INFORMATION ON PERSONAL DATA PROCESSING BY ePM SP. Z O.O.
This document (hereinafter: “Rules”) contains information on the rules of processing your personal data by ePM Sp. z o.o. (hereinafter: “ePM”). You will find here the purposes and the period of your personal data processing or further processing by ePM. Furthermore, it defines the categories of persons who may be given access to your personal data as well as the rights vested in the person whose data are processed by us. The scope of information you give us shall comply with the requirements of the European Union regulations concerning personal data protection, i.e. Regulation No. 2016/679 issued by the European Parliament and Council (EU), also referred to as the General Data Protection Regulation (hereinafter: “GDPR”).
Administrator; Data Protection Inspector
1. The administrator of your personal data is ePM Sp. z o.o. with its registered office in Kraków: address: ul. Podole 60, 30-394 Kraków, phone: (+48) 530 884 904, e-mail: firstname.lastname@example.org
2. ePM, as the data administrator, will make every effort to fulfil the requirements of the GDPR as fully as possible and thereby protect your personal data.
3. You may contact the Administrator in all matters related to the processing of your personal data, including in case of doubts regarding your rights.
Purpose and period of processing your personal data
4. ePM guarantees that your personal data will be processed only for the purposes which are defined, explicit, and legitimate and that such data will not be further processed in a manner inconsistent with the said purposes. The purpose of data processing is a motive behind our initiative. Should ePM want to process your personal data for the purposes other than specified herein, you will be notified of such new purpose of processing. Shown below are the purposes of data processing. Each of them has been carefully evaluated by ePM with regard to consistency with the provisions of GDPR and other regulations applicable to ePM business. The summary mentioned below indicates the purpose of data processing in each case as well as the applicable legal basis. Your personal data shall be stored for a period of time necessary to achieve such purposes.
I. Purpose: Execution, due performance, and termination of agreements or other transactions necessary to perform the agreement between you and ePM.
Explanation: This refers to any and all preliminaries which precede: execution and performance of the agreement; analyses and evaluation of client’s paying reliability; investigation of complaints; provision of “help centre” services; termination of the agreement; archiving; other legal transactions connected with the agreement, and transactions necessary to sign agreements with other persons by the agency of ePM. Legal basis: GDPR, art. 6.1.b.
Period of data processing: Until the termination of the agreement; afterwards, for other legitimate purposes connected with the agreement, e.g. for the period of securing potential claims, i.e. 5 years. Absence of agreement: until the end of provision of a service and for 5 years to secure potential complaints and claims.
II. Purpose: Compliance with the obligations resulting from the applicable law or with public interest duties.
Explanation: In this case, ePM will process personal data to comply with the duties pursuant to the law or public interest. Specifically, we refer to ePM’s liability for its business to the extent of fiscal, accounting, and statistical regulations as well as performance of actual agreements and archiving. Legal basis: GDPR, art. 6.1.c and detailed provisions requiring ePM to comply with the obligations specified in the Explanations or in GDPR, art. 6.1.e.
Period of data processing: Until ePM’s full compliance with the obligations defined in particular provisions of the law or with the duties connected with public interest.
III. Purpose: ePM product and service marketing.
Explanation: We refer to ePM marketing, specifically the marketing conducted by means of transmission, display, or transfer of commercial information via traditional mail or using electronic or phone telecommunications devices subject to the acquisition of necessary consent. Moreover, the marketing may take the form of profiling, which means processing, for marketing purposes, information containing Client’s features, behaviours, or preferences. The use of profiling may be adapted by ePM to your interests and needs on the basis of the existing co-operation. Legal basis: GDPR, art. 6.1.f.
Period of data processing: Until the date of submission of objection to such processing or until the expiration of agreements with ePM.
IV. Purpose: Transactions on the basis of acquired consents.
Explanation: For instance, ePM trade partner’s product and service marketing; processing data considered as trade secrets (including for the purpose of evaluation of Client’s paying reliability) upon the expiration of liability. In each case, our application for your consent will specify, among other items, the purpose why we want to process your data on the basis of your consent. Legal basis: GDPR, art. 6.1.a.
Period of data processing: Until the withdrawal of consents.
V. Purpose: Communication or provision of services via ePM web pages and sites as well as mobile application.
Explanation: Similarly, we will process your data to be able to communicate or provide services via ePM web pages, web sites, and mobile applications. In this case, we will process, among other items, identifications, such as e.g. IP address of the device or geographical location data. Legal basis: GDPR, art. 6.1.b or art. 6.1.f.
Period of data processing: For the period of actual communications or service provision, no more, however, than until the submission of an effective objection. For the period of agreement validity and afterwards, for other legitimate purposes connected with the agreement, e.g. period of securing potential claims, i.e. 5 years.
VI. Purpose: Other purposes classified into the category of “data administrator’s legitimate interest”.
Explanation: The purposes classified into the category of “data administrator’s legitimate interest” are connected with the agreement we sign with you or, in the absence of such agreement, on the basis of provision of goods or services: 1) ePM personnel and property security, including ePM head office monitoring, subject to respect of human privacy and dignity; 2) commercial transaction security, specifically prevention of abuses; 3) adaptation of marketing contents of ePM web pages depending on behaviours of the persons who display the content; 4) protection from claims and pursuance of receivables; 5) own administrative, accounting, analytical, and statistical purposes. Our evaluation of legitimate nature of such purposes includes, among other aspects: a) any and all interrelations between the purposes of personal data collection and the purposes of further processing thereof; b) context of personal data collection, specifically the relations between data subjects and the administrator; c) nature of personal data; d) potential consequences of processing in the future; e) availability of suitable protections. Legal basis: GDPR, art. 6.1.f.
Period of data processing: Until full compliance with ePM’s legitimate interests being the basis for the said processing or until the date of submission of the objection to the said processing, no more, however, than for the period of 5 years. In the case of dispute or proceedings in progress, specifically judicial proceedings, the period of data storage will begin on the date of termination of the dispute or valid settlement of the proceedings.
Sources of your personal data
5. ePM shall process your personal data acquired directly from you (e.g. data entered into any printed form) as well as from other sources in compliance with the law and pursuant to the agreements with our partners. Sources of personal data may be, among others, public registers: records held by the National Court Register (KRS) and Central Register of Business (CEIDG) as well as limited access sources, e.g. Commercial Information Office (BIG) and National Register of Debtors (KRD). In each case, ePM shall carefully validate its legal basis for personal data processing.
Categories of personal data to be processed
6. Depending on your relationships with ePM we may specifically process the categories of personal data we acquire from you or from third parties; they are:
a) personal data (e.g. first and last name; registered address);
b) contact data (e.g. phone number; address for delivery; e-mail address);
c) identification data (e.g. identity card number; personal identification number PESEL);
d) transaction data (e.g. payment details);
e) agreement data (e.g. details on actual agreements);
f) behavioural data (e.g. data on purchased products or services and methods of use thereof);
g) communication data (e.g. data on our communication with you);
h) audio and video data (e.g. data records from conversations or images, for the purposes of security and evidence);
i) publicly available data or data acquired from third parties (e.g. data acquired from CEIDG or BIK [Credit Information Office]);
j) technical data (e.g. data on your device for using our mobile services);
k) viewing past data (e.g. data necessary for maintenance of regular exchange of information between the server and the browser for the purpose of using ePM web sites and pages).
Recipients of your personal data
7. Within our business structure, access to your personal data will be given only to the employees authorised by ePM and only to the necessary extent. In certain cases, however, we may disclose your personal data to third parties outside ePM. At that point, we shall always examine carefully the legal basis for disclosure of personal data. To avoid any misunderstanding, we explain that in compliance with the provisions of GDPR, a data recipient may be a party which processes personal data for and on behalf of ePM as well as a party to which data are made available for that party's own purposes (e.g. public administration agencies). Shown below are potential recipients of your personal data:
a) public agencies, institutions, or third parties authorised to access or to receive personal data pursuant to applicable laws, e.g. Courts, Ministry of Finance, Treasury Office, Court Arbitrator;
b) parties which process personal data to ePM’s order pursuant to valid agreements, e.g. courier delivery service providers, trade partners (e.g. agents, call centre, sponsors), mail operators, carriers, communication printing companies or operators of communications from the clients, document archiving companies, client opinion polling companies, partners in provision of technical services (e.g. development and maintenance of IT systems and Internet sites), IT and other service providers who process data for and on behalf of ePM;
c) banks, financial or credit institutions or other institutions which may receive personal data in connection with trade relationships between you and ePM (e.g. agents in lease agreements or in other financial agreements of similar nature) as well as on the basis of the provisions of applicable laws, commercial information offices (KRD, BIG);
d) electronic payment operators, e.g. Visa, MasterCard, PayU, PayPal and other parties who operate financial settlements, e.g. KIR, Swift, etc.
e) telecommunication service providers;
f) consulting & auditing service providers, e.g. auditing companies;
g) parties which process data in order to recover bad debts or which represent clients in proceedings at law, e.g. lawyer’s offices;
h) insurance companies (e.g. in order to insure a transaction or a delivery);
i) other parties you approve of as your personal data recipients and processors.
Exercise of rights
8. Detailed information on your rights:
a) you have the right to access your personal data, including the acquisition of such data copies;
b) you have the right to correct or supplement your personal data in the case you consider data processed by ePM are inconsistent with actual data;
c) you have the right to request the removal of your personal data in cases warranted by the provisions of the law;
d) you have the right to request the limitation of your personal data processing;
e) you have the right to object to your personal data processing in the case of processing for the purpose of ePM legitimate interest;
f) moreover, you have the right to receive your personal data from ePM in a structured format as well as to transfer your personal data to another administrator, if this is feasible in technical terms. In the case of data transfer, the provisions of the law may request the acquisition of your consent or another person’s consent or the consistency with other conditions pursuant to such provisions;
g) you have the right not to be subject to a decision which is based on automated processing only, including profiling, such processing having legal effects or other essential impact on you, unless such decision is necessary for performance of the agreement, lawful or admissible pursuant to your prior explicit consent;
h) where processing is based on your consent, you have the right to withdraw your consents to particular processing purposes at any moment. The consent may be withdrawn at the ePM head office, via phone, on web sites and pages as well as by e-mail transmission. Withdrawal of your consent shall have no impact on legitimate nature of processing until the date of withdrawal.
9. Personal data are indispensable for signing an agreement or a transaction.
10. If you consider that processing your personal data by ePM infringes the provisions of GDPR, you shall have the right to complain to a supervisory authority. The President of Personal Data Protection Office became such authority on 25 May, 2018.
11. If you have signed the agreement with ePM or want to sign such agreement, your personal data processing may become automatic. This may bring about automated decision making process, including the decisions based on profiling. It specifically applies to the evaluation of Client’s paying reliability for the purpose of a transaction or an agreement with ePM, the said evaluation being based on your order and using data contained therein, data from own ePM bases as well as third party databases (BIG, KRD, etc.); the result of such profiling may be the decision to terminate the transaction or the agreement.