Privacy Policy

Definitions

  • Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Personal Data/Data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Policy: this Privacy Policy containing information on the processing of Personal Data.
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Service: the Controller’s website available at the domain arche-consulting.pl.
  • Candidate: a natural person whose data is processed in connection with recruitment processes conducted by the Controller, including a person whose data is stored in the candidate database (ATS/ATM system).
  • Employer Representative: a natural person acting on behalf of an employer/client or potential client of the Controller (e.g. an employee, contractor, contact person), whose data is processed in connection with cooperation or sales and marketing activities.
  • Data Subject: any natural person whose personal data is processed by the Controller (in particular a Candidate, Employer Representative, a person contacting the Controller, or a person visiting the Service).

General Information

The purpose of this Policy is to provide important information on how we process personal data when you visit the Service, order our services, participate in recruitment processes, or contact us in any way and via any communication channel, including in particular: in person, by phone, by post, via a contact form, by email or via social media.

Below we explain how we use information about data subjects, who is responsible for its protection, and what rights you have in relation to the processing of personal data.

Controller of Your Personal Data and Contact Details

The Controller of personal data is:
Arche Consulting Sp. z o.o., with its registered office in Katowice (40-112), ul. Morelowa 25, entered in the register of entrepreneurs of the District Court in Katowice, 8th Commercial Division of the National Court Register under KRS no. 0000904332, REGON: 242781524, NIP: 9542734358.

Data Protection Officer

The Controller has appointed a Data Protection Officer, who can be contacted regarding all matters related to the processing of personal data and the exercise of related rights.

Contact with the Data Protection Officer is possible:

  • by email: odo@arche-consulting.pl
  • by post: Arche Consulting Sp. z o.o., ul. Morelowa 25, 40-112 Katowice, with the note “Data Protection Officer”.

For What Purpose, for How Long, and on What Legal Basis Do We Process Your Data?

Within the Controller’s activities, personal data may be processed in various situations related to the use of services, communication, and implementation of processes carried out by the Controller. Data may be obtained directly from the data subject, from activity in the Service (e.g. technical data, identifiers, cookies), from communication channels, and in justified cases also from publicly available sources (in particular contact data related to professional roles).

Below are the main processing operations along with their purposes, legal bases, and retention periods.

Use of the Service

User data (e.g. IP address, email address, identifiers, cookies) is processed for:

  • Ensuring proper functioning of the Service and security (including fraud prevention).
    Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
    Retention: as necessary, generally up to 12 months.
  • Analytics and statistics (traffic measurement, improving functionality).
    Legal basis: consent (where required) or legitimate interest.
    Retention: until consent withdrawal or up to 36 months.
  • Establishing, pursuing or defending claims.
    Legal basis: legitimate interest.
    Retention: limitation period or until proceedings end.

Recruitment Processes

The Controller processes Candidate data for purposes including:

  • Conducting recruitment and concluding contracts (Art. 6(1)(b) GDPR).
  • Fulfilling legal obligations (e.g. labor law requirements).
  • Processing voluntarily provided data (consent).
  • Managing recruitment logistics (legitimate interest).
  • Supporting candidate matching using AI-assisted tools (no solely automated decisions).
  • Future recruitment (consent, up to 7 years).
  • Verifying criminal records where required by law.
  • Conducting skills assessments.
  • Processing special category data (e.g. health) where disclosed.
  • Remote identity verification (including video).
  • Defending or pursuing claims.

Sharing Data with Employers

Data may be shared with employers to assess candidate suitability.
Legal basis: consent and/or legitimate interest.
Retention: duration of recruitment and claims limitation period.

Electronic Communication

Data is processed to:

  • Handle inquiries and correspondence
  • Maintain communication records
  • Defend against claims
  • Send marketing information (with consent)

Marketing and Sales

Processing includes:

  • Direct marketing (legitimate interest)
  • Initial outreach (prospecting)
  • Continued marketing communication (consent)
  • Business relationship management
  • Lead generation and profiling (no automated decisions)

Social Media

Data processed for:

  • Managing profiles and publishing content
  • Communication with users
  • Marketing and analytics
  • Advertising campaigns
  • Handling claims

Social media providers process data under their own policies.

Satisfaction Surveys

Data may be processed to:

  • Conduct surveys and improve services
  • Contact participants regarding surveys

Retention: generally up to 12 months.

Suppliers and Third Parties

Data is processed for:

  • Cooperation and communication
  • Contract performance
  • Legal obligations (e.g. accounting)
  • Archiving and claims handling

Whistleblowing Reports

Data is processed to:

  • Handle and investigate reports
  • Maintain documentation
  • Fulfill legal obligations
  • Process sensitive or criminal data where necessary

Data Subject Rights

You have the right to:

  • Withdraw consent
  • Access your data
  • Rectify data
  • Erase data (“right to be forgotten”)
  • Restrict processing
  • Data portability
  • Object to processing
  • Lodge a complaint with a supervisory authority

Requests can be submitted:

Response time: up to 1 month (extendable to 3 months).

Obligation to Provide Data

Providing data is generally voluntary, but may be required:

  • by law
  • to conclude or perform a contract
  • to handle inquiries
  • based on consent

Failure to provide required data may prevent certain actions.

Data Recipients

Data may be shared with:

  • public authorities
  • employers/clients
  • service providers (IT, analytics, legal, etc.)
  • partners and subcontractors

Data Transfers Outside the EEA

Data may be transferred outside the EEA using safeguards such as:

  • adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • other GDPR-compliant mechanisms

Cookies

Cookies are used for:

  • Service functionality and security
  • analytics
  • marketing (with consent)

Types include:

  • necessary cookies
  • functional cookies
  • analytical cookies
  • marketing cookies

Users can manage cookies via browser or settings panel.

Data Security

The Controller applies appropriate technical and organizational measures to ensure:

  • confidentiality
  • integrity
  • availability
  • resilience

Access is limited to authorized persons, and safeguards are regularly reviewed.

Final Provisions

This Privacy Policy is informational and may be updated due to legal or operational changes. Updates are published on the Service.

If any provision is invalid, the remaining provisions remain effective.

This Privacy Policy is effective from the date of its publication on the Service.