Transparency policy

1.1. Administrator – Budimex SA with its registered office in Warsaw (01-204) ul. Transylvanian 9

1.2. Personal data – information about a natural person identified or identifiable by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

1.3. Policy – this Policy on the transparency of personal data processing.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Website – the website run by the Administrator at https://budimex.pl/

1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.

2.1. In connection with its business activity, the Controller collects and processes Personal Data in accordance with the relevant provisions of law, including in particular the GDPR and the data processing rules provided therein.

2.2. The Administrator ensures transparency of the processing of Personal Data, in particular always informs about the processing of data at the time of their collection, including the purpose and legal basis of the processing (e.g. when concluding a contract). The Administrator makes sure that the data is collected only to the extent necessary to achieve the indicated purpose and processed only for the period in which it is necessary.

2.3. When processing Personal Data, the Controller ensures their security and confidentiality as well as access to information about the processing to data subjects. If, despite the security measures in place, a Personal Data breach occurs (e.g. data “leakage” or loss) resulting in a high risk of violation of the rights and freedoms of data subjects, the Controller shall inform the Data Subjects of such an event in a manner consistent with the regulations.

3.1. Contact with the Administrator is possible by phone at +48 22 623 60 00 or in writing to the address of the Administrator’s registered office.

3.2. The Controller has appointed a Data Protection Officer who can be contacted via e-mail address dane.osobowe@budimex.pl in any matter related to the processing of personal data.

4.1. In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures enabling access to Personal Data only to authorised persons and only to the extent that it is necessary due to the tasks performed by them. The Administrator uses organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.

4.2. The Controller also takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process Personal Data on behalf of the Controller.

4.3. The Controller conducts an ongoing analysis of the risk associated with the processing of Personal Data and monitors the adequacy of the data security measures used to the identified threats. If necessary, the Controller implements additional measures to increase data security. More information about safety
HERE.

E-MAIL AND TRADITIONAL CORRESPONDENCE

5.1. In the case of sending to the Administrator via e-mail or traditional correspondence not related to the services provided to the sender or any other contract concluded with him, the personal data contained in this correspondence are processed only for the purpose of communication and solving the matter to which the correspondence relates.

5.2. The legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activity.

5.3. The Administrator processes only Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the Personal Data (and other information) contained therein and disclosed only to authorized persons.

CONTACT

5.4. In the case of contacting the Administrator by phone, in matters not related to the concluded contract or services provided, the Administrator may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates. In such a case, the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in the need to resolve the reported matter related to the Controller’s business activity.

5.5. Telephone conversations may also be recorded – in this case, at the beginning of the conversation, the relevant information is provided to the natural person. Conversations are recorded in order to monitor the quality of the service provided and verify the work of consultants, as well as for statistical purposes. The recordings are available only to the Administrator’s employees and persons operating the Administrator’s hotline.

5.6. Personal data in the form of a recording of the conversation is processed:

5.6.1. for purposes related to servicing contractors and interested parties via the hotline, if the Administrator provides such a service – the legal basis is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in conducting communication with its contractors and responding to requests sent to the Administrator;

5.6.2. in order to monitor the quality of service and verify the work of consultants operating the hotline, as well as for analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in taking care of the highest possible quality of service for contractors and clients, as well as the highest quality of consultants’ work and conducting statistical analyses of telephone communication;

5.6.3. in order to establish or pursue possible claims by the Administrator or defend against claims made against the Administrator – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR).

VIDEO SURVEILLANCE AND ACCESS CONTROL

5.7. Due to the need to ensure the safety of people and property, the Administrator uses video surveillance and controls access to the premises and the area managed by him. The data collected in this way is not used for any other purposes, as described below.

5.8. Personal data in the form of CCTV recordings and data collected in the register of entries and exits are processed in order to ensure the safety of people and property and to maintain order on the premises of the facility and, possibly, to defend against claims made against the Administrator or to establish and pursue claims by the Administrator. The legal basis for the processing of personal data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in ensuring the safety of persons and property located in the area managed by the Administrator and the protection of its rights.

5.9. The area covered by the monitoring by the Administrator is marked with appropriate graphic signs.

RECRUITMENT

As part of the recruitment processes, the Controller expects the provision of Personal Data (e.g. in CVs or CVs) only to the extent specified in the provisions of the labour law. Therefore, information should not be provided more broadly. If the submitted applications contain additional data exceeding the scope indicated by the provisions of the labour law, their processing will be based on the candidate’s consent (Article 6(1)(a) of the GDPR), expressed by an unambiguous confirmation action, i.e. sending application documents by the candidate. If the submitted applications contain information that is inadequate to the purpose of recruitment, it will not be used or taken into account in the recruitment process.

5.10. Personal data is processed:

5.10.1. if the preferred form of employment is an employment contract – in order to perform obligations resulting from the provisions of law, related to the employment process, including in particular the Labour Code – the legal basis for the processing is the legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR in connection with the provisions of the Labour Law);

5.10.2. if the preferred form of employment is a civil law contract – for the purpose of conducting the recruitment process – the legal basis for the processing of data contained in application documents is taking action before concluding the contract at the request of the data subject before concluding the contract (Article 6(1)(b) of the GDPR),

5.10.3. in order to carry out the recruitment process in the scope of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes – the legal basis for the processing is consent (Article 6(1)(a) of the GDPR);

5.10.4. in order to establish or pursue possible claims by the Administrator or defend against claims made against the Administrator – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR).

5.11. To the extent that Personal Data is processed on the basis of consent, it may be withdrawn at any time, without affecting the lawfulness of the processing carried out before its withdrawal. If consent has been given for the purposes of future recruitment processes, personal data is deleted after five years – unless consent has been withdrawn earlier. The consent may be withdrawn by contacting the individual companies using the communication channels indicated in the introduction to this Policy (information about the correct e-mail address, telephone number and address of the Administrator’s registered office can be found above, in the link placed in the introduction to this Policy

COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS

5.12. In the event of collecting data for the purposes related to the performance of a specific contract, the Administrator provides the Data Subject with detailed information on the processing of their personal data at the time of concluding the contract or at the time of obtaining personal data in the event that the processing is necessary for the Administrator to take action at the request of the Data Subject, prior to the conclusion of the contract.

PROCESSING OF PERSONAL DATA OF STAFF MEMBERS OF CONTRACTORS OR CUSTOMERS COOPERATING WITH THE CONTROLLER

5.13. In connection with concluding contracts as part of its business activity, the Controller obtains from contractors/customers the data of persons involved in the performance of such contracts (e.g. persons authorized to contact, placing orders, performing orders, etc.). The scope of the data transferred is in any case limited to the extent necessary for the performance of the contract and usually does not include information other than your name and business contact details.

5.14. Such personal data is processed in order to pursue the legitimate interest of the Administrator and its contractor (Article 6(1)(f) of the GDPR), consisting in enabling the proper and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the contract, as well as to entities obtaining access to data based on the provisions on the disclosure of public information and proceedings conducted on the basis of the public procurement law, to the extent provided for in these regulations.

5.15. The data is processed for the period necessary to pursue the above interests and perform the obligations resulting from the regulations.

DATA OF ONE-TIME SUPPLIERS

5.16. In connection with the one-off provision of services to suppliers running sole proprietorships and the need to issue invoices for the services performed, the Administrator, in connection with legal obligations resulting from the accounting regulations, will process the personal data of suppliers in order to record accounting documents. The scope of processed data will include: name, surname, business name, NIP number, REGON number, address of the registered office.

5.17. Such personal data is processed in order to comply with legal obligations imposed on the Administrator by accounting regulations (Article 6(1)(c) of the GDPR). Your personal information may be disclosed.

DATA COLLECTION IN OTHER CASES

5.18. In connection with its business, the Controller also collects Personal Data in other cases – e.g. by building and using lasting mutual business contacts (networking) during business meetings, at industry events or by exchanging business cards – for purposes related to initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in creating a network of contacts in connection with the conducted activity.

5.19. Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator ensures their appropriate protection.

ONLINE MEETINGS

5.20. As part of the organization of online meetings by the Administrator, personal data of meeting participants are processed in order to conduct the online meeting. The legal basis for such processing is the legitimate interest of the Administrator consisting in organizing and conducting a remote meeting with invited participants. (Article 6(1)(f) of the GDPR). Providing data for the indicated purpose is voluntary, but necessary to carry out the online meeting. Without providing data, it will be impossible to participate in the online meeting.

5.21. To organize online meetings, the Administrator uses the Microsoft Teams tool, which is related to the processing of users’ personal data by Microsoft.
You
can read Microsoft’s Privacy Policy HERE. When using this tool, there is no transfer of data outside the EEA.

6.1. In connection with conducting activities requiring processing, Personal Data is disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment in the field of video surveillance), entities providing legal or accounting services, couriers, marketing or recruitment agencies, as well as entities providing IT services. The data is also disclosed to entities related to the Controller, including companies from its capital group. More information about of the Administrator’s capital group can be found HERE.

6.2. Personal data may be made available to investors with whom the Administrator cooperates. The Controller provides the Data Subject with detailed information on the sharing of their Personal Data at the time of concluding the contract or at the time the Data Subject joins projects requiring such processing of Personal Data.

6.3. The Administrator reserves the right to disclose selected information about the Data Subject to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.

7.1. The level of protection for personal data outside the European Economic Area (“EEA”) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily by:

7.1.1. Cooperation with entities processing Personal Data in countries in relation to which an appropriate decision of the European Commission has been issued regarding the determination of ensuring an adequate level of protection of Personal Data;

7.1.2. Use of standard contractual clauses issued by the European Commission;

7.1.3. Application of binding corporate rules approved by the competent supervisory authority.

7.2. application of technical measures recommended by the European Data Protection Board to transfers outside the EEA
(position of the European Data Protection Board: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommend tions_202001_supplementarymeasurestransferstools_en.pdf). The Controller informs about the intention to transfer Personal Data outside the EEA at the stage of their collection.

8.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also result from the regulations when they constitute the basis for processing. In the case of data processing on the basis of the legitimate interest of the Administrator (e.g. for security reasons), the data is processed for a period enabling the implementation of this interest or until an effective objection to the processing of data is raised. If the processing is based on consent, the data is processed until its withdrawal. If the basis for the processing is the necessity to conclude and perform a contract, the data is processed until its termination.

8.2. The period of data processing may be extended if the processing is necessary to establish or pursue claims or defend against claims, and after this period – only in the case and to the extent required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.

9.1. Data subjects have the following rights:

9.1.1. the right to information about the processing of personal data – on this basis, the Administrator provides the natural person submitting the request with information about the processing of data, including, above all, the purposes and legal grounds for the processing, the scope of the data held, the entities to which they are disclosed and the planned date of data deletion;

9.1.2. the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data concerning the natural person submitting the request;

9.1.3. the right to rectification – the Administrator is obliged to remove any inconsistencies or errors of the processed personal data and supplement them if they are incomplete;

9.1.4. the right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;

9.1.5. the right to restrict processing – in the event of such a request, the Controller ceases to perform operations on Personal Data – except for operations to which the data subject has consented – and to store them, in accordance with the adopted retention rules or until the reasons for restricting data processing cease to exist (e.g. a decision of the supervisory authority is issued allowing further data processing);

9.1.6. the right to transfer data – on this basis – to the extent that the data is processed in an automated manner in connection with the concluded contract or the consent given – the Controller issues the data provided by the data subject in a format that allows them to be read by a computer. It is also possible to request that this data be sent to another entity, provided that there are technical possibilities in this respect both on the part of the Administrator and this other entity;

9.1.7. the right to object to the processing of data for marketing purposes – the Data Subject may object to the processing of Personal Data for marketing purposes at any time, without the need to justify such an objection;

9.1.8. the right to object to other purposes of data processing – the Data Subject may at any time object – for reasons related to their particular situation – to the processing of personal data that takes place on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property); the objection in this respect should include a justification;

9.1.9. the right to withdraw consent – if the data is processed on the basis of the consent given, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the consent was withdrawn.

9.1.10. the right to lodge a complaint – if you believe that the processing of Personal Data violates the provisions of the GDPR or other provisions on the protection of Personal Data, the Data Subject may lodge a complaint with the authority supervising the processing of Personal Data, competent for their habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.

MAKING REQUESTS RELATED TO THE EXERCISE OF RIGHTS

9.2. A request regarding the exercise of the rights of Data Subjects can be submitted to the e-mail address dane.osobowe@budimex.pl in any matter concerning the processing of your personal data.

9.3. The inability to identify a natural person on the basis of the submitted request will result in the refusal to implement the request by the Administrator.

9.4. The request can be made in person or through a representative (e.g. a family member). For data security reasons, the Controller encourages the use of a power of attorney in a form certified by a notary or an authorised legal advisor or advocate, which will significantly speed up the verification of the authenticity of the request.

9.5. A response to the report should be provided within one month of receiving it. If it is necessary to extend this period, the Administrator informs the applicant of the reasons for this action.

9.6. If the request has been addressed to the Company electronically, the response shall be given in the same form, unless the applicant has requested a response in another form. In other cases, the answers are given in writing. If the deadline for the implementation of the request makes it impossible to respond in writing, and the scope of the applicant’s data processed by the Administrator allows for contact by electronic means, the response should be provided electronically. If the content of the request does not require a written or electronic response, the response may be provided in the same form in which the data subject’s request was submitted.

9.7. The procedure regarding the submitted applications is free of charge.

10.1. The policy is reviewed on an ongoing basis and updated if necessary. The current version of the Policy was adopted on June 1, 2024.