OBLIGATORY DISCLOSURE ON THE PROTECTION OF PERSONAL DATA
- Personal data
We are publishing this document in order to explain the purposes for which we collect and process personal data as part of our business activities:
- What is personal data?
Personal data is any kind of information that allows to discern a person from other people with relatively low effort. This information may refer to that person explicitly (e.g. first and last names, identification number, sometimes even e-mail address or an account on the internet) but it may also not describe the person directly (e.g. it may regard the person’s features, health status, beliefs, place of residence, addictions, race, or religion.
- What kind of personal data is it in our case?
We process data that our Clients, Counterparties, and Employees provide to us in relation with using our services, cooperating with us, or being employed by us.
- What does data processing mean?
Processing is any activities we can do that pertain personal data – related to both their active use such as collecting, downloading, recording, combining, altering, or making available, as well as passive use, such as storing, restricting, erasing, or destroying.
- Who is the Data Controller (i.e. who has influence on the processing and safety of data)?
The Controller of your data is Port Lotniczy Bydgoszcz S.A. with its registered office in Białe Błota, ul. Paderewskiego 1, 86-005 Bydgoszcz, National Court Register No. 0000121056, REGON 091230462, VAT Id. No. 554-030-92-29, represented by the Management, tel. + 48 52 365-46-20, e-mail address: [email protected].
- On what legal basis and for what purpose do we process your data?
All processing of your data must be supported by a relevant legal basis conforming to applicable regulations. Such a legal basis may take the form of your consent to data processing or other provisions of law that allow this contained in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also known as “GDPR”) or in other national legislation such as acts or regulations.
Your data may be collected through various means of communication, including in writing, by e-mail, or over the phone. The data may be provided to us in various situations, for example as part of our cooperation in the course of performing agreements regarding the provision of our services. The data may also be collected by us from other sources, such as your counterparties, with whom we may also cooperate as contractors. The data may be processed by us for various purposes, for example:
- You may provide us your data by sending an e-mail. Your data is then processed by us on the basis of your consent, which you automatically give when you send us your data (e.g. e-mail address). Your consent is voluntary – remember that you can always withdraw it. In such a case we will immediately delete all information provided by you, provided that you have not become our Client.
- If you are our Client or if you are interested in using services we provide, your Data is processed on the basis of an agreement between us or as part of preparations for conclusion of such an agreement. This is always done with your knowledge and consent. When expressing the intent to conclude the agreement, you know what personal data will be required for its conclusion, and after it is concluded you are ware of what data you provided for this purpose or what data you will provide at a later date.
- We may also process your data for the purpose of providing you with answers to any questions or requests directed to us and with the purpose of continuing communication within this scope, or for marketing and for contacting you regarding other information and services, as well as to comply with our legal obligations, or for the purpose of ascertaining, defending, and asserting claims, for processing of warranty claims, for provision of technical support, or for dealing with matters of accounting, including issuing financial documents.
- If you are a User of our Services, e.g. a recipient of commercial or marketing data prepared by us – your data shall be processed on the basis of consent provided by you. You can give such consent orally over the phone, by responding positively to our inquiry to present our offer to you, or by subscribing to our newsletter. Your consent is voluntary – remember that you can withdraw it at any time. In such a case we will cease to provide you our services and we will immediately delete all data you provided.
- We may also process your data in connection with the necessity to ensure safety of people and property (inter alia in the form of surveillance of the airport’s area), security of our computer network and data, and for ascertaining, defending, and asserting liabilities or claims. This falls within the scope of our legitimate interest.
- If you are interested in undertaking employment with us, your data is processed in the form of the application or CV provided by you. This happens with your knowledge and with your written consent, which you may withdraw at any time. In such a case your application will not be considered by us, and we will immediately delete all your data. Whereas if you become employed with us, all further matters regarding data processing and the obligation to provide the data and how we process it are regulated by the provisions of the labour law.
- Who do we transfer your data to?
In accordance with the applicable law, we can transfer your data to entities that process it on our behalf, e.g. entities such as: Domain Name Registers or Certifying Authorities and other suppliers of IT services, postal operators, other entities providing us consulting services, or legal, tax, or account assistance, as well as shipping and transporting services, or mail or courier services.
We also have the obligation to make your data available upon request of entities properly authorised on the basis of other provisions of the law (e.g. courts or law enforcement agencies). However, the data shall be disclosed only when the abovementioned entities formally request it from us, indicating the legal basis that permits such a request.
We do not consider the possibility of transferring your data to any third countries or international organisations, that is outside of the European Economic Area. Should a transfer to a place outside the EEA occur in the future, we shall undertake all appropriate measures to ensure protection of such Data, particularly by:
- applying certain contractual clauses referred to as ‘standard contractual clauses’ which have been approved by the European Commission; or
- transferring to countries for which the European Commission has issued a decision declaring an adequate level of protection.
In such case you will be entitled to receive the copy of the appropriate security measures.
In the European Union you are provided with equal protection for your personal data in all member states on account of GDPR. The GDPR is available at:
- How long will we process your personal data?
We make a strong commitment to limit the scope of personal data collected by us to minimum, same as with the duration we process it for. For this purpose, we systematically review all our physical and electronic documentation, removing redundant data the period of usability of which has expired. Keep in mind that depending on the legal basis for the processing of data, the duration for which we process your data is decided by separate legal provisions which are beyond our control, and which may obligate us to store your data, regardless of your will or preference. Examples of such laws include the labour code, social security law, or accounting law.
If you personally used our services and we concluded an agreement to that end, accounting laws provide that we shall keep and process your personal data in the thusly created financial-accounting documentation for the period of 5 calendar years, starting on the date of purchase/agreement conclusion.
If your personal data were to be used for purposes other than the purposes such data was collected for, you will always be notified by us of this fact so that you can object to it.
- What rights do you have regarding your personal data?
If we process your personal data, you are always entitled to:
- request access to your data – within the scope of art. 15 GDPR,
- rectify your data – within the scope of art. 16 GDPR,
- request erasure of your data – within the scope of art. 17 GDPR,
- restrict the processing of your data – within the scope of art. 18 GDPR,
- object to the processing of your data – within the scope of art. 21 GDPR,
- exercise your right to personal data portability, which includes acquisition of its copy – within the scope of art. 20 GDPR.
All these rights are described in detail in art. 15 to 21 GDPR, available at:
You may also withdraw your consent to the processing of personal data, in which case we will immediately erase your personal data, provided that we are under no legal obligation to process them further.
If you deem that we have in any way infringed on your rights – which we do not want, of course – or otherwise failed to secure your personal data, you have the right to lodge a complaint with a supervisory entity, the role of which is currently held by the President of the Office for Personal Data Protection.
- Automated decision-making and disclosure on profiling.
Your personal data is not used for us to make any decisions that may be deemed as automated, that is occurring without human intervention. We also do not undertake any activities that may aim to profile you.
- How do we protect your personal data?
In order to ensure security of your personal data we utilise legally required organisational and technical measures. Our registered office is equipped with the necessary physical protection to prevent access of unauthorised persons. Our employees hold the necessary authorisations and are limited in the ways they can process the personal data, i.e only to the extent that is necessary for them to perform their professional duties correctly.
The security of your personal data that is transferred electronically is ensured by a 256-bit TLS security protocol, version 1.2. Its graphical sign may be a green padlock displayed by the web browser next to the website’s address. Encryption of the webpage ensures the webpage you are accessing has not been modified on its way to you.
Internal procedures implemented by us guarantee that the collected personal data is:
- processed in accordance with the law, fairly, and in a way that is transparent to the person whom the data pertains;
- collected for concrete, explicit, and legally justifiable purposes and not further processed in a manner outside the scope of these purposes;
- adequate, appropriate, and limited to the minimum that is necessary for the purposes for which the data is being processed;
- correct and, if necessary, updated;
- stored in a way that allows identification of the person whom the data pertains, for a period no longer than necessary for the purposes for which the data is being processed;
- processed in a way that guarantees appropriate security of the data, including protection from unlawful or illegal processing, as well as accidental loss, erasure, or damage, by appropriate technical or organisational means.
- Protection of privacy of minors
Our website does not monitor or verify any data regarding the age of its users, senders and recipients of messages, or persons interested in receiving notifications about our activities, including the newsletter. Contact details received from the visitors (such us phone numbers or e-mail addresses of the users) are used for fulfilment of orders, sending information about our company, and advertising our commercial offer.
Underage persons should not send any information or commission any orders or subscribe to services provided by our company without consent of their parents or their legal guardians. Such consent will be required by us whenever we become aware that the user is an underage person (a “child”) within the meaning of art. 8 of GDPR, that is, that they are under 16 years old.
- Contact details of the person responsible for the processing of personal data
In all matters regarding the protection of personal data we are represented by Mr Sławomir Rzepecki who performs the function of Personal Data Protection Inspector. He may be contacted via e-mail at [email protected] or in writing by post at the address provided in point I.4.
- Video surveillance
- Legal basis:
The legal basis for using visual surveillance means is the legitimate interest exercised by us as the Data Controller (art. 6(1)(f) GDPR), and it stems in particular from the necessity of ensuring safety of property, clarification of disputes in connection with filed complaints, identification of perpetrators, and for collection of evidence in case a need arises to demonstrate the facts or to defend from possible claims.
- The purpose of video surveillance:
We use video surveillance for the purpose of:
- ensuring safety and protecting health and lives of our employees, clients, and other persons within the area of our Company;
- ensuring security of movable and immovable property in the area of our Company, including preventing stealing and vandalism;
- maintaining confidentiality of information disclosure of which may compromise the Company.
- Form of surveillance:
We use video surveillance in the form of cameras to record the image of people on the premises of the Company. The monitored area is distinctly marked with pictograms and information containing our contact details. Such pictograms are placed at all entrances to the monitored area.
- The scope of the processed personal data:
The scope of data that may be processed in relation to the image recorded by the monitoring device includes:
- image of natural persons,
- license plate of a vehicle,
- place and time of the event covered by the surveillance,
- behaviour of the persons whose image has been recorded by the device.
- Duration of data storage and its accessibility:
Recordings from the surveillance are processed exclusively for the purposes for which they have been collected and are stored for no longer than 30 days. This time may be extended by periods resulting from legal obligations or for the purpose of protecting the rights of the Controller or third parties, including assertion of claims and defending against claims.
The recordings may only be made available to our specifically authorised employees and entities authorised to access the video recordings on the basis of the provisions of law.
We do not plan to transfer your personal data to a third country or international organisation. The registered data is not subject to profiling and is only viewed in the event of a breach or suspected breach of security or in connection with a complaint – warranty claim.
- Rights of persons whose image has been recorded:
The persons who are recorded in the material obtained by video surveillance are entitled to the same rights as the ones listed in point I.8.