Personal data protection policy of Velvet CARE sp.z o.o.

This document, entitled “Personal Data Protection Policy,” hereinafter referred to as the Policy, governs the rules for the processing of personal data by the company under the business name of Velvet CARE sp. z o.o., with its registered office in Klucze, Klucze-Osada 3, 32-310 Klucze, hereinafter referred to as Velvet CARE.

This Policy is a personal data processing policy within the meaning of the Regulation of the European Parliament and of the Council (UE) 2016/679 of 27 April 2016 on the protection of natural persons as regards personal data processing and free movement of such data and repealing the Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.

§ 1. DEFINITIONS.

1. Policy – this “Personal Data Protection Policy”, in force as of 25 May 2018;
2. Velvet CARE – the company under the business name of Velvet CARE sp. z o.o., with its registered office in Klucze, KluczeO sada 3, 32-310 Klucze;
3. GDPR – the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons as regards personal data processing, on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation);
4. Controller – Velvet CARE sp. z o.o., with its registered office in Klucze, Klucze-Osada 3, 32-310 Klucze;
5. Employee – a person employed at Velvet CARE under an employment agreement,
6. Customer – a natural or legal person related to Velvet CARE under a civil law agreement governing mutual rights and responsibilities of the parties within a specific scope,
7. Guest – a natural person who is not an Employee, entering the premises of the facility
   in Klucze,
8. personal data – information on an identified or identifiable natural person; the identifiable natural person can be directly or indirectly identified, especially based on such identifiers as the full name, identification no., data on location, Internet identifier or special factor(s) to determine the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person;
9. processing – an operation or set of operations performed on personal data or personal data sets whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
10. data set – a structured set of personal data accessible pursuant to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
11. processor – a natural or legal person, public authority, unit or another entity processing personal data on behalf of Velvet CARE;
12. recipient – a natural or legal person, public authority, unit or another entity with whom/which personal data is shared;
13. consent – a freely given, specific, informed and unambiguous indication, in the form of a declaration or clear affirmative action, of the data subject’s consent to the processing of their personal data;
14. personal data protection breach – an infringement of security leading to an accidental or illegal destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed.

§ 2. PERSONAL DATA PROTECTION AT VELVET CARE..

1. The Controller of the personal data the subjects of which are Employees, Customers and Guests, in other words the entity specifying the purposes and methods of personal data processing, is Velvet CARE.
2. You may contact the Controller within the scope of personal data processing in the following manners:
   1) by registered mail delivered to the address of Velvet CARE sp. z o.o., Klucze-Osada 3, 32-310 Klucze,
   2) by e-mail delivered to the address: dane.osobowe@velvetcare.pl.
3. For the fulfilment of the overriding objective, which is the respect of the privacy of data subjects, Velvet CARE ascertains that it exercises due diligence so that the personal data of such individuals is properly secured against unauthorised interference or access of third parties.
4. Velvet CARE has acquired the Employees’ personal data based on the applicable legal provisions, especially under Art. 221 (1) and (2) of the Labour Code.
5. As regards a specific Employee, Velvet CARE processes their personal data upon entering the Employment Agreement with the Employee.
6. Within the scope related to the processing of personal data, Velvet CARE applies the following rules:
   1) lawfulness – Velvet CARE processes personal data according to generally applicable law,
   2) purposefulness – Velvet CARE processes personal data only for the explicit and legitimate purpose,
   3) security – Velvet CARE ensures the application of sufficient technical and organisational measures, which guarantee the high level of security of such personal data, through the regular performance of control activities within this scope,
   4) respect for the individual’s rights – Velvet CARE allows its Employees to exercise their rights specified in generally applicable legal provisions and exercises such rights;
   5) adequacy – Velvet CARE assures that it processes only such personal data as may be necessary for the fulfilment of the purpose for which it is collected;
   6) substantive correctness – at the Employee’s request, Velvet CARE updates or corrects personal data subject to processing throughout the statutory period;
   7) limitation of personal data storage – Velvet CARE stores the personal data of its former Employees only for the period necessary pursuant to generally applicable legal provisions;
   8) transparency – Velvet CARE declares full readiness and availability for raising the consciousness among its Employees as regards all risks, rules, protection measures and rights related to personal data processing, and for showing its Employees all methods in which they can exercise their rights due to such personal data processing by Velvet CARE;
   9) accountability – Velvet CARE is sufficiently prepared to demonstrate at any moment that it complies with the aforementioned rules of personal data processing.
7. Velvet CARE processes personal data especially for the following purposes:
   1) in relation to its Employees – for the purposes related to their employment and, at the express request of a specific Employee, for other purposes, such as for instance:
   a) deduction on behalf of the Employee of the contribution due to the membership in the trade union from the remuneration to which the specific Employee is entitled,
   b) when the specific Employee benefits from the Employee Savings and Loan Association,
   c) when the specific Employee benefits from the Company Social Benefits Fund,
   d) when the specific Employee participates in an incentive scheme for employees recommending candidates for work at Velvet CARE
   e) when the specific Employee benefits from additional services provided by third parties, such as insurance, medical care, use of sports and recreational facilities, etc.;
   2) in relation to its Customers – for purposes related to the proper performance of agreements executed by Velvet CARE with such Customers;
   3) in relation to its Guests – for purposes related to ensuring the sufficient level of security of people and property on the premises of the facility based in Klucze.
8. Velvet CARE stores personal data for periods determined on the basis of the following criteria:
   1) in relation to its Employees or former Employees – for periods throughout which Velvet CARE is obliged to store the personal data of its former Employees pursuant to generally applicable legal provisions;
   2) in relation to its Customers and former Customers – for the term of the agreement executed with a specific Customer or so, until the satisfaction of all claims to which Velvet CARE is entitled from the Customers or former Customers or until such claims are barred by statute of limitations;
   3) in relation to its Guests – until the satisfaction by the Guests of all potential claims to which Velvet CARE may be entitled from the Guests (e.g. when the Guest causes damage to Velvet CARE) or until such claims are barred by statute of limitations;
   4) in relation to such individuals who consented to the processing of their personal data – until the effective withdrawal of the consent or when the purpose for which such data is processed expires.
9. Velvet CARE processes personal data only in such cases where at least one of the premises mentioned below occurs:
   1) data subject consents to it,
   2) it is necessary for the performance of the agreement executed by Velvet CARE with the data subject,
   3) it is necessary for Velvet CARE to fulfil the legal obligation imposed on Velvet CARE,
   4) it is necessary for the protection of vital interests of the data subject,
   5) it is necessary for purposes stemming from legally justified interests of Velvet CARE or third party.
10. Velvet CARE may disclose personal data which it processes, at the same time acting as the controller, to third parties only when it is justified due to the original purpose of such data processing, and when it is requisite due to the contents of agreements executed by Velvet CARE with such third parties. Personal data may especially be disclosed by Velvet CARE on behalf of the following categories of recipients:
    1) entities with equity, personal or organisational links to Velvet CARE,
    2) third parties providing counselling services on behalf of Velvet CARE, for instance auditing, consulting or law companies,
    3) insurance companies,
    4) companies leasing passenger cars to be used by Employees,
    5) third parties providing services directly on behalf of Employees, such as medical care, use of sports and recreational facilities, etc.,
    6) advertising and marketing agencies – only in relation to the personal data of natural persons who are not the Employees and who consented to receive from Velvet CARE commercial information related to Velvet CARE products and promotional, advertising or marketing activities carried out by Velvet CARE.
11. Velvet CARE does not intend to send the personal data it processes to third countries or international organisations.
12. Velvet CARE and its trusted advertising partners process the personal data, including personal data collected through the use of cookies and other similar technologies for marketing purposes in connection with presenting persons whose personal data will be processed with targeted behavioural advertising, i.e. advertisements adjusted to preferences of the person whose personal data will be processed. Actions of Velvet CARE may also consist in display of advertisements to persons who have visited Velvet CARE services on other websites and social networks. Personal data processing is performed based on legitimate interests of Velvet CARE, in connection with the consent provided by the person whose personal data will beprocessed to sending information and access to it on their terminal equipment (the so-called cookie consent).
13. Velvet CARE does not intend to process personal data based on automated decision-making, including personal data profiling.

§ 3. RIGHTS OF DATA SUBJECTS.

1. Velvet CARE ascertains that it fully respects and undertakes to exercise all the rights related to or arising from GDPR, to which all data subjects are entitled within the framework of Velvet CARE’s processing of such data. These especially include the following rights:
   1) right to access personal data, including the right to obtain the copy of such data;
   2) right to demand that personal data be rectified (corrected) – in each and every case when such data is incorrect or incomplete;
   3) right to demand that personal data be erased (referred to as “right to be forgotten”) – in each and every case when:
   a) such data is necessary for purposes for which it has been collected or otherwise processed,
   b) data subject objected to the processing of their personal data,
   c) data subject withdrew the consent under which the processing is based and there is no legal basis for the processing,
   d) data is processed unlawfully,
   e) data must be erased in order to fulfil the obligation stemming from legal provisions,
   4) right to demand that the processing of personal data be restricted when:
   a) data subject questions the correctness of their personal data,
   b) data processing is unlawful, and the data subject objects to the erasure of their data, demanding its limitation instead,
   c) controller no longer needs the data for processing, but the data subject needs it to establish, defend against or assert claims,
   d) data subject lodged an objection against data processing – until determined whether the legally justified basis on the part of the controller overrides the objection basis,
   5) right to personal data portability – when the processing is under the agreement executed with the data subject or consent expressed by such a person,
   6) right to object to the processing of personal data, when causes arise related to the special situation of the data subject.
2. The data subject has the right to withdraw the consent within the scope within which it was given for Velvet CARE to process their personal data. The withdrawal of the consent does not affect the lawfulness of the prior processing of such personal data by Velvet CARE.
3. If acknowledged that Velvet CARE’s processing of personal data violates the GDPR provisions, each and every data subject has the right to lodge a complaint with the proper supervisory authority.

§ 4. FINAL PROVISIONS

1. This Policy should also be construed as Velvet CARE’s fulfilment of the information obligation towards data subjects, as specified in Art. 13 GDPR.
2. This policy is available:
   1) at the registered office of Velvet CARE, tj. address: Klucze-Osada 3, 32-310 Klucze;
   2) at the office of Velvet CARE in Warszawa, address: ul. Złota 59, 00-120 Warszawa;
   3) at Velvet CARE website, i.e. www.velvetcare.com, www.velvet.pl
3. This Policy enters into force on 25 May 2018.