This Privacy Policy for Employees and Associates, including contractors, interns, trainees, and other individuals cooperating on a basis other than an employment contract (hereinafter collectively referred to as "Employees"), applies to individuals performing work or services for the companies belonging to the VEAN BUSINESS GROUP in Poland. These companies include Vean Poland Sp. z o.o., VEAN KRAKÓW Sp. z o.o., Vean Częstochowa Sp. z o.o., Vean Olsztyn Sp. z o.o., and VEAN Białystok Sp. z o.o. The Policy explains how the administrator processes personal data, including collection, use, sharing, and other forms of personal data processing (hereinafter also referred to as personal information). Personal data is processed in accordance with this Privacy Policy and the provisions of the Regulation of the European Parliament and the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR"), as well as labor law regulations.
The entity responsible for processing personal data is the entity employing the Employees, that is, Vean Poland Sp. z o.o., VEAN KRAKÓW Sp. z o.o., Vean Częstochowa Sp. z o.o., Vean Olsztyn Sp. z o.o., VEAN Białystok Sp. z o.o., and additionally, Vean Poland Sp. z o.o. to the extent that it processes personal data of Employees for their promotion and marketing on the website www.vean-tattoo.pl and on profiles managed on social media platforms (hereinafter each entity is referred to as the Administrator).
We process personal data related to Employees for the following purposes:
a) People management: e.g., managing work and personnel in general, including evaluations, promotions, succession and career planning, salary allocation, managing payments, assessments, payroll, and other benefits such as stock options, shares, and bonuses; health protection, life insurance, and other benefits, social security, retirement plans, and savings plans, training (including distribution of company policies and training materials to Employees), leave, sickness, work-related injuries, promotions, transfers, replacements, and the use of other contractual benefits, loans, disciplinary procedures, dismissals, and coordinating business trips.
Processing personal data is necessary for the performance of the contract or to comply with legal obligations to which we are subject. The legal basis is Article 6(1)(b) and (c) of the GDPR.
Special categories of personal data (sensitive personal information) are processed for the above purposes only when necessary to fulfill obligations and exercise specific rights by us as the administrator or by you as the data subject in the context of employment, social security, and social protection, or when processing is necessary for the establishment, exercise, or defense of legal claims, or when you have given your explicit consent. The legal basis is Article 9(2)(a), (b), or (f) of the GDPR.
Health information is processed in connection with statutory health checks and exams. The legal basis is the Social Security System Act of October 13, 1998, consolidated text, Journal of Laws of 2022, item 1009.
b) Business management: e.g., operating and managing IT and communication systems, allocating human resources, creating employee directories, conducting situational checks, conducting employment analysis and planning, strategic planning, financial management, and reporting.
Processing is necessary to pursue our legitimate interest in effectively planning, managing, and organizing our Employees to best support our business strategy. The legal basis is Article 6(1)(f) of the GDPR.
c) Marketing and public communication: e.g., publishing contact information on our website and in social media according to the overall external communication strategy.
Processing data is necessary to fulfill our legitimate interest in external communication of the identity and contact details of our Employees and in promoting our services. The legal basis is Article 6(1)(f) of the GDPR.
d) Internal communication: e.g., facilitating communication with Employees, ensuring business continuity, protecting the health and safety of Employees and other persons, facilitating communication in emergencies.
Processing data is necessary to fulfill our legitimate interest in facilitating internal communication within our group and protecting the safety of our Employees and other individuals. The legal basis is Article 6(1)(f) of the GDPR.
e) Handling settlements: e.g., income tax and social security deductions, record-keeping, and reporting obligations.
Processing data is necessary to fulfill legal obligations to which we are subject, to comply with employment, social security, and social protection laws, or for the establishment, exercise, or defense of legal claims. The legal basis is Article 6(1)(c) and (f) of the GDPR. In the case of special categories of personal data, the legal basis is Article 9(2)(b) and (f) of the GDPR.
For the purposes listed above in section 2, we only process personal information necessary for those purposes. We may process the following categories of your personal data:
a) Remuneration-related data: e.g., bank details, base salary, bonuses, awards, salary reviews, and tax identification data.
b) Personal and contact information: e.g., name, maiden name, email address, telephone number, home address, date of birth, personal identification number, gender, marital status, dependents, emergency contact information, passport and visa details, and photograph; CV, previous employment details, references, education history, professional qualifications, languages, and other skills, performance evaluations, personality test results, development plans, and willingness to relocate.
c) Employment history and work data: e.g., description of current position, job title, salary plan, salary grades or levels, department/unit, location, supervisor and subordinates, employee ID number, employment status and type, employment terms, employment contracts, employment history, reemployment, and termination dates, seniority, retirement eligibility, promotions, and disciplinary records.
d) Work schedule data: e.g., work time records (including leaves, sick leave, and other absence-related documents, leave status, working hours, and standard working hours), overtime, shift work, and termination records.
To the extent necessary for the purposes mentioned above in section 2, we may process the following categories of sensitive personal information:
- Health data, including information about the psychological work environment.
- Criminal record information.
We may collect personal information in the following ways:
a) Directly from the Employee, e.g., from information provided to us in connection with employment or service provision on a basis other than employment.
b) During your work, e.g., from work results and interactions with other employees, customers, or other individuals.
We may share Employee personal data with the following entities:
- External professional advisors and other parties providing us with products or services, such as service providers, IT system providers, support services, financial institutions, and consulting firms.
- Public authorities, including tax authorities, the Social Insurance Institution (ZUS), police, and government administrative bodies.
- Entities providing us with services: administration, management functions, payment processing, benefits administration, including health insurance in connection with your employment.
When we engage a data processor to process personal data on our behalf, we assign such processing in writing, select a data processor that provides sufficient guarantees regarding technical and organizational security measures appropriate for the processing, obligate the data processor to act on our behalf and according to our instructions, and comply with all applicable legal provisions regarding the actions of data processors.
The Administrator does not currently transfer Employee personal information to countries outside the EU/EEA.
As a general rule, we retain data for 5 years from the end of the year in which the employment relationship ended, except for employee records, which, according to the law, must be retained for 50 years from the termination of employment. We may also retain personal information for a longer period if we have a legal obligation to do so or if it is necessary for the establishment, exercise, or defense of legal claims.
The Administrator maintains appropriate technical and organizational measures to protect against unauthorized or unlawful processing of personal data, or accidental loss, alteration, disclosure, or access, as well as accidental or unlawful destruction or damage to personal data.
The HR department stores records in a secure environment. We also keep an automatic record of Employee personal information. Additionally, we store personal data in various human resources-related applications, including payroll, benefits, talent management, and performance management systems.
Access to personal data is restricted to those individuals who need such access for the purposes mentioned above or in cases required by law, including HR department members, management, and authorized employees.
Employee data is processed and secured in accordance with the Administrator’s current Data Processing and Protection Policy.
In accordance with applicable procedures, the Employee has the following rights:
- The right to access, request rectification, or deletion of personal data.
- The right to object to the processing of personal data and to restrict its processing.
- If the processing of personal data is based on consent, the Employee has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- The right to receive personal information in a structured, commonly used, and machine-readable format (data portability).
If the Employee requests the deletion of their personal data, we will no longer be able to provide employment-related services.
The Employee has the right to lodge a complaint with the supervisory authority, specifically the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw, if the data processing violates applicable legal provisions.