Information statement for the Clients
Privacy notice for the Business Clients of Compass Group Poland Sp. z o.o.
1. Data Controller
Compass Group Poland Sp. z o.o. with registered seat in Warsaw (00-102), at ul. Jana Olbrachta 94 (further referred to as Compass).
Compass is responsible for the processing of personal data for the purposes and pursuant to the legal bases specified in this notice, including in relation to the performance of a contract and the management of relations with a client/vendor, marketing and sales activities undertaken at Group level, purchase management, finance management and other administrative and business issues, as well as analysis and development of products and services.
2. Purpose and legal basis for the processing of personal data
The processing of personal data takes place on the following legal bases:
- Performance of a contract concluded between Compass and its client, vendor or business partner (further: Business Clients) and fulfillment of requests of the data subject before the conclusion of a contract, e.g. requests for information or an offer, subscription to newsletters or purchase orders (Article 6 section 1 b) of the GDPR);
- Management of relationships with Business Clients or with similar entities, maintained with relation to legitimate interest of the Controller (Article 6 section 1 f) of the GDPR);
- Legitimate interest of the Controller, tied to directing product and services marketing activities to contact persons designated by Business Clients (Article 6 section 1 f) of the GDPR);
- Fulfillment of legal obligations of the Controller in the light of regulations in force at the country of business (Article 6 section 1 c) of the GDPR).
The processing of personal data takes place for the following purposes:
- Supply of products and provision of services;
- Establishment, management and development of relations between Compass and Business Clients;
- Development of products and services;
- Communication with Business Clients, including collecting of feedback from Business Clients, e.g. through satisfaction surveys;
- Detection, prevention and verification of fraud and other offences;
- Analysis, segmentation and creation of statistics for the purposes explained above.
3. Data subjects and categories of personal data
Compass processes data of persons being sole proprietors of businesses and of contact persons designated by its potential, current and former Business Clients. For the purposes described above, the following categories of personal data are processed:
- Basic information on the data subject, e.g.: first name and surname, title and profession, position at the Company, Company details, contact details regarding employment;
- Marketing data, e.g.: positions and actions in the Company and in public service; preferences and professional interests; other interests and information provided by the data subject; marketing activities undertaken; participation in events; marketing permits and consents (acceptance), limitations and bans (rejection);
- Data regarding contacts and communication, e.g.: requests for contact and feedback, e-mail messages, digital forms, chat discussions;
- Analytical data, e.g.: marketing segments and profiles, developed on the basis of data described above and obtained from standard sources through analysis and application of patterns, such as calculation of potential interests of the Company/the data subject or including the Company/the data subject within a specific group of companies/data subjects.
For the purposes of direct marketing, targeted at contact persons at potential or former Business Clients, only the basic and marketing data, described above, is processed.
4. Sources of information
Personal data is collected directly from the data subject when the data subject sends a request for contact or information, completes a form, makes a purchase or submits an order, concludes a contract, participates in events or otherwise contacts Compass in person, by telephone or digitally. Personal data of persons designated for contact by potential, current and former Business Clients is obtained directly from Business Clients. It is also possible to collect and update personal data with the use of websites of Business Clients, public and private registers, and public institutions. Data from such sources is acquired according to the applicable provisions of the law on personal data protection.
5. Disclosure and transfer of data
Data will not be disclosed to other external entities, unless this is necessary due to legal obligations imposed upon Compass. Compass may commission activities in the area of ICT, marketing, communication and other areas to external suppliers or other subcontractors. In such a case Compass may disclose personal data to these subcontractors, in the scope necessary for the provision of services commissioned to them. These subcontractors will process personal data on behalf of Compass and must follow instructions provided by Compass. Compass shall apply appropriate contractual means to ensure that personal data is processed in a lawful manner.
Personal data shall not be transferred outside the European Union or the European Economic Area. If, however, it turns out to be necessary to transfer the data outside the EU or the EEA, Compass will verify whether the country to which the data is transferred is recognized by the European Union as ensuring proper privacy protection, or shall conclude with the entity to which the data is to be transferred an agreement based on Standard Contractual Clauses issued by the European Commission.
6. Data protection and storage
Access to personal data will be given only to authorized persons who need to process data as part of their work or other obligations. Digital data is protected with firewalls, passwords and other technical and organizational means. All data is kept in locked premises, protected with physical access control mechanisms.
Personal data shall be stored for the period for which it is necessary to fulfill specific purposes. After the expiry of the relationship between Compass and the Business Client, or when Compass obtains information that the data subject is no longer a contact person for a Business Client, the personal data shall be removed, subject to the following exceptions:
- Anonymized data can be stored without a time limit;
- Marketing data can be stored until the time the data subject withdraws the consent, or objects to the processing of personal data;
- Data can be stored for a longer period if the applicable provisions of the law allow for it, for example in the case of purchase orders.
7. Access to data, right to correct them and other rights of the data subject
Data subjects have the right to:
- access their data and to obtain copies of their personal data being processed;
- demand the deletion of their data (the right to be forgotten) in the event of circumstances described in Article 17 of the GDPR;
- demand the limitation of processing of their data in the cases indicated in Article 18 of the GDPR;
- object to the processing of their data in the cases indicated in Article 21 of the GDPR;
- transfer their data processed by automated means.
Where a data subject believes that their personal data is processed in a manner contrary to the law, they may file a complaint with the supervisory authority (UODO - Personal Data Protection Office, ul. Stawki no. 2, Warsaw).
If you wish to obtain additional information on personal data protection or to exercise your rights, contact us:
Data Protection Officer: Maria Hryniewicz, firstname.lastname@example.org