Privacy policy / GDPR

    1. The controller of your personal data is GFS Poland sp. z o.o. with its registered office in Bielsko-Biała at ul. Komorowicka 110, tel: +48 33 333 90 92, e-mail: biuro@gfsp.pl.
    2. You can contact the personal data controller:
      1. at the address: GFS Poland sp. z o.o., 43-300 Bielsko-Biała, ul. Komorowicka 110
      2. by telephone: +48 33 333 90 92
      3. at the e-mail address: biuro@gfsp.pl
    3. Personal data of our contractors and their representatives, as well as of others who contact us about other matters, will be processed for the following purposes:
      1. the performance of a sales contract, pursuant to Art. 6(1)(b) of the Regulation and Art. 535 of the Civil Code,
      2. the provision of information or responding to your enquiries, pursuant to Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is ensuring appropriate customer service,
      3. receiving, processing and carrying out of complaints, pursuant to Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is ensuring appropriate customer service and enabling customers to execute their rights,
      4. receiving, processing and carrying out of the return of goods, pursuant to Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is ensuring appropriate customer service and enabling customers to execute their rights,
      5. claim assertion against customers or by customers, pursuant to Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is claim assertion against customers and defence against customers’ claims,
      6. transmitting the newsletters ordered by you – Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is the marketing of its own services
      7. conducting competitions, publication of competition results, award distribution – Art. 6(1)(b) of the Regulation,
      8. the shipment, receipt and records of correspondence – Art. 6(1)(b) of the Regulation or Art. 6(1)(f) of the Regulation as a legally justified interest of the controller, which is ensuring appropriate customer service.
    4. Personal data are obtained in the following way:
      1. based on the User’s explicit consent and in the cases when legal provisions authorise the Controller to process personal data.
      2. by electronic means,
      3. in a telephone conversation,
      4. via the websites www.gfsp.pl, www.incola.com.pl and www.gfsprofessional.pl through:
        1. contact forms,
        2. complaint forms,
        3. collection of cookies (see cookies policy).
    5. Personal data are never made available to other controllers.
    6. Personal data may be disclosed to processing entities by order and on behalf of the controller in order to ensure appropriate organisation, service and contract performance for:
      1. ICT service providers,
      2. marketing service providers,
      3. courier or postal services,
      4. payment intermediary companies,
      5. legal and advisory service providers, legal firms and debt collection offices in particular,
      6. HR-accounting service providers
    7. Because the data controller uses services of hosting companies, such as Microsoft and Google, and the Facebook, Instagram and LinkedIn platforms, personal data may be forwarded outside the European Union territory, therefore the data controller verifies whether the above-mentioned companies provide documents confirming the safeguards recommended by GDPR on their websites.
    8. Personal data are processed for a period necessary for the contract implementation, and in the case of claim assertion, for a period under civil law. Data necessary for accounting and for tax reasons are processed for a period of 5 years from the end of the calendar year in which the tax liability arose. Thereafter, data are erased or anonymised.
    9. Concluding a contract with the personal data Controller and the processing of data, including record keeping, must be in line with the law, therefore provision of your personal data may be a condition for concluding a contract. The Controller is obliged to process data due to a statutory obligation due to the accounting process. Non-provision of data may result in a refusal to conclude the contract due to the impossibility of executing it and issuing an accounting document, such as a sales invoice.
    10. Provision of your personal data may be a contractual obligation or a condition for contract execution. Also for accounting and tax reasons, the Controller is legally obliged to process your data, which means that, in this case, the data provision is a statutory requirement.
    11. The Data Controller will not use automated profiling of personal data or automated decision-making.
    12. Personal data are processed only for the purpose they were collected for.
    13. Based on the GDPR, each data subject shall have the right:
        1. of access – to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where that is the case, the data subject shall be authorised to obtain access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the period for which the personal data will be stored or the criteria used to determine that period, the right to request rectification, erasure or restriction of processing of personal data concerning the data subject or to object to such processing (Art. 15 of the GDPR);
        2. to rectification – to request rectification of personal data concerning the data subject, which are inaccurate or to have incomplete personal data completed (Art. 16 of the GDPR);
        3. to data erasure – to request the erasure of personal data concerning him or her if the controller no longer has a legal basis for their processing or the data are no longer necessary for the processing purposes (Art. 17 of the GDPR);
        4. to restriction of processing – to request restriction of personal data processing (Art. 18 of the GDPR), where one of the following applies:
          1. the accuracy of the personal data is contested by the data subject – for a period enabling the controller to verify the accuracy of the personal data,
          2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
          3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
          4. the data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject;
        5. to data portability – to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller if the processing is based on consent or on a contract and if the processing is carried out in an automated manner (Art. 20 of the GDPR);
        6. to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent will result in an obligation of the data controller to cease processing the data for the purpose for which the consent was given.

      In order to exercise the aforementioned rights, the data subject should contact the controller using the contact details provided and inform him/her which right and to what extent he/she wishes to exercise.

      The data subject shall have the right to lodge a complaint to a supervisory authority, which, in Poland, is the President of the Personal Data Protection Office based in Warsaw at 2 Stawki St., who can be contacted in the following way:

        1. by letter: ul. Stawki 2, 00–193 Warszawa;
        2. via electronic mailbox available at: https://www.uodo.gov.pl/pl/p/kontakt;
        3. By telephone: (22) 531 03 00.