Privacy Policy for Suppliers

What is the purpose of this privacy policy for suppliers?

This Supplier Privacy Policy gives you information about the processing of your personal information in connection with your business relationship with MS POS Poland Sp. z o.o. and its affiliates. This statement also includes a summary of your rights in relation to your personal information. Some terms used in this Privacy Policy are explained in the glossary.

Names and contact details of the Data Protection Officer and his/her representative

MS POS Poland Sp. z o.o. and its affiliates (hereafter "MS POS") are responsible for the processing of all personal data.

Legally represented by the managing director: Konstantin Gergianakis
Contact details: Giesserallee 1, Willich, Germany. kontakt@mspos.net

Data Protection Officer: Niels Wosnitza
Contact details: Giesserallee 1, Willich, Germany. datenschutz@mspos.net

1. Data Within the Scope of the Supplier Portal / ERP System

What personal data does MS POS process within the scope of the supplier portal / ERP system?

Within the scope of the supplier portal / ERP system, MS POS processes the following personal data:

- Employer
- Surname
- First name
- Gender
- Date of birth
- Address
- address
- Phone number
- Occupation
- Bank details
- Credit rating information, including scoring
- Sanction lists

What is the origin of the data within the supplier portal / ERP system?
Data within the scope of the supplier portal / ERP system is collected from:

- Suppliers: Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Employees of Suppliers: Employees of Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Public Sources: Information is obtained from publicly available sources (for example, commercial registers, population registers, media, internet, directories)
- Economic information institutions

Does the data - within the scope of the supplier portal / ERP system - include special categories of personal data as laid out by the GDPR?

No.

For what purpose does MS POS process data within the scope of the supplier portal / ERP system?

MS POS processes data within the scope of the supplier portal / ERP system:

- for the general preservation of supplier relationships
- to carry out business processes

On which legal basis does MS POS process data within the scope of the supplier portal / ERP system? As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?

MS POS processes data within the scope of the supplier portal / ERP system on the following legal basis:

- The processing is necessary for the possible establishment of a business relationship between the supplier and MS POS (Article 6 (1) (b) GDPR)
- The processing is necessary in order to safeguard the legitimate interests of MS POS in maintaining business relationships with suppliers (Article 6 (1) (f) GDPR)

Who is the recipient of the data in the supplier portal / ERP system?

Data is transmitted to the following categories of recipients within the scope of the supplier portal:

- Employees of MS POS
- Customers of MS POS

Is the data transmitted to a third country within the scope of the supplier portal / ERP system?

Yes, as far as the supplier instructs that payments are to be directed to a third country.

How long will the data be stored within the scope of the supplier portal / ERP system?

MS POS stores data within the scope of the supplier portal for the longest of the following periods:

- The duration of a continuing business relationship
- The duration of commercial and taxation record-keeping periods
- The period during which claims from the business relationship can be asserted by or against MS POS

2. Data Within the Scope of Order Processing

Within the scope of order processing, MS POS uses the following personal data:

- Employer
- Surname
- First name
- Gender
- Date of birth
- Address
- address
- Phone number
- Occupation
- Bank details
- Credit rating information, including scoring
- Sanction lists

What is the origin of the data within the scope of order processing?
Data within the scope of order processing is collected from:

- Suppliers: Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Employees of Suppliers: Employees of Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Public Sources: Information is obtained from publicly available sources (for example, commercial registers, population registers, media)
- Economic information institutions

Does the data - within the scope of order processing - include special categories of personal data as laid out by the GDPR?

No.

For what purpose does MS POS use data within the scope of order processing?

MS POS processes data within the scope of order processing:

- to be able to place orders

On which legal basis does MS POS use data within the scope of order processing? As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?

MS POS uses data within the scope of order processing on the following legal basis:

- The processing is necessary for the placing of orders from MS POS to suppliers (Article 6 (1) (b) GDPR)
- The processing is necessary in order to safeguard the legitimate interests of MS POS in maintaining business relationships with suppliers (Article 6 (1) (f) GDPR)

Who is the recipient of the data within the scope of order processing?

Data is transmitted to the following categories of recipients as a part of order processing:

- Employees of MS POS
- Customers of MS POS

Is the data transmitted to a third country as a part of order processing?

No, unless this is explicitly required for processing the order (export).

How long will the data be stored within the scope of order processing?

MS POS stores data within the scope of order processing for the longest of the following periods:

- The duration of a continuing business relationship
- The duration of commercial and taxation record-keeping periods
- The period during which claims from the business relationship can be asserted by or against MS POS

3. Data Within the Scope of Payment Transactions

What personal data does MS POS process as a part of payment transactions?
Within the scope of payment transactions, MS POS processes the following personal data:

- Employer
- Surname
- First name
- Gender
- Date of birth
- Address
- address
- Phone number
- Occupation
- Bank details
- Credit rating information, including scoring
- Sanction lists

What is the origin of the data within the scope of payment transactions?

Data within the scope of payment transactions is collected from:

- Suppliers: Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Employees of Suppliers: Employees of Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
- Public Sources: Information is obtained from publicly available sources (for example, commercial registers, population registers, media)
- Economic information institutions

Does the data - within the scope of payment transactions - include special categories of personal data as laid out by the GDPR?

No.

For what purpose does MS POS process data within the scope of payment transactions?

MS POS processes data within the scope of payment transactions:

- in order to fulfil demands for payment

On which legal basis does MS POS process data within the scope of Invoicing and Accounts Receivable? As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?

MS POS processes data within the scope of Invoicing and Accounts Receivable on the following legal basis:

- The processing is necessary for maintaining a business relationship between the supplier and MS POS (Article 6 (1) (b) GDPR)
- The processing is necessary in order to safeguard the legitimate interests of MS POS in maintaining business relationships with suppliers (Article 6 (1) (f) GDPR)

Who is the recipient of the data within the scope of payment transactions?

Data is transmitted to the following categories of recipients within the scope of Invoicing and Accounts Receivable:

- Employees of MS POS
- Financial institutions

Is the data transmitted to a third country within the scope of payment transactions?

Yes, as far as the supplier instructs that payments are to be directed to a third country.

How long will the data be stored within the scope of payment transactions?

MS POS stores data within the scope of Invoicing and Accounts Receivable for the longest of the following periods:

- The duration of a continuing business relationship
- The duration of commercial and taxation record-keeping periods
- The period during which claims from the business relationship can be asserted by or against MS POS

Your Rights as a Data Subject

As a data subject, you have the following rights with respect to your personal information.

The Right of Access
You have the right to ask MS POS for confirmation of whether your personal information is processed; If this is the case, you have a right to information about such personal data and to detailed information on how the personal data is processed.

The Right to Rectification
You have the right to ask MS POS to rectify any incorrect personal data without delay. Taking into account the purposes of processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

The Right to Deletion ("The right to be forgotten")
You have the right to ask MS POS to immediately delete your personal information if certain conditions are met.

The Right to the Restriction of Processing
You have the right to require MS POS to restrict processing if certain conditions are met.

The Right to Object
You have the right, for reasons arising from your own particular situation, at any time, to file an objection to the processing of your personal data according to Article 6 (1) (e) or (f) of the GDPR.

Right to Portable Data
You have, under certain circumstances, the right to receive personal information that you have provided to MS POS, in a structured, mainstream and machine-readable format, and you have the right to pass on that information to another person without any hindrance from MS POS.

Right to Revoke Consent
If the processing is based on your consent, you have the right to revoke your consent at any time.

Right to Appeal
You have the right to complain to a supervisory authority - this is the respective data protection officer in your state.

Glossary

Data Protection Officer
The natural or legal person, public authority, institution or other body that, alone or together with others, decides on the purposes and means of processing personal data.

Data Transfer Agreement
Agreement containing standard data protection clauses adopted by the European Commission within the scope of Art. 46 (2) (c) GDPR.

Data Subject
Identified or identifiable natural person to whom the personal data refers.

GDPR
General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament).

BDSG
German Federal Data Protection Act (Bundesdatenschutzgesetz) of (BGBl. I p. 2097).

Legal Basis
Processing is only legal if at least one of the conditions according to the GDPR and / or BDSG is satisfied. The conditions in question within an employment contract are summarized:

- the data subject has given their consent to the processing of personal data concerning them
- processing is for the fulfilment of a contract to which the data subject is a party
- the processing is necessary to fulfil a legal obligation
- the processing is necessary to protect the vital interests of the data subject or any other natural person
- processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail (legitimate interest).

Personal Data
Any information relating to an identified or identifiable natural person; a natural person is considered as being identifiable, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
Processing
Any process or series of operations related to personal information, performed with or without the aid of automated procedures, such as collection, organization, storage, adaptation or modification, reading, retrieval, use, disclosure by submitting, distributing or otherwise providing, comparing, linking, limiting, erasing or destroying.

Special Categories of Personal Data
Personal data showing racial and ethnic origin, political opinions, religious or spiritual beliefs, membership of a trades union, or the processing of genetic data, biometric data to uniquely identify a natural person, health data or data on sexual behaviour or orientation.