Data controller
The controller of personal data is IPD POLAND sp. z o.o. with its registered office in Wrocław, address: ul. Mińska 38-40, 54-610 Wrocław, KRS: 0001117129, NIP: 5273121573, e-mail: zamowienia@ipd2004.pl, tel: +48 574 738 358; +48 577 675 333.
Person Responsible for Data Protection
Personal data protection matters within the Controller’s organization are coordinated by the appointed Responsible Person, who can be contacted at zamowienia@ipd2004.pl.
Scope and sources of personal data
The Controller obtains the following categories of personal data:
• Data provided directly – identification and contact details (e.g. first name, last name, e-mail, phone), company details, billing data, contents of correspondence, data necessary for service provision,
• Data provided indirectly – equivalent to data provided directly, except that they are made available by an entity authorized to do so, rather than directly by the data subject,
• Data collected automatically – server logs, online identifiers, device and browser information, privacy/cookie settings and – upon consent – analytics and marketing data.
Purposes and legal bases for processing personal data
Personal data are processed for the following purposes and on the following legal bases:
• Communication and contact forms – handling inquiries and correspondence, including requests for quotations – Article 6(1)(f) GDPR or Article 6(1)(b) GDPR,
• Data and organizational security and claims handling – ensuring system integrity, preventing abuse, establishing and pursuing claims, as well as defending against claims – Article 6(1)(f) GDPR,
• Analytics and statistics – measuring and improving the service (website) – on the basis of the data subject’s separate, explicit, and voluntary consent, i.e. Article 6(1)(a) GDPR.
Obligation to provide personal data
Providing personal data is voluntary but may be necessary to conclude and perform a contract, respond to an inquiry, or tailor displayed content. Failure to provide personal data may wholly or partially prevent the performance of these activities or their proper execution.
Recipients of personal data
Personal data may be disclosed or entrusted to: IT and hosting providers, e-mail services, security tools, payment services, system administrators, business, accounting and legal advisors, product delivery providers (in particular courier companies), as well as providers of mailing systems, CRM, online analytics and advertising, and anti-spam tools.
The disclosure or entrustment of personal data takes place under agreements and within the Controller’s documented instructions, with appropriate technical and organizational measures in place to ensure the protection of personal data.
Transfers outside the EEA
Personal data are not transferred outside the EEA.
Retention periods
Personal data are stored for the following periods:
• Correspondence and inquiries – up to [period] from resolving the given inquiry or sending the last message in the correspondence, unless limitation periods justify a longer term.
• Marketing or analytics data – until consent is withdrawn or a valid objection is raised.
• Data necessary for pursuing claims and ensuring security – until the expiry of limitation periods.
Rights of data subjects
Each data subject has the following rights exercisable vis-à-vis the Controller:
• Right of access – includes the right to request confirmation as to whether personal data are processed, to obtain access to their content, and to receive information, including about purposes, categories of data, recipients, retention periods, and the source of data if not collected from the data subject. The data subject may receive a copy of the data (additional copies may be subject to a fee corresponding to administrative costs).
• Right to rectification – the data subject may request the correction of inaccurate data and completion of incomplete data, including by submitting an additional statement.
• Right to erasure (the “right to be forgotten”) – available, among others, where data are no longer necessary for the purposes for which they were collected, where the data subject withdraws consent and there is no other legal basis, where the data subject successfully objects, where data have been processed unlawfully, or where erasure results from a legal obligation. Note: this right may be limited by generally applicable laws (GDPR/Polish Data Protection Act), e.g. the Controller’s obligations related to accounting or the defense of claims.
• Right to restriction of processing – available where the data subject contests the accuracy of the data (for a period enabling verification), or where processing is unlawful but the data subject opposes erasure, or where the Controller no longer needs the data but they are required by the data subject for the establishment, exercise or defense of claims, or where the data subject has objected – in which case processing will be restricted pending verification whether the Controller’s legitimate grounds override those of the data subject.
• Right to data portability – the data subject may receive the data provided to the Controller in a commonly used, machine-readable format and request their transmission to another controller, where processing is based on consent or a contract and is carried out by automated means, and where technically feasible.
• Right to object to processing based on Article 6(1)(e) or (f) GDPR – the data subject may object on grounds relating to their particular situation. The Controller will then cease processing unless it demonstrates compelling legitimate grounds overriding the interests, rights and freedoms of the data subject or grounds for the establishment, exercise or defense of claims.
• Right to object to direct marketing – if data are processed for direct marketing purposes, the data subject has the right to object at any time; after objection, the data will no longer be processed for this purpose.
• Right to withdraw consent at any time – withdrawal does not affect the lawfulness of processing based on consent before its withdrawal; it may, however, prevent the provision of services that require consent (e.g. newsletter, personalization).
• Right to information at collection and during processing – includes transparent information about the Controller, purposes, legal bases, recipients, retention periods, rights, and transfers to third countries.
• Right to lodge a complaint with a supervisory authority – the data subject may lodge a complaint with the President of the Personal Data Protection Office (PUODO) or another competent supervisory authority in the EU, in particular in the state of habitual residence, place of work, or place of the alleged infringement.
Automated decisions and profiling
Marketing profiling is possible only on the basis of the data subject’s express and informed consent.
No automated decisions producing legal effects concerning the data subject are made without human involvement.
Data security
Organizational and technical measures described in the internal policies of IPD POLAND sp. z o.o. have been implemented, including, among others, authorizations and appointments, training, permission reviews, incident reporting procedures, as well as technical measures such as data encryption, multifactor authentication, and protection against DDoS attacks. Secure password principles, IT-approved password managers, and rules for the secure transfer of media and files are applied.