I. General Information
1. This Privacy Policy is a set of principles aimed at informing you of all aspects of the process related to the collection, processing, and securing of your personal data.
2. This Policy defines the rules concerning the processing of personal data by the Data Controller, which is: ANDRA Sp. z o.o., with its registered office at Pryzmaty 6/8, 02-226 Warsaw, KRS: 0000128727, NIP: 5220000499, REGON: 008203398, (hereinafter referred to as the “Administrator”).
The Policy is addressed to all users (hereinafter referred to as the “Users”) of the Administrator’s Website. The Administrator has appointed a Data Protection Officer. Contact regarding the processing of personal data is possible via email at: rodo@andra.com.pl or by mail to the Administrator’s registered office.
3. This Policy may be amended and updated in the event of changes in practices related to the processing of personal data (including current case law and guidelines of the Polish Data Protection Authority) or changes in generally applicable law. The Administrator will appropriately inform Users registered on the Website about any changes to the Policy. Other Users of the Website are encouraged to carefully read this Policy and regularly check the Website to verify any changes the Administrator may make in accordance with the provisions of this Policy.
4. Using the Administrator’s Website and the electronic service of the contact form (hereinafter referred to as the “Electronic Service”) requires the User to review and accept this Privacy Policy.
5. Providing personal data to the Administrator is voluntary but is a necessary condition for using the Website and Electronic Services.
6. The Website and Electronic Services are not intended for individuals under the age of 18, and we ask that such individuals refrain from using the Website and from providing their personal data through the Website.
II. Definitions
1. Administrator refers to the entity that determines how and for what purposes personal data are processed. The Administrator is responsible for ensuring compliance with applicable data protection law.
2. Personal Data means any information about an identified or identifiable natural person. Examples of personal data that the Administrator may process are listed in section III below.
3. Processing (or Processed or Process) refers to any operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
4. Processor means any person or entity that processes personal data on behalf of the Administrator (other than an employee of the Administrator).
5. Website refers to www.andra.com.pl, www.comander.pl, www.comander.eu.
6. Administrator’s Fanpage refers to the Administrator’s social media page: LinkedIn at the link https://www.linkedin.com/company/72886.
III. Processing of Users’ Personal Data
1. The Administrator may collect Users’ personal data in particular in the following cases:
a) When Users provide their personal data (e.g., through email, telephone, contact form, or in any other way) based on Article 6(1)(f) of the GDPR (legitimate interest of the Administrator – responding to a message) in connection with the necessity of addressing the submitted matter or handling an inquiry,
b) For the purpose of pursuing claims and taking action related to the debt recovery process, conducting legal proceedings, enabling the use of the Website, preventing fraud in the use of the Website and Electronic Services, in particular managing, maintaining, improving, and providing all their functionalities, as well as creating internal reports, analyses, and statistics for the Administrator’s purposes, including reporting, planning the development of the Website and Electronic Services, development work, and creating statistical models, based on Article 6(1)(f) of the GDPR (legitimate interest – protecting the rights of the Administrator and pursuing claims),
c) When obtaining personal data published by Users on social media (Administrator’s Fanpage) (e.g., retrieving information from Users’ private social media profiles to the extent that such information is publicly visible) based on Article 6(1)(f) of the GDPR (legitimate interest of the Administrator – promoting its own activities and services, managing the social media profile (Fanpage), building and strengthening relationships with customers, conducting analyses and statistics concerning the popularity and functioning of the profile, as well as determining, pursuing, and defending against any potential claims related to the use of the profile, responding to messages),
d) When obtaining or requesting Users’ personal data during visits to the Administrator’s Website or when using any functionalities or resources available on or through the Website (cookies). When Users visit the Website, their devices and browsers may automatically provide certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connection to the Website, and other technical information related to communication), some of which may constitute personal data. During the visit to the Website, no personal data of Users will be stored by the Administrator without the appropriate legal basis. Regarding cookies, the Administrator, beyond essential cookies, will obtain the User’s consent for cookie installation each time. Giving such consent is optional and does not affect the ability to use the Website. In some cases, without the appropriate consent, the possibility of using the Website may be partially limited, based on Article 6(1)(a) of the GDPR (consent – for non-essential cookies) and Article 173 of the Telecommunications Law (legal provision – for essential cookies).
2. Providing personal data is voluntary and not a statutory requirement. However, in certain cases, without providing personal data, it may not be possible to use the Website or Electronic Services. The categories of personal data processed by the Administrator may include:
a) Personal information: first name(s), surname(s),
b) Contact details: company data, email address, phone number,
c) Message content: all messages (inquiries, statements, opinions, and views) sent via the contact form or published online,
d) IP address, cookies, and information on how you use our Website and Electronic Services – while using the Website or Electronic Services,
e) Image: if an opinion is published, a comment is left, or the “Like” button is clicked on the Administrator’s social media profile (Fanpage), provided the User’s image is visible on their private social media account.
3. The Administrator operates fanpage profiles on social media platforms. Public data made available by social media users may be used for the following purposes:
a) Responding to private messages directed to us,
b) Conducting discussions within the comments section under individual posts,
c) Sharing our posts with those who follow our Fanpage,
d) Marketing by informing about our services and ourselves through posts on our Fanpage, including sponsored posts displayed to a broader audience of Users,
e) Statistical purposes, by presenting data about the visibility of our posts, their reach, the number of interactions, and demographic data of our followers; the data presented to us by social media platform providers are statistical in nature but are based on observations by the platform of behavior on our Fanpage.
4. The Administrator’s Website currently provides redirects to the following social media platforms (Fanpages): LinkedIn.
5. By liking the Administrator’s post, leaving a comment, sending a private message, or subscribing to the channel, the Administrator, together with LinkedIn Ireland Unlimited Company, Attn: Legal Dept., becomes the joint data controller for the personal data shared on the Fanpage for statistical and advertising purposes.
6. Therefore, we encourage you to review the LinkedIn privacy policy available at https://pl.linkedin.com/legal/privacy-policy. Detailed information clauses regarding the processing of personal data on social media platforms are available on the respective profile page of the Administrator’s Fanpage in the “Information” section or other visible locations.
IV. Sharing Personal Data with Third Parties
1. The Administrator may share Users’ personal data with:
a) Individuals authorized by the Administrator to process data,
b) Entities entrusted with data processing, such as technical service providers and advisory service providers,
c) Other administrators, where required by law or in good faith, if such action is necessary to comply with applicable legal regulations, in particular in response to court orders or government authorities’ requests.
2. If we engage a third party to process Users’ personal data, in accordance with the data processing agreement concluded with such a third party, the Processor will be obliged to:
a) Process only the personal data indicated in the Administrator’s prior written instructions, and
b) Implement all confidentiality and security measures for the personal data and ensure compliance with all other legal requirements.
3. Due to the use of LinkedIn services, data may be transferred to third countries – the United States of America (USA) in connection with internal sharing by Meta Platforms Inc. (Facebook) or LinkedIn Corporation. Such data transfers occur based on Article 45 of the GDPR and the European Commission’s decision on an adequate level of protection, i.e., the “EU-US Data Privacy Framework.”
V. Third-Party Services
1. The Website may contain features or links redirecting to websites and services provided by third parties, which are not managed by us. The information you provide on these websites or services will be subject to their own privacy policies and data processing procedures.
2. The Administrator is not responsible for the data processing practices of independent website administrators and service providers.
3. We encourage you to familiarize yourself with the privacy and security policies of third parties before providing them with any personal data.
VI. Data Protection
1. The Administrator informs that it has implemented appropriate technical and organizational measures to protect personal data, particularly to safeguard against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and other unlawful and unauthorized forms of processing, in accordance with applicable law.
2. The Administrator is not responsible for any actions or omissions of Users. Users are responsible for ensuring that all personal data is sent to the Administrator securely.
VII. Accuracy of Data
1. The Administrator takes all reasonable steps to ensure that:
a) The personal data of Users processed by the Administrator is accurate and, where necessary, kept up to date;
b) Any personal data of Users processed by the Administrator that is inaccurate (having regard to the purposes for which it is processed) is erased or rectified without undue delay.
2. The Administrator may, at any time, ask Users to verify the accuracy of their personal data being processed.
VIII. Data Minimization
The Administrator takes all reasonable steps to ensure that the personal data processed is limited to what is necessary for the purposes described in this Policy.
IX. Data Retention
The criteria determining the duration for which the Administrator retains Users’ personal data are as follows: The Administrator retains copies of Users’ personal data in a form that permits identification only for as long as it is necessary for the purposes outlined in this Policy unless a longer retention period is required by applicable law. The Administrator may, in particular, retain Users’ personal data for the entire duration necessary to establish, exercise, or defend legal claims.
X. International Data Transfers
1. Personal data may be transferred and processed outside the European Economic Area (EEA) (the European Economic Area consists of the European Union and Iceland, Liechtenstein, and Norway, collectively the “EEA”). If your personal data is transferred outside the EEA, the service provider is required to implement appropriate safeguards. The Administrator will fulfill its obligations under Chapter V of the GDPR.
2. The Administrator uses Google Analytics and other products provided by Google LLC, whose infrastructure is located in the USA.
XI. Retention Period of Personal Data
1. Personal data is retained:
a) For 60 days from the moment of contact (if no contract is concluded); personal data may be processed for a longer period if, as a result of the inquiry, the User decides to use the Administrator’s services (e.g., entering into a contract),
b) In relation to data processed to comply with legal obligations, personal data will be retained for the time specified by law, e.g., tax documentation must be retained for 5 years from the end of the calendar year in which the invoice was issued (Article 70 § 1 of the Tax Ordinance),
c) If the services are used, for the duration of the contract and the period necessary to resolve any complaints, disputes, and settle accounts, with regard to the applicable limitation periods for claims,
d) For internal administrative purposes of the Administrator and other processing purposes where the legal basis is the legitimate interest of the Administrator, personal data will be stored until the legitimate interests of the Administrator that justify the processing are fulfilled, or until an objection to such processing is raised, after the Administrator has appropriately considered the User’s interests and the basis for processing,
e) For data processed on our Fanpage, until an objection is raised to further processing by clicking “unlike,” removing a comment, or unsubscribing.
However, in each case, the Administrator has the right to process personal data beyond the above periods for the time required by law or for the duration of the limitation period for possible claims (Article 118 of the Civil Code).
XII. User Rights
1. You are entitled to the following rights in relation to the processing of your personal data:
a) Right of access to the personal data being processed – On this basis, the Administrator, upon request from the data subject, provides information on the processing of their personal data, including the purposes and legal basis of the processing, the scope of the data, the entities to whom the data is disclosed, and the planned retention period. As part of the right of access, the data subject may also request information on whether their personal data is shared with anyone, whether it is subject to profiling, and whether any automated decision-making processes are applied. The data subject is also entitled to obtain a copy of their data.
b) Right to rectification of data – On this basis, the Administrator, upon request from the data subject, corrects any inaccuracies or errors in the personal data being processed and supplements or updates it if it is incomplete or has changed.
c) Right to erasure of data – On this basis, the Administrator, upon request from the data subject, deletes data that is no longer necessary for achieving any of the purposes for which it was collected, or when consent for its processing has been withdrawn or an objection has been raised, and it is not required for establishing, pursuing, or defending the Administrator’s claims.
d) Right to restrict processing and data portability – On this basis, the Administrator, upon request from the data subject, ceases to carry out operations on such personal data to the extent permitted by law and also provides the data in a format readable by a computer.
e) Right to lodge a complaint – If the data subject believes that their personal data is being processed unlawfully, they may file a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
f) Right to object – The data subject may object at any time to the processing of their personal data for purposes for which it was collected, particularly for direct marketing purposes. If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data at any time.
g) Right to withdraw consent – If we process personal data based on consent, the data subject may withdraw such consent at any time. Withdrawing consent does not affect the lawfulness of the processing carried out before the withdrawal.
2. A request to exercise any of the rights described above may be submitted by traditional mail to the Administrator’s registered office or by email to: rodo@andra.com.pl.
3. The request should specify, to the extent possible, the details of the request, particularly the intended recipient and the right the data subject wishes to exercise. If the Administrator is unable to determine the content of the request or identify the person submitting it, the Administrator will contact the requestor for additional information.
XIII. Cookies
1. During a User’s use of the Website, data related to the User is automatically collected. This data includes:
a) IP address,
b) Domain name,
c) Browser type,
d) Operating system type.
2. This data may be collected through:
a) Cookies,
b) The Google Analytics system,
c) Server logs.
3. Cookies are small text files stored by a web browser on your computer’s hard drive or on a smartphone memory card. During subsequent visits to the website, the information stored in the cookie is sent back to the Website. This allows the Website to recognize you and adjust the content to your needs.
4. To improve our Website and Electronic Services, provide the most relevant content, and analyze how Users use our Website, we may use cookies.
5. We may process the data contained in cookies for the following purposes:
a) Personalizing the Website and Electronic Services: remembering User information so that the User does not have to re-enter it during subsequent visits;
b) Providing tailored advertisements, content, and information to Users;
c) Monitoring aggregated usage statistics of the Website, such as the total number of visitors and page views.
6. We use the following types of cookies:
a) Session cookies, which are temporary files stored on the User’s device until the User leaves the Website;
b) Persistent cookies, which are stored on the User’s device for the time specified in the file parameters or until they are manually deleted.
7. Cookies can be divided into the following categories:
a) Necessary cookies, which ensure the proper functioning of the site, security, and a maintained session. These files are installed by default, and without them, the Website cannot function properly;
b) Statistical cookies, which enable the collection of information on how the Website is used (a checkbox to select);
c) Functional cookies, which allow the website to remember the choices made by visitors, such as language selection or font size (a checkbox to select).
8. We use analytics and similar services, which include third-party cookies. During the use of the Website, third-party cookies may be used to enable the use of Website functionalities and integrated websites, or to analyze the effectiveness of advertising campaigns and collect anonymous information about the use of the Website for statistical purposes.
9. This Privacy Policy does not govern the use of third-party cookies. Each third party sets its own cookie usage rules in its privacy policy.
10. The Website uses Google Analytics. Please note that you can prevent Google from registering data collected by cookies regarding your use of the Website and prevent Google from processing such data by installing the browser plugin available at the following address: https://tools.google.com/dlpage/gaoptout.
We encourage you to review the details related to data processing under Google Analytics, provided in Google’s explanations at: https://support.google.com/analytics/answer/6004245.
11. You can also change how cookies are used by your browser and block or delete them. To do this, adjust your browser settings. Most browsers offer options to accept or reject all cookies, accept only certain types of cookies, or notify you each time a site tries to save a cookie. You can also easily delete cookies that have already been saved on your device. Managing cookies depends on the browser you are using. You can find out how to do this for a specific browser by clicking “Help” in the browser’s menu. You can find step-by-step guidance for controlling and deleting cookies below:
• Google Chrome
• Safari (macOS)
• Mozilla Firefox
• Microsoft Edge
• Microsoft Internet Explorer
• Opera
12. Refusing, deleting, blocking, or restricting the use of cookies may cause difficulties or even prevent the use of the Website or Electronic Services.