General Information

What is the GDPR?

In connection with the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the GDPR – from 25 May 2018, we would like to provide you with some important information regarding how we process your personal data and the rights you have in relation to its processing.

What is personal data?

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). This, therefore, includes data such as a first name, surname, address, date of birth, telephone number, or e-mail address (the list is not exhaustive).

Special categories of personal data (sensitive data)

Personal data which is:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning that person’s health, sex life or sexual orientation, is what is known as sensitive personal data.

Who is the personal data controller?

A personal data controller is an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data – i.e. it decides how your personal data is processed and is responsible for its processing in accordance with the law. The controller of the categories of personal data listed below is the company: itMatch sp. z o.o. sp.k., ul. Na Zjeździe 11, 30-527 Kraków, Poland, VAT ID: PL 6793136280 | National Court Register (KRS): 0000643992 | Statistical Number (REGON): 365814004 – hereinafter referred to as the “Company” or “Data Controller” (correspondence address: ul. Na Zjeździe 11, 30-527 Kraków). If a company affiliated with the Data Controller acts as the controller, this will be clearly stated.

Important notice!

itMatch may also act as a data processor on behalf of the Data Controller (i.e. a potential employer – a client of itMatch), for example, when it conducts recruitment on their behalf (contacts candidates, conducts interviews, or enters personal data on their behalf). In such cases, itMatch will inform you on whose behalf and under what conditions it is collecting personal data.

What rights do you have regarding the processing of your personal data?

You have the right of access to your data, including obtaining a copy of the data, the right to data portability, the right to rectification and erasure of data, the right to restriction of processing, and the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (for more, see: www.uodo.gov.pl). We also encourage you to familiarise yourself with the leaflet on your rights, available at https://www.gov.pl/cyfryzacja/rodo-informator. The merits of any requests made will be assessed by the Data Controller in light of the applicable legal provisions. For example – despite a request for data erasure – in accordance with the GDPR, the Data Controller may continue to process the data to the extent that processing is necessary for the establishment, exercise or defence of legal claims (for the period necessary to achieve these purposes, i.e. until the statute of limitations for claims expires). You also have the right to lodge a complaint with a supervisory authority (President of the Personal Data Protection Office) -> see www.uodo.gov.pl.

The right to object

Please remember that whenever personal data is processed on the basis of Article 6(1)(f) of the GDPR (see below), i.e. in the case of the so-called legitimate interest of the Data Controller, you may, at any time, object to the processing of your personal data on grounds relating to your particular situation. If the Data Controller processes data on this basis, you will always be informed of this (see below). After an objection has been lodged, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. You can lodge an objection in the manner indicated below (in the ‘How to contact us’ section).

Consent

If personal data is processed on the basis of consent, you may withdraw your consent at any time (e.g., by sending a request to the address: ul. Na Zjeździe 11, 30-527 Kraków, to the correspondence address indicated above, or in person at the Data Controller’s registered office). The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent can only be given by an adult with full legal capacity. Consent is always voluntary. After consent is withdrawn, the personal data will no longer be processed and will be deleted or anonymised, with the exception of the scope necessary to document the proper fulfilment of obligations related to data processing (including properly documenting the withdrawal of consent) for the purpose of defending against claims (Article 6(1)(f) of the GDPR, the so-called legitimate interest of the Data Controller). In the event of consent withdrawal, the data will be processed (for the purpose of defending against claims) for a maximum period equivalent to the statute of limitations for any related potential claims.

Who has access to personal data?

Only authorised employees acting on our instructions will have access to your personal data. The data may also be disclosed to IT service providers that support the achievement of the Data Controller’s purposes listed below, following the prior conclusion of appropriate data processing agreements with these entities, including Galactica sp.j. Raatz i wspólnicy (recruitment service provider) or HR and accounting service providers. If data is or may be transferred outside the European Economic Area (EEA), you will find information about this below.

How can you exercise your rights or contact us on other data protection matters?

For all matters related to the protection of personal data (including to lodge an objection, withdraw consent, report an observed breach of data protection regulations, or exercise your other rights), you can contact us by email at: rekrutacja@itmatch.pl, by post to the correspondence address: ul. Na Zjeździe 11, 30-527 Kraków, or in person at the Data Controller’s registered office. In response to your request, you may be asked to provide data necessary to identify the personal data (e.g., to locate the information) or to verify your identity. In this case, personal data will only be processed to the extent necessary to document the proper fulfilment of obligations related to data processing (including properly documenting the withdrawal of consent) for the purpose of defending against claims (Article 6(1)(f) of the GDPR, the so-called legitimate interest of the Data Controller) and to comply with obligations arising from the GDPR (including accountability, Article 6(1)(c) of the GDPR). For these purposes, the data will be processed for a maximum period equivalent to the statute of limitations for any related potential claims. Changes to this privacy policy We reserve the right to make changes to the privacy policy of the https://itmatch.pl/ service, which may be influenced by the development of internet technology, possible changes in data protection law, and the development of our website. We will inform you of any changes in a visible and clear manner. External links The https://itmatch.pl/ service may contain links to other websites. These websites operate independently of the service and are not supervised in any way by the https://itmatch.pl/ service. These sites may have their own privacy policies and terms of service, which we recommend you read. If you have any doubts about any of the provisions of this privacy policy, please do not hesitate to contact us – our details can be found in the ‘Contact’ tab. Specific purposes of data processing for selected processes The list below sets out the purposes, legal bases, and periods of data processing, as well as information on whether providing data is voluntary or obligatory, for the following data processing activities:

• A. Contact by email or telephone using the details provided in the ‘Contact’ tab (www.itmatch.pl);
• B. Information for candidates for a job at itMatch;
• C. Information for individuals recruited by itMatch (potential employees of itMatch’s clients);
• D. LinkedIn Recruitment;
• E. Processing of operational data (website traffic) and information about cookies or the use of similar technologies;
• F. Information on the processing of personal data of Clients/contractors and their employees and associates (in connection with the conclusion and performance of contracts).

Re: A. Contact by email or telephone using the details provided in the ‘Contact’ tab (www.itmatch.pl) Personal data will be processed for the following purposes:

• to respond to an enquiry (made via the contact form, the provided email address, or telephone number) and to conduct further correspondence in connection with it (legal basis: Article 6(1)(f) of the GDPR -> the legitimate interest of the Data Controller);
• if further correspondence concerns the process of concluding or performing a contract, personal data will also be processed for this purpose (legal basis: Article 6(1)(b) of the GDPR in the case of natural persons who are party to the contract, or Article 6(1)(f) of the GDPR -> the legitimate interest of the Data Controller, in the case of persons delegated to perform the contract);
• personal data obtained in connection with the correspondence may also be processed for the purpose of establishing, exercising or defending against legal claims (Article 6(1)(f) of the GDPR), the so-called legitimate interest of the Data Controller.

Providing the data is voluntary but necessary for the achievement of the above-mentioned purposes. Personal data will be processed for the period of the statute of limitations for potential claims related to the correspondence, in particular, those arising from the process of concluding and performing a contract. Please note! If the telephone contact concerns recruitment, points B and C below shall apply. Re: B. Information for candidates for a job at itMatch Please note! In the case of recruitment processes conducted via the pracuj.pl service or other such services, itMatch is not the controller of personal data that is processed by the providers of those services for the purpose of delivering electronically supplied services to their users. For example, by Grupa Pracuj sp. z o.o., based on the TERMS AND CONDITIONS for the provision of electronic services within the services belonging to Grupa Pracuj sp. z o.o. (the ‘Terms and Conditions’). If a user of the pracuj.pl service selects the ‘Share profile’ option, the personal data will be obtained by the Data Controller from the service provider (i.e. Grupa Pracuj sp. z o.o.) to the extent specified for that service and based on the Terms and Conditions and the user’s consent. For what purpose and on what basis will your data be processed? General information Below is a list of the purposes (i.e. reasons) for which data may be processed during the recruitment stage. Currently, the Polish Labour Code allows an employer to obtain the following categories of data at the recruitment stage: first name(s) and surname; parents’ first names; date of birth; place of residence (correspondence address); education; course of previous employment. For this data, processing is carried out on the basis of legal provisions (the Labour Code), and the future employer may request that you provide it. If a specific legal provision (i.e. other than the Labour Code) provides a basis for data processing (e.g., for sensitive data), the employer will obtain it on that legal basis (the future employer may request that you provide it). Where there is no legal basis in the Labour Code or specific provisions, the provision of your personal data may be based on your consent, with the proviso that the processing of personal data referred to in Article 9(1) of the GDPR, i.e. sensitive data (see definition above), requires explicit consent, and we will only process such data on your initiative. We only collect information on criminal records when such an obligation arises from legal provisions (consent is not a sufficient basis for processing this data). If you submit more data than is explicitly required by law (i.e. the scope of data listed above from the Labour Code and any specific provisions that oblige an employer to obtain other personal data), we will treat this action as your consent to the processing of your personal data for recruitment purposes. It is important to note that, in the case of sensitive data as referred to in Article 9(1) of the GDPR, explicit consent will be required. This means that you sending this information (on your own initiative) will not be sufficient – we will need your consent. However, if you want your personal data to be used for future recruitment processes, you must give your explicit consent (e.g., by ticking a checkbox) on the recruitment form. Consent (including for the use of data in future recruitments) is always voluntary, and you do not have to give it, especially if you believe it would be disadvantageous for you. If personal data is processed on the basis of consent, a candidate may withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The lack of consent, or its withdrawal, is never a basis for unfavourable treatment of a job applicant or employee, nor can it result in any negative consequences for them; in particular, it cannot constitute a reason justifying a refusal to employ. Personal data that is not required by legal provisions (e.g., the Labour Code) or specific regulations, and at the same time has not been provided voluntarily by the candidate, may, in certain situations, be processed on the basis of the so-called legitimate interest of the data controller (see below). In this case, however, you may lodge an objection. Purposes of processing data obtained during the recruitment stage (detailed list) Main purposes:

• Recruitment for a specific position (including assessment of qualifications and selection of a candidate);
• Use of personal data in future recruitment processes (outside of the current recruitment process or when no process is actively being conducted);

Additional purposes:

• Fulfilling obligations related to maintaining employee records – in the event of employment – to the extent that the obligation to process candidates’ data arises from the provisions of the Regulation of the Minister of Labour and Social Policy on the scope of employers’ documentation in matters related to the employment relationship and the manner of maintaining employees’ personal files;
• Fulfilling obligations arising from data protection regulations (including the rights of candidates);
• The establishment, exercise or defence of legal claims related to the recruitment process.

The list below indicates the legal bases for processing personal data obtained during the recruitment stage for the above-mentioned purposes, and their retention periods. [retention = the maximum period of data processing – after this period expires, the personal data will no longer be used for the given purpose – please note! For different purposes, the same categories of data may have different retention (storage) periods] Re: 1. Recruitment -> retention: 6 months from the date the CV is submitted, or until consent is withdrawn (for additional data), or until an effective objection is lodged (where the basis for processing personal data is Article 6(1)(f) of the GDPR), whichever occurs first -> legal basis:

• For data specified in the Labour Code: legal basis -> Article 6(1)(c) of the GDPR and the Labour Code, i.e. the employer’s legal obligation / consent from the candidate is not required.
• For data specified in other specific legal provisions: legal basis -> Article 6(1)(c) of the GDPR and those specific provisions, i.e. the employer’s legal obligation / consent from the candidate is not required.
• For additional data provided by the candidate with their consent -> the basis is Article 6(1)(a) of the GDPR or Article 9(1) of the GDPR, i.e. the candidate’s voluntary consent – in the case of sensitive data, consent must be explicit.
• For additional data concerning preferred salary -> the basis is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Data Controller (the employer has a legitimate economic interest in knowing a candidate’s financial expectations). In this case, providing the data is not a statutory requirement; nevertheless, the future employer may have a legitimate interest in requiring it. This is verified by the employer on a case-by-case basis.
• For personal data ‘generated’ by the employer during the recruitment process, e.g., candidate evaluation forms -> the basis is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Data Controller (without this, selecting a suitable candidate may be difficult or even impossible). In this case, providing the data is not a statutory requirement; nevertheless, the future employer may have a legitimate interest in requiring it. This is verified by the employer on a case-by-case basis.

Please note!

If you send us your CV or personal data in another form (even if we are not currently conducting recruitment), the data submitted will be processed for a period of 24 months (unless you withdraw your consent sooner), and we will treat this action as consent for the data to be used in our future recruitment processes. If we are recruiting for a specific position, without your explicit consent, we will not treat the submission of your CV as consent to participate in future recruitments. If there is any doubt as to whether the data (e.g., a CV) was sent for recruitment by us (i.e. for a job at itMatch) or for the recruitment purposes of our Clients (see point C below), you will be asked for clarification on this matter.  2. Future recruitments -> retention: 24 months from the date consent is given for data processing in future recruitment processes, or until it is withdrawn, whichever occurs first -> legal basis: Article 6(1)(a) of the GDPR -> voluntary consent. Re: 3. Documentation obligations (in the event of employment) -> retention: for the period of obligatory processing of data included in employee documentation (personal files) -> legal basis: Article 6(1)(c) of the GDPR (the Data Controller’s legal obligation arising from provisions of law). Re: 4. Fulfilling obligations arising from the GDPR, including the rights of data subjects -> retention: For this purpose, data may be processed only for the period of the statute of limitations for claims (including for the purpose of demonstrating compliance with the GDPR) -> legal basis: Article 6(1)(c) of the GDPR (the Data Controller’s legal obligation arising from provisions of law). Re: 5. Defence against claims concerning the recruitment stage -> retention: For this purpose, data may be processed only for the period of the statute of limitations for claims or until an effective objection is lodged, whichever occurs first; legal basis: Article 6(1)(f) of the GDPR (the legitimate interest of the Data Controller -> without this, defending against or establishing claims would not be possible). Providing the personal data referred to in the Labour Code (listed above, including first name and surname, etc.) and, where applicable to a given recruitment process, data required by other legal provisions – as well as information about your preferred salary – is voluntary, but necessary to take part in the recruitment process. Providing other data and giving the consents mentioned above is voluntary and does not affect your ability to participate in the recruitment process (it will not be a basis for unfavourable treatment of the candidate and will not constitute a reason justifying a refusal to employ). If there is any doubt as to what the withdrawal of consent applies to (e.g., additional data, future recruitments), you may be asked to clarify your request. Re: C. Information for individuals recruited by itMatch (potential employees of itMatch’s clients) Within this process, we obtain the following consents: Content of Consent No. 1: I consent to the processing of my personal data by itMatch sp. z o.o. sp.k., ul. Na Zjeździe 11, 30-527 Kraków, Poland, NIP (Tax Identification Number): PL 6793136280 | KRS (National Court Register No.): 0000643992 | REGON (National Official Business Register No.): 365814004 (the ‘Data Controller’) to the extent contained in my CV, along with my contact details and other information provided by me (e.g., expected salary, availability), for the purpose of taking actions aimed at helping me secure employment through the Data Controller, which may consist of:

• placing my personal data in the Data Controller’s recruitment database;
• requesting my consent (No. 2) to share my data with a client (a potential employer) of the Data Controller;
• presenting this data to the Data Controller’s clients, i.e. potential employers with whom you may gain employment (the ‘Data Controller’s Client’), for their recruitment purposes, based on additional consent;
• contacting me (using the provided contact details) to enquire about the currency of the data held in the database;
• analysing the personal data provided against the requirements of specific Clients of the Data Controller, as well as requesting consent to share the data for the recruitment purposes of a specific Client of the Data Controller.

I acknowledge that:

• Giving the above consent is entirely voluntary, and the consent can be withdrawn at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn by using the following e-mail address: rekrutacja@itmatch.pl. Consent can only be given by an adult. Please note! Without your prior (additional) consent, your personal data will not be shared with the Data Controller’s Clients (potential employers). This means that selected candidates, before their data is shared, will be informed by us of the details of the potential employer (the Data Controller’s Client). If a Client is interested in a specific set of information (which does not relate to an identifiable candidate), such information may be provided to them (as it does not constitute personal data). If the Client wishes to obtain personal data, the candidate will be asked for additional consent to share their personal data with that specific Client of the Data Controller. Content of Consent No. 2: I consent to the sharing of my personal data by itMatch sp. z o.o. sp.k., ul. Na Zjeździe 11, 30-527 Kraków, Poland, NIP (Tax Identification Number): PL 6793136280 | KRS (National Court Register No.): 0000643992 | REGON (National Official Business Register No.): 365814004 (the ‘Data Controller’), to the extent contained in my CV, along with my contact details and other information provided by me (e.g., expected salary, availability), for the purpose of taking actions aimed at helping me secure employment through the Data Controller, to [the specific entity will be indicated here] (the ‘Data Controller’s Client’), for the recruitment purposes of the Data Controller’s Client, who, after obtaining this data, will become a separate data controller and will process the aforementioned personal data for their own purposes. I acknowledge that: Giving the above consent is entirely voluntary, and the consent can be withdrawn at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn by using the following e-mail address: rekrutacja@itmatch.pl. Consent can only be given by an adult. Giving this consent, and the consequent sharing of the specified data with the potential employer, does not preclude itMatch from processing your personal data after it has been shared, in compliance with the requirements arising from legal provisions:
  • continuing to act as a separate data controller -> based on the previously granted consent (No. 1) for the purposes indicated therein, until it is withdrawn;
  • on behalf of the data recipient (the potential employer) for their purposes (as a separate data controller who obtains the data on their own behalf), based on a data processing agreement concluded with them (e.g., when the Employer instructs itMatch to arrange a meeting with you or to carry out other activities on their behalf).

  Purposes and legal bases of data processing. Personal data will be processed –based on consent – for the following purposes:If Consent No. 1 is given ->

  • for the purpose of taking actions aimed at helping me secure employment through the Data Controller, which may consist of:
    • placing my personal data in the Data Controller’s recruitment database;
    • presenting this data to the Data Controller’s clients, i.e. potential employers with whom you may gain employment (the ‘Data Controller’s Client’), for their recruitment purposes, based on additional consent;
    • contacting me (using the provided contact details) to enquire about the currency of the data held in the database;
    • analysing the personal data provided against the requirements of specific Clients of the Data Controller, as well as requesting consent to share the data for the recruitment purposes of a specific Client of the Data Controller.

  If Consent No. 2 is given ->

  • for the purpose of taking actions aimed at helping me secure employment through the Data Controller, by sharing it with a specific itMatch client (the ‘Data Controller’s Client’), for the recruitment purposes of the Data Controller’s Client, who, after obtaining this data, will become a separate data controller and will process the aforementioned personal data for their own purposes.
  Voluntary nature of consent and data provision. Giving the above-mentioned consents is entirely voluntary, and the consent can be withdrawn at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn by using the contact e-mail address provided above or by clicking on the link in the footer of this email. Consent can only be given by an adult. Providing the data is voluntary but necessary for the achievement of the above-mentioned purposes. You are under no legal or contractual obligation to give the above-mentioned consents or to provide personal data. Requesting consent. When the Data Controller initiates contact with a candidate to request the above-mentioned consents, it will use only contact details, and the processing will be based on the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR), taking into account an assessment of, inter alia:
  • the relationship between the purposes for which the personal data was collected (only data from publicly available sources and professional networking sites will be used) and the purposes of the intended further processing (contacting a potentially interested person);
  • the context in which the personal data was collected (business contacts collected at events, conferences, or from professional networking sites), in particular the relationship between the data subjects and the Data Controller (acting in accordance with the terms of service of the given professional networking site);
  • the nature of the personal data (ordinary personal data, only business contacts);
  • the possible consequences of the intended further processing for the data subjects;
  • the existence of appropriate safeguards, including, where applicable, encryption or pseudonymisation.

  When using professional networking sites (e.g., LinkedIn) to request the above-mentioned consents, we always first verify the operating principles of the given site and whether the person we are contacting can expect such contact, in particular, whether they created an account on that site themselves (whether the site obtains data directly from that person or from another source). Based on our legitimate interest (Article 6(1)(f) of the GDPR), upon the successful completion of the recruitment, we will receive information about this fact from the employer (the Client) for billing purposes. How long do we process personal data for? Personal data will be processed for a maximum period until any of the specified consents are withdrawn, but for no longer than 36 months. After consent is withdrawn, the personal data will no longer be processed and will be deleted or anonymised, with the exception of the scope necessary to document the proper fulfilment of obligations related to data processing (including properly documenting the withdrawal of consent) for the purpose of defending against claims (Article 6(1)(f) of the GDPR, the so-called legitimate interest of the Data Controller). In the event of consent withdrawal, the data will be processed (for the purpose of defending against claims) for a maximum period equivalent to the statute of limitations for any related potential claims. Data recipients The Data Controller may entrust your data to IT service providers that support the achievement of recruitment purposes, including Galactica sp.j. Raatz i wspólnicy. Only authorised employees have access to your data. Your data may be shared with potential employers – if you give the consent specified above. Re: D. Information for individuals recruited via professional networking sites (e.g., LinkedIn) When obtaining data via professional networking sites (e.g., LinkedIn), we always verify the nature of the given platform and, in particular, we do not use data posted on portals for private or personal purposes (e.g., a private Facebook profile). Purpose of data processing: Contacting potential candidates to request their consent for the processing of personal data for the purpose of the Data Controller taking actions aimed at the candidate securing employment. Scope of data processed when using the LinkedIn portal: Data provided by the user on the portal themselves, to which there is open access in accordance with the terms of service of that portal. Outside of the LinkedIn portal, we only contact users who have expressed a desire for this. Legal basis: Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the data controller (see the information below regarding the right to object). We operate on the basis of the LinkedIn User Agreement: https://www.linkedin.com/legal/user-agreement?_l=pl_PL. How long do we process personal data for? Personal data obtained from the LinkedIn portal will be processed for a maximum period until an objection is lodged (in particular, after this time we delete the correspondence history on the LinkedIn portal), with the proviso that:

  • once a year, we review our databases to assess the possibility of further processing personal data (whether the basis under Article 6(1)(f) of the GDPR still exists);
  • in the case of obtaining the consents referred to above (point C), the rules for data processing (including the retention period) are described separately.
  Data recipients The Data Controller may entrust your data to IT service providers that support the achievement of recruitment purposes, including Galactica sp.j. Raatz i wspólnicy. Only authorised employees have access to your data. Your data may be shared with potential employers – if you give your consent (you will be asked for this separately). Providing data is voluntary (it is neither a statutory nor a contractual requirement), but it may be necessary for the Data Controller to take actions aimed at the candidate securing employment. Re: E. Processing of operational data (website traffic) and information about cookies or similar technologies Via the itMatch website, the Company may process the following data characterising the way visitors use the site (so-called operational data):
  • an ID number assigned to the person browsing the website;
  • identifiers of the telecommunications network termination point (e.g., the IP address of the device on which the site is displayed);
  • the ICT system (device type, operating system, web browser) used by the Internet user;
  • information about the start, end, and scope of each use of the website (inter alia, the following information may be collected: the number of bytes sent by the server, the address of the website from which the visitor came to www.itmatch.pl via a link (referrer link).
  The operational data indicated above is not combined with information such as first name and surname, e-mail address, or other data that would allow for the easy identification of the website visitor. The processing is also not used for profiling website visitors. The processing of the above information may or may not be associated with the installation of cookies or similar technologies on the end device used to display it (in this regard, see the information below). If a cookie mechanism is used, the operational data may include the information described below – obtained via these files. The operational data indicated above may constitute personal data within the meaning of the GDPR (General Data Protection Regulation 2016/679) –> if the information indicated above is classified as personal data, we hereby inform you that the Data Controller is itMatch sp. z o.o. sp.k. (for contact details, see above). The processing of the above categories of data is necessary to operate the website and ensure its quality, i.e. for purposes resulting from the legitimate interests of the controller (Article 6(1)(f) of the GDPR) -> in connection with which it is important and necessary to:
  • study the preferences of Internet users, using the results of this research for the purpose of improving the quality of the site;
  • occasionally analyse log files to determine: which browsers visitors are using; which tabs, pages, or subpages are most or least frequently visited or viewed; whether the site structure contains errors;
  • prevent unauthorised access to the website and the distribution of malicious code, interrupt ‘denial-of-service’ type attacks, and prevent damage to computer systems and electronic communication systems.
  Statistics may be created based on the above information; however, they will not contain any information that identifies or allows for the identification of a visitor to www.itmatch.pl. Due to the difficulty in identifying the person using the website, it will not be possible to exercise the rights set out in Articles 15-20 of the GDPR, unless the data subject, for the purpose of exercising their rights under those articles, provides additional information enabling their identification. The Data Controller may entrust personal data to, for example, IT service providers; the data may also be shared among the controller’s authorised employees. You have the right of access to your data, including obtaining a copy of the data, the right to data portability, the right to rectification and erasure of data, and the right to restriction of processing. You also have the right to object (where processing is based on Article 6(1)(f) of the GDPR). You have the right to lodge a complaint with a supervisory authority (the President of the Personal Data Protection Office). Personal data will be deleted or anonymised at the latest after the expiry of the statute of limitations for potential claims related to the use of the site (no later than 2 years from the date of recording), or earlier if you lodge an effective objection. Providing the data is voluntary but necessary for the achievement of the above-mentioned purposes. The Cookie Mechanism Via cookies, the site may store or access information already stored on the device used to display it – solely to the extent necessary to display it. Cookies or similar technologies are not used to obtain information about visitors to the service. They are also not used to track their navigation. The cookies used on the www.itmatch.pl website are not used to store personal data or other information collected from site visitors. Via cookies, the site may store or access information already stored on the device used to display it:
  • for purposes that are strictly necessary to display the site. For this purpose, session cookies may be used on the site’s pages, the installation of which is aimed at the correct display of the site and only until the end of the browser session (i.e. for the time that the page is displayed by the browser);
  • with the consent of the site visitor, so-called third-party (partner) cookies may be installed, i.e. Google Analytics, for the purpose of studying Internet users’ preferences, with the results of this research being used to improve the quality of the site; the following data may be collected and analysed: number of users and sessions; session duration; operating systems; device models; geographic data; first opens; app opens; app updates; in-app purchases -> more information: https://support.google.com/analytics/answer/6318039?hl=pl. The following statistical reports are or may be created on this basis: https://support.google.com/analytics/answer/2799357?hl=pl.

  The operator of this site does not collect information such as first name, surname, or e-mail address via the Google Analytics tool. This data is not combined with other information for the purpose of identifying a site visitor. The installation of cookies can be disabled or restricted at the browser level. How to disable cookies?

  • Firefox;
  • Chrome;
  • Internet Explorer;
  • IOS Safari;
  • Safari.

  Re: F. Information on the processing of personal data of Clients/contractors and their employees and associates (in connection with the conclusion and performance of contracts)

  The personal data of: the contractor/client, i.e. the party to the concluded contract, as well as their representatives and other persons performing the contract, e.g., employees or associates of the client/contractor, will be processed primarily for the purpose of concluding and performing the contract [legal basis for processing the personal data of a natural person who is a party to the contract -> Article 6(1)(b) of the GDPR /// legal basis for processing the data of other natural persons performing the contract on behalf of the contractor/client -> Article 6(1)(f) of the GDPR, i.e. the so-called legitimate interest of the data controller]. Personal data may also be processed for the purpose of the establishment, exercise or defence of legal claims related to the performance of the contract concluded by the Company, as well as for the purpose of direct marketing of the Company’s goods or services during the term of the contract (legal basis -> Article 6(1)(f) of the GDPR, i.e. the so-called legitimate interest of the data controller). In the case of a newsletter, separate consent is obtained, as mentioned above. Personal data may also be used to fulfil obligations arising from legal provisions, including public-law obligations, as well as to exercise the rights set out in the GDPR (Article 6(1)(c) of the GDPR). For the purpose of concluding and performing a contract, including presenting an offer, personal data may be obtained from CEIDG and KRS (to the extent indicated therein – legal basis: Article 6(1)(b) of the GDPR or Article 6(1)(f) of the GDPR in the case of natural persons other than a party to the contract, as well as for the purpose of presenting an offer on the Data Controller’s initiative). For the purpose of presenting an offer based on Article 6(1)(f) of the GDPR, personal data may be obtained at events, conferences, from the website of a potential contractor, and from publicly available sources. Personal data will be deleted or anonymised at the latest after the expiry of the statute of limitations for potential claims related to the performance of the contract (including public-law obligations), in particular claims arising from the process of concluding and performing this contract and public-law obligations. Personal data may be deleted or anonymised sooner if an effective objection is lodged or if consent is withdrawn (if it was obtained). The Data Controller will, in particular, verify whether a basis still exists for processing data obtained for the purpose of presenting an offer, if a contract is not concluded. Providing the data is voluntary but necessary for the achievement of the above-mentioned purposes. In the case of fulfilling public-law obligations, providing data may be obligatory. Given that the Company may receive personal data both directly – in the case of the Contractor’s data, and indirectly – in the case of data of the contractor’s/client’s employees or associates (processed for the purposes mentioned above), the Contractor/client should inform the persons whose data they provide to the Company about the fact, basis, and scope of the data disclosure. The Contractor/client may only share the personal data of their employees/associates with the Company based on a lawful basis for disclosure. If this basis is not consent (but, for example, the legitimate interest of the data controller), the Contractor/client should analyse the existence of the legal basis for processing with due diligence.