GDPR

Lubelskie Zakłady Farmaceutyczne „Polfa” Spółka Akcyjna, a limited liability company with its registered office in Lublin, is a responsible and ethical company. As such, it respects the personal data protection rights of its co-workers, contractors and partners. Considering the above, we hereby present you with information regarding the Company’s personal data protection policy.

Who collects and processes your personal data, i.e. who acts as the Data Controller with regards to your personal data

The Data Controller of your personal data is Lubelskie Zakłady Farmaceutyczne „Polfa” Spółka Akcyjna, located at ul. Wojciechowska 42, 20-704 Lublin, entered into the National Court Register in Lublin, KRS No. 0000038438 (hereinafter referred to as Polfa Lublin S.A., the Company or DC).

Contact details

You can reach us by traditional postal service at: Lubelskie Zakłady Farmaceutyczne „Polfa” Spółka Akcyjna ul. Wojciechowska 42, 20-704 Lublin, Poland, or by sending an e-mail to: sekretariat(at)polfa.pl

The Company has also appointed a Data Protection Officer (Mr. Łukasz Chrościcki), whom you can reach by sending an e-mail to: rodo(at)polfa.pl, or by traditional postal service at: Lubelskie Zakłady Farmaceutyczne „POLFA” Spółka Akcyjna ul. Wojciechowska 42, 20-704 Lublin, Poland.

When we collect personal data, and which data is collected and processed

We collect and process personal data for the following purposes:

  • selling products offered by the Company – the legal basis for data processing is carrying out the agreement (Article 6(1)(b) of the GDPR),
  • marketing the Company’s products – the legal basis for data processing is the Company’s legitimate interest – the marketing of the Company’s own products and services (Article 6(1)(f) of the GDPR),
  • handling complaints, as well as asserting and defending mutual claims – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR),
  • purchasing services and goods related to conducting business activity – the legal basis for data processing is taking steps to conclude and carry out the agreement (Article 6(1)(b) of the GDPR),
  • sending commercial information by electronic means – subject to your express written consent – the consent constitutes the legal basis for data processing (Article 6(1)(a) of the GDPR),
  • handling financial transactions and solving technical issues – the legal basis for data processing is carrying out the agreement (Article 6(1)(b) of the GDPR),
  • tax and accounting purposes – the legal basis for data processing is fulfilling the legal obligation of the Data Controller – the Company (Article 6(1)(c) of the GDPR),
  • reporting medical incidents as well as taking actions with regard to product safety – the legal basis for data processing is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR) and/or fulfilling a legal obligation under which we are obliged to draw up reports as a manufacturer of medical devices, i.e. on the basis of (Article 6(1)(c) of the GDPR),
  • carrying out the recruitment process and hiring employees – the legal basis for data processing is the Labour Law (Article 6(1)(c) of the GDPR) and/or your consent (Article 6(1)(a) of the GDPR), in the event that the data contained in your CV documents extends beyond the scope provided for in the regulations.

What you can do with your personal data

To the extent provided for by law, you have the right to access, rectify, delete or anonymise your data, or limit the scope of the processing, the right to object to the processing, as well as the right to revoke the consent granted for the processing of your personal data at any time. Withdrawal of the consent shall not affect the lawfulness of processing carried out on the basis of the consent granted prior to the withdrawal.

In the event of any doubts arising in relation to personal data processing, each person has the right to contact the Company in order to receive information. Notwithstanding the foregoing, you have the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office.

If you wish to exercise any of these rights, you can contact Polfa Lublin S.A. via the following e-mail address: rodo(at)polfa.pl

Data transfer to countries outside of the European Economic Area

Polfa Lublin S.A. does not transfer your personal data to any entities outside of the European Economic Area.

Data profiling

Your personal data shall not be subject to automatic processing (including profiling) in a manner that such processing would influence any decisions.

The data is provided voluntarily; however, it is required for concluding the Agreement with the Company.

If you are a contractor for Polfa Lublin S.A.

Your data shall be collected directly from you, either before concluding the agreement or in the course of its performance.

Providing the data required to submit the offer, and to sign and carry out the agreement, shall be the prerequisite for entering into the agreement. Refusing to provide the data shall result in the inability to submit an offer or to conclude the agreement.

The Company shall process your personal data for the following purposes:

  • where necessary to carry out the agreement concluded with the Company – the legal basis for data processing is carrying out the agreement (Article 6(1)(b) of the GDPR),
  • keeping accounting books and tax records, if your personal data is included in the agreement or in other documents pertaining to the Data Controller’s obligations imposed by law, in particular by tax and accounting regulations (Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act of 29 September 1994, as well as other special provisions),
  • marketing the Company’s products – the legal basis for data processing is the Company’s legitimate interest – the marketing of the Company’s own products and services (Article 6(1)(f) of the GDPR),
  • handling complaints, as well as asserting and defending mutual claims – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR),
  • sending commercial information by electronic means – subject to your express written consent – the consent constitutes the legal basis for data processing (Article 6(1)(a) of the GDPR),
  • for tax and accounting purposes – the legal basis for data processing is fulfilling the legal obligation by the Data Controller – the Company (Article 6(1)(c) of the GDPR),
  • ensuring the safety of persons and property by means of video surveillance equipment used to record images at Polfa Lublin S.A., which constitutes a legitimate purpose for processing personal data by the Data Controller (Article 6(1)(f) of the GDPR).

Personal data retention period

Your personal data shall be retained for the period required to carry out the agreement, following which it shall be stored until the period of limitation has expired for all potential claims arising from the agreement concluded between you and the Company. In addition, your data may be retained by the Company for the purpose of preventing abuse and fraud, and for statistical and archiving purposes for up to 6 years following the end of the agreement or the cessation of the purpose for processing. Any personal data collected on the basis of your consent shall be retained until you decide to revoke it. In addition, for the purpose of accountability, the Company shall store your personal data for the statutory period determined for storing personal data, or documents containing such data, in order to meet the legally binding obligations, including enabling the control of their fulfilment by public authorities.

Recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Public authorities as well as other entities authorised by law, in order to perform our legal obligations (the Tax Office, the National Labour Inspectorate, the Social Insurance Institution)
  • Legal entities which handle our remote payments
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisers.
If you act as a representative of a contractor for Polfa Lublin, including as a contact person or a person authorised to carry out specific activities in the name of the contractor

Your data shall be collected from the legal entity which you represent or directly from you. In the event that the data is provided by the legal entity which you represent, the Data Controller shall collect the following data items: your full name, telephone number, e-mail address, job title.

In the event that you provide your personal data directly to the Data Controller, providing such data is voluntary but required by the Data Controller to carry out the agreement concluded with the legal entity which you represent. Refusing to provide such data may hinder the performance of the agreement.

The Company shall process your personal data for the following purposes:

  • carrying out an agreement entered into by Polfa Lublin S.A. and the legal entity which you represent, which constitutes a legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR),
  • keeping accounting books and tax records, if your personal data is included in the agreement or other documents pertaining to the Data Controller’s obligations imposed by law, in particular by tax and accounting regulations (Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act of 29 September 1994, as well as other special provisions),
  • marketing the Company’s products – the legal basis for data processing is the Company’s legitimate interest – the marketing of the Company’s own products and services (Article 6(1)(f) of the GDPR),
  • handling complaints, as well as asserting and defending mutual claims – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR),
  • sending commercial information by electronic means – subject your express written consent – the consent constitutes the legal basis for data processing (Article 6(1)(a) of the GDPR),
  • for tax and accounting purposes – the legal basis for data processing is fulfilling the legal obligation of the Data Controller – the Company (Article 6(1)(c) of the GDPR)
  • ensuring the safety of persons and property by means of video surveillance equipment used to record images at Polfa Lublin S.A., which constitutes a legitimate purpose for processing personal data by the Data Controller (Article 6(1)(f) of the GDPR).
  • Personal data is provided voluntarily, but is it required by the Data Controller to carry out the agreement concluded with the legal entity which you represent.

Personal data retention period

Your personal data shall be retained for the period required to carry out the agreement, following which it shall be stored until the period of limitation has expired for all potential claims arising from the agreement concluded between you and the Company. In addition, your data may be retained by the Company for the purpose of preventing abuse and fraud, and for statistical and archiving purposes for up to 6 years following the end of the agreement or the cessation of the purpose for processing. Any personal data collected on the basis of your consent shall be retained until you decide to revoke it. In addition, for the purpose of accountability, the Company shall store your personal data for the statutory period determined for storing personal data, or documents containing such data, in order to meet the legally binding obligations, including enabling the control of their fulfilment by public authorities.

Recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Public authorities as well as other entities authorised by law, in order to perform our legal obligations (the Tax Office, the National Labour Inspectorate, the Social Insurance Institution)
  • Legal entities which handle our remote payments
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisors.
If you are a potential contractor for Polfa Lublin S.A.

Your personal data shall be collected directly from you.

Providing the data required to submit the offer, and to sign and carry out the agreement, shall be the prerequisite for entering into the agreement. Refusing to provide the data shall result in the inability to submit an offer or to conclude the agreement.

The Company shall process your personal data for the following purposes:

  • taking actions prior to entering into an agreement as per your request (Article 6(1)(b) of the GDPR),
  • marketing the Company’s products – the legal basis for data processing is the Company’s legitimate interest – the marketing of the Company’s own products and services (Article 6(1)(f) of the GDPR),
  • handling complaints, as well as asserting and defending mutual claims – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR),
  • sending commercial information by electronic means – subject to your express written consent – the consent constitutes the legal basis for data processing (Article 6(1)(a) of the GDPR),
  • ensuring the safety of persons and property by means of video surveillance equipment used to record images at Polfa Lublin S.A., which constitutes a legitimate purpose for processing personal data by the Data Controller (Article 6(1)(f) of the GDPR).
  • Personal data is provided voluntarily, but is it required to enter into negotiations that would result in establishing cooperation with the Company.

Personal data retention period

Your personal data shall be retained until a decision concerning entering into the agreement is made, following which it shall be retained until the expiry of the statute of limitations for mutual claims. The personal data collected on the basis of your consent shall be retained until you decide to revoke it.

Recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisers.
Persons reporting medical events

Your data shall be obtained directly from you or from the medical personnel.

Providing the data required to respond to your report/inquiry shall be the prerequisite for such a response to be offered. Refusing to provide the data shall render it impossible to respond to your report/inquiry.

The purposes for processing your personal data:

You are providing us with your personal data in order to report medical events and to allow us to take action with regards to the safety of medical products – the legal basis for data processing is fulfilling the legal obligation of the Data Controller – the Company (Article 6(1)(c) of the GDPR).

Your data shall be processed in compliance with the provisions of the Act on medical devices and the secondary legislation, as well as for statistical purposes and for preparing reports (evidence).

Your personal data is provided voluntarily, but is it required to implement the activities related to the safety of medical products.

Personal data retention period

Your personal data shall be retained for 20 years, following which it shall be stored until the period of limitation has expired for all potential legal claims. In addition, your data may be retained by the Company for the purpose of preventing abuse and fraud, for statistical and archiving purposes, or until the cessation of the purpose for processing. In addition, for the purpose of accountability, the Data Controller shall store your personal data for the statutory period determined for storing personal data, or documents containing such data, in order to meet the legally binding obligations, including enabling the control of their fulfilment by public authorities.

Recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Public authorities as well as other entities authorised by the law, in order to perform our legal obligations
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisers.
If you are a recipient of marketing activities carried out by Polfa Lublin S.A.

Your data may be collected from the following sources: directly from you; from the legal entity which you represent (full name, phone number, e-mail, job position);

The data is provided voluntarily.

The Company shall process your personal data for the following purposes:

  • marketing the Company’s products – the legal basis for data processing is the Company’s legitimate interest – the marketing of the Company’s own products and services (Article 6(1)(f) of the GDPR),
  • sending commercial information by electronic means – subject to your express written consent – the consent constitutes the legal basis for the processing operation (Article 6(1)(a) of the GDPR).
  • Personal data is provided voluntarily, but is it required for sending marketing offers and commercial information.

Personal data retention period

Your personal data shall be stored until you decide to revoke your consent. In addition, for the purpose of accountability, the Company shall store your personal data for the statutory period determined for storing personal data, or documents containing such data, in order to meet the legally binding obligations, including enabling the control of their fulfilment by public authorities.

Recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Public authorities as well as other entities authorised by the law, in order to perform our legal obligations
  • Legal entities which handle our remote payments
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisers.
Persons taking part in the recruitment process

We shall collect your data directly from you or from the companies which handle the recruitment process on our behalf, for instance: Grupa Pracuj sp. z o.o., ul. Prosta 68, 00-838 Warsaw, Poland, KRS 0000584545.

Providing your personal data is the prerequisite for joining the recruitment process.

The Company shall process your personal data for the following purposes:

  • to carry out the recruitment, and – following its successful completion – to enter into an employment agreement; moreover, if you grant your consent, your data shall be processed for the purpose of carrying out future recruitment – the legal basis for data processing is taking action as per your request, prior to entering into an employment agreement, as well as performing the employment agreement in the event of successful recruitment (Article 6(1)(b) of the GDPR), as well as to participate in any future recruitments – subject to your consent (Article 6(1)(b) of the GDPR);
  • fulfilling the Company’s legal obligations as an employer, in relation to the recruitment process, as arising, for instance, from the Labour Code, including measures to prevent employment discrimination – the legal basis for data processing is fulfilling the legal obligation of the Company (Article 6(1)(c) of the GDPR);
  • in order to ensure physical security on the Company’s premises, including indoor and outdoor video surveillance system and tracking the persons entering and exiting the Company’s facilities – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR),
  • entering into any court proceedings with regards to legal disputes, proceedings before other public authorities as well as other proceedings, including defending against claims – the legal basis for data processing is the Company’s legitimate interest (Article 6(1)(f) of the GDPR).
  • The personal data is provided voluntarily, but it is required in order to join the recruitment process, and to subsequently enter into and carry out an employment agreement with the Company.
  • The obligation to provide your personal data in order to join the recruitment process arises in particular from Article 221 of the Labour Code, and concerns the following personal data items: full name, date of birth, contact details, education, employment history.
  • In the event that you submit any additional data that is not required by law (i.e. information regarding your hobbies or your image), the Company shall process the additional data on the basis of your consent (Article 6(1)(a) of the GDPR). In such cases, you have the right to revoke your consent with relation to the data processed on the basis of your consent. Withdrawal of the consent shall not affect the lawfulness of processing carried out on the basis of the consent granted prior to the withdrawal. The consent may be revoked by submitting a declaration by the following means: in writing to 20-704 Lublin, Poland, ul. Wojciechowska 42, or by submitting the declaration by e-mail to: rodo(at)polfa.pl
  • Submitting a set of documents containing your personal data in order to enter the recruitment process shall be interpreted as granting the express consent for the Company to process the submitted data.

Personal data retention period

Your personal data shall be retained for the time required to carry out the recruitment process, following which it shall be stored until the period of limitation has expired for all potential legal claims arising from the recruitment process. In addition, in the event that you grant your consent to participate in future recruitments, your data shall be stored until the consent is withdrawn. Moreover, for the purpose of accountability, the Company shall store your personal data for the statutory period determined for storing personal data, or documents containing such data, in order to meet the legally binding obligations, including enabling the control of their fulfilment by public authorities.

The recipients of your personal data

  • Authorised employees and co-workers of Polfa Lublin S.A.
  • Postal service operators and courier companies
  • Public authorities as well as other entities authorised by the law, in order to perform our legal obligations
  • Legal entities hired to provide business support services, in particular suppliers of external systems, software suppliers, software or hardware maintenance companies, accountants, auditors, legal counsel, tax advisers.
GDPR personal data processing information

Lubelskie Zakłady Farmaceutyczne „POLFA” Spółka Akcyjna, a limited liability company with its registered office in Lublin, shall act as the controller of your personal data. Detailed information regarding personal data processing, in particular the purpose and the legal basis for processing, as well as your rights in that regard, is available on our website: www.polfa.pl in the GDPR tab.