Based on Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 2016.119.1 of 04.05.2016 (“Regulation” or “GDPR”), we would like to inform that:

  1. The Personal Data Controller is MDT Sp. z o.o., court register number (KRS): 0000478430, registered office: ul. Skośna 12A, 30-383 Kraków, Poland, website: The Personal Data Controller can be contacted by email at: or by writing to the mailing address specified in the first sentence above;
  2. The Data Protection Officer is Mr Tomasz Kalita. Any data subject can contact him concerning the processing of personal data and use of the data subject’s rights related to the processing, by email at or by writing to the Personal Data Controller address specified in section 1;
  3. MDT Sp. z o.o. processes personal data for the following purposes:
  • personal data which is name, surname and contact details of the Customer – to perform the contract concluded with the Customer (GDPR Article 6.1.b)
    – throughout the period of performing the requested service;
  • processing, dissemination of the Customer’s image – to perform the contract
    or based on the Customer’s consent, for example documentation of the performance, such as equipment training (GDPR Article 6.1.a and b) – throughout a period specified in the contract or the consent;
  • personal data which is name, surname and contact details of the Customer – to carry out promotion and marketing – based on the Customer’s consent (GDPR Article 6.1.a)
  • personal data involved in electronic payments stored in pay terminals – to take electronic payments in exchange for the Data Controller’s services, as necessary to pursue the legitimate interest of the Data Controller and the Customer in use of the electronic payment mechanism (GDPR Article 6.1.f);
  • personal data contained in the Data Controller’s accounting, bookkeeping and tax documentation as well as in banking systems and documents – to meet statutory obligations, in particular the Polish Accounting Act, the Tax Regulation and CIT and VAT (GDPR Article 6.1.c) – for 5 years of the end of a financial year;
  • the Customer’s personal data will be also processed by the Data Controller to establish or defend potential claims based on its legitimate interest and generally applicable legal regulations of Poland, in particular the Civil Code (GDPR Article 6.1.f) – for 3 years after the end of a given service, but in the case of pending proceedings this period can be extended until the proceedings become ended with a final and non-appealable ruling and time bar periods expire;
  1. The collected personal data may be disclosed to entities and public authorities entitled to process personal data on the basis of generally applicable laws as well as to entities processing personal data on behalf of the Data Controller in connection with its performance of tasks outsourced to them (e.g. IT services, legal support, entities receiving such data in connection with contract performance: banks, payment terminal providers, postal operators, courier companies).
  2. The data subject may exercise his/her rights vested based on legal regulations, depending on the legal grounds underlying the processing of his/her data, including to:
  • access own personal data, i.e. to obtain confirmation from the Data Controller as to whether his/her personal data is being processed. If the data is processed, the data subject can access it and obtain the following information: purposes of the processing, personal data categories, current or future recipients (and recipient categories) of data, data retention period (or criteria of determining such period), the right to correct, erase the date or restrict its processing, and the right to object against the processing of the data subject’s data
    (GDPR Article 15);
  • receive a copy of the processed data, with the first copy free of charge and any subsequent copies subject to the Data Controller’s fee in a reasonable amount calculated based on administrative costs (GDPR Article 15.3);
  • correct own personal data, if incorrect, or complete it, if incomplete (GDPR Article 16);
  • erase own data, if the Data Controller no longer has legal grounds for its processing or when the data is no longer necessary for the purposes of the processing (GDPR Article 17);
  • restrict the processing of personal data, if: the data subject challenges the correctness of the personal data – for a period allowing the Data Controller to verify correctness of the data; the processing of the personal data is unlawful and the data subject objects against its erasure and instead requests restriction of its use; the Data Controller does not need the data any more but the data subject needs it in order to establish, defend or exercise claims; the data subject objects against the personal data processing – until determined whether the Data Controller’s legitimate interest overrides such objection;
  • move the data, i.e. to receive it in a structured, commonly used and machine-readable format of the data subject’s data which he/she provided to the Data Controller, and request sending it to another data controller, if the data is processed based on the data subject’s consent or based on a contract concluded with the data subject and if the data is processed by automated means (GDPR Article 20);
  • object against the processing for the Data Controller’s legitimate purposes – for reasons of a specific case of the data subject, including in the case of profiling. In such situation, the Data Controller will assess existence of valid legitimate grounds for the processing that override the data subject’s interest or grounds to establish, defend or exercise claims. If assessed that the data subject’s interest overrides the one of the Data Controller, the latter will be required to discontinue the processing carried out for those purposes (GDPR Article 21);
  • file a complaint with the President of the Personal Data Protection Office (UODO) whenever the processing of personal data appears to violate the Regulation.