Information clause for Contractors

The Personal Data Administrator’s information clause for Contractors

1. Malwina Jurczyk conducting business activity under the company "BK TURISMO MALWINA JURCZYK" with its headquarters at the address Wrocław 86/2 Mrągowska Street, 54-111, Wrocław post office, entered in the Central Register and Information on Economic Activity, Tax Identification Number: 6731840516, National Business Registry Number: 361397503 is the Personal Data Administrator (hereinafter referred to as the Administrator) of her contractors with whom she has concluded cooperation Agreements (B2B), hereinafter referred to collectively as the Contractors.
2. Respecting the rights of the Contractors as personal data subjects (data subjects) and respecting the laws in force, including in particular the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (the General Data Protection Regulation) hereinafter referred to as the GDPR, the Act of 10 May 2018 on protection of personal data (Journal of Laws 2018.1000) hereinafter referred to as the Act, the Act of 10 May 2018 on protection of personal data (Journal of Laws 2018.1000) hereinafter referred to as the Act, and other relevant regulations on personal data protection, the Administrator is committed to maintain the security and confidentiality of the personal data obtained from the Contractors. All employees have been professionally trained in the processing of personal data, and the Personal Data Administrator implemented appropriate safeguards and also technical and organizational measures to ensure the highest level of personal data protection. The Administrator have procedures and Personal Data Protection Policies in accordance with the GDPR and the Act, which ensure the lawfulness and reliability of data processing, as well as the enforceability of any rights the Contractors may have as data subjects. Additionally, if necessary, the Administrator cooperates with the supervisory authority in the Republic of Poland, which is the President of the Personal Data Protection Office (hereinafter referred to as UODO).
3. The Contractors' personal data are processed by the Administrator to perform the agreements between the Administrator and the Contractors. In accordance with the principle of minimization expressed in the GDPR regulations, the Administrator processes only those categories of personal data which are necessary to achieve the purposes referred to in the preceding sentence.
4. The provision of personal data is voluntary but necessary for the conclusion and execution of the agreements concluded by the Administrator with the Contractors.
5. The Administrator shall process personal data for the period necessary to achieve the objectives set out in point 3 above considering the legally justified interest of the Administrator referred to in point 7 letter b above. Personal data may be processed for a longer period than indicated in the preceding sentence, if such an entitlement or obligation imposed on the Administrator results from specific provisions of law or from the Administrator's legally justified interest referred to in point 7 letter c, below (for the limitation period for claims or the completion of relevant proceedings, if they have been initiated during limitation period).
6. The sources of personal data processed by the Administrator are Contractors who are the data subjects. The Administrator may also process the data of her Contractors’ employees on the basis of the access, if the agreement concluded with the Contractor requires the necessity to act through them.
7. The legal basis for processing Contractors’ personal data is:
   a) Article 6(1)(b) GDPR – necessity for the performance of an Agreement concluded between the Administrator and the Contractor or in order to take steps at the request of the data subject prior to entering into an Agreement, or
   b) Article 6(1)(c) GDPR - necessity for compliance with a legal obligation to which the Administrator is subject, or
   c) Article 6(1)(f) GDPR - the legitimate interest of the Administrator to establish, pursue or defend claims for their limitation period or until the relevant proceedings, if any, have been instituted within that period, or
   d) Article 6(1)(a) GDPR – Contractors’ consent to the processing of personal data for specific purposes when other laws for processing personal data do not apply.
8. Contractors’ personal data are not transferred to a third country or an international organization within the meaning of the rules of GDPR. When personal data are transferred to a third country or an international organization, Contractors will be informed in advance and the Administrator will apply safeguards referred to in Chapter V of the GDPR.
9. The Administrator does not make any personal data available to third parties without the explicit consent of the data subject. Personal data without the data subject’s consent may be disclosed only to public law bodies, which are authorities and administrative authorities (e. g. tax authorities, law enforcement agencies and other entities with a mandate under common law, such as the Polish Social Insurance Institution or the Inland Revenue).
10. Personal data may be entrusted for processing to Entities processing such data on behalf of the Administrator. In such a situation, the Administrator concludes an agreement with the Entity to entrust the processing of personal data. The Entity processing the entrusted personal data shall process the entrusted data but only for the needs to the extent and for the purposes indicated in the entrustment agreement referred to in the preceding sentence. Without entrusting personal data for processing, the Administrator could not conduct her business activity and execute concluded agreements. The Administrator entrusts personal data of the Contractors’ to:
    a) IT companies providing hosting services, operating Internet domains and handling computer systems used by the Administrator,
    b) companies providing postal, courier and transport services to the Administrator – in order to deliver correspondence,
    c) companies providing other services to the Administrator, which are necessary for the Administrator's current operations.
11. The personal data of the Contractors are not subject to profiling by the Administrator within the meaning of the provisions of the GDPR.
12. According to the provisions of the GDPR, the Contractors have the right to:
    a) be informed about the processing of personal data referred to in Article 12 GDPR,
    b) to access their personal data, referred to in Article 15 GDPR,
    c) to correct, supplement, update, rectify personal data referred to in Article 16 GDPR,
    d) the erasure of data (right to be forgotten), as referred to in Article 17 GDPR,
    e) restrictions of processing referred to in Article 18 GDPR,
    f) the data portability referred to in Article 20 GDPR,
    g) to object to the processing of personal data as referred to in Article 21 GDPR,
    h) in the case of the legal basis referred to in point 7 letter d above - the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
    i) not to be subject to the profiling referred to in Article 22 in conjunction with Article 4 point 4 GDPR,
    j) lodge a complaint with a supervisory authority (to the President of the Personal Data Protection Office), referred to in Article 77 GDPR,
    considering the rules of using and realizing these rights under the GDPR regulations.
13. If the Contractors wish to exercise their rights referred to in the previous point, please send a message by e-mail or in writing to the e-mail address or correspondence address referred to in point 14 below.
14. All inquiries, requests and complaints concerning the processing of personal data by the Administrator, hereinafter referred to as Applications, should be sent to Administrator’s e-mail address info@bkturismo.com in accordance with headquarters of the company.
15. The content of the Application must clearly indicate:
    a) the person(s) concerned by the Application,
    b) the event that is the reason for the Application,
    c) your demands and the legal basis for those demands,
    d) the expected way the matter will be handled.
16. Each identified case of breach of security is documented and in the event of one of the situations specified in regulations of GDPR or the Act, the data subjects are informed about such a breach of regulations of personal data protection and, if applicable, UODO.