Personal Data Protection Policy
In this Personal Data Protection Policy, we inform you how personal data are collected by the Data Controller (see below), for what purposes, and how the data are used by the Data Controller. The Policy also provides for rights of persons whose personal data are collected by the Data Controller.
This document is an instruction referred to in Art. 13.1 and 13.2 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”.
The Data Controller is Betafence Sp. z o.o., with its registered office in Kotlarnia, ul. Dębowa 4, entered in the register of companies of the National Court Register kept by the District Court in Opole, 8th Commercial Division of the National Court Register, under the number 0000241242, VAT No (NIP) 7491989655, statistical ID (REGON) 160041472, share capital (fully paid-up): PLN 7,070,000.00 (hereinafter referred to as the “Data Controller”).
Contact data of the Data Controller:
- if by mail to: Betafence Sp. z o.o., ul. Dębowa 4, 46-246 Kotlarnia,
if by e-mail to: firstname.lastname@example.org
Data Protection Officer
The Data Controller appointed a Data Protection Officer to whom all inquiries or demands concerning personal data should be addressed:
- if by mail to: Bożena Krawczuk, Inspektor Ochrony Danych Osobowych (Data Protection Officer), Betafence Sp. z o.o., ul. Dębowa 4, 46-246 Kotlarnia,
if by e-mail to: email@example.com
Purpose of personal data processing
Personal data disclosed to the Data Controller during the execution and performance of a sales agreement are used for the following purposes:
- to enter and perform the sales agreement (legal basis: Art. 6.1.b of the GDPR):
- to identify pages of the sales agreement entered into in the Internet shop of Betafence sp. z o.o.;
- to deliver goods;
- to handle complaints;
- to handle correspondence addressed to the Internet shop of Betafence sp. z o.o. (e.g. via a contact form);
- to fulfil the Data Controller’s legal obligation (legal basis: Art. 6.1.c of the GDPR), e.g. by sharing personal data with competent public administration authorities, including at a request of a court, the police, etc.;
- to meet the Data Controller’s legitimate interest (legal basis: Art. 6.1.f of the GDPR), e.g.:
- to administer payment services offered at the Internet shop of Betafence sp. z o.o.;
- to handle correspondence addressed to the Internet shop of Betafence sp. z o.o. (e.g. via a contact form);
- to take part in court, arbitration and mediation proceedings (e.g. to collect debts);
- to store personal data for archiving purposes;
- to examine, identify and prevent breaches of law and abuses;
- to achieve goals based on the consent of a person that disclosed their personal data to the Data Controller (legal basis: Art. 6.1.a of the GDPR), e.g.:
- to use newsletter services of Betafence sp. z o.o.;
- to enable Betafence sp. z o.o. deliver information about products, services and promotions;
- to enable Betafence sp. z o.o. deliver information about various events and actions (e.g. promotional, social, charity actions), which can be shared electronically (e-mail, newsletter), by phone (conversation, text message) or by mail (traditional mail).
Is the disclosure of personal data obligatory?
- Personal data are disclosed voluntarily.
- However personal data that are necessary to enter into and perform the sales agreement must be given so that the sales agreement could be entered into at the Internet shop.
- In any case where based on applicable legal regulations (e.g. on tax obligations) the Data Controller must give another scope of personal data of its Internet shop customer, the Data Controller will request such data and those data must be given so that the sale agreement (or another sales agreement) could be entered into and performed.
- Providing the personal data for marketing purposes is optional. Such data are not necessary to enter into the sales agreement.
Transfer of personal data
The Data Controller may transfer personal data to the following entities (in each case, the scope of personal data transfer will be minimised as necessary to achieve the following goals):
- employees and business partners who must access the data to fulfil the obligations stemming from the sales agreement;
- entities that process the data on behalf of the Data Controller and take part in:
- the sale of goods and services of Betafence Sp. z o.o. or the organisation of marketing services;
- the operation of telecommunications and IT systems or tools;
- the performance of certain activities connected with the performance of the sales agreement (e.g. supplier, entity verifying complaints);
- the provision of consultancy, audit, legal services for the Data Controller;
- other data controllers that process the data on their own behalf:
- entities cooperating with the Data Controller in the organisation of marketing actions or customer service;
- entities providing payment services (banks, entities handling electronic payments);
- entities providing consultancy, audit, legal services to the Data Controller to the extent to which they become data controllers;
- public authorities, e.g. courts, prosecutor’s office, tax authorities, police.
Transfer of personal data outside of the European Economic Area
At present the Data Controller neither transfer nor intends to transfer personal data outside of the European Economic Area.
Personal data retention period
- If the personal data are used on the basis of the data subject’s consent, they can be used until the consent is withdrawn.
- The personal data disclosed in connection with the sales agreement can be retained for the period during which claims connected with the performance of such an agreement can be pursued, however for no more than 6 years of the sales agreement date or, if a court dispute has been initiated, for 6 years after the court ruling comes into effect.
- All data will be also stored for periods set out in regulations (e.g. tax regulations) if such periods are longer than specified above. The same applies to circumstances where a longer data retention period is necessary to secure against negative legal consequences of non-compliance.
- Personal data profiling consists in data processing (in an automated way, as well) by using the data to assess certain information, including the analysis or forecast of personal preferences and interests of a data subject.
- For that purpose, the data will only be used on the basis of the data subject’s consent. However, no decisions will be made in an automated way. This will neither bring any legal consequences to the data subject nor have any material impact on the data subject’s situation.
Rights of data subjects
- Data subjects have the following rights:
- right of access to their personal data;
- right to obtain information about their personal data;
- right to obtain copies of their personal data;
- right of rectification if their personal data are incorrect;
- right to supplement their personal data if they are incomplete;
- right to have their personal data erased;
- right to restrict the personal data processing;
- right to data portability;
- right to lodge a complaint with a personal data protection authority if the personal data processing is found to illegal (protection authority: Chairman of the Personal Data Protection Office, address: ul. Stawki 2, 00-193 Warsaw),
- right to withdraw their personal data processing consent at any time without reason;
- right to object to the personal data processing for marketing purposes, including profiling;
- right to object to the personal data processing for purposes arising from legitimate interests (see: Purpose of personal data processing in Section 3) for reasons connected with their special circumstances.
- The data subject may file any of the requests referred to in Section 1 with the Data Controller at any time by sending the request to the Data Protection Officer (to the address specified above).
- Having received such a request, the Data Controller will inform the data subject about actions taken immediately, however no later than within .. of the receipt of the request. If reasonable, given the complicated character of the request and the number of requests, the above deadline may be extended by 2 months, which the data subject will be informed about.
- If the Data Controller has reasonable doubts about the identity of the requesting person, it may request further information that is necessary to identify that person. .
- Within the time limit set out in Section 3, the Data Controller will inform the data subject about reasons for not taking actions as requested and the requesting person’s right to lodge a complaint with the Chairman of the Personal Data Protection Office and use legal measures before a competent common court.
- The requesting person will receive the information referred to in Sections 3-5 in one of the following ways, as chosen by the Data Controller:
- in writing by registered mail to the requesting person’s mailing address;
- by e-mail to the e-mail address given by the requesting person;
- the requesting person delivers their request by e-mail and does not request a response to be delivered in a different form; then the information referred to in Sections 3-5 will be sent to that e-mail;
- the requesting person requests that the information should be delivered verbally, provided that the person has been identified and in that case the information will be delivered verbally.
- As a rule, all requests and actions of the Data Controller are free of charge. If, however a request is obviously unreasonable or excessive (e.g. due to its repetitive character), the Data Controller can:
- charge a fee, including administrative costs of response, communication or requested actions; or
- refuse to take actions in relation to the request.
- If the request to rectify, supplement, erase or restrict the processing of personal data is reasonable, the Data Controller will take relevant actions in that extent and notify each entity to which the personal data has been transferred (data recipient) of the implementation of the request. Such entities will not be informed if it is not possible (e.g. a given entity does not exist anymore) or it requires excessive efforts (e.g. due to the lack of an ordinary contact with data recipients).
- At a request of the data subject, the Data Controller will inform the data subject about data recipients to which the information given in Section 8 have been transferred and data recipients which the Data Controller has not managed to contact (second sentence in Section 8).