Privacy Policy

PRIVACY POLICY

1. DEFINITIONS

1.1. Administratorem danych jest OT PORT GDYNIA Sp. z o.o. z siedzibą w Gdyni (81-336), ul. Indyjska 13. The data controller is OT PORT GDYNIA Sp. z o.o. with its registered office in Gdynia (81-336), ul. Indyjska 13.

1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

1.3. Policy – this Privacy Policy.

1.4. RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Data subject – any natural person whose personal data is processed by the Data Controller, e.g. a person visiting the Data Controller’s website or sending an inquiry to the Data Controller by email.

2. DATA PROCESSING BY THE DATA CONTROLLER

2.1. In connection with its activities, the Data Controller collects and processes personal data in accordance with the relevant regulations, in particular the GDPR, and the data processing principles provided for therein.

2.2. The Data Controller ensures transparency of data processing, in particular, always informs about data processing at the time of collection, including the purpose and legal basis of processing – e.g. when concluding contracts for the provision of services. The Data Controller always ensures that data are collected only to the extent necessary for the indicated purpose and processed only for the period for which it is necessary.

2.3. When processing data, the Data Controller ensures their security and confidentiality as well as access to information about processing to data subjects. If, despite the security measures in place, there is a breach of personal data protection (an incident resulting in data leakage or loss), the Data Controller will inform data subjects about such an event in a manner consistent with the regulations.

3. CONTACT THE DATA CONTROLLER

3.1. Correspondence address OT PORT GDYNIA Sp. z o.o. ul. Indyjska 13, 81-336 Gdynia

3.2. The Data Controller has appointed a Data Protection Inspector who can be contacted via email iod@otpg.pl on any matter regarding the processing of personal data.

4. SECURITY OF PERSONAL DATA

4.1. In order to ensure the integrity and confidentiality of data, the Data Controller has implemented procedures enabling access to personal data only to authorized persons and only to the extent necessary due to the tasks performed by them. The Data Controller uses organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.

4.2. The Data Controller also takes all necessary actions to ensure that its subcontractors and other cooperating entities guarantee the use of appropriate security measures whenever they process personal data on behalf of the Data Controller.

4.3. The Data Controller conducts ongoing risk analysis and monitors the adequacy of the data security measures used to the identified threats. If necessary, the Data Controller implements additional measures to increase data security.

5. PURPOSES AND LEGAL BASIS OF PROCESSING

5.1. Personal data of all persons using the Data Controller’s website (if made available and operated by the Data Controller), including IP addresses or other identifiers and information collected via cookies or other similar technologies, are processed:

5.1.1. in order to provide services electronically in the scope of making content collected on the website available to users – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);

5.1.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR), consisting in conducting analyses of users’ activity as well as their preferences in order to improve the functionalities used and the services provided;

5.1.3. in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR) consisting in the protection of his rights;

5.1.4. for marketing purposes of the Data Controller and other entities – the principles of processing personal data for marketing purposes are described in the “Direct marketing” section below.

DIRECT MARKETING

5.2. The Data Controller processes users’ personal data in order to carry out marketing activities based on the expressed consent, which may consist in:

5.2.1. conducting activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).

COOKIES AND SIMILAR TECHNOLOGY

5.3. Cookies are small text files installed on the device of the user browsing the website.
Cookies collect information that facilitates the use of the website – e.g. by remembering the user’s visits to the website and the activities performed by the user. The legal basis for the processing of such data is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR).

5.4. The Data Controller uses cookies primarily to provide the user with services provided electronically and to improve the quality of these services. Therefore, the Data Controller and other entities providing analytical and statistical services to the Data Controller use cookies to store information or gain access to information already stored in the user’s telecommunications end device (computer, telephone, tablet, etc.).

EMAIL AND TRADITIONAL CORRESPONDENCE

5.5. If sent to the Data Controller via e-mail or traditional correspondence, personal data contained in this correspondence are processed solely for the purpose of communication and solving the matter to which the correspondence relates.

5.6. The legal basis for processing is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR), consisting in conducting correspondence addressed to the Data Controller in connection with the Data Controller’s activities.

5.7. The Data Controller only processes personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data contained therein (and other information) and disclosed only to authorized persons.

VIDEO MONITORING AND ADMISSION CONTROL TO THE PORT AREA

5.8. In order to ensure the safety of persons and property, the Data Controller uses video monitoring and controls access to the premises and the area managed by the Data Controller.

5.9. Data collected in this way is not used for any other purposes.

5.10. Personal data in the form of recordings and data collected in the register of entries and exits from the Port premises are processed in order to defend against or pursue claims.

5.11. The legal basis for the processing of this data is the legitimate interest of the Data Controller, consisting in ensuring the safety of the Data Controller’s personnel and property (Article 6(1)(f) of the GDPR).

RECRUITMENT OF EMPLOYEES

5.12. As part of recruitment, the Data Controller expects the transfer of personal data (e.g. in a CV or curriculum vitae) only to the extent specified in labour law provisions. Therefore, information should not be provided in a broader scope. If the submitted or delivered applications contain additional data, they will not be used or taken into account in the recruitment process.

5.13. Personal data are processed as part of the recruitment process:

5.13.1. in order to perform obligations arising from legal provisions related to the employment process, in particular the Labour Code – the legal basis for processing is the legal obligation imposed on the Data Controller (Article 6(1)(c) of the GDPR in connection with the provisions of the Labour Code);

5.13.2. in order to carry out the recruitment process regarding data not required by law, as well as for the purposes of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);

6. DATA RECIPIENTS

6.1. In connection with running a business that requires processing, personal data are disclosed to external entities, in particular contractors, suppliers responsible for operating IT systems and equipment, entities providing legal or accounting services, couriers, marketing or recruitment agencies.

6.2. The Data Controller reserves the right to disclose selected information about the data subject to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.

7. TRANSFER OF DATA OUTSIDE THE EEA

7.1. The Data Controller transfers personal data outside the EEA only when necessary and ensuring an adequate level of protection, primarily by:

7.1.1. use of standard contractual clauses;

7.1.2. application of binding corporate rules approved by the relevant supervisory authority;

7.1.4. in the event of data transfer to the USA – cooperation with entities participating in the Privacy Shield program approved by the European Commission.

7.2. The Data Controller always informs data subjects about the intention to transfer personal data outside the EEA at the stage of data collection.

8. PERSONAL DATA PROCESSING PERIOD

8.1. The period of data processing by the Data Controller depends on the type of service provided and the purpose of processing. The data processing period may also result from regulations when they constitute the basis for processing. In the case of data processing based on the legitimate interest of the Data Controller – e.g. for security reasons – the data are processed for a period enabling the exercise of this interest or until an effective objection to data processing is submitted. If the processing is based on consent, the data are processed until the consent is withdrawn. When the basis for processing is the necessity to conclude and perform the contract, the data are processed until its termination.

8.2. The data processing period may be extended if the processing is necessary to establish or pursue claims or defend against claims, and after this period – only if and to the extent required by law. After the processing period, the data are irreversibly deleted or anonymized.

9. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

9.1. Data subjects have the following rights:

9.1.1. the right to information about the processing of personal data  – on this basis, the Data Controller provides the person submitting the request with information about data processing, including, in particular, the purposes and legal basis for processing, the scope of data held, entities to which the data are disclosed, and the planned date of data deletion;

9.1.2. the right to obtain a copy of the data – – on this basis, the Data Controller provides a copy of the processed data regarding the person submitting the request;

9.1.3. the right to rectification  – the Data Controller is obliged to remove any possible inconsistencies or errors in the processed personal data and supplement them if they are incomplete;

9.1.4. the right to delete data  – on this basis, you can request the deletion of data whose processing is no longer necessary to achieve any of the purposes for which the data were collected;

9.1.5. the right to limit processing  – if such a request is made, the Data Controller ceases to perform operations on personal data – except for operations to which the data subject has consented – and to store them, in accordance with the adopted retention principles or until the reasons for limiting data processing no longer exist (e.g. a decision of the supervisory authority is be issued authorizing further data processing);

9.1.6. the right to transfer data  – on this basis – to the extent that the data are processed in connection with the concluded contract or consent – the Data Controller issues the data provided by the data subject in a format that allows them to be read by a computer. It is also possible to request that the data be sent to another entity – provided, however, that there are technical possibilities in this respect on the part of both the Data Controller and the other entity;

9.1.7. the right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection;

9.1.8. the right to object to other purposes of data processing  – the data subject may at any time object to the processing of personal data that are processed on the basis of the legitimate interest of the Data Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); objections in this respect should include justification;

9.1.9. the right to withdraw consent  – if data are processed on the basis of expressed consent, the data subject has the right to withdraw the consent at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of the consent.

9.1.10. the right to complaint  – if it is considered that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may submit a complaint to the President of the Office for Personal Data Protection.

SUBMITTING REQUESTS RELATED TO THE EXERCISE OF THE RIGHTS

9.2. An application regarding the exercise of the rights of data subjects may be submitted:

9.2.1. in writing to the following address: ul. Indyjska 13, 81-336 Gdynia;

9.2.2. by email to the following address: iod@otpg.pl.

9.3. If the Data Controller is unable to identify the person submitting the application based on the submitted notification, the Data Controller will ask the applicant for additional information.

9.4. The application may be submitted in person or through a representative (e.g. a family member).

9.5. A response to the notification should be provided within 30 days of its receipt. If it is necessary to extend this deadline, the Data Controller informs the applicant about the reasons for the delay.

10. CHANGES TO THE PRIVACY POLICY

The policy is verified on an ongoing basis and updated as needed.