Privacy Policy
We care about the security of your personal data. The importance we attach to this matter is reflected in the measures we have implemented to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
This Privacy Policy provides information about:
* General information
* Scope of application
* Definitions
* Data Controller and contact details
* Data Protection Officer
* Categories of personal data, purposes of processing and legal bases
* Sources of personal data
* Recipients of personal data
* Transfer of data outside the European Economic Area (EEA)
* Data retention period
* Principles of personal data processing
* Data subject rights
* Voluntary provision of data
* Automated decision-making and profiling
* Reporting data breaches
* Cookies
* Final provisions
General Information
This Privacy Policy explains how and on what basis personal data is processed. It describes the measures implemented to protect personal data of individuals whose data is processed by the Controller and explains how potential data protection breaches can be reported.
This document also fulfils the information obligation under Articles 13 and 14 of the GDPR towards website users, customers, business partners and other individuals whose personal data we process.
Scope of Application
The purpose of this document is to ensure that the Controller’s personal data processing activities comply with the principles set out in the GDPR.
This Policy is addressed to:
all natural persons whose personal data is processed by the Controller;
all persons authorised by the Controller to process personal data, including the Controller’s employees and associates.
This Policy applies to all personal data processing activities and to all personal data processed by the Controller, regardless of the form of processing (including manual processing and processing carried out in IT systems), and regardless of whether the personal data is, or may be, processed in filing systems or data sets.
In particular, this Policy applies to personal data processed in connection with: the use of the Controller’s website, the use of contact forms, requests for quotations submitted to the Controller, email and telephone communications, newsletter subscriptions, participation in marketing and sales activities, and cooperation with contractors.
Definitions
Controller – an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, in particular decides why and how personal data is processed.
Policy – this Privacy Policy adopted by the Controller.
Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to such data as a name and surname, correspondence address, email address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processor – an entity that processes personal data on behalf of the Controller.
Processing of Personal Data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Authorised Person to Process Personal Data – a person authorised by the Controller or by the Processor to process personal data within the scope specified in such authorisation.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Act – the Act of 10 May 2018 on the Protection of Personal Data (consolidated text: Journal of Laws of 2018, item 1000, as amended).
President of the Personal Data Protection Office (UODO) – the President of the Personal Data Protection Office, being the Polish supervisory authority for personal data protection matters.
Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
User – an entity using the Controller’s website by means of a computer or other end device.
European Economic Area (EEA) – the area comprising the Member States of the European Union, Norway, Iceland and Liechtenstein.
Automatically Collected Data – data obtained in connection with the use of the Controller’s website, in particular the IP address, device identifiers, browser data, operating system data and website activity data.
Data Controller and Contact Details
The Data Controller is:
MAGOREX Spółka z ograniczoną odpowiedzialnością sp.k.
ul. Pienińska 11
68-200 Żary
Poland
Tax Identification Number (NIP): 928-14-14-292
For any matters related to personal data processing, you can contact the Controller:
by email: info@magorex.pl
by post at the address above.
Data Protection Officer
The Controller has not appointed a Data Protection Officer, as it is not required under Article 37 of the GDPR.
All questions regarding personal data processing can be addressed directly to the Controller using the contact details above.
Categories of Personal Data, Purposes of Processing and Legal Basis
The Controller may process the following categories of personal data:
identification data (e.g. name and surname);
contact data (e.g. email address, telephone number, correspondence address);
company-related data (e.g. company name, tax identification number (NIP), details of company representatives);
data related to the content of inquiries or correspondence;
data related to the use of the website (automatically collected data, including cookies);
data related to marketing consents granted by the user.
Personal data is processed for the following purposes and on the following legal bases:
Handling inquiries submitted via contact forms or email – based on Article 6(1)(b) GDPR (taking steps at the request of the data subject prior to entering into a contract) and Article 6(1)(f) GDPR (the Controller’s legitimate interest consisting in responding to inquiries).
Conducting correspondence and telephone communication related to ongoing cooperation, requests for quotations, orders or other business matters – based on Article 6(1)(b) or Article 6(1)(f) GDPR.
Sending newsletters – based on the data subject’s consent (Article 6(1)(a) GDPR).
Carrying out marketing activities, including direct marketing via electronic communication channels and telephone (where separate consents required by law have been given) – based on consent (Article 6(1)(a) GDPR) or the Controller’s legitimate interest (Article 6(1)(f) GDPR).
Conducting statistical analysis and website analytics, including through the use of cookies (e.g. Google Analytics) – based on consent (Article 6(1)(a) GDPR).
Carrying out remarketing activities and displaying personalised advertisements (e.g. using tools such as Meta Pixel or Google Ads) – based on consent (Article 6(1)(a) GDPR).
Compliance with legal obligations, in particular tax and accounting obligations – based on Article 6(1)(c) GDPR.
Establishing, pursuing or defending legal claims – based on Article 6(1)(f) GDPR.
Sources of Personal Data
Personal data processed by the Controller generally comes directly from the data subjects.
In some cases, personal data may originate from other sources, in particular:
entities represented by the individual (e.g. an employer or contractor);
publicly available registers (e.g. CEIDG, KRS);
entities cooperating with the Controller in the performance of agreements.
In such cases, the Controller processes only the data necessary to achieve the specific purpose of processing.
Recipients of Personal Data
Personal data may be shared with entities cooperating with the Controller, in particular:
a) providers of IT and hosting services;
b) entities providing accounting, legal and advisory services;
c) entities providing marketing services, including newsletter and SMS distribution services;
d) providers of analytical and advertising tools (including Google and Meta);
e) other contractors cooperating with the Controller, where this is necessary for the purposes of data processing.
Personal data is transferred to third parties on the basis of appropriate agreements or other legal instruments compliant with the provisions of the GDPR.
Transfer of Personal Data Outside the European Economic Area (EEA)
Personal data may be transferred outside the EEA in connection with the Controller’s use of tools provided by entities located outside the EEA (e.g. analytical and advertising tools provided by Google or Meta, or mailing system providers).
In the event of transfers of personal data outside the EEA, the Controller applies appropriate safeguards required under the GDPR, in particular Standard Contractual Clauses approved by the European Commission or other transfer mechanisms permitted by applicable law.
Personal Data Retention Period
Personal data is processed for the period necessary to fulfil the purposes for which it was collected and subsequently for the period required by law or necessary to secure potential claims.
In particular:
a) data relating to requests for quotations – generally up to 12 months after the end of correspondence, unless further retention is justified on another legal basis (e.g. conclusion of a contract);
b) data processed for the purpose of sending newsletters – until consent is withdrawn;
c) data processed for direct marketing purposes – until an objection is raised or consent is withdrawn, where consent constitutes the legal basis for processing;
d) analytical data and data resulting from cookies – up to 36 months;
e) data related to tax and accounting obligations – for the period required by generally applicable legal provisions (usually 5 years);
f) data processed for the purpose of establishing, pursuing or defending claims – until the limitation period for such claims expires.
Principles of Personal Data Processing
All addressees of this Policy, as well as entities with which the Controller has concluded personal data processing agreements, are obliged to comply with the principles of personal data processing set out in this Policy, unless different rules regarding compliance with personal data protection regulations have been established in the data processing agreement or in other legal instruments, provided that such rules do not violate the provisions of the GDPR.
The processing of personal data is based on the following principles set out in Article 5 of the GDPR:
a) Lawfulness, fairness and transparency – personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) Purpose limitation – personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Accuracy – personal data is collected accurately and, where necessary, kept up to date; where personal data is inaccurate having regard to the purposes for which it is processed, all reasonable steps must be taken to ensure that it is erased or rectified without delay;
d) Integrity and confidentiality – personal data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
e) Data minimisation – personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
f) Storage limitation – personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods provided that it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to the implementation of appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of data subjects;
g) Accountability – the ability to demonstrate compliance with the principles referred to in this section.
The Controller maintains a Record of Processing Activities where required by law or where it decides to do so voluntarily. Where the Controller also acts as a processor, it maintains a Record of Categories of Processing Activities where required or where it chooses to do so voluntarily.
The Controller maintains the necessary documentation and implements appropriate technical and organisational security measures to ensure the proper processing of personal data.
The Controller grants authorisations to individuals who process personal data as part of their duties. Each authorised person is also obliged to maintain the confidentiality of all information obtained in the course of performing their duties.
Each person authorised to process personal data is obliged to:
a) process personal data solely within the scope and for the purposes defined in their assigned tasks;
b) maintain the confidentiality of personal data to which they have access;
c) refrain from using personal data for purposes inconsistent with the scope and purpose of their assigned tasks;
d) maintain the confidentiality of the methods used to secure personal data;
e) protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data, unauthorised access to personal data, or other unlawful processing;
f) notify the Controller in the event of detecting or suspecting a personal data breach, in accordance with the applicable breach reporting procedures.
Security Measures and Processing Safeguards
The Controller ensures the implementation of technical and organisational measures necessary to guarantee the confidentiality, integrity, accountability and continuity of processed data, and supervises compliance with personal data protection principles.
In the course of its business activities, the Controller may entrust the processing of personal data to other entities. The detailed rules governing such processing are specified in a data processing agreement or another appropriate legal instrument.
When processing personal data, the Controller takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. On this basis, the Controller implements appropriate technical and organisational measures (privacy by design).
The Controller also implements appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of processing is processed (privacy by default).
Connections to the Controller’s website are encrypted using the SSL protocol.
Where the processing of personal data requires consent, the Controller processes such data only for the purpose and within the scope for which the consent was granted.
Where personal data processing is entrusted to another entity, the Controller uses only processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of data subjects.
Exercise of Data Subject Rights
Given that individuals whose personal data is processed are granted a number of rights under the GDPR, the Controller ensures the exercise of these rights wherever possible.
The rights that the Controller respects and implements include:
a) the right of access to personal data;
b) the right to rectification of personal data;
c) the right to erasure of personal data;
d) the right to restriction of processing;
e) the right to data portability;
f) the right to object to processing;
g) the right to withdraw consent;
h) the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if the individual believes that their personal data is processed in violation of the GDPR.
Procedures for Exercising Data Subject Rights
The Controller has implemented organisational and technical measures to ensure the effective exercise of the rights referred to above, so that requests from data subjects can be handled without undue delay and no later than within one month from the date of receiving the request.
In the case of a complex request or a large number of requests, the Controller will inform the data subject within one month of receiving the request about the extension of the response period by up to an additional two months, together with the reasons for the delay.
If a request from a data subject cannot be fulfilled (for example because it would conflict with applicable law), the Controller will inform the data subject within the above-mentioned time limits about the refusal to comply with the request, together with the reasons for such refusal.
Actions taken by the Controller in response to requests from data subjects are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, the Controller may charge a reasonable fee reflecting the administrative costs of providing the information or taking the requested action.
Requests from individuals may be submitted to the Controller:
a) in writing to the address:
MAGOREX
ul. Pienińska 11
68-200 Żary, Poland
b) by email to:
info@magorex.pl
If a request is submitted to an employee or associate of the Controller, that person is obliged to immediately forward the request to: info@magorex.pl
Where justified, the Controller may verify the identity of the individual before fulfilling their request.
The rights of individuals whose personal data is processed may be exercised in written or documentary form, including electronic form.
For the purpose of defending potential claims, the Controller reserves the right to process correspondence related to the exercise of data subject rights until the expiry of the applicable limitation period.
The Controller may refuse a request to cease processing personal data where:
a) there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject; or
b) the processing is necessary for the establishment, exercise or defence of legal claims.
Where the legal basis for processing personal data is the consent of the data subject, the individual has the right to withdraw such consent at any time.
Voluntary Provision of Data
Providing personal data is generally voluntary; however, it may be necessary in order to use certain services or functionalities, in particular to receive a response to an inquiry, subscribe to a newsletter, or conclude and perform a contract.
Where providing personal data is required by law, the Controller will inform the data subject accordingly and indicate the consequences of failing to provide such data.
Failure to provide personal data may result in the inability to achieve certain purposes, in particular:
the inability to respond to an inquiry;
the inability to conclude or perform a contract;
the inability to receive marketing information or newsletters.
Automated Decision-Making and Profiling
Profiling consists of analysing selected information relating to user activity (such as website usage, inquiry history or previous cooperation) in order to better tailor marketing content.
Such profiling does not produce legal effects or significantly affect the situation of the data subjects.
The Controller does not apply automated decision-making that produces legal effects with regard to data subjects within the meaning of Article 22 of the GDPR.
Reporting Personal Data Breaches
In the event of a personal data breach, the person who becomes aware of or detects such a breach is obliged to report it to the Controller without undue delay.
A breach may also be reported electronically to the following email address: info@magorex.pl
The person reporting the breach is required to submit the report. Failure to report a breach by a person who becomes aware of it may be considered a serious breach of employee duties or grounds for termination of a civil law contract for valid reasons.
A processor entrusted with the processing of personal data is also obliged to report any breach, in accordance with the rules set out in the data processing agreement or other legal instrument under which the processing of personal data has been entrusted.
In addition to the obligation to report the breach immediately, the person reporting the breach is required to take all possible actions to minimise the consequences of the breach. This may include refraining from starting or continuing work if doing so could increase the scale of the breach or hinder or prevent the determination of its cause.
Cookies
The Controller’s website uses cookies and similar technologies to ensure its proper functioning, conduct statistical analyses and support marketing activities.
Users may at any time:
change cookie settings using the cookie banner,
manage cookies through the settings of their web browser.
Final Provisions
The Controller reserves the right to amend this Privacy Policy, in particular in the event of changes in applicable law, changes in the technologies used or changes in the methods of personal data processing.
The updated Privacy Policy will be published on the Controller’s website together with information about the date on which it becomes effective.
d) Integrity and confidentiality – personal data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
e) Data minimisation – personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
f) Storage limitation – personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods provided that it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to the implementation of appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of data subjects;
g) Accountability – the ability to demonstrate compliance with the principles referred to in this section.
The Controller maintains a Record of Processing Activities where required by law or where it decides to do so voluntarily. Where the Controller also acts as a processor, it maintains a Record of Categories of Processing Activities where required or where it chooses to do so voluntarily.
The Controller maintains the necessary documentation and implements appropriate technical and organisational security measures to ensure the proper processing of personal data.
The Controller grants authorisations to individuals who process personal data as part of their duties. Each authorised person is also obliged to maintain the confidentiality of all information obtained in the course of performing their duties.
Each person authorised to process personal data is obliged to:
a) process personal data solely within the scope and for the purposes defined in their assigned tasks;
b) maintain the confidentiality of personal data to which they have access;
c) refrain from using personal data for purposes inconsistent with the scope and purpose of their assigned tasks;
d) maintain the confidentiality of the methods used to secure personal data;
e) protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data, unauthorised access to personal data, or other unlawful processing;
f) notify the Controller in the event of detecting or suspecting a personal data breach, in accordance with the applicable breach reporting procedures.
Security Measures and Processing Safeguards
The Controller ensures the implementation of technical and organisational measures necessary to guarantee the confidentiality, integrity, accountability and continuity of processed data, and supervises compliance with personal data protection principles.
In the course of its business activities, the Controller may entrust the processing of personal data to other entities. The detailed rules governing such processing are specified in a data processing agreement or another appropriate legal instrument.
When processing personal data, the Controller takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. On this basis, the Controller implements appropriate technical and organisational measures (privacy by design).
The Controller also implements appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of processing is processed (privacy by default).
Connections to the Controller’s website are encrypted using the SSL protocol.
Where the processing of personal data requires consent, the Controller processes such data only for the purpose and within the scope for which the consent was granted.
Where personal data processing is entrusted to another entity, the Controller uses only processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of data subjects.
Exercise of Data Subject Rights
Given that individuals whose personal data is processed are granted a number of rights under the GDPR, the Controller ensures the exercise of these rights wherever possible.
The rights that the Controller respects and implements include:
a) the right of access to personal data;
b) the right to rectification of personal data;
c) the right to erasure of personal data;
d) the right to restriction of processing;
e) the right to data portability;
f) the right to object to processing;
g) the right to withdraw consent;
h) the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if the individual believes that their personal data is processed in violation of the GDPR.
Procedures for Exercising Data Subject Rights
The Controller has implemented organisational and technical measures to ensure the effective exercise of the rights referred to above, so that requests from data subjects can be handled without undue delay and no later than within one month from the date of receiving the request.
In the case of a complex request or a large number of requests, the Controller will inform the data subject within one month of receiving the request about the extension of the response period by up to an additional two months, together with the reasons for the delay.
If a request from a data subject cannot be fulfilled (for example because it would conflict with applicable law), the Controller will inform the data subject within the above-mentioned time limits about the refusal to comply with the request, together with the reasons for such refusal.
Actions taken by the Controller in response to requests from data subjects are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, the Controller may charge a reasonable fee reflecting the administrative costs of providing the information or taking the requested action.
Requests from individuals may be submitted to the Controller:
a) in writing to the address:
MAGOREX
ul. Pienińska 11
68-200 Żary, Poland
b) by email to:
info@magorex.pl
If a request is submitted to an employee or associate of the Controller, that person is obliged to immediately forward the request to: info@magorex.pl
Where justified, the Controller may verify the identity of the individual before fulfilling their request.
The rights of individuals whose personal data is processed may be exercised in written or documentary form, including electronic form.
For the purpose of defending potential claims, the Controller reserves the right to process correspondence related to the exercise of data subject rights until the expiry of the applicable limitation period.
The Controller may refuse a request to cease processing personal data where:
a) there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject; or
b) the processing is necessary for the establishment, exercise or defence of legal claims.
Where the legal basis for processing personal data is the consent of the data subject, the individual has the right to withdraw such consent at any time.
Voluntary Provision of Data
Providing personal data is generally voluntary; however, it may be necessary in order to use certain services or functionalities, in particular to receive a response to an inquiry, subscribe to a newsletter, or conclude and perform a contract.
Where providing personal data is required by law, the Controller will inform the data subject accordingly and indicate the consequences of failing to provide such data.
Failure to provide personal data may result in the inability to achieve certain purposes, in particular:
* the inability to respond to an inquiry;
* the inability to conclude or perform a contract;
* the inability to receive marketing information or newsletters.
Automated Decision-Making and Profiling
Profiling consists of analysing selected information relating to user activity (such as website usage, inquiry history or previous cooperation) in order to better tailor marketing content.
Such profiling does not produce legal effects or significantly affect the situation of the data subjects.
The Controller does not apply automated decision-making that produces legal effects with regard to data subjects within the meaning of Article 22 of the GDPR.
Reporting Personal Data Breaches
In the event of a personal data breach, the person who becomes aware of or detects such a breach is obliged to report it to the Controller without undue delay.
A breach may also be reported electronically to the following email address: info@magorex.pl
The person reporting the breach is required to submit the report. Failure to report a breach by a person who becomes aware of it may be considered a serious breach of employee duties or grounds for termination of a civil law contract for valid reasons.
A processor entrusted with the processing of personal data is also obliged to report any breach, in accordance with the rules set out in the data processing agreement or other legal instrument under which the processing of personal data has been entrusted.
In addition to the obligation to report the breach immediately, the person reporting the breach is required to take all possible actions to minimise the consequences of the breach. This may include refraining from starting or continuing work if doing so could increase the scale of the breach or hinder or prevent the determination of its cause.
Cookies
The Controller’s website uses cookies and similar technologies to ensure its proper functioning, conduct statistical analyses and support marketing activities.
Users may at any time:
* change cookie settings using the cookie banner,
* manage cookies through the settings of their web browser.
Final Provisions
The Controller reserves the right to amend this Privacy Policy, in particular in the event of changes in applicable law, changes in the technologies used or changes in the methods of personal data processing.
The updated Privacy Policy will be published on the Controller’s website together with information about the date on which it becomes effective.
Privacy Policy
We care about the security of your personal data. The importance we attach to this matter is reflected in the measures we have implemented to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
This Privacy Policy provides information about:
* General information
* Scope of application
* Definitions
* Data Controller and contact details
* Data Protection Officer
* Categories of personal data, purposes of processing and legal bases
* Sources of personal data
* Recipients of personal data
* Transfer of data outside the European Economic Area (EEA)
* Data retention period
* Principles of personal data processing
* Data subject rights
* Voluntary provision of data
* Automated decision-making and profiling
* Reporting data breaches
* Cookies
* Final provisions
General Information
This Privacy Policy explains how and on what basis personal data is processed. It describes the measures implemented to protect personal data of individuals whose data is processed by the Controller and explains how potential data protection breaches can be reported.
This document also fulfils the information obligation under Articles 13 and 14 of the GDPR towards website users, customers, business partners and other individuals whose personal data we process.
Scope of Application
The purpose of this document is to ensure that the Controller’s personal data processing activities comply with the principles set out in the GDPR.
This Policy is addressed to:
all natural persons whose personal data is processed by the Controller;
all persons authorised by the Controller to process personal data, including the Controller’s employees and associates.
This Policy applies to all personal data processing activities and to all personal data processed by the Controller, regardless of the form of processing (including manual processing and processing carried out in IT systems), and regardless of whether the personal data is, or may be, processed in filing systems or data sets.
In particular, this Policy applies to personal data processed in connection with: the use of the Controller’s website, the use of contact forms, requests for quotations submitted to the Controller, email and telephone communications, newsletter subscriptions, participation in marketing and sales activities, and cooperation with contractors.
Definitions
Controller – an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, in particular decides why and how personal data is processed.
Policy – this Privacy Policy adopted by the Controller.
Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to such data as a name and surname, correspondence address, email address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processor – an entity that processes personal data on behalf of the Controller.
Processing of Personal Data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Authorised Person to Process Personal Data – a person authorised by the Controller or by the Processor to process personal data within the scope specified in such authorisation.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Act – the Act of 10 May 2018 on the Protection of Personal Data (consolidated text: Journal of Laws of 2018, item 1000, as amended).
President of the Personal Data Protection Office (UODO) – the President of the Personal Data Protection Office, being the Polish supervisory authority for personal data protection matters.
Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
User – an entity using the Controller’s website by means of a computer or other end device.
European Economic Area (EEA) – the area comprising the Member States of the European Union, Norway, Iceland and Liechtenstein.
Automatically Collected Data – data obtained in connection with the use of the Controller’s website, in particular the IP address, device identifiers, browser data, operating system data and website activity data.
Data Controller and Contact Details
The Data Controller is:
MAGOREX Spółka z ograniczoną odpowiedzialnością sp.k.
ul. Pienińska 11
68-200 Żary
Poland
Tax Identification Number (NIP): 928-14-14-292
For any matters related to personal data processing, you can contact the Controller:
info@magorex.pl
by post at the address above.
Data Protection Officer
The Controller has not appointed a Data Protection Officer, as it is not required under Article 37 of the GDPR.
All questions regarding personal data processing can be directed directly to the Controller using the contact details above.
Categories of Personal Data, Purposes of Processing and Legal Basis
The Controller may process the following categories of personal data:
identification data (e.g. name and surname);
contact data (e.g. email address, telephone number, correspondence address);
company-related data (e.g. company name, tax identification number (NIP), details of company representatives);
data related to the content of inquiries or correspondence;
data related to the use of the website (automatically collected data, including cookies);
data related to marketing consents granted by the user.
Personal data is processed for the following purposes and on the following legal bases:
Handling inquiries submitted via contact forms or email – based on Article 6(1)(b) GDPR (taking steps at the request of the data subject prior to entering into a contract) and Article 6(1)(f) GDPR (the Controller’s legitimate interest consisting in responding to inquiries).
Conducting correspondence and telephone communication related to ongoing cooperation, requests for quotations, orders or other business matters – based on Article 6(1)(b) or Article 6(1)(f) GDPR.
Sending newsletters – based on the data subject’s consent (Article 6(1)(a) GDPR).
Carrying out marketing activities, including direct marketing via electronic communication channels and telephone (where separate consents required by law have been given) – based on consent (Article 6(1)(a) GDPR) or the Controller’s legitimate interest (Article 6(1)(f) GDPR).
Conducting statistical analysis and website analytics, including through the use of cookies (e.g. Google Analytics) – based on consent (Article 6(1)(a) GDPR).
Carrying out remarketing activities and displaying personalised advertisements (e.g. using tools such as Meta Pixel or Google Ads) – based on consent (Article 6(1)(a) GDPR).
Compliance with legal obligations, in particular tax and accounting obligations – based on Article 6(1)(c) GDPR.
Establishing, pursuing or defending legal claims – based on Article 6(1)(f) GDPR.
Sources of Personal Data
Personal data processed by the Controller generally comes directly from the data subjects.
In some cases, personal data may originate from other sources, in particular:
entities represented by the individual (e.g. an employer or contractor);
publicly available registers (e.g. CEIDG, KRS);
entities cooperating with the Controller in the performance of agreements.
In such cases, the Controller processes only the data necessary to achieve the specific purpose of processing.
Recipients of Personal Data
Personal data may be shared with entities cooperating with the Controller, in particular:
a) providers of IT and hosting services;
b) entities providing accounting, legal and advisory services;
c) entities providing marketing services, including newsletter and SMS distribution services;
d) providers of analytical and advertising tools (including Google and Meta);
e) other contractors cooperating with the Controller, where this is necessary for the purposes of data processing.
Personal data is transferred to third parties on the basis of appropriate agreements or other legal instruments compliant with the provisions of the GDPR.
Transfer of Personal Data Outside the European Economic Area (EEA)
Personal data may be transferred outside the EEA in connection with the Controller’s use of tools provided by entities located outside the EEA (e.g. analytical and advertising tools provided by Google or Meta, or mailing system providers).
In the event of transfers of personal data outside the EEA, the Controller applies appropriate safeguards required under the GDPR, in particular Standard Contractual Clauses approved by the European Commission or other transfer mechanisms permitted by applicable law.
Personal Data Retention Period
Personal data is processed for the period necessary to fulfil the purposes for which it was collected and subsequently for the period required by law or necessary to secure potential claims.
In particular:
a) data relating to requests for quotations – generally up to 12 months after the end of correspondence, unless further retention is justified on another legal basis (e.g. conclusion of a contract);
b) data processed for the purpose of sending newsletters – until consent is withdrawn;
c) data processed for direct marketing purposes – until an objection is raised or consent is withdrawn, where consent constitutes the legal basis for processing;
d) analytical data and data resulting from cookies – up to 36 months;
e) data related to tax and accounting obligations – for the period required by generally applicable legal provisions (usually 5 years);
f) data processed for the purpose of establishing, pursuing or defending claims – until the limitation period for such claims expires.
Principles of Personal Data Processing
All addressees of this Policy, as well as entities with which the Controller has concluded personal data processing agreements, are obliged to comply with the principles of personal data processing set out in this Policy, unless different rules regarding compliance with personal data protection regulations have been established in the data processing agreement or in other legal instruments, provided that such rules do not violate the provisions of the GDPR.
The processing of personal data is based on the following principles set out in Article 5 of the GDPR:
a) Lawfulness, fairness and transparency – personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) Purpose limitation – personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Accuracy – personal data is collected accurately and, where necessary, kept up to date; where personal data is inaccurate having regard to the purposes for which it is processed, all reasonable steps must be taken to ensure that it is erased or rectified without delay;
d) Integrity and confidentiality – personal data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
e) Data minimisation – personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
f) Storage limitation – personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods provided that it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to the implementation of appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of data subjects;
g) Accountability – the ability to demonstrate compliance with the principles referred to in this section.
The Controller maintains a Record of Processing Activities where required by law or where it decides to do so voluntarily. Where the Controller also acts as a processor, it maintains a Record of Categories of Processing Activities where required or where it chooses to do so voluntarily.
The Controller maintains the necessary documentation and implements appropriate technical and organisational security measures to ensure the proper processing of personal data.
The Controller grants authorisations to individuals who process personal data as part of their duties. Each authorised person is also obliged to maintain the confidentiality of all information obtained in the course of performing their duties.
Each person authorised to process personal data is obliged to:
a) process personal data solely within the scope and for the purposes defined in their assigned tasks;
b) maintain the confidentiality of personal data to which they have access;
c) refrain from using personal data for purposes inconsistent with the scope and purpose of their assigned tasks;
d) maintain the confidentiality of the methods used to secure personal data;
e) protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data, unauthorised access to personal data, or other unlawful processing;
f) notify the Controller in the event of detecting or suspecting a personal data breach, in accordance with the applicable breach reporting procedures.
Security Measures and Processing Safeguards
The Controller ensures the implementation of technical and organisational measures necessary to guarantee the confidentiality, integrity, accountability and continuity of processed data, and supervises compliance with personal data protection principles.
In the course of its business activities, the Controller may entrust the processing of personal data to other entities. The detailed rules governing such processing are specified in a data processing agreement or another appropriate legal instrument.
When processing personal data, the Controller takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. On this basis, the Controller implements appropriate technical and organisational measures (privacy by design).
The Controller also implements appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of processing is processed (privacy by default).
Connections to the Controller’s website are encrypted using the SSL protocol.
Where the processing of personal data requires consent, the Controller processes such data only for the purpose and within the scope for which the consent was granted.
Where personal data processing is entrusted to another entity, the Controller uses only processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of data subjects.
Exercise of Data Subject Rights
Given that individuals whose personal data is processed are granted a number of rights under the GDPR, the Controller ensures the exercise of these rights wherever possible.
The rights that the Controller respects and implements include:
a) the right of access to personal data;
b) the right to rectification of personal data;
c) the right to erasure of personal data;
d) the right to restriction of processing;
e) the right to data portability;
f) the right to object to processing;
g) the right to withdraw consent;
h) the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if the individual believes that their personal data is processed in violation of the GDPR.
Procedures for Exercising Data Subject Rights
The Controller has implemented organisational and technical measures to ensure the effective exercise of the rights referred to above, so that requests from data subjects can be handled without undue delay and no later than within one month from the date of receiving the request.
In the case of a complex request or a large number of requests, the Controller will inform the data subject within one month of receiving the request about the extension of the response period by up to an additional two months, together with the reasons for the delay.
If a request from a data subject cannot be fulfilled (for example because it would conflict with applicable law), the Controller will inform the data subject within the above-mentioned time limits about the refusal to comply with the request, together with the reasons for such refusal.
Actions taken by the Controller in response to requests from data subjects are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, the Controller may charge a reasonable fee reflecting the administrative costs of providing the information or taking the requested action.
Requests from individuals may be submitted to the Controller:
a) in writing to the address:
MAGOREX
ul. Pienińska 11
68-200 Żary, Poland
b) by email to:
info@magorex.pl
If a request is submitted to an employee or associate of the Controller, that person is obliged to immediately forward the request to: info@magorex.pl
Where justified, the Controller may verify the identity of the individual before fulfilling their request.
The rights of individuals whose personal data is processed may be exercised in written or documentary form, including electronic form.
For the purpose of defending potential claims, the Controller reserves the right to process correspondence related to the exercise of data subject rights until the expiry of the applicable limitation period.
The Controller may refuse a request to cease processing personal data where:
a) there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject; or
b) the processing is necessary for the establishment, exercise or defence of legal claims.
Where the legal basis for processing personal data is the consent of the data subject, the individual has the right to withdraw such consent at any time.
Voluntary Provision of Data
Providing personal data is generally voluntary, however it may be necessary in order to use certain services or functionalities, in particular to receive a response to an inquiry, subscribe to a newsletter, or conclude and perform a contract.
Where providing personal data is required by law, the Controller will inform the data subject accordingly and indicate the consequences of failing to provide such data.
Failure to provide personal data may result in the inability to achieve certain purposes, in particular:
the inability to respond to an inquiry;
the inability to conclude or perform a contract;
the inability to receive marketing information or newsletters.
Automated Decision-Making and Profiling
Profiling consists of analysing selected information relating to user activity (such as website usage, inquiry history or previous cooperation) in order to better tailor marketing content.
Such profiling neither produces legal effects nor significantly affects the situation of the data subjects.
The Controller does not apply automated decision-making that produces legal effects with regard to data subjects within the meaning of Article 22 of the GDPR.
Reporting Personal Data Breaches
In the event of a personal data breach, the person who becomes aware of or detects such a breach is obliged to report it to the Controller without undue delay.
A breach may also be reported electronically to the following email address: info@magorex.pl
The person reporting the breach is required to submit the report. Failure to report a breach by a person who becomes aware of it may be considered a serious breach of employee duties or grounds for termination of a civil law contract for valid reasons.
A processor entrusted with the processing of personal data is also obliged to report any breach, in accordance with the rules set out in the data processing agreement or other legal instrument under which the processing of personal data has been entrusted.
In addition to the obligation to report the breach immediately, the person reporting the breach is required to take all possible actions to minimise the consequences of the breach. This may include refraining from starting or continuing work if doing so could increase the scale of the breach or hinder or prevent the determination of its cause.
Cookies
The Controller’s website uses cookies and similar technologies to ensure its proper functioning, conduct statistical analyses and support marketing activities.
Users may at any time:
change cookie settings using the cookie banner,
manage cookies through the settings of their web browser.
Final Provisions
The Controller reserves the right to amend this Privacy Policy, in particular in the event of changes in applicable law, changes in the technologies used or changes in the methods of personal data processing.
The updated Privacy Policy will be published on the Controller’s website together with information about the date on which it becomes effective.