Home / Privacy Notice

Personal Data Protection Policy
at DIGITRONIC AUTOGAS Julia Furmanek
as of May 24, 2018

Taking into account the obligations arising from art. 25 and art. 32 of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1), to ensure that personal data at DIGITRONIC AUTOGAS Julia Furmanek, ul. Elewatorska 9, 15-620 Białystok, NIP: 9661799625 (hereinafter: Digitronic) are processed and secured in accordance with the provisions of law by implementing appropriate technical and organizational measures designed to effectively implement data protection principles and to provide the necessary safeguards for processing; and Digitronic ensures, that by default, only personal data that are necessary to achieve each specific processing purpose are processed.

 

  1. Initial provisions
    • The controller of Personal Data is DIGITRONIC AUTOGAS Julia Furmanek, ul. Elewatorska 9, 15-620 Białystok, NIP: 9661799625. The policy defines the principles of processing and protecting Personal Data in Digitronic, in order to ensure the compliance of Processing with the requirements of the GDPR and the provisions of the mandatory Polish law regarding the processing of personal data. The policy is a collection and the basis for the requirements, procedures and principles of personal data protection implemented in Digitronic. The policy includes:
      • a description of the Digitronic data protection rules;
      • a set of procedures, instructions and detailed regulations concerning the processing of Personal Data in Digitronic regarding specific areas of personal data protection; constituting attachments to the Policy.
    • The policy applies to all employees and associates of Digitronic. The entities and persons responsible for the compliance with and maintaining the provisions of the Policy are:
      • Digitronic;
      • Digitronic organizational units which process Personal Data;
      • Employees and associates.
    • For effective implementation of the Policy, taking into account the scope, context and purposes of processing as well as the risk of violating the rights or freedoms of persons with different probabilities and the importance of the risk, Digitronic provides:
      • implementation of appropriate technical and organizational measures to ensure compliance of the processing of Personal Data with the requirements of law and the necessary protection of personal data being processed;
      • continuous monitoring of the compliance of the processing of Personal Data consistent with the legal requirements and continuous reviews and updates of the measures referred to in paragraph 1.3 (i) above
      • control and supervision over the processing of Personal Data.
    • The supervision of compliance with the policy is ensured by Julia Furmanek, the owner of the company. The supervision referred to in the preceding sentence seeks, in particular, but not exclusively to ensure that the activities related to the processing of Personal Data in Digitronic comply with the requirements of law and the provisions of the Policy.
    • Digitronic ensures compliance of the business entities cooperating with Digitronic, including, in particular, the Processors with the provisions of the Policy in an appropriate scope in all situations where personal data are transferred to these entities for processing, including storage.
    • The policy is stored and made available in paper and electronic version at the Digitronic office.
    • The policy is made available to:
      • compulsory to all individuals authorized to process personal data at Digitronic in order to provide authorized persons with reasonable knowledge and information about the principles and requirements for processing Personal Data in Digitronic;
      • to interested persons, in particular to data subjects – at their request.
  2. Definitions
    • The following definitions or phrases used in this Policy shall have the following meaning:
      • Policy – means this Policy;
      • Personal data – mean information about an identified or identifiable physical person, such as name, identification number, location data, internet identifier, or one, or more specific factors determining physical, physiological, genetic, psychological, economic, cultural or the social identity of a natural person; referred to in art. 4 point 1 GDPR;
      • GDPR – means Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1);
      • Authorized Person – means a person authorized by Digitronic to process Personal Data in a given scope;
      • Processing – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, ordering, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, dissemination or other type of sharing, matching or merging, limiting, erasing or destroying, as referred to in art. 4 point 2 GDPR;
      • Data set – means any structured Personal Data set, available according to specific criteria;
      • Processor – means any natural or legal person, public authority, entity or other entity that processes personal data on behalf of Digitronic;
      • Registry – means Digitronic Personal Data Processing Registry;
      • Authentication – means an activity whose purpose is to verify the User’s declared identity;
      • Digitronic – means DIGITRONIC AUTOGAS Julia Furmanek, ul. Elewatorska 9, 15-620 Białystok, NIP: 9661799625, email address: julia.furmanek@digitronicgas.com, telephone number: +48 790 360 718;
      • Employees – means both persons employed in Digitronic on the basis of an employment relationship, as well as natural persons cooperating with Digitronic under a Civil Law Agreement;
      • Customers – means natural persons acting on their own behalf, as well as natural persons acting on behalf of and for the benefit of entities, regardless of their organizational and legal form, cooperating with Digitronic, in particular suppliers, distributors, service providers, recipients of services;
      • System – means the Personal Data Protection System at Digitronic, referred to in § 5 of the Policy;
      • Sensitive Data – means Personal Data referred to in art. 9 THE GDPR.
  3. Personal data
    • Digitronic processes Personal Data for the purpose of:
      • enabling customers to submit a request for quotation and become acquainted with the Digitronic offer as well as to perform the contract, including delivery, (Article 6 paragraph 1 letter b) of the GDPR),
      • compliance with Digitronic obligations arising from law, including the Accounting Act and the Tax Ordinance (Article 6 (1) (c) of the GDPR),
      • the pursuit of the legitimate interests of Digitronic, including the pursuit of claims and defense against claims (Article 6 (1) letter f of the GDPR),
      • the promotion of Digitronic products and services (Article 6 (1) (a) and (f) of the GDPR).
    • Digitronic processes Personal Data collected in data sets.
    • Updating or expanding the Data Sets list follows the previous analysis of the consequences and risks of personal data processing for the rights and freedoms of natural persons included in the set.
    • Digitronic does not undertake any Processing activities that could involve a significant risk of violating the rights and freedoms of the data subjects. In the case of planning the activities referred to in the preceding sentence, Digitronic obligatorily carries out a prior assessment of the effects of the processing referred to in Art. 35 GDPR.
    • By default, personal data are processed in ​​the Digitronic premises located in Białystok at ul. Elewatorska 9. Additional areas in which Personal Data are processed are all portable computers and other data carriers located outside the area indicated in the preceding sentence.
  4. Foundations of Data Protection in Digitronic
    • Digitronic ensures the application of technical and organizational measures necessary to ensure confidentiality, integrity, accountability and continuity of the processed data.
    • Authorized persons and all other persons, to whom personal data are provided at Digitronic are obliged to process it in accordance with the legal requirements and in accordance with the provisions of the Policy, as well as other internal Digitronic laws or internal procedures related to the processing of personal data.
    • When hiring employees and during employment, Digitronic ensures that:
      • Employees, before commencing their official duties, receive adequate knowledge of the Principles of Processing and Protection of Personal Data at Digitronic;
      • each employee is authorized in writing to Process Personal Data to the necessary extent;
      • each employee is obliged to maintain the confidentiality and integrity of Personal Data, with Employees being obliged in particular, but not exclusively to:
        • strict compliance with the scope of the authorization;
        • compliance with legal requirements and the provisions of the Policy regarding processing;
        • keeping Personal Data secret;
        • maintain the confidentiality and integrity of Personal Data;
        • notify Digitronic immediately if any incident related to a Personal Data breach takes place.
    • Digitronic ensures that Personal Data Processed at Digitronic are:
      • Processed in accordance with law, fairly and transparently for the data subject;
      • collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with those purposes;
      • adequate, relevant and limited to what is necessary for the purposes for which they are processed;
      • correct and updated where necessary; all reasonable steps must be taken to ensure that personal data, which are incorrect in view of the purposes for which they are processed are immediately removed or corrected (‘regularity’);
      • kept in a form, which permits identification of the data subject for no longer than is necessary for the purposes, for which the data are processed;
      • processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures.
    • While ensuring the processing of personal data in accordance with the principles set out in paragraph 4.1 above Digitronic bases the Processing on the following grounds:
      • Legality – Digitronic cares for the protection of privacy and processes Personal Data as required by law;
      • Security – Digitronic provides an adequate level of Personal Data security by constantly taking action in this area;
      • Rights of Data Subjects – Digitronic enables persons, whose Personal Data are processed, to exercise their rights and implement these rights;
      • Accountability – Digitronic provides a proper documentation of how to comply with data protection obligations.
  5. Personal data protection system
    • Digitronic ensures compliance of Personal Data Processing with legal requirements also by designing, implementing and maintaining the System. The System consists of organizational measures and technical protection measures, adequate to the level of risk identified for individual Data Sets and data categories. The system consists, in particular, of the following measures:
      • restricting access to the premises in which Personal Data are processed, only to Authorized Persons and ensuring that other persons remain in rooms used for processing Personal Data only in the presence of an Authorized Person;
      • closing the rooms constituing the area referred to in paragraph 3.4 of the Policies in case of the employees’ absence, in a way that prevents access to those rooms by the third parties;
      • ensuring the security of the area referred to in paragraph 3.4 of the Policies against random factors such as fire or flood;
      • using lockers, drawers or other technical resources to prevent unauthorized persons from accessing the Personal Data stored in them;
      • implementing the Clean Desk Policy;
      • implementation of the Procedure for opening and closing buildings and office spaces;
      • ensuring effective removal or destruction of documents containing Personal Information in a manner that prevents their subsequent reproduction;
      • ensuring hardware and IT security, including:
        • protection of the local network against external unauthorised initiatives,
        • ensuring that the software used is up to date,
        • securing the hardware used in Digitronic against malware,
        • ensuring the permanent and repeated back-up of data stored on computers, the server and the Digitronic network,
        • restricting access to hardware, server and local area network by applying Authentication rules;
        • conducting a risk analysis for data processing activities or categories of data;
        • implementation of the verification and selection standards of Processors, as well as the conditions for entrusting Data Processing to individual Processors;
        • monitoring changes in the processing of personal data in the Digitronic and on an ongoing basis managing changes affecting the protection of Personal Data at Digitronic.
  6. Register
    • The register includes categories of processing of Personal Data in the Office. Through the Digitronic Registry, it documents the processing of Personal Data and inventory and monitors the manner, in which it uses Personal Data.
    • Through the Registry, in particular by indicating in the Register general protection measures for Personal Data covered by a separate processing activity, Digitronic also strives to demonstrate compliance of the Personal Data Processing with the legal requirements.
    • In the Register, separately for each category of processing of Personal Data identified, recorded are at least:
      • the name of the activity;
      • the purpose of the processing;
      • a description of the categories of data subjects as a part of a given activity;
      • a description of the categories of Personal Data processed in the course of the activity;
      • the legal basis for the processing, specifying the category of the legitimate interest of Digitronic, if the basis of the processing is a legitimate interest;
      • description of the categories of recipients of the data, including the Processors,
      • information about the possible transfer of Personal Data outside of the European Union or the European Economic Area;
      • a general description of the technical and organizational measures to protect Personal Data applicable to the activity.
    • In the event of an upgrade or extension of the category of processing personal data, Digitronic shall immediately update the Register in order to ensure that the Registry complies with the actual state and scope of the processing of Personal Data in Digitronic.
    • The provisions of paragraph. 6.3 above do not exclude the possibility of including additional information in the Register, increasing the accuracy or legibility of the Register or facilitating the management of the compliance of personal data protection with the legal requirements, and the implementation of the accountability principle.
    • Digitronic documents in the Register the legal grounds for data processing for particular processing activities by indicating the general legal basis for processing, such as: consent, contract, legal obligation imposed on Digitronic, legitimate purpose of Digitronic.
  7. Responsibilities towards data subject
    • Digitronic implements consent management methods that enable registration and verification of the consent of the person to process specific data for a specific purpose, consent to remote communication (email, telephone, text messages) and registration of refusal of consent, withdrawal of consent and similar activities such as raising an objection or restriction of processing.
    • Digitronic takes care of the legibility and style of information transmitted and communication with data subjects.
    • Digitronic publishes the following information on the Digitronic website which is available for inspection at Digitronic:
      • policy;
      • Information on the rights of data subjects;
      • Information on the scope of personal data processed for specific purposes;
      • Methods of contacting Digitronic regarding personal data;
    • In order to exercise the rights of data subjects, Digitronic provides procedures and mechanisms to identify the data of specific persons processed by Digitronic, integrate this data, make changes to them and delete in an integrated manner.
    • Digitronic documents the handling of information obligations, notifications and requests of persons, informing the data subject:
      • on the processing of its data, in the collection of data from that person.
      • about the processing of its data, when collecting data about that person indirectly from it;
      • about the planned change of the purpose of data processing.
      • before revoking the processing restriction.
      • rectification, deletion or limitation of data processing (unless this requires a disproportionate effort or is impossible).
      • about the right to object to data processing at the latest at the first contact with that person.
    • Digitronic informs the person about the personal data breach without undue delay, if it can cause a high risk of violating the rights or freedoms of that person.
    • At the request of persons regarding access to their data, Digitronic informs the person whether he processes its data and informs the person about the details of processing, in accordance with art. 15 GDPR, and also gives the person access to data concerning him. Access to the data can be done by issuing a copy of the data.
    • Digitronic issues to the person whose Personal Data relates to a copy of its data and notes the fact of the first copy of the data.
    • Digitronic corrects incorrect data at the request of the data subject. Digitronic has the right to refuse to rectify the data, unless the person in a reasonable manner shows the irregularities of the data which he or she demands. If the data is corrected, the Digitronic informs the person about the recipients of the data at the request of that person.
    • Digitronic supplements and updates data at the request of the data subject. Digitronic has the right to refuse to supplement the data if the supplement would be incompatible with the purposes of data processing. Digitronic may rely on a statement of the person for the data being filled in, unless this is insufficient in the light of the procedures adopted by Digitronic, the law or the grounds for considering the statement to be unreliable.
    • Pursuant to paragraph 7.12 below, at the request of a data subject, Digitronic deletes data when:
      • the data is not necessary for the purposes for which it was collected or processed for other purposes,
      • the consent for their processing has been withdrawn and there is no other legal ground for processing,
      • the person has lodged an effective objection against the processing of such data,
      • the data was processed unlawfully,
      • the necessity of removal results from a legal obligation,
      • the request concerns the child’s data collected on the basis of consent to provide information society services directly offered to the child.
    • Digitronic takes into account the removal of personal data to ensure effective implementation of this law, while respecting all data protection principles, including security, and verifying that there are no exceptions referred to in Article 17. sec. 3 GDPR.
    • If the data to be deleted has been made public by Digitronic, Digitronic takes reasonable steps, including technical measures, to inform other controllers processing this personal data about the need to delete and access data. In the event of deletion of data, Digitronic informs the person about the recipients of the data at the request of that person.
    • Digitronic limits data processing at the request of a person when:
      • the person questions the correctness of the data – for a period that allows checking their correctness,
      • the processing is unlawful and the data subject opposes the removal of personal data, requesting instead to limit their use,
      • Digitronic no longer needs personal data, but it is necessary for the data subject to establish, assert or defend claims,
      • the person has objected to the processing for reasons related to its specific situation – until it is established that there are legitimate grounds on the Digitronic side that override the grounds of objection.
    • During processing restrictions, Digitronic stores data but does not process them (it does not use them, does not transmit them), without the consent of the data subject, unless to establish, investigate or defend claims, or to protect the rights of another natural or legal person, or because of important public interest considerations. Digitronic informs the person before revoking the processing limit. In the event of limitation of data processing Digitronic informs the person about the recipients of data, at the request of that person.
    • At the request of the person, the Digitronic publishes in a structured, commonly used machine-readable format or transfers to another entity, if possible, data about the person provided by the Digitronic, processed on the basis of that person’s consent or to conclude or perform a contract with contained in it, in Digitronic information systems.
    • If a person objects to a special situation motivated by it, the opposition to the processing of his data referred to in art. 21 of the GDP and data are processed by Digitronic on the basis of Digitronic’s legitimate interest or the Digitronic task entrusted to the public interest, Digitronic undertakes to take into account objections, unless Digitronic has important legitimate grounds for processing that override interests, rights and the freedom of the opponent or grounds for establishing, investigating or defending claims.
    • If the person objects to the processing of his data by the Digitronic for direct marketing purposes, Digitronic will take into account the opposition and stop such processing.
  8. Data minimization
    • Digitronic implements procedures to implement the principle of minimizing processed Personal Data in terms of:
      • the adequacy of Personal Data for purposes of Processing, including the limitation of the amount of Personal Data processed and the scope of processing to the purpose of Processing;
      • restricting access to Personal Data only to Authorized Persons for whom the use of Personal Data in a specific scope is necessary for the proper performance of duties;
      • limitation of storage time of Personal Data to the period for which storage of Personal Data is necessary due to the fulfillment of the purpose of the Processing or obligations imposed on Digitronic.
    • Digitronic performs a periodic review of the amount of data processed and the scope of their processing at least once a year.
    • Digitronic applies restrictions on access to Personal Data by implementing:
      • Employees’ commitment to confidentiality, including Personal Data;
      • verification of the circle of internal recipients of Personal Data by granting individual Employees specific authorizations regarding the Processing of Personal Data;
      • implementing logical technical measures to protect Personal Data by limiting access to systems, software and network resources used in the Processing of Personal Data;
      • implementing physical technical measures to protect Personal Data referred to in paragraph 5.1 (iv) Policies.
    • Digitronic updates the access permissions for changes in the composition of personnel and changes in the roles of persons, as well as changes of processors. Digitronic performs periodic review of established system users and updates them at least once a year.
    • Detailed rules for controlling physical and logical access are contained in the Digitronic physical security and information security procedures.
    • Digitronic processes personal data taking into account the criteria indicated in the Register. Digitronic implements the personal data life cycle control mechanisms at Digitronic, including verification of the further suitability of the data against the dates and checkpoints indicated in the Register.
    • Data whose scope of use is limited as time goes by are removed from Digitronic systems as well as from handheld and main files. Such data can be archived and located on backups of systems and information processed by Digitronic. Procedures for archiving and using archives, creating and using backup copies take into account the requirements of controlling the life cycle of data, including the requirements for data deletion.
  9. Security of personal data
    • Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of individuals with different probability of occurrence and risk of death Digitronic implements technical and organizational measures ensuring adequate protection of personal data, corresponding to the risk of violation of rights and freedoms individuals due to the processing of personal data by Digitronic.
    • Digitronic carries out and documents the adequacy analysis of personal data security measures. For this purpose:
      • Digitronic categorizes the data and processing activities for the risks they represent;
      • Digitronic conducts analyzes of the risk of violation of the rights or freedoms of individuals for data processing activities or categories of data. Digitronic analyzes possible situations and scenarios of personal data breach taking into account the nature, scope, context and purposes of processing, the risk of violation of the rights or freedoms of individuals with varying likelihood of occurrence and the severity of the threat;
    • Digitronic implements measures to ensure business continuity and prevent the effects of disasters, i.e. the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident.
  10. Breach of personal data protection
    • The breach or attempted violation of the terms of processing and protection of Personal Data shall be considered in particular, but not exclusively:
      • Infringement of the security of information systems in which Personal Data is processed;
      • disclosing Personal Data to unauthorized persons;
      • processing of Personal Data not in accordance with the assumed scope and purpose of their Processing;
      • unauthorized or accidental damage, loss, destruction or change of Personal Data.
    • In the event of a breach of personal data protection, Digitronic assesses whether the breach could have the potential to infringe the rights or freedoms of individuals and estimates the scale of risk.
    • In the event of a breach of Personal Data protection, Digitronic shall, without undue delay – if possible, no later than 72 hours after the violation is discovered – report it to the appropriate supervisory authority, unless it is unlikely that the violation would result in the risk of violating the rights or freedoms of natural persons.
    • If the risk of violating the rights and freedoms of the person whose personal data is high, Digitronic also notifies the incident of the person to whom the data relates, unless:
      • Digitronic will implement appropriate technical and organizational security measures and these measures have been applied to the personal data affected by the breach, preventing unauthorized persons from accessing such personal data;
      • Digitronic will then apply measures to eliminate the likelihood of a high risk of violation of the rights or freedoms of the data subject; or
      • it would require a disproportionately large effort. In this case, a public message is issued or a similar measure is put in place by which the data subjects are informed in an equally effective manner.
    • Notwithstanding the obligations set out in paragraph 10.2-10.4 above, Digitronic documents any breaches of the protection of personal data, including the circumstances of personal data breach, its consequences and the remedial actions taken.
  11. Entrusting processing
    • Digitronic may entrust the Processing of Personal Data to a Processing Entity only by way of an agreement concluded in writing, in accordance with the requirements specified in art. 28 para. 3 GDPR.
    • Digitronic uses only the services of such Processors that provide sufficient assurances that appropriate technical and organizational measures are implemented to ensure that the processing complies with the requirements of this regulation and protects the rights of the data subjects. In order to verify the fulfillment of the obligation referred to in the preceding sentence, Digitronic prior to entrusting the processing to a potential Processing Entity, if possible, obtains information about the principles of Personal Data Protection applied by a potential Processing Entity, and about the practices of that entity regarding the protection of Personal Data.
  12. Transmission of data to a third country
    • Digitronic does not transfer Personal Data to a third country located outside the territory of the European Union or the European Economic Area, except where it occurs at the request of the person to whom the Personal Data relates.
    • To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services, Digitronic periodically verifies user behavior and, where possible, provides equivalent solutions to data protection law.
  13. Cookies and web analytics
    • Digitronic uses cookies on its website (https://www.digitronicgas.com/). Cookies are small text files that are automatically saved on the User’s end device. Some cookies used by us are deleted after the end of the web browser session, i.e. after its closing (so-called session cookies). Other cookies are stored on the end device and enable Digitronic to recognize the User’s browser the next time they access the site (permanent cookies). The storage time is given in the User’s Internet browser settings. The browser can be configured in this way to receive information about the use of cookies and be able to decide on their acceptance or rejection in specific cases or completely. Browsers manage cookie settings in various ways. The auxiliary browser menu contains explanations of changing cookie settings. They are available at the following links:

      Internet Explorer ™: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
      Safari ™: http://safari.helpmax.net/en/protection-and-sprivacy/usuwanie-plikow-cookie/
      Chrome ™: https://support.google.com/chrome/answer/95647?hl=en&hlrm=en
      Firefox ™: https://support.mozilla.org/pl/kb/usuwanie-ciasteczek
      Opera ™: http://help.opera.com/Windows/12.10/en/cookies.html

    • The processing of personal data in this way is dictated by the need to:
      • the provision of services;
      • adapting the content of websites and applications to the User’s preferences and optimizing the use of websites; e.g. cookies allow you to in particular, recognize the User’s device and properly display the website adapted to his individual needs;
      • advertising presentation, including in a way that takes into account the interests of the User or his place of residence (individualising the advertising message) and with the guarantee of excluding the possibility of repeatedly presenting the same advertisement to the User;
      • the implementation of surveys – in particular to avoid multiple presentations of the same questionnaire to the same Recipient and to present surveys in a manner that takes into account the interests of recipients;
    • The user voluntarily agrees to the use of cookies. If you do not agree to the use of cookies, the functionality of the Digitronic website may be limited.
  14. Final provisions
    • The policy comes into force on the day of announcement.
    • In matters not covered in the Policy, the provisions of the GDPR and generally binding provisions of Polish and European law apply accordingly.
    • Any changes or supplements to the Policy require a written form to be effective, otherwise they are null and void. Changes or supplements to the Policy shall enter into force not earlier than within 7 days from the date of their publication.
Are you interested in DIGITRONIC AUTOGAS products?
or call us