In relation to the entry into life, as of 25 May 2018, of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, we hereby ask you to read the information on personal data storage by REFSYSTEM Sp. z o.o. with its registered office in Grudziądz.

I.GENERAL PROVISIONS

1.1 This Privacy Policy is for information purposes only. The Privacy Policy primarily contains rules concerning the processing of personal data by the Controller, including the legal bases, purposes and scope of personal data processing as well as the rights of data subjects.

1.2 The Controller of your personal data (hereinafter referred to as: the “Controller”) is REFSYSTEM Sp. z o.o., 86-300 Grudziądz, ul. Metalowców 5, NIP [Tax Identification Number] 876-23-25-897. Contact with the Controller is possible by mail to the following address: 86-300 Grudziądz, ul. Metalowców 5 or by email at: sekretariat@refsystem.pl.

1.3 Your personal data are processed as far as is necessary for the purposes of legitimate interests pursued by the Controller or by a third party. Personal data are processed by the Controller in accordance with the applicable legal regulations, in particular in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as “GDPR” or “GDPR Regulation”, as well as the provisions of the Act on Personal Data Protection of 10 May 2018 (Journal of Laws 2018.1000 as amended).

1.4 The Controller shall exercise due care in protecting the interests of persons whose personal data are processed, and in particular they shall be responsible for and ensure that the collected data are processed lawfully; collected for specified and legitimate purposes and not further processed in a way incompatible with those purposes; and substantially accurate and adequate in relation to the purposes for which they are processed; stored in a form which allows the identification of data subjects for no longer than it is necessary to achieve the purpose of processing; and processed in a manner which ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organisational measures.

1.5 The Controller shall implement appropriate technical and organisational measures to process the data in accordance with the Regulation and to be able to demonstrate this, taking into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of individuals with different degrees of probability and seriousness of the risk. These measures shall be reviewed and updated as necessary. The Controller shall apply in particular the following technical measures to prevent unauthorised access and modification of personal data sent electronically.

II. BASES FOR DATA PROCESSING

2.1 The Controller shall be entitled to process personal data where, and to the extent that, one or more of the following conditions are met: (1) the data subject has given consent to the processing of his/her personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation the Controller is subject to; or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

2.2. The processing of personal data by the Controller shall in each case require the existence of at least one of the grounds indicated under item 2.1 of the Privacy Policy. Specific bases for processing the Client’ personal data by the Controller are indicated in the next section of the Privacy Policy - with reference to a given purpose of personal data processing by the Controller.

III. PURPOSE, BASIS, DURATION AND SCOPE OF DATA PROCESSING ON THE WEBSITE

3.1 Each time, the purpose, basis, period and scope as well as recipients of the personal data processed by the Controller result from the activities undertaken by the given Client on the Website.

3.2 The Controller processes personal data of natural persons who:
a) are users of the website and communicate through the website by means of an application form;
b) are entrepreneurs whose data come from publicly available sources, including public registers;
c) are potential clients, contractors or suppliers of the Company;
d) are customers, contractors or suppliers of the Company;
e) act as persons authorised to represent legal persons or other organisational units;
f) are parties to applications, complaints, claims or other letters addressed to the Company;
g) may, in accordance with the relevant provisions of law, be recipients of marketing correspondence.

3.3 The Company may process personal data for the following purposes:
a) preparation of commercial offers - name and surname; e-mail address; contact telephone number; address of residence/business premises; company name and tax identification number (NIP) of the Entrepreneur; REGON; KRS.
b) for informational purposes, related to the dissemination of information about business activities - name and surname; email address; contact telephone number; address of residence/ conduct of business/site; company name and Tax Identification Number (NIP) of the Entrepreneur; REGON; KRS; bank account number.
c) handling general inquiries, preparing offers - name and surname; e-mail address; contact telephone number; address of residence/ conduct of business/ office; company name and Tax Identification Number (NIP) of the Entrepreneur; REGON; KRS, CEiDG (Business Register and Inquiries) entry.
d) direct marketing of products and services (sending commercial and marketing information by e-mail, telephone and orally) - name and surname; e-mail address; contact telephone number.
e) performance of sales contract, including the preparation of trade offers, determining and clarifying the details of orders, processing of orders, recording and financial settlement of services, products and materials supplied to and by the Company - name and surname; e-mail address; contact telephone number; address of residence / business / headquarters; company name and tax identification number (NIP) of the Entrepreneur; REGON; KRS,; bank account number.
f) the investigation of claims (including the monitoring of claims) and defence against claims - name and surname; e-mail address; contact telephone number; address of residence / business / headquarters; company name and tax identification number (NIP) of the Entrepreneur; REGON; KRS,; bank account number.
g) perform duties arising from the law, including in particular tax and accounting, and verify the client's payment reliability based on information from economic information offices - name and surname; e-mail address; contact telephone number; address of residence / conduct of business / business premises; company name and tax identification number (NIP) of the Entrepreneur; REGON; KRS,; bank account number.
h) performance of the sales contract (including authorization necessary to execute orders, issue/collection of products and materials) - name and surname; PESEL number; number and series of identity card (date of issue, by whom issued); contact telephone number; address of residence / business / headquarters; company name, tax identification number (NIP) of the Entrepreneur, REGON, KRS.
i) handling requests, complaints, claims or other letters addressed to the Company - name and surname; e-mail address; contact telephone number; address of residence/ conduct of business/ office; company name and Tax Identification Number (NIP) of the Entrepreneur; REGON; KRS.
j) expressing by the Client an opinion on the concluded Sales Agreement - e-mail address
k) bookkeeping - first and last name; address of residence/business/office, company name and tax identification number (NIP) of the Customer of Client, bank account details. This also includes data necessary for the settlement of the service - all order data (order history).
l) to establish, assert or defend claims that may be raised by the Controller or against the Controller - name and surname; contact telephone number; e-mail address; address (street, house number, flat number, postal code, city, country), address of residence/business/office, PESEL no. For Clients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Customer or Client.
m) establish data characterising the use of the service provided electronically (ensuring the quality parameters of services, maintaining security measures, handling requests, determining cases of unauthorised use of the service and transferring data to authorised bodies) - Name and surname; contact telephone number; e-mail address; address (street, house number, flat number, postal code, city, country), address of residence / business / office, PESEL number. For Clients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Customer or Client.

IV. GENERAL PROVISIONS ON RECIPIENTS OF PERSONAL DATA

4.1 For the proper functioning of the Website, including execution of concluded Agreements, it is necessary for the Controller to use services of external entities (such as e.g. payment service provider, entities maintaining subscriber registers, marketing companies, legal service, accounting service, auditors, couriers). The Controller may only use the services of such Processors which provide sufficient guarantees that appropriate technical and organisational measures shall be implemented to ensure that the processing meets the requirements of the GDPR and protect the rights of data subjects.

4.2 The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy Policy - the Controller transfers data only if it is necessary to achieve a given purpose of personal data processing and only to the extent necessary for its achievement.

4.3 The Clients’ personal data may be transferred to the following recipients or categories of recipients:

  1. carriers / forwarders / courier brokers - in the case of a Client who uses the method of delivery of an item by mail or courier, the Controller shall make the collected personal data of the Client available to the selected carrier, forwarder or broker executing the shipment on the order of the Controller to the extent necessary to perform the delivery of the Product to the Client,
  2. entities processing electronic or card payments - in case of a Client who uses the electronic or card payment method, the Controller shall make the collected personal data of the Client available to a selected entity processing the aforementioned payments upon the order of the Controller to the extent necessary to handle the payment made by the Client,
  3. service providers who supply the Controller with technical, IT and organisational solutions enabling the Controller to conduct their business activity - the Controller shall make the collected personal data of the Client available to the chosen provider acting on its behalf only in the case and to the extent necessary to achieve the given purpose of the data processing compliant with this Privacy Policy.
  4. providers of accounting, legal and advisory services ensuring the Controller with accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection agency) - the Controller makes the collected personal data of the Client available to the chosen provider acting on its behalf only in the case and to the extent necessary to carry out the given purpose of data processing in accordance with this Privacy Policy.

V. PROFILING

5.1 The GDPR Regulation requires the Controller to notify of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR Regulation and, at least in these cases, of relevant information on the principles of making such decisions as well as on the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the Privacy Policy.

5.2 The Controller may use profiling on the Website for direct marketing purposes, but decisions taken on its basis by the Controller do not concern conclusion of or refusal to conclude the Agreement. The use of profiling may, for example, result in a person receiving a discount, being sent a discount code, being offered a Service that may match the person’s interests or preferences, or being offered better terms compared to a standard offer on the Website. Despite the profiling, it is up to the individual to decide freely whether they want to take advantage of the discount or better offer conditions received in this way.

5.3 Profiling involves the automatic analysis or prediction of a person’s behaviour on the Website, e.g. by selecting a particular Service, viewing a description of a particular Service, or by analysing the history of Services purchased to date. The condition of such profiling is that the Controller has the personal data of the given person in order to be able to send him/her e.g. a discount code.

5.4 The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

VI. ONLINE MARKETING - GOOGLE ADS

6.1 The Controller uses Google Ads advertising program operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to conduct advertising campaigns, including remarketing. The Controller performs activities in this scope based on its legitimate interest, consisting in marketing its own products or services.

6.2 When visiting the website, a Google remarketing cookie is automatically left on the person’s device, which, with the help of a pseudonymised identifier (ID) and based on the pages visited by the person, enables interest-based advertising to be displayed. Further processing of the information only takes place if the person have agreed with Google to associate their browsing and application usage history with their account and to use the information from their Google account to personalise the ads that are displayed on the websites.

6.3 If, in this case, the person is logged in when visiting the website on Google, Google will use the data together with Google Analytics data to create and define target group lists for remarketing on different devices. For this purpose, Google temporarily combines the collected information with Google Analytics data to create target groups.

6.4 When using Google Ads, the Controller does not collect any data that would identify a person. Using Google Ads, the Controller is only able to define the groups of recipients whom they would like his ads to reach. Based on this, Google decides when and how it will present the ad to the person.

6.5 In order to use Google Ads, a special Google Ads conversion pixel has been implemented in the website code. The pixel uses cookies from Google LLC for the Google Ads service. From the level of the Controller’s website, these cookies can be disabled by means of a mechanism used to manage cookies. It is possible to manage the ad settings directly from Google: https://adssettings.google.com/.

VII. ONLINE MARKETING - FACEBOOK PIXEL

7.1. In order to conduct effective marketing campaigns and promotion of products and services, the Controller uses the “Facebook Pixel”option, which is provided by Facebook, a social networking service operated by Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA or, for users who are EU residents - Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).

7.2 The Facebook Pixel is a piece of code placed on a website. It allows Facebook to identify visitors to the web content as a target group for the display of Facebook advertisements on their social media profiles (e.g. as part of sponsored advertising), which is understood as a legitimate interest (Art. 6(1)(f) GDPR).

7.3 As part of the Facebook Pixel function, it is therefore possible to display advertisements published by the Controller on Facebook only to Facebook users who have shown interest in the services or who have certain common coefficients (such as interest in certain topics or products determined on the basis of the website tabs visited, products viewed) that are transmitted to Facebook,

7.4 The Facebook Pixel function helps to understand the effectiveness of Facebook ads for statistical and market research purposes, showing whether users have been redirected to services after clicking on a Facebook ad (so-called conversion, allowing to determine on which devices the user performs the action), to create so-called similar audiences and to obtain comprehensive statistics on website usage.

7.5 During the user’s visit to the website, the Facebook Pixel establishes a direct connection to the Facebook servers. In this way, the Facebook server is notified that the user have visited the website and Facebook assigns this information to the personal Facebook user account.

7.6 Further information about Facebook’s data collection and use, as well as the user’s privacy rights and options, can be found in Facebook’s data protection policy at https://www.facebook.com/privacy/explanation.

7.7 Specific information and details about the Facebook Pixel feature and how it works are available in the Facebook Help section at https://www.facebook.com/business/help/651294705016616.

7.8 This feature can be disabled as shown at either https://www.facebook.com/business/help/565426757256022 or https://www.facebook.com/settings?tab=ads. To do this, you need to log into Facebook.

VIII. RIGHTS OF THE DATA SUBJECT

8.1 Right of access, rectification, restriction, erasure or portability - The data subject has the right to request from the Controller access to his/her personal data, rectification, erasure (“right to be forgotten”) or restriction of processing and has the right to object to processing, and has the right to data portability. Detailed conditions for the exercise of the rights indicated above are indicated in Articles 15-21 of the GDPR Regulation.

8.2 Right to withdraw consent at any time - the person whose data are processed by the Controller on the basis of expressed consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time, without affecting the legality of the processing performed on the basis of consent before its withdrawal.

8.3 Right to lodge a complaint to the supervisory authority - the person whose data are processed by the Controller has the right to lodge a complaint to the supervisory authority in the manner and according to the procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for the Protection of Personal Data.

8.4 Right to object - The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these provisions. The Controller shall in that case no longer be permitted to process such personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of claims.

8.5 Right to object to direct marketing - where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling, insofar as the processing is related to such direct marketing.

8.6 The right to obtain human intervention from the Controller, to express one’s views and to contest a decision based on automated processing. In order to exercise the rights referred to in this section of the Privacy Policy, you can contact the Controller by sending a proper message in writing or by e-mail to the Controller’s address indicated at the beginning of the Privacy Policy or by using the contact form available on the Website.

IX. WEBSITE COOKIES, USAGE DATA AND ANALYTICS

9.1 Cookies are small information in the form of text files sent by a server and stored on the device of the person visiting the Website (e.g. on the hard drive of a computer, laptop or smartphone memory card - depending on the device used). Detailed information about cookies, as well as the history of their creation can be found, among others, here: http://pl.wikipedia.org/wiki/Ciasteczko.

9.2 The Controller may process data contained in Cookies when visitors use the Website for the following purposes:

  1. to adapt the content of the Website to the individual preferences of a given person and to optimise the use of the Website,
  2. keep anonymous statistics showing how the Website is used;
  3. remarketing, i.e. studying the behavioural characteristics of visitors to the Website by analysing their actions anonymously (e.g. repeated visits to specific pages, keywords, etc.) in order to create a profile and provide them with advertisements tailored to their predicted interests, also when they visit other websites on the advertising network of Google Inc. and Facebook Ireland Ltd;

9.3 By default, most web browsers available on the market accept the storage of cookies. You can determine the conditions for the use of cookies through the settings of your web browser. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the possibility to save cookies - in the latter case, however, this may affect some functionalities of the Website.

9.4 The settings of the Internet browser regarding cookies are important from the point of view of consent to the use of cookies - according to the regulations, such consent may also be expressed through the settings of the Internet browser. If you do not agree to this, please change your browser’s cookie settings accordingly. Detailed information about how to change the settings for cookies and to delete them in the most popular web browsers are available in the help section of your web browser and on the following pages:

- for Chrome
- for Firefox
- for Internet Explorer
- for Opera
- for Safari
- for Microsoft Edge

X. FINAL PROVISIONS.

The Controller shall make every effort to provide the stored personal data with adequate measures of physical, technical and organisational protection against its accidental or intentional destruction, accidental loss, alteration, unauthorised disclosure, use or access, in accordance with all relevant provisions.