Customers' personal data at Scanway S.A.

Information on the processing of customers’ personal data at Scanway S.A.

1. The Controller is Scanway S.A., with its registered office in Wrocław, at ul. Strzegomskiej 140a, 54-429 Wrocław, NIP 8842761100. E-mail address: industry@scanway.pl, https://scanway.pl, phone: (+48) 71 733 62 64.
2. Contact with the Data Protection Officer – Wiesław Lechowicz, e-mail address: iod@scanway.pl or by mail to the Controller’s address with a note: Data Protection Officer.
3. The purpose of personal data processing and the legal basis for processing is:
   1. performance of a contract to which the data subject is a party, or taking action at the request of the data subject prior to entering into a contract, on the basis of Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as “GDPR”;
   2. fulfillment of a legal obligation incumbent on the controller, based on Article 6(1)(c) of the GDPR;
   3. using electronic invoices and sending them to the e-mail address provided, in accordance with the submitted statement, based on Article 6(1)(a) of the GDPR;
   4. sending commercial information to the provided electronic address, in particular e-mail and/or the provided phone number (voice communication, SMS, MMS), in accordance with the submitted statement, on the basis of Article 6(1)(a) of the GDPR.
4. The processing of personal data is carried out out of legitimate interests pursued by the controller, based on Article 6(1)(f) of the GDPR, for the purposes of: sending or exchanging correspondence; invitation to contact; performance of the contract with the designated customer representatives; verification of payment reliability; blocking the use of services due to financial arrears; direct marketing of products or services, carried out in the traditional form; creation of compilations of analysis and statistics (for the controller’s internal needs); archival (evidential) which is the realization of our legitimate interest of securing information in case of a legal need to prove facts and establish, assert or defend claims.
5. Categories of personal data obtained otherwise than from the data subject: name(s) and surname, registered address, address of residence or address for service, PESEL number or other number confirming identity, series and number of document confirming identity, name of position, name, company of the entrepreneur, registered office and address, NIP, KRS, REGON, phone number, e-mail address.
6. Personal data may be transferred to entities that provide services to the Controller, such as a law firm, IT service providers, a hosting company, postal and courier operators for shipment processing, banks for payment processing. Personal data may be transferred to authorities authorized by law.
7. Please be informed that we use service providers from outside the European Economic Area (EU and Norway, Liechtenstein and Iceland) to support the operation of websites, applications and services (e.g. Microsoft, Google). Your personal data may be transferred outside the European Economic Area to a third country or international organization:
   1. as to which the European Commission has adopted a decision finding an adequate level of protection, as referred to in Article 45(3) of the GDPR; or
   2. by means of standard contractual clauses for the transfer of data outside the European Economic Area, providing adequate safeguards within the meaning of Article 46 of the GDPR.
8. The storage period for personal data is, respectively, for the purpose of:
   1. fulfilling a legal obligation incumbent on the controller – for the period prescribed by law;
   2. performance of the contract – for the duration of the contract and 5 years from the beginning of the year following the fiscal year in which operations, transactions and proceedings are finally completed, paid off, settled or barred;
   3. exercising rights under guarantee, warranty – 1 year after the expiration of the warranty or settlement of the complaint. The storage period shall be calculated from the beginning of the year following the fiscal year to which the collection relates;
   4. using electronic invoices and sending them to the provided e-mail address – for the period of consent to process personal data for the specified purpose;
   5. sending commercial information to the provided electronic address, in particular e-mail and/or the provided phone number (voice communication, SMS, MMS) – for the period of consent to process personal data for the specified purpose;
   6. sending or exchanging correspondence – in the absence of a specific, clear and legitimate purpose of data processing by the controller, the correspondence shall be deleted after 3 years. However, the end of the processing period is the last day of the calendar year;
   7. establishing, asserting or defending claims, unless a special provision states otherwise, the limitation period is six years, and for claims pertaining to periodical performances and claims resulting from an economic activity – three years. However, the end of the limitation period is the last day of the calendar year, unless the limitation period is less than two years.
9. You have the right to access, rectify, erase or restrict processing of your personal data, or the right to object to processing, as well as the right to data portability.
10. If the processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
11. You have the right to lodge a complaint with the President of the Office for Personal Data Protection, ul. Stawki 2,
    00-193 Warsaw.
12. Provision of data is voluntary, but necessary for the above purposes.
13. Sources of personal data, when applicable, are customers who have designated persons to represent them and/or to execute concluded contracts and/or publicly available websites, registries, industry directories of companies.
14. Your data shall not be subject to automated decision-making in individual cases, including profiling as referred to in Article 22(1) and (4) of the GDPR.
15. You have the right to object to the processing of personal data based on Article 6(1)(f) of the GDPR, including profiling on the basis of these provisions for reasons related to the specific situation of the data subject.
16. You have the right to object to the processing of your personal data, for direct marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.