GDPR – NOTICE FOR CLIENTS AND COUNTERPARTIES

NOTICE ON PERSONAL DATA PROCESSING

 

In connection with the implementation of the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), we hereby inform you about the processing of your personal data for the purposes of concluding and performing contracts, compliance with legal requirements and pursuit of legitimate interests, as well as processing based on consent, and about your associated rights. The following rules are applicable from 25 May 2018.

 

1. The controller of your personal data subject to processing is:

 

EMPERIA HOLDING Spółka Akcyjna, based in Warsaw (02-566), ul. Puławska 2B, entered into the register of companies at the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000034566, NIP 712-10-07-105, REGON 430450457, share capital: PLN 12 342 027, fully paid up, hereinafter the Controller.

 

2. If you have questions regarding the means and scope of the processing of your personal data by the Controller and your entitlements, please contact the Personal Data Protection Officer at inspektorochronydanychosobowych@emperia.pl or in writing to the Controller’s address.

 

3. The Controller processes your personal data on the basis of existing regulations and executed contracts, in order to pursue the Controller’s legitimate interests, and on the basis of consent.

 

4. Your personal data is stored for the following purposes:

 

a)       executing and performing contracts with the Controller’s counterparties (legal basis: art. 6 sec. 1b GDPR) – for the term of contract and settlements after it expires,

b)       compliance with a legal obligation to which the Controller is subject, e.g. issuing or storing invoices and other accounting documents, responding to complaints (legal basis: art. 6 sec. 1c GDPR),

c)       establishing, defending and seeking claims (legal basis: art. 6 sec. 1f GDPR) – for a period after which such claims expire,

d)       verifying payment credibility (legal basis: art. 6 sec. 1f GDPR) – for a period necessary to carry out such assessment when concluding, extending or expanding the scope of a contract,

e)       direct marketing (legal basis: art. 6 sec. 1f GDPR) – for the contract term or until a complaint is lodged,

f)        detecting and counteracting fraud (legal basis: art. 6 sec. 1c and 1f GDPR) – for the contract term and subsequently for a period after which claims expire or for the duration of proceedings conducted by appropriate public authorities,

g)       in any other cases, your personal data is processed exclusively based on consent, within the scope and for the purposes specified in such consent (art. 6 sec. 1a GDPR) – for the duration of the consent.

 

5. In connection with data processing for the purposes referred to in point 4, the recipients of your data may be entities from the following categories:

 

a)       entities processing personal data on behalf of the Controller based on appropriate contracts, e.g. servicing the Controller’s IT systems, subcontractors, advertising agencies, intermediaries, entities providing the Controller with advisory, legal, debt recovery, accounting, audit, mailing and courier services,

b)       entities from the group to which the Controller belongs,

c)       entities authorised to receive such personal data on the basis of existing legal regulations, e.g. courts and state authorities.

 

6. We are currently not planning to transfer your personal data outside the EEA (covering the European Union, Norway, Liechtenstein and Iceland), except for cases where this data was obtained through the Controller’s websites and after you granted consent for receiving commercial information, newsletters or accepted the use of cookies, in which cases this data will be transferred to a third country, e.g. the U.S., in connection with profiling using Google Analytics.

 

7. You have the following entitlements in connection with the processing of your personal data:

 

a)       right to access your personal data, including the right to copy this data,

b)       right to demand rectification (correction) of personal data – if this data is incorrect or incomplete,

c)       right to demand erasure of personal data (right to be forgotten) in the following events:

-          the data is no longer necessary for the purposes for which it was collected or processed in another manner,

-          the data subject objects to the processing of personal data,

-          the data subject withdraws the consent for the processing of personal data that is the basis for data processing and there are no other legal grounds for data processing,

-          personal data is being processed unlawfully,

-          personal data must be erased in order to comply with a requirement resulting from legal regulations,

d)       right to demand restriction of personal data processing – if:

-          the data subject questions the correctness of the personal data,

-          data processing is unlawful and the relevant person objects to data erasure, instead demanding a restriction,

-          the Controller no longer needs the data for its purposes but the relevant person needs it to establish, defend or seek claims,

-          the data subject objects to data processing, for as long as it takes to establish whether or not the Controller’s legitimate grounds have priority over the grounds of the objection,

e)       right to transfer data – if the following conditions are met jointly:

-          data processing takes place on the basis of a contract executed with the data subject or on the basis of consent granted by this person,

-          processing takes place in an automated manner,

f)        right to object to data processing if a special situation arises and the processing is based on its being necessary for the purposes of the legitimate interests pursued by the Controller or by a third party (art. 6 sec. 1f GDPR), except where the Controller:

-          proves the existence of legally important legitimate interests that override the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, or

-          proves grounds for establishing, seeking or defending claims.

 

However, if data is processed for direct marketing purposes (including profiling), you have the right to object at any time and the Controller will no longer be allowed to process this data for these purposes.

 

8. When personal data is processed on the basis of the data subject’s consent (art. 6 sec. 1 letter a GDPR), you have the right to withdraw this consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn.

 

9. If you obtain information on the unlawful processing of your personal data by the Controller, you have the right to lodge a complaint with the President of the Personal Data Protection Office.

 

10. If the processing of personal data takes place on the basis of the data subject’s consent, your provision of personal data to the Controller is voluntary. If a contract is being executed, the provision of personal data is voluntary but necessary to execute and perform the contract.

 

11. Your data may be stored in an automated manner. Your data will not be profiled, except if the data is obtained through the Controller’s websites and you grant consent for receiving commercial information, newsletters or approve the use of cookies. Profiling is performed on the basis of collected data, in particular data concerning services, transmission data, location data and information obtained through cookies. Profiling has an impact on the marketing information and offers that you may receive. Detailed information on automated decision-making, including profiling, is provided in the Privacy Policy.