INFORMATION OBLIGATION OF PEX Sp. z o.o.
The controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “RODO”) is PEX Sp. z o.o. (hereinafter also referred to as the “Controller”).
Full details of the Administrator: PEX Sp. z o.o., Migdałowa 4D lok. 46, 02-796 Warsaw, tel. 022-886-47-15, fax. 022-638-21-29, e-mail: [email protected], https://pexps.pl, KRS 0000178089, REG: 015579675, NIP 9512093564.
The controller declares that it ensures the application of the technical and organisational measures necessary to ensure the confidentiality, integrity, accountability and continuity of the personal data processed.
1. Purpose and legal basis of data processing
The purpose and basis of the processing of personal data, depending on the activities carried out, are:
a) The conclusion and performance of the Contract and the conclusion of possible future contracts, including for the purpose of contact in connection with the provision of services, the issuing of an invoice or bill for the performance of the contract – on the basis of Article 6(1)(b) RODO. The provision of personal data is voluntary, but is a condition for the conclusion and subsequent performance of the contract.
b) Conducting direct marketing of the Administrator’s own products and services, including, but not limited to, the presentation of offers by electronic means – the legal basis is Article 6(1)(f) RODO – the necessity of data processing for the fulfilment of the Administrator’s legitimate interest;
c) Fulfillment of the Administrator’s legal obligation under the tax and accounting legislation – the legal basis being Article 6(1)(c) RODO;
d) Establishing, asserting or defending against claims that the Controller or the data exporter may have against each other in connection with the conclusion or performance of a contract – on the basis of Article 6(1)(f) RODO;
e) Handling of requests addressed to the Administrator (e.g. via the contact form), answering enquiries and handling complaints and requests – the legal basis is Article 6(1)(f) RODO – the necessity of processing the data for the purposes of carrying out the legitimate interest of the controller.
f) Implementation of projects involving the processing of personal data of individuals – on the basis of Article 6(1)(a) RODO and Article 9(2) RODO.
g) Monitoring the safety of medicinal products – fulfilment of the Administrator’s legal obligation under pharmaceutical law, Article 6(1)(c) of the DPA and Article 9, paragraph 2, point (i) of the DPA.
2. Data retention period
The personal data will be kept by the Administrator only for the period necessary to fulfil the aforementioned purposes of data processing, i.e. for the duration of the Agreement and, upon termination or expiry of the Agreement, for the period of limitation of claims against the Administrator or the data transferor and the period resulting from the applicable laws, including tax laws.
3. Recipients of the data
The controller does not transfer personal data outside the European Economic Area.
Personal data may be transferred to processors commissioned by the Administrator, including IT service providers, entities storing and deleting data, and entities processing data for accounting purposes or debt recovery – with such entities processing data on the basis of a contract with the Administrator and only in accordance with the Administrator’s instructions.
Personal data will be made available at the request of state authorities, in particular the Courts, the President of the Data Protection Authority, the President of the Competition and Consumer Protection Authority and others.
Access to personal data shall only be granted to persons for whom there is a justification for such access in view of the tasks and services performed and to the extent necessary to fulfil the purposes of processing indicated above. The controller shall ensure that its employees undergo appropriate training in personal data protection, familiarising them with internal data protection policies and procedures or dedicated training programmes. All persons and entities authorised to process personal data are obliged to maintain the confidentiality of the processed data and to adopt adequate technical and organisational measures to protect them against disclosure to unauthorised persons, accidental or unlawful destruction, loss or alteration, misuse or other unlawful processing.
4. Rights in relation to the processing of personal data
The Data Subject may exercise the following rights against the Controller:
a) the right to request access to your personal data in accordance with Article 15 of the RODO, and to have it rectified in accordance with Article 16 of the RODO;
b) the right to request the restriction of the processing of personal data in the cases and under the conditions indicated in Article 18 RODO;
c) the right to request the erasure of personal data pursuant to Article 17 of the RODO (“right to be forgotten”);
d) the right to data portability pursuant to Article 20 of the RODO;
e) the right to object to the processing referred to in Article 21 RODO.
In addition, the data subject may exercise the right to lodge a complaint with a supervisory authority, the function of which is performed in Poland by the President of the Office for Personal Data Protection.
5. Automated processing of personal data
Personal data processed by the Administrator is not subject to profiling.
6. Data Protection Officer
In matters related to data processing and exercising the rights of data subjects, you may contact the Data Protection Officer appointed by PEX Sp. z o.o., by directing correspondence to the e-mail address: [email protected] or in writing to the Administrator’s registered office address indicated in this information obligation.