We care about the security of your data. How important it is to us is demonstrated by, among other things, the fact that we have adopted solutions to meet the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (GDPR).
The Policy contains information on:
- Scope of application
- Principles of personal data processing
- Principles of exercising the rights of natural persons
- Reporting violations
1. General information
2. Scope of application
1. The purpose of this document is to ensure the compliance of the personal data processing by the Administrator with the principles resulting from the GDPR.
2. The addressees of the Policy are:
a) all natural persons whose personal data is processed by the Administrator;
b) all persons authorized to process personal data by the Administrator, including the Administrator’s employees and associates.
3. The Policy applies to all personal data processing and all personal data processed by the Administrator, regardless of the form of their processing (traditional processing and IT systems) and whether the personal data is or can be processed in data sets.
1. Administrator – MAGOREX, a limited liability company sp.k., operating at the address: ul. Pienińska 11, 68-200 Żary, POLAND, with the following tax identification number (NIP): 928-14-14-292;
3. Personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of such data as name and surname, mailing address, e-mail address or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person;
4. Processor – an entity that processes personal data on behalf of the controller;
5. Processing of personal data – an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise providing, adjusting or combining, limiting, removing or destroying;
6. Person authorized to process personal data – a person having an authorization issued by the administrator or processor to process personal data to the extent specified by the authorization;
7. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC;
8. Act – the Act of 10 May 2018 on the protection of personal data (i.e. Journal of Laws of 2018, item 1000; as amended);
9. President of the Personal Data Protection Office – the President of the Personal Data Protection Office; Polish supervisory authority in the field of personal data processing.
10. Breach of personal data protection – breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.
11. User – an entity using the Administrator’s website via a computer or other end device.
4. Principles of personal data processing
1. All recipients of the Policy, as well as entities with which the Administrator has concluded contracts for entrusting the processing of personal data, are obliged to comply with the rules for the processing of personal data unless other rules for compliance with the provisions on personal data have been set out in the contract for entrusting the processing of personal data or other legal instruments that do not violate the provisions of the GDPR.
2. The processing of personal data is based on the following principles included in art. 5 GDPR. Those are:
a) the principle of legality – personal data are processed lawfully, fairly and transparently for the data subject;
b) the principle of purpose limitation – personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes;
c) the principle of correctness – personal data are collected correctly and, if necessary, updated; in the event of incorrect data processing in the light of the purposes of their processing, all reasonable steps must be taken to ensure that the data is immediately deleted or rectified;
d) the principle of data integrity and confidentiality – personal data are processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures;
e) the principle of minimalism – personal data are processed in a manner that is adequate, appropriate and limited to what is necessary for the purposes for which they are processed;
f) the principle of limitation of storage – personal data is stored in a form that permits identification of the data subject for no longer than it is necessary for the purposes for which the data are processed; personal data may be stored for a longer period, as long as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes according to Art. 89 paragraph 1 GDPR, provided that appropriate technical and organizational measures required under the GDPR are implemented to protect the rights and freedoms of data subjects;
g) the principle of accountability – it means the ability to demonstrate compliance with the principles set out in this point.
3. The Administrator, if he is required to do so by law or if he voluntarily chooses to do so, keeps a Register of processing activities. If the Administrator is also a processing entity, in a situation where he is obliged to do so or if he voluntarily chooses to do so, he keeps a Register of categories of processing activities.
4. The administrator keeps the necessary documentation on his own and applies appropriate technical and security measures for the proper processing of personal data.
5. The administrator grants authorizations to persons who process personal data as part of their duties. At the same time, each of the authorized persons is obliged to maintain the confidentiality of all information obtained in the performance of their duties.
6. Each of the persons authorized to process personal data is obliged to:
a) process personal data only to the extent and for the purpose provided for in the tasks entrusted;
b) keep the personal data to which he has access confidential;
c) not use personal data for purposes inconsistent with the scope and purpose of the entrusted tasks;
d) keep the methods of securing personal data secret;
e) protect personal data against accidental or unlawful destruction, loss, modification of personal data, unauthorized disclosure of personal data, unauthorized access to personal data and processing;
f) give notification in the event of a breach of personal data protection identified or suspected – in accordance with the breach reporting rules.
7. The administrator ensures the application of technical and organizational measures necessary to ensure confidentiality, integrity, accountability and continuity of the data processed, and supervises compliance with the rules of personal data protection.
8. As part of his business activities, the administrator may entrust personal data to other entities for processing. Detailed rules for entrusting the processing of personal data are governed in this case by the data processing contract or other legal instruments.
9. The Administrator, with respect to the personal data he processes and within the scope of their processing, takes into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons, of varying likelihood and severity, resulting from the processing, and implements appropriate technical and organizational measures (privacy by design).
10. Concerning the personal data processed by him, the administrator implements appropriate technical and organizational measures so that only the personal data necessary for the achievement of each specific processing purpose (privacy by default) are processed by default.
11. Connections to the Administrator’s website are encrypted using the SSL protocol.
12. If the processing of personal data requires consent, the Administrator processes this data only for the purpose and to the extent for which the consent has been given.
13. In the case of entrusting the processing of personal data, the Administrator uses only the services of such a processor that provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and ensures the rights of the data subjects.
5. Principles of exercising the rights of natural persons
1. Due to the granting of several rights to natural persons whose personal data is processed, the Administrator ensures their implementation whenever possible. The rights of natural persons that the Administrator exercises are:
a) the right to access data;
b) the right to rectify data;
c) the right to delete data;
d) the right to limit processing;
e) the right to data portability;
f) the right to object;
g) the right to withdraw consent.
2. The Administrator has implemented organizational and technical measures to ensure the implementation of the above-mentioned rights, so as to be able to meet the requests of data subjects without undue delay, no later than within one month of receiving a request from a natural person.
3. In the event of a complex request or a significant number of requests made, the Administrator, within one month of receiving the request of a natural person, will inform the data subject of the extension of the deadline by a maximum of two months, stating the reasons for the delay.
4. If the request of a natural person cannot be taken into account (e.g. is contrary to the law), the Administrator will inform the natural person, within the above-mentioned time limits, of the refusal to fulfil the request, together with the reasons.
5. Actions taken by the Administrator in response to submitted requests are free of charge. Exceptionally – if the requests of a natural person are excessive – the Administrator has the right to charge a fee in the amount taking into account the costs of responding.
6. Requests of natural persons may be directed to the Administrator:
a) in writing to the following address: MAGOREX, ul. Pienińska 11, 68-200 Żary
b) by e-mail to the following address: firstname.lastname@example.org
7. In the event of a request being made to an employee or associate of the Administrator, this person is obliged to forward the request immediately to the following address: email@example.com.
8. In justified cases, the Administrator, before exercising the right of a natural person, may seek to verify the identity of a natural person.
9. The rights of natural persons whose data are processed are exercised in writing or in documentary form (including in electronic form).
10. To defend any claims, the Administrator reserves the right to process correspondence related to the exercise of the rights of persons whose data is processed until the expiry of the limitation period for claims.
11. The administrator may refuse the request to stop processing personal data, referring to:
a) the existence of legally valid grounds for data processing that override the interests, rights and freedoms of the data subject, or
b) the existence of grounds for establishing, investigating or defending claims.
12. If the basis for the processing of personal data is the consent of a natural person, the natural person has the right to withdraw consent to the processing of personal data at any time.
6. Reporting Violations
1. In the event of a breach, the person who has detected the breach is obliged to immediately report the breach to the Administrator.
2. Reporting of a violation may also be made in electronic form, to the following address: firstname.lastname@example.org.
3. The person reporting the violation is obliged to send the notification. Failure to report a breach by a person who becomes aware of the breach may be classified as a serious breach of employee duties or a basis for termination of a civil law contract for important reasons.
4. The processor is also obliged to notify the breach, in accordance with the principles set out in the data processing agreement or another legal instrument based on which the processing of personal data was entrusted.
5. The person reporting the violations, apart from the obligation to immediately report the violation, is obliged to take all possible measures to minimize the effects of the violation, including refraining from starting or continuing work, if its performance could contribute to increasing the scale of the violation or hinder or make it impossible to determine its cause.