Fulfilling the legal duty regulated by the provision of article 13 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as ‘GDPR’), Madejski spółka komandytowa with its registered seat in Kraków (hereinafter referred to as ‘the Company’) informs that in order to lead its activity, the Company collects and uses personal data, including information about Contractors of the Company.

INFORMATION CONCERNING PROCESSING OF PERSONAL DATA

Data controller

The data controller (hereinafter: ‘the Controller’) is Madejski spółka komandytowa with its registered seat in Kraków, address: Makuszyńskiego street 28, 31-752 Kraków, entered into the register of entrepreneturs of the National Court Register under KRS no. 0000941265, for which the files are kept by the District Court in Kraków, XI Commercial Division of the National Court Register, tax identification number (NIP) 6781010745, National Business Registry Number (REGON): 350828050.

Contact data

As the Controller, we have not appointed the Data Protection Officer. In all matters concerning processing of personal data by the Company and exercise of rights related to data processing, we can be contacted to the e-mail address: rodo@madejski.com.pl, or in written form to the address of the Controller, with a mention ‘Personal data’.

Scope of information

The Company informs that it processes personal data of physical persons being:

a) contractors of the Company, including possible contractors and/or

b) shareholders, employees, statutory representatives, proxies or representatives of such contractors, and or

c) other persons whose data are processed by the Company for the purpose of performance of an agreement concluded between the Company and Contractors, also within the scope of issuance of invoices and/or bills and performance of deliveries and/or orders within the framework of agreements with Contractors, hereinafter jointly as ‘Contractors’.

Kinds of personal data

In connection with cooperation between Contractors and the Company, the Company will process personal data given thereby, such as:

a) name and surname, business name, address of commercial activity and address(es) for correspondence, and/or b) numbers possessed in given registers (for instance tax identification number – NIP, or National Business Registry Number – REGON), and/or c) contact data, including e-mail address and/or phone number and/or fax number, and/or d) post occupied within the framework of an organization of Contractors. Giving the aforementioned data is optional, but necessary for performance of contractual relationship and cooperation between Contractor and the Company. Refusal of making the data available is tantamount to lack of possibility to perform stipulations of an agreement by the Company (for instance, refusal to make the data available may entail lack of possibility of payment of an invoice).

Your personal data may be collected from publicly available sources, such as registers of entrepreneurs CEIDG or KRS, for the purpose of verification of information indicated by Contractors. In such case the scope of processed data will be limited to data that are publicly available in those registers.

We may also obtain personal data from entities you are employed by or which you represent or cooperate with on the basis of separate agreements. The scope of processed data encompass in such case information necessary for performance of an agreement between the Company and such entity, for instance information about termination of employment relationship of a given entity, change of contact data or change of a work post.

Purpose of processing/Basis of processing:

Taking necessary actions before conclusion of an agreement, conclusion and performance of an agreement and provision of services in accordance with an agreement.

Article 6 section 1 letter b and f of GDPR, as so-called legally justified interest of the controller, which is assertion of claims and defense of its rights .

For marketing purposes of the Controller, including profiling for marketing and analytical purposes.

Article 6 section 1 letter b and f of GDPR, as so-called legally justified interest of the controller, or article 6 section 1 letter a – granted consent.

For marketing purposes, including analytical purposes and profiling of third persons, including partners of the Controller.

Article 6 section 1 letter a of GDPR – a consent, and in case of lack of a consent, personal data are not processed for that purpose.

Fulfillment of legal duties encumbering the Controller, resulting from applicable legal provisions.

Article 6 section 1 letter c of GDPR – processing is indispensable for fulfillment of legal requirements the Controller is subject to.

Possibly for the purpose of assertion of claims related to an agreement concluded with you / provided services.

Article 6 section 1 letter b and f of GDPR, as so-called legally justified interest of the controller, which is assertion of claims and defense of its rights.  

Specific purpose and basis of processing are indicated in a separate notification addressed to persons concerned by the data.

Period of data storage

Your personal data will be stored up to the moment of prescription of claims resulting from an agreement/ provision of services or up to the moment of expiry of a duty to store the data resulting from legal provisions, in particular the duty to store accountancy documents concerning an agreement. All data processed for the purpose of accountancy and due to tax considerations are processed by us for the period of 5 years counted as of the end of a calendar year when the legal duty arose. After the lapse of the aforementioned periods, your personal data are removed or subject to anonymisation.

In case when personal data are processed on the basis of justified interest of the Controller, personal data will not be processed for a specific purpose if you submit an objection with regard to such processing.

If the data are processed on the  basis of your consent, personal data will be processed up to the moment of its withdrawal.

Data recipients

Personal data may be transferred to recipients and other legal entities for the purposes mentioned in section 6, within the scope they are necessary for them to perform tasks ordered by the Company or if a legal provision so requires.

Recipients of personal data may be:

a) entities processing personal data upon order of the Company, such as suppliers of IT systems, providers of service within the scope of IT, entities providing services of archiving of documents and other entities performing tasks for the Company, related to maintenance of continuity of its activity.

Processing of personal data by the aforementioned entities takes place solely within the scope it is necessary for leading of activity by the Company;

b) state authorities, legal protection bodies (the police, public prosecutor offices, courts) or local government bodies in connection with the proceedings pending, and/or

c) clients, if on the basis of separate agreements it is necessary to present them appropriate attestations and certificates of conformity;

d) providers of courier or mail services.

Transfer of data outside of the European Economic Area

Collected personal data will not be transferred to recipients located in states outside of the European Economic Area (Member States of the European Union, as well as Iceland, Liechtenstein and Norway).

Measures securing personal data

In order to protect processed personal data in accordance with article 32 of GDPR, the Company has implemented appropriate technical and organizational measures aimed at securing of processed personal data against accidental or illegal destruction, loss, modification of personal data, unauthorized disclosure of personal data and unauthorized access to personal data.

The security measures, referred to hereinabove, have been implemented taking into account the state of technology, costs of implementation, threats related to processing and character of personal data, with sensitive data in particular consideration.

Automated processes of decision taking within the scope of personal data protection

Processed personal data will not be subject to automated processes of decision taking by the Company, including profiling while performing an agreement between the Company and the Contractor.

Rights of a person concerned by the data

You are vested with the right of access to your data, as well as the right to demand its correction, removal, limitation of processing. If the basis of processing of personal data is legally justified interest of the Controller, you may submit an objection against processing for the purposes of direct marketing, including profiling and for analytical purposes.

Within the scope the basis of processing of personal data is the consent, you have right to withdraw the consent. Withdrawal of the consent does not have impact on legality of processing which was made on the basis of the consent before its withdrawal.

Within the scope your data are processed for the purpose of conclusion and performance of a contract / performance of services or processed on the basis of a consent – you also have the right to transfer personal data. In such case, you will receive from the Company your personal data in a structured, commonly used, machine readable format.

You are also vested with the right to file a complaint with a competent authority for protection of personal data.

Giving personal data in connection with concluded agreement / services provided on the basis thereon is voluntary, but necessary for conclusion and performance of an agreement – without indication of personal data it is not viable to conclude a contract / provide services. Giving personal data for marketing purposes is voluntary.