Information Clause for Customers
Ewa Załuska, conducting business under the name “PODOLOG-Ewa Załuska,” registered in the Central Register and Information on Economic Activity, NIP (Tax Identification Number): 8241821530, REGON (National Business Registry Number): 528509427, correspondence address: Zieleniec 68, 07-140 Sadowne, email: ewa.zaluska69@gmail.com, hereinafter referred to as the “Administrator,” is the controller of the personal data of its customers who have entered into sales agreements or service agreements, hereinafter referred to as “Customers.”
The Administrator has implemented appropriate safeguards, technical and organizational measures, including the Data Protection Policy and procedures, and has trained its employees who process Customers’ personal data within the scope of their duties to ensure an adequate level of protection of personal data, in compliance with applicable laws, including, in particular, the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR,” the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2019, item 1781), hereinafter referred to as the “Act,” and other applicable data protection regulations.
The source of the personal data processed by the Administrator is the Customers, i.e., the individuals to whom the data pertains, subject to point 4 below.
The Administrator may process the personal data of the Customer’s employees or collaborators if provided by the Customer, where it is necessary to act through such employees or collaborators as per the agreement. In such cases, the provisions of this information clause apply correspondingly to the Customer’s employees and collaborators, and the Customer is obligated to present this clause to such individuals to enable them to become familiar with its content.
The Customers’ personal data is processed by the Administrator to perform agreements, i.e., for the sale or provision of services and to carry out all settlements arising from the legal relationships between the Administrator and the Customer.
The legal basis for processing Customers’ personal data is: a) Article 6(1)(b) GDPR, i.e., necessity for the performance of a sales or service agreement to which the Customer is a party or to take action at the Customer’s request before entering into such an agreement with the Administrator, or b) Article 6(1)(c) GDPR, i.e., necessity for compliance with legal obligations to which the Administrator is subject, particularly obligations arising from accounting, tax, and archival regulations, or c) Article 6(1)(f) GDPR, i.e., the legitimate interests of the Administrator, such as establishing, pursuing, or defending claims until their limitation period expires or until relevant proceedings are concluded if initiated within that period, particularly concerning any potential claims the Customer may have related to the Administrator’s business activities, or d) Article 6(1)(a) GDPR, i.e., the Customer’s consent for the processing of personal data for specific purposes, or e) Article 9(2)(a) GDPR, i.e., the Customer’s explicit consent to process special categories of personal data (sensitive data) such as health information as referred to in Article 9(1) in conjunction with Article 4(15) GDPR.
Providing personal data by the Customer is voluntary but necessary for the purposes mentioned in point 5 above, and thus it is a condition for entering into and performing a sales or service agreement between the Administrator and the Customer. Failure to provide such data will result in the inability to conclude such an agreement.
In accordance with the principle of data minimization referred to in Article 5(1)(c) GDPR, the Administrator processes only those categories of personal data that are necessary to achieve the purposes mentioned in point 5 above.
The Administrator does not disclose personal data to third parties without the explicit consent of the Customer. Personal data may be disclosed without the Customer’s consent only to entities authorized by applicable law, including administrative authorities, tax authorities, law enforcement agencies, and other authorized entities.
The Customers’ personal data may be entrusted by the Administrator for processing to: a) IT companies providing hosting services, domain management, and computer system maintenance used by the Administrator, b) Companies providing postal, courier, and transport services on behalf of the Administrator to deliver correspondence, c) Companies providing other services necessary for the Administrator’s ongoing operations, collectively referred to as “Processors.” In such cases, the Administrator enters into data processing agreements with the Processors, and the Processors process the entrusted personal data solely for the purposes, scope, and objectives specified in the processing agreement.
The Customers’ personal data is not transferred to third countries or international organizations within the meaning of the GDPR regulations. Should such a transfer occur, the Customers will be informed in advance, and the Administrator will implement the safeguards referred to in Chapter V of the GDPR.
The Administrator processes personal data for the period necessary to achieve the purposes specified in point 5 above. Personal data may be processed for a longer period if such an obligation is imposed on the Administrator by specific legal provisions (e.g., regarding the storage of accounting and tax documentation) or by the legitimate interests of the Administrator as mentioned in point 6(c) above (i.e., until the limitation period for claims expires or relevant proceedings are concluded if initiated within that period).
The Customer has the right to: a) Be informed about the processing of personal data in accordance with Article 12 GDPR, b) Access their personal data in accordance with Article 15 GDPR, c) Rectify, supplement, update, or correct personal data in accordance with Article 16 GDPR, d) Erasure of data (right to be forgotten) in accordance with Article 17 GDPR, e) Restriction of processing in accordance with Article 18 GDPR, f) Data portability in accordance with Article 20 GDPR, g) Object to the processing of personal data in accordance with Article 21 GDPR, h) Not be subject to profiling in accordance with Article 22 in conjunction with Article 4(4) GDPR, in compliance with the principles of exercising and fulfilling these rights as set out in the GDPR.
In the case of the legal basis referred to in point 6(d) above, the Customer has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
In addition to the rights mentioned in the preceding points, the Customer has the right to lodge a complaint with the supervisory authority (i.e., the President of the Personal Data Protection Office – address: ul. Stawki 2, 00-193 Warsaw) as referred to in Article 77 GDPR if they believe that the processing of their personal data by the Administrator violates GDPR provisions.
The Customers’ personal data will not be subject to automated decision-making, including profiling, by the Administrator as defined by GDPR regulations.
Any inquiries, requests, and complaints related to the processing of personal data by the Administrator and the exercise of rights referred to in points 13-14 above, hereinafter referred to as “Submissions,” should be directed to the following email address: ewa.zaluska69@gmail.com or in writing to the Administrator’s address: Zieleniec 68, 07-140 Sadowne.
The Submission should include: the data of the individual or individuals it concerns, the event causing the Submission, and – if possible – the content of the request, the legal basis for the request, and the expected resolution method. Every confirmed case of a security breach is documented, and in the event of incidents specified in the GDPR or the Act, the breach of data protection regulations will be reported – if applicable – to the individuals concerned (i.e., Customers) and to the President of the Personal Data Protection Office.