GDPR INFORMATION CLAUSE FOR OUR CLIENTS, SUBCONTRACTORS, SUPPLIERS

INFORMATION ON PERSONAL DATA PROCESSING AND PROTECTION BY MAXIMA EUROPE SP. Z O.O. (GDPR)


Pursuant to Article 13 items 1 and 2 of the General Data Protection Regulation of 27 April 2016 (hereinafter referred to as the GDPR), we inform you that:

[Personal Data Controller]

The personal data controller is Maxima Europe sp. z o.o. with its registered office in Kraków (30-305), Wasilewskiego Street 20/6, KRS No. 0000589963 (hereinafter referred to as the Controller). In matters concerning your personal data, you can contact the Controller by email: [email protected].

[Types of personal data]

The Controller processes the following categories of personal data: name, surname, email address, telephone number, business address, correspondence address, company name, tax number, statistical number, KRS (National Court Register) number, bank account number.

[Basis, purpose of processing personal data and retention period of personal data]

The Controller processes personal data: 

  1. to conclude and perform the contract with the Controller (Article 6 item 1 point (b) of the GDPR), for the duration of the contract;

  2. to comply with legal obligations incumbent on the Controller, including tax regulations and regulations requiring accounting documents to be kept (Article 6 item 1 point (c) of the GDPR), for the period required by law;

  3. to assert or defend against claims under a contract concluded with the Controller, based on the Controller's legitimate interest (Article 6 item 1 point (f) of the GDPR), until the expiry of potential claims;

  4. to undertake information and marketing activities, based on the Controller's legitimate interest (Article 6 item 1 point (f) of the GDPR), if you consent to receive information electronically, until you withdraw your consent to receive information electronically or until you make an effective objection;

  5. based on your consent, to the extent and for the purpose specified in the consent given (Article 6 item 1 point (a) of the GDPR), until it is withdrawn;

  6. to offer services to our clients (direct marketing). The Controller may send information regarding its services in which your employer/mandator may be interested. The legal basis for the processing is the Controller's legitimate interest in extending or renewing cooperation (Article 6 item 1 point (f) of the GDPR);

  7. to carry out client satisfaction surveys, based on the Controller's legitimate interest (Article 6 item 1 point (f) of the GDPR).

[Voluntariness]

Providing personal data is voluntary, but necessary to conclude and perform the contract. Failure to provide data prevents the conclusion of the contract with the Controller.

[Recipients of the data]

The Controller shares personal data with different groups of recipients, but only if this is related to the purposes for which the Controller processes personal data or to its use of IT systems. Personal data may be transferred to entities providing legal, IT, accounting or advisory services, transport services, as well as to entities related to the Controller by capital or organizationally (including other companies from our Group of companies).

[Rights of data subjects]

In relation to the processing of personal data, you have:

  • the right to access the content of your data;

  • the right to rectification;

  • the right to erasure (the so-called “right to be forgotten”);

  • the right to restriction of processing;

  • the right to data portability;

  • the right to object;

  • the right to lodge a complaint with the President of the Office for Personal Data Protection if you consider that the processing of personal data violates the law.

The Controller would like to point out that the right to object is not automatic, which means that the cessation of data processing can only take place if there is a specific situation concerning you. When an objection is filed, the Controller can demonstrate compelling legitimate grounds to continue processing personal data, or to do so in connection with the assertion or defense of rights. Furthermore, you may object, at any time and without further circumstances, to our processing of your personal data, but only if the Controller processes it for direct marketing purposes.

[No profiling]

Personal data will not be processed by automated means or profiling.

[Transfer of personal data to third countries]

Personal data is also processed in an IT system. The Controller uses the Google Workspace service, based on the servers of Google Inc. As a result, personal data is transferred to a third country (USA). The transfer of personal data to a third country is based on the mechanism provided by the GDPR, as the data is adequately protected using Standard Contractual Clauses (“SCC”). If you wish to review the SCCs, please be advised that they are available from the Controller, who will allow you to review the document in accordance with an internal procedure. In addition, the Controller has entered into an agreement with the related companies situated in third countries, based on the legal instrument provided for by the GDPR, in the form of standard contractual clauses (“SCC”), adopted by the European Commission based on the implementing decision of 4 June 2021. If you wish to review this agreement, we inform you that it is available from the Controller, who will allow you to review the document in accordance with an internal procedure.