As required by Article 32, paragraph 1 of the General Data Protection Regulation, the data controller follows the principle of personal data protection. It takes appropriate technical and organizational measures to protect the personal data that it processes in its work.
The data controller wants you to give them your personal information, but it's up to you if you want to work with them.
Identifiers (name and surname, the name of the company or organization they work for) and contact information (e-mail address and phone number) are among the types of personal data that the data controller collects and stores. The data controller also collects and stores information about people who have been chosen to be contacted.
Processing personal data for a specific reason and on specific grounds
To do the following things, the data controller uses personal data:
Customers who want to buy something from the company will be asked to give their personal information to make that happen (Article 6 of the GDPR says that this is in the data controller's best interest).
In this case, the service will be provided by e-mail through the Web Portal, based on a contract (Article 6 of the GDPR).
Based on Article 6 paragraph 1 point c of the GDPR, the data controller must handle the complaint process.
Article 6 of the GDPR says that "Accounting" is a term that refers to the issuance and acceptance of accounting documents based on tax law rules, such as the Accounting Act of 29 September 1994 and the Value-Added Tax Act of 11 March 2004.
The legitimate interest of the person who owns the data (Article 6 paragraph 1 point f of the GDPR) is the archiving of data for the possible establishment, investigation, or defense of claims or the need to prove facts.
Article 6, paragraph 1 point f of the GDPR says that the data controller has a "legitimate interest" in contacting people by phone or e-mail.
In the data controller's best interest is to send technical information about how the Portal and its services work, which is a legitimate interest (see Article 6, paragraph 1 point f of the GDPR).
People who have given their permission for their data to be used for marketing purposes (Article 6 paragraph 1 point f of the GDPR) or other legitimate purposes (Article 6 paragraph 1 point an of the GDPR) (Article 6 paragraph 1 point a of the GDPR).
III. People who get data. Transfer of data to other people
The people who get personal data from the data controller maybe those who work with the data controller to make sure the contract with the data subject is made.
There may also be subcontractors who help the data controller with the processing of personal data, such as accounting offices, law firms, and IT service providers. The data recipients may also be people who have access to the data (including hosting services).
The data controller may have to give personal data to other people or groups because of the law, such as giving them access to personal data.
Based on the right legal protections, personal data may be sent to an entity outside the European Economic Area, such as Google LLC, as a provider of Google Analytics and Google AdWords. These are standard contractual clauses of personal data protection that the European Union has approved.
Billing documents, such as invoices, must be kept for the time required by the law on goods and services tax and accounting.
If you give your permission for your personal information to be used in marketing, the data controller must keep it for ten years. If you don't, the data controller must keep it until you do or until you object to it.
To use personal information other than the reasons outlined in paragraphs 1 to 3, the data controller must keep it for three years, unless the data subject has already said no, and the data can't be used for any other reason than consent. The data controller must keep it for that long even if the data subject has already said no.
The rights of the person who has given us their information
The right: Every person who has information about you has the same rights.
To see – to find out from the data controller if their data are being used. A person who has their data processed has the right to see them and get the following information:
- What personal data is being used for.
- What recipients or groups of recipients are getting them.
- How long the data will be kept.
- How they can be changed, deleted, or limited.
They also have the right to have the data corrected, deleted, or limited.
to obtain a copy of the data – to obtain a copy of the data to be processed, the first copy is free of charge, and for subsequent copies, the data controller may charge a reasonable fee resulting from the administrative costs (Article 15 paragraph 3 of the GDPR);
To correct – to ask for the correction of personal data that isn't correct or to add information that isn't there (Article 16 of the GDPR).
A person can ask for their data to be erased if the data controller doesn't have a legal reason to keep them or the data are no longer needed for processing (Article 17 of GDPR).
In Article 18 of the GDPR, it's possible to ask that personal data not be used for certain purposes.
And for a while, so that data controllers can check the accuracy of the data if the data subject questions whether the personal data is correct.
Processing is illegal, and the person who owns the data doesn't want them to be deleted by asking for a restriction on how they can be used.
– the data controller no longer needs these data, but the data subject needs them to make, pursue, or defend claims.
– if the data subject has objected to the processing until it can be found out whether the legitimate interests of the data controller outweigh those of the data subject; or for the transfer of data – to receive in a structured, commonly used machine-readable format personal data concerning them which he/she has provided to the data controller, and to request that the data be sent to another data controller if the data are processed based on the data subject's consent, or a contract concluded with them and if the data are processed by automated means (Article 20 of the GDPR);
In this case, they can say no to the processing of their data for any legitimate reason, including profiling, on grounds relating to their situation, and they can say no. So, the data controller should look for important legitimate grounds for processing that outweigh the rights and freedoms of the data subjects or grounds for defending claims. If the data subject's interests are more important than the data controller's interests, the data controller must stop using the data for these purposes. This is what the law says (Article 21 of the GDPR).
For example, the data subject can use the contact information provided to get in touch with the data controller and tell them which rights they want to use and how much.
The data subject has the right to complain to the head of the Office for Personal Data Protection in Warsaw, which is the President of the Office for Personal Data Protection in the city.
There may be some automated processing of personal data that the data controller obtains. This could be in profiling or other types of automated processing. People who have their data profiled by a data controller do this by analyzing and predicting their personal preferences and interests, for example, by providing them with a personalized offer. This is called personal data profiling.
The data subject will not be able to sue the data controller because the data controller will not be able to process the data automatically. Whenever the data subject doesn't like how their data is being used, they can say no.
The data controller uses Google Analytics, which is a way to look at how people use the Internet. Google LLC makes this tool. Cookies are text files stored on a user's computer and can be used to track how they use a website. Google Analytics also uses "cookies." This is how it works: The cookie stores information about how you use the website and sends that information to a Google server in the United States, where it is stored.
Google Analytics is used by the data controller to keep track of how the Portal is used and to make changes to it regularly. This is possible thanks to all the information that has been gathered. It can make the offer better and more interesting for the Users. People's data can only be sent to the United States in very rare cases. Google is bound by a contract called the EU-US Privacy Shield. Because of Article 6 paragraph 1 letter f, the Administrator can use Google Analytics even though it's against the law.