• Cookie policy
Legal page

Personal data processing rules

Learn how your personal data is processed.

Personal Data Controller

The controller of personal data is Deli Group limited liability company with its registered office in Warsaw, Obrzeżna 5/XIP / 1 (02-691 Warsaw), entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw under KRS number: 0000651616, NIP: 521-375-91-83 REGON: 366073662. Contact with the Controller is possible at the email address delieurope.office@nbdeli.com

Purpose, legal basis and period of data processing

The Controller processes personal data for the following purposes:

  1. conclusion and performance of a contract – pursuant to Article 6(1)(b) GDPR, as well as for the purpose of contacting employees/associates of customers, contractors, collaborators – pursuant to Article 6(1)(f) GDPR, where the legitimate interest pursued by the Controller is to ensure the proper performance of the contract – for the duration of the contract, and after its termination until the expiry of claims related to the performance of the service or contract,
  2. handling complaints/claims and requests – pursuant to Article 6(1)(b) GDPR – for one year after the expiry of the warranty period or settlement of the complaint,
  3. archiving documents, including contracts and settlement documents – pursuant to Article 6(1)(c) GDPR – until the expiry of the tax obligation limitation period, unless tax laws provide otherwise,
  4. establishing and pursuing claims or defending against them, pursuant to Article 6(1)(f) GDPR where the legitimate interest is pursuing or defending against claims – for the duration of proceedings regarding the pursuit of claims, and in the case of enforcement proceedings until the final satisfaction of the pursued claims,
  5. handling requests made using the contact form, email or traditional mail – not related to services provided to the sender or other contract concluded with them and ensuring accountability – pursuant to Article 6(1)(f) GDPR, where the legitimate interest pursued by the Controller is to respond to submissions and inquiries, as well as pursuant to Article 6(1)(c) GDPR when the need to respond is the fulfillment of a legal obligation incumbent on the Controller – the Controller processes only personal data relevant to the matter to which the correspondence relates for a period of 3 years in order to maintain the principle of accountability,
  6. identification of the sender and handling their inquiry directed using the contact form, email or traditional mail – in terms of data that is not necessary to establish contact or handle the inquiry – pursuant to Article 6(1)(a) GDPR – until withdrawal of consent,
  7. own marketing – pursuant to Article 6(1)(f) GDPR where the legitimate interest pursued by the Controller is conducting marketing activities – when conducting activities without using electronic means of communication, and if consent has been given, also for the purposes of conducting marketing activities of own products and services using electronic means of communication, pursuant to Article 6(1)(f) GDPR and provisions of other laws requiring consent for such activities, until withdrawal of consent for such activities or objection, depending on which event occurs first,
  8. ensuring the security of property, safety of employees and associates, and information that could expose the Controller to damage – pursuant to Article 6(1)(f) GDPR where the legitimate interest pursued by the Controller is the implementation of the above-mentioned purpose – for a period of 3 months (unless there is an event requiring the collection of evidence). In the event that the image recording constitutes evidence in proceedings conducted under the law or the Controller has become aware that it may constitute evidence in proceedings, the storage period is extended until the final conclusion of the proceedings,
  9. conducting analyses and statistics – pursuant to Article 6(1)(f) GDPR where the legitimate interest of the Controller is the possibility of conducting analyses and statistics – for a period of 3 years.

Data categories (information applies to personal data obtained in a manner other than from the data subject)

The Controller processes the following categories of data: first name, last name, billing/correspondence address, email address, phone number, entrepreneur name, REGON, NIP, PESEL, ID card number, driver’s license number.

Source of data (information applies to personal data obtained in a manner other than from the data subject)

Recipients of personal data

Recipients of your data may be entities such as: companies supporting the Controller in marketing activities, PR, providers of hosting or ICT services, delivery providers, providers of legal, accounting and advisory services, as well as other entities if their participation is necessary to achieve the purposes of processing. There is also a possibility that we will transfer your personal data to state authorities – we will only do so when we have a legal obligation under Article 6(1)(c) GDPR. We do not assume that we will transfer data to third countries, i.e., those outside the EEA (European Economic Area). However, should this happen, it will take place in compliance with all requirements resulting from applicable law. In a situation where the transfer of your data to a third country would take place on a basis other than your consent or the necessity for the proper performance of the contract, or when one of the exceptions indicated in Article 49 GDPR does not occur, your data will be transferred in accordance with Article 45 or 46 GDPR. Article 45 GDPR concerns the decision of the European Commission, which may recognize that an adequate level of personal data protection is respected in a given third country. In this case, the transfer of personal data to this country does not require special permission. Article 46 GDPR indicates that the transfer of data to a third country may take place when appropriate safeguards are provided and provided that enforceable rights of data subjects and effective legal remedies are available in the legal system of the third country.

Rights of data subjects

You have the right to access personal data, rectify, delete or limit processing, as well as the right to object to processing, and the right to data portability. In the event that data is processed on the basis of your consent, you have the right to withdraw it at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal. In addition, you have the right to lodge a complaint with the supervisory authority. To exercise the above-mentioned rights, please contact the Controller.

Providing data is necessary to conclude a contract, settle conducted business activities, respond to directed requests, consider complaints and claims. In other respects, providing data is voluntary.

Your personal data will not be subject to automated decision-making or profiling.