Privacy Policy

We take care of your data security. We have adopted solutions to meet the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).

1. General Information

The Privacy Policy indicates how personal data is processed, presents the ways in which the protection of personal data of those natural persons whose data are processed by the Administrator can be implemented, and how a breach of personal data processing can be reported.

2. Scope of Application

1. The purpose of this document is to ensure compliance of the personal data processing by the Administrator with the principles stemming from the GDPR.

2. The addressees of the Policy are:

a) all natural persons whose personal data are processed by the Administrator

b) all persons authorized to process personal data by the Administrator, including the Administrator’s employees and associates.

3. The Privacy Policy applies to all personal data processing and all personal data processed by the Administrator, regardless of the form of processing (traditional processing and IT systems) and whether the personal data are or can be processed in data sets.

3. Definitions

1. Administrator – GP FMCG SP. Z O.O.

2. Policy – this Privacy Policy adopted by the Administrator.

3. Personal data – any information about an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of such data as: name, surname, mailing address, e-mail address or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

4. Processor – an entity which processes personal data on behalf of the Administrator.

5. Processing of personal data – an operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limiting, erasure or destruction.

6. A person authorized to process personal data – a person authorized by the Administrator or the Processor to process personal data to the extent specified by the authorization.

7. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

8. Act – Act of 10 May 2018 on the protection of personal data (i.e. Journal of Laws 2018, item 1000; as amended).

9. President of the UODO – President of the Office for the Protection of Personal Data; Polish supervisory authority in the field of personal data processing.

10. Violation of personal data protection – security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

11. User – an entity using the Administrator’s website by means of a computer or other terminal device.

4. Personal data processing regulations

1. The obligation to obey the principles of personal data processing specified in the Privacy Policy is imposed on all addressees of the Policy, as well as on entities with whom the Administrator has concluded agreements on entrustment of personal data processing, unless the agreement on entrustment of personal data processing or another legal instrument establishes other principles for observing the regulations concerning personal data processing that do not violate the regulations of the GDPR.

2. The processing of personal data is based on the following principles set out in Article 5 of the GDPR:

a) the principle of lawfulness – personal data is processed lawfully, fairly and in a manner which is transparent to the data subject

b) the principle of purpose limitation – personal data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes

c) the principle of accuracy – personal data is collected correctly and, where necessary, updated; in the case of incorrect processing in the light of the purposes of processing, every reasonable step must be taken to ensure that the data are immediately deleted or rectified

d) the principle of data integrity and confidentiality – personal data is processed in such a way as to ensure appropriate security of personal data, including protection against unlawful or incompatible processing and accidental loss, destruction or damage, by appropriate technical or organisational measures

e) the principle of minimalism – personal data is processed in an adequate, relevant and limited way and for the purposes for which they are processed

f) the principle of storage limitation – personal data is kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer, provided that they are processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes under Article 89(1) of the GDPR, on condition that appropriate technical and organisational measures required under the GDPR are implemented to protect the rights and freedom of data subjects

g) the principle of accountability – it means the possibility of demonstrating compliance with the principles set out in this point.

3. The Administrator, when obliged to do so by law, or if he or she is willing to do so, maintains a register of processing activities. If the Administrator is also a Processor, in a situation when he or she is obliged to do so or if he or she is willing to do so, he or she maintains a register of categories of processing activities.

4. The Administrator maintains the necessary documentation and applies appropriate technical and security measures for the proper processing of personal data.

5. The Administrator grants authorization to persons who, in the performance of their duties, process personal data. At the same time, each of the authorized persons is obliged to maintain the confidentiality of all information that they have obtained in the performance of their duties.

6. Each person authorized to process personal data is obliged to:

a) process the personal data only to the extent and for the purpose provided for in the tasks entrusted

b) keep the personal data to which he or she has access confidential

c) not use the personal data for purposes incompatible with the scope and purpose of the tasks entrusted

d) keep the methods of personal data protection confidential

e) protect personal data against accidental or unlawful destruction, loss, modification, unauthorized disclosure, unauthorized access to personal data and processing

f) report any detected or suspected breach of personal data protection, in accordance with the principles of reporting violations.

7. The Administrator provides for the application of technical and organisational measures necessary to ensure the confidentiality, integrity, accountability and continuity of the data processed and supervises compliance with personal data protection rules.

8. The Administrator, in the course of its business activities, may outsource the processing of personal data to other entities. In such a case the detailed rules for entrusting the processing of personal data are regulated by the contract of entrustment of data processing or other legal instrument.

9. The Administrator takes into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violation of the rights or freedoms of natural persons of varying degrees of probability and importance resulting from the processing, by implementing appropriate technical and organizational measures (privacy by design).

10. The Administrator implements appropriate technical and organisational measures with regard to the personal data he or she processes, so that, by default, only those personal data are processed which are necessary to achieve each specific purpose of the processing (privacy by default).

11. Connections to the Administrator’s website are encrypted using the SSL protocol.

12. If the processing of personal data requires a permission, the Administrator processes these data only for the purpose and to the extent to which the permission has been given.

13. In case of entrusting the processing of personal data, the Administrator uses only the services of such a Processor, which provides sufficient guarantees of implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and the rights of the data subjects.

5. Principles of execution of natural persons’ rights

1. As a result of granting a number of rights to natural persons whose personal data are processed, the Administrator provides for their execution whenever possible. The rights of natural persons that the Administrator exercises are:

a) the right of access to data

b) the right to rectify the data

c) the right to erase the data

d) the right to restrict the processing

e) the right to data transfer

f) the right to object

g) the right of withdrawal of consent.

2. The Administrator has implemented organizational and technical measures to ensure the execution of the above mentioned rights so that the data subjects’ requests can be executed without undue delay and not later than one month from receiving the request of the individual.

3. In the case of a complex request or a significant number of requests, the Administrator will inform the individual concerned about the extension of the deadline by a maximum of two more months, together with the reasons for the delay within one month from receiving the request of the individual.

4. If the request of the natural person cannot be accepted (e.g. is contrary to law), the Administrator will inform the natural person within the above mentioned deadlines about the refusal to fulfill the request and the reasons for the refusal.

5. Actions taken by the Administrator in response to the requests are free of charge. Exceptionally, if the demands of a natural person are clearly excessive, the Administrator has the right to charge a fee in the amount including the costs of providing a response.

6. The demands of natural persons may be addressed to the Administrator:

a) in writing to the address: GP FMCG SP. Z O.O., ul. Kościelna 1A, 65-064 Zielona Góra

b) by e-mail to the following address: mail@gp-fmcg.eu

7. If a request is submitted to an employee or co-worker of the Administrator, that person is obliged to submit the request immediately to the following address: mail@gp-fmcg.eu.

8. In justified cases, the Administrator may seek to verify the identity of the natural person before executing the right of a natural person.

9. The execution of the rights of natural persons whose data are processed is performed in written or documentary form (including electronic form).

10. In order to defend possible claims, the Administrator reserves the right to process any correspondence related to the execution of the rights of individuals whose data are processed until the expiry of the period of limitation of claims.

11. The Administrator may refuse a request to terminate the processing of personal data on the basis of:

a) the existence of important legitimate grounds for the processing of data, overriding the interests, rights and freedoms of the data subject, or

b) the existence of grounds for establishing, investigating or defending claims.

12. Where the processing of personal data is based on the consent of an individual, the individual has the right to withdraw his or her consent to the processing of personal data at any time.

6. Reporting of violations

1. In the case of a violation, the person who detected the violation is obliged to immediately report it to the Administrator.

2. A notification of violation may also be made in electronic form, at the following address: mail@gp-fmcg.eu.

3. The person reporting a violation is required to send a report. Failure to report a violation by a person who has become aware of the violation may be classified as a serious breach of employee obligations or grounds for termination of a civil law contract for important reasons.

4. The Processor is also obliged to report the breach in accordance with the principles contained in the contract of entrustment of data processing, or other legal instrument on the basis of which the processing of personal data was entrusted.

5. The person reporting the breach, in addition to the obligation to report the breach immediately, is obliged to take all possible measures to minimize the effects of the breach, including refraining from starting or continuing work if its performance could lead to an increase in the scale of the breach or make it difficult or impossible to determine its cause.