Privacy Policy
This Privacy Policy is intended to tell you what personal information we collect, for what purposes, how we use it, and who we are. It is also intended to indicate the rights you have in connection with our processing of your personal data.
Definitions.
Administrator - a natural or legal person, public authority, unit or other entity that alone or jointly with others determines the purposes and means of processing personal data.
Personal data - all information about a natural person identified or identifiable by one or more specific factors, including device IP, location data, Internet identifier and information collected through cookies and other similar technology.
Policy - this Privacy Policy.
RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
Policy - this Privacy Policy.
Service - the website maintained by the Administrator at www.gpph-group.com/shop/eur/.
User - any natural person visiting the Website or using one or more of the services or functionalities described in the Policy
Who is the Personal Data Administrator.
Krzysztof Rzeźnik and Wieslaw Piechota - partners in a civil partnership operating under the name: GPPH s.c., ul. Raclawicka 7, 39-300 Mielec with NIP number: 8172185047, REGON: 368399534 , are Administrators of Users' personal data. The Administrators perform co-administration of the Users' personal data and are hereinafter referred to in this Policy as Co-Administrators, Administrators/Administrator or GPPH.
Common arrangements between Administrators.
As part of the joint arrangements, the Administrators agreed on the scope of their responsibilities regarding the fulfillment of their obligations under RODO, in particular, they agreed that:
- a) they are jointly responsible for the performance towards the Users of the information obligation.
- b) they are jointly obliged to ensure the security of the processing of personal data through the implementation of appropriate technical and organizational measures, adequate to the type of personal data and the risk of violation of the rights of the data subjects.
- c) in terms of responding to the data subject's requests (in particular, this applies to requests and statements regarding the right to information and transparent communication, access to personal data, rectification, erasure, restriction of processing, portability of personal data, objection to the processing of personal data), the Joint Controller who received the request or statement in question will be competent. If the request is addressed to both Joint Administrators, both Joint Administrators will be obliged to respond to the aforementioned request, having first agreed on a common position. Notwithstanding the above, the Joint Administrators are obliged to cooperate with each other in responding to the data subject's requests. To this end, the Joint Controller shall promptly inform the other Joint Controller of any request from an authorized person in the exercise of that person's rights under the RODO, and shall provide the other Joint Controller with all necessary information in this regard.
- d) in terms of the Joint Administrators' fulfillment of their obligations regarding the management of personal data protection breaches and their reporting to the supervisory authority and the data subject, the Joint Administrator who identified the breach will be competent. In the event that a breach is identified by both Joint Administrators (e.g., when it has been reported to both Joint Administrators), the Joint Administrator from whose act or omission the breach arose will be competent to perform the obligations set forth in Articles 33 - 34 of the RODO. Notwithstanding the foregoing, the Joint Administrators are obliged to cooperate with each other in fulfilling the obligations set forth in Articles 33 - 34 RODO.
Point of contact
The Joint Administrators have agreed to establish a common point of contact that the Participant may contact on data protection matters at the email address kontakt@gpph.pl or in writing at the address of the joint registered office of the partnership business indicated in paragraph 1) above.
Personal data security.
The administrator conducts a risk analysis on an ongoing basis to ensure that personal data is processed by the administrator in a secure manner - ensuring, first and foremost, that only authorized persons have access to the data and only to the extent necessary for the tasks they perform. The administrator shall ensure that all operations on personal data are recorded and performed only by authorized employees and associates.
The administrator shall ensure that all operations on personal data are recorded and performed only by authorized employees and associates.
The Administrator shall take all necessary measures to ensure that also its subcontractors and other cooperating entities provide a guarantee of the application of appropriate security measures whenever they process personal data on behalf of the Administrator.
The Administrator shall take all necessary measures to ensure that also its subcontractors and other cooperating entities provide a guarantee of the application of appropriate security measures whenever they process personal data on behalf of the Administrator.
In order to ensure the security of all personal data processed by us, and in particular to ensure confidentiality and integrity, we have implemented appropriate technical and organizational measures, such as, among others:
- We conduct risk analysis on an ongoing basis in order to properly tailor solutions to potential risks of breaches,
- access to data is granted only to authorized persons and only to the extent necessary to perform their tasks,
- On an ongoing basis, we sign entrustment agreements with entities to which we outsource the processing of personal data, but we also ensure that these entities guarantee the highest level of security,
- access to systems is strictly controlled, in accordance with our security procedures.
- The Service uses SSL or TLS encryption for security reasons and to protect personal and confidential information transmitted. The user can recognize an encrypted connection by changing the page address in the browser from "http://" to "https://" and a padlock icon appears next to it.
If SSL or TLS encryption is activated, the data transmitted, will not be read by third parties.
Whose personal data we process.
As a personal data controller, we process, in particular, personal data of the following categories of persons:
- our customers - recipients of our products,
- our contractors - suppliers,
- the entities whose data we receive in the implementation of cooperation,
- persons representing entities with whom we cooperate,
- entities with whom we will want to cooperate or have a business relationship,
- users.
Types of personal data.
Administrator collects data to the extent necessary to provide the various services offered, as well as information about the User's activity on the Site.
Data provided by customers, contractors
In connection with the sale of our products, cooperation between us, and the provision of electronic services, we may process the personal data you provide, such as:
- name, company, business and mailing addresses, delivery addresses,
- numbers held in relevant registries (e.g., NIP or REGON number),
- contact information, such as email address or phone or fax number,
- IP address and other server log files,
- the position you hold within a customer or contractor organization,
- bank account number.
In case of concluding a contract directly between you and the Administrator, providing the data specified above is voluntary, but necessary for the purpose of concluding the contract and cooperating with us. In case you do not conclude a contract directly with us, providing personal data may be your business obligation.
The consequence of failing to provide personal data is that the Administrator will not be able to provide it to you.
The consequence of failure to provide data is that you will not be able to complete your order, cooperate with us or use the Service.
Data collected from other sources
We may obtain personal data from publicly available sources such as CEIDG or KRS business registers, REGON register to verify information provided by customers and contractors. The scope of the processed data in such a case will be limited to the data publicly available in the relevant registers.
We may also obtain your personal data from entities where you are employed or represented. The scope of the processed data in such case will include information necessary for the performance of the contract between us and such entity, such as information about a change of contact details or a change of official position.
Using the Service, including using the Administrator's services, placing orders and entering into contracts is voluntary. Similarly, the related provision of personal data is voluntary, subject to the following exceptions:
- entering into agreements with the Administrator - failure to provide, in the cases and to the extent indicated in the Service, in the Rules and Regulations of the Online Store and in this Policy, the personal data necessary to enter into and perform an agreement with the Administrator results in the impossibility of entering into that agreement. The provision of personal data in such a case is a contractual requirement, and if the data subject wishes to conclude a given contract with the Administrator, he/she is obliged to provide the required data. In each case, the scope of the data required to conclude a contract is indicated in advance on the Website and in the Terms and Conditions of the Online Shop;
- Statutory obligations of the Administrator - providing personal data is a statutory requirement under generally applicable laws imposing an obligation on the Administrator to process personal data (e.g., processing of data for tax or accounting purposes), and failure to provide such data will prevent the Administrator from performing such obligations.
What data are required to be provided by the Administrator?
What are our purposes and grounds for processing personal data.
The following describes the specific principles and purposes of processing personal data collected by the Administrator.
What is the basis for processing personal data?
1) Data processing in connection with the use of the Service.
In connection with the User's use of the Website, the Administrator collects data to the extent necessary to provide the individual services offered, as well as information about the User's activity on the Website. The detailed rules and purposes of processing personal data collected during the User's use of the Service are described below.
Personal data is collected by the Administrator.
Cookies (cookies)
Our Service uses cookies. Cookies are small text files stored on the User's computer and saved by the User's browser. Cookies do not harm the User's computer and do not contain viruses. Cookies make our Service more User-friendly, efficient and secure.
Most of the cookies we use are so-called "session cookies." They are automatically deleted after the User's visit to our Service ends. Other cookies remain in the memory of the device until they are deleted by the User. These cookies make it possible to recognize the browser when the User revisits our Service.
The use of session cookies is not restricted to the User's device.
The use of cookies on the Service is not intended to identify Users. The Policy governs the processing of data related to the use of our own cookies.
Non-privileged COOKIES
Administrator uses necessary cookies primarily to provide Users with the services and functionalities of the Website that the User wishes to use.
Non-necessary cookies
Non-essential cookies may only be installed by the Administrator through the Service.
The legal basis for the use of cookies is the User's right to use them.
The legal basis for the processing of data in connection with the use of necessary cookies is the necessity of the processing for the performance of the contract (Article 6(1)(b) RODO).
FUNCTIONAL AND ANALYTIC COOKIES
Functional cookies are used in order to remember and customize the Service according to the User's choices in terms of, among other things, language preferences.
Functional cookies are used in order to remember and customize the Service according to the User's choices in terms of language preferences.
Analytical cookies enable the acquisition of information such as the number of visits and sources of traffic to the Service. They are used to determine which pages are more and which are less popular, and to understand how Users navigate the Site by keeping statistics on traffic on the Site. The processing is done to improve the performance of the Website. The information collected by these cookies is aggregated, so they are not intended to determine the identity of the User.
The legal basis for the processing of personal data in connection with the use of necessary and analytical cookies by the Administrator, for this purpose, is its legitimate interest (Article 6(1)(f) of the RODO), which is to ensure the highest quality of services provided on the Service.
Processing of personal data in connection with the use of functional and analytical cookies is subject to the User's consent to the use (separately) of functional and analytical cookies through the cookie consent management tools. This consent can be withdrawn at any time through these tools.
MARKETING COOKIES
Marketing cookies are used to track Users on websites. These types of cookies may be used on the Website to provide the User with social features in connection with the use of the services of our Social Partners, who may use them for marketing purposes and to track Users' use of embedded services. Partners may combine this information with other data received from the User or obtained when using their services and use it for marketing purposes.
The legal basis for the processing of personal data in connection with the use of marketing cookies by the Administrator, for this purpose, is its legitimate interest (Article 6(1)(f) RODO), which is to ensure the highest quality of services provided on the Website.
Processing of Personal Data in connection with the use of marketing cookies is possible after obtaining the User's consent to the use of consent through consent management tools. This consent can be withdrawn at any time through these tools.
Personal Data processing in connection with the use of marketing cookies is possible.
Server logger files
Administrator automatically collects and stores information that the user's browser automatically sends to us in the form of "server log files". These include:
- browser type and version
- operating system used
- reference URL
- the hostname of the connecting computer
- the exact date and time of the request by the server
- IP address
The data will not be merged with data from other sources.
The legal basis for the processing of personal data is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting of the need to ensure the proper operation of the Website and to analyze how the Website is used by Users.
2) Other purposes and grounds for the Administrator's processing of personal data in connection with its operations.
We process personal data that we receive from you in connection with the use of services provided by us, but also when you contact us. Personal data, are processed by the Administrator:
§ for the purpose of concluding and performing a sales or cooperation agreement concluded through the Service (including by means of an order form, which makes it possible to place an order for the Administrator's products in the Online Store) - the Administrator's processing in this case is necessary to conclude and perform the agreement to which the User is a party, or to take action at the User's request, prior to the conclusion of the agreement (Article 6(1)(b) RODO);
§ for the purpose of entering into or performing an agreement between the Administrator and the entity the User represents - the legal basis for processing will be the Administrator's legitimate interest in ensuring reliable identification of the counterparty and the person representing it, as well as enabling efficient ongoing performance of the agreement (Article 6(1)(f) RODO);
§ for the purpose of providing services electronically in terms of providing Users with access to content collected on the Website-then the legal basis for processing is the necessity of processing for the performance of the agreement (Article 6(1)(b) RODO);
§ for analytical and statistical purposes - in that case, the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting in conducting analyses of Users' activities, as well as their preferences in order to improve the functionalities used and services provided;
§ for marketing purposes, in which case the legal basis for processing is the Administrator's legitimate interest (Article 6(1)(f) of the RODO) in supporting the sale of products and services.
§ for the purpose of possibly establishing and asserting claims or defending against them - the legal basis for processing is the Administrator's legitimate interest (Article 6(1)(f) RODO) in protecting its rights.
§ If a data subject sends us questions, an offer or other correspondence via a contact form or email, we will collect the data entered via email, including the contact information provided, in order to respond to the email. In such situations, personal data is processed by the Administrator in order to handle the request or answer the question sent via e-mail - the legal basis for processing will be the Administrator's legitimate interest (Art. 6 (1) lit. (f) RODO); the legitimate interest of the Administrator is to enable the handling of requests and to provide answers to questions posed by persons interested in the Administrator's services or cooperation with us, and follows the legitimate interest of the Administrator (Art. 6(1)(f) RODO) to support the sale of products and services or to provide reliable identification of the customer, contractor and the person representing them, as well as to enable the efficient ongoing performance of the concluded agreement, including the processing of complaints.
Rights of data subjects.
You are entitled to:
- access to your personal information processed by the Administrator. If you believe that any information concerning you is incorrect or incomplete, you may submit a request for rectification;
- withdrawal of consent in case the Administrator obtained such consent to process personal data. If the processing of personal data was carried out on the basis of consent, revocation of consent does not make the processing of personal data up to that point illegal. In other words, revocation of consent does not affect the legality of previous processing;
- request deletion of personal data in cases specified by the provisions of the RODO;
- request to restrict the processing of personal data in cases specified by the provisions of the RODO;
- objection to processing. The Data Subject has the right to object to the processing of data for marketing purposes, if the processing is carried out in connection with the legitimate interest of the Controller, as well as - for reasons related to the particular situation of the Data Subject - in other cases where the legal basis for the processing is the legitimate interest of the Controller (e.g. in connection with the implementation of analytical and statistical purposes).
Individuals have the right to restrict processing or object to the processing of their personal data at any time, based on their particular situation, unless processing is required by law. In this case, we will no longer process the personal data or will restrict the processing as long as we can demonstrate a legitimate basis for the processing or for establishing, exercising or defending our rights.
- transfer of data, i.e. to receive personal data provided to the Administrator in a structured, commonly used and machine-readable format and to request the transfer of such personal data to another personal data controller, without hindrance from the Administrator and subject to the Administrator's own confidentiality obligations;
- submit a complaint to the competent supervisory authority.
The above rights are not absolute; the regulations provide for exceptions to their application.
To exercise the above rights, you only need:
- send an email to: kontakt@gpph.pl, or
- send a letter directly to the Personal Data Administrator at: GPPH s.c., 7 Raclawicka St., 39-300 Mielec, marked "RODO".
To whom we may provide your personal information.
- We may transfer your data to related parties of the Administrator, in connection with cooperation between related parties.
- As most entrepreneurs, in our business we also use the assistance of other entities, which often involves the transfer of personal data. Accordingly, we transfer your personal data to the following recipients, if necessary:
- to entities that provide marketing services to us;
- entities that operate our information technology and data communications systems;
- entities that provide us with IT and ICT systems;
- entities that provide us with hosting service;
- entities conducting payment activities (banks, payment institutions);
- entities engaged in lending (banks), leasing, factoring;
- entities engaged in insurance activities;
- entities engaged in postal, courier, transportation activities;
- entities providing services to us regarding security of persons and property;
- entities providing consulting, auditing, legal, tax, collection services to us.
- Other entities, whether public or private such as, among others, the Social Insurance Institution, the Tax Office, the National Tax Administration, etc., may also have to provide your personal data on the basis of, for example, a relevant provision of law or a decision of a competent authority.
How long can we keep your personal information.
- In accordance with applicable laws, we process your personal data for the time it takes to achieve the stated purpose of processing. After this period, your personal data will be irreversibly deleted or anonymized.
- With regard to the individual processing periods, we inform you that we process your personal data for a period of time:
- the duration of the contract, but also after its termination, but no longer than for a period of 6 years - with regard to personal data processed for the purpose of concluding and performing the contract;
- for a period of up to 10 years - with respect to personal data processed for the purpose of establishing, asserting or defending claims, but for no longer than is required by applicable law;
- up to 3 years - with respect to personal data that were collected in connection with the referral of an offer, while the immediate conclusion of a contract did not occur;
- up to 6 years - with regard to personal data involving the fulfillment of obligations under tax law, e.g., storage of invoices, receipts;
- until the consent is withdrawn or the purpose of the processing is achieved, but no longer than the period of the statute of limitations for claims- with regard to personal data processed on the basis of consent;
- until you successfully object or achieve the purpose of the processing, but no longer than the period of the statute of limitations for claims- with respect to personal data processed on the basis of the Administrator's legitimate interest;
- We count periods in years from the end of the year in which we began processing personal data to streamline the process of deleting or destroying personal data. Counting the period separately for each event would involve significant organizational and technical difficulties, as well as a significant financial outlay, so establishing a single date for the deletion or destruction of personal data allows us to manage the process more efficiently.
- In case you exercise your right to forget, such situations are handled on a case-by-case basis.
Final provisions
- To the extent not covered by this Policy, the data protection regulations shall apply.
- You will be notified of any changes made to this Policy through a notice on our website.
- This Privacy Policy is effective as of 30/11/2022.