Based on Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 2016.119.1 of 04.05.2016 (“Regulation” or “GDPR”), we would like to inform you that:

  1. The Personal Data Controller is MDT Sp. z o.o., court register number (KRS): 0000478430, registered office: ul. Skośna 12A, 30-383 Kraków, Poland, website: The Personal Data Controller can be contacted by email at: or by writing to the mailing address specified in the first sentence above;
  2. The Data Protection Officer is Mr Tomasz Kalita. Any data subject can contact him concerning the processing of personal data and use of the data subject’s rights related to the processing, by email at or by writing to the Personal Data Controller address specified in section 1;
  3. MDT Sp. z o.o. processes information about senders and recipients of email as well as other types of data contained there – for the following purposes:
  • to enable email communication between the Data Controller and email recipients;
  • to document arrangements made between customers (individuals and businesses) and other parties;
  • to take in notices, requests and other letters via email, including complaints;
  • to defend against and establish claims, if any.

Correspondence will be stored for one year, unless a given email contains content relevant to establishing or defending claims, in which case the email will be stored for up to 3 years, i.e. the statutory time bar on claims according to the Civil Code.

  4. Legal grounds of the processing of such data contained in emails are:
  • legitimate interest of the Data Controller and email senders (GDPR Article 6.1.f) – in the case of occasional correspondence enabling electronic contact with the Data Controller;
  • the need to perform the contract made with our Customer, whether an individual or business entity (GDPR Article 6.1.b) in terms of correspondence related to the contract performance;
  • voluntary consent of the Customer in the event the correspondence contains any special categories of personal data. If the sender does not include his/her consent in the correspondence, it will be needed as a separate document because it is a condition for the processing to be compliant with GDPR. The consent may be cancelled at any time, without stating any reason, however without impact on the legitimacy of data processing carried out before its cancellation;
  • a voluntary consent expressed through an explicit confirmation – if the sender requests information concerning the Data Controller’s brand, products or services, then the reply to the sender will contain the information requested by him/her, and dispatch of such request will imply his/her consent for the Data Controller to reply by sending commercial information to the e-mail address provided by the sender, to the extent necessary to provide such reply (Article 10 of the Electronic Services Act). The consent may be cancelled at any time, without stating any reason;
  • the Data Controller’s legitimate interest to establish or defend claims, if any, according to generally applicable laws of Poland, in particular the Civil Code (GDPR Article 6.1.f and 9.2.f).
  5. The collected personal data may be disclosed to entities and public authorities entitled to process personal data on the basis of generally applicable laws as well as to entities processing personal data on behalf of the Data Controller in connection with its performance of tasks outsourced to them (e.g. IT services, legal support).
  6. The data subject may exercise his/her rights vested based on legal regulations, depending on the legal grounds underlying the processing of his/her data, including to:
  • access own personal data, i.e. to obtain confirmation from the Data Controller as to whether his/her personal data is being processed. If the data is processed, the data subject can access it and obtain the following information: purposes of the processing, personal data categories, current or future recipients (and recipient categories) of data, data retention period (or criteria of determining such period), the right to correct, erase the data or restrict its processing, and the right to object against the processing of the data subject’s data (GDPR Article 15);
  • receive a copy of the processed data, with the first copy free of charge and any subsequent copies subject to the Data Controller’s fee in a reasonable amount calculated based on administrative costs (GDPR Article 15.3);
  • correct own personal data, if incorrect, or complete it, if incomplete (GDPR Article 16);
  • erase own data, if the Data Controller no longer has the legal basis for its processing or when the data is no longer necessary for the purposes of the processing (GDPR Article 17);
  • restrict the processing of personal data, if: the data subject challenges the correctness of the personal data – for a period allowing the Data Controller to verify correctness of the data; the processing of the personal data is unlawful and the data subject objects against its erasure and instead requests restriction of its use; the Data Controller does not need the data any more but the data subject needs it in order to establish, defend or exercise claims; the data subject objects against the personal data processing – until determined whether the Data Controller’s legitimate interest overrides such objection;
  • move the data, i.e. to receive it in a structured, commonly used and machine-readable format of the data subject’s data which he/she provided to the Data Controller, and request sending it to another data controller, if the data is processed based on the data subject’s consent or based on a contract concluded with the data subject and if the data is processed by automated means (GDPR Article 20);
  • object against the processing for the Data Controller’s legitimate purposes – for reasons of a specific case of the data subject, including in the case of profiling. In such situation, the Data Controller will assess existence of valid legitimate grounds for the processing that override the data subject’s interest or grounds to establish, defend or exercise claims. If assessed that the data subject’s interest overrides the one of the Data Controller, the latter will be required to discontinue the processing carried out for those purposes (GDPR Article 21);
  • file a complaint with the President of the Personal Data Protection Office (UODO) whenever the processing of personal data appears to violate the Regulation.