About us
The Controller of your personal data is Cossma Plus Sp. z o.o. (ul. Armii Krajowej 80 lok.7, 35-307 Rzeszów). As a responsible organization that is aware that information has value and is a resource requiring proper protection, we intend to inform you appropriately about issues related to the processing of your personal data, particularly as regards the content of the new regulations on personal data protection, including the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). For this reason, this document presents the key information on the legal bases for processing personal data, the methods of collecting and using them, and the rights of the persons to whom the data apply. Cossma Plus Sp. z o.o. has appointed a Data Protection Supervisor, who can be contacted at the following e-mail address: info@cossmaplus.pl. When processing personal data, we follow the laws concerning data protection. Personal data are collected and processed in the way and based on the principles specified in this Policy.
General regulations
At Cossma Plus Sp. z o.o., we place particular emphasis on protecting the privacy of our clients, contracting parties, employees and co-workers. One of its key aspects is protection of the rights and freedoms of natural persons in relation to the processing of their personal data. We make sure that the processing of your personal data is performed in compliance with the Regulation of the European Parliament and of the Council 2016/679/EC (hereinafter called the GDPR), the law on protection of personal data, as well as special regulations (contained in the labor law and the accounting law). Cossma Plus Sp. z o.o. is the Controller of personal data pursuant to art. 4 sec. 7 of the GDPR and also uses the services of processors, as specified in art. 4 sec. 8 of the GDPR, who process personal data on behalf of the Controller (they include IT companies, law firms, security companies). Cossma Plus Sp. z o.o. implements appropriate technical and organizational measures in order to ensure a level of safety corresponding to the possible risk of violation of the rights and freedoms of natural persons, with a varying probability of occurrence and scale of threat. Our activities concerning protection of personal data are based on accepted policies and procedures, as well as regular training that broadens the knowledge and competencies of our employees and co-workers.
The joint controller of your personal data is a company operating within the group of companies:
- Cossma Plus Sp. z o.o. (ul. Armii Krajowej 80 lok.7, 35-307 Rzeszów)
In order to maintain the safety of personal data processed by our companies, which have capital, personal and organizational ties, and also to assure the high quality of the services we provide, we have adopted a model of joint control of data. Joint controllers ensure strict compliance with the laws concerning privacy of users and protection of their personal data. Joint controllers provide sufficient guarantees to implement appropriate technical and organizational measures, in order to make sure that the processing meets the requirements of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) and protects the rights of the people who are data subjects. All companies apply the same Privacy Policy. Based on it, we control personal data in accordance with the law, including in particular regulations concerning protection of personal data and safety requirements. Each of the joint controllers is severally liable for all violations related to the processing of personal data. A data subject can file a claim with the selected joint controller, who will be obliged to repair the damage, even when it was caused by a different joint controller.
Personal data provided by you will be processed for the following purposes:
- Conclusion and performance of the contract of carriage based on art. 38 sec. 1 and 2 and art. 50 of the Act of November 15, 1984 of the Transport Law or art. 6 and 7 of the Convention on the Contract for the International Carriage of Goods, and art. 6 sec. 1 letter b and letter f of the GDPR,
- Fulfilment of the legal obligation by the Controller pursuant to art. 6 sec. 1 letter c of the GDPR,
- Conducting marketing activities with the use of electronic communication means, art. 6 sec. 1 letter a of the GDPR,
- Securing the claims, art. 6 sec. 1 letter f of the GDPR and undertaking activities related to debt recovery procedure,
- Establishing of a contact based on art. 6 sec. 1 letter f of the GDPR as a legitimate interest pursued by the Controller (email, contact forms),
- Claim submission process – art. 6 sec. 1 letters b and c,
- Legitimate interest pursued by the Controller – art. 6 sec. 1 letter f of the GDPR.
We forward your personal data to third parties with your consent or when we are obligated to do so – based on legal regulations. We do not make automated decisions regarding your personal data.
Principles that guide us during the processing of your personal data
We act with diligence in order to protect interests of the people who are data subjects; in particular, we make sure that such data are:
- processed in accordance with the law, reliably and transparently for the data subjects;
- collected for specific, clear and legitimate purposes and not processed further in a way that is not compliant with these purposes;
- adequate, appropriate and limited to what is necessary to achieve the objectives for which they are processed;
- accurate and updated when needed. We undertake activities to immediately erase or rectify personal data which are inaccurate in the light of the purposes of their processing;
- stored in the way that makes possible identification of a person who is the data subject for a period no longer than it is necessary to fulfil the purposes of processing;
- processed in a way ensuring proper safety of personal data, including protection against unauthorized or illegitimate processing and accidental loss or damage.
We usually process your personal data based on a consent, which can be withdrawn anytime. A different case is when the processing of your personal data is necessary to perform a contract to which you are a party or to undertake activities at your request, even before concluding a contract. In some cases, processing is necessary to fulfil the legal obligation by the Controller. Such obligations result from, for instance, the labor law and the accounting law. Processing may also be necessary for the purposes resulting from our legitimate interests; one of the examples is pursuing claims related to business activity of our company.
Your rights
We undertake appropriate measures in order to provide to you all applicable information in a concise, transparent, understandable and easily accessible way, and to handle all communication with you with regard to processing of your personal data related to exercising of the following rights you are entitled to:
- information provided during collection of personal data;
- information provided upon request – regarding cases when personal data are processed and other issues specified in art. 15 of the GDPR, including the right to copy data;
- rectify data;
- be forgotten;
- limit processing;
- transfer data;
- raise an objection;
- not be subject to decision based exclusively on automated processing (including profiling);
- information about violation on data protection.
In addition, when your personal data are processed based on consent, you have the right to withdraw it. The consent can be withdrawn anytime, not affecting the legitimacy of processing before its withdrawal. In order to contact us regarding exercising any of the rights, please email us at info@cossmaplus.pl or send a letter to the following address: ul. Armii Krajowej 80 lok.7, 35-307 Rzeszów. Safety of your data is our top priority; however, when you decide that during processing of your data we violate the GDPR regulations, you have the right to lodge a complaint to the President of the Personal Data Protection Office.
How will we contact you?
We provide information in writing or in a different way, including – when appropriate – by e-mail. When you request it, we can provide information verbally, when we are able to verify your identity in another way. When you provide your request by e-mail, where possible, information will be also provided by e-mail, unless you indicate to us a different, preferred form of communication.
When will we comply with your request?
We try to provide information immediately – basically within a month from receiving a request. When needed, this period can be extended by another two months depending on the complexity of request. However, in every case, within a month from receiving the request, we will inform you about activities undertaken and (in appropriate cases) about extension of the deadline, giving the reason for such delay.
Subcontractors / processors
We can forward your personal data to companies or other trustworthy business partners who provide services on our behalf; for example, to secure technical support, to assess usefulness of the website for marketing purposes or to make the service available in a different way. When we cooperate with companies which process personal data on our behalf, we use exclusively the services of processors that provide sufficient guarantees to implement appropriate technical and organizational measures, in order to make sure that the processing of personal data meets the requirements of the GDPR and protects the rights of the people who are data subjects. We verify in detail the companies to which we entrust processing of your data. We conclude detailed agreements with them and perform periodic inspections of the compliance of processing operations with the content of such agreements and legal regulations.
Your personal data can be also received by:
a. entities and bodies authorized to process personal data based on legal regulations, banks in order to perform settlement of accounts,
b. institutions providing additional financing for the purpose of performance of a contract concluded with the Controller,
c. entities cooperating within marketing campaigns,
d. entities providing transport and loading services,
e. customs agencies,
f. platforms for exchange of information between carriers,
g. entities and bodies authorized to process personal data,
h. entities ensuring delivery of software,
i. entities providing IT services,
j. law firms,
k. the owner of the social media portal Facebook on the principles not affected by changes regarding data specified by Facebook available at https://www.facebook.com/about/privacy.
Personal data provided by you can be forwarded to entities having their place of business outside the European Economic Area (EEA), i.e. in third countries. In regard to these countries, no decision was issued by the European Commission confirming that these states ensure a proper level of protection within the meaning of the European regulations concerning data protection.
How do we protect processing of your personal data?
In order to meet the legal requirements, we have prepared detailed procedures involving the following issues:
- protection of personal data by design and data protection by default;
- data protection impact assessment;
- notification of violations;
- keeping register for data processing activities;
- data retention;
- exercising of rights by the people who are data subjects.
We regularly verify and update our documentation in order to demonstrate that we meet legal requirements in accordance with the accountability principle specified in the GDPR. In addition, in order to take into consideration the interests of the people who are data subjects, we try to incorporate the best market practices.
Data retention
We store personal data in a form that makes it possible to identify the person to whom such data apply for a period that is no longer than necessary for the purposes for which such data are processed. After expiration of this period, we anonymize data (depriving them of features making possible identification of a specific person) or delete them. In the retention procedure, we ensure limitation of the period for personal data storage to the strict minimum. We determine the period of data processing primarily on the basis of legal regulations (e.g. time of storing employee documentation, accounting documents), as well as legitimate interests of the Controller (e.g. marketing activities). The retention policy includes data processed both on paper and online.
Authorizations
We ensure that every person acting on our behalf under an authorization and having access to your personal data processes them exclusively at our request, unless other requirements result from EU laws or the laws of a member state.
Cookies
The policy of using cookie files (cookies) by service.
a) The cookie files (cookies) are small pieces of data, in particular text files, which are stored on the terminal equipment of the Service User and designed to use websites of the Service. Cookies usually contain the name of the website, from which they derive, time of their storage on the terminal equipment and their unique identifier.
b) The entity that places cookies on the terminal equipment of the Service User and having access to them is the service owner.
c) The cookie mechanism is not used to collect any information about service users or to track their navigation. Cookies used in the service do not store any personal data or information collected from user, and are used for statistical purposes.
d) Default software used to view websites (browser) allows to support cookies on the User’s equipment, on which it is activated. In the majority of cases, software in this area can be configured independently, including forcing automatic blocking of cookie files. The issues related to configuration of cookie support are located in software settings (Internet browsers). It is necessary to bear in mind that settings of limitations related to cookie support can impact operation of some service functions.
e) Cookie files are used for the purpose of adjustment of the content of Service websites to User’s preferences and optimization of website use; in particular, these files allow to recognize Service User’s equipment and display properly the website, adjusted to its individual needs; development of statistics, which allow to understand how Service Users use websites, making possible improvement of their structure and content; maintaining Service User’s session (after logging), thanks to which User doesn’t have to enter login and password on every subsite of the Service;
f) Within the Service, we use two basic types of cookie files: “session cookies” and “persistent cookies.” “Session cookies” are temporary files that are stored on User’s terminal equipment until logging out, leaving the website or turning off software (Internet browser). “Persistent cookies” are stored on User’s terminal equipment for the time specified in cookie file parameters or until the time of their deletion by the User.
g) The Service uses the following types of cookie files:
- “necessary” cookie files, making possible the use of services available within the Service, e.g. authentication cookies used for services requiring authentication within the Service;
- cookie files used to ensure safety, e.g. used to detect abuses within authentication within the Service;
- “performance” cookies are used to gather information on how visitors use websites of the Service;
- “functional” cookies, making possible “remembering” of settings selected by the User and personalization of User interface, for example in the scope of selected language and region, from which the User originates, font size, look of the website, etc.;
References to other sites on the Service website
The service owner informs that the service features references to other sites. The service owner recommends reading of policy practices that are in force for these sites, since it is not liable for them.
Data protection of Service users
Description of technical and organizational measures for protection purposes is contained in the Safety Policy (personal data protection) of the service owner. In particular, the following safeguards are used:
a) data collected automatically through the server are secured through mechanism authenticating access to the service;
b) data collected from users during registration process are protected with SSL protocol and through mechanism authenticating access to the service;
c) access to control the service takes place with the use of authentication mechanism.