Acting pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the so-called GDPR, FABUD Wytwórnia Konstrukcji Betonowych SA informs that:

1. Data administrator:

The controller of personal data is FABUD Wytwórnia Konstrukcji Betonowych SA (ul. Wyzwolenia 2, 41-103 Siemianowice Śląskie NIP: 643-000-01-58).

2. Categories of personal data processed:

• JOB CANDIDATES:

Personal data are processed:

– in order to conclude an employment contract or at the request of the data subject before concluding an employment contract pursuant to Article 6 paragraph 1 letter b of the GDPR;

– on the basis of the consent of the job candidate pursuant to Article 6 paragraph 1 letter a of the GDPR and Article 9 paragraph 2 letter a of the GDPR, which may also include the processing of personal data for the purposes of subsequent recruitment processes.

The scope of the processed data is limited to information that is required to be provided under labor law, necessary to conclude a contract (name(s) and surname, date of birth, contact details provided by such a person, education, professional qualifications, previous employment history), as well as information provided voluntarily by the job candidate (e.g. image – photo, other contact details, personality and/or psychological tests and fluid intelligence tests, video recording of the interview).

The processing of personal data is necessary to take part in the recruitment process for work with the Administrator.

To the extent that the basis for the processing of personal data is consent, the provision of personal data is completely voluntary.

Personal data are processed during the recruitment process and after its completion until the consent to the processing of personal data is withdrawn, but no longer than for a period of one year.

Every job candidate is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectify personal data;
• under Article 17 of the GDPR, the right to request the deletion of personal data;
• under Article 18 of the GDPR, the right to request the restriction of the processing of personal data;
• under Article 20 of the GDPR, the right to transfer personal data only to the extent that personal data are processed by automated means;
• the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions of the GDPR.

In the event of processing personal data based on consent, the job candidate has the right to withdraw it, which, however, does not affect the validity of actions performed on the basis of consent in the period between its granting and withdrawal.

Due to the nature of the processing of personal data during an online recruitment interview, which is not recorded, there is no right to access the data, the right to receive a copy of the data, the right to delete the data, the right to limit the processing of the data, the right to transfer the data and the right not to be subject to automated decision-making.

The job candidate has no right to object to the processing of personal data under Article 21 of the GDPR, as the legal basis for the processing of personal data is not Article 6 paragraph 1 letter e or f of the GDPR.

• EMPLOYEES:

The scope of processed personal data includes data that must be provided under labor law, the legitimate interest of the Administrator, as well as personal data provided voluntarily by an employee.

Personal data are processed:

• on the basis of voluntary consent to the processing of personal data pursuant to Article 6(1)(a) and Article 9(2)(a) of the GDPR;
• in order to conclude an employment contract pursuant to Article 6(1)(b) of the GDPR;
• in order to fulfil the legal obligations incumbent on the Controller under Article 6 paragraph 1 letter c of the GDPR and Article 9 paragraph 2 letter b of the GDPR, in particular the obligations arising from the provisions of labour law, tax law and social security law;
• in the scope of data processed for the purpose of providing social benefits from the Company Social Benefits Fund pursuant to Article 6 paragraph 1 letter c of the GDPR and Article 9 paragraph 2 letter b of the GDPR;
• in the scope of video monitoring in order to ensure the safety of persons, protection of property, production control and ensuring confidentiality of information, which constitutes the legitimate interest of the Controller under Art. 6 sec. 1 letter f of the GDPR and Art. 22 (2) § 1 of the Labor Code ;
• in the scope of other forms of monitoring used by the Controller in order to ensure the organisation of work enabling full use of working time and proper use of work tools made available to the employee, which constitutes the Controller’s legitimate interest under Article 6 paragraph 1 letter f of the GDPR and Article 22 (3) of the Labour Code .

The processing of personal data is necessary to conclude and implement an employment relationship with the Administrator.

To the extent that the basis for the processing of personal data is consent, the provision of personal data is voluntary.

Personal data are processed during and after employment for as long as required by applicable law or until the consent to the processing of personal data is withdrawn when it constitutes the legal basis for the processing of personal data or until an objection to the processing of personal data is raised in the case of a legitimate interest.

Personal data from video monitoring are stored for no longer than 30 days, and data from other forms of monitoring are stored for the period indicated in IT procedures.

Every employee is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectify personal data;
• under Article 17 of the GDPR, the right to request the deletion of personal data;
• under Article 18 of the GDPR, the right to request the restriction of the processing of personal data;
• under Article 20 of the GDPR, the right to transfer personal data only to the extent that personal data are processed by automated means;
• the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions of the GDPR.

In the event of processing personal data based on consent, the employee has the right to withdraw it, which, however, does not affect the validity of actions performed on the basis of consent in the period between its granting and withdrawal.

Due to the nature of the processing of personal data during online conversations, there is no right to access data, the right to receive a copy of data, the right to delete data, the right to limit data processing, the right to transfer data and the right not to be subject to automated decision-making.

In the case of data processing on the basis of Article 6 paragraph 1 letter f of the GDPR, i.e. for the purpose of pursuing legitimate interests, the employee has the right to object to the processing of data.

• GUESTS:

The scope of personal data includes data necessary for identification, data recorded by monitoring and vehicle data.

Personal data are processed on the basis of Article 6 paragraph 1 letter f of the GDPR solely for the purpose of ensuring the safety of persons and protection of property, production control and ensuring the confidentiality of information, which constitutes the legitimate interest of the Controller.

Providing data is necessary – failure to provide it will result in the impossibility of identification and, consequently, entry to the Administrator’s premises.

Therefore, it is necessary to present an ID card in order to issue a pass – however, the ID card will not be photocopied, scanned or photographed.

Personal data are processed for as long as required by law to ensure the safety of persons and protect property in the scope of determining, pursuing or defending claims or until an objection to the processing of personal data is raised.

Data recorded by video surveillance is stored for a period not exceeding 30 days.

Every person is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectification;
• pursuant to Article 18 of the GDPR, the right to request that the Controller restrict the processing of personal data;
• the right to lodge a complaint with the President of the Personal Data Protection Office if it is found that the processing of personal data violates the provisions of the GDPR.

Where the legal basis for data processing is Article 6(1)(f) of the GDPR, you have the right to object to the processing of your personal data under Article 21 of the GDPR.

You are not entitled to:

• the right to request the deletion of personal data in accordance with Article 17(3)(b), (d) or (e) of the GDPR;
• the right to transfer personal data, as referred to in Article 20 of the GDPR.

Video surveillance recordings may not be corrected for technical reasons and are not subject to the right to obtain a copy if this could violate the rights and freedoms of other persons who may be included in the recording.

• CUSTOMERS and CONTRACTORS:

The scope of personal data includes identification data, contact data and data contained in publicly available registers and sources or provided by the Client/Contractor, including data of persons authorized to represent and data of proxies and data of persons designated for contact.

Personal data are processed, depending on the legal basis connecting the Parties, for the purpose of:

• concluding a contract or performing its provisions, including by using an order form and a transport order pursuant to Article 6 paragraph 1 letter b of the GDPR;
• taking action before concluding a contract, at the request of the data subject, in particular preparing an offer pursuant to Article 6 paragraph 1 letter b of the GDPR;
• fulfillment of the legal obligation in the scope of tax and accounting obligations pursuant to Article 6 paragraph 1 letter c of the GDPR;
• to pursue the legitimate interest of the Controller consisting in marketing its own goods, conducting correspondence or responding to inquiries made using the Controller’s contact details and conducting debt collection activities and handling complaints if necessary under Article 6 paragraph 1 letter f of the GDPR ;
• in the scope of data processed during the use of the ZOOM platform for the purpose of holding remote meetings, which constitutes the legitimate interest of the Controller under Article 6 paragraph 1 letter f of the GDPR.

In the event of concluding an agreement with an entrepreneur or institution, the Administrator will process the personal data of persons authorized to represent them and persons designated for contact only for purposes related to concluding and performing agreements and conducting possible complaint and debt collection activities, which constitutes the legitimate interest of the Administrator under art. 6 sec. 1 letter f of the GDPR. In such a case, personal data include identification data, contact details, position held and other data available in publicly available registers (e.g. KRS, CEIDG) or provided by the company or institution in order to conclude and perform the agreement.

Providing personal data is necessary to conclude and execute the contract, as well as to take certain actions during and after its term.

Personal data will be stored for the duration of the contract, and also:

• until the limitation period for claims expires in accordance with generally applicable legal provisions;
• in the scope of accounting and tax documentation – for a period of 5 years counted from the end of the calendar year in which the contract was terminated or expired;
• the Administrator recognises the objection as justified in the case of processing personal data solely on the basis of the legitimate interest of the Administrator.

Every person is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectify personal data;
• under Article 17 of the GDPR, the right to request the deletion of personal data;
• under Article 18 of the GDPR, the right to request the restriction of the processing of personal data;
• under Article 20 of the GDPR, the right to transfer personal data only to the extent that personal data are processed automatically and on the basis of a contract;
• the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions of the GDPR.

In the case of data processing on the basis of Article 6 paragraph 1 letter f of the GDPR, i.e. for the purpose of pursuing legitimate interests, the customer/contractor has the right to object to the processing of data.

• CONTACT/CORRESPONDENCE

data are processed for the purpose of answering questions asked via the contact form or by mail, which constitutes the legitimate interest of the Administrator under Article 6 paragraph 1 letter f of the GDPR.

Providing data is necessary to answer the question asked via the contact form or by mail.

Your personal data are processed for the period necessary for the limitation of claims to expire.

Every person is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectify personal data;
• under Article 17 of the GDPR, the right to request the deletion of personal data;
• under Article 18 of the GDPR, the right to request the restriction of the processing of personal data;
• under Article 20 of the GDPR, the right to transfer personal data only to the extent that personal data are processed by automated means and on the basis of a contract;
• the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions of the GDPR.

In the case of data processing on the basis of Article 6 paragraph 1 letter f of the GDPR, i.e. for the purpose of pursuing legitimate interests, the sender or addressee of correspondence has the right to object to the processing of data.

• SHAREHOLDERS:

The Administrator processes the following categories of personal data of shareholders or shareholders’ proxies: identification data, address data, contact data and image.

Personal data of shareholders or proxies may be processed for the following purposes:

1) organising the General Meeting and enabling the exercise of voting rights therein by authorised persons pursuant to Article 6 paragraph 1 letter c of the GDPR,

2) recording and broadcasting the proceedings of the General Meeting pursuant to Article 6 paragraph 1 letter f of the GDPR as part of promoting transparency of the Controller’s activities and equal access to decisions and discussions at the General Meeting,

3) exercising the rights and obligations of the Shareholder pursuant to Article 6 section 1 letter c of the GDPR.

Personal data of shareholders or proxies may be made available by the Administrator:

1) other shareholders in the event that they concern the shareholders of the Administrator pursuant to Article 407 § 1 and § 11 of the Commercial Companies Code,

2) the Polish Financial Supervision Authority (hereinafter referred to as the “PFSA”), pursuant to Article 70 item 2 of the Act on Public Offering and Conditions for Introducing Financial Instruments to Organized Trading, and on Public Companies,

3) the entity processing personal data on behalf of the Administrator, providing the service of handling voting at the General Meeting.

Personal data of shareholders or proxies in the form of their image recorded during the General Meeting will be made available as part of the real-time broadcast and publication of the recording on the Administrator’s website.

Authorised employees/associates of the Administrator, as well as notaries and entities providing IT, legal, courier, postal and auditing services, also have access to the data.

Personal data will be stored for the period of your status as a shareholder of FABUD WKB SA, with the proviso that the data contained in the minutes of the General Meeting and in the documents attached to the minutes (Article 421 § 2 and 3 of the Commercial Companies Code) will be stored until the end of the Administrator’s activity.

In the event of processing your data on the basis of the legitimate interest of the Controller (Article 6 paragraph 1 letter f of the GDPR), they will be stored until this interest ceases, and in particular for the time necessary to secure information in the event of a legal need to prove facts or until the expiry of the limitation period for potential claims.

Each shareholder or proxy is entitled to:

• under Article 15 of the GDPR, the right to access personal data;
• under Article 16 of the GDPR, the right to rectify personal data;
• under Article 17 of the GDPR, the right to request the deletion of personal data;
• under Article 18 of the GDPR, the right to request the restriction of the processing of personal data;
• under Article 20 of the GDPR, the right to transfer personal data only to the extent that personal data are processed by automated means and on the basis of a contract;
• the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions of the GDPR.

In the scope of personal data processed under Article 6 paragraph 1 letter f of the GDPR, the shareholder or his/her proxy has the right to object to the processing of personal data under Article 21 of the GDPR.

Due to the nature of the processing of personal data during online meetings, there is no right to receive a copy of the data, the right to delete the data, the right to limit the processing of the data, the right to transfer the data and the right not to be subject to automated decision-making.

Personal data of a shareholder or proxy may come from:

1) from the National Depository for Securities SA system in the event they concern a shareholder of the Administrator,

2) from the principal in the case of a power of attorney granted, when they concern the shareholder’s proxy.

The provision of personal data by a shareholder or proxy is necessary for the purpose specified above, to prepare and forward to the PFSA or another shareholder a list of persons entitled to participate in the General Meeting and to verify the right to participate in the General Meeting.

3. Transfer of personal data outside the European Economic Area:

Employee personal data may be transferred outside the European Economic Area only in the case of business trips. In such a case, the Administrator will ensure proper protection of personal data, in particular by signing appropriate agreements, and will also provide the possibility of obtaining a copy of the data or information about the place where the data is made available.

In cases not mentioned above, personal data are not transferred outside the European Economic Area or to international organisations.

4. Profiling:

Personal data are not used in automated decision-making processes, in particular profiling.

5. Recipients of personal data:

Personal data may be made available to state authorities in connection with proceedings conducted by them under applicable law.

In the remaining scope, access to personal data is also granted to trained and authorized employees or associates of the Administrator, including entities providing services in the field of personal and property protection, legal, advisory, IT, accounting, courier or postal, auditing, programming and insurance services.

6. Contact details of the Data Protection Officer:

If you have any questions or comments regarding the processing of personal data, in particular in order to exercise your rights, please contact the Data Protection Inspector, Mr. Tomasz Cygan, by e-mail: iod@fabudwkb.pl or by post to the Administrator’s address.