Processing of personal data
Personal Data Controller:
ELS POLAND sp. z o.o., ul. Tadeusza Ważewskiego 66, 30-499 Kraków, Poland.
You can contact us by phone: +48 508 898 946, or by e-mail: biuro@elspoland.pl
For matters related to data protection, please contact us at: biuro@elspoland.pl
Purpose, Legal Basis, and Data Processing Period
Contact and proper execution of the contract – Processing is necessary for the performance of a contract or taking steps prior to entering into a contract (Article 6(1)(b) GDPR) – from the moment of establishing contact and for the duration of the contract.
Responding to inquiries sent by e-mail – Article 6(1)(f) GDPR – legitimate interest of the Controller – until a response to the inquiry is given, for a maximum of 12 months.
Sale of products offered by the Controller – Processing of personal data is necessary for the performance of a sales contract or to take steps prior to entering into it (Article 6(1)(b) GDPR). Data are processed from the moment of placing an order or establishing contact for the purpose of purchasing a product, and for the period of contract performance and any applicable warranty or guarantee period.
Operation of an online store – Processing is carried out on the basis of the Controller’s legitimate interest (Article 6(1)(b) GDPR) consisting in enabling the operation of the sales system, user accounts, and communication with customers via the website. Data are stored for the period of account use or until its deletion/closure, but not longer than 5 years from the last activity.
Establishing, pursuing, or defending against claims – Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – until the expiry of the statute of limitations, i.e., 3 years from the end of the financial year in which the last invoice was issued.
Enabling the transmission of documents electronically – invoices – Legal basis: consent (Article 6(1)(a) and (c) GDPR) – for the duration of the service, but no longer than until the withdrawal of previously given consent.
Conducting the current recruitment process:
- Processing necessary for the performance of a contract or taking steps prior to entering into a contract (Article 6(1)(b) GDPR).
- Processing necessary to comply with a legal obligation (Article 6(1)(c) GDPR).
- Legal basis: freely given consent (Article 6(1)(a) GDPR and Article 9(2)(a) GDPR) – until the recruitment process ends.
Conducting the current recruitment process for minors:
- Processing necessary for the recruitment process (Article 6(1)(f) GDPR).
Conducting future recruitment processes – Legal basis: freely given consent (Article 6(1)(a) GDPR and Article 9(2)(a) GDPR) – for a maximum of 12 months or until the withdrawal of previously given consent.
Execution of an employment relationship between you and the Controller – Processing necessary for the performance of a contract in accordance with legal requirements (Article 6(1)(b) and (c) GDPR). In the case of data not required by law – legal basis: freely given consent (Article 6(1)(a) GDPR or Article 9(2)(a) GDPR) – for the duration of the employment contract.
Keeping accounting and tax documentation – Processing necessary to comply with a legal obligation (Article 6(1)(c) GDPR) – 5 years from the end of the financial year in which the last invoice was issued.
Monitoring access to the premises – CCTV – Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – recordings are kept for up to 3 months from the date of recording. (If recordings may be used to establish, pursue, or defend claims, they may be processed for a period determined by separate regulations or until the end of proceedings.)
Operation of the Employee Capital Plan (PPK) – Processing based on applicable legal provisions in accordance with Article 6(1)(c) GDPR in conjunction with the Act of 4 October 2018 on Employee Capital Plans – personal data will be stored for the duration of the employment relationship and for statutory periods, in particular: 10 years (Article 125a(4a) of the Act on Pensions from the Social Insurance Fund and Article 94(9b) of the Labour Code), 50 years pursuant to Article 125a(4) of the Act on Pensions from the Social Insurance Fund. A written declaration of resignation from the PPK will be stored for 4 years.
Tracking e-mail openings with offers – For the purpose of analysing the effectiveness of business communication, the e-mail sending system allows tracking whether the message was opened by the recipient (by using tracking markers, e.g., invisible pixels). Legal basis: legitimate interest of the Controller in optimising communication with the customer (Article 6(1)(f) GDPR). Data stored for no longer than 12 months from sending the message or until an effective objection to processing is raised.
Use of Google Custom Audiences – The Operator uses the Custom Audiences function available in Google Ads (Google Inc., USA). This function allows ads to be targeted to users who have previously visited the website or expressed interest in the offer, based on data collected via cookies or remarketing tags. The Operator does not transfer any personal data to Google in plain form. Legal basis: legitimate interest of the Controller in carrying out marketing activities (Article 6(1)(f) GDPR). Data are processed until an effective objection is lodged or cookies are blocked by the user.
Use of Facebook Custom Audiences – The Operator uses the Custom Audiences function offered by Meta Platforms Inc. (Facebook, USA). This tool enables ads to be targeted to users who have previously visited the website or interacted with the Operator’s content on Facebook. Data are collected via the Facebook pixel and cookies stored on the user’s device. The Operator does not transfer any personal data directly to Facebook. Legal basis: legitimate interest of the Controller in carrying out direct marketing (Article 6(1)(f) GDPR). Data are processed until an effective objection is lodged or cookies are blocked in the browser.
If another purpose arises that is not listed above, we will provide you with the relevant information directly in the form or at the time of the first action directed towards you.
Data Recipients
Data may be:
- Entrusted to technology partners providing services such as hosting, e-mail delivery, statistical services, social media management, and software development and maintenance;
- Disclosed to law enforcement authorities and public administration bodies in legally justified cases.
Rights Related to Personal Data Processing
If the legal basis is Article 6(1)(a) or (b) GDPR: right of access to data, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability.
If the legal basis is Article 6(1)(c) GDPR: right of access to data, right to rectification, right to restriction of processing.
If the legal basis is Article 6(1)(e) or (f) GDPR: right of access to data, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to object to processing.
Right to withdraw consent: If processing is based on your consent (Article 6(1)(a) GDPR), we will process the data until its withdrawal. Consent may be withdrawn at any time by sending an e-mail to the above address or in person at the Controller’s registered office. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After withdrawal of consent, information regarding the granting and withdrawal of consent will be processed for the purpose of defending against claims (Article 6(1)(f) GDPR) for 3 years.
Right to lodge a complaint with a supervisory authority: If you believe the Controller has violated data processing security regulations, you have the right to lodge a complaint with the supervisory authority responsible for personal data protection.