Privacy policy –
REGISTERED ACCOUNTANT BASED IN KRAKOW KRS: 0000878480

I. General provisions

The administrator of personal data is Polecony Księgowy spółka z ograniczoną odpowiedzialnością with its registered office in Krakow, address: ul. Czyżówka 14/0.3, 30-526 Kraków, entered in the Register of Entrepreneurs of the National Court Register, whose documentation is kept by the District Court for Kraków-Śródmieście in Kraków under KRS number: 0000878480, NIP 6793210622, REGON: 38792716800000, with share capital of PLN 5,000.00
This Privacy Policy sets out the rules for the processing of personal data obtained by the Company when handling e-mail correspondence, complaints, claims and requests, and applications for positions offered by the Administrator, and also constitutes an information clause regarding the processing of personal data by the Company within the above scope.
The Company processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).
The Company makes every effort to protect the privacy of its contractors, customers, applicants for positions offered by the Company, and any other persons contacting the Administrator by e-mail, as well as all data and information obtained from them. It selects and applies technical protection measures, both programming and organisational, with due diligence, thus ensuring complete protection against their disclosure, loss, destruction, unauthorised modification or processing in violation of applicable law.
The data collected by the Company is processed in accordance with the law, respecting the principles of fairness and transparency, collected to the minimum extent necessary for the specified purposes and processed in accordance with them, not further processed in a manner incompatible with those purposes, adequate and factually correct in relation to the purpose, and stored in a manner that allows the identification of data subjects.
Personal data may be disclosed to third parties only if it is necessary for the purposes specified in II. paragraph 1, if requested by a competent authority in accordance with its functions, or if required by law. Personal data may be disclosed primarily to the following entities: law firms, IT service providers, and accounting service providers.
The transfer of personal data in e-mail correspondence implies that you have read and understood the rules described in this Privacy Policy. The basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) or the necessity to take action prior to entering into a contract (Article 6(1)(b) of the GDPR), the fulfilment of obligations incumbent on the Controller (Article 6(1)(c) of the GDPR) or consent to the processing of personal data for one or more purposes (Article 6(1)(a) of the GDPR).
The personal data controller declares that the Privacy Policy serves an informational purpose, which means that it does not constitute a source of rights and obligations for persons contacting the Company by e-mail. Its purpose is to define the actions taken by the Company as a data controller.

II. Personal data processed, purpose of data processing and legal basis for processing

Providing personal data is voluntary, but necessary for purposes related to:
1. corresponding with the Administrator via the online store for purposes related to products, contracts or other matters related to the online store – pursuant to Article 6(1)(a), (b) and (f) of the GDPR,
2. selling products via an online store without creating an account – Article 6(1)(b) of the GDPR,
3. using the account creation service – Article 6(1)(a) of the GDPR,
4. handling claims, complaints and requests submitted or brought by the Company’s customers or by the Company – pursuant to Article 6(1)(b), (c) and (f)
5. providing commercial information from the Administrator – Article 6(1)(a) and (f),
6. ensuring the proper functioning of the online store, including maintaining the user’s session, shopping basket and login security – Article 6(1)(a) and (f).
The company processes the following personal data for purposes related to
1. correspondence with the Administrator via the online shop for purposes related to products, contracts or other matters related to the online shop – name and surname, email address, telephone number, description of the matter or other data voluntarily provided in the correspondence,
2. selling products via an online shop without creating an account – name and surname, e-mail address, telephone number, residential address, company name, tax identification number, payment details or other information voluntarily provided in the order,
3. using the account creation service – first and last name, email address, telephone number, company name,
4. handling claims, complaints and requests submitted or brought by the Company’s customers or by the Company – name and surname, email address, telephone number, address of residence, description of the case, information about the purchased product or other data voluntarily provided in the correspondence,
5. providing the Administrator with commercial information – e-mail address,
6. ensuring the proper functioning of the online store, including maintaining user sessions, shopping carts, and login security – IP address, session and device identifiers, data on user activity on the website, data on the browser and operating system used, data on the source of entry to the website.
The processed personal data will not be subject to automated decision-making, including profiling.
A person who has voluntarily provided personal data to the Controller has the right to withdraw their consent to the processing of their personal data at any time. Withdrawal of consent does not affect the processing of data carried out prior to withdrawal of consent.
Personal data will not be transferred outside the European Economic Area.

III. Period of storage of personal data

The Company retains personal data for no longer than is necessary for the purposes for which the personal data was collected. The Company retains data for purposes related to:
1. correspondence with the Administrator via the online shop for purposes related to products, contracts or other matters related to the online shop – for a period of 3 years from the resolution of a specific matter,
2. selling products via an online shop without creating an account – for a period of 3 years from the date of a specific sale,
3. using the account creation service – for the period of having an account in the online shop until the account is deleted,
4. providing commercial information from the Administrator – for the duration of the consent to provide commercial information, until it is withdrawn by the person who gave the consent,
5. ensuring the proper functioning of the online store, including maintaining the user’s session, shopping basket and login security – IP address, session and device identifiers, data on user activity on the website, data on the browser and operating system used, data on the source of entry to the website.

unless specific provisions provide otherwise.

If processing is based on the consent of the data subject, personal data shall be processed until such consent is withdrawn,
unless further processing is necessary for compliance with a legal obligation to which the Controller is subject or for the establishment, exercise or defence of legal claims.

IV. Rights of data subjects.

Administrator:
1. informs the person about the processing of their data when obtaining data from that person, including the purposes and grounds for processing;
2. informs the person about the planned change in the purpose of data processing; informs the person about the right to access personal data (Article 15 of the GDPR), rectify data (Article 16 of the GDPR), erase data (Article 17 of the GDPR), restriction of processing (Article 18 of the GDPR), data portability (Article 20 of the GDPR), objection to processing (Article 21 of the GDPR) and on the exercise of these rights;
3. informs the person about their right to object to data processing at the latest upon first contact with that person;
4. notify the individual of the personal data breach without undue delay.
The Personal Data Controller shall inform the person that it does not process data concerning them if such person has submitted a request concerning their rights. The Controller shall inform the person, within one month of receiving the request, of its refusal to consider the request and of the person’s rights in this regard if the request is unlawful.
At the request of a person regarding access to their data, the Controller shall inform the person whether they are processing their data and shall inform the person about the details of the processing, in accordance with Article 15 of the GDPR, and shall also grant the person access to their data.
Correction of data:
The controller shall correct inaccurate data at the request of the data subject. The controller has the right to refuse to correct the data unless the data subject reasonably demonstrates the inaccuracy of the data to be corrected. In the event of correction of the data, the controller shall inform the data subject of the recipients of the data, at the request of the data subject.
Completing data:
The administrator completes and updates data at the request of the person, and has the right to refuse to complete the data if doing so would be inconsistent with the purposes of data processing. The controller may rely on the data subject’s statement regarding the supplemented data, unless this is insufficient in light of the procedures adopted by the controller, the law, or there are grounds to consider the statement unreliable.
Data deletion:
At the request of the data subject, the Controller shall delete the data when:
1. the data are not necessary for the purposes for which they were collected or processed for other purposes;
2. consent to their processing has been withdrawn and there is no other legal basis for processing;
3. the individual has successfully objected to the processing of such data;
4. the data was processed unlawfully;
5. the necessity to delete the data results from a legal obligation incumbent on the Controller.
Restriction of processing:
The controller shall restrict the processing of data at the request of the data subject where:
1. the person questions the accuracy of the data – for a period allowing for verification of its accuracy
2. the processing is unlawful and the data subject opposes the erasure of the personal data, requesting the restriction of their use instead
3. The company no longer needs the personal data, but it is required by the data subject for the establishment, exercise or defence of legal claims.
4. the person has objected to the processing on grounds relating to their particular situation – until it is determined whether the Company has legitimate grounds that override the grounds for the objection.
Data transfer:
At the request of the data subject, the Controller shall issue, in a structured, commonly used and machine-readable format, or transfer to another entity, if possible, data concerning that data subject which the data subject has provided to the Controller, processed on the basis of the data subject’s consent or for the purpose of concluding or performing a contract with the data subject, in the Controller’s IT systems.
Objection to data processing:
If a person raises an objection to the processing of their data on grounds relating to their particular situation, and the data is processed by the Controller on the basis of the Controller’s legitimate interest or a task entrusted to the Controller in the public interest, the Controller shall take the objection into account, unless there are legally justified grounds for processing on the part of the Controller that override the interests, rights and freedoms of the person raising the objection, or grounds for establishing, pursuing or defending claims.
If a person objects to the processing of their data by the Controller for direct marketing purposes, the Controller shall take the objection into account and cease such processing.
In order to exercise the rights under the GDPR, the Company may, in case of reasonable doubts as to the identity of the person making the request, ask for additional information necessary to confirm it. Verification is carried out using proportionate measures and in accordance with the principle of data minimisation.

V. Complaint to the supervisory authority

Any person who considers that the processing of their personal data infringes the provisions of the GDPR has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence or the place of the alleged infringement. In Poland, the supervisory authority within the meaning of the GDPR is the President of the Personal Data Protection Office.

VI. Contact details of the data controller

Polecony Księgowy spółka z ograniczoną odpowiedzialnością
KRS: 0000878480
NIP 6793210622
REGON: 38792716800000
e-mail: sklep@poleconysystem.pl
phone: +48 12 311 52 22

Privacy policy –REGISTERED ACCOUNTANT BASED IN KRAKOW KRS: 0000878480

Table of contents: