Personal data protection
I. Personal data
We are publishing this document in order to clarify the reasons for collecting and processing personal data within the scope of our operations:
1. What are personal data?
Personal data are any information that makes it easy to distinguish one person from others. Personal data may refer directly (such as name and surname, ID number, and sometimes even an e-mail address or internet account) or indirectly to a given person. Examples of the latter include health condition, beliefs, address, addictions, race or religion.
2. What personal data are we talking about in our case?
We process data provided to us by customers, business partners, staff and associates in conjunction with using our services, cooperation or employment.
3. What is data processing?
Processing means all the operations which we can perform on personal data – associated both with their active use, such as collecting, downloading, saving, combining, modifying or making available, and with passive use, such as storing, limiting, deleting or destroying.
4. Who is the Data Controller (that is who affects its processing and
Your Data Controller is: .mdd sp. z o. o.
in Sępólno Krajeńskie, at ul. Koronowska 22, 89–400 Sępólno Krajeńskie, TIN 5611437378, National Business Registry Number 092911632, represented by the Company Management Board, Tel. No.: +48 (52) 389 44 00, correspondence address: email@example.com
Data Co-controllers, independently deciding on the purposes and means of data processing, are entities in the .mdd Group, that is companies related by capital and / or persons. Apart from the Data Controller, the .mdd Group consists of:
- DIRECT DIGITAL Sp. z o.o., with its headquarters at Toruńska 33, 85-023 Bydgoszcz, Poland, National Court Register number 0000915881, TIN 9532784828, National Business Registry Number 38966249000000, which in particular is independently in charge of the online sale of .mdd Group products.
A corporate Data Protection Officer has been constituted within the .mdd Group. Their contact information is provided in section I. 12 of this Policy.
5. Pursuant to what legal basis and why do we process your
Every instance of processing your data must have an appropriate legal basis in accordance with the regulations currently in force. This basis may be your consent to data processing or other legal provisions allowing for such actions set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (referred to as GDPR) or various national legislation, such as acts or resolutions.
We may process your data for a number of purposes, such as:
• you can make your data available to us by sending an e-mail. Then we process your data on the basis of your consent (Article 6, paragraph 1a of GDPR) which you automatically grant while sending your data (e.g. your e-mail address) to us. Your consent is voluntary – you may retract it at any time. In such case we shall delete all the information you provided, as long as you have not become our customer,
• if you are a customer of ours or interested in our services, then we process your data pursuant to an agreement you signed with us or within the scope of preparations for concluding such an agreement (Article 6, paragraph 1b of GDPR). This always takes place with your knowledge and according to your intention. In expressing an intention to conclude an agreement, you know what personal data will be required to sign it, and once signed you know what data you handed over or shall hand over at a later date,
• if you become a user of our services, for example a recipient of marketing information which we have put together, we will process your data on the basis of your consent (Article 6, paragraph 1a of GDPR). Your consent can be given verbally, during the course of a telephone conversation or by responding to a question sent by us wherein we ask whether you agree to receive information about our products and services. Your consent is voluntary – you may retract it at any time. In such case we shall cease providing our services and delete all the information you handed over immediately,
• we may also process your data in conjunction with the need to ensure the security of our information network. This might come to pass when you use or connect to our IT infrastructure for example by browsing our website or sending messages to us. This comprises our legitimate interest (Article 6, paragraph 1f of GDPR),
• if you are interested in working for us, your data is processed in the form of an application or CV which you sent. This always takes place upon your request (Article 6, paragraph 1b of GDPR) and pursuant to a written consent, which you may retract at any time. In such case we shall not consider your application and delete all the information you handed over immediately. From the moment you become employed with us, further data processing principles and the obligatory scope for their provision and further processing are governed by the provisions of law (Article 6, paragraph 1c of GDPR).
6. Who do we transfer your data to?
According to the law we can transfer your data to subcontracted processors such as: the post operator, accounting firm, internet services provider or those service subcontractors specified in your agreement (for example – distributors, freight forwarder companies and delivery companies). If, as our employee, you have become a member of the Employee Capital Plan, we can provide your data to the managing financial institution. We are also obliged to make your data available to entities authorised pursuant to other provisions of law (such as the courts or enforcement bodies). The data will only be made available if such entities submit a request on the matter, indicating the legal basis pursuant to which such a request is justified.
We do not foresee transferring your data to third countries or international organisations, that is outside of the European Union economic area. Pursuant to GDPR, in the European Union all member states provide the same level of protection for your data. For the Polish language version of GDPR see: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=OJ:L:2016:119:TOC
7. How long will we process your data for?
We make every effort to limit the scope of collected data to the necessary minimum, and this includes the processing period. To that end we perform systematic reviews of our documents, both paper and in electronic versions and delete surplus data. Remember that the processing time of your data, depending on the grounds pursuant to which we obtained it, may be governed by separate, independent provisions of law subject to which we may be obliged to store your data regardless of your will or intent. Here the labour law, social insurance law or accounting regulations are just some examples.
We may also obtain your data in conjunction with a training seminar, in which case we may only process it for a short period of time, for purposes associated with financial settlements with the entity which contracted us to perform the training seminar or to issue you with a certificate confirming training participation. After these actions we will delete your data immediately and we will certainly not use them for other purposes, such as advertising our services, unless you explicitly and expressly consent to such use.
If you were the end recipient of our services and we concluded an agreement on the matter, pursuant to accounting regulations, your data will be held as part of relevant drafted financial and accounting documentation and processed for 5 subsequent calendar years starting from the purchase/agreement date.
If the data we hold are going to be used for any purpose other than that for which they were obtained, we will always inform you and you will have an opportunity to object.
8. What are your rights in relation to your data?
If we are processing your personal data, you always have the right to:
- request access to data – within the scope of GDPR Article 15,
- rectify data – within the scope of GDPR Article 16,
- request an erasure – within the scope of GDPR Article 17,
- or limit data processing – within the scope of GDPR Article 18,
- object to data processing – within the scope of GDPR Article 21,
- data portability and to obtain copies of it – within the scope of GDPR Article 20.
All these rights are set forth in detail in Article 15 to 21 of GDPR, for the Polish language version see: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=OJ:L:2016:119:TOC
You can also withdraw your consent to data processing at any time. In such an event we will immediately erase your data unless we are otherwise legally obliged to continue processing.
If you consider that we have breached your rights in any way – we certainly wish this does not happen – or have failed to ensure the security of your data, then you have the right to lodge a complaint with a supervisory authority, currently the President of the Personal Data Protection Office.
9. Automated decision-making and profiling information
We will not make any automated decisions on the basis of your data, that is ones of automated nature, made without human intervention. Also, we do not engage in any activities for the purpose of profiling you.
10. How do we protect your data?
We use the legally required technical and organizational measures to safeguard your data. At our site we have installed the required physical safeguards to prevent unauthorized data access. Our staff hold the required certificates and may process data in a limited manner, that is only within the scope required to perform their professional duties.
The 256-bit TLS security protocol, which we use in version 1.2, ensures the safety of your data sent electronically. A green padlock next to our web address in your web browser may indicate this. As the site was encrypted before it was sent, you can be sure that you are entering our site, which has not been modified in any way en route to you via the Internet.
11. Protecting the privacy of minors
Our site does not monitor or verify information pertaining to the age of users, senders and recipients of messages or persons interested in receiving our news and updates, including in the form of a newsletter. Contact details for visitors (such as users’ telephone numbers and e-mail addresses) are used to perform orders, send company and marketing information.
Minors should not send any information and should not subscribe to the services rendered by our company, without the consent of their parents or legal guardians. We will require such a consent in each case where we discover that a user is a minor (“child”) in the meaning of GDPR Article 8, i.e. the child is below the age of 16 years.
12. Contact details for the person responsible for personal data
Biuro Doradczo-Usługowe OIN Jerzy Gerszewski, Sławomir Rzepecki Spółka Cywilna in Bydgoszcz, whose representative, Sławomir Rzepecki is the Data Protection Officer for the .mdd Group, shall represent us in all personal data protection issues. His contact details are as follows: e-mail: firstname.lastname@example.org and mobile telephone number: +48 602-734-255.
13. Transferring data outside of the European Economic Area
In principle, the Data Controller does not foresee transferring your data to third countries, that is outside of the European Economic Area. However, because our websites feature plugins to our accounts on social media (Facebook, Instagram, LinkedIn, Pinterest and Twitter), Users’ data can, when those plugins are used, be transferred outside of the EEA to third countries that do not provide the personal data protection guaranteed by the GDPR.
Please note that the owners of those social media platforms declare that any transfer of personal data outside of the EEA will be carried out according to standard contractual clauses issued by the European Commission, according to Article 46, paragraph 2c of GDPR, or other equivalent mechanisms foreseen in Chapter V of GDPR.
To obtain current and comprehensive information on the subject, we advise you to read, each time, the detailed notices on the rules for processing personal data issued by each social media platform and published on their websites. Such information is available here:
II. Visual monitoring
1. Legal basis:
The legal basis for monitoring is the legitimate interest pursued by us as the Controller (Article 6, paragraph 1f of GDPR), and in particular it stems from the necessity to protect property, settle conflict situations associated with complaints, to identify perpetrators of incidents and collect evidence in order to demonstrate facts or as defence against possible claims.
2. The purpose of monitoring:
The purpose of our visual monitoring is:
- to ensure safety and to protect the health and life of our members of staff, customers as well as other persons at the premises of our Company;
- to secure moveable and immovable property within the premises of our Company, including to prevent theft and devastation;
- to keep secret information, the disclosure of which could expose our Company to loss.
3. Form of monitoring:
We use visual monitoring in the form of cameras which facilitate the recording of images of persons within premises of the Company. The area subject to monitoring is clearly marked using pictograms together with our contact details. Such pictograms are displayed by all entrances to the area subject to monitoring.
4. Scope of personal data processing:
The scope of possible information processing associated with the images recorded on a device monitoring the site includes:
- images of natural persons,
- vehicle registration number,
- date and location of the event subject to monitoring,
- the behaviour of persons whose images were recorded by the image recording device.
5. Storage period and making data available:
Monitoring records are only processed for purposes for which they were collected and stored for a period of up to 30 days. That time may be extended by periods dictated by statutory obligations or to protect the rights of the Controller or of third parties, including in order to pursue or defend against claims.
The recordings may be made available only to our members of staff who have been authorised by name as well as entities authorised to access the video recordings pursuant to the law.
We have no plans to transfer your personal data to a third country or an international organisation. The recorded data shall not be profiled, and shall only be consulted in the event of a breach or suspected breach of security or in association with a submitted complaint.
6. Rights of persons whose image was recorded:
Persons whose data constitute part of the materials obtained from monitoring are entitled to the same rights as those specified in item I.8.
III. Cookie files
1. What are cookie files and what are they used for?
Cookies are text files saved on your device and used by the server to remember your device when it connects again. Cookies are downloaded every time you “enter” and “exit” a site. Cookies are not used to identify users, but only your device, in order to, among other things, identify the type of browser you are using and display an image best suited to the performance capabilities (e.g. resolution) or type (desktop or mobile version) of your hardware.
Cookies are most often used for counters, surveys, Internet shops, pages which require a log-in, adverts and to monitor the activity of visitors. Cookies also make it possible to remember your interests and adjust the site content and adverts displayed accordingly.
More information on cookies (in Polish) can be found at: www.wszystkoociasteczkach.pl
2. What do cookies do?
In general, cookies function as follows:
- they identify the details of the computer and browser used to browse websites – this can be used to find out if a given computer has opened a given site before,
- data obtained from cookies are not associated with the users’ personal data obtained during registration for example,
- they are not harmful to you or your computers or smart phones – they do not impact performance,
- they do not change the configuration of end devices or in the software installed on those devices,
- by default, cookies’ parameters allow them only to be opened by the server which created them,
- they provide the server with information based on your activity on websites which you browse, which is then used to display a site better adjusted to your individual preferences.
3. What types of cookies are there?
There are three basic types of cookies:
“Session cookies” – are temporary files, stored in the memory of the browser until the session ends (or when the browser is closed). These files are required by some applications or functions to work properly. Once the browser is closed, they should be automatically removed from the device used to browse the site,
“Persistent cookies” – make it easier to use sites which are visited often (e.g. they remember the colour layout of the site or the menu layout on your favourite sites). These files are stored in an appropriate folder for longer periods which you can adjust using your browser settings. Every time you visit a given page, information from these files is sent to the server. This type of cookies is sometimes referred to as tracking cookies.
“Third party cookies” – are files usually from advertising servers, search servers, etc., which cooperate with the owner of a given site. They are used to display adverts adjusted to your preferences and habits, which is often the reason elements of a given web service are free. They are also used to record “click rates” for adverts, user preferences, etc.
- a) essential
- b) statistical
- c) marketing
The essential cookies contribute to the usability of the website by providing basic functions, such as navigation and access to secure areas of the website. The website cannot function properly without those cookies. They enable the use of the website e.g. to authenticate the user and to remember the setting of the website chosen by the user, for example by personalising the chosen language and currency.
Statistical cookies help us understand how different users behave on the website by collecting and reporting anonymous information. They collect data about how the site is used, which ultimately enables us to continuously improve the content and structure of our site.
| Name | Function | Expiry date | Type |
| --- | --- | --- | --- |
| _gid | registers a unique ID that is used to generate statistical data on how the visitor uses the website | 1 day | HTTP |
| _ga | registers a unique ID that is used to generate statistical data on how the visitor uses the website | 399 days | HTTP |
| _ga_# | used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit | 399 days | HTTP |
Marketing cookies are used to track users on the website. Their purpose is to display advertisements that are relevant and interesting to individual users and thus more valuable to third-party publishers and advertisers.
| Name | Function | Expiry date | Type |
| --- | --- | --- | --- |
| _gcl_au | used by Google AdSense for experimenting with advertisement efficiency across websites using their services | 3 months | HTTP |
| _fbp | used by Facebook to deliver a series of advertisement products such as real-time bidding from third-party advertisers | 3 months | HTTP |
Remember, you can manage cookie settings independently. This is made possible both by the information on cookies provided on our website and by changing the settings of the browser that you use (usually by default the mechanism is enabled). The most popular browsers allow you to:
- enable cookie files to take advantage of all the functions of given websites,
- manage cookies on the level of particular websites which you select,
- configure settings for different types of cookies, for example to accept persistent cookies as session cookies, etc.,
- block or delete cookies.
For information on enabling and disabling cookies in the most popular browsers follow these links:
- Google for Chrome browser settings
- Microsoft for Microsoft Edge browser settings
- Mozilla for Mozilla Firefox browser settings
- Opera Software for Opera browser settings
- Apple for Safari browser settings
If you do not change the settings of your browser, cookies will remain enabled. If you block cookies or disable some types of cookies, you may be unable to use all functions of a given site, or the site may not function properly.
Our website uses both session cookies as well as persistent cookies. We use them for the following purposes:
- statistics, facilitating improvement to site content and structure,
- keeping the user’s session open.
In order to function correctly, websites collect the following information: name and version of the browser, language settings, date and time of the server request, the IP address from which the request was sent, and the requested URL. The data are collected to ensure the website functions correctly.
Google collects data on its servers obtained from cookies it placed on devices and uses this information in order to assess website usage by a user, create reports on website traffic for website operators and to provide other services associated with website traffic and Internet use. Google may also provide this information to third parties if it is obliged to do so pursuant to the provisions of law or if those entities process such information on behalf of Google.
The data collected by our website are not disclosed or made available to third parties with the exception of enforcement bodies authorised to conduct criminal proceedings instigated in conjunction with a request we submitted. This will only take place if you engage in unlawful activity or activity to our detriment.
Dear Client or Contractor of .mdd Sp. z o.o.,
Below you will find information on how .mdd Sp. z o.o. processes your personal data and possibly the personal data of persons whose data you provide to .mdd.
When sharing your personal data, you are obliged to comply with the information obligation towards Personnel and Representatives under Articles 13 and 14 of the “RODO” (Polish version of the GDPR), by providing these persons with the contents of this information clause.
The terms Personnel and Representatives are explained in the clause below.
.mdd Sp. z o. o. in Sepolno Krajenskie
The information clause of .mdd Sp. z o.o. applies to:
- natural persons conducting business activities with whom .mdd Sp. z o.o. has entered into an agreement (hereinafter “Entrepreneurs”);
- employees and co-workers of clients and contractors of .mdd Sp. z o.o., whose data has been made available to .mdd Sp. z o.o. in connection with the agreement (hereinafter “Personnel”);
- members of the bodies of clients and contractors and counterparties, proxies and attorneys who conclude agreements on behalf of clients and contractors of .mdd Sp. z o.o. (hereinafter “Representatives”).
.mdd Sp. z o.o. in Sepolno Krajenskie, Koronowska Street 22, 89-400 Sepolno Krajenskie, Poland (hereinafter: “.mdd Sp. z o.o.”) processes your personal data:
- in the case of Entrepreneurs – for the purpose of preparing, concluding and performing the contract to which you are a party;
- in the case of Personnel – for the purpose of performance of the agreement concluded between .mdd Sp. z o.o. and the client of the contractor to whom you are a party, in particular for the purpose of contacting you in connection with the performance of the agreement;
- in the case of Representatives – for the purpose of concluding and performing a contract which you sign on behalf of a client or contractor of .mdd Sp. z o.o.
In accordance with the applicable legislation on the protection of personal data, in particular Regulation 2016/679 of the European Parliament and of the EU Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Dz. Urz. EU L 119, 04.05.2016, p. 1, as amended), hereinafter: “RODO”, in order to ensure adequate protection of personal data, the data subject must, first of all, be provided with information concerning the processing of his/her personal data as set out in Articles 13 and 14 of the RODO.
In light of the above, we would like to inform you that:
- The Administrator of your Personal Data (hereinafter: “Administrator”) is .mdd Sp. z o.o. in Sepolno Krajenskie, KRS 0000097731, represented by the Board of Directors.
- The Administrator can be contacted: in writing, by post to the address: Koronowska Street 22, 89-400 Sepolno Krajenskie, Poland; by telephone: + 48 52 389 44 00; or by e-mail: email@example.com.
- The Personal Data Protection Supervisor can be contacted via e-mail address: firstname.lastname@example.org or in writing to address Koronowska Street 22, 89-400 Sepolno Krajenskie, Poland.
Your Personal Data is processed on the basis of:
- In the case of Entrepreneurs – Article 6(1)(b) of RODO – the processing is necessary for the conclusion and performance of a contract to which you are a party;
- In the case of Personnel and Representatives – Article 6(1)(f) of RODO – processing is necessary for the purposes of the legitimate interests pursued by the Administrator.
- If you do not wish us to process your data further, please contact us. However, we would like to inform you that your personal data is necessary for the execution of the contract.
- Your Personal Data will be stored by .mdd Sp. z o.o. for the duration of the contract and for the period necessary to establish, assert or defend claims, i.e. until the statute of limitation for claims.
Your Personal Data may be shared with:
- processors who execute on behalf of and for the benefit of .mdd Sp. z o.o.
- subcontractors who support .mdd Sp. z o.o. in the provision of services to the Client or Contractor.
In relation to the processing of Personal Data, you are entitled to:
- demand access to your personal data – within the limits of Article 15 of RODO;
- demand the Administrator to rectify your personal data – within the limits of Article 16 of RODO;
- demand the Administrator to delete your personal data – within the limits of Article 17 of RODO;
- demand the Administrator to restrict the processing of your personal data – within the limits of Article 18 of RODO;
- object to the processing of your Personal Data – within the limits of Article 21 of RODO;
- transfer your Personal Data – within the limits of Article 20 of RODO;
- lodge a complaint with a supervisory authority (the President of the Office for the Protection of Personal Data).
- The Administrator has no intent to transfer your personal data to a third country or an international organisation.
- Your personal data will be subject to automated decision-making processes, including profiling.
Information clause for job applicants
According to Article 13 of “RODO” (Polish version of the GDPR), we inform you that:
- The Administrator of your personal data is .mdd Sp. z o.o., with its registered office in Sepolno Krajenskie, Poland, at Koronowska Street 22, 89-400 Sępólno Krajeńskie, KRS: 0000097731.
- The Administrator has appointed a Data Protection Officer, whom you can contact on matters of data protection and the exercise of your rights at the email address: email@example.com or in writing to the address given in paragraph 1.
Your personal data will be processed for the purposes of carrying out and concluding the recruitment process, and, if you have given your consent, also for future recruitments conducted by the Administrator for the purpose of:
- taking action at your request prior to the conclusion of an employment contract, in accordance with Article 6(1)(b) of RODO,
- fulfilling the Administrator’s legal obligations under Article 221 § 1 of the Polish Labour Code of 26 June 1974, in accordance with Article 6(1)(c) of RODO,
- while personal data other than those listed in Article 221 § 1 of the Polish Labour Code of 26 June 1974 will be processed in accordance with Article 6(1)(a) and Article 9(2)(1) of RODO, on the basis of your prior consent.
- Your personal data will be stored for the duration of the recruitment process, and once this has ended, any application documents will be destroyed within 3 months. If you have consented to further recruitment processes, the processing time of your data will be 1 year.
- The Administrator may make your personal data available only to entities authorised to obtain personal data on the basis of legal provisions, as well as entities cooperating in the recruitment process, subcontractors, i.e. entities used by the Administrator in the processing of your personal data, including, in particular, entities providing IT services, maintenance services, postal operators or courier companies to the Administrator.
You have the right to request from the Administrator:
- access to your personal data – within the limits of Article 15 of RODO,
- the rectification of your personal data – within the limits of Article 16 of RODO,
- the erasure of your personal data – within the limits of Article 17 of RODO,
- to restrict the processing of your personal data – within the limits of Article 18 of RODO,
- to withdraw your consent at any time without affecting the lawfulness of the processing that was carried out on the basis of the consent before its withdrawal, if the Administrator processed your personal data on that basis.
- You have the right to make a complaint with the supervisory authority, the President of the Office for the Protection of Personal Data, in the event of a breach of the processing of your personal data.
- It is not compulsory for you to provide your personal data, but it is necessary for the conclusion of the recruitment process.
- The Administrator has no intent to transfer your personal data to a third country or an international organisation.
- Your personal data will be subject to automated decision-making processes, including profiling.