Privacy

Legal Information and Personal Data Protection


Preamble
The protection of the personal data of employees, job applicants, customers, contractors, suppliers and other cooperating persons is of particular importance to the SWIETELSKY companies. Therefore, personal data are processed in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), as well as national regulations concerning personal data protection and electronic communications.
The terms used in this policy shall be understood in accordance with the definitions set out in Article 4 of the GDPR.

 
1. Scope of Application
Subject-matter scope
This Privacy Policy sets out the rules for the processing of personal data by the SWIETELSKY companies indicated below, in particular in connection with the use of the website, business contact, contract performance, recruitment processes and business cooperation.

 
Personal scope
This Policy applies to the personal data of:

  • employees,
  • job applicants,
  • customers,
  • contractors,
  • suppliers,
  • business partners,
  • website users,
  • other persons contacting the SWIETELSKY companies.

Temporal scope
This Privacy Policy applies from the date of its publication on the website and constitutes the minimum standard of personal data protection applied by the companies indicated herein.

 2. Principles of Data Processing
Personal data are processed in accordance with the following principles:

Lawfulness, fairness and transparency
Data are processed lawfully, fairly and transparently in relation to the data subject.

 Purpose limitation
Data are collected only for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.

Data minimisation
We process only such data as are adequate, relevant and necessary for the relevant purpose.

Accuracy
We make every effort to ensure that the data are accurate, complete and up to date.

Storage limitation
We store data no longer than necessary for the purpose of processing and to comply with legal obligations.

 Integrity and confidentiality
Personal data are protected against unauthorised access, loss, destruction, disclosure or unlawful alteration by means of appropriate technical and organisational measures.

3. Data security

Protecting the confidentiality, integrity and availability of data is one of the basic obligations of the SWIETELSKY companies. This applies both to personal data and to trade secrets, customer information and other confidential information.
For this purpose, appropriate technical and organisational measures have been implemented and are continuously developed in line with market best practices and internal security procedures.

 
4. Data Confidentiality
Persons authorised to process personal data, including employees, associates and entities acting on behalf of the SWIETELSKY companies, are obliged to maintain confidentiality and are regularly trained in the secure processing of data.

 5. Continuous Improvement
The SWIETELSKY companies attach great importance to the quality of their processes and their continuous improvement. This also includes regular assessments of compliance with personal data protection regulations and of the effectiveness of the security measures applied.

 I. Information Required Pursuant to Article 13 GDPR
1. Purpose of this Policy
The purpose of this Privacy Policy is to inform website visitors and other data subjects about:

how personal data are processed,
the scope and purposes of processing,
the legal bases for processing,
data recipients,
the rights to which they are entitled.
 
2. Controllers of Personal Data
Depending on the matter concerned, the controllers of personal data are respectively:

 1) Swietelsky Rail Polska Sp. z o.o.
Wielicka 250, 30-663 Kraków
Tax ID (NIP): 677 001 20 48
REGON: 003914858
BDO No.: 000125851
National Court Register (KRS) No.: 0000100179
District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register
Legal form: limited liability company

 2) SWIETELSKY Spółka z ograniczoną odpowiedzialnością
Jana Pawła II 17, 20-535 Lublin, Poland
Tax ID (NIP): 9441932714
REGON: 357135640
National Court Register (KRS) No.: 0000056239
District Court Lublin-Wschód in Lublin with its seat in Świdnik
Division: 6th Commercial Division of the National Court Register
Legal form: limited liability company

Depending on which company is concerned by the contact, form, recruitment process, contract or business relationship, the relevant company acts as the controller of the data. If, in a specific scope, both companies jointly determine the purposes and means of processing personal data, they may act as joint controllers.

 3. Contact Regarding Data Protection
For matters concerning personal data protection, you may contact the controller at the following e-mail addresses:
krakow@swietelsky.com.pl
centrala@swietelsky.pl

If a Data Protection Officer has been appointed within the organisational structure, their contact details will be provided separately on the website or in the information addressed to the data subject.

 4. Legal Bases for Data Processing
Personal data are processed solely on one or more of the following legal bases:

Article 6(1)(a) GDPR – consent of the data subject,
Article 6(1)(b) GDPR – necessity for entering into or performing a contract,
Article 6(1)(c) GDPR – compliance with a legal obligation to which the controller is subject,
Article 6(1)(f) GDPR – the legitimate interests pursued by the controller.
 
In the case of special categories of personal data, processing may also be based on:

Article 9(2)(a) GDPR – explicit consent,
Article 9(2)(b) GDPR – carrying out obligations and exercising specific rights in the field of employment, social security and social protection law.
 
II. Purposes, Scope and Legal Bases of Data Processing
1. Data of Business Partners, Customers, Suppliers and Contractors
Personal data of contact persons, representatives of contractors, customers, suppliers and business partners are processed for the purpose of:

  • preparing offers,
  • conducting negotiations,
  • entering into and performing contracts,
    managing business cooperation,
  • fulfilling tax, accounting and legal obligations,
  • establishing, pursuing or defending legal claims.

Legal basis

Article 6(1)(b) GDPR,
Article 6(1)(c) GDPR,
Article 6(1)(f) GDPR.
 
Retention period
Data are stored for the duration of the contract and subsequently for the period required by law or until the expiry of limitation periods for claims.

 
2. Contact with the Controller
If you contact us by telephone, e-mail, contact form or in any other way, the personal data provided will be processed for the purpose of:

  • responding to your inquiry,
  • handling your request,
  • taking steps prior to entering into a contract,
  • further communication related to the matter raised.

Legal basis
Article 6(1)(b) GDPR – where the contact concerns entering into or performing a contract,
Article 6(1)(f) GDPR – the legitimate interest of the controller consisting in handling correspondence and communication.
 
Retention period
Data will be stored until the matter has been finally resolved, and thereafter for the period necessary to secure any potential claims, as a rule no longer than 3 years from the last contact, unless legal provisions require a longer retention period.

 3. Recruitment
If a job application is submitted, the controller processes the personal data of candidates for the purpose of conducting the recruitment process.

 
Scope of data
The data processed may include the information contained in the CV, cover letter, recruitment form or other documents submitted by the candidate.

  • Legal basis
    Article 6(1)(b) GDPR – taking steps prior to entering into a contract,
    Article 6(1)(c) GDPR – obligations arising from labour law,
    Article 6(1)(a) GDPR – consent, if the candidate provides additional data not required by law,
    Article 9(2)(a) GDPR – explicit consent, in the case of voluntary provision of special category data,
    Article 9(2)(b) GDPR – if the processing of such data is necessary to fulfil obligations arising from labour law.
    Sharing data within Swietelsky Group
    If recruitment is conducted within the capital group or for the needs of several SWIETELSKY companies, data may be transferred to relevant group entities solely to the extent necessary for carrying out the recruitment process or administering employment.

Retention period
-data processed for the purpose of the current recruitment process – for the duration of the recruitment process and for up to 6 months after its completion in order to defend against potential claims,
-data processed for the purpose of future recruitment processes – until consent is withdrawn, but no longer than for the period indicated in the consent clause or internal recruitment rules.
 
4. Server Logs and Access Data
For technical reasons, in particular in order to ensure the security and proper functioning of the website, technical data transmitted by the user’s browser are processed automatically.
This may include in particular:

  • IP address,
  • date and time of the request,
  • referrer URL,
  • browser type and version,
  • operating system,
  • visited subpages,
  • amount of data transferred,
  • host name of the end device.

 Purpose of processing
ensuring website security,
detecting and preventing abuse,
diagnosing technical errors,
administering the website.
 
Legal basis
Article 6(1)(f) GDPR – the legitimate interest of the controller consisting in ensuring the security and stability of the website.

 Retention period
Server logs are stored for no longer than necessary to achieve the purpose, as a rule for up to 120 days, unless a longer retention period is necessary for evidentiary purposes or to clarify a security incident.

 III. Data Recipients and Data Transfers
1. Data Recipients
Personal data may be transferred only to authorised recipients, in particular:

  • entities within the SWIETELSKY group,
  • providers of IT, hosting, e-mail and technical support services,
  • subcontractors, suppliers and partners cooperating in the performance of services or contracts,
  • law firms, tax advisers, auditors and statutory auditors,
  • insurance companies,
  • banks and financial institutions,
  • accounting and HR service providers,
  • public administration authorities, courts and other institutions authorised under the law.

 The controller does not sell personal data to third parties or disclose them for marketing purposes without a legal basis.

2. Disclosure of Personal Data to Third Parties
Personal data may be disclosed to third parties only if:

  • the data subject has given consent,
  • this is necessary to perform a contract or to take steps prior to entering into a contract,
  • the controller is obliged to do so under the law,
  • this is necessary to protect the legitimate interests of the controller, including the establishment,
  • pursuit or defence of legal claims.
     
    3. Transfers of Data Outside the EEA
    As a rule, data are processed within the European Economic Area (EEA). However, if, in connection with the use of specific services or technological tools, data are transferred outside the EEA, such transfer takes place solely in accordance with applicable law, in particular on the basis of:
  • a European Commission adequacy decision,
  • standard contractual clauses,
  • other appropriate safeguards provided for by the GDPR.
     
    When using services of providers such as Google or social media operators, data may be transferred to third countries, in particular to the United States, under the rules specified by those providers and in accordance with the mechanisms legalising such data transfers.

 IV. Rights of Data Subjects
The data subject has the following rights:

the right of access to data – Article 15 GDPR,
the right to rectification – Article 16 GDPR,
the right to erasure – Article 17 GDPR,
the right to restriction of processing – Article 18 GDPR,
the right to data portability – Article 20 GDPR,
the right to object to processing – Article 21 GDPR,
the right to withdraw consent at any time – Article 7(3) GDPR,
the right to lodge a complaint with a supervisory authority – Article 77 GDPR.
 
To exercise your rights, you may contact the controller at the e-mail address indicated in this policy. The controller may request additional information necessary to confirm the identity of the person submitting the request.

Right to lodge a complaint
If you believe that the processing of your personal data violates the law, you have the right to lodge a complaint with the supervisory authority.
In Poland, the supervisory authority is:

President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warsaw
www.uodo.gov.pl

 V. Cookies
Our website uses cookies and similar technologies to ensure its proper operation, improve functionality, analyse traffic and, depending on the user’s settings, carry out marketing activities.

 1. What are cookies
Cookies are small text files stored on the user’s device when using the website. They make it possible to recognise the user’s device and display the website accordingly.

 2. Types of cookies used
Depending on their purpose, the following categories of cookies may be used:

necessary cookies – ensure the proper operation of the website and its basic functions,
analytical or statistical cookies – help us understand how users use the website,
marketing cookies – make it possible to tailor advertising content,
functional cookies – remember user preferences.
 
3. Legal basis
necessary cookies – Article 6(1)(f) GDPR and the legal provisions applicable to electronic communications, to the extent permitted without consent,
analytical, functional and marketing cookies – Article 6(1)(a) GDPR, i.e. the user’s consent.
 
4. Managing cookies
The user may at any time:

change cookie settings via the cookie banner,
withdraw the consent given,
change browser settings,
delete stored cookies.
 
Restricting the use of cookies may affect certain functions of the website.

 VI. Google Tools
The following provisions apply only if a given tool is actually used on the website.

 1. Google Analytics
The website may use Google Analytics, an analytics tool provided by Google, which helps analyse how the website is used.
Google Analytics may collect, among other things, information about:

duration of visits,
visited subpages,
source of traffic,
the user’s device and browser,
anonymised IP address.
 
Legal basis
The processing of data within Google Analytics is carried out solely on the basis of the user’s consent, i.e. Article 6(1)(a) GDPR.

 Additional information
If IP anonymisation is enabled on the website, the user’s IP address is shortened before further processing. Detailed information can be found in Google’s Privacy Policy.

 2. Google Tag Manager
The website may use Google Tag Manager, which is used to manage tags and scripts implemented on the website. As a rule, Google Tag Manager itself does not store users’ personal data, but it enables the operation of other tools that may process such data in accordance with the consents granted.

 3. Google Maps
The website may use Google Maps in order to present locations. Loading the map may result in the transfer of user data to Google, including the IP address and information about the use of the website.

 Legal basis
If the map is loaded from Google’s external servers only after acceptance, the legal basis for processing is the user’s consent – Article 6(1)(a) GDPR.

 VII. Social Media and Third-Party Tools
The website may contain links, plug-ins or embedded content from social media services or other external providers, such as LinkedIn, Facebook, YouTube or Instagram.
Using these functions may involve the transfer of data to the operators of these platforms. The controller recommends reviewing the privacy policies of these providers.
If the controller maintains profiles on social media, the data of users visiting these profiles may also be processed by the operators of those services under the rules set out in their own terms and privacy policies. In certain cases, the controller and the platform operator may act as joint controllers with regard to statistical data related to users’ activity.

 VIII. SSL and TLS Encryption
In order to ensure the security of transmitted data, the controller uses up-to-date technical solutions, including encrypted connections using the SSL/TLS protocol. An encrypted connection can be recognised by the “https://” symbol in the browser’s address bar.

 IX. Changes to the Privacy Policy
The controller reserves the right to introduce changes to this Privacy Policy, in particular in the event of:

changes in legal regulations,
technological changes,
organisational changes,
implementation of new website services or functionalities.
 
The current version of the Privacy Policy is always published on the website.

 Legal Information – Company Registration Details
Swietelsky Rail Polska Sp. z o.o.
Wielicka 250, 30-663 Kraków
Tax ID (NIP): 677 001 20 48
REGON: 003914858
BDO No.: 000125851
National Court Register (KRS) No.: 0000100179
District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register
Legal form: limited liability company

 
“SWIETELSKY” Spółka z ograniczoną odpowiedzialnością
Jana Pawła II 17, 20-535 Lublin, Poland
Tax ID (NIP): 9441932714
REGON: 357135640
National Court Register (KRS) No.: 0000056239
District Court Lublin-Wschód in Lublin with its seat in Świdnik
Division: 6th Commercial Division of the National Court Register
Legal form: limited liability company