0

Privacy

Home page  /  Privacy

The data we collect are nowhere transferred. They are used exclusively by Sandmix. They help us to improve the offers and adverts. We used the IT security measures. You do not have to worry about sending form or by calling us.

Privacy Policy

 

  1. Information on the Data Controller

 

We would like to inform you that Sandmix spółka z ograniczoną odpowiedzialnością spółka komandytowa, entered into the National Court Register under KRS No. 0000644173, hereinafter referred to as the “Controller”, acts as the data controller. You can contact the Controller as regards personal data protection using the email: odo@sandmix.pl

 

  1. The objective and grounds of personal data processing

 

The Controller processes your personal data for the purposes of service provision in line with its activity profile.

 

  • In order to provide services (perform sales) and value them the Controller processes the following personal data:
  • full name,
  • e-mail,
  • telephone,
  • residential address,
  • order number.

Article 6 (1) (b) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – Official Journal of the EU L 119 of 4 May 2016 (hereinafter referred to as the GDPR) forms the legal basis for the processing of personal data in this respect and facilitates the processing of personal data if such data are necessary for the performance of a contract or in order to take steps to enter into a contract. Should you decide to also provide other personal data, we will regard that as if you consented to the processing of these personal data as well – then the legal basis for the processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent.

 

  • In order to handle complaints the Controller processes the following personal data:
  • full name,
  • e-mail,
  • telephone,
  • order number,
  • residential address,
  • bank account number – to perform a refund.

Article 6 (1) (b) of the GDPR forms the legal basis for the processing of personal data in this respect, if such data are necessary for the performance of a contract or in order to take steps to enter into a contract. Should you decide to also provide other personal data, we will regard that as if you consented to the processing of these personal data as well – then the legal basis for the processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent.

 

  • In order to send email notifications related to the provision of information on the performance of the order or other service provided by the Controller, the Controller processes the following personal data:
  • full name,
  • function in an organisation or position,
  • e-mail,
  • order number.

Article 6 (1) (f) of the GDPR forms the legal basis for the processing of personal data and facilitates the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the interest of the Controller is to inform the customer about the activities related to the performance of the order or other service, so that the service is provided correctly for the benefit of the Controller’s customer, as per agreements between the Controller and the customer, customs and legal regulations, including in respect of orders and other services to which the provisions about orders apply, in addition resulting from Article 740 of the Civil Code).

 

  • In order to establish telephone contact in matters related to service provision the Controller processes the following personal data:
  • full name,
  • function in an organisation or position,
  • telephone,
  • order number

– provided that you are interested in maintaining telephone contact. The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent. Article 6 (1) (f) of the GDPR also forms the legal basis for the processing of the aforementioned data and facilitates the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the interest of the Controller is to inform the customer about the activities related to the performance of the order or other service, so that the service is provided correctly for the benefit of the Controller’s customer, as per the agreements between the Controller and the customer, customs and legal regulations, and in respect of orders and other services to which the provisions about orders apply, in addition resulting from Article 740 of the Civil Code).

 

  • In order to send SMS notifications related to the provision of information on the performance of the order, the Controller processes the following personal data:
  • full name,
  • function in an organisation or position,
  • telephone,
  • order number

– provided that you are interested in receiving such messages. The SMS sent will not include any marketing content. The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent. Article 6 (1) (f) of the GDPR also forms the legal basis for the processing of the aforementioned data and facilitates the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the interest of the Controller is to inform the customer about the activities related to the performance of the order or other service, so that the service is provided correctly for the benefit of the Controller’s customer, as per agreements between the Controller and the customer, customs and legal regulations, and in respect of orders and other services to which the provisions about orders apply, in addition resulting from Article 740 of the Civil Code).

 

  • In order to issue invoices and fulfil other obligations under the provisions of tax law, such as the storage of accounting documents for 5 years, the Controller processes the following personal data:
  • full name,
  • function in an organisation or position,
  • company name,
  • address of residence, business address, service address or address of the registered office,
  • NIP (tax identification number),
  • order number,
  • payment information, including bank account number (if need be).

The legal basis for such processing is Article 6 (1) (c) of the GDPR, which allows the processing of personal data on the basis of voluntary consent, if such processing is necessary for the Data Controller to fulfil its legal obligations.

 

  • In order to create records and registers related to the GDPR, including a register of customers objecting pursuant to the GDPR, the Controller processes the following personal data:
  • full name,
  • e-mail,
  • telephone,
  • function in an organisation or position,
  • company name,
  • address of residence, business address, service address or address of the registered office,
  • NIP (tax identification number),
  • order number,
  • payment information, including bank account number (if need be).

This is because, first, the GDPR imposes on us certain documenting obligations to demonstrate compliance and accountability, and, secondly, should you object to the processing of your personal data for the purposes of marketing, we must know for which persons we cannot use direct marketing due to their objection.

The legal basis for such processing is, first, Article 6 (1) (c) of the GDPR, which allows the processing of personal data on the basis of voluntary consent, if such processing is necessary for the Data Controller to fulfil its legal obligations; and, second, Article 6 (1) (f) of the GDPR facilitates the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the knowledge of persons who exercise their rights under the GDPR).

 

  • In order to determine, pursue or defend against claims, the Controller processes the following personal data:
  • full name, company,
  • telephone,
  • function in an organisation or position,
  • address of residence, business address, service address or address of the registered office,
  • order number,
  • payment information, including bank account number (if need be),
  • PESEL (personal number) or NIP (tax identification number),
  • e-mail,

The legal basis for such processing is Article 6 (1) (f) of the GDPR, which allows the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the Controller’s interest is to have personal data which would make it possible to determine, pursue and defend against claims lodged by customers and third parties);

 

  • In order to archive and use as evidence, the Controller processes the following personal data:
  • full name, company,
  • telephone,
  • function in an organisation or position,
  • address of residence, business address, service address or address of the registered office,
  • order number,
  • payment information, including bank account number (if need be),
  • PESEL (personal number) or NIP (tax identification number),
  • e-mail,

– to secure information which may be used to demonstrate facts of legal significance. The legal basis for such processing is Article 6 (1) (f) of the GDPR, which allows the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the Controller’s interest is to have personal data which would make it possible to determine certain facts related to the provision of services, for example, should a public authority request it);

 

  • In order to carry out analyses, i.e. to study and analyse activity on the Administrator’s website, the Controller processes the following personal data:
  • date and time of visiting the website,
  • operating system type,
  • approximate location,
  • type of internet browser used to view the website,
  • time spent on the website,
  • pages visited,
  • the page on which the contact form was completed.

The legal basis for such processing is Article 6 (1) (f) of the GDPR, which allows the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the Controller’s interest is to learn the activities of customers on the website, to better adjust what it offers to their needs).

 

  • In order to use cookies on the website, the Controller also processes textual information (information on cookies is provided in a separate section). The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent (a message concerning consent to the use of cookies is displayed on the first visit to the website);
  • In order to administer the website, the Controller processes the following personal data:
  • IP address,
  • server date and time,
  • information on the internet browser,
  • information on the operating system

– these data are automatically recorded in server logs every time the website owned by the Controller is used. Administering a website without a server and automatic recording would be impossible. The legal basis for such processing is Article 6 (1) (f) of the GDPR, which allows the processing of personal data, if it is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this regard, the Controller’s interest is to administer the website).

 

  • In order for you to publish comments on the website or to use the contact form on the website, the Controller processes such personal data, as required for this purpose, and which are provided by you voluntarily, as well as the IP address;

The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent (in this case, we assume that publishing a comment or using the form constitutes, at the same time, consent to the processing of the personal data provided therein and the IP address).

 

  • In order for you to publish opinions on services, the Controller processes such personal data which are provided by you voluntarily, as well as the IP address. The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent (in this case, we assume that publishing an opinion constitutes, at the same time, consent to the processing of personal data).

 

  1. Cookies
  • Similarly to other entities, the Controller uses Cookies on its website, i.e. short textual information saved on the computer, telephone, tablet or other device of the user. The can be read by the Controller’s system as well as by systems owned by other entities which render services for the Controller.
  • Cookies serve a number of functions on the website, such as:
  • ensure security — cookies are used to authenticate users and prevent unauthorised use of the customer panel; therefore, they are used to protect the user’s personal data against unauthorised access;
  • influencing the processes and performance of the website — cookies are used to ensure the website’s effective operation and facilitate the use of its functions, which is possible, owing to functions like saving the settings between subsequent visits; which allows smooth browsing of the website and individual pages;
  • status of the session — cookies often store information about the way visitors use the website, such as which pages they most often display; they also identify errors displayed on some pages; “session status” cookies, therefore, help to improve the service and make browsing more convenient;
  • maintain the status of the session — if the customer logs in to their panel, cookies makes it possible to maintain the session , which means that as the user moves from page to page, the user does not have to enter their login and password each time, which makes browsing more convenient;
  • produce statistics — cookies are used to analyse the way the users use the website (how many users open the website, amount of time spent on the website, which content attracts most interest, etc.); this makes it possible to continuously improve the website and adapt it to users’ preferences; to track activity and produce statistics used by Google tools, such as Google Analytics; in addition to reporting website usage statistics, the Google Analytics pixel can be also used, along with other aforementioned cookies, to help to display more appropriate content in Google services (e.g. the Google search engine) and the entire net;
  • use of social-networking functions — our website features a Facebook pixel, which makes it possible to like our fanpage while using the website; to facilitate this, however, we must use cookies provided by Facebook.
  • Your internet browser by default allows the use of cookies on your device, which is why we would like to ask you to allow the use of cookies while visiting the website for the first time. However, if you do not wish to use cookies when browsing, you can change your settings in the internet browser — completely block the automatic use of cookies or request notifications each time cookies are to be saved on the device. The settings can be changed at any time.
  • Respecting the autonomy of all persons using the website, we feel obliged to notify that disabling or limiting the use of cookies may result in significant difficulties in using the website, i.e. the necessity to log in on every page, longer load times, restricted functionality, limited ability to like the website on Facebook, etc.

 

  1. Right to withdraw consent

 

  • If the processing of personal data is based on consent, you can withdraw your consent at any time, at your sole discretion.
  • If you wish to withdraw the consent on which the processing of personal data is based, you should:
  • send an email directly to the Controller to odo@sandmix.pl or
  • remove your comment or opinion on the services, or
  • send a form by email or post, in line with the template entitled “implementation request ” (wniosek o realizację),
  • If your personal data were processed based on consent, withdrawing it will not result in its prior processing being illegal. In other words, until you withdraw consent, we have the right to process your personal data, and withdrawing the consent does not affect the legality of previous processing.

 

  1. Requirement to provide personal data

 

  • Providing any personal data is voluntary and at your discretion. In some cases, however, the provision of certain personal data is necessary to provide you with services.
  • To order services, it is necessary to provide the needed data, indicated in individual forms; without these data it will not be possible to enter into an agreement or provide answers to your questions.
  • In order for you to receive an invoice for the services, it is necessary to provide all the data required in tax law, i.e. full name or company name, address of residence or address of the registered office, and NIP – without providing these data, invoices cannot be issued correctly.
  • To facilitate telephone contact regarding service provision, it is necessary to state a telephone number – without providing this number, telephone contact is impossible.
  • If you wish to receive sms notifications on order execution, it is necessary to state a telephone number – without providing this number, sending sms messages is impossible.

 

  1. Automated decision-making and profiling

 

We would like to kindly inform you that we do not use automated decision-making, including profiling. The content of queries sent using the contact form is not evaluated by the IT system.

 

  1. Recipients of personal data

 

As part of its activities, the Controller benefits from assistance provided by other entities, which on many occasions is associated with the need to provide personal data. Therefore, your personal data are provided, when needed, to lawyers who cooperate with and provide services to the Controller, payment handling companies, accounting companies, hosting companies, companies responsible for sending sms messages, and also insurance companies (if it is necessary to redress damage). Furthermore, pursuant to a relevant legal regulation or decision of a competent authority, the Controller may be required to provide your personal data to other public or private entities. Given the above, it is difficult to predict the full group of recipients of the personal data in question. The Controller will however ensure that every such case of making available personal data will be analysed in detail, and involve legal consultation if necessary, to prevent such personal data from being disclosed to unauthorised persons.

 

The Controller would like to also indicate that in the case of it becoming necessary to provide services by post, including to deliver documents or goods, the Controller uses postal or courier services on the basis of separate regulations.

 

  1. Transfer of personal data to third countries

 

We do not transfer personal data to third countries, i.e. states outside the European Union.

 

  1. Period of personal data processing

 

In line with the legal regulations in force, your personal data will not be processed indefinitely, but as long as they are needed for a specific purpose. After that period, your personal data are irreversibly deleted or destroyed. As regards the individual periods of personal data processing, we would like to inform that the Controller processes personal data for:

  • the term of the agreement plus one year after its termination — in respect of personal data processed for the purposes of entering into and performing the agreement;
  • 11 or 21 years — in respect of personal data processed for the purposes of pursuing or defending against claims; the 21-year period is applied when the data may be hypothetically related to a claim for damages or compensation, and the damage resulted from a crime or misdemeanour, as in such a case, the limitation period for claims for redressing damage is twenty years from the day of the crime being committed regardless of the date on which the injured party became aware of the damage and person responsible for redressing it, as provided for in Article 442 [1] § 2 of the Civil Code;
  • 10 years — in respect of personal data related to the observation of tax law, since data connected with tax documents should be stored for 5 years, and given the limitation periods, the possibility of suspending them by the tax authorities, possible inspections and the length of any tax, court or administrative proceedings, as well as the limitation periods for penal and fiscal liability, to protect the rights of the Controller to store the necessary evidence, it is necessary to set a 10-year processing period;
  • until processing consent is withdrawn or the objective of processing is achieved; however, no longer than for 5 years in respect of personal data processed based on consent;
  • until effective objection or achieving the objective of processing; however, no longer than for 5 years in respect of personal data processed based on the legitimate interests of the Controller or for marketing purposes;
  • until obsolete or no longer useful, but not longer than for 3 years — in respect of personal data processed mainly for analytical purposes, use of cookies and website administration.
  • The periods are counted in years from the end of the year in which data processing was commenced, to streamline the process of personal data deletion or destruction. Calculating of the terms for each contract separately would entail significant organisational and technical difficulties, as well as significant financial outlays, which is why setting a single date for the deletion or destruction of personal data facilitates a more effective management of this process. Of course, should you want to exercise your right to be forgotten, the request is considered on an individual basis.
  • The additional year related to the processing of personal data for the purposes of agreement performance results from the possibility of your lodging a claim shortly before the lapse of the limitation period, the claim being served with a significant delay or your erroneous determination of the limitation period.

 

  1. Rights of data subjects

 

  • Please note that you have the right to:
  • access your personal data;
  • rectify personal data;
  • erase personal data;
  • restrict the processing of personal data;
  • object to the processing of personal data;
  • data portability.
  • The Controller respects your rights resulting from personal data protection regulations and facilitates you in their exercise to the highest extent possible, and therefore to make it easier for you to submit all notifications, provides a model “request letter” allowing any notification to be made.
  • The Controller indicated that your rights are not absolute, and, therefore, in certain situations your request may be denied, which will be preceded by a thorough analysis, and only when such a denial is necessary.
  • As regards the right to object, the Controller would like to clarify that you may object to the processing of your personal data based on the legitimate interests of the Controller, on grounds relating to your particular situation. You should remember, however, that in accordance with the regulations, the Controller may not consider your objection, if the Controller demonstrates:
  • compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
  • grounds for the establishment, exercise or defence of legal claims.
  • Furthermore, you may object to the processing of your personal data for marketing purposes at any time. After receiving such objection, the Controller will not process the data for this purpose.
  • You can exercise your rights by sending an email directly to the Controller to odo@sandmix.pl

 

  1. Right to lodge complaints

 

If you believe that your personal data are processed in violation of the regulations in force, you may lodge a complaint with the President of the Personal Data Protection Office.

 

  1. Final provisions

 

  1. Regulations on personal data protection apply to all matters not regulated herein.
  2. You will be notified by email of any changes to this Privacy Policy.
  3. This Privacy Policy enters into force on 25 May 2018.

Download the request letter>>