Personal data administrator
The administrator of personal data is the company Warszawska Fabryka Platerów HEFRA S.A. with its registered office in Legnica (59-220), ul. [street] Żeglarska 8, entered into the Register of Entrepreneurs kept by the District Court for Wrocław-Fabryczna in Wrocław, 9th Commercial Department of the National Court Register under the National Court Register number [in Polish: KRS] 0000040919, share capital in the amount of: PLN 5,348,900.20, Tax Identification Number [in Polish: NIP] 5270206010.
On what basis and for what purpose do we collect and process personal data:
The basis for the processing of personal data by us are the provisions of the Regulation of the European Parliament and of the Council (EU) 2016/679 regarding the processing of personal data (in short: "GDPR"), and its full text in Polish is available at this address: https://eur- lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
Depending on the specific circumstances in which we obtain data, we process personal data for the following purposes:
- Communication with customers
We process data for the purpose of conducting communication established by the customer or potential customer through any communication channel (including e-mail, telephone, social networking sites) - which is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in the possibility of responding to correspondence addressed to him/her;
- Implementation of contracts concluded with customers and actions taken at customers' request before concluding the contract
We process data to implement contracts concluded with our customers regarding, for example, the sale of products offered by us, providing account functionality in our online store (Article 6 (1) (b) of the GDPR), which includes both the performance of the contract and other services on our side in connection with its conclusion, e.g. consideration of a claim or rendering of a service; we also process data to take action at the request of the customer before the conclusion of the contract (Article 6 (1) (b) of the GDPR), e.g. when the customer, using the contact form, orders to contact him/her to present them our offer.
- Implementation of contracts concluded with contractors
We process data in order to implement contracts concluded with our contractors with whom we cooperate as part of our business operations - e.g. by purchasing products which they manufacture or using their services (Article 6 (1) (b) of the GDPR);
- Maintaining contacts with contractors and their staff
We process data in order to contact or maintain contacts with employees and associates authorized by our contractor in order to perform the contract concluded with him/her - which is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in enabling proper and effective performance of the contract;
- Conducting marketing of own products and services
We process data in order to conduct marketing of our own products or services - in various forms - including by phone or e-mail contact, as well as the presentation of marketing content on the potential customer’s end device - which is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR);
- Performing legal obligations incumbent on the administrator
We process data to comply with legal obligations that are incumbent upon us, e.g. on the basis of tax regulations or consumer law (Article 6 (1) (c) of the GDPR);
- Determining and pursuing claims, defence against claims
We process data in order to determine and assert claims which we are entitled to as well as to protect against claims of third parties as well as for evidentiary purposes, in the event of a possible audit of authorized state authorities - which is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR);
- Other cases
We process data in connection with our business activities also in other cases, e.g. in connection with the use of business contacts during business meetings, industry events etc., including through the exchange of business cards in the above scope - to initiate and maintain business contacts - which is the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR) consisting in creating and maintaining a business-related network of contacts.
What personal data do we process:
We process personal data related to our business activities, in particular in connection with the sale of products or services rendered. These can be the following categories of personal data: identification data (e.g. name and surname, company name), contact details, a delivery address, data of persons designated to contact or collect goods, an IP number from which the customer was registered or logged in to his/her account, a bank account number.
How long do we process personal data:
We process personal data throughout the entire period of cooperation or providing services, if it is of a permanent nature. If the basis for data processing is the will of the customer, expressed in the form of consent, e.g. by subscribing to the newsletter – then until the consent is withdrawn. After the cessation of cooperation or withdrawal of consent, we process data for the period required by law or for a period corresponding to the limitation period for claims due to prior cooperation or the period in which the data may be needed for evidentiary purposes in the event of an audit by authorized state authorities. Basically, the period of data processing after the termination of the contract is 6 years from the end of the calendar year in which the contract was terminated.
To whom and why do we transfer personal data:
Personal data may be transferred to other entities cooperating with us in the scope and for the purpose for which we use the support of these entities in the area of IT services, including in particular suppliers of equipment, software and programming services, hosting services and website presentation, as well as in the field of services, i.e. banks, payment operators, entities providing accounting, courier or marketing services.
Notwithstanding the foregoing, the data may be transferred to public entities, if it results from applicable law and in the manner and to the extent described in these provisions.
Information on the rights of persons whose data we process
Each person whose data we process:
- has the right to request information whether and what his/her data we process and to access this data;
- has the right to request rectification of personal data concerning him/her;
- has the right to request the restriction of the scope of processing of his/her data - including the request to stop profiling or make decisions based on profiling;
- may at any time request the cessation of processing of his/her data by us and by entities to whom the data has been entrusted by us (implementation of the so-called "right to be forgotten");
- has the right to object to the processing of data by us for marketing purposes;
- has the right to object for reasons related to its particular situation regarding the processing of his/her data for the purpose resulting from the implementation of our legitimate interests;
- has the right to request the transfer of his/her personal data in an automated manner to the indicated recipient - to the extent that the data are processed in an automated manner in connection with the concluded contract or consent;
- has the right to lodge a complaint with the President of the Personal Data Protection Office (address: ul. [street] Stawki 2, 00-193 Warsaw, www.uodo.gov.pl) - if he/she considers that we process his/her data unlawfully;
In the event of withdrawal of consent to data processing or filing an objection, this shall not affect actions taken on the basis of consent before the withdrawal of such consent or the acceptance of objection by the administrator.
In the case of persistently repeated requests for providing information by the same person, we can make the provision of further information subject to prior payment of the costs associated with the preparation of this information.
Similarly, in the case of a request for the transfer of personal data, if the implementation of this request would involve financial costs on our side – we can make the implementation of the request subject to prior coverage of these costs.
In addition, we may make the implementation of some of the aforementioned requests conditional upon proving that the person making the request is actually entitled to do so (e.g. providing proof that the person is the holder of the e-mail address to which the request relates - and in this particular situation we will accept a request sent from that address as proof.)
The consequence of a request to limit the scope of processing or filing an objection regarding data processing may be the necessity to stop providing services by the administrator or to limit the functionality and scope of these services.
Data profiling and data transfer outside the EEA:
We do not use automated data profiling within the meaning of the GDPR, nor we make automated decisions based on profiling. It may happen that the administrator will direct specific activities (e.g. marketing offers) to a group of people selected due to their previous activity (e.g. purchase history or website activity) or based on geographical or similar criteria.
We do not transfer personal data in an organized way outside the European Economic Area. However, such a situation may take place due to the technical characteristics of IT solutions, e.g. based on data processing in the so-called "cloud." In this situation, data is entrusted only to a third country for which the Commission has determined that it provides an adequate level of protection, and in the case of transferring data to the United States - only to companies that are participants of the Privacy Shield agreement.
Administrator contact details:
In any case regarding the personal data we process, you can contact us by sending a message to our correspondence address or to the e-mail address: [email protected]
Additional information about the processing of personal data: INFORMATION ON THE PROCESSING OF PERSONAL DATA