INFORMATION CLAUSE ON PERSONAL DATA PROCESSING
BURY Sp. z o.o.
This Policy applies to the personal data processing principles used by BURY Sp. z o. o. with its registered office in Mielec, ul. Wojska Polskiego 4, 39-300 Mielec, hereinafter referred to as: “the Company” – as the Controller of personal data, the ways and purposes for which the data are processed, as well as the rights of individuals related to the collection and use of such data.
In connection with its business activities, the Company collects and processes personal data following relevant regulations, including, in particular, the regulations of the GDPR.
The Company ensures transparency of data processing; in particular, it always informs about data processing at the time of collection, including the purpose and legal basis of processing.
The Company ensures that data is collected only to the extent necessary for the stated purpose and processed only for the required period.
When processing data, the Company ensures its security and confidentiality, as well as access to information about the processing for data subjects.
To ensure the integrity and confidentiality of the data, the Company has implemented procedures to allow access to personal data only to authorized persons and only to the extent necessary due to their duties. In addition, the Company shall take all necessary measures to ensure that its subcontractors and other cooperating entities also provide guarantees to apply appropriate security measures whenever they process personal data on behalf of the Company.
Under this Policy, we would like to inform you of any use of information that identifies individuals, hereinafter referred to as “personal data” (“processing”), with respect to individuals who are:
- customers, including potential customers of the Company,
- partners, associates, employees, legal representatives, attorneys or agents of such customers and
- other individuals whose data we process for the purpose of performing a contract between customers and the Company, including for the purpose of issuing or processing invoices (collectively referred to in this Policy as “you” or “customers”).
as well as:
- about the purpose and manner in which the Company collects, uses and stores your personal data;
- on what legal basis the personal data are processed, and
- determining your rights and our obligations in connection with the processing of your personal data.
Personal Data Controller
The administrator of your personal data is BURY Spółka z ograniczoną odpowiedzialnością with its registered office in Mielec, ul. Wojska Polskiego 4, 39-300 Mielec, Poland. Contact with the Controller is possible through the email address: rodo(at)bury.com, or postal address: ul. Wojska Polskiego 4, 39-300 Mielec (hereinafter referred to as the “Controller”, “Company” or “we”).
Types of personal data
Data provided by customers
In connection with the cooperation between you and the Company, as well as cooperation through intermediary entities, including affiliates within the BURY Group, we may process the personal data you provide, such as:
- name, company, business address and mailing addresses,
- numbers held in relevant registries (e.g., TIN or National Business Registry Number),
- identification numbers such as PESEL,
- contact information, such as your email address or telephone or fax number,
- the position you hold within your organization,
- bank account number.
In the case of concluding an agreement directly between you and the Company, providing the data specified above is voluntary but necessary for the purpose of concluding the agreement and cooperation between the Customer and the Company. If you do not enter into an agreement directly with the Company, providing personal information may be your business obligation. The consequence of failing to provide data is the inability to cooperate between the Company and the Customer.
Secondary Data Collection
We may obtain your personal data from publicly available sources, such as the Central Register and Information on Economic Activity (CEIDG) or the National Court Register (KRS), and the National Business Register (REGON), to verify the information provided by customers. The scope of the processed data will then be limited to the data publicly available in the relevant registers.
We may also obtain your personal data from entities where you are employed or of which you are a representative. The scope of the processed data in such an instance will include information necessary for the execution of the agreement between the Company and such entity, i.e. information about a change in contact details or a change in an official position.
We may also obtain your data from internal databases maintained by our group affiliates. It applies to data enabling contact with a specific customer who was a recipient or supplier of products of one of the Company’s affiliates.
Legal bases for processing personal data
We may process personal data if we have a valid legal basis for doing so. Therefore, we process personal data only if:
a) The processing is necessary to fulfill contractual obligations to you if you are a party to an agreement with the Company or you place orders for the Company’s products or services, or you fulfill the Company’s orders for your products or services;
b) The processing is necessary to fulfill our legal obligations, such as the obligation to issue an invoice or other document required by law, or we are directly ordered to do so by law;
c) The processing is necessary for the legitimate interests of the Company or a third party and does not unduly affect your interests or fundamental rights and freedoms, e.g. for:
- concluding and executing contracts with Customers who are unincorporated business entities or legal entities;
- establishing or asserting civil law claims by the Company in the course of its business, as well as defending against such claims;
- verifying Customers in public registers;
- contacting Customers, including maintaining internal Customer records to enable contact with Customers;
- exchanging customer data within a group of affiliates of the Company.
Processing time periods for personal data
Personal data are processed only for the specified purpose and to the extent necessary to achieve it and for as long as needed. Your personal data will be kept for the period of execution of the agreement concluded with the Company and after the termination of the agreement for the period necessary to secure the assertion of possible claims, and to meet obligations under the law, and in the case of withdrawal of consent to the processing of personal data or filing an objection – until the withdrawal of consent or filing an objection, respectively. In a situation where the processing of personal data is carried out based on the law, the data will be kept for a period of time under specific legislation, e.g. for 5 years from the end of the calendar year in which the deadline for payment of taxes has passed
Transfer of personal data
Transfer of personal data within the group of entities affiliated with the Company
We may transfer personal data to our employees, associates, and other entities affiliated with the Company. It applies to the following situations:
- provision and operation of IT systems and solutions used to process customer data by affiliates;
- sharing customers’ contact information with affiliates;
- sharing customer data with affiliated entities in the framework of cooperation between these companies and the performance of mutual services in product and service sales, such as transportation, warehousing, logistics, and legal services.
Transfer of personal data to other recipients
Data may be transferred to recipients and other third parties to fulfill the purposes listed above, to the extent that they are necessary for them to perform the Company’s tasks, if required by law or if the Company has another legal basis. Recipients or other third parties may be considered:
- entities that process personal data on behalf of the Company, such as IT system providers or document archiving service providers;
- any public administration, authorities of other EU member states, courts, bailiffs, if required by applicable national or EU law or at their request;
- courier or postal service providers;
- transportation and freight forwarding companies;
- companies providing legal services;
- debt collection companies;
- accounts receivable insurance companies;
- other entities.
Transfer Of Personal Data Outside The European Economic Area (EEA)
Your personal data may be subject to cross-border transfers to countries outside the European Economic Area (“EEA”) and to countries that do not have laws specifying special protection for personal data. The Company has taken measures to ensure that all personal data is adequately protected and that transfers of personal data outside the EEA are lawful. In the case of transfers of personal data outside the EEA to a country that, according to the European Commission, does not provide an adequate level of protection for personal data, the transfer will be based on an agreement that takes into account EU requirements for transfers of personal data outside the EEA, such as standard contractual clauses approved by the European Commission.
You have the right to:
- access to your personal data processed by the Company. If you believe that any information concerning you is incorrect or incomplete, you may submit a request for correction.
- withdraw your consent in case the Company has obtained such consent to process your personal data; generally, we do not process personal data based on consent (as we usually act on other legal grounds).
- request deletion of your personal data in the cases specified by the provisions of the GDPR;
- request the restriction of the processing of your personal data in cases specified in the provisions of the GDPR;
- object to processing,
Individuals have the right to restrict processing or object to processing their personal data at any time, based on their particular situation, unless the processing is required by law.
In such a case, we will no longer process the personal data or limit the processing as long as we can demonstrate a legitimate basis for the processing or for establishing, exercising or defending our rights.
- transfer of data, i.e., to receive personal data provided to the Company in a structured, commonly used and machine-readable format and to request that such personal data be sent to another personal data controller, without hindrance from the Company and subject to the Company’s confidentiality obligations;
- file a complaint with the competent supervisory authority.
The above rights are not absolute; the regulations provide exceptions to their application.
To execute the above rights, please send an email or contact the Company by correspondence to the respective addresses of the Controller indicated above in the section “PERSONAL DATA CONTROLLER”.
This Policy was updated on 1.02.2023 and may be subject to further changes. If required by law, we will inform you of any material changes via our website or other customary communication channels.