PRIVACY POLICY

PRIVACY POLICY (https://baltics.totalenergies.com/lv)

This Privacy Policy aims to explain the processing of your personal data and provides information on your basic rights in relation to the processing of your personal data.

1. Personal data controller

The controller of your personal data is TotalEnergies Marketing Polska sp. z o. o. with its registered office in Warsaw, Al. Jana Pawła II 80 (00-175 Warsaw), entered into the Register of Entrepreneurs of the National Court Register under KRS no. 0000019835, NIP 5220100798, REGON: 010013868 (hereinafter also "TEMP").

2. Contact

You can contact the Controller by post at al. Jana Pawła II 80, 00-175 Warsaw.

If you have any questions regarding the processing of your personal data, we kindly ask you to contact us via e - mail at [email protected].

3. Personal data

Personal data is information about a natural person identified or identifiable by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier and information collected through cookies and other similar technology.

When collecting and using personal data, we wish to be transparent about the basis and manner of processing.

Personal data shall be processed by the Controller in accordance with the principles defined in the data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as "GDPR" - and Polish regulations issued in connection with GDPR, including the Act of 10 May 2018 on the protection of personal data.

TEMP takes the security of all the data we hold very seriously, keeping personal data confidential and securing it from unauthorised access by third parties, in accordance with the principles indicated in the aforementioned legislation.

4. Aims and legal basis for personal data processing

The controller, in the course of its business activities, processes personal data for the following purposes depending on the specific facts:

Purpose of processing

Legal basis and data retention period

If you contact us - the staff will ask you about this within the contact forms available on the Website.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest in responding to requests and enquiries.
Personal data will be stored for the duration of the preparation and response to the addressees of the message. However, for no longer than a period of 3 years.

If you have entered into a contract with us or are preparing to enter into a contract with us - the conclusion and execution of a contract with a client or contractor.

Article 6(1)(b) GDPR - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
Article 6(1)(c) GDPR - processing necessary for the Controller to comply with legal obligations including accounting or tax obligations.
Personal data will be retained for the duration of the contract and, after the end of the contract, until the expiry of any claims arising therefrom, in principle 3 years, with a maximum of 6 years.

If you are an employee, collaborator of our contractor or supplier and your data has been made available to us in connection with the conclusion or performance of a contract.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest in servicing the contract.
The source of data acquisition is then your employer.
Personal data will be retained for the duration of the contract and, after the end of the contract, until the expiry of any claims arising therefrom, in principle 3 years, with a maximum of 6 years.
We obtained the contact details and position from your employer/contractor, who is our client.

If you wish to make a complaint.

Article 6(1)(f) GDPR - as the fulfilment of the Controller's legitimate interest in investigating a complaint from a Controller’s supplier concerning, in particular, an unpaid invoice and taking the necessary action following a complaint.
Personal data will be stored for 6 years from the date of the complaint.

If you visit our social media, you interact with us, for example by sending a message or leaving a comment.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest to communicate with social network users.
Your personal data will be stored for the duration of your observation of our social networks and, if you ask a question, for the duration of the answer and then until the statute of limitations for claims.

If we are conducting a dispute or enforcing a claim.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest to assert or defend against claims.
Personal data will be stored for the duration of the proceedings in respect of the asserted claims, i.e. until their final conclusion, and in the case of enforcement proceedings until the final settlement of the asserted claims.

If you enter our premises, i.e. access control, including monitoring on the data controller's premises for the purposes of increasing the security of the persons on the premises and the protection of property and the confidentiality of information.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest in carrying out access control for persons on the Controller's premises.
Personal data will be stored until an objection is lodged, up to a maximum of one year.
Video recordings shall be processed only for the purposes for which they were collected and shall be stored for a period not exceeding 3 months from the date of the recording, unless the recording constitutes evidence in proceedings, in which case until the proceedings are finally concluded or until an objection is lodged.

If you take part in competitions and promotional activities, as well as in events organised by us.

Article 6(1)(f) GDPR as the fulfilment of the Controller's legitimate interest in running competitions and promotional campaigns, as well as organising events.
Article 6(1)(c) GDPR as the fulfilment of TEMP's legal obligations for competitions and promotions that are subject to tax accounting.
Personal data will be kept until an objection is lodged. With regard to the fulfilment of legal obligations - 6 years.

If you are taking part in the recruitment

Article 6(1)(c) GDPR as the fulfilment of TEMP's legal obligations - in the case of employee recruitment.
Article 6(1)(b) GDPR - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract - in the case of civil law contracts.
Article 6(1)(a) GDPR on the basis of consent - whenever a candidate provides TEMP with more information than is necessary for the recruitment process.
We will process your data for a period of 6 months from the end of the recruitment process.

If you are our employee

Article 6(1)(b) GDPR, i.e. the processing is necessary for the performance of the employment contract (purpose of conclusion and performance),
Article 6(1)(c) of the GDPR, i.e. the processing is necessary for the fulfilment of the Employer's obligations such as, for example, maintaining and archiving employee files, recording working time, performing health and safety duties, and for the purpose of keeping financial accounts, including tax accounts,
Article 6(1)(c) of the GDPR in order to comply with legal obligations, including but not limited to, maintaining employee files or the Employee Benefit Fund.
Article 6(1)(f) GDPR, i.e. the processing is necessary for the purposes of the Controller's legitimate interests, such as the possible need to ward off or pursue claims related to the employment contract concluded, the video surveillance/email monitoring/Internet monitoring/ monitoring of the location of company vehicles used,
Article 9(2)(b) GDPR insofar as the processing is necessary for the fulfilment of the employer's obligations and the exercise of specific rights in the field of employment law, including the processing of data for the assessment of the employee's fitness for work.
We process employees' personal data for a period of 50 or 10 years after termination of employment. In the case of data from the Employee Benefit Fund, one year after collection verifies the need for further processing. Data will not be processed for longer than 6 years.

5. Information on your rights

To the extent provided for by law, persons whose data we process have the right to access their personal data, to request rectification, erasure or restriction of processing, as well as the right to object to processing and the right to data portability, and the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection (Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw).

If your personal data is processed on the basis of consent, you have the right to withdraw it by any means, at any time, which does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.

6. Recipients of personal data

The recipients of your personal data, i.e. the entities to which the Controller may transfer personal data, may be as follows:

  • state authorities or other entities authorised to access the data to the extent and for the purpose specified in specific legislation,
  • Polish Post and courier companies,
  • banks when settlements are required,
  • entities providing the Controller with services supporting its functioning within the scope of the provided services, i.e., among others, IT service providers, auditing entities, entities providing accounting services, entities providing services supporting the recruitment process, entities providing marketing services - whereby such entities process data on the basis of an entrustment agreement and only in accordance with the Controller's instructions,

7. Transfers of data outside the EEA

The Controller transfers Personal Data outside the European Economic Area (EEA) only when necessary and with an adequate degree of protection, primarily by:

  • cooperation with processors of personal data in countries for which a relevant decision of the European Commission has been issued as to whether an adequate level of personal data protection is ensured;
  • the use of standard contractual clauses issued by the European Commission;
  • the application of binding corporate rules approved by the competent supervisory authority.

8. Final provisions

We recognise that transparency is an ongoing obligation, so we will regularly review and update this document. Any changes we make to the Privacy Policy in the future will be published on the Website.

Last updated: 16 February 2024.