GDPR package at FAKRO Sp. z o.o.

We value your privacy, and we conduct our daily operations in full compliance with personal data protection regulations. This document explains why we collect personal data, the scope of the data we process, the legal basis for doing so, how long we store it and who may receive it. You will also learn about the rights you have in relation to the processing of your personal data.

This document has been prepared in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”).

Its purpose is to bring clarity to the way personal data is managed and, above all, to ensure the protection and safeguarding of your personal data.

For all matters — including those related to personal data — you can contact us via our website, email, telephone, chat, collaboration platforms or traditional mail. Our contact details are as follows:

FAKRO Sp. z o.o.

ul. Węgierska 144a

33-300 Nowy Sącz

email: fakro@fakro.pl

tel.: +48 18 444 0 444

When working with your personal data, we follow the following principles:

1. Lawfulness, fairness and transparency. We process personal data in accordance with legal regulations. We clearly and transparently inform you which of your data we collect, process and store.
2. Data minimisation. We process only the data that is genuinely necessary to achieve a specific purpose.
3. Accuracy. We ensure that your data is up to date. From time to time, we take actions to verify and correct it when needed. •
4. Purpose limitation and storage limitation. We collect your data only when we have a legitimate purpose and when the purpose cannot be achieved in another way. We store your data only for as long as it is needed to identify you during the fulfilment of that purpose, in accordance with applicable laws.
5. Integrity and confidentiality. We take all necessary measures to secure your personal data and protect it against unauthorised access.
6. Accountability. We are able to demonstrate that we process your personal data in compliance with the law, including the principles of privacy by design and privacy by default.

We have appointed a Data Protection Officer (DPO) whom you can contact with any questions or requests regarding personal data. You can do so in the following ways:

a) by post, at the following address:

Data Protection Officer - Kinga Nowobilska

ul. Węgierska 144a

33-300 Nowy Sącz

b) email: iod@fakro.pl

c) tel.: +48 18 444 03 06

Providing your personal data to us is entirely voluntary. However, certain data is necessary to conclude and perform a contract related to any transaction. If you do not provide this data, we will unfortunately be unable to enter into a contract with you, and as a result, we will not be able to begin cooperation. If legal regulations - for example, tax requirements - oblige us to collect additional essential data, providing such information will also be necessary in order to establish or maintain cooperation with us.

When we process personal data?	What data we process?	Purpose of processing	Legal basis	Retention period
Analytical and statistical activities on websites	IP address, cookie-derived data, information about activity on the website	We monitor activity in the online store to understand customer purchasing preferences. The data is collected, among others, through cookies – their processing requires the customer’s consent.	Art. 6(1)(a) and (f) GDPR	Until consent is withdrawn or an effective objection is submitted.
Activities related to concluding and performing a contract / Product-related claims	First name, last name, residential address, email address, telephone number	Personal data is processed for the purpose of concluding and performing a contract, providing customer service and warranty support, as well as for the establishment, exercise or defence of legal claims.	Art. 6(1)(b), Art. 6(1)(c) – e.g. the Civil Code, Art. 6(1)(f) GDPR	Until the completion of the service, provision, support, complaint handling or warranty process. In the case of establishing, exercising or defending legal claims – until the last day of the calendar year following a period of three years from the completion of the service.
Business activities	First name, last name, residential address, email address, telephone number	We process personal data of individuals, customers, suppliers and other stakeholders in order to carry out business activities.	Art. 6(1)(b), Art. 6(1)(c) – e.g. the Anti-Money Laundering Act, Art. 6(1)(f)	Until the termination of cooperation.
Newsletter	Email address	Personal data is used to send a newsletter containing information about price changes, company news and promotions.	Art. 6(1)(a) GDPR	Until consent is withdrawn.
Whistleblower protection	First name, last name, email address, nature of the relationship with the company and any other categories of data that may be included in the report to describe the irregularity correctly.	Personal data is processed as part of the whistleblower protection procedure exclusively by authorised persons and solely for the purpose of handling reports of violations of law or internal regulations.	Art.6(1)(c) – e.g. the Whistleblower Protection Act, Art.6 (1)(f)	Until the expiry of claims arising from applicable legal provisions, including the Civil Code, or until the expiry of the limitation period for criminal offences under the Criminal Code.
Responding to enquiries	Contact, communication, technical and location data processed for the purpose of providing services, performing analysis and integrating with external platforms.	We collect and process personal data in order to handle customer contact (via email, telephone) and fulfil orders.	Art. 6(1)(b) and (f) GDPR	Until the completion of the service or until we provide an answer / fulfil the subject of the enquiry or request.
Training activities	First name, last name, telephone number, email address, company/institution name, company registered address, image (likeness).	Educational activities related to our product offering.	Art. (6)(1)(a), (b) and (f) GDPR	5 years or for the duration of cooperation including the applicable claims period.
Recruitment	First name and last name, date of birth, contact details, education, professional qualifications, employment history.	We require personal data to conduct the recruitment process and, if applicable, to conclude an employment contract, a B2B contract, or to accept a candidate for an internship or traineeship. If you provide consent, your personal data may also be processed for the purposes of future recruitment processes.	Art. 6(1)(a), (b) and (f) GDPR, the Labour Code	Until the expiry of employee-related claims or until consent is withdrawn (if you have provided consent for future recruitment).
Use of artificial intelligence	First name and last name, email address, photos or video recordings, information from platform accounts, answers provided during the recruitment process.	Personal data may be processed using AI technologies to streamline processes and improve services, including cooperation with external technology providers.	Art. 6(1)(f) GDPR	Personal data is stored and processed for the period necessary to fulfil the stated purposes, unless the user submits an effective written objection.
Marketing activities	Contact data and technical data (e.g. browsing history, cookie data) collected while using our services and communication channels, as well as those belonging to third party providers, for the purpose of service provision and interaction analysis.	We use this data for marketing activities, including the creation of personalised offers. Processing for this purpose is based on the customer’s consent, which may be withdrawn at any time.	Art. 6(1)(a) and (f) GDPR	Until consent is withdrawn or an effective objection is submitted.
Digital platforms and mobile apps	Personal data collected on digital platforms and mobile apps.	Personal data is collected through our platforms and apps to improve customer communication and to support the development of our products and services.	Art. 6(1)(b) and (f) GDPR	Personal data is processed for the duration of the contract and, based on legitimate interest, until the expiry of the limitation period or until an effective objection is submitted.
Social media accounts/profiles	First name, last name, username, profile picture, other images containing likeness, statistical data.	We process personal data through our social media accounts for the purposes of communication, promotion, activity analysis and event organisation. Processing occurs, among others, when you subscribe, leave a comment or complete a form. In certain cases, we act as joint controllers of these platforms.	Art. 6(1)(f) GDPR	Until the subscription is withdrawn or for as long as the social media accounts remain active.
Video monitoring	Image	Image (likeness) is processed as part of video monitoring for the purposes of ensuring safety, protecting property, controlling production processes and safeguarding confidential information.	Art. 6(1)(b), (c) and (f) GDPR	Recordings are stored for a maximum of 3 months from the date they are made. If recordings constitute evidence in proceedings conducted under applicable law, the retention period may be extended until the final conclusion of the proceedings.
Promotional activities	First name, last name, residential address, email address, telephone number, identity document number, bank account number, National ID (PESEL) number, tax ID.	Personal data is collected for the organisation of promotional activities, registration of participants, delivery of prizes and verification of the winners’ identity.	Art. 6(1)(b) and (f) GDPR	Until the expiry of the period resulting from tax regulations or until an effective objection is submitted.
Participation in photos, videos and campaigns	Image	The image may be processed on the basis of consent or under the provisions of a contract. In certain cases — for example, when the image appears only as an element of a larger photograph — additional consent is not required.	Art. 6(1)(a) and (b) GDPR	Until consent is withdrawn or for the period specified in the contract
Registration and purchases in the online store	First name, last name, delivery address, email address, purchase history, contact details, bank account number.	We process personal data for the purpose of fulfilling an order, enabling login to the store through external services, analysing purchase history and handling payments and deliveries.	Art. 6(1)(b), (c) and (f) GDPR	Until the completion of the service, until an effective objection is submitted, and for the periods specified by applicable law.

We may process your data when:

1. You have given consent for marketing of products or services.
2. We engage in joint activities aimed at establishing or carrying out our cooperation, for example:
   • responding to enquiries,
   • preparing quotations,
   • handling service requests,
   • processing complaints,
   • delivering training activities.
3. We fulfil a legal obligation in this way: on this basis, we process personal data in order to comply with the duties imposed on us by applicable laws, such as the Payment Services Act, the Tax Ordinance, the Accounting Act, the Copyright and Related Rights Act, and the Act on the Provision of Services by Electronic Means.
4. Processing may also be required based on our (as the controller’s) legitimate interest, for example:
   • conducting direct marketing of our products or services – their descriptions are available on our website,
   • analysing data to improve products and services,
   • monitoring logs, IP addresses and detecting attempts of unauthorised access to systems,
   • preparing statistics and reports,
   • archiving data,
   • pursuing claims.

We obtain data from, for example:

• directly from customers,
• from customer representatives, such as payment recipients,
• from other controllers, such as the Credit Information Bureau,
• from publicly available databases, such as the National Court Register or the Central Registration and Information on Business.

You have the following rights related to the processing of your personal data:

1. The right to access your personal data – you have the right to know which of your personal data is being processed, for what purpose, by whom, and you may request a copy of this data.
2. The right to rectification of your personal data – this means you may request that incorrect information be corrected or that incomplete data be supplemented.
3. The right to delete your personal data – this means you may request that we delete your personal data in specific situations.
4. The right to restrict the processing of your personal data – this means you can request a temporary limitation on the use of your data by us when certain circumstances apply.
5. The right to transfer your personal data – this means you may receive a copy of your personal data from us or request that we transfer it to another entity.
6. The right to lodge a complaint with a data protection supervisory authority, i.e. the President of the Personal Data Protection Office (address: ul. Moniuszki 1A, 00-014 Warszawa). If you believe that your personal data is being processed unlawfully, you may file a complaint.
7. The right to withdraw consent – this means you may withdraw your consent at any time, without providing a reason.
8. The right to object – this means that at any time you may request that we stop processing your personal data if we do so on the basis of legitimate interest or for marketing purposes.

We exercise these rights after successfully verifying the identity of the person submitting the request. A request may be submitted by telephone, email or in person at our registered office, as well as by post. You can also send your request directly to our Data Protection Officer. We will provide a written response without undue delay.

The personal data we collect may be shared with other companies within the FAKRO Group and with companies cooperating with us – our business partners – so that we can assist you in resolving your issue, preparing an offer or organising the provision of a service.

In accordance with the law, we may also share your data with other entities in order to fulfil statutory obligations or to conclude and perform a contract.

We may share your data in particular with:

1. Our employees and collaborators who must have access to the data in order to fulfil our obligations.
2. Other companies within the FAKRO Group with whom we have concluded a joint controllership agreement or data processing agreements, ensuring an appropriate level of protection when personal data is processed by those companies.
3. Entities processing data on our behalf, participating in the performance of our activities, including:
   • our agents, advertising agencies and other entities involved in the sale of our services,
   • entities that operate our ICT systems or provide ICT tools to us,
   • subcontractors supporting us in performing the contract between you and us, e.g., in handling correspondence or customer service,
   • entities providing advisory, consulting, audit, legal, tax or accounting services.
4. Other data controllers processing data in their own name, such as:
   • our agents, advertising agencies and entities cooperating in customer service – for the purpose of settling remuneration due to them,
   • postal or courier service providers • entities purchasing receivables – in the event of non-payment of invoices issued by us,
   • payment service providers (banks, payment institutions) – for the purpose of processing refunds for you or enabling the operation of Direct Debit service,
   • entities cooperating with us in accounting, tax or legal matters – to the extent that they become data controllers,
   • public authorities, such as courts, prosecutors, tax authorities.

Your personal data may be transferred to so called “third countries”, meaning countries outside the European Economic Area.

In such cases, to ensure the security of your personal data, we make sure that the transfer to a given third country is safe. This is done through mechanisms such as: a European Commission adequacy decision confirming an adequate level of data protection in that country; the use of Standard Contractual Clauses approved by the European Commission; Binding Corporate Rules; codes of conduct; certification mechanisms; or standard data protection clauses adopted by the supervisory authority.

Based on your consent, we may use your data for profiling. However, decisions will not be made in an automated manner and will not produce any legal effects concerning you.

Profiling of personal data means processing your data (including automated processing) in order to evaluate certain information about you — in particular to analyse or predict your personal preferences and interests.

A personal data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or made available to unauthorised persons. In the event a personal data breach is identified, we take the following steps:

1. The data subject:
   • We inform the data subject if the breach may result in a high risk to their rights or freedoms.
   • We provide this information without undue delay. If direct contact is significantly difficult, we publish a public communication.
2. Supervisory authority (President of the Personal Data Protection Office):
   • We report the breach to the supervisory authority if it is likely to result in a risk to the rights or freedoms of natural persons (a risk higher than low).
   • The notification is submitted without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

Due to ongoing changes in the functioning of our company and regularly evolving legal regulations, we may introduce periodic updates to this document. The latest version of the Data Protection Policy will always be available on our website.

Date of GDPR implementation: 25.05.2018

Date of last update to this document: 15.01.2026