Information concerning processing of personal data for employees and persons cooperating with IdoBooking

Information on personal data processing for IdoBooking employees

  1. The controller of the Candidate's personal data is IdoBooking sp. z o. o. (also referred to as "Operator") with its registered office at 30 Piastów Avenue, 71-064 Szczecin, entered in the Register of Entrepreneurs kept by the District Court Szczecin-Centrum in Szczecin, XIII Economic Division of the National Court Register under the number 00001118562 NIP: 8522710288; REGON: 529324888; with the share capital of PLN 200,000.00. IdoBooking may be contacted by e-mail: sales@idobooking.com and by phone: +48 91 443 66 00.
  2. The Data Protection Inspector at IdoBooking is Rafał Malujda, e-mail address: gdpr- inspector@idobooking.com.

Personal data shall be processed for the purpose of establishing and performing the relationship. Personal data will be processed, in writing and in electronic systems, on the basis of:
Article 6(1)(c) and Article 9(2)(b) GDPR, i.e. where the processing is necessary for the fulfilment of a legal obligation incumbent on the employer and the processing is necessary for the fulfilment of obligations and the exercise of specific rights by the controller or the data subject in the field of labour law, social security and social protection, including in connection with the performance of obligations imposed:
Article 22(1)(1) and (3) of the Labour Code, i.e. requiring an applicant for employment and an employee to provide certain personal data;
Article 22(1c) et seq. Labour Code, i.e. performing sobriety checks on employees;
Articles 94(13) and 103(1) et seq. Labour Code, i.e. to carry out training of employees necessary to perform a certain type of work or work on a certain position, as well as to improve professional qualifications of an employee;
Articles 234 and 235 of the Labour Code in conjunction with § 7 of the Regulation of the Council of Ministers of 1 July 2009 on establishing the circumstances and causes of accidents at work, i.e. the fulfilment of duties in connection with an accident at work, in particular establishing the circumstances and causes of the accident, keeping a register of accidents at work, preparing and storing other post-accident documentation, as well as the fulfilment of the duty to recognise and report a suspected occupational disease of an employee;
Articles 1, 6 and 6a of the Act of 13 October 1998 on the social insurance system, i.e. covering employees by compulsory pension and disability insurance;
Article 6(1)(b) of the GDPR - processing is necessary for the conclusion and performance of a contract to which the data subject is a party,
Article 6(1)(f) GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller, viz:
carrying out specific surveillance of the premises of the workplace or of the area around the workplace in the form of technical measures enabling the recording of images (monitoring) based on Article 22(2) of the Labour Code,
conducting telephone call recording in order to increase security and improve the quality of the services provided, safeguarding the legal interest of the person whose personal data has been recorded in the telephone call recording system and of the Controller in the event of a legal need to prove facts, for possible defence, investigation or establishment of claims based on art. 22(3) par. 4 of the Labour Code,
to carry out checks on the performance of remote work by an employee, health and safety checks or checks on compliance with security and information protection requirements, including procedures for the protection of personal data in relation to an employee performing remote work based on Article 68(28) of the Labour Code;
Article 6(1)(a) of the GDPR, i.e. on the basis of the consent given for the purposes specified each time in the consent forms provided, in particular for the purposes of realising employee benefits declared by the employee, processing the image for promotional, advertising, information purposes, building the company's image and brand, as well as to enable the proper administration of the company's employee data.

  1. Recipients of the personal data processed by IdoBooking are IdoBooking's business partners, hosting companies, software providers, marketing agencies, online and card payment operators, accounting firms, law firms and other entities to which IdoBooking entrusts the employee's personal data or makes them available under an appropriate contract for the purpose of providing services.
  2. IdoBooking transfers personal data outside the European Economic Area - to the USA. The entity to which the data is transferred is a member of the EU-US Data Privacy Framework. By decision of the European Commission, personal data can be securely transferred from the EU to US companies participating in the aforementioned programme, without the need for additional data protection safeguards.
  3. IdoBooking providers declare that they may transfer personal data outside the European Economic Area, such as to the USA. If a country has not been recognised by the European Commission as providing an adequate level of protection for personal data, the provider implements appropriate safeguards to ensure an adequate level of data protection. These include, in particular, standard contractual clauses approved by the European Commission and binding corporate rules approved by the competent supervisory authority.
  4. The Employee's personal data will be retained for 50 years from the termination of the employment relationship, or 10 years from the end of the calendar year in which the Employee terminates his or her employment, in the case of employment after 31 December 2018 or where an information report has been filed as referred to in Article 4(6a) of the Social Security Act of 13 October 1998.

Personal data processed in the form of surveillance recordings and telephone conversations will be stored for a period not exceeding 3 months from the date of recording. Where the recordings constitute evidence in proceedings under the law or the employer has become aware that the recordings may constitute evidence in the proceedings, the term personal data will be stored until the proceedings are legally concluded.
Specific personal data (i.e. the Employee's sobriety information) will be kept for a period not exceeding one year from the date of collection; and in the case of the application of a disciplinary sanction against an employee, until the sanction is considered null and void. Where the Employee's sobriety information may constitute or constitute evidence in a proceeding conducted by state authorities and the employer is a party to that proceeding or has become aware of the filing of a lawsuit or the commencement of a proceeding, the storage period of such data shall be extended until the proceeding is legally concluded.

  1. The employee has the right to require the Controller to access, rectify, erase or restrict processing of his/her personal data, as well as the right to data portability and the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
  2. The right to data portability allows data subjects to have access to their personal data in a structured, commonly used and machine-readable format and to have it transferred to another controller without hindrance from the original controller. This right is available in situations where the legal basis for the processing is: the consent of the data subject (Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR), or

the performance of a contract to which the data subject is party (Article 6(1)(b) GDPR). Data covered by the right to portability must be processed by technical means, e.g. in IT systems. This right does not apply to data processed in paper form. This right only covers personal data that the person has provided to the controller, such as data entered during account registration, data in online forms or data collected during the use of services (e.g. purchase history, user preferences). The data subject may request that the data be transferred directly to another controller if this is technically possible. The right to data portability does not affect the rights and freedoms of others - if the rights of others could be affected by the data portability, the controller may limit the scope of the portability. The right to data portability does not extend to situations where the processing is based on a legal ground other than consent or contract, e.g. a legal obligation of the controller or a task carried out in the public interest.

  1. The Employee has the right to lodge a complaint with the supervisory authority, which is the President of the Office for the Protection of Personal Data, if the Employee considers that the processing of his/her personal data by the Controller violates the provisions on personal data protection.
  2. The provision of personal data by the Employee, as specified in the applicable regulations, is a statutory requirement and is necessary for the conclusion of the employment contract. Failure to provide the data will result in a refusal to establish an employment relationship.