• Rodo policy
Legal page

Rodo policy

Learn how your personal data is processed.

Principles of Personal Data Processing

Personal Data Administrator

The administrator of personal data is Deli Group spółka z ograniczoną odpowiedzialnością, headquartered in Warsaw, ul. Obrzeżna 5/XIP / 1 (02-691 Warsaw), registered in the National Court Register of Entrepreneurs maintained by the District Court for the capital city of Warsaw under KRS number: 0000651616, NIP: 521-375-91-83, REGON: 366073662.
You can contact the Administrator via email at delieurope.office@nbdeli.com.

Purpose, Legal Basis, and Processing Period

The Administrator processes personal data for the following purposes:

  1. Contract conclusion and execution – based on Article 6(1)(b) of GDPR, as well as for contacting employees/cooperators of clients, contractors, and collaborators based on Article 6(1)(f) of GDPR, where the legitimate interest of the Administrator is ensuring proper contract execution – for the duration of the contract and after its termination until the expiration of claims related to the performance of the service or contract.
  2. Handling complaints and requests – based on Article 6(1)(b) of GDPR – for one year after the expiry of the warranty period or the resolution of the complaint.
  3. Archiving documents, including contracts and financial documents – based on Article 6(1)(c) of GDPR – until the expiration of the tax obligation, unless tax laws provide otherwise.
  4. Establishing and pursuing claims or defending against them – based on Article 6(1)(f) of GDPR, where the legitimate interest is claim enforcement or defense – for the duration of legal proceedings, and in the case of enforcement proceedings, until the final satisfaction of the claims.
  5. Handling inquiries submitted via the contact form, email, or postal mail – not related to services provided to the sender or another contract with them, and ensuring accountability – based on Article 6(1)(f) of GDPR, where the legitimate interest of the Administrator is responding to inquiries, as well as based on Article 6(1)(c) of GDPR, when responding is a legal obligation – data will be processed for three years to ensure accountability.
  6. Identifying the sender and handling their inquiry submitted via the contact form, email, or postal mail – regarding data that are not necessary to establish contact or handle the inquiry – based on Article 6(1)(a) of GDPR – until consent is withdrawn.
  7. Marketing activities – based on Article 6(1)(f) of GDPR, where the legitimate interest is conducting marketing activities – if activities do not use electronic communication means. If consent has been given, marketing activities for the Administrator’s own products and services may be conducted using electronic communication means based on Article 6(1)(f) of GDPR and other applicable laws, until consent is withdrawn or an objection is raised, whichever occurs first.
  8. Ensuring the security of property, employees, and collaborators, as well as information that could harm the Administrator – based on Article 6(1)(f) of GDPR, where the legitimate interest is achieving the stated goal – for three months (unless an incident occurs requiring evidence collection). If recorded images serve as evidence in legal proceedings, storage may be extended until the proceedings’ final conclusion.
  9. Conducting analyses and statistics – based on Article 6(1)(f) of GDPR, where the legitimate interest is the ability to perform analysis and statistics – for three years.

Categories of Data Processed (In the case of data obtained indirectly)
The Administrator processes the following categories of data:

First name, last name, Billing/correspondence address, Email address, Phone number, Business name, Tax/ID numbers, ID card number, driver’s license number

Data Source (For Data Not Collected Directly from the Data Subject)

The Administrator may obtain personal data from other sources.

Recipients of Personal Data

Your data may be shared with:

  • Marketing and PR service providers
  • Hosting or IT service providers
  • Delivery service providers
  • Legal, accounting, and consulting service providers
  • Other entities necessary for processing purposes

If legally required, we may also disclose your data to government authorities under Article 6(1)(c) of GDPR.

Transfer of Data Outside the EEA

The Administrator does not plan to transfer data outside the European Economic Area (EEA). However, if such transfer occurs, it will comply with all applicable legal requirements. If data is transferred based on any legal ground other than your consent, contract execution, or specific GDPR exemptions (Article 49), it will be done under Article 45 or 46 of GDPR. These articles require either:

  • A European Commission decision confirming adequate data protection in the destination country (Article 45), or
  • Appropriate safeguards ensuring enforceable rights and effective legal protection (Article 46).

Data Subject Rights

You have the right to:

  • Access your data
  • Rectify, delete, or restrict processing of your data
  • Object to processing
  • Data portability

If data processing is based on your consent, you can withdraw it at any time without affecting previous lawful processing. You also have the right to lodge a complaint with the supervisory authority. To exercise your rights, contact the Administrator.

Data Provision – Mandatory or Voluntary?

Providing data is necessary for contract execution, business settlement, responding to requests, and handling complaints. In other cases, providing data is voluntary. Automated Decision-Making and Profiling Your data will not be subject to automated decision-making or profiling.