PRIVACY POLICY
of 21^st May 2018

Our privacy policy determines the terms and conditions of processing and protecting personal data by Izopanel Sp. z o.o. with the seat in Gdańsk as per the requirements of the applicable law, including, in compliance with the Regulation of the European Parliament and of the Council UE 2016/679 of 27^th April 2016 on the protection of natural persons in connection with the processing of personal data and the free movement of such data as well as repealing the Directive 95/46/CE (hereinafter referred to as GDPR).

• DEFINITIONS

1. “DATA CONTROLLER”, “CONTROLLER” shall mean IZOPANEL Sp. z o.o. with the seat in Gdańsk at ul. Budowlanych 36, entered into the Register of Entrepreneurs kept by the District Court Gdańsk-Północ in Gdańsk, 7^th Commercial Division of the National Court Register under the number: 0000073499, Tax ID No. [NIP]: 957-079-60-41, share capital amounting to PLN 3,877,000.
2. “PERSONAL DATA”, “DATA” shall mean the information about an identified or identifiable natural person.
3. “BUYER” shall mean an entity purchasing goods or/and services from the Controller within the framework of business operations or a natural person (hereinafter referred to as the CONSUMER) purchasing goods and services from the Controller for the purpose not directly connected with its professional and business activity (Art. 22¹ of the Civil Code).
4. “NEWSLETTER” shall mean an electronic form of an advertising bulletin sent via email.
5. ”GTS” shall mean the General Terms and Conditions of Sale of goods and services offered by the Controller, available at the www.izopanel.pl webpage, as well as in the commercial establishments of the SELLER or at authorised sellers.
6. “PROCESSOR” shall mean a natural or legal person, public body, unit or other entity processing the personal data in the name of the controller.
7. “PRIVACY POLICY” – this document.
8. “PROFILING” shall mean any form of automated personal data processing which uses the personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
9. “DATA PROCESSING” shall mean an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
10. “CONTRACT OF SALE” shall mean a contract (of sale, delivery, cooperation, etc.) based on which a purchaser buys from the Controller goods or/and services subject to the GTS.
11. “SET OF DATA” shall mean a structured set of personal data available according to certain criteria, irrespective whether such set is centralised, decentralised or dispersed on a functional or geographical basis.

• GENERAL PROVISIONS

1. The herein Privacy Policy determines the terms and conditions of the processing and protecting of personal data by Izopanel Sp. z o.o. with the seat in Gdańsk, irrespective of the form of such processing.
2. The herein Privacy Policy is valid from 21^st May 2018. The full text of the updated Privacy Policy is available at www.izopanel.pl, as well as in a paper form at the seat of the Controller.
3. The Controller shall perform the activities connected with personal data processing and protection in line with the Privacy Policy, IT System Management Manual, Video-surveillance Terms and Conditions, Trade Credit Granting Terms and Conditions, other internal documents connected with personal data processing and applicable law.
4. The Controller shall process the personal data as per the terms and conditions of personal data processing mentioned in GDPR, in particular:
   • the principle of data processing lawfully, fairly and in a transparent manner in relation to the data subject;
   • the principle to collect data for specified, explicit and legitimate purposes and not processing it further in a way incompatible with those purposes;
   • the principle of data minimisation;
   • the principle of data accuracy;
   • the principle of data storage limitation;
   • the principle of processing in a manner ensuring adequate safety of personal data, including the protection against unauthorised or unlawful processing and accidental loss, destruction or deterioration, by means of relevant technical and organisational measures.
5. For effective fulfilment of the Privacy Policy, the Controller shall ensure relevant technical measures and organisational solutions ensuring the protection of personal data, shall have direct oversight over personal data processing and shall control the applied safety measures. The Controller shall make every effort to ensure all personal data protection measures safeguarding against its accidental or deliberate destruction, accidental loss, alteration, unauthorised disclosure, use or access.
6. The area where the personal data shall be processed by the Controller shall be its seat or its business establishments. Additionally, the area shall also include portable computers and other storage media outside this area.
7. By authorising its employees or partners to process the personal data, the Controller shall commit them to meet the herein Privacy Policy and the applicable law.
8. The personal data processed by the Controller shall be collected in data sets.
9. The Controller shall maintain the register of processing activities, kept in its seat.

• DATA PROCESSING – GENERAL TERMS

1. The Controller shall process the personal data if:
   • such processing is necessary for the performance of a contract of which the data subject is the party or to undertake actions on the demand of the data subject prior to the conclusion of the contract, e.g. to perform the contract of sale concluded between the parties as per the GTS or to handle a complaint, as per the GTS;
   • the data subject has consented to its personal data processing for one or more purposes, e.g. to receive newsletters from the Controller or to make contact with the Controller via its www.izopanel.pl webpage;
   • the processing is necessary to meet the legal obligation to which the Controller is subject;
   • the processing in necessary to protect the vital interest of the data subject or another natural person;
   • the processing is necessary for the purposes resulting from legally justifiable interests exercised by the controller or by a third party, except when the interests or basic laws and rights of the data subject, requiring personal data protection, override such interests.
2. The Controller shall process the personal data if there is a legal basis for this in the European Union law or in Polish law.
3. Each person whose personal data is processed by the Controller shall have the right to free access (review) to his/her personal data, the right to correct, rectify as well as the right to remove (“the right to be forgotten”), the right to limit the processing or the right to object against the processing along with the right to data portability, which should be reported to the Controller.
4. The personal data is not disclosed to other entities for marketing purposes, unless the data subject concerned gives his/her consent.
5. The Controller shall not take any data processing actions which could entail a considerable risk for the rights and freedoms of persons.
6. The Data subject which data is processed by the Controller has the right to lodge a complaint to the supervisory body – the President of the Office for Personal Data Protection.

• DATA PROCESSING – CONTRACTS OF SALE

1. The Controller shall process the personal data, in particular, if such processing is necessary for the performance of the contract of sale if the data subject is the party to such contract.
2. It is voluntary for the Buyer to provide its personal data. However, if the buyer refuses to provide its data or provides incomplete data required to conclude and perform the contract, it may result in the inability to conclude such contract.
3. By concluding the contract, the Buyer consents to its personal data processing, which will be used to:
   • conclude the contract, process the order and issue the documents of sale for the ordered goods and services.
   • perform any complaint related operations, including the terms of the guarantee.
   • potentially recover a payment from the Buyer.
4. The deadline of data erasure depends on the length of limitation periods for the validity of potential claims and the periods indicated by the provisions of tax law (fiscal law).

• DATA PROCESSING – EMPLOYEES AND PARTNERS

1. The Controller shall process the personal data if such processing is necessary in relation to its employees or partners, in particular, for the purposes of recruitment, the performance of work or cooperation contract, including the fulfilment of the obligations determined by law, management, planning and organisation of work, equality and diversity in the workplace, health and safety rules, protection of employer’s or client’s property as well as for the purposes of individual or collective exercise of rights and enjoyment of benefits related to employment, as well as for the purposes of the termination of job relationship or cooperation.
2. The deadline for the erasure of the data depends on the deadlines indicated in the provisions of the labour law, the deadlines indicated in the provisions of tax (fiscal) law and the length of limitation periods for the validity of potential claims.

• DATA PROCESSING – INFORMATION ABOUT GOODS, NEWSLETTER, CONTACT FORM

1. The Controller shall process the personal data, in particular, if the data subject consents to be informed about new goods, services or promotions offered by the Controller.
2. Personal data processing for the purpose of informing the data subject about goods, providing him/her with trade or marketing information (the newsletter, in particular) and to contact by means of contact form, require the consent of such data subject. Such person has the right to withdraw at any moment his/her consent or object against processing with no influence on the lawfulness of the processing performed based on the consent prior to its withdrawal.
3. The timeframe of data erasure depends on the moment the consent to further personal data processing is withdrawn by the data subject.

• DATA PROCESSING – PROFILING

1. The Controller shall process the personal data, in particular, within the extent of advertising campaigns available on www.izopanel.pl by means of profiling as well as for analytical purposes, adjusting webpage content to the preferences as well as for analytical purposes.
2. If the personal data is processed for direct marketing purposes, the data subject has the right to object at any time against his/her personal data processing for the purposes of such marketing, including profiling, within the extent to which such processing is connected with such direct marketing. In particular, a person visiting the izopanel.pl webpage, must consent to the storage of the so-called cookies on the device he/she uses and to use the parameters recorded in such files for the purposes mentioned in section 1 above.
3. The timeframe of data erasure depends on the time when the objection is made or on the time necessary for the achievement of the processing objectives.

• TECHNICAL AND ORGANISATIONAL MEASURES NECESSARY FOR THE PROPER PROCESSING OF PERSONAL DATA, AUTHORISATION OF PROCESSING AND THE VIOLATION OF PERSONAL DATA PROTECTION RULES

1. The Controller shall ensure such technical and organisational measures so that the processing of personal data shall be made in a proper manner, in particular, to ensure confidentiality, integrity, continuity, and accountability of the data.
2. Personal data protection means applied by the Controller shall be adequate for the projected level of risk related to individual systems, types of sets and categories of data, and in particular, the Controller shall:
   • limit access of unauthorised third persons to the premises where the personal data is processed;
   • secure safe access to the documents including the data;
   • ensure permanent and effective data erasure;
   • ensure the protection of ICT infrastructure;
   • ensure the protection of computer equipment used for data processing;
3. Authorisation of personal data processing to other entity as per the provisions of GDPR shall be subject to the terms and conditions determined in the contract for the authorisation of processing.
4. In the event of personal data protection breach, the Controller shall without undue delay, to its capabilities, not later than within 72 hours after the breach is found, notify the supervisory body about it unless it is unlikely that such breach will result in the risk of the violation of rights and freedoms of natural persons. The notification supplied to the supervisory body later than within 72 hours shall be accompanied by the explanation of the reasons for the delay. The Controller shall document all personal data protection violations, including the circumstances of such violation, its impacts and the remedial actions taken. If personal data protection breach may result in a high risk of the violation of the rights and freedoms of natural persons, the controller shall without undue delay notify the data subject about such violation.

• FINAL PROVISIONS AND CONACT DETAILS OF THE CONTROLLER

1. Contact details of the Controller: e-mail: info@izopanel.pl; phone number: +48 58 340 17 17
2. To all matters not regulated by the herein Privacy Policy, applicable provisions of law, in particular the provisions of GDPR, shall apply.