a. Formaster S.A. with its registered office in Kielce (25-818), ul. Fabryczna 24, entered in to the register of entrepreneurs managed by the District Court in Kielce, the 10th Commercial Division of the National Court Register under KRS number: 0000080942, NIP [Tax ID]: 9590122245, REGON [National Business Registry Number]: 290670483 (hereinafter referred to also as the “Service Provider“);
– each also hereinafter referred to as the “Administrator“.
1. Personal data – shall stand for information on an identified or identifiable natural person (“person that the data refer to”); an identifiable natural person is a person that can be directly or indirectly identified, particularly on the basis of an identifier such as name and surname, identification number, details on location, Internet identifier, or one or several factors describing the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person;
2. GDPR – Regulation of the European Parliament and the Council (EU) 2016/679 dated 27 April 2016 on protection of individuals with regard to processing of personal details and on the free movement of such data and repeal to Directive 95/46/EC.
4. Application – the mobile application of the Service Provider called “My Dafi”.
5. User – every natural person visiting the Service, using the Application, or using one or several services or functions offered by the Service Provider.
6. Device – shall stand for the electronic device by means of which the User gains access to web pages of the Service or to the Application.
7. In order to ensure the safety of personal data we have been entrusted with, we have prepared internal procedures and instructions that are to prevent unauthorized persons from accessing the personal data. We monitor their performance and constantly check their compliance with relevant legal acts, i.e. the GDPR, the act dated 10 May 2018 on protection of personal data (Polish Journal of Laws dated 2018 item 1000 with further amendments), the act dated 18 July 2002 on provision of services by electronic means (consolidated text, Polish Journal of Laws dated 2017 item 1219 with further amendments), as well as any other commonly applicable regulations of law.
8. The Service implements functions of acquisition of information on Users and their behavior in the following manner:
a. through information provided by the User or
b. through storage of cookie files.
9. Personal data provided by the User as a part of a particular form completed in relation to the use of the Service or the Application shall be processed solely for the purpose arising from the function of the specific form, e.g. in order to implement the process of handling the information contact and shall be treated as confidential and shall not be visible for unauthorized persons.
10. As a part of the Service and the Application, we use unique, fixed identifiers of devices for diagnostic and statistical purposes – tools to monitor applications (whether errors occur and if yes, on which devices, etc.), we use Android Advertising ID (Android platform) and identifierForVendor (iOS platform).
11. Obtained personal data shall not be made available for third persons in any way, except for situations strictly provided for in applicable regulations of law.
Who processes personal data and why?
12. The role of the Administrator of personal data shall be performed by the Service Provider.
13. Personal data shall be processed by the Service Provider for the following purposes:
a. for the purpose necessary to establish, shape the content, perform, change, or terminate any agreement concluded between the Service Provider and the User, including in particular the agreement covering the use of the Application, the agreement connected with placing an order in the online store, or another agreement regarding services rendered in favor of the User through electronic means as a part of the Service (pursuant to Art. 6 section 1 letter b of the GDPR),
b. for purposes necessary to perform legal obligations imposed on the Service Provider, particularly arising from the act dated 12 July 2002 on provision of services by electronic means (consolidated text, Polish Journal of Laws dated 2017, item 1219 with further amendments), and from regulations of tax law and regulations on accounting (pursuant to Art. 6 section 1 letter c) of the GDPR);
c. for purposes arising from legally justified interests realized by the Service Provider, in particular:
(i) conducting marketing of products and services by the Service Provider during the period of the agreement concluded with the User,
(ii) conducting analyses of Users’ activity as well as their preferences and ensuring efficient functioning of the Service,
(iii) pursuit and protection against eventual claims arising from concluded agreements
(iv) provide answers to the question stated via the contact form included in the Service – pursuant to Art. 6 section 1 letter f) of the GDPR;
d. for the purpose compliant with the voluntary consent expressed by the User to the processing of their personal data, i.a. in the case of the User’s subscription to the newsletter, loyalty programs, or giving consent to participation in competitions and marketing actions (indicated precisely in the terms and conditions regarding a specific competition or marketing event) – pursuant to Art. 6 section 1 letter a) of the GDPR.
14. The Service Provider shall also process Personal Data of Users who visit the profiles of the Service Provider that are managed in social media (Facebook, YouTube, Instagram). Such data are processed solely in relation to the management of the profile, including the purpose to inform Users on the Service Provider’s activities and promotion of various events, services, and products. The legal grounds for the processing of personal data by the Service Provider for this purpose shall be their justified interest (Art. 6 section 1 letter f of the GDPR) involving promotion of own brand.
15. In a situation in which you are a natural person who runs sole proprietorship that concluded an agreement with the Administrator or in which actions had been undertaken towards you prior to the conclusion of the agreement upon your request, the Administrator of your personal data shall be a company from the Formaster that is a party to the agreement you concluded or that has undertaken actions prior to conclusion of the agreement upon your request. In such a situation, your personal data shall be processed:
a. for purposes necessary to perform the agreement concluded between you and the Administrator or to undertake actions upon your request, prior to conclusion of the agreement pursuant to Art. 6 section 1 letter b) of the GDPR;
b. for purposes necessary to fulfil the legal obligations imposed on the Administrator, in particular obligations arising from tax law and regulations on accounting pursuant to Art. 6 section 1 letter c) of the GDPR;
c. for purposes arising from legally justified interests implemented by the Administrator, particular to provide you with communication prior to conclusion of the agreement and during the agreement period, as well as determination, pursuit, and protection against possible claims under Art. 6 section 1 letter f) of the GDPR.
16. In a situation in which you are authorized to represent, be a contact person or another person on the side of the entity that concluded an agreement with the Administrator or another person participating in the performance of an agreement with the Administrator, the Administrator of your personal data is a company from the Formaster that is a party to the agreement concluded with the above-mentioned entity. In such a situation, your personal data shall be processed:
a. for purposes arising from the legally justified interests realized by the Administrator, in particular to ensure contact with the entity being a party to an agreement with the Administrator, verify whether the person who contacts the Administrator is authorized to undertake actions on behalf of that entity, correct performance of the agreement concluded with the Administrator, and to determine, pursue, or protect against possible claims under Art. 6 section 1 letter f) of the GDPR.
b. for purposes necessary to fulfil the legal obligations imposed on the Administrator, in particular obligations arising from tax law and regulations on accounting pursuant to Art. 6 section 1 letter c) of the GDPR.
For how long will we process personal data?
17. The Administrator shall exercise due diligence so that the processing of personal data is always substantively correct and adequate with regard to the purpose of their processing and stored in a form making it possible to identify persons that the data refer to, for no longer than it is necessary to achieve the purpose of processing.
18. Personal data shall be processed by the Administrator for the following periods:
a. If the processing takes place on the basis of your voluntary given consent, your personal data shall be processed until such consent for processing of personal data for specific, clear, and legally justified purposes is revoked.
b. If the processing of personal data is necessary to perform the agreement of which you are one of the parties or to undertake action upon your order, prior to conclusion of the agreement, your personal data shall be processed for the period of the agreement and then, after that period, for the period of prescription of possible claims arising from commonly applicable provisions of law.
c. If the processing is necessary to fulfil a legal obligation imposed on the Administrator, your personal data will be processed for the period resulting from commonly applicable provisions of law.
d. If the processing is required for purposes arising from legally justified interests implemented by the Administrator or by a third party, your personal data shall be processed for a period not longer than it is necessary for the purposes for which the data are processed or until an objection is made to the processing of personal data within the scope of processing of personal data for such purposes, for reasons concerning a special situation, unless the Administrator proves the existence of important and legally justified grounds for the processing, precedent to your interests, rights and freedoms or grounds for determination, pursuit, or protection of claims.
e. If personal data are processed for the purposes of direct marketing, your personal data shall be processed until an objection is made to processing of personal data for purposes of such marketing, within a range in which the processing is connected with such direct marketing.
What rights are you entitled to in terms of processing of personal data?
19. Each person that the data refer to (if we are their administrator) shall have the following rights:
b. the right to make corrections to personal data, which covers the right to order the Administrator to correct one’s personal data that are incorrect,
c. the right to remove personal data.
The right to remove personal data can be removed, if:
(i) personal data are no longer necessary for the purposes for which they were collected or processed otherwise;
(ii) the person that the data refer to revoked their consent on which the processing has been based on pursuant to Art. 6 section 1 letter a) of the GDPR or Art. 9 section 2 letter a) of the GDPR and there are no legal grounds for the processing;
(iii) the person that the data refer to submitted an objection to the processing of their personal data pursuant to Art. 6 section 1 letter e) or f) of the GDPR, including profiling based on those regulations, and there are no superior and legally justified grounds for the processing or the person that the data refer to submits an objection to processing of their personal data for the purposes of direct marketing;
(iv) personal data have been processed in an illegal manner;
(v) personal data must be removed in order to fulfil the Administrator’s legal obligation;
(vi) personal data have been collected with regard to offering information society services directly to a child.
The right to remove data shall not be executed, if the processing is necessary:
(i) to be applied for the use of the right to freedom of speech and right to have access to information;
(ii) to perform the legal obligation necessary for the processing that the Administrator is subject to or to perform a task implemented as a part of public interest or as a part of public authority entrusted to the Administrator;
(iii) for archiving purposes for public interest, for scientific or historical research, or for statistical purposes pursuant to Art. 89 section 1 of the GDPR, provided that it is possible that the law referred to in section 1 prevents or drastically hinders implementation of purposes of such processing.
(iv) to determine, pursue, and defend claims.
d. the right to limit processing of personal data:
(i) if the person that such data refer to questions the correctness of personal data – for a period that allows the Administrator checking the correctness of such data;
(ii) the processing is illegal and the person that the data refer to objects to removal of personal data, demanding the limitation of the processing in return;
(iii) the Administrator does no longer need personal data for processing purposes but they are required by the person they refer to in order to determine, pursue, or defend claims;
(iv) the person that the data refer to has submitted an objection to the processing of his or her personal data pursuant to Art. 6 section 1 letter e) or f) of the GDPR, including profiling based on those regulations – until it is determined whether the legally justified grounds on the Administrator’s side are precedent over the grounds of the objection submitted by the person that the data refer to.
e. the right to transfer data which cover the right to receive data and send them to another administrator or to request, if technically possible, to have such data sent directly to another administrator – within the scope of data processing under your consent and for purposes required to perform the agreement and process data in an automatic manner;
f. the right to submit an objection to the processing of personal data within the scope of:
(i) processing of data for purposes arising from legally justified interests realized by the Administrator under Art. 6 section 1 letter f) of the GDPR, unless the Administrator proves the existence of important legally justified grounds for the processing, where such grounds are precedent to interests, rights, and freedoms of the person that the data refer to or grounds to determine, pursue, or protect claims;
(ii) processing of data for the purposes of direct marketing, including profiling.
20. The person that the data refer to shall have the right to revoke the granted consent for processing of personal data at any time, without affecting the lawfulness of processing that had been performed under the consent prior to its revocation. Revocation of the consent shall be made through communication made to: email@example.com.
21. The person whose data are processed shall be entitled to submit a complaint to the supervisory authority, i.e.
the President of the Office of Personal Data Protection, if he or she decides that the processing of personal data is in breach with regulations of law.
Is provision of personal data mandatory?
22. If personal data are processed on the basis of the consent given by the person that the data refer to, provision of personal data is voluntary. No provision of data shall result with, i.a. lack of possibility to render a service, if the consent constitutes a condition to have that service rendered.
23. If personal data are processed for purposes required to perform the agreement one of the parties of which is the person that the date refer to or in order to undertake action upon a request of the person that the data refer to, prior to conclusion of the agreement, provision of personal data shall be voluntary yet necessary to conclude an agreement with the Administrator.
24. If the processing of personal data is necessary to fulfill a legal obligation imposed on the Administrator, the provision of personal data shall be considered a statutory requirement.
25. If the personal data are processed for purposes arising from legally justified interests realized by the Administrator or a third party, provision of personal data is voluntary yet necessary to implement those purposes.
How may I communicate with regard to matters concerning protection of personal data?
26. For all matters related to protection of personal data, you can contact the Administrator via the e-mail address or by mail:
a. Formaster S.A. with its registered office in Kielce (25-818), ul. Fabryczna 24 or via electronic means to: firstname.lastname@example.org;
27. One may contact the person appointed by the Administrator for matters regarding protection of personal data via electronic means, respectively, (depending on the Administrator) to the following e-mail address: email@example.com.
To whom will the personal data be transferred?
28. Recipients of personal data might include – only in situations in which it is necessary or in a necessary scope – entities that cooperate with the Administrator within the scope of services rendered by the Administrator and support of ongoing business processes of the Administrator, particularly entities that render services concerning bookkeeping, marketing, legal, courier, or IT services, haulers and suppliers of other additional services connected with the Administrator’s rendering of services as a part of the Service or the Application, and entities from the Formaster.
29. The Administrator shall not transfer personal data to third countries or international organizations.
Basic means to ensure safety of personal data
30. We respect the right to one’s privacy and we care for data safety. For that purpose, we use i.a. a safe protocol for encryption of communication (SSL) and we implemented access control so that we can minimize the outcome of a possible breach of data safety.
31. Personal data are processed only by authorized persons and only within the scope in which it is necessary due to such persons’ duties. The Administrator shall ensure that all operations on personal data are recorded and performed solely by authorized employees and partners.
32. The Administrator shall take all the necessary actions to have their subcontractors and other collaborating entities guarantee to apply proper safety measures in every case during their processing of personal data upon the Administrator’s order.
35. The request must be submitted by sending it respectively: firstname.lastname@example.org.
36. In the case of no processing of the Requestor’s personal data by the Administrator (excluding processing of personal data for the purposes of the request itself), the Requestor shall be informed about it and the data of the Requestor that have been acquired as a part of submission of the request shall be immediately removed.
37. After receipt of the request, the Administrator shall immediately inform the Requester about it and input information on the request in the registry they keep.
38. The Administrator shall be entitled to verify the Requestor’s identity. Lack of successful verification of the Requestor’s identity due to reasons beyond the Requestor’s liability might result in lack of the Administrator’s execution of the submitted request and the Requestor shall be immediately informed about it.
39. The Administrator shall reply to the Requestor’s request within maximum 3 (three) days starting from the date of its receipt. For objectively justified cases (i.e. cases that require a lot of effort on the Administrator’s side), the above-mentioned period might be extended to 2 (two) months and the Requestor shall be informed about it.
40. As a part of implementation of the right to access the data, the Requestor shall receive an indication of their data that are subject to processing, within the range regarded by the request, and the following information:
a. purpose of processing;
b. categories of personal data that are subject to processing;
c. information on recipients and categories of recipients to whom personal data were or will be disclosed, in particular on recipients in third countries or international organizations;
d. as far as possible, the planned period for which the personal data will be stored and if it is impossible, the method in which the period has been determined;
e. information on automated decision making, including decisions on profiling, and significant information on rules for the decision making, as well as on the significance and expected consequences of such processing for the person the data refer to;
f. the right to order the Administrator to correct, remove, or limit the processing of personal data or to submit an objection to such processing (if such right can be granted);
g. if the personal data is not collected from the person they refer to – any available information on their source;
h. the right to submit a complaint to the supervisory authority.
41. In the case of execution of the right to access the data and the right to transfer them, the reply given to the Requestor shall include a copy regarding their personal data in commonly known and available formats that are machine-readable.
42. Please submit any complaints connected with performance of this procedure to the following address:
a. Formaster S.A. z siedzibą w Kielcach (25-818), ul. Fabryczna 24 or by electronic means to: email@example.com;
43. The complaint shall be considered immediately but not later that within 7 (in words: seven) days from the date of its delivery and the Requestor shall be immediately informed about it. The Requestor shall also be informed that the complaint has been received. The information on the complaint shall be input in the registry kept by the person designated to handle matters connected with protection of personal data.
44. The Service uses cookie files. “Cookies” shall be understood as IT data stored in the users’ end devices to allow the usage of web pages. In particular, cookies are text files that contain the name of the website they come from, the storage period on the end device, and a unique number.
45. The Service does not collect any information in an automatic way, except for the information contained in cookie files.
46. The Service Provider uses two types of cookie files:
a. Session cookies: they are stored on the User’s Device and will remain there until the end of the session of a particular web browser. Stored information will then be permanently removed from the memory of the Device. The mechanism of session cookies does not allow downloading any personal data nor any confidential information from the User’s Device.
b. Persistent cookies: they are stored on the User’s Device and shall be kept on them until removed. Finishing the session of a particular web browser or switching the Device off will not remove such cookies from the User’s Device. The mechanism of persistent cookies does not allow downloading any personal data nor any confidential information from the User’s Device.
47. Cookie files are intended for the use of pages of the Service. The Service Provider uses such files to:
a. have a possibility of logging in and maintaining the User’s session on each consecutive page of the Service,
b. adjust the contents of the Service web page to User’s individual preferences, in particular the files recognize their Device in order to display the page according to the User’s preferences,
c. create anonymous statistics (excluding the possibility to identify the User), which help in understanding the manner in which the Service Users use the Service website, which allows improving the structure and contents of those web pages.
d. save the settings selected by the User and to personalize the User’s interface, e.g. in terms of the selected language or region the User comes from, size of font, look of the web page, etc.
e. correctly handle the partner program, making it particularly possible to verify the sources of User redirections to web pages of the Service.
48. Collected data are used to monitor and check the way in which the Users use our websites so that we can improve the functioning of the Service, ensuring more efficient and flawless navigation. We monitor the information on Users by using the Google Analytics tool that records the User’s behavior on web pages of the Service.
49. The following types of cookie files are used as a part of the Service:
a. “necessary” cookie files that allow the usage of services available as a part of our Service, e.g. authorization cookie files used for services that require authorization within the Service;
b. cookie files that are used to ensure safety, e.g. they are used to identify abuse within the scope of authorization as a part of the Service;
c. “performance” cookie files that allow collection of information on the way the web pages of the Service are used in;
d. “functional” cookie files that allow “memorizing” selected User settings and personalization of the User’s interface, e.g. in terms of the selected language or region the User comes from, font size, look of the web page, etc.;
e. “advertisement” cookie files that allow providing the Users with ads that suit better their interests.
52. Users of the Service may at any time change the settings regarding cookie files. Detailed information on the possibilities and methods regarding handling of cookie files are available in the software settings (of the web browser).
Exemplary editing options in popular web browsers:
– Mozilla Firefox: www.support.mozilla.org/pl/kb/ciasteczka
– Internet Explorer: www.support.microsoft.com/kb/278835/pl
– Google Chrome: www.support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
53. The Website Service Provider informs that limitations in the use of cookie files might affect some functions available on pages of the Website.
54. The conduction of direct marketing by companies from the Formaster can take place through sending commercial information via electronic means of communication, particularly via electronic mail or by phone (refers to the mobile application “My Dafi”).
55. Companies of the Formaster can send you information on products and services, in general, in the case of expressing a voluntary consent to processing of personal data for marketing purposes. The consent for processing of personal data can be revoked at any moment.
56. The sending of information on products and services of companies from the Formaster through means of electronic communication shall require giving a consent to receive commercial information via means of electronic communication, in particular via electronic mail and providing the address of electronic mail.
57. Presentation of information on products and services of companies from the Formaster by telephone shall require your consent to the usage of telecommunication end devices for the purposes of direct marketing and giving access to the phone number.
58. If you no longer want to receive information on products and services from companies of the Formaster, you can revoke your consent to processing of personal data for marketing purposes or make an objection to processing of personal data for the purposes of direct marketing, including profiling, within the scope in which the processing is connected with such direct marketing.