Personal Data Security Policy

GDPR information regarding the processing of personal data contained in electronic correspondence

I. Data controller.

Company OVO-TECH Sp. z o.o. in Starachowice, Boczna 43, 27-200 Starachowice, Poland, NIP: 664-214-74-52, is an administrator of recipient data and electronic message senders. You can contact the administrator:

• at mailing address: Boczna 43/1, 27-200 Starachowice, Poland
• at email address: [email protected]

II. Purposes and time of processing of personal data.

The Administrator processes contact information about senders and recipients of e-mail correspondence contained in the content of this correspondence, in order to:

• Allow for e-mail contact with the administrator and to make contact with the addressees;
• Documenting arrangements with customers, contractors and other persons;
• The receiving of letters, applications and applications in electronic form, e.g. complaints, claims, other requests;
• To defend against claims and to assert any claims.

The administrator stores aforementioned correspondence for a year, unless the messages contain content that is relevant to a claim or to protect against claims. In such a case, the administrator reserves the right to store the selected messages for up to 3 years, that is, until the expiration date of the claims in accordance with The Civil Code.

III. Legal basis for the processing of personal data.

The legal basis for processing the data contained in e-mail correspondence is:

• Legitimate interest of the data controller and electronic message senders (Article 6 §1 point (f) of the GDPR) – in relation to incidental correspondence, to enable electronic contact with the controller;
• Necessity for the purpose of realizing a contract with our customers or contractors (art. Article 6 (a) 1 (b) (b) GDPR) – for correspondence carried out for the performance of a contract;
• Voluntarily expressed consent – if special categories of data are included in the correspondence sent. If the sender has not expressed consent in his correspondence, we will ask for a separate grant, as this is a prerequisite for the GDPR-compliant processing of the special category data. The consent may be withdrawn at any time, without stating a reason, but without prejudice to the lawfulness of its processing prior to its withdrawal;
• Voluntarily expressed consent through a clear affirmative action – if the sender of the message asks for information concerning the brand of the administrator, its products or services, the reply given to the sender will contain the information requested by the sender, and the sending of a request will mean the consent for the controller to send the commercial information to the e-mail address provided by the sender to the extent necessary for the provision of information (art. 10 of the act on the provision of services by electronic means); The consent can be withdrawn at any time, without stating a reason, but the commercial information sent after the request has been made, and before the revocation of the consent, will be lawfully sent; Withdrawal of consent may prevent the full answer to the question asked;
• A legitimate interest of the Administrator to assert claims or defend against claims – in accordance with generally applicable laws, in particular the Civil Code (art. Article 6 §1 point (f) and Article 9 §2 point (f) of the GDPR).

IV. Recipients of the personal data contained in the correspondence.

1. The administrator may disclose the content of correspondence solely for the purpose of asserting his claims in the proceedings and the entities cooperating with the Administrator on the basis of written agreements entrusting the processing of personal data, in order to carry out the tasks and services specified in a contract with Controller, in particular in the field of e-mail or traditional mail handling, hosting, IT services, recovery, legal or advisory services, administrative services.
2. The Administrator does not plan to transfer personal data to third countries (i.e. countries outside the European Economic Area, including the European Union, Norway, Liechtenstein and Iceland) and international organisations.
3. Personal data contained in correspondence will not be subject to automated decision-making, including profiling.

V. Rights of the persons to whom personal data relates.

Subject to the limitations of the GDPR and other legal provisions, each data subject has the right to:

• Access the data – in order to confirm whether personal data are being processed. (Art. 15 of the GDPR);
• Obtain a copy of the data – obtain a copy of the data subject to processing (Art. 15 §3 of the GDPR);
• Rectification – rectification of personal data which are inaccurate or incomplete (Art. 16 of the GDPR);
• Erasure of the data – to request the erasure of personal data (Art. 17 of the GDPR);
• Restriction of processing – to request restriction of the processing of personal data (Art. 18 of the GDPR);
• Data portability – (Art. 20 of the GDPR);
• Objection to the processing of his/her personal data (Art. 21 of the GDPR).

In order to exercise the aforementioned rights, the data subject should contact, using the contact details provided, with the Administrator and inform him of which rights and to what extent he wishes to exercise.

V. President of the Office for Personal Data Protection.

The data subject has the right to bring a complaint to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection with its registered office in Warsaw, Rates 2, which can be contacted in the following ways:

• By post: Rates 2, 00-193 Warsaw;
• Via the electronic feed box available at: www.uodo.gov.pl/pl/p/kontakt;

• By phone: +48 (22) 531 03 00.

VI. Data protection officer.

In any case, the data subject may also contact the Administrator’s data protection officer directly at:

• E-mail address: [email protected];
• To the abovementioned mailing address with the note: Data protection officer.

VII. The legal acts cited in the policy

1) GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 On the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EW (Dz.Urz. UE L 2016 Nr 119, s. 1);
2) Art. 10 of the law from July 18th 2002. On the provision of electronic services (i.e. Dz.U. of 2017 position 1219 with later changes);
3) Art. 118 and an update of the law from April 23rd 1964 – the Civil Code (i.e. Dz.U. of 2018 position 1025 with later changes).