For recipients of commercial communications by electronic means

INFORMATION ON THE PROCESSING OF PERSONAL DATA
FOR RECIPIENTS OF COMMERCIAL COMMUNICATIONS BY ELECTRONIC MEANS (ARTICLES 13 AND 14 OF THE GDPR)

Information Clause on the Processing of Personal Data for Individuals Receiving Newsletters and Other Commercial Communications by Electronic Means

[Controller and contact details] The controller of personal data is “PROMAR” Przedsiębiorstwo Produkcyjno-Handlowe sp. z o.o., with its registered office at ul. Cerefisko 2, 42-400 Zawiercie, Poland, entered in the Register of Entrepreneurs maintained by the District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register, under KRS number 0000063171, VAT ID 1180010695, REGON NO. 008052670, with a share capital of PLN 1,000,000.00.
[Contact with the controller] The controller can be contacted by traditional mail at the registered office address indicated above or by email at info@promar.pl.
[Sources and categories of personal data] The personal data has been obtained directly from the sender of the correspondence, or has been provided by the sender in the content of the correspondence, or by your employer, principal, or contracting party. In certain situations, the representative’s personal data may be obtained from publicly available sources (such as public registers, websites, etc.). The scope of the data processed generally includes: full name, position or function, email address, telephone number, company name and contact details, as well as the content of the correspondence.
[Purposes and legal bases of processing]
The purpose of processing personal data is:
sending commercial and marketing information by electronic means regarding the Controller’s products and services – including information tailored to the industry or business profile of the entity you represent.
The data is processed:
on the basis of consent, i.e. Article 6(1)(a) of the GDPR, in conjunction with Article 398(1) and (2) of the Act of 7 July 2023 – the Electronic Communications Law, or
on the basis of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in sending information about products and services to contact persons representing contractors, within the framework of existing business relationships – until an objection is raised (Article 21 of the GDPR).
archiving documentation and communications, including correspondence generated by the Controller in the course of its business activities, based on its legitimate interest in retaining evidence of its operations, inter alia in compliance with applicable regulations, and in using the archived material for the purpose of establishing, pursuing, or defending against legal claims (pursuant to Article 6(1)(f) of the GDPR).
[Data Recipients] The Controller has the right to transfer your personal data to other recipients if it is necessary to achieve the purpose of the processing, including: entities providing IT support services to the Controller, such as the operation and maintenance of IT systems, data hosting, and cloud services; our authorized employees and associates; postal operators and couriers; law firms; auditors; banks; insurers; entities responsible for data archiving or destruction; and companies within the capital group for internal administrative purposes (pursuant to Article 6(1)(f) of the GDPR).
[Processing outside the EEA] Your personal data may be transferred to a third country, i.e. a country outside the European Economic Area (EEA). Such transfer of your personal data may occur on the basis of standard contractual clauses (pursuant to Article 46(2)(c) and (d) of the GDPR), or on the basis of another lawful mechanism that legitimizes the transfer and provides appropriate safeguards for the protection of personal data in accordance with applicable data protection laws. The transfer to the United States occurs on the basis of the European Commission’s decision of 10 July 2023, recognising the adequate level of protection of personal data provided under the EU – US Data Privacy Framework (pursuant to Article 45 of the GDPR).
[Data Retention Period] Personal data shall be processed for the duration of the consent or until an objection is raised to the processing of data for marketing purposes, and thereafter for the period necessary to establish, exercise, or defend against legal claims.
[Rights of Data Subjects] You have the right to request from the Controller access to your personal data, as well as the rectification, erasure, restriction of processing, and portability of your data.
[Right to object] You have the right to object to the processing of your personal data for the purposes of pursuing the Controller’s legitimate interests. However, this right may not be exercised if there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
If personal data is processed for direct marketing purposes, the objection shall result in the immediate cessation of such processing – without the need to provide any justification.
An objection may be submitted at any time by sending an email to: info@promar.pl.
[Right to Lodge a Complaint with a Supervisory Authority] You have the right to lodge a complaint with the competent supervisory authority concerning the Controller’s actions, in particular in the country of your habitual residence, place of work, or the place of the alleged infringement. In Poland, the competent supervisory authority is the President of the Personal Data Protection Office, ul. Moniuszki 1A, 00-014 Warsaw.
[Voluntary Provision of Data] Providing your personal data in the course of correspondence is voluntary; however, failure to do so may make it impossible to contact the Controller. Providing personal data may be necessary for the conclusion of a contract between the entity you represent and the Controller and, in such case, constitutes a contractual requirement. Failure to provide the data may result in the inability to conclude or perform the contract.
[Profiling] In certain cases, we may tailor marketing content to the specific industry you represent, based on general contact details (e.g., an email address within a company domain) or existing business relationships. These activities may constitute profiling within the meaning of the GDPR; however, they do not result in automated decision-making producing legal effects concerning you.