GDPR package at KRONMAT Sp. z o.o.

General information

We value your privacy, and we conduct our daily operations in full compliance with personal data protection regulations. This document explains why we collect personal data, the scope of the data we process, the legal basis for doing so, how long we store it and who may receive it. You will also learn about the rights you have in relation to the processing of your personal data.

This document has been prepared in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”).

Its purpose is to bring clarity to the way personal data is managed and, above all, to ensure the protection and safeguarding of your personal data.

How can you contact us?

For all matters – including those related to personal data – you can contact us via our website, email, telephone and traditional mail.

Our contact details are as follows:

KRONMAT Sp. z o.o.

Węgierska 146c,

33-300 Nowy Sącz,

E-mail: biuro@kronmat.com

Telephone: +48 18 414 01 50

Website: www.kronmat.com

GDPR principles

When working with your personal data, we are guided by the following principles:

  • Lawfulness, fairness and transparency. We process personal data in accordance with legal regulations. We clearly and transparently inform you which of your data we collect, process and store.
  • Data minimisation. We process only the data that is genuinely necessary to achieve a specific purpose.
  • Accuracy. We ensure that your data is up to date. From time to time, we take actions to verify and correct it when needed.
  • Purpose limitation and storage limitation. We collect your data only when we have a legitimate purpose and when the purpose cannot be achieved in another way. We store your data only for as long as it is needed to identify you during the fulfilment of that purpose, in accordance with applicable laws.
  • Integrity and confidentiality. We take all necessary measures to secure your personal data and protect it against unauthorised access.
  • Accountability. We are able to demonstrate that we process your personal data in compliance with the law, including the principles of privacy by design and privacy by default.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) whom you can contact with any questions or requests regarding personal data. You can do so in the following ways:

  • by post, at the following address:

Data Protection Officer – Kinga Nowobilska

ul. Węgierska 144a 33-300 Nowy Sącz

How do we process personal data?

Providing your personal data to us is entirely voluntary. However, certain data is necessary to conclude and perform a contract related to any transaction. If you do not provide this data, we will unfortunately be unable to enter into a contract with you, and as a result, we will not be able to begin cooperation. If legal regulations – for example, tax requirements – oblige us to collect essential data, providing such information will also be necessary in order to establish or maintain cooperation with us.

What data do we process, and on what basis do we process it?

| When do we process personal data? | What data do we process? | Purpose of processing | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| Analytical and statistical activities on websites | IP address, cookie-derived data, information about activity on the website | We monitor activity in the online store to understand customer purchasing preferences. The data is collected, among other means, through cookies – their processing requires the customer’s consent. | Art. 6(1)(a) and (f) GDPR | Until consent is withdrawn or an effective objection is submitted. |
| Activities related to concluding and performing a contract / Product-related claims | First name, last name, residential address, email address, telephone number | Personal data is processed for the purpose of concluding and performing a contract, providing customer service and warranty support, as well as for the establishment, exercise or defence of legal claims. | Art. 6(1)(b), Art. 6(1)(c) – e.g. the Civil Code, Art. 6(1)(f) GDPR | Until the completion of the service, provision, support, complaint handling or warranty process. In the case of establishing, exercising or defending legal claims – until the last day of the calendar year following a period of three years from the completion of the service. |
| Business activities | First name, last name, residential address, email address, telephone number | We process personal data of individuals, customers, suppliers and other stakeholders in order to carry out business activities. | Art. 6(1)(b), Art. 6(1)(c) – e.g. the Anti-Money Laundering Act, Art. 6(1)(f) | Until the termination of cooperation. |
| Newsletter | Email address | Personal data is used to send a newsletter containing information about price changes, company news and promotions. | Art. 6(1)(a) GDPR | Until consent is withdrawn. |
| Whistleblower protection | First name, last name, email address, nature of the relationship with the company and any other categories of data that may be included in the report to describe the irregularity correctly. | Personal data is processed as part of the whistleblower protection procedure exclusively by authorised persons and solely for the purpose of handling reports of violations of law or internal regulations. | Art. 6(1)(c) – e.g. the Whistleblower Protection Act, Art. 6(1)(f) | Until the expiry of claims arising from applicable legal provisions, including the Civil Code, or until the expiry of the limitation period for criminal offences under the Criminal Code. |
| Responding to enquiries | Contact, communication, technical and location data processed for the purpose of providing services, performing analysis and integrating with external platforms. | We collect and process personal data in order to handle customer contact (via email, telephone) and fulfil orders. | Art. 6(1)(b) and (f) GDPR | Until the completion of the service or until we provide an answer / fulfil the subject of the enquiry or request. |
| Training activities | First name, last name, telephone number, email address, company/institution name, company registered address, image (likeness). | Educational activities related to our product offering. | Art. 6(1)(a), (b) and (f) GDPR | 5 years or for the duration of cooperation including the applicable claims period. |
| Recruitment | First name and last name, date of birth, contact details, education, professional qualifications, employment history. | We require personal data to conduct the recruitment process and, if applicable, to conclude an employment contract, a B2B contract, or to accept a candidate for an internship or traineeship. If you provide consent, your personal data may also be processed for the purposes of future recruitment processes. | Art. 6(1)(a), (b) and (f) GDPR, the Labour Code | Until the expiry of employee-related claims or until consent is withdrawn (if you have provided consent for future recruitment). |
| Use of artificial intelligence | First name and last name, email address, photos or video recordings, information from platform accounts, answers provided during the recruitment process. | Personal data may be processed using AI technologies to streamline processes and improve services, including cooperation with external technology providers. | Art. 6(1)(f) GDPR | Personal data is stored and processed for the period necessary to fulfil the stated purposes, unless the user submits an effective written objection. |

When may we process your data?

We may process your data when:

  1. You have given consent for marketing of products or services.
  2. We engage in joint activities aimed at establishing or carrying out our cooperation, for example:
    • responding to enquiries,
    • preparing quotations,
    • handling service requests,
    • processing complaints,
    • delivering training activities.
  3. We fulfil a legal obligation in this way: on this basis, we process personal data in order to comply with the duties imposed on us by applicable laws, such as the Payment Services Act, the Tax Ordinance, the Accounting Act, the Copyright and Related Rights Act, and the Act on the Provision of Services by Electronic Means.
  4. Processing may also be required based on our (as the controller’s) legitimate interest, for example:
    • conducting direct marketing of our products or services – their descriptions are available on our website,
    • analysing data to improve products and services,
    • monitoring logs and IP addresses and detecting attempts at unauthorised access to systems,
    • preparing statistics and reports,
    • archiving data,
    • pursuing claims.

We obtain data, for example:

  • directly from customers,
  • from customer representatives, such as payment recipients,
  • from other controllers, such as the Credit Information Bureau,
  • from publicly available databases, such as the National Court Register or the Central Registration and Information on Business.

What rights do you have?

You have the following rights related to the processing of your personal data:

  1. The right to access your personal data – you have the right to know which of your personal data is being processed, for what purpose, by whom, and you may request a copy of this data.
  2. The right to rectification of your personal data – this means you may request that incorrect information be corrected or that incomplete data be supplemented.
  3. The right to delete your personal data – this means you may request that we delete your personal data in specific situations.
  4. The right to restrict the processing of your personal data – this means you can request a temporary limitation on the use of your data by us when certain circumstances apply.
  5. The right to transfer your personal data – this means you may receive a copy of your personal data from us or request that we transfer it to another entity.
  6. The right to lodge a complaint with a data protection supervisory authority, i.e. the President of the Personal Data Protection Office (address: ul. Moniuszki 1A, 00-014 Warszawa). If you believe that your personal data is being processed unlawfully, you may file a complaint.
  7. The right to withdraw consent – this means you may withdraw your consent at any time, without providing a reason.
  8. The right to object – this means that at any time you may request that we stop processing your personal data if we do so on the basis of legitimate interest or for marketing purposes.

We act on requests to exercise these rights after successfully verifying the identity of the person submitting the request. A request may be submitted by telephone, email or in person at our registered office, as well as by post. You can also send your request directly to our Data Protection Officer. We will provide a written response without undue delay.

Who may we share your data with?

The personal data we collect may be shared with other companies within the FAKRO Group and with companies cooperating with us – our business partners – so that we can assist you in resolving your issue, preparing an offer or organising the provision of a service.

In accordance with the law, we may also share your data with other entities in order to fulfil statutory obligations or to conclude and perform a contract.

We may share your data in particular with:

  1. Our employees and collaborators who must have access to the data in order to fulfil our obligations.
  2. Other companies within the FAKRO Group with whom we have concluded a joint controllership agreement or data processing agreements, ensuring an appropriate level of protection when personal data is processed by those companies.
  3. Entities processing data on our behalf, participating in the performance of our activities, including:
    • our agents, advertising agencies and other entities involved in the sale of our services,
    • entities that operate our ICT systems or provide ICT tools to us,
    • subcontractors supporting us in performing the contract between you and us, e.g., in handling correspondence or customer service,
    • entities providing advisory, consulting, audit, legal, tax or accounting services.
  4. Other data controllers processing data in their own name, such as:
    • our agents, advertising agencies and entities cooperating in customer service – for the purpose of settling remuneration due to them,
    • postal or courier service providers,
    • entities purchasing receivables – in the event of non-payment of invoices issued by us,
    • payment service providers (banks, payment institutions) – for the purpose of processing refunds for you or enabling the operation of Direct Debit service,
    • entities cooperating with us in accounting, tax or legal matters – to the extent that they become data controllers,
    • public authorities, such as courts, prosecutors, tax authorities.

Do we transfer your data to third countries?

We do not currently transfer data outside the European Economic Area.

Procedures for handling personal data breaches

A personal data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or made available to unauthorised persons. In the event a personal data breach is identified, we take the following steps:

  1. The data subject:
    • We inform the data subject if the breach may result in a high risk to their rights or freedoms.
    • We provide this information without undue delay. If direct contact is significantly difficult, we publish a public communication.
  2. Supervisory authority (President of the Personal Data Protection Office):
    • We report the breach to the supervisory authority if it is likely to result in a risk to the rights or freedoms of natural persons (a risk higher than low).
    • The notification is submitted without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

Changes to the privacy policy of KRONMAT Sp. z o.o.

Due to ongoing changes in the functioning of our company and regularly evolving legal regulations, we may introduce periodic updates to this document. The latest version of the Data Protection Policy will always be available on our website.

Date of GDPR implementation: 25.05.2018

Date of last update to this document: 23.03.2026