Logo
Contact Us
Case studies

Privacy policy of candidates' personal data

1. Who we are and how to find us

Controller of personal data is GGS IT CONSULTING Sp. z o.o. with its registered office in Krakow (address: ul. Cystersów 13A/3, 31-553 Krakow), entered in the register of entrepreneurs of the National Court Register by the District Court for Krakow-Śródmieście in Krakow, 11th Economic Department of the National Court Register under number: 0001009100, identifying itself with REGON number: 363572070 and NIP number: 9452190015 (hereinafter: "GGS"). You can contact us via email: contact@ggsitc.com.

2. Why we process your personal data

If we consider you to be a good candidate to work or cooperate with us, we will process your personal data to ensure your participation in recruitment. We will process your personal data to:

  1. contact you for the recruitment process,
  2. assess your qualifications for the position,
  3. assess your abilities and skills needed for the position,
  4. select the right person for the job.
RECRUITMENT INITIATED BY A JOB CANDIDATE

It is likely that your candidacy came to us directly, along with documents by you via email or through specialized job portals in response to job offers published by us. We process your personal data only for the purpose of recruitment indicated in the job offer and, if you have given the appropriate consent, also for future recruitment. The legal basis for the processing of your personal data, which you provide to us yourself by applying to job offers published by us, to the extent indicated in the labor law, is Article 6 (1) (b) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, hereinafter: "GDPR"), which applies when the processing is necessary for the conclusion of a contract. Other data will be processed on the basis of your consent (Article 6(1)(a) GDPR, i.e. the data subject has consented to the processing of his/her personal data for one or greater number of specified purposes), which may be revoked at any time. You should know, however, that in such a case we sometimes supplement the personal data you sent us by reviewing your publicly available profiles, including those on business or professional social media. Based on Article 6(1)(f) of the GDPR (processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party), we therefore have a legitimate interest in supplementing this information on our own, from publicly available sources. If sensitive data is among the data you provide to us, we may process it only on the basis of your express and separate consent. Your consent can be revoked at any time. In the absence of it, the data will be deleted by us immediately.

RECRUITMENT INITIATED BY GGS

Such recruitment is divided into two stages, important from the point of view of protecting your personal data. At first, we search for you. At that time, you don't yet know that we are processing your data, but we must do so - otherwise we could not assess whether you might be interested in the position, nor could we contact you. Processing is therefore necessary for the purposes of legitimate interests pursued by the Controller of personal data (Article 6(1)(f) GDPR, i.e. processing is necessary for the purposes of legitimate interests pursued by the controller). We do our best to make this first stage as short as possible, not to include unnecessary data and not to surprise you. In the next stage of the recruitment process you are already participating in a fully informed manner. We contact you, write an email, invite you to an interview. Along with the first contact, we provide you with all the information contained in this Privacy Policy (e.g. by sending you an email link).

OTHER RECRUITMENTS

If you will want your resume (and other data contained in your recruitment application and collected in connection with your participation in the recruitment process for a given job position) to be used for the purposes of future recruitments or as part of other recruitments currently conducted by us, your data will be processed on the basis of your voluntary consent, i.e. based on Article 6(1)(a) GDPR (the data subject has consented to the processing of his/her personal data for one or greater number of specified purposes).

CONTACT

By contacting us, you provide us with your personal data, including data contained in the body of your correspondence, in particular: email address, telephone number and name. Providing this data is voluntary, but often necessary to contact us. The legal basis for such processing of your personal data that you provide yourself by contacting us is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party). This legitimate interest is the desire to get in touch with people interested in working or cooperating with GGS and to answer questions related to the offers we publish.

HANDLING OF CLAIMS

The content of your correspondence with us may be subject to archiving and we are unable to determine with certainty when it will be deleted. You have the right to request the history of correspondence you have had with us (if it was subject to archiving), as well as to request its deletion, unless its archiving is justified due to our overriding interests. The legal basis for processing your personal data after your contact with us has ended is our legitimate interest in ensuring that we can prove certain facts in the future. We may therefore process your personal data for the purpose of investigating and defending against claims on the basis of Article 6(1)(f) GDPR (processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party).

3. What personal data we process

We may process the following personal data of candidates:

  1. first and last name;
  2. mailing address;
  3. email address;
  4. telephone number;
  5. image (e.g., photo in resume);
  6. education;
  7. history of previous employment;
  8. professional specialization;
  9. publicly available data on business or professional social media;
  10. financial salary expectations with the new employer;
  11. level of foreign language skills;
  12. the period of notice of termination of the contract of employment with the current employer;
  13. other data required by law.

4. To whom we disclose your personal data

Your personal data is processed in a computer system, located in part in the so-called public cloud, for the purpose of storing data on a server and operating an email server. Some of the operations described above involve the transfer of your personal data to so-called third countries (outside the European Economic Area), where the GDPR does not apply. However, this always takes place on the basis of the legal instruments provided for in the GDPR, which guarantee adequate protection of your rights and freedoms. Occasionally, we may transfer information about you to entities that, as part of their business, are professionally engaged in conducting recruitment and talent search processes or provide tools or software to improve these processes. Such situation occurs in connection with our use of the SmartRecruiters tool (provided by SmartRecruiters, Inc. based in San Francisco (USA) and SmartRecruiters Inc. (Spółka Akcyjna) Branch in Poland with its headquarters in Krakow (Poland). Occasionally, we may also publish job offers through specialized online job portals. You can find detailed information regarding the processing of your personal data in the privacy policies posted on these websites. In the case of transfer of personal data to a third country within the meaning of the GDPR, when the European Commission has not issued a decision on the adequate protection of personal data for those countries (in accordance with Article 45 of the GDPR), we take appropriate measures to ensure an adequate level of data protection in case of transfer. These include the European Union's standard contractual clauses or binding internal data protection regulations. Where this is not possible, we base the transfer of data on the exceptions described in Article 49 of the GDPR, in particular on express consent or the necessity to transfer data in order to fulfill the terms of the contract or to perform pre-contractual activities. The legal basis for data transfers to third countries is therefore, unless otherwise stated, the consent referred to in Article 6 (1) (a) GDPR in conjunction with Article 49 (1) (a) GDPR. At the same time, we would like to inform you that in the case of sending data to a third country for which no decision on adequate protection of personal data or adequate guarantees have been issued, there is a possibility and risk that authorities in the third country will gain access to the transferred data for the purpose of data collection and analysis, and that the possibility of enforcing the rights of data subjects cannot be guaranteed.

5. How long we will process your personal data

Your personal data is processed until the end of the recruitment process for the position you applied for. With regard to personal data processed for future recruitment processes, based on consent, your personal data will be stored for a period of 24 (twenty-four) months from the date of your consent. Sensitive data we have received from you, the processing of which has not been provided to us with express and separate consent, will be deleted immediately. Please note, however, that we may also retain some of your personal data for the purposes of establishing, investigating or defending against claims related to the recruitment process for a period of three (3) years calculated from the end of the recruitment process in which you participated.

6. How we enable you to exercise your rights

We make every effort to ensure that you are satisfied with your cooperation with us. Remember, however, that you have a number of rights that will allow you to influence the way we process your personal data and, in some cases, cause us to stop such processing. These rights are: - right to access your personal data (regulated in Article 15 of the GDPR)

Article 15

Data subject's right of access

*1. The data subject is entitled to obtain confirmation from the Controller of personal data relating to him, and if this is the case, he is entitled to access the data and the following information: a) the purposes of the processing;

b) the categories of personal data involved;

c) information about the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) where possible, the intended period of storage of the personal data, and where this is not possible, the criteria for determining this period;

e) information about the right to request from the controller rectification, erasure or restriction of the processing of personal data concerning the data subject, and to object to such processing;

f) information about the right to lodge a complaint with a supervisory authority;

g) if the personal data was not collected from the data subject - any available information about its source;

h) information on automated decision-making, including profiling as referred to in Article 22 (1) and (4), and, at least in these cases, relevant information on the principles of such decision-making, as well as on the significance and anticipated consequences of such processing for the data subject.

2. If personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the relevant safeguards referred to in Article 46 related to the transfer.

3. The controller shall provide the data subject with a copy of personal data subject to processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject requests a copy by electronic means, and unless he or she indicates otherwise, the information shall be provided by common electronic means.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

- right to rectification of data (regulated in Article 16 of the GDPR)

Article 16

Right to rectification of data

The data subject shall have the right to request the Controller of personal data concerning him/her that are inaccurate to be rectified without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by presenting an additional statement.

- right to erasure (regulated by Article 17 of the GDPR)

Article 17

Right to erasure ("right to be forgotten")

*1. The data subject has the right to demand from the controller the immediate erasure of personal data concerning him, and the controller is obliged to erase the personal data without undue delay if one of the following circumstances exists:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject has withdrawn the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;

c) the data subject objects under Article 21(1) to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects under Article 21(2) to the processing;

d) the personal data have been processed unlawfully;

e) the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject;

f) the personal data were collected in connection with the offering of information society services referred to in Article 8 (1).

2. If a controller has made personal data public, and is obliged under paragraph 1 to delete such personal data, the controller shall, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers processing such personal data that the data subject requests such controllers to delete any links to such data, copies of such personal data or replications thereof.

*3. Paragraphs (1) and (2) shall not apply to the extent that the processing is necessary:

a) to exercise the right to freedom of expression and information;

b) to comply with a legal obligation requiring processing under Union law or the law of a Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);

d) for archival purposes in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 is likely to prevent or seriously impede the purposes of such processing; or

e) to establish, assert or defend claims.

- right to restrict processing (regulated in Article 18 of the GDPR)

Article 18

Right to restrict processing

1. The data subject has the right to request the controller to restrict processing in the following cases:

a) the data subject disputes the accuracy of the personal data - for a period of time that allows the controller to verify the accuracy of the data;

b) the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead the restriction of its use;

c) the controller no longer needs the personal data for the purposes of the processing, but they are needed by the data subject to establish, assert or defend claims;

d) the data subject has objected under Article 21(1) to the processing - until it is determined whether the controller's legitimate grounds override the data subject's grounds for objection.

2. Where processing has been restricted pursuant to paragraph 1, such personal data may be processed, with the exception of storage, only with the consent of the data subject, or to establish, assert or defend claims, or to protect the rights of another natural or legal person, or for compelling reasons of public interest of the Union or a Member State.

3. Before lifting a restriction on processing, the controller shall inform the data subject who requested the restriction under paragraph 1.

- right to object to processing (regulated in Article 21 of the GDPR)

Article 21

Right to object

1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) or (f), including profiling under these provisions. The Controller of personal data shall no longer be allowed to process such personal data unless the Controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims.

2. If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

3. If the data subject raises an objection to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

4. At the latest on the occasion of the first communication with the data subject, the data subject shall be clearly informed of the right referred to in paragraphs (1) and (2), and shall be presented clearly and separately from any other information.

5. In connection with the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise the right to object through automated means using technical specifications.

6. If personal data are processed for scientific or historical research purposes or for statistical purposes under Article 89(1), the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.

- right to data portability (regulated by Article 20 of the GDPR)

Article 20

Right to data portability

1. The data subject shall have the right to receive in a structured, commonly used machine-readable format the personal data concerning him or her which he or she has provided to the Controller, and shall have the right to send such personal data to another Controller without hindrance from the Controller to whom the personal data were provided, if:

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a), or on contract pursuant to Article 6(1)(b); and.

b) the processing is carried out by automated means.

2. In exercising the right to data portability under paragraph 1, the data subject shall have the right to request that the personal data be sent by the controller directly to another controller, insofar as this is technically possible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

To exercise any of the rights described, please contact us by email, at the address through which we have contacted you, or at contact@ggsitc.com.

7. Complaint to the supervisory authority

Pursuant to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged violation was committed, if you believe that the processing of personal data concerning you violates the provisions of the GDPR. In Poland, the supervisory authority is the President of the Personal Data Protection Office - you can file a complaint, among others, by regular mail to ul. Stawki 2, 00-913 Warsaw, or by email to kancelaria@uodo.gov.pl, or you can get more detailed information at: https://uodo.gov.pl/.

8. Whether providing data is necessary to conclude a contract with us

We do not conclude any contract with you at this stage. Provision of data is necessary in order to participate in the recruitment.

9. where we got your personal data from

It is likely that you yourself responded to our advertisement using the application form on the website or through a specialized job portal, or by writing us an email. In that case, we got the first part of your data from you. However, we may want to complete them from publicly available sources, such as by browsing your profiles on business social networks. There is also the possibility that we searched for information about you, for example, by browsing your publicly available profiles on business or professional social networks, or someone recommended you to us as a good specialist. Sometimes we use the services of professional entities that, as part of their business, deal professionally with recruitment processes and talent search. In this case, a recruitment company will first contact you on our behalf, and your candidacy will be presented to us at a later stage.

10. Automated processing and profiling

We do not process your data in an automated manner and we do not carry out profiling as defined by the GDPR.