GDPR • Trzech Kumpli craft brewery, craft beers, craft beer

Information clause

Dear Sir or Madam,

When you conclude a contract with us, place an order, contact us to ask a question, want to receive information about our offer, you provide your personal data to us (e.g. name, surname, telephone number, e-mail address).

Carrying out the so-called information obligation arising from Art. 13 of the Regulation (EU) 2016/679 of the European Parliament and the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), we would like to inform as follows:

1. The Controller of your personal data is the company: Browar Trzech Kumpli sp. zo.o. with registered office in Tarnów at ul. Langiewicza 5/37 (hereinafter the Data Controller). Contact with him is possible at the following e-mail address: piotr.sosin@trzechkumpli.pl.

2. The purposes of data processing and legal basis:

when you contact us to conclude a contract, we process your data in order to take actions at your request before concluding the contract, e.g. conducting negotiations, sending an offer (legal basis of Art. 6 section 1 letter b GDPR);
in the event of concluding a contract with you, we process your data:
- in order to perform the contract, which includes contact related to the execution of the contract, payment and settlement services, response to any complaints, requests (legal basis of Art. 6 section 1 letter b GDPR);
- in order to carry out the legal obligations of the Data Controller, including tax obligations, issuing VAT invoices (legal basis of Art. 6 section 1 letter c GDPR);
- for archiving data and documents, pursuing possible claims, defending legitimate interests (legal basis of Art. 6 section 1 letter f GDPR);
in the event of queries to us via the contact form, we process your data to answer this query, on the basis of your voluntary consent (legal basis of Art. 6 section 1 letter a GDPR).

3. Providing data is voluntary, but necessary to achieve the purposes set out in point no. 2. If you do not provide data, it will not be possible to conclude and perform the contract (order execution), send an offer or answer your question.

4. You have the right to request access to the content of your personal data and to rectify it, delete or limit processing, as well as the right to object to the processing of your personal data. You have the right to receive from us your personal data in recorded form that allows it to be transferred or you can request the transfer of such data directly to another entity. If your data is processed on the basis of your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of data processing prior to withdrawal of consent. If you have doubts whether your data is processed in accordance with the law, you can lodge a complaint with the supervisory authority – the President of the Data Protection Office.

5. The data you provided will be made available to the following categories of recipients:

courier companies, postal operators, shippers,
accounting offices,
banks,
business information and credit information offices,
law firms,
IT companies,
tax offices
entities or bodies authorized on the basis of legal provisions (including courts, prosecutors, bailiffs, regulatory and supervisory bodies).

6. Please be informed that you will not be subject to a decision that is based solely on automated processing, including profiling.

7. The Data Controller does not intend to transfer personal data to a third country or international organization.

8. Personal data obtained in connection with the conclusion of the contract will be stored for the period necessary to achieve the purposes of this contract, and after the termination of the contract – until the time limitation for the claims of the Data Controller or against him. Data processed in order to implement the legal obligation of the Data Controller will be stored until the obligation is fulfilled; data processed in connection with the Controller’s legitimate interest – until it is completed or your objection is effective. Data obtained on the basis of your consent (as in the case of contact via a contact form) will be processed until the consent is withdrawn.

Principles for the processing of personal data

Principle of legality and reliability

Personal data can only be processed if there is a so-called legal basis for data processing, i.e. at least one of the following conditions exists

the data subject has consented to the processing of their personal data,
the processing is necessary to perform the contract concluded with the data subject or take action at the request of the data subject before concluding the contract,
processing is necessary to fulfill the legal obligation of the Controller,
processing is necessary to protect the vital interests of the data subject or another natural person,
processing is necessary to perform a task carried out in the public interest or within the frames of public authority vested in the Controller,
processing is necessary for purposes arising from legitimate interests carried out by the Controller or by a third party.

Principle of minimization

The Controller who processes personal data should only process data that is necessary and proportionate to the given aim pursued.

Personal data should be processed only in cases where the purpose of the processing cannot be reasonably achieved by other means. Each data processing entity must consider whether the data processed, as well as their type, are adequate, relevant and limited to what is necessary for the purposes for which they are processed.

The Controller should not collect data unnecessary from the point of view of the purpose of processing or accumulate data in the case they were to be useful in the future.

Principle of purpose

The Controller may process personal data only in accordance with a specific, explicit and legitimate purpose. When specifying the purpose, general descriptions of the purposes of the processing should be avoided.

This principle is connected with the information obligation, i.e. with the need to inform the interested by the Controller about the purpose of personal data processing.

Principle of accuracy

Personal data should be complete, true, and should correspond to the current state. The Controller is obliged to ensure the correctness of data, update the data in the event of any incorrectness or incompleteness, and to rectify it at the request of the data subject

Principle of transparency

Information provided to data subjects should be easily accessible, understandable and in clear and simple language.

Principle of data integrity and confidtiality (data security)

The Data Controller is obliged to process data in a way that ensures their security.

The data should be secured against unauthorized or unlawful processing of data and their accidental loss, destruction or damage. For this purpose, the Controller should use appropriate technical and organizational measures.

Principle of limiting data storage

Personal data may be stored for a period not longer than necessary to achieve the given purpose of processing.

Principle of accountability

The Controller should implement appropriate and effective measures that will ensure compliance with the obligations and requirements of the GDPR and be able to demonstrate compliance with the principles regarding the processing of personal data and that the means used meet the obligations and requirements of the GDPR

The choice of means depends on the Controller and the identified and estimated threat to the security of personal data.