|
This privacy policy constitutes a set of rules for the processing of personal data on the website warsaw.icbc.com.cn.
This Policy is addressed to all persons who visit the Service or contact the Personal Data Controller. The Policy defines the rules for processing and protecting personal data of persons using the Service. The purpose of the Policy is, among other things, to fulfill the information obligation referred to in art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: "GDPR".
1. DEFINITIONS
1.1 Controller– Industrial and Commercial Bank of China (Europe) S.A. Poland Branch with its registered office in Warsaw.
1.2 Personal Data – information about an identified or identifiable natural person through one or several specific factors defining physical, physiological, genetic, mental, economic, cultural or social identity, including the device's IP address, location data, internet identifier, and information collected through cookies and other similar technology.
1.3. Data Subject – a natural person visiting the Service or using one or more services or functionalities of the Service described in the Policy.
1.4. Policy – this Privacy Policy.
1.5. GDPR – Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).
1.6. Service – a website run by the Controller at warsaw.icbc.com.cn.
1.7. User – any natural person visiting the Service or using one or more services or functionalities described in the Policy.
2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE
2.1. In connection with its business activities, the Controller collects and processes Personal Data in accordance with applicable legal provisions, including in particular the GDPR, and the data processing principles provided therein.
2.2. The Controller ensures transparency in the processing of Personal Data, in particular always informing about data processing at the time of its collection, including the purpose and legal basis for processing. The Controller ensures that data is collected only to the extent necessary to achieve the indicated purpose and processed only for the period for which it is necessary.
2.3. When processing Personal Data, the Controller ensures their security and confidentiality and access to information about processing for data subjects. If, despite the security measures applied, a Personal Data breach occurs (e.g., data "leak" or loss), the Controller will inform the Data Subjects of such an event in accordance with the regulations.
2.4. In connection with the User's use of the Service, the Controller collects data to the extent necessary for the provision of individual services offered, as well as information about the User's activity on the Service. Detailed rules and purposes of processing Personal Data collected during the User's use of the Service are described below.
3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING ON THE SERVICE
USE OF THE SERVICE
3.1. The Personal Data of all persons using the Service (including IP address or other identifiers and information collected via cookies or other similar technologies) are processed by the Controller:
3.1.1. for the purpose of providing electronic services in the scope of making content collected on the Service available to Users – in this case, the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
3.1.2. for analytical and statistical purposes – in this case, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in conducting analyses of Users' activity, as well as their preferences, to improve the functionalities used and services provided;
3.1.3. for the purpose of possible establishment and assertion of claims or defense against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of their rights;
3.2. User activity on the Service, including their Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and actions concerning the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical, administrative purposes, to ensure the security of the IT system and to manage this system, as well as for analytical and statistical purposes – in this regard, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in delivering and improving the functionalities offered to Users.
CONTACT
3.3. In the case of correspondence sent to the Controller via e-mail or traditional mail not related to the services provided or another concluded agreement, personal data contained in this correspondence are processed solely for the purpose of communication and resolving the matter to which the correspondence relates.
3.4. Personal data are processed for the purpose of:
3.4.1. conducting correspondence and resolving any matter to which the correspondence relates – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in conducting correspondence addressed to them in connection with their business activity;
3.4.2. establishing or pursuing claims or defending against such claims by the Controller – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in protecting their business interests.
TELEPHONE CONTACT
3.5. In the case of contacting the Controller by phone, concerning matters not related to a concluded agreement or services provided, the Controller may request the provision of Personal Data only when it is necessary to handle the matter to which the contact relates.
3.6. Personal data are processed for the purpose of:
3.6.1. ensuring contact and handling the request – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in the need to resolve the reported matter related to their business activity;
3.6.2. establishing or pursuing claims or defending against such claims by the Controller – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in protecting their business interests.
DATA COLLECTION IN THE CONTEXT OF BUSINESS CONTACTS
3.7. In connection with its business activities, the Controller also collects personal data in other cases – e.g., during business meetings or through the exchange of business cards – for purposes related to initiating and maintaining business contacts. In this case, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in creating a network of contacts in connection with the conducted activity.
RECRUITMENT
3.8. The legal basis for processing personal data for recruitment purposes is the legitimate interest of the Controller, the User's voluntary consent, and the provisions of the Labor Code.
3.9. Your personal data will be processed:
3.9.1. in the case of preferring employment based on an employment contract – for the purpose of fulfilling obligations arising from legal provisions related to the recruitment process, including primarily the Labor Code – the legal basis for processing is a legal obligation incumbent on the Controller (Article 6(1)(c) of the General Data Protection Regulation No. 2016/679 (GDPR) in connection with the provisions of the Labor Code); for the purpose of conducting the recruitment process in the scope of data not required by law – the legal basis for processing is consent (Article 6(1)(a) GDPR);
3.9.2. in the case of preferring employment based on a civil law contract – the legal basis for processing data contained in application documents is the legitimate interest of the Controller (Article 6(1)(f) GDPR). The legitimate interest is to conduct the recruitment process and select a person for concluding a cooperation agreement;
3.9.3. for the purpose of verifying your qualifications and skills and determining the terms of cooperation – the legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR). The legitimate interest of the Controller is to verify candidates for work and determine the terms of possible cooperation with you;
3.9.4. for the purpose of possible establishment and assertion of claims or defense against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of their rights.
3.10. To the extent that personal data are processed on the basis of expressed consent, this consent can be withdrawn at any time, without affecting the legality of the processing carried out before its withdrawal. In the case of consent for future recruitment processes, personal data are deleted after two years – unless the consent was withdrawn earlier.
4. COOKIES AND SIMILAR TECHNOLOGY
4.1. Cookie files are small text files installed on the User's device browsing the Service. Cookies collect information that facilitates the use of the website – e.g., by remembering User visits to the Service.
4.2. The Controller uses so-called service cookies primarily to provide electronic services to the User and to improve the quality of these services. In this regard, the Controller and other entities providing analytical and statistical services on its behalf use cookie files, storing information or gaining access to information already stored on the User's telecommunications device (computer, phone, tablet, etc.). Cookie files used for this purpose include permanent cookie files for personalizing the User interface for the duration of the session or slightly longer (ang. user interface customization cookies).
4.3. Cookie files are divided into permanent and session – depending on how long they are stored, and into necessary and optional – depending on the purposes for which they are used.
PERMANENT AND SESSION COOKIE FILES
|
TYPE
|
DESCRIPTION
|
|
Session cookies
|
Some cookies are temporary files, stored until logging out, leaving the site, or turning off the web browser. These types of cookies help the Controller analyze network traffic, enable identification and resolution of technical problems, and make it easier to navigate the Service.
|
|
"Permanent" cookies
|
"Permanent" cookies are stored for a specified period in their parameters or until they are deleted by the User. They help the Controller remember User settings and preferences to make their next visit more convenient (e.g., they will not have to re-enter login data).
|
NECESSARY AND OPTIONAL COOKIE FILES
|
TYPE
|
DESCRIPTION
|
|
Necessary cookies
|
These cookie files are installed to ensure access to the Service and its basic functions and therefore do not require User consent. Without necessary cookies, the Controller would not be able to provide services to the User within the Service.
|
|
Optional cookies
|
These cookie files are installed to ensure access to the Service and its basic functions and therefore do not require User consent. Without necessary cookies, the Controller would not be able to provide services to the User within the Service.
|
5. MANAGING COOKIE SETTINGS
5.1. The use of cookie files to collect data through them, including access to data stored on the User's device, requires the User's consent. This consent can be withdrawn at any time.
5.2. Permission is not required only for cookie files whose use is necessary for the provision of a telecommunications service (data transmission for content display).
5.3. The User can withdraw consent for the use of cookies through their internet browser settings. Cookie settings can be changed by the User in their browser's options or preferences. Detailed information on how to manage cookies is available in the help section of the browser the User is using.
5.4. The User can at any time verify and change the status of their current cookie privacy settings using available industry tools for managing advertising preferences and User’s web browser settings.
5.5. Some cookie files are necessary for the Service to function, so changing browser settings may cause some services not to work properly, or even prevent the User from using the Service.
6. PERIOD OF PERSONAL DATA PROCESSING
6.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data are processed for the duration of the service provision, until the withdrawal of expressed consent or the filing of an effective objection to data processing in cases where the legal basis for data processing is the legitimate interest of the Controller.
6.2. The data processing period may be extended if processing is necessary for the establishment and assertion of possible claims or defense against claims, and after this period only in cases and to the extent required by law. After the processing period, the data are irrevocably deleted or anonymized.
7. USER RIGHTS
7.1. The User has the right to access their data, request their rectification, erasure, restriction of processing, the right to data portability, the right to object to data processing, and the right to lodge a complaint with the supervisory authority responsible for personal data protection.
7.2. To the extent that the User's data are processed on the basis of consent, this consent can be withdrawn at any time, without affecting the validity of the declaration made before the consent was withdrawn.
7.3. The User has the right to object to the processing of data for marketing purposes if the processing takes place in connection with the legitimate interest of the Controller, as well as for reasons related to the User's specific situation in other cases where the legal basis for data processing is the legitimate interest of the Controller (e.g., in connection with the realization of analytical and statistical purposes).
7.4. Requests mentioned in the above points can be made by contacting the Controller by post, writing to: Industrial and Commercial Bank of China (Europe) S.A. Poland Branch ,Pl. Trzech Krzyży 18, 00-499 Warsaw or electronically, using the email address: iod@pl.icbc.com.cn
8. RECIPIENTS OF DATA
8.1. In connection with the provision of services, Personal Data will be disclosed to external entities, including in particular providers responsible for the operation of IT systems, entities such as other banks and payment operators, entities providing accounting services.
8.2. Personal data may also be disclosed to external entities that provide services to the Controller in the field of legal or tax advice, couriers, postal operators, document archiving entities, teleinformatic service providers, recruitment agency service providers, IT service providers.
8.3. With the User's consent, their data may also be made available to other entities for their own purposes, including marketing purposes.
8.4. The Controller reserves the right to disclose selected information about the User to appropriate authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
9. TRANSFER OF DATA OUTSIDE THE EEA
9.1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that ensured by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary, and with an adequate level of protection, primarily through:
9.1.1. cooperation with processors of Personal Data in countries for which the European Commission has issued an adequacy decision confirming a sufficient level of Personal Data protection (these decisions are available on the European Commission's website);
9.1.2. implementing standard contractual clauses issued by the European Commission; together with any required supplementary safeguards, these ensure that Personal Data receives the same level of protection as it does within the European Union (templates of these standard contractual clauses are available on the European Commission's website).
9.2. The Controller always informs about the intention to transfer Personal Data outside the EEA at the stage of their collection.
10. SECURITY OF PERSONAL DATA
10.1. The Controller continuously conducts risk analysis to ensure that Personal Data processed by them is secure – ensuring primarily, that only authorized persons have access to data and only to the extent necessary due to the tasks they perform. The Controller ensures that all operations on Personal Data are recorded and performed only by authorized employees and associates.
10.2. The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the use of appropriate security measures in every case where they process Personal Data on behalf of the Controller.
11. CONTACT DETAILS
11.1 Contact with the Controller is possible via email address info@pl.icbc.com.cn or correspondence address Industrial and Commercial Bank of China (Europe) S.A. Poland Branch, Pl. Trzech Krzyży 18, 00-499 Warsaw.
11.2 Detailed information regarding the data protection safeguards for data transfers outside the EEA is available upon request by emailing iod@pl.icbc.com.cn.
11.3 The Controller has appointed a Data Protection Officer, who can be contacted via email iod@pl.icbc.com.cn or by writing to the Controller's registered office address in any matter concerning the processing of Personal Data.
12. CHANGES TO THE PRIVACY POLICY
12.1. The Policy is continuously reviewed and updated if necessary.
12.2. The current version of the Policy was adopted and is effective from 31.12.2025.
|