What terms do we use in Privacy Policy?
Personal data – data of a person who can be identified by the use of such data. This Privacy Policy explains how we use the personal information you provide to us.
TSH/We – The Software House sp. z o.o. with registered office in Gliwice, ul. Dolnych Wałów 8, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court in Gliwice, 10th Commercial NCR Division, REGON (National Official Business Register No.): 146211123, TIN: 5272680543.
You, Yours – any natural person whose Personal data we process and to whom this Privacy Policy applies.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Website – our website and its subpages: www.tsh.io.
Recipients – entities to whom we may transfer a part of your personal data, in connection with the performance of certain activities or services by them on our behalf. They may not do anything about your personal data until we have instructed them to do so, and only to the extent we have indicated. They will store your personal data securely and only for as long as we indicate or as required by applicable law.
Cookies – the so-called Internet cookies, i.e. tiny information recorded by the server on your computer disc in the form of small text files. Cookies make it possible to recognize the User’s device during the next visit, providing access to certain functions and allow us to understand how he navigated the site.
Privacy Policy – this policy sets forth the principles governing cookies and processing and protection of personal data.
Whose data does the privacy policy apply to?
Privacy Policy defines the method of collecting, processing and storing personal data of:
- job candidates
- employees
- contractors
- clients/suppliers
- employees or persons representing clients
- newsletter subscribers
- correspondents
- participants of meetup events
Who will be your data controller?
The controller of your Personal data: The Software House sp. z o.o. with registered office in Gliwice (hereinafter referred to as “TSH” or “we”) at ul. Dolnych Wałów 8. This means that we decide for what purpose the personal data you have provided to us are processed. We want you to know that we make every effort to keep your personal data safe. We do not provide personal data entrusted to us for a fee. You can contact us directly for information regarding the protection of your personal data at: [email protected].
How do we process personal data?
Personal data is processed in accordance with the GDPR. The Personal data collected by TSH will be:
- processed in accordance with the law
- collected for specified, lawful purposes and not subjected to further processing incompatible with these purposes
- factually correct and adequate in relation to the purposes for which they are processed
- stored no longer than it is necessary to achieve the purpose of processing.
Detailed information on how we process your data in specific processes can be found in the section: “For what purposes, on what legal grounds and for how long do we process your Personal data?”
What data are we talking about?
We collect information about you when you provide it to us yourself or when you use our services, including the services and other functionalities provided by TSH on the Website and stored in cookies that are installed on our website, as well as the data we have obtained from publicly available sources, such as social media or through third parties that have suggested that we contact you. If you then decide to cooperate with us, additionally there will be all personal data you provide us with.
For what purposes, on what legal grounds and for how long do we process your personal data?
Information for job applicants
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Carrying out the recruitment procedure in the scope of data indicated by the provisions of the labor law and taking the necessary actions to conclude a contract with the selected candidate | article 22¹ of the Labor Code and article 6 sec. 1 pt. b) GDPR; | The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process). |
| Including additional data in the recruitment process based on your consents, including personal data provided other than those resulting from legal provisions | article 6 sec. 1 pt. a) GDPR (ordinary data) or in accordance with article 9 sec. 2 pt. a) GDPR (data of a special category, e.g. data on health or degree of disbility)(consent); | The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process). |
| Participation in future recruitment processes, based on the expressed consent | article 6 sec. 1 pt. a) GDPR (consent); | The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process). |
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary.
Information for employees
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Conclusion and performance of an employment contract | article 6 sec. 1 pt. b) GDPR and article 221 of the Labor Code | The data will be processed for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents |
| Keeping accounting and tax documentation | article 6 sec. 1 pt. c) GDPR and article 74 of the Accounting Act and others concerning taxpayers (processing is necessary for compliance with a legal obligation to which the controller is subject) | The data will be processed for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents |
| Pursuing claims and protection against claims | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | The data will be processed for the period of limitation of potential claims (3 years from the date on which the claim became due) |
| Ensuring the safety of employees, protection of property, as well as maintaining the secrecy of information, the disclosure of which could expose the employer to damage | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | The data will be processed until an effective objection is raised by the data subject |
| Organization of training for employees | article 6 sec. 1 pt. a) GDPR (consent) article 6 sec. 1 pt. b) GDPR (processing is necessary for the performance of a contract of employment) article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | The data will be processed until an effective objection is raised by the data subject;until the consent is withdrawn, until the terms of the contract expire, and then for the period of limitation of potential claims (3 years from the date on which the claim became due) |
| Performance of obligations arising from health and safety regulations, i.e. on determining the circumstances and causes of accidents at work | article 6 sec. 1 pt. c) GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject) | The data will be processed for the period resulting from the provisions of law, i.e. for a period of 10 years, counting from the end of the calendar year in which the employment relationship was terminated or expired. |
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude an employment contract.
Information for contractors
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Conclusion and performance of an contract | article 6 sec. 1 pt. b) GDPR | The data will be processed: – for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents, – for the period required by law in order to fulfill the obligations arising from the regulations until these obligations are fulfilled |
| Keeping accounting and tax documentation | article 6 sec. 1 pt. c) GDPR and article 74 of the Accounting Act and others concerning taxpayers article 6 sec. 1 pt. c) GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject) | |
| Pursuing claims and protection against claims |
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude a contract.
Information for clients/suppliers
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Establishment of commercial contacts – sales | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | Until an effective objection is raised in connection with a special situation of the data subject |
| Conclusion and performance of the sales agreement | article 6 sec. 1 pt. b) GDPR | Until the termination/expiry of the agreement subject to the time limits for any claims (6 years after the date of termination) |
| Handling the enquiries of prospective and existing Clients, including claims/complaints | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)) | Until the termination/expiry of the agreement subject to the time limits for any claims (6 years after the date of termination) |
| Maintenance of accounting and tax documentation | article 6 sec. 1 pt. c) GDPR and article 74 of the Accounting Act and others concerning taxpayers (processing is necessary for compliance with a legal obligation to which the controller is subject) | 5 years after the end of the calendar year in which the tax was due |
| Debt collection | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | respectively for the period of limitation/expiry of claims inherent in the legal relationship, 6 years after the date of issue of the order |
| Investigation of claims and protection against claims | article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller) | respectively for the period of limitation/extinction of claims inherent in the legal relationship (at least 6 years after the date of termination of cooperation) |
| Direct marketing of own products and services | article 6 par. 1 item a of GDPR in connection with Article 10 of the Act on the provision of electronic services and Article 6 par. 1 item f of GDPR) | until withdrawal of consent. |
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude an contract.
Information for employees or persons representing clients
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Ongoing handling of the agreement concluded | article 6 sec. 1 pt. f) GDPR | The data will be processed for the term of the agreement |
| Establishment and investigation of claims and damages, defence against possible claims | article 6 sec. 1 pt. f) GDPR | For the period of limitation of potential claims (6 years after the end of cooperation) |
Providing personal data is voluntary but without providing data, it is not possible to conclude an contract.
If the data were not obtained directly from you, this means that the source of origin of the data is your employer or an entity represented by you.
Information for newsletter subscribers
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Sending messages from various fields in the form of a newsletter which is a form of direct marketing of the Controller’s products or services | article 6 sec. 1 pt. a) GDPR | Until withdrawal of consent by the data subject. Withdrawal of the consent does not affect lawfulness of processing performed prior to the withdrawal. |
Providing personal data is voluntary but without providing data, it is not possible to send a newsletter.
Information for correspondents
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Recording of correspondence and responding – processing is necessary for legitimate purposes of the Controller consisting in fulfilling timely responses to letters, ensuring the quality of cooperation with contractors and other stakeholders | article 6 sec. 1 pt. f) GDPR | Until an effective objection is raised, with due observance of the time limits for possible claims (6 years from the date of termination of contact) |
Information for participants of meetup events
| Purpose of processing | Legal basis | Period of processing |
|---|---|---|
| Organization and running of meetups | article 6 sec. 1 pt. a) GDPR | Until withdrawal of consent by the data subject. Withdrawal of the consent does not affect lawfulness of processing performed prior to the withdrawal. |
Providing personal data is voluntary but without providing data, it is not possible to run meetups.
To whom can we share the data?
Your personal data may be transferred to processing entities that provide services to the Controller on the basis of entrustment agreements concluded with them (IT service providers, including hosting and services supporting HR processes, as well as operators of recruitment portals).Subject to applicable law, we may also transfer your data to other controllers entitled to obtain data under applicable law, such as courts or law enforcement agencies, only if they make a request on an appropriate legal basis, of course.
Is providing personal data voluntary?
Providing your data is mainly voluntary. We require you to provide personal data only at the stage of entering into an agreement with us (e.g. in the scope of sending a newsletter or e-book), and then in connection with the need to settle it (i.e. for accounting, tax or protection against claims). Detailed information in this regard is indicated above in the information for specific categories of persons.
What are your rights regarding your data?
In connection with the processing of personal data, pursuant to the principles set forth in the provisions on the protection of personal data, including the GDPR, you are entitled to certain rights, including:
- the right to access your data, i.e. the right to obtain confirmation from the TSH as to whether or not your personal data is being processed by us, or to obtain a copy of your personal data. This is to ensure that you are aware of and able to check how the TSH uses your personal data. We may refuse to provide a copy of your personal information where this could adversely affect the rights of another person;
- the right to rectification, i.e. the right to request the TSH to rectify any personal data that is inaccurate or incomplete without delay (e.g. where the TSH processes your incorrect name or address);
- the right to delete your data (also known as the “right to be forgotten”) – it enables you to request the deletion of your personal data if, for example, your data was used illegally, or your consent was withdrawn (if it was the only reason for processing your data). However, the “right to be forgotten” does not constitute an absolute right to erasure of personal data as there are certain exceptions to this right, e.g. where we still need to use the data to establish, pursue or defend legal claims or to fulfill a legal obligation (e.g. under accounting or tax law);
- the right to restrict processing – you have the right to prevent us from further using your personal data if, for example, the TSH is in the process of evaluating a request for rectification of your data. If the processing of personal data is restricted, TSH may still store your personal data, but may not further actively use it (e.g. for the purpose of fulfilling a contract);
- the right to data portability – you have the right to receive the personal data concerning you, which you had provided to a us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the us, provided: a) the processing is based on consent or on a contract and b) the processing is carried out by automated means.
To the extent that the processing of your personal data is based on a legitimate interest, you have the right to object to the processing of such data. However, the TSH may continue to process personal data where it is able to demonstrate valid and legitimate grounds for processing overriding your interests, rights and freedoms or where necessary to establish, pursue or defend a claim.
To the extent that the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The consent withdrawal shall not affect the lawfulness of the processing that has been carried out on the basis of the consent prior to the withdrawal.
If you would like to exercise any of these rights, simply email us at: [email protected].
What is more, you have the right to lodge a complaint with the supervisory authority responsible for the processing of your personal data by us: President of the Personal Data Protection Office (address: Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw).
Do we transfer your data to countries outside the European Economic Area?
As a rule, your personal data will not be transferred outside the EEA or made available to international organizations. However, if the controller uses service providers from outside the EEA area, which have not been recognized by the European Commission as ensuring an adequate level of personal data protection, the transfer of personal data to the above-mentioned entities is carried out ̨ on the basis of standard data protection clauses which ensure appropriate safeguards in the field of protection of privacy and rights and freedoms people whom applies to. A copy of the Standard Contractual Clauses can be obtained from the controller.
Do we process your data automatically?
Please be advised that we do not make automated decisions, including those based on profiling.
What about Cookies?
We use Cookies on the end device of the User (e.g. computer, tablet, smartphone). Cookies may be read by the TSH IT system. We gain access to the information contained in Cookies for statistical purposes and to ensure the proper functioning of the website, in particular to maintain the session after logging in.
Importantly, we want you to know that:
- The internet browser configuration is possible to prevents storage of cookies on the User’s end device.
- The User may delete Cookies after they are saved by the TSH through: relevant features of the web browser, software intended for that purpose or using appropriate tools available under the operating system of the User.
Please be notified however that change to the web browser configuration that prevents or limits the Cookies storage on the User’s end device may impair the functionality of the services provided. Similar effects may occur when deleting the Cookies in the course of the service provision.
Information on how to delete Cookies in the most popular web browsers are included in the following links:
Use of Google Analytics for website analysis
This website operator notifies that in order to collect and analyze aggregated information on the portal use, it uses the Google Analytics service. Please visit this location to learn more about how this service collects and processes data.
Using Disqus for comments
The data is transferred to Disqus on the basis of your agreement with Disqus, which allows you to use Disqus. The purposes and duration of data processing in Disqus are determined by Disqus itself which we cannot influence.
In this case, your data is processed on the basis of your consent resulting from a comment addition. The data is processed solely for the purpose of publishing the comment on the blog. Some of the data (name and surname, profile photo) will be publicly available on the blog next to your comment.
Use of Hubspot for form management, website analysis and users tracking
This website operator notifies that they use the Hubspot platform to collect and analyze aggregated information about website users. Please visit this location to learn more about how this service collects and processes data.
Should I still know something?
For matters not covered by these Policy, provisions of law and particularly of the Act on provision of services by electronic means, the Act on personal data protection, the Civil Code and GDPR shall apply. TSH reserves the right to modify the Policy due to significant reasons. The following shall be deemed significant reasons: introduction of new, amendments to the existing legislation, adaptation to changes introduced by TSH. TSH notifies of the content of the changes by publishing a notice on the change of Policy at www.tsh.io. The competent court for any disputes arising from the application of this Policy shall be the competent court under the applicable laws.
The date of the last version of the policy is March 15th, 2023.
