Personal data and privacy protection is important to us and is one of the priorities of our business. We take all possible measures to adequately safeguard your personal data and transparently present to you how we use them. As of 25 May 2018, new European data protection legislation, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (known as the General Data Protection Regulation or “GDPR”) (Official Journal of the EU L 119 of 4 May 2016, p. 1), applies in Poland.
Therefore, we would like to inform you about the processing of your personal data and the principles of their processing as part of the Controller’s marketing activities.
1. Who is responsible for your personal data? (Controller)
The Controller of your personal data is Scalio sp. z o.o., with its registered office in Orzeszkowo, Orzeszkowo 32, 64-420 Kwilcz, entered in the Register of Entrepreneurs of the National Court Register kept by the Poznań - Nowe Miasto and Wilda District Court in Poznań, 9th Business Division of the National Court Register, under number: KRS 0000018290, NIP tax code: 7870023833, REGON statistical code: 630226995.
2. Contact details of the Controller
You can contact the Controller on matters concerning the processing of your personal data by sending:
a) a traditional letter to the following address: Scalio Sp. z o.o., Orzeszkowo 32, 64-420 Kwilcz;
b) an e-mail to the following address: firstname.lastname@example.org.
3. Legal basis and purpose of processing of your personal data
If you have a business relationship with the Controller, your personal data are processed by us or third parties based on the legitimate interests (Article 6.1 (f) of the GDPR). Legitimate interests should be understood as direct marketing of services provided by the Controller or third parties.
Your personal data may also be processed by us on the basis of your voluntary consent (Article 6.1 (a) of the GDPR).
Your personal data may also be processed for the purpose of concluding and performing a contract for the provision of services offered by us. In that case, the basis for data processing is Article 6.1 (b) of the GDPR, i.e. the processing is necessary for the performance of the contract and for taking steps prior to entering into the contract.
If you give your consent, the Controller is entitled to process your personal data for marketing purposes also after the termination of the contract between you and the Controller. The Controller will not process your personal data if you withdraw your previously given consent. Processing carried out prior to the withdrawal of consent continues to be lawful.
4. Your rights due to processing of your personal data by us
Under the GDPR, you have a number of rights in relation to your personal data. We describe and explain your rights below:
a) Right of access to your personal data: you can exercise your right of access to your data at any time;
b) Right to rectification and completion of your data: you have the right to request the Controller to immediately rectify your inaccurate personal data as well as to request the Controller to complete incomplete personal data;
c) Right to erasure: you have the right to request the Controller to immediately erase your personal data in any of the following cases:
• where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• where the data subject has withdrawn the consent on which the processing is based and where there is no other legal ground for the processing;
• where the data subject objects to the processing of data referred to in section (e) below and there are no overriding legitimate grounds for the processing;
• where the personal data have been unlawfully processed;
• where the personal data have to be erased for compliance with a legal obligation in European Union or Polish law;
• where the personal data have been collected in relation to the offer of information society services.
However, the Controller will not be able to erase your personal data to the extent that the processing is necessary:
• for exercising the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by European Union or Polish law;
• for establishment, exercise or defence of claims.
d) Right to restriction of processing: you have the right to obtain from the Controller restriction of processing where one of the following applies:
• you contest the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of claims;
• you have objected to the processing, referred to in section (e) below, pending the verification whether the legitimate grounds of the Controller override your grounds for the objection.
e) Right to object: you have the right to object to the processing of your personal data where the Controller processes the data for legitimate interests, i.e. where personal data are processed for direct marketing purposes. The Controller may disregard your objection if it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defence of claims.
f) Right to withdraw consent: where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of the processing based on consent before its withdrawal.
g) Right to data portability: where the data are processed for the purpose of entering into and performing a contract or the processing is based on consent and is carried out by automated means, you have the right to receive your personal data, which you have provided prior to or in the course of your relationship with the Company, from the Controller in a structured, commonly used and machine-readable format. You also have the right to transmit those personal data to another controller.
h) Right to lodge a complaint: you have the right to lodge a complaint about the processing of your personal data by the Controller with the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.
The rights, referred to in sections (a) through (g) above, can be exercised by contacting the Controller / our Data Protection Officer by sending:
• a traditional letter to the following address: Scalio Sp. z o.o., Orzeszkowo 32, 64-420 Kwilcz;
• an e-mail to the following address: email@example.com.
The right to lodge a complaint, referred to in section (h) above, may be exercised by contacting the supervisory authority directly.
5. Processing of sensitive personal data
The Controller does not process your sensitive personal data.
6. Provision of personal data
The direct provision of personal data by you is voluntary. However, refusal to provide personal data may, depending on the context in which the data are processed, prevent us from contacting you or sending you marketing content, including newsletters.
7. Entities to whom we disclose your personal data
We may disclose your personal data to the following recipients or categories of recipients:
a) service providers which provide services on our behalf or for us. We require compliance with applicable data protection laws in our contracts with such service providers;
b) other third parties, in particular to authorised state authorities, to the necessary extent if such obligation arises from mandatory legal provisions.
8. Transfer of personal data to third countries
In the case of transfer of your personal data to third countries, i.e. to recipients located outside the European Economic Area or Switzerland in countries which, according to the European Commission, do not ensure sufficient data protection (third countries not ensuring an adequate level of protection), the Controller transfers the data using mechanisms in accordance with applicable law, which include, among others, (1) EU “Standard Contractual Clauses”, (2) third-party certification of Privacy Shield compliance (where based in the United States), (3) where the transfer is to a third country for which the European Commission has decided that the third country ensures an adequate level of protection. For more information on the existing safeguards implemented by the Controller to ensure that personal data are processed in accordance with the relevant provisions and on how to obtain a copy of the data or where the data can be accessed, please contact us as indicated in section 2 above.
9. Personal data storage period
The Controller makes all efforts to ensure that your personal data are processed adequately and for as long as necessary for the purposes for which they were collected. With this in mind, the Controller stores your personal data for no longer than necessary to achieve the purposes for which they were collected or, if necessary, to comply with applicable law, in particular for the contract performance period and the period of limitation of claims.
10. Automated decision-making
The Controller carries out automated decision-making, including profiling, based on the personal data provided in the form of cookies on the Controller’s website.