Privacy Statement
Effective as of July 2024
Introduction
The controller of your data is the ROCKWOOL Global Business Service Center sp. z o.o., hereafter referred to as ‘RGBS’, which is part of the international ROCKWOOL Group (hereafter: ‘ROCKWOOL Group’).
RGBS is committed to safeguarding your privacy. The protection of personal data is important to us, and we only process personal data in compliance with the applicable data protection requirements, in particular the General Data Protection Regulation (“GDPR”). For that reason, ROCKWOOL Group has implemented a set of Binding Corporate Rules (“BCRs”), introducing data protection requirements to be complied with by the ROCKWOOL Group worldwide.
In connection with our business activities we, as data controller, process the personal data of our customers, suppliers, users of our websites and apps as well as visitors and other third parties as described further in Section C.
This Privacy Statement will inform you on what personal data we process, how we collect it, the legal basis, the purpose of our processing, and the retention period. Furthermore, we will inform you about your rights as data subject.
This Privacy Statement is provided in a layered format so you can navigate to the specific areas set out below.
A. The data controller
B. Contact
C. Information on the processing of personal data.
D. Marketing and Advertising practices
E. Transfers within the ROCKWOOL Group
F. Disclosure and transfer to third parties
G. Your rights as data subjects
H. Changes to this Privacy Statement
A. The data controller
ROCKWOOL Global Business Service Center sp. z o.o.
Wierzbięcice 1B
61-569 Poznań
Poland
E-mail: dataprotection@rockwool.com
Company reg. no.: KRS 0000616494
B. Contact
In case of any questions regarding this Privacy Statement and/or our processing of your personal data please feel free to contact us on:
E-mail: dataprotection@rockwool.com
C. Information on the processing of personal data
Depending on your relationship with entities from the ROCKWOOL Group, we will process different categories of your personal data for various purposes. Please see below for details of the purposes and means of processing your personal data.
Who? | Categories of personal data | Purposes of processing | Legal basis | Retention period |
Customers and their representatives | First and last name, address, telephone number, e-mail, position and place of work, NIP, REGON, PESEL, number and series of identity document. | To conduct normal customer relations, i.e.: administration of payments, general communication, management of day-to-day operations in accordance with legitimate and fair business practices (including planning, execution, and management of cooperation; statistics, analysis). | In the case of representatives, the data will be processed based on a legitimate interest related to the fulfilment of business relationships and contracts (Article 6(1)(f) GDPR). | Until the designated purpose has been fulfilled, but no longer than 10 years after the last purchase of our products or services. |
| | To prevent fraud and to secure payment. | Legitimate interests in protecting interests of the company (Article 6 (1) (f) GDPR). | |
| | To establish, defend or assert legal claims. | | |
Suppliers of goods or services and their representatives | First and last name, business telephone number, e-mail, position and place of work, NIP, REGON, PESEL, citizenship. | To conduct normal supplier relations, i.e.: administration of payments, general communication, management of day-to-day operations in accordance with legitimate and fair business practices (including planning, execution, and management of collaborations, as well as statistics and analysis). | Performance of the contract (Article 6(1)(b) GDPR) - in the case of suppliers who are natural persons. Legitimate interest to conclude and perform the contract concluded with the supplier, to establish, defend or assert claims (Article 6(1)(f) GDPR). | Until the designated purpose has been fulfilled, but no longer than 10 years after the last purchase of products or services. |
| | Sourcing and locating suppliers. Concluding and implementing the provisions of concluded contracts. | Legitimate interest of meeting business needs and conducting regular business activities (Article 6(1)(f) GDPR). | |
Visitors to physical locations | First and last name, company name, e-mail address, vehicle registration number, date, and time of visit | Ensuring the security of our physical locations, protecting confidential information, and preventing crime at our physical locations. | Legitimate interest to ensure security on the premises and to protect employees, visitors, information, and property (Article 6(1)(f) GDPR). | Up to 90 days from the date of registration or as long as necessary in connection with an ongoing case. |
| Video surveillance recordings, including image, date, and location of recording. | | | |
Users of contact forms | First and last name, e-mail, telephone number | Providing a response. Providing the contacted person with the necessary information upon request. | If the enquiry concerns the (potential) conclusion of a contract, the legal basis will be to take the steps necessary to conclude a contract or to perform an existing contract (Article 6(1)(b) GDPR). If the enquiry does not relate to a contract or an offer, the legal basis will be our legitimate interest in handling the enquiry (Article 6(1)(f) GDPR). | Until the contact is ended and then for the period necessary for our documentation purposes. |
Visitors of social media profiles | Information publicly available on a user's profile, including first and last name, gender, marital status, place of work, interests, image and city; whether the user has ‘liked’ or applied other reactions to our profile; comments left on our posts; content shared with the company with the intention of interacting; the fact that you have visited our profile; your IP address. | To improve our products and services, including our social media profiles and pages; * Platform providers may process your personal data for their own purposes – please keep in mind this is outside of our control | Legitimate interests in communicating with and direct marketing communication to you on our social media profiles and our legitimate interest in improving our products and services (Article 6 (1) (f) GDPR). | Retention periods are set out by social media platform providers and can be found in their privacy policies: Meta (Facebook): https://www.facebook.com/privacy/policy/?entry_point=facebook_help_center_ig_data_policy_redirect&locale=pl_PL LinkedIn: https://pl.linkedin.com/legal/privacy-policy? |
D. Marketing and Advertising practices
Description | When? | Categories of personal data | Purposes of processing | Legal basis | Retention period |
Cookies, pixels, social media tools and other technologies used by our websites and apps | When you visit our websites or apps and have provided us with consent to use cookies or similar technologies. | IP-address, MAC address, type of browser and devices, webpage that led you to the website or app, search terms entered in a search engine which led you to our website, browsing history, click-behaviour and use and navigation of websites and apps* * The categories depend on the consent given in the cookie banner. This can be changed at any time here: | To run marketing activities, especially to facilitate your use of the websites and apps; for service development, statistics, and analysis; to deliver personalized content and search. | Legitimate interests in providing a website and app that works, marketing, developing, and providing statistics, evaluating, promoting, and selling our products and services through first-party cookies (Article 6 (1) (f) GDPR). Consent for the processing of personal data in relation to marketing cookies and third-party statistical cookies (Article 6 (1) (a) GDPR). In addition, we always obtain valid cookie consent with exemption of strictly necessary cookies and other technologies. | Personal data obtained through cookies, pixels, similar technologies, and social media tools are deleted as described in the cookie declaration. |
E. Transfers within the ROCKWOOL Group
Your personal data may be transferred between ROCKWOOL Group companies for the purposes for which it was collected, provided that such transfer is not prohibited or restricted by law. The transfer of personal data between ROCKWOOL Group companies (both in Poland and abroad) is carried out based on Binding Corporate Rules (BCR), approved by the Danish data protection supervisory authority.
An overview of the ROCKWOOL Group is available at https://www.rockwool.com/group/privacy-Statement/rockwool-group-companies/.
F. Disclosure and transfer to third parties
Your personal data may be entrusted to service providers necessary for the fulfilment of our processing purposes indicated above, that is, among others, to:
- IT suppliers,
- Social media suppliers,
- Email suppliers,
- Hosting suppliers,
- Cookie and similar technology suppliers,
- Online seminar vendors,
- Customer learning platform vendors,
- Customer support platform vendors,
- Customer relation platform vendors,
- Website vendors,
- Audit companies,
- Debt collection firms,
- Consulting companies.
In certain circumstances and under the law, it may be necessary to transfer your personal data also to e.g. the following categories of data controllers:
Categories of controllers | Type of personal data | Legal basis |
Public authorities, law enforcement authorities, courts, lawyers, and external auditors. | Information required by law or relating to the establishment, protection, or assertion of claims. | Our obligation under the law (Article 6(1)(c) GDPR) or our legitimate interests (Article 6(1)(f) GDPR). |
Payment acquirers. | Payment information. | Performance of the contract (Article 6(1)(b) of the GDPR), legal obligations (Article 6(1)(c) of the GDPR). |
Where you have consented to the use of cookies or similar technologies for marketing purposes, your data may also be shared with other parties, in accordance with our Cookie declaration.
If we transfer your personal data to recipients (both controllers and processors) whose registered offices are located in a third country, for which the European Commission has not adopted an adequacy decision, such transfer is based on the Data Privacy Framework (for companies based in the USA) or the EU Commission’s Standard Contractual Clauses (for other countries), which you may obtain a copy of by contacting us as stated above (Section B).
RGBS commits to have in place the appropriate security measures to safeguard the security of your personal data and our website has security measures in place to protect against the loss, misuse, and/or alteration of the personal data under our control.
Cooperation with social media platform providers.
Facebook and LinkedIn
For Facebook (owned by Meta Platforms Ireland Ltd.), RGBS together with the social media provider are joint data controllers for the processing of personal data collected in connection with your interactions with the profiles, including postings on and interaction with our page profiles. However, Meta acts as data processor on our behalf when Meta processes your personal data for the purpose of creating target groups (lookalike and custom audiences).
For LinkedIn, ROCKWOOL together with the platform provider are joint data controllers for the processing of personal data for statistical purposes.
ROCKWOOL and the providers of LinkedIn, Instagram and Facebook have entered into agreements on the allocation of the data protection tasks. According to these agreements, the entities (such as ROCKWOOL) and the social media providers are each responsible for the tasks associated with the processing undertaken. The overview of the division of responsibilities can be found here:
- LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
- Meta: https://www.facebook.com/legal/terms/page_controller_addendum
G. Your rights as data subject
- Right to access (Article 15 GDPR), i.e., right to obtain confirmation whether we process your personal data, including obtaining a copy of the data.
- Right to rectification (Article 16 GDPR), i.e., right to receive the rectification of inaccuracies of your personal data and completion of incomplete personal data.
- Right to erasure (Article 17 GDPR), i.e., the right to have your personal data erased without undue delay. Please keep in mind that this is not an absolute right, and certain exemptions apply, e.g., where the legislation requires further processing.
- Right to restriction of processing (Article 18 GDPR), i.e., right to restrict further processing of your personal data if one of the conditions specified in Article 18 (1) GDPR applies.
- Right to data portability (Article 20 GDPR), i.e., right to receive your personal data in structured, machine-readable format for your own use or to have it transmitted by us directly to another controller.
- Right to object (Article 21 GDPR) gives you a possibility to object to processing of your personal data whenever the legal basis for such processing is our legitimate interest (Article 6 (1) (f) GDPR). This is not an absolute right and in certain cases we may override your request and inform you about the reasons. This applies, among other things, when we process your information for marketing purposes based on the legitimate interest rule.
- Right to withdraw consent (Article 7 (3) GDPR) whenever the processing is based on it. When you withdraw your consent, we will stop processing your personal data for the purposes to which your consent was given. The withdrawal of your consent does not affect the legitimacy of the processing of your data carried out based on your consent prior to its withdrawal.
- Right to lodge a complaint (Article 77 GDPR) with the competent supervisory authority, if you deem that we have infringed your right to personal data protection.
Prezes Urzędu Ochrony Danych Osobowych
Stawki 2
00-193 Warszawa
Poland
kancelaria@uodo.gov.pl, hotline: 606-950-000
H. Changes to this Privacy Statement
Due to technical developments, new data processing activities or changes in legal requirements, we reserve the right to amend the Privacy Policy. If the changes to the Privacy Policy are deemed significant and substantial, you will be informed of them on our website. The current version of the Privacy Policy will always be available at https://www.rockwool.com/pl/o-nas/rockwool_gbs/rockwool_gbs_pl/privacy-statement/.