General Data Protection Notice

In accordance with Article 13(1)−(2) and Article 26(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1) – hereinafter referred to as the GDPR – we hereby inform you that:

I. Data Controller

The Data Controller determining the purposes and means of processing personal data is: Optimum Process Spółka z ograniczoną odpowiedzialnością, seated in Poland, Warsaw (02-222), al. Jerozolimskie 181B, NIP 5213786607, KRS 0000684901, REGON 367693875.

II. Contact for Data Protection Matters

You may contact the Data Controller by email at: [email protected] or by post at: al. Jerozolimskie 181B, 02-222 Warsaw, Poland.

III. Collection, Processing, and Use of Personal Data

The manner and scope of personal data collection depends on the purpose for which the data was collected and the legal basis for its processing.

We process personal data for the following purposes and on the following legal bases (legal basis – Article 6(1)(a)–(c) and (f) GDPR):

  1. Entering into and performing individual orders, including ensuring proper service quality (legal basis – Article 6(1)(b) GDPR) – “performance of a contract”.
  2. Fulfilling legal obligations, e.g. issuing and storing invoices or handling complaints (legal basis – Article 6(1)(c) GDPR) – “legal obligation”.
  3. Pursuing potential claims (legal basis – Article 6(1)(f) GDPR) – “legitimate interest”.
  4. Marketing of own services during the term of the contract (legal basis – Article 6(1)(f) GDPR) – “legitimate interest”.
  5. Marketing conducted via electronic communications, where consent to use data for this purpose has been given (legal basis – Article 6(1)(a) GDPR) – “consent”.

We process the personal data provided to us for the period necessary to fulfill the purposes described above. Depending on the legal basis, this will be:

  1. The duration of legal obligations and the period during which applicable law requires the Data Controller to retain data, e.g. tax regulations.
  2. The period after which any contractual claims become time-barred.
  3. Until consent is withdrawn.

IV. Sharing Personal Data with Third Parties

Subject to appropriate data security guarantees, we may share personal data with other entities, including:

  1. Persons authorized by the Data Controller to process data.
  2. Entities entrusted with data processing, such as technical service providers and advisory service providers.
  3. Other data controllers, such as courier companies.

Entities to whom user data is disclosed may use it only in the manner and to the extent necessary to fulfill the purpose defined by the Data Controller. The Data Controller also works with advisors who are required to comply with applicable data protection regulations and security standards. The Data Controller enters into data processing agreements with individual entities, setting out the terms of their use of personal data.

V. Data Security

To ensure the confidentiality of data, the Data Controller has implemented procedures and organizational and technical measures that restrict data access to authorized persons who process it in connection with their assigned responsibilities. Necessary steps are taken to ensure that subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process data on behalf of the Data Controller.

VI. Rights of the Data Subject

Every person whose personal data is held by the Data Controller has the right to access their personal data, to data portability, to rectification of data, and to erasure or restriction of processing of personal data. Any limitations on these rights may only arise from applicable law.

In addition to the rights listed above, every data subject may object to the processing of their data where the legal basis for such processing is legitimate interest. Upon receipt of such a request, the Data Controller is obliged to cease processing the data for the specified purpose.

Withdrawal of consent to the processing of personal data does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

To exercise any of these rights, please send an email to: [email protected].

Every data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if they believe that the processing of their personal data by the Data Controller violates applicable law.

Communication with the Data Controller is conducted in English only.

VII. Profiling

Personal data will not be processed in an automated manner, including in the form of profiling.