1. The Joint Controllers of Personal Data are:
– Beata Góra Trading and Service Company MADISON, represented by Beata Góra, with its registered office in Starachowice, 27-200 Starachowice, ul. Bohaterów 48, NIP: 6641257322, REGON: 260003652, hereinafter referred to as “Madison”,
– MADISON BIS GÓRA SP. K., registered under NIP: 6642142348, REGON: 383016694, represented by Jacek Góra and Aleksandra Kawalec, with its registered office in Zębiec 1E, 27-200 Starachowice, hereinafter referred to as “Madison Bis”, each individually referred to as the “Controller”. Madison and Madison Bis jointly administer data due to the business relations between the two companies and personal ties.
2. Information obligation
In fulfilling the obligation resulting from the General Data Protection Regulation (GDPR) with respect to:
a) contractors who are parties to concluded agreements (natural persons conducting so-called sole proprietorship, natural persons conducting business in the form of civil law partnerships),
b) persons representing institutional contractors (e.g. partners of partnerships, members of management boards of companies, proxies, attorneys, trustees),
c) persons indicated by contractors for contact and for the performance of the subject of agreements (e.g. coordinators), we inform you that the Joint Controllers of personal data are the entities indicated above, i.e., Madison and Madison Bis. The Controllers of Personal Data can be contacted in all matters concerning the processing of personal data and the exercise of rights related to data processing in writing at the address – Zębiec 1E, 27-200 Starachowice. The Joint Controllers have not appointed a Data Protection Officer.
3. The legal basis for processing your data for the following purposes, depending on your role, is as follows:
3.1. performance of a contract – to the extent necessary to execute the contract (Art. 6(1)(b) GDPR) – for the duration of cooperation;
3.2. carrying out settlements of contract execution between the parties, including execution of payments to the extent necessary to perform the contract (Art. 6(1)(b) GDPR) – for the duration of cooperation;
3.3. performance of obligations related to enforcement of claims – in order to fulfill obligations related to enforcement of receivables arising from the Code of Civil Procedure, the Act on Court Bailiffs (Art. 6(1)(c) GDPR) – for 3 years from the last deduction;
3.4. performance of accounting obligations – in order to fulfill obligations arising from the Accounting Act (Art. 6(1)(c) GDPR) – for 5 years from the end of the year in which the tax event occurred;
3.5. fulfillment of tax obligations – in order to fulfill obligations arising from tax regulations, in particular the Tax Ordinance, the Corporate Income Tax Act, the Value Added Tax Act (Art. 6(1)(c) GDPR) – for 5 years from the end of the tax year in which the tax event occurred;
3.6. pursuing claims or defending against claims – as the legitimate interest of the Controller consisting of pursuing its property or non-property rights, protection against claims against the Controller, in accordance with general provisions, in particular the Civil Code (Art. 6(1)(f) GDPR) – for 3 years after the termination of cooperation;
3.7. analytics and contractor verification – as the legitimate interest of the Controller consisting of analyzing the results of the conducted business activity;
3.8. communication between the Parties – as the legitimate interest of the Controller consisting of ensuring proper communication between the parties to the contract (Art. 6(1)(f) GDPR) – for the duration of cooperation;
3.9. conducting marketing activities for the Controller’s own products and services – as the legitimate interest of the Controller consisting of conducting activities promoting the Controller’s business activity (Art. 6(1)(f) GDPR) – for the duration of cooperation or until an objection is lodged;
3.10. processing your personal data is necessary to conclude and/or properly perform the legal relationship binding the Data Controller.
Recipients of personal data:
4. Recipients of your data may include entities which, on the basis of concluded contracts, process personal data on behalf of the Controllers (service providers in the field of, among others, accounting and HR services, legal, advisory, IT, forwarding and transport services), as well as entities authorized under applicable legal provisions (in particular courts and state authorities).
5. Your data will not be transferred to third countries.
6. Furthermore, we inform you that you have the right to: access your personal data and request rectification of your personal data which is incorrect and to complete incomplete personal data, request restriction of processing of your personal data, object to the processing of your data, due to your particular situation, in cases where we process your data solely on the basis of our legitimate interest or for direct marketing purposes, transfer your personal data, request the deletion of data (except where the Controller processes data in order to establish, pursue or defend its claims), lodge a complaint with the supervisory authority responsible for data protection, i.e., the President of the Personal Data Protection Office, address: ul. Stawki 2, 00-193 Warsaw.
Personal data security:
7. We inform you that we do not use systems for automated decision-making, including profiling, although the processing of personal data itself may be carried out in an automated manner.
8. The Joint Controllers and each Controller individually conduct ongoing risk analysis to ensure that personal data is processed by them in a secure manner – ensuring above all that access to the data is granted only to authorized persons and only to the extent necessary for the performance of their tasks.
9. The Joint Controllers and each Controller individually ensure that all operations on Personal Data are recorded and carried out only by authorized employees and associates.
10. The Joint Controllers and each Controller individually take all necessary measures to ensure that their subcontractors and other cooperating entities also provide guarantees of applying appropriate security measures in every case where they process personal data on their behalf.
Personal data retention period:
11. The period of data processing by the Joint Controllers or individual Controllers depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision or order execution, until the consent given is withdrawn or a valid objection to data processing is submitted in cases where the legal basis for data processing is the legitimate interest of the Joint Controllers or each Controller individually.
12. The period of data processing may be extended if processing is necessary to establish and pursue possible claims or defend against claims, and after that time only in cases and to the extent required by law. After the expiration of the processing period, the data is irreversibly deleted or anonymized.
