal Data to third countries at the stage of collecting data.
- The level of personal data protection outside the European Economic Area (EEA) is different from that guaranteed under EU law. Due to that, Data Controller shall transfer Personal Data to third countries only if the appropriate safeguards are provided, in particular by means of:
- SECURITY OF PERSONAL DATA
- The Data Controller conducts risk analyses on an ongoing basis in order to ensure that the Personal Data are processed in a secure way, first of all to ensure that only authorised persons may access the data and that the access is limited to the extent necessary due to the performed tasks. The Data Controller ensures that all operations performed on Personal Data are recorded and performed only by duly authorised employees and associates.
- The Data Controller shall take all measures to ensure that its subcontractors and business partners guarantee that appropriate safeguards are applied each time when Personal Data are processed upon the order of the Data Controller.
- CONTACT DATA
- The Data Controller may be contacted by e-mail at: dataprotection@amberstone.plor by mail at the address: Amberstone Associates
z o.o. Warsaw, pl. Jana Henryka Dąbrowskiego 1, 00-057 Warsaw.
- The Data Controller may be contacted by e-mail at: dataprotection@amberstone.plor by mail at the address: Amberstone Associates
- MODIFICATIONS OF THE PRIVACY POLICY
- This Privacy Policy is regularly verified and updated when necessary.
- The current version of the Privacy Policy was adopted and became effective on the 27.09.2022.