GDPR at ATAL S.A.

General obligation to provide information

As a Personal Data Controller, in accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council of the European Union of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), ATAL S.A. is obliged to provide some information regarding the processing of your personal data. As part of its business processes, ATAL S.A. processes various categories of personal data. We never collect too much information, limiting ourselves to the information we really need. It is also our responsibility to ensure that your data is used only for the purpose for which it was provided. We exercise special care to ensure that only authorized persons have access to the data. We also use the latest technological and IT solutions to ensure the security of your personal data. Thanks to these measures, you can be sure that your personal data stored by us is safe and confidential. Data protection is a priority task for all ATAL S.A. employees.

GENERAL INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA AT ATAL S.A.

In accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council of the European Union of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “GDPR”), we are obliged to provide the following information regarding the processing of your personal data:

INFORMATION REGARDING THE PROCESSING OF YOUR PERSONAL DATA AT ATAL S.A.

Personal Data Controller

The Controller of personal data (hereinafter: “Controller”) is ATAL S.A. with its registered office in Cieszyn, address: 43-400 Cieszyn, ul. Stawowa 27, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court in Bielsko-Biała, VIII Commercial Division of the National Court Register (KRS) number: 0000262397, NIP (Tax Identification Number): 548-248-72-78, REGON (National Business Registry Number): 240415672, share capital: PLN 216,073,050.00, paid in full.

Contact information

In all matters relating to our processing of personal data and to exercising your rights related to the processing of your personal data, you can contact our Data Protection Officer, Piotr Witkowski, at the following e-mail address: [email protected] or in writing at: ATAL S.A., Cieszyn (43-400), ul. Stawowa 27, with the note “Personal data”.

Processing purposes and legal basis for processing

We process your personal data in various situations. Below you will find information on the purposes and legal bases for processing your personal data.

  • Purpose of processing
    For marketing purposes, including analytics and profiling of third parties, including the Controller’s trusted partners.
    Legal basis for processing
    Art. 6(1)(a) GDPR, i.e., on the basis of consent granted to personal data processing.
  • Purpose of processing
    To take the necessary actions before entering into a contract, to conclude and perform the contract and to provide services in accordance with the contract.
    Legal basis for processing
    Art. 6(1)(b) GDPR, i.e., the processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to entering into a contract.
  • Purpose of processing
    To fulfill the Controller’s legal obligations under applicable laws.
    Legal basis for processing
    Art. 6(1)(c) GDPR – that is, the processing is necessary for the fulfillment of the Controller’s legal obligation under the law.
  • Purpose of processing
    To pursue the Controller’s legitimate interest.
    Legal basis for processing
    Art. 6(1)(f) GDPR – processing is necessary for the purpose of pursuing the Controller’s legitimate interests.

Period for which data will be stored

Your personal data will be stored for a period depending on the legal basis that authorizes the Controller to process your personal data.

  • Legal basis for processing
    Art. 6(1)(a) GDPR, i.e., on the basis of consent granted to personal data processing
    Storage period
    Until you withdraw your consent to the processing of your Personal Data.
  • Legal basis for processing
    Art. 6(1)(b) GDPR, i.e., the processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to entering into a contract.
    Storage period
    For the entire term of the contract and then for the period of time required by law, e.g., tax laws or statute of limitations regulations.
  • Legal basis for processing
    Art. 6(1)(c) GDPR – that is, the processing is necessary for the fulfillment of the Controller’s legal obligation under the law.
    Storage period
    For the period of time required by law, e.g., tax laws or statute of limitations regulations.
  • Legal basis for processing
    Art. 6(1)(f) GDPR – processing is necessary for the purpose of pursuing the Controller’s legitimate interests.
    Storage period
    For the period of the existence of a legitimate interest of the Controller or until a raised objection to such processing has been considered.

Data recipients

Your personal data may be shared with third parties only for the purposes mentioned above. We share your personal data to the extent necessary to achieve the purpose for which we process your personal data (data minimization).
Data may be shared with entities processing personal data at the request of the Controller, among others, entities from the capital group, suppliers of renovation and construction services, as well as entities providing services such as: accounting, legal services, courier delivery, IT services, design services, ICT, office services, services related to the repair of defects, security services, insurance, entities processing data for the purpose of debt enforcement, notaries, banks, building/real property managers and housing associations, marketing agencies – whereas such entities process data only in accordance with our instructions.
Moreover, data may be shared with other entities, including appropriate tax authorities and other authorized public administration and local government authorities, as well as judicial authorities and other authorized institutions (e.g., financial supervision, insurance companies in the scope of claims settlement) if the requirement to provide data results from the law.

Transfer of data outside the European Economic Area

Collected personal data will not be transferred to recipients located in countries outside the European Economic Area (European Union states and Iceland, Liechtenstein and Norway).

Rights of the data subject

Please be informed that depending on the legal basis for processing your personal data, you have the following rights:
a) right to request access to personal data,
b) right to request rectification of personal data,
c) right to request deletion of personal data,
d) right to request restricted processing of personal data,
e) right to object to the processing of personal data,
f) right to portability of personal data.
If the legal basis for the processing of your personal data is consent (Art. 6.1.a), you also have the right to withdraw your consent at any time without affecting the lawfulness of the processing performed on the basis of the consent before its withdrawal. You can withdraw your consent the same way it was given.
Moreover, you also have the right to lodge a complaint with the supervisory authority, i.e., the President of the Office for Personal Data Protection, sent to: ul. Stawki 2, 00-193 Warsaw, if you believe that the processing of your personal data violates the GDPR.

Obligation to provide data and possible consequences

The requirement to provide data and the consequences associated with not providing data may differ depending on the process for which the Controller needs to process your personal data.

  • Obligation to provide data
    Voluntary provision of personal data.
    Consequences
    Inability to provide some of the services offered by the Controller.
  • Obligation to provide data
    Statutory or contractual requirement to provide personal data.
    Consequences
    Inability to carry out certain actions stipulated by law or the concluded contract.
  • Obligation to provide data
    Provision of data as a condition for entering into a contract.
    Consequences
    Inability to conclude and properly perform a contract or to provide a service.

Profiling and automated decision-making

The Controller may use your personal data for profiling with respect to specific products or services it is marketing (in order to best match the products or services offered by the Controller to your needs). Profiling does not affect your legal situation, in particular, the Controller does not make decisions based solely on automated decision-making, including profiling, which could produce legal effects against you or affect you in a similar way.