Privacy Policy
PERSONAL DATA PROCESSING POLICY ON THE WEBSITE
This policy is for informational purposes and primarily outlines the rules regarding the processing of personal data by the Controller on the website, including the legal bases, purposes, and scope of personal data processing, as well as the rights of data subjects and information on the use of cookies and analytical tools.
§1 DEFINITIONS
- Controller – KNK Medical sp. z o.o., Górnicza 2/72, 60-107 Poznań, Poland, NIP: 6443399464, REGON: 240956379, KRS: 0000308778.
- Personal data – all information about an identified or identifiable natural person through one or more specific factors such as physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recording, contact details, location data, information contained in correspondence, or collected through recording devices or other similar technologies.
- Policy – this Personal Data Processing Policy.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
- Data subject – any natural person whose personal data is processed by the Controller.
§2 DATA PROCESSING
- In connection with its business activity, the Controller collects and processes personal data in accordance with applicable regulations, particularly the GDPR and the principles set out therein.
- The Controller ensures transparency in data processing, particularly by informing individuals at the time of data collection about the purpose and legal basis for processing—e.g., during the conclusion of a sale or service agreement. The Controller ensures that data is collected only to the necessary extent and retained only as long as needed for the specified purpose.
- The Controller ensures the security and confidentiality of data and guarantees access to information about the processing to data subjects. If, despite applied safeguards, a data breach occurs (e.g., data leak or loss), the Controller will inform affected individuals as required by law.
§3 CONTACT WITH THE CONTROLLER
- Contact with the Controller is possible via email at: info@knkltd.com or by mail at: KNK Medical sp. z o.o., Górnicza 2/72, 60-107 Poznań, Poland.
- The Controller has not appointed a Data Protection Officer.
§4 PERSONAL DATA SECURITY
- To ensure data integrity and confidentiality, the Controller has implemented procedures allowing access to personal data only to authorized persons and only to the extent necessary for their duties.
- The Controller uses organizational and technical measures to ensure that all data operations are logged and performed only by authorized personnel.
- The Controller also ensures that subcontractors and cooperating entities guarantee the use of appropriate security measures whenever they process personal data on behalf of the Controller.
- The Controller continuously analyzes risk and monitors the adequacy of safeguards in relation to identified threats. Additional measures are implemented as needed to improve data security.
§5 PURPOSES AND LEGAL BASIS FOR PROCESSING
- Personal data of all users visiting the Controller’s websites—including IP addresses and information collected via cookies or similar technologies—is processed for:
a) Providing electronic services and content from the website – legal basis: necessity for contract performance (Art. 6(1)(b) GDPR);
b) Analytical and statistical purposes – legal basis: legitimate interests of the Controller (Art. 6(1)(f) GDPR), involving analysis of user activity and preferences to improve functionalities and services;
c) Establishing or defending against claims – legal basis: legitimate interests of the Controller (Art. 6(1)(f) GDPR);
d) Marketing purposes – described in the “Marketing” section below.
- User activity on the Controller’s website, including personal data, is logged in system logs. These are processed primarily for service provision purposes, but also for technical, administrative, and security reasons, as well as analytical and statistical purposes – legal basis: legitimate interests of the Controller (Art. 6(1)(f) GDPR).
§6 MARKETING
- The Controller processes users’ personal data for marketing purposes, which may include:
a) Displaying non-personalized marketing content (contextual advertising);
b) Displaying marketing content tailored to user interests (behavioral advertising);
c) Conducting direct marketing (sending commercial information electronically or via telemarketing).
- In some cases, the Controller may use profiling, meaning automated data processing to analyze or predict user behavior. Legal basis: legitimate interests of the Controller (Art. 6(1)(f) GDPR).
§7 COOKIES AND SIMILAR TECHNOLOGIES
- Cookies are small text files installed on a user’s device when browsing the site. Cookies collect information to facilitate website use, such as remembering past visits and user actions. Legal basis: legitimate interests of the Controller (Art. 6(1)(f) GDPR).
- The Controller uses cookies primarily to provide services and improve their quality. Cookies may also be used by entities providing analytical and statistical services on behalf of the Controller. These include:
a) Session cookies with user input data (user input cookies);
b) Authentication cookies for services requiring login;
c) Security cookies to detect authentication abuses;
d) Session cookies for media players (e.g., Flash player);
e) Persistent cookies for user interface customization;
f) Cookies for website traffic monitoring (e.g., Google Analytics cookies). Google Analytics helps analyze user interactions, generate statistics and reports, and deliver behavioral advertising. Google does not use collected data for user identification. Details on this service can be found by searching: “Google – Privacy and Terms.”
§8 CONTACT FORMS AVAILABLE ON THE WEBSITES
- The Controller provides the possibility of contacting it via electronic contact forms available on the Controller’s websites. Using the form requires providing personal data necessary to contact the user and respond to the inquiry. The user may also provide other data to facilitate contact or handling of the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry; failure to provide such data will result in the inability to process the request. Providing other data is voluntary.
- Personal data is processed:
- for the purpose of identifying the sender and handling the request or responding to the question submitted via the contact form — the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in enabling the handling of requests and responses to questions, particularly from individuals interested in the Controller’s services;
- for the purpose of monitoring and improving service quality, including customer service — the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in enhancing the quality of services provided by the Controller.
§9 EMAIL AND TRADITIONAL CORRESPONDENCE
If correspondence is addressed to the Controller via email or traditional mail, the personal data contained in such correspondence is processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.
The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in conducting correspondence addressed to it in connection with its business activity.
The Controller processes only personal data relevant to the matter to which the correspondence pertains. All correspondence is stored in a manner that ensures the security of the personal data (and other information) it contains and is disclosed only to authorized persons.
§10 TELEPHONE CONTACT
- If contact with the Controller is made by phone, the Controller may request personal data only if it is necessary to handle the matter related to the contact. The legal basis in such a case is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in enabling the handling of requests and responding to questions from individuals interested in the Controller’s services.
- Phone calls may also be recorded — in such cases, appropriate information is provided at the beginning of the conversation. Calls are recorded to monitor the quality of services provided and to verify the performance of consultants. Recordings are available only to the Controller’s employees and persons operating the Controller’s helpline. The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in improving the quality of services provided by the Controller.
§11 SOCIAL MEDIA
The Controller processes the personal data of users visiting the Controller’s profiles maintained on social media platforms (Facebook, YouTube, Instagram, Twitter). These data are processed only in connection with the management of the profile, including for the purpose of informing users about the Controller’s activity and promoting various events, services, and products. The legal basis for processing personal data by the Controller in this regard is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in promoting its own brand.
§12 DATA COLLECTION IN OTHER CASES
- In connection with the business activities conducted, the Controller also collects personal data in other cases for purposes related to initiating and maintaining business contacts. The legal basis for processing in this case is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in creating a network of contacts in connection with the conducted business activity.
- The personal data collected in such cases are processed only for the purpose for which they were collected, and the Controller ensures their proper protection.
§13 DATA RECIPIENTS
- In connection with the business activities requiring data processing, personal data are disclosed to external entities, including in particular providers responsible for IT systems and equipment maintenance, entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data may also be disclosed to selected partners of the Controller, e.g. in the course of promotional campaigns joined by the data subject.
- The Controller reserves the right to disclose selected information concerning the data subject to competent authorities, services, or third parties that request such information, based on an appropriate legal basis and in accordance with applicable legal regulations.
§14 TRANSFER OF DATA OUTSIDE THE EEA
The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by European law. Therefore, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection ensured, primarily through:
- cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
- use of standard contractual clauses issued by the European Commission;
- use of binding corporate rules approved by the competent supervisory authority;
- in the case of data transfer to the USA — cooperation with entities participating in the Privacy Shield program approved by the European Commission.
- The Controller always informs about the intention to transfer personal data outside the EEA at the stage of their collection.
§15 DATA RETENTION PERIOD
- The period of data processing by the Controller depends on the type of service provided and the purpose of processing. The period of data processing may also result from legal provisions when they constitute the basis for processing. In the case of data processing based on the Controller’s legitimate interest, e.g. for security reasons, data are processed for a period that allows the fulfillment of this interest or until an effective objection to the data processing is submitted. If processing is based on consent, the data are processed until the consent is withdrawn. Where the basis for processing is the necessity to conclude and perform a contract, the data are processed until the contract is terminated.
- The data processing period may be extended where processing is necessary to establish or pursue claims or defend against claims, and after that period — only in cases and to the extent required by law. After the processing period expires, the data are irreversibly deleted or anonymized.
§16 RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
- Data subjects have the following rights:
a) Right to information about the processing of personal data – on this basis, the Controller provides information about the processing of data, in particular about the purposes and legal grounds for processing, the scope of the data held, the recipients of the data, and the planned retention period;
b) Right to obtain a copy of the data – on this basis, the Controller provides an electronic copy of the processed data concerning the requesting person;
c) Right to rectification – the Controller is obliged to correct any inaccuracies or errors in the processed personal data and to supplement the data if it is incomplete;
d) Right to erasure (right to be forgotten) – on this basis, one may request the deletion of data that is no longer necessary for the purposes for which it was collected;
e) Right to restriction of processing – upon such a request, the Controller ceases to carry out operations on personal data (except for those operations to which the data subject has consented) and only stores the data in accordance with the adopted retention policy or until the reason for the restriction ceases (e.g., a supervisory authority decision allowing further processing is issued);
f) Right to data portability – to the extent that the data is processed in connection with a contract or consent, the Controller provides the data in a format readable by a computer. It is also possible to request that the data be transferred directly to another entity, provided that such a transfer is technically feasible for both the Controller and the other entity;
g) Right to object to processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes without needing to justify such an objection;
h) Right to object to other purposes of processing – the data subject may object at any time to the processing of personal data based on the Controller’s legitimate interest (e.g., for analytical or statistical purposes, or for property protection); such objection must include justification;
i) Right to withdraw consent – if data is processed based on consent, the data subject has the right to withdraw it at any time, without affecting the lawfulness of processing before the withdrawal;
j) Right to lodge a complaint – if the data subject believes that the processing of personal data violates the GDPR or other data protection laws, they may lodge a complaint with the President of the Personal Data Protection Office.
§17 SUBMITTING REQUESTS RELATING TO THE EXERCISE OF RIGHTS
- A request to exercise data subject rights may be submitted:
a) In writing to the address: KNK Medical sp. z o.o., Górnicza 2/72, 60-107 Poznań, NIP: 6443399464, REGON: 240956379, KRS: 0000308778.
b) By email to: info@knkltd.com
- If the Controller is unable to identify the applicant based on the request, they will ask for additional information.
- The request may be submitted in person or through a representative (e.g., a family member). For data security reasons, the Controller encourages the use of a power of attorney certified by a notary or an authorized legal advisor or attorney, which will significantly speed up the verification of the request’s authenticity.
- A response should be provided within one month of receiving the request. If it is necessary to extend this period, the Controller will inform the applicant of the reasons for the delay.
- The response is provided by traditional mail unless the request was submitted by email or an electronic response was requested.
§18 FEE POLICY
- The procedure for handling requests is free of charge. Fees may only be charged in the following cases:
a) Request for a second and each subsequent copy of data (the first copy is free of charge); in such cases, the Controller may charge a fee of PLN 50. This fee covers the administrative costs related to fulfilling the request;
b) Excessive (e.g., very frequent) or clearly unjustified requests from the same person; in such cases, the Controller may charge a fee of PLN 150.
- This fee includes the costs of communication and the actions taken as requested.
- If the decision to charge a fee is disputed, the data subject may lodge a complaint with the President of the Personal Data Protection Office.
§19 CHANGES TO THE DATA PROCESSING POLICY
This policy is subject to ongoing updates and review.