Data protection declaration
Herkules sp. z o.o. attaches great importance to the protection of your personal data and other information obtained by us in connection with the use of our websites. Your data is collected, processed and used only in accordance with the following rules and in accordance with the applicable provisions of law, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter “GDPR”).
This document contains information about what data is collected through our website and how it is processed and used. We also describe technical and organizational measures we take to protect your data.
A. Data controller and service provider
The controller of data related to the operation of this website and the service provider is
Herkules Sp. z o.o. (hereinafter “Herkules”)
ul. Św. Walentego 44
Phone +48 61 29 28 400
represented by the Managing Director: Marek Cygan.
B. Personal data
Personal data means any information concerning an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
C. The scope of data collected and the manner of using the data
I. Visits to the site
When visiting our website you are not required to provide any personal data. We only collect and process data that your web browser sends to us automatically. These include:
- Date and time of your visit to the site,
- Type of your browser,
- Settings of your browser and
- IP address from which you connect to our site.
An IP address is a number assigned by the Internet service provider to the computer of the person who visits our site. The IP number allows you to access the Internet. In most cases, it is assigned dynamically to the computer, i.e. it changes every time you connect to the Internet, and therefore it is commonly regarded as non-personal identifying information. Linking that information to a specific natural person is very difficult. However, according to the provisions of the GDPR, it is considered a type of personal data.
We use the data provided by browsers to ensure the technical possibility to access our website; we also use it for statistical purposes and for the purpose of improving the functioning and appearance of our website.
They are mostly “session cookies”: after completing a session of the browser or turning off the computer, the information saved is removed from the device’s memory. The mechanism of session cookies does not allow the collection of any personal data nor any confidential information from the Customers’ computers.
Some cookies generate information that enables automatic recognition of people visiting our website. This is possible because the cookies contain your IP address. Information obtained that way allows us to optimize our offer and to facilitate your access to our website. “Persistent cookies” are stored in the memory of your device and remain there until they are deleted or expire. The mechanism of persistent cookies also does not allow the collection of any personal data nor any confidential information from the Customers’ computers.
Your browser has an option that allows you to restrict or disable the access of cookies to your computer. If you use this option, you will still be able to use the website; however, not all functionalities of the website may be available.
D. Data recipient
Data collected by Herkules may be made available to Herkules personnel and to the entities that process data at the request of Herkules. They include hosting services providers and the entities providing systems for the website traffic analysis.
E. Legal basis and rights of data subjects
The legal basis for the processing of the above-described data is the legitimate interest of the data controller, pursuant to Art. 6 letter f) of GDPR, which consists in improving the functionality of our websites.
You have the right to object to the processing of your personal data at any time – for reasons related to your particular situation.
You have the right to access data and request correction of incorrect data. In case of questioning the correctness of the data being processed, you may demand to limit the processing of such data – for a period sufficient to check the correctness of that data. Once the data are no longer needed for the purposes for which they were collected or processed, you can request their removal or restriction of their processing (if they are needed to establish, assert or defend claims). If the processing is found to be unlawful, you can request the restriction of processing or the removal of data. If you believe that the processing of your personal data will violate the provisions of GDPR, you will have the right to lodge a complaint with the supervisory body – the President of the Office for Personal Data Protection.
This document applies to the use of the Herkules website only. It does not apply to websites of other service providers which might be referenced on our website. We are not responsible for the actions of other entities which are not related to our website.
Date of the latest change: 1 July 2018
Rules for the processing of personal data in the company Herkules sp. z o.o. with its registered office in Jastrowo
Herkules Sp. z o.o. with its registered office in Jastrowo (hereinafter referred to as “Herkules” or “Controller”) collects and processes personal data of various categories of persons in the course of its business activities. The purpose of this document is to provide information about the scope, purpose and legal grounds for the processing of such data, the period for which they are processed and potential recipients of the data as well as to indicate the rights of data subjects.
Personal data are processed in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter “GDPR”).
II. Controller contact information
Herkules sp. z o.o.
Jastrowo ul. Św. Walentego 44
Telephone: +48 61 29 28 400
The controller is represented by the member of the Management Board: Marek Cygan.
III. Categories of people whose data are processed
Herkules processes personal data concerning, in particular, the following categories of people:
1) job candidates,
2) employees and former employees,
3) temporary staff,
4) persons to be notified in the event of an employee’s accident,
5) persons being customers, suppliers or contractors of Herkules,
6) persons being the employees of Herkules’ customers and contractors,
7) persons within the range of the video surveillance system.
IV. Purpose, period and legal basis for the processing of personal data
1. Data of job candidates
Personal data provided in the recruitment application are processed in order to carry out the recruitment process as part of which the application was submitted. The data are processed until that process ends, but no longer than 6 months from the date of sending in the recruitment application.
Separate consent must be provided to allow the use of personal data also for future recruitment purposes. In such a case, the data will also be processed for purposes related to recruitment processes conducted by Herkules in the future, but for a period not longer than 6 months from the date of sending in the application.
Personal data including name, surname, date of birth, address of residence (for correspondence), education and the course of previous employment are processed on the basis of Art. 221 of the Labor Code. It is obligatory to provide those data. Failure to provide them may constitute the reason for not considering the application in the recruitment process.
Providing other data is voluntary and their processing may take place on the basis of a separate consent. In the absence of additional information or in the case of a consent withdrawal, such data will not be taken into consideration in the recruitment process. Lack of consent or its withdrawal cannot be the basis of unfavorable treatment and cannot cause any negative consequences, in particular it cannot be the reason for justifying the refusal to employ a person.
2. Data of employees and former employees
Employee personal data include the data provided to the employer in connection with the employment process. They are processed in order to fulfill the obligations of Herkules arising from the employment relationship. Data are processed for the duration of the employment relationship, and after its completion they are processed for archiving purposes and for the purposes related to the determination of pension entitlement for a period of 50 years (in the case of contracts concluded after 01.01.2019 for a period of 10 years).
The legal basis for the processing of Employee’s personal data are the provisions of Art. 221 of the Labor Code in conjunction with special regulations, including those under Art. 49 sec. 2 of the Act on the social insurance system, Art. 50 of the Act on general protection obligation and Art. 125 sec. 4 of the Act on retirement and disability pensions from the Social Insurance Fund.
In the scope not covered by the abovementioned provisions, the basis for the processing of employee’s personal data is the employee’s consent. It can be withdrawn at any time. Withdrawal of consent does not affect the legality of the processing which took place on the basis of the consent before its withdrawal. Lack of consent or its withdrawal cannot be the basis of unfavorable treatment and cannot cause any negative consequences, in particular it cannot be the reason for justifying the refusal to employ a person, for termination of an employment contract or for dissolution of an employment contract without notice by the employer.
3. Data of temporary staff
Herkules processes the data of temporary staff covering first name, surname, date of birth, passport number and visa number, as provided by temporary work agencies.
These data are processed in order to meet obligations arising from the provisions of the Act of 9 July 2003 on the employment of temporary staff (based on Article 6 sec. 1 letter c of GDPR) as well as for the purpose of performing a contract with a temporary work agency and for keeping an internal record of working time, which constitutes the legitimate interest of Herkules in accordance with Art. 6 sec. 1 letter f of GDPR.
The data are processed during the period of temporary work and for the time necessary to perform the contract concluded by Herkules with a temporary employment agency.
4. Data of persons to be notified in the event of an accident
The controller processes personal data covering first name, last name, mailing address and contact phone number of persons to be notified in the event of an accident at work, as provided by the employee to the Controller.
The personal data are processed in order to enable the controller to notify such persons about an accident at work involving the employee, which is a legitimate interest of the Controller and the employee (Art. 6 sec. 1 letter f of GDPR). These data are processed for the duration of the Employee’s employment.
5. Data of customers and contractors
Herkules processes data covering first name, last name, mailing address, e-mail, telephone number of the customers and in case of entrepreneurs also the name, address of registered office, NIP (Tax Identification Number) and REGON (Business Registry Number) of the company. In the case of persons providing services under a contract of mandate or a contract for a specific task, the Controller also processes their PESEL (Personal Identification Number).
Personal data are processed in order to perform contracts concluded by Herkules with data subjects. The basis for the processing of these data is Art. 6 sec. 1 letter b of GDPR. Personal data are processed throughout the term of the contracts, and for the period and to the extent to which, in accordance with the applicable provisions, Herkules is obliged to keep accounting records regarding such contracts.
6. Data of employees and representatives of customers and contractors
Herkules processes the data provided by customers and contractors concerning their employees and representatives, covering first name, last name, position held, business phone number and business e-mail address. These data are processed only to enable the Controller to make contacts on matters regarding cooperation with customers and contractors. These data are processed during the period of cooperation with a particular customer or a contractor.
The basis for the processing of these data is the legitimate interest of the controller (Art. 6 sec. 1 letter f of GDPR), which in this case is the need to perform concluded contracts.
7. Data from the video surveillance system
The video surveillance system is used at the Herkules site in Jastrowo. The purpose of its implementation is to ensure the protection of Herkules property and supervision over the production process. The video surveillance does not cover sanitary spaces, cloakrooms, canteens and smoking rooms, nor the premises made available to the trade union organization.
Video recordings are processed by the Controller only for the purposes specified above, and they are stored for a period not exceeding 3 months. However, if the image recordings are evidence in proceedings conducted under the law, or Herkules has learned that they can be evidence in such proceedings, the above-mentioned three-month term is extended until the proceedings are finally concluded.
The basis for the processing of data in this case is the legitimate interest of the controller (Art. 6 sec. 1 letter f of GDPR), which is the need to protect the property of Herkules and supervise the functioning of the enterprise.
V. Data processing for the purposes of investigation and defense against claims
Some personal data may also be processed by Herkules for the purposes of determination, investigation and defense against claims. Only the data necessary to prove the existence of the claim, including the extent of the damage suffered or the circumstances of its occurrence, are processed for that purpose. Those data are processed based on a legitimate interest (Art. 6 sec. 1 letter f of GDPR), consisting in the determination, assertion and enforcement of claims and defense against claims in court proceedings and before other state authorities, within the period of claim limitation, and in the event of the initiation of proceedings for the purpose of the enforcement or execution of claims, also for the duration of such proceedings.
VI. Automated decision making
Personal data processed by Herkules are not subject to automated decision making, including profiling.
VII. Data recipients
Personal data can be made available by Herkules to individuals and entities with whom Herkules cooperates in the course of its business, such as employees of Herkules who are authorized to process data, the entities providing accounting, HR and legal services as well as occupational health and safety services.
The data may also be made available to external entities implementing specific works and services for Herkules, such as transport and courier companies.
To the extent provided by law, data may also be made available to authorized state bodies, in particular to the National Fiscal Administration, organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection, and courts and authorities conducting proceedings involving Herkules.
The data are not shared outside the European Economic Area.
VIII. New rights of data subjects
To the extent that the legal basis for data processing is the legitimate interest of the data controller, pursuant to Art. 6 letter f) of GDPR, data subjects have the right to object at any time to the processing of their personal data on that basis – for reasons related to their specific situation. In the event that such an objection is made, the Controller is no longer allowed to process such personal data unless it demonstrates the existence of legally valid grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, investigating or defending claims.
If the basis for data processing is only the consent of the data subject, such consent may be withdrawn at any time. Withdrawal of consent does not affect the legality of the processing which took place on the basis of consent before it was withdrawn.
If the data is processed in an automated manner, under a contract or on the basis of consent for the processing, data subjects have the right to receive their personal data provided by them to the Controller and then send them to another personal data controller of their choice. They may also request that personal data be sent by the Controller directly to such a controller, if it is technically possible. In such a case, the Controller will send the Customer’s personal data in the form of a file in CSV format, which is a widely used, machine-readable format that allows sending the received data to another personal data controller.
Data subjects have the right to access data and request correction of incorrect data. In case of questioning the correctness of the data being processed, you can request that the processing of such data is limited – for a period sufficient to check the correctness of that data.
Once the data are no longer needed for the purposes for which they were collected or processed, you can request their removal or restriction of their processing (if they are needed to establish, assert or defend claims).
If the processing is found to be unlawful, you can request the restriction of processing or the removal of data.
If you believe that the processing of your personal data will violate the provisions of GDPR, you will have the right to lodge a complaint with the supervisory body – the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warszawa.