
PERSONAL DATA PROTECTION POLICY (GDPR)
NORDIN
MASTER VERSION – CORE POLICY + REGISTERS + PROCEDURES
PURPOSE, SCOPE AND NATURE OF THE DOCUMENT
This Personal Data Protection Policy (“GDPR Policy”) defines the general and detailed rules for processing, securing, and managing personal data within NORDIN Sp. z o.o.
This document is:
superior,
binding,
strategic and operational in nature.
The Policy applies to all employees, collaborators, partners, and entities acting on behalf of NORDIN.
The document covers all forms of data processing: electronic, paper-based, verbal, and automated (including AI-based processing).
LEGAL BASIS
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
Polish Personal Data Protection Act,
Polish Labour Code and specific regulations (tax, social security, sector-specific),
Principles of: privacy by design, privacy by default, accountability.
DATA CONTROLLER
NORDIN SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
ul. Świętojańska 43 / 23
81-391 Gdynia, Poland
KRS: 0001179220
NIP: 5862418757
REGON: 542022513
E-mail: [email protected]
DATA PROCESSING PRINCIPLES
NORDIN processes personal data in accordance with Article 5 GDPR, in particular observing the principles of:
lawfulness and transparency,
purpose limitation,
data minimization,
accuracy,
storage limitation,
integrity and confidentiality,
accountability.
CATEGORIES OF DATA SUBJECTS AND DATA
Job candidates,
Employees and collaborators,
Leased and posted workers,
Clients and contractors,
Business partners,
Users of systems and platforms.
The scope of data includes, among others: CVs, contracts, payslips, contact data, HR data, payroll data, operational data, and all other data necessary for contract execution.
LEGAL GROUNDS FOR DATA PROCESSING
Personal data is processed on the grounds set out in Article 6(1) GDPR:
consent,
performance of a contract or pre-contractual actions,
legal obligation,
legitimate interest of the controller.
Special categories of data are processed in accordance with Article 9 GDPR.
HR, RECRUITMENT AND PAYROLL
Candidate and employee data is processed in compliance with labour law and GDPR.
Transfer of HR data to clients:
takes place based on consent or legal provisions,
is documented,
is limited to the minimum necessary scope.
Upon receiving data, the client becomes an independent data controller.
AUTOMATION AND ARTIFICIAL INTELLIGENCE
Automation, chatbots, and voicebots serve a supportive role only.
NORDIN does not make decisions producing legal effects solely through automated processing (Article 22 GDPR).
Data is not used to train public AI models and is not sold.
Every individual has the right to human intervention, objection, and information.
DATA SECURITY
Applied measures include:
access control,
encryption,
backups,
IT monitoring.
Business Continuity Plans (BCP) and data recovery procedures are in place.
RIGHTS OF DATA SUBJECTS
NORDIN ensures the exercise of rights under Articles 12–22 GDPR.
Contact: [email protected]
Response time: up to 30 days.
DATA BREACHES
Each breach is recorded and analyzed.
If required, it is reported to the Polish Data Protection Authority (UODO) within 72 hours.
The procedure complies with Articles 33–34 GDPR.
TRANSFERS OUTSIDE THE EU/EEA
Transfers are carried out strictly in accordance with GDPR requirements (SCCs, risk assessment, documentation).
TRAINING AND AUDITS
Regular GDPR training,
Internal audits and process reviews.
FINAL PROVISIONS
This document is effective as of the publication date.
It is subject to periodic updates.
It constitutes the foundation of NORDIN’s personal data protection system.
RECORD OF PROCESSING ACTIVITIES (ROPA)
The register includes, for each processing activity:
process name,
purpose,
categories of data subjects and data,
legal basis,
data recipients,
transfers outside the EU/EEA,
retention period,
security measures,
process owner.
GDPR REQUEST HANDLING PROCEDURE
Channel: [email protected]
identity verification,
deadline: 30 days (possible extension by +60 days),
each request is registered and archived.
DATA BREACH PROCEDURE
incident identification,
risk analysis,
breach register,
notification to the supervisory authority (if required),
notification of affected individuals.
DPIA PROCEDURE (DATA PROTECTION IMPACT ASSESSMENT)
A DPIA is conducted, among other cases, for:
AI and automation,
large-scale processing,
new technologies.
DPIA scope includes:
process description,
risk assessment,
mitigating measures,
implementation decision.
FINAL INFORMATION
The detailed Record of Processing Activities and all additional information regarding the Personal Data Protection Policy are available upon request, in accordance with GDPR provisions.
📧 Contact: [email protected]