Südzucker Polska SA is committed to protecting your privacy and related personal data, and ensuring required data security. Südzucker Polska SA processes your personal data only in accordance with the rules described below and applicable personal data protection law, in particular the Personal Data Protection Act of 10 May 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) (Official Journal of the EU, L 119, 2016, p. 1).
I. Name and address of the Controller
The controller of your personal data is:
Südzucker Polska S.A. with the registered office in Wrocław, ul. Muchoborska 6, tel. +48 71 79 88 900, fax +48 71 79 88 901, e-mail: firstname.lastname@example.org, www.suedzucker.pl, District Court for Wrocław-Fabryczna, 6th Division of the National Court Register, with the reference number KRS 0000134177, share capital of PLN 197,087,493 fully paid up
If you wish to exercise your rights of access, correction, rectification, erasure, or restriction of processing or if you wish to exercise your right to object to the processing of your personal data by Südzucker or the right to personal data portability, you can do so by sending an appropriate declaration to the address of Südzucker’s registered office given above, the Company’s e-mail address or the e-mail address of the Data Protection Officer.
II. Name and address of the Personal Data Protection Officer
Südzucker appointed a Data Protection Officer (hereinafter the “DPO”) who can be reached at: Südzucker Polska S.A., ul. Muchoborska 6, 54-424 Wrocław, tel.: +48 71 79 88 900, fax: +48 71 79 88 901, Company e-mail: email@example.com or Inspektor.Danych.Osobowych@suedzucker.pl
III. General Information About the Processing of Personal Data
1. Scope of processing of personal data
We process the personal data of users (hereinafter “Users”) of Südzucker websites (www.suedzucker.pl including Planter website www.rmp.szgroup.de www.cukier-krolewski.pl, www.muzeumcukrownictwa.pl) and Internet profiles, including social media profiles (Facebook fanpage: Zycie jest słodkie, Instagram: https://www.instagram.com/cukierkrolewski/), and websites of Suedzucker Polska S.A. (application at www.slodkigest.pl) used to promote the Cukier Królewski brand owned by Suedzucker Polska S.A., however, in principle only if it is necessary for the functioning of the website, considering the information or content published on the website. Users’ personal data are processed only based on the consent of such users except in cases when the processing of personal data without the data subject’s consent is permitted by the law.
2. Legal basis for processing of personal data
If the processing of personal data requires the data subject’s consent, the legal basis of processing is Article 6(1)(a) of the GDPR.
If the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis of processing is Article 6(1)(b) of the GDPR. This applies also to processing operations which are necessary to take steps prior to entering into a contract.
If the processing of personal data is necessary for Südzucker’s compliance with a legal obligation, the legal basis of processing is Article 6(1)(c) of the GDPR.
If the vital interests of the person concerned or of another natural person require personal data processing, the legal basis of processing is Article 6(1)(d) of the GDPR.
If data processing is necessary for the purposes of the legitimate interests pursued by Südzucker or by a third party, except where such interests are overridden by the interests, fundamental rights or freedoms of the data subject which require protection of personal data, then the legal basis is Article 6(1)(f) of the GDPR.
3. Data erasure and storage period
The personal data of the data subject is erased as soon as the purpose of processing has ceased to exist. Data can be stored after the purpose of processing has ceased to exist if provided for by applicable law. In such a case, data is erased when the storage period allowed by such law has elapsed.
Each time you access a Südzucker website, the following data and information from the accessing computer system is automatically stored in our system:
(1) information about the type and version of the Internet browser;
(2) User’s operating system;
(3) User’s IP address;
(4) time of visit;
(5) websites from which the User’s system has been directed to our website;
(6) websites reached by the User’s system via our website.
Data is also stored in the log files in our system. It is stored together with other personal data of the User for up to 30 days.
2. Legal basis for data processing
The legal basis for the temporary storage of personal data in log files is Article 6(1)(f) of the GDPR.
3. The purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the User’s computer. For this purpose, the User’s IP address must be stored for the duration of the website visit.
Log files are stored to ensure the smooth functioning of the website. Additionally, they are used for website optimisation and ensuring the security of our technical and IT systems. In this case, we do not analyse data obtained for the purposes of marketing.
4. Storage period
Data is erased as soon as it is no longer required for the purposes for which it was collected. If data is recorded in order to provide access to a website, it is erased upon completion of the visit.
Log files are erased after 30 days. They can be stored for a longer period provided that Users’ stored IP addresses have been made anonymous so as to prevent identification of the User who visited our website.
V. Disabling cookies
1. Description and scope of data processing
Cookies save and transmit the following information:
(1) language settings;
(3) session information.
(1) terms searched;
(2) data in contact forms and other text fields;
(3) frequency of opening websites;
(4) using website functions.
User data collected as described above are pseudonymised and can no longer be related to the visiting User. Data indicated above is not saved with other User personal data.
If, for any reason, you do not give your consent to the saving of cookies as described above, you can disable saving cookies by selecting appropriate settings in your Internet browser or setting it to notify you when a cookie is saved. To this end, you need to modify appropriate settings in the browser menu by choosing your preferences or options. However, a consequence of changing such settings could be that some functions on the Südzucker website will be disabled completely or partly, i.e. they will be functional only to a limited extent.
2. Legal basis for data processing
The legal basis for the storage of personal data when storing the necessary cookies is Article 6(1)(f) of the GDPR.
The legal basis for the storage of personal data when storing cookies for analysis purposes, provided the User has given a relevant consent, is Article 6(1)(a) of the GDPR.
3. The purpose of data processing
(1) copying language settings;
(2) storing terms searched.
User data stored by cookies are not used to create User profiles. Such data is, however, used to carry out analysis referred to below.
Cookies are used for analysis purposes in order to help us improve the quality and content of our website. Thanks to the analysis, we learn how Users access the Südzucker website which helps us constantly optimise our offer.
4. Storage period, the opportunity to object and erase data
VI. Contact by e-mail
1. Description and scope of data processing
The Südzucker website includes an e-mail address that can be used to contact the company. If the User takes advantage of this possibility, their personal data included with the e-mail address will be stored. Data stored is not made available or transferred to any third parties, but it is used only to engage in and process any conversations/correspondence using the e-mail address.
2. Legal basis for data processing
The legal basis of processing of data sent by Users to the e-mail address included in the Südzucker website is Article 6(1)(f) of the GDPR.
3. The purpose of processing of personal data
Personal data sent to the e-mail address included in the Südzucker website or a data entry mask is processed only to handle the contact form submissions. This is also the basis of our legitimate interest in the processing of such personal data.
4. Storage period
Data is erased as soon as it is no longer required for the purpose for which it was collected. If personal data is sent by e-mail or via a data entry mask, it is erased upon completion of the conversation/correspondence with the User. The conversation/correspondence is deemed completed if it can be assumed on the basis of facts and content that the case at hand has been solved.
5. Opportunity to object and erase data
The User can at any time withdraw consent to the processing of their personal data. If the User contacts us by e-mail, they can object at any time to the storage of their personal data. In such a case, the conversation/correspondence can not be continued and User’s personal data that has been collected and stored by Südzucker in relation with the User’s use of the e-mail address included in our website are deleted.
VII. Google maps
1. Description and scope of data processing
Our website uses Google Maps api to present geographic information to our clients. The service is provided by Google LLG., 1600 Parkway Mountain View, CA 94043, USA. When using Google Maps or visiting a website, data is usually collected, processed and stored. More information about data processing by Google can be found in Google data protection guidelines.
2. Purpose and legal basis for data processing
By using Google Maps, website functionality is improved. The purposes of processing referred to above form a legitimate interest (Article 6(1)(f) of the GDPR).
3. Opportunity to object and erase data
You can object to the collection, storage and use of information by Google at any time with effect for the future by installing a browser plugin provided by Google.
VIII. Rights of the data subject
If your personal data is being processed, your rights under the GDPR as regards the controller are as follows:
1. Right of access to personal data by the data subject
You may require the data controller to confirm if your personal data is being processed. If it is, you can require the controller to provide the following information:
(1) purposes of processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject and to object to such processing;
(6) the right to lodge a complaint with a supervisory authority.
You have the right to require information of your personal data is transferred to a third country or to an international organisation. In this respect, you can also require information about the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
To exercise your right to obtain information referred to above, please contact us directly using the contact details included in our website or contact our data protection officer (see items I and II).
2. Right to rectification
You have the right to request from the data controller rectification and/or completion of data, provided that your personal data subject to processing is incorrect or incomplete. The controller must immediately perform the rectification.
3. Right to restriction of processing
You can require restriction of processing of personal data concerning you in the following cases:
(1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(4) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where personal data processing has been restricted, such data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The controller notifies the restriction of processing to the data subject who required the restriction according to the above criteria.
3. Right to erasure
a) obligation of erasure
You can require the controller to erase personal data concerning you without delay and the controller shall have the obligation to erase such personal data without undue delay where one of the following grounds applies:
(1) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(2) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(3) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
(4) the personal data has been unlawfully processed;
(5) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information made available to third parties
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not apply if processing is necessary in the following situations:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(4) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
(5) for the establishment, exercise or defence of legal claims.
5. Right of notification
If you have exercised your right to request from the controller rectification or erasure of personal data or restriction of processing of personal data, the controller is obliged to notify all recipients to whom the personal data has been disclosed of the rectification or erasure of personal data or restriction of processing of personal data, except where it is impossible or involves disproportionate effort.
Upon request, you have the right to be notified by the controller of any recipients referred to above.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from the controller to which the personal data has been provided, where:
(1) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
(2) the processing is carried out by automated means.
In exercising your right to data portability, you can have the personal data concerning you transmitted sent directly from the controller to another controller, where technically feasible.
The right referred to above must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data which is required for the performance of a task carried out in the public interest or in the exercise of official authority by the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
8. Right to withdraw the consent to processing
If the processing of personal data is based on Article 6(1)(a) or Article 9 (2)(a) of the GDPR, you have the right to withdraw the consent to the processing of your data at any time. The withdrawal of consent shall not, however, the lawfulness of processing based on consent before its withdrawal.
9. Right to notify a personal data breach to a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the Regulation (GDPR).
The supervisory authority that receives the complaint shall notify the complainant of the progress or outcome of the complaint or the complainant will have the right to bring proceedings against the supervisory authority in a case referred to in Article 78 of the GDPR.
The competent authority for data protection is the President of the Office for Personal Data Protection.
Office for Personal Data Protection
Stawki 7 Street
01-193 Warsaw, Poland
Helpline + 48 606 950 000
fax: + 48 22 531 03 01
Further information can be found on www.uodo.gov.pl.
IX. Links to other websites
Please also note that if Südzucker processes the personal data of Südzucker profile users in social networks, including facebook.com or Instagram, the controller processes only the personal data sent to them, published in their profile or made available by you through an appropriate configuration of account privacy settings in the portal. However, we can use your personal data for statistical purposes using tools provided by a given social network (such tools may also use profiling). The rules governing the processing of personal data for such purposes are defined in the portal’s terms and conditions, policies and regulations. Please read them before taking the decision to make your data available or to determine the scope and manner of making your data available.
We take all security measures to protect your personal data from unintended or unlawful access, erasure, alteration, loss or unauthorised disclosure.
Whenever your data is transmitted through our website, we use a secure socket layer (SSL) to encrypt it. We also protect our website and our other systems and personal data with appropriate technical and organisational measures, in particular from loss, destruction, unauthorised disclosure, alteration or transmission of data to third parties.
Version 1.0, May 2018