GDPR INFORMATION CLAUSE FOR CONTACT PERSONS

[EN] INFORMATION ON PERSONAL DATA PROCESSING AND PROTECTION BY MAXIMA EUROPE SP. Z O.O. (GDPR)

Click here to see the Polish version

This information clause is addressed to contact persons. By contact persons we are referring to persons authorized to represent our clients, subcontractors, suppliers, including board members, proxies, attorneys, associates of commercial partnerships.


Following article 13 item 1 and 2 and article 14 of the General Data Protection Regulation of 27 April 2016 (hereinafter referred to as the GDPR) we inform you that:

[Personal Data Controller]

The personal data controller is Maxima Europe sp. z o.o. with its registered office in Kraków (30-305), Wasilewskiego Street 20/6, KRS No. 0000589963 (hereinafter referred to as the Controller). In matters concerning your personal data, you can contact the Controller by email: [email protected].

[Types of personal data]

The Controller processes the following categories of contact person data: name and surname, telephone number, e-mail address, as well as the position held. We collect personal data in a number of ways. The Controller has received personal data from our clients or their representatives. The Controller may also obtain personal data directly from you (if contact is made). As regards persons authorized to represent, the Controller may obtain personal data from publicly available registers (i.e. National Court Register).

[Basis, purpose of processing personal data and retention period of personal data]

The basis for the Controller's processing of personal data is:

  1. the necessity to establish cooperation with our clients, subcontractors, suppliers. The legal basis for data processing is the Controller's legitimate interest in being able to establish legal relationships (Article 6 item 1 point (f) of the GDPR);

  2. the necessity to designate in a contract the person authorized to represent our client, subcontractor or supplier. The legal basis for the processing is the legitimate interest of the Controller (Article 6 item 1 point (f) of the GDPR);

  3. the necessity to perform the contract concluded between the Controller and our client, subcontractor or supplier, including contact in current matters, presenting offers, receiving orders, answering questions. The legal basis for data processing is the legitimate interest of the Controller, consisting in the possibility of ongoing contact with our customers, as well as ensuring the performance of the contract with the clients, subcontractors, suppliers (Article 6 item 1 point (f) of the GDPR);

  4. to defend against possible claims or to assert possible claims related to the contract concluded by the Controller with the client, subcontractor, supplier. The legal basis for data processing is the Controller's legitimate interest in being able to defend against or assert claims (Article 6 item 1 point (f) of the GDPR);

  5. to offer services to our clients (direct marketing). The Controller send information regarding our services in which your employer/mandator may be interested. The legal basis for the processing is the Controller's legitimate interest in wanting to extend or renew cooperation (Article 6 item 1 point (f) GDPR).

The Controller will process personal data during the period of performance of the contract with the client, subcontractor, supplier, and after that time for the period of limitation of possible claims under the contract concluded with our client, subcontractor, supplier.[Voluntariness]

[Voluntariness]

Providing personal data is voluntary, but necessary to  conclude and perform the contract. Failure to provide data prevents the conclusion of the contract with the Controller.

[Recipients of the data]

The Controller share personal data with different groups of recipients, but only if it is related to the purposes for which we process personal data or our use of IT systems. Personal data may be transferred to entities providing legal, IT, accounting or advisory services, transport services, as well as to entities related  by capital or organizational to the Controller (including other companies from our Group of companies).

[Rights of data subjects]

in relation to the processing of personal data, you have:

  • the right to access the content of your data

  • the right to rectification;

  • the right to erasure (so called “the right to be forgotten”)

  • the right to restriction of processing;

  • the right to data portability;

  • the right to object;

  • the right to complaint with the President of the Office for Personal Data Protection if you consider that the processing of personal data violates the law.

The Controller would like to point out that the right to object is not automatic, which means that the cessation of data processing can only take place if there is a specific situation concerning you. In connection with the filing of an objection, the Controller can demonstrate compelling legitimate grounds to continue processing personal data or to do so in connection with the assertion of rights, defense. Furthermore, you may object, at any time and without further circumstances, to our processing of your personal data, but only if the Controller process it for direct marketing purposes.

[No profiling]

Personal data will not be processed by automated means or profiling.

[Transfer of personal data to third countries]

Personal data is also processed in an IT system. The Controller uses the Google Workspace service, based on the servers of Google Inc. As a result, personal data is transferred to a third country (USA). The transfer of personal data to a third country is based on the mechanism provided by GDPR, as the data are adequately protected using Standard Contractual Clauses (“SCC”). If you wish to review the SCCs, please be advised that they are available for review at the Controller, which allows you to review this document, according to an internal procedure. In addition, the Controller has entered into an agreement with the related companies situated in third countries, based on the legal instrument provided for by the GDPR, in the form of standard contractual clauses (“SCC”), adopted by the European Commission based on the implementing decision of 4 June 2021. If you wish to review this agreement, we inform you that they are available at the Controller, which allows you to review this document, according to an internal procedure.