Privacy Policy

 

§1. Preliminary provisions

Synthos S.A., with its registered office in Oświęcim, respects every person’s fundamental right to privacy. Synthos S.A. strives and makes every effort to ensure: 1) the confidentiality and protection of the personal data we process; 2) that the processing of such data is carried out in accordance with the law and with respect for the fundamental rights and freedoms of data subjects; and 3) that the adopted safeguards and rules regarding the use of the information stored in our databases guarantee confidentiality and security.

Consequently, pursuant to Article 20(1) of the Act of 18 July 2002 on the provision of services by electronic means (consolidated text: Dz.U. [Journal of Laws] of 2024, item 1222, as amended) and to the Act of 12 July 2024 – the Electronic Communications Law (consolidated text: Dz.U. [Journal of Laws] of 2024, item 1222, as amended), Synthos S.A. introduces this Privacy and Cookies Policy, hereinafter also referred to as the “Policy”.

§2. Information on the processing of personal data

  1. As you use the services offered on the website, you may be asked to provide certain personal data. We will only request the data that are necessary in relation to the purposes for which they will be processed.
  2. The controller of your personal data is Synthos S.A., with its registered office in Oświęcim (address: ul. Chemików 1, 32-600 Oświęcim), entered into the register of entrepreneurs of the National Court Register under KRS number: 0000038981, whose registration files are kept by the District Court for Kraków Śródmieście in Kraków, 12th Commercial Department of the National Court Register, Tax Identification Number (NIP): 5490002108, REGON number: 070472049, hereinafter referred to as “Synthos” or the “Controller”.
  3. You can contact the Controller via the dedicated contact form, available on the website under the “Contact” tab, or by email at .
  4. In order to ensure the highest standards of personal data protection, the Controller has appointed a Data Protection Officer (DPO). In all matters concerning the processing of personal data and, in particular, the exercise of your rights related thereto, you can contact the DPO at the following email address: .

§3. Terms of personal data processing

This paragraph covers, among others, the purposes for which we process your personal data and the legal basis for such processing.

The provision of personal data is voluntary, but necessary for the use of certain services on our website.

  1. Synthos S.A. may process the following types of data: company names (in the case of sole proprietorships), the first and last names of company representatives, the address of each company’s registered office (street, city, postcode), contact data (phone numbers, email addresses), information on invoice recipients (if disclosed), data related to the delivery of goods as well as any other data you disclose when placing an order in the online shop or filling in the contact form (or any other form available on the website). Data may also be collected (to the extent permitted by law) to fulfil legal obligations imposed on the Controller in connection with the conclusion of a contract.
  2. Personal data may be collected in connection with the use of the website as well as for the following purposes and to the extent necessary to:
    1. perform a contract (pursuant to Article 6[1][b] GDPR), which includes:
      1. ensuring that the Controller is able to exercise its powers (as an “obliged entity” providing bookkeeping services to entities within the Synthos Group) for the purpose of applying financial security measures, i.e. to process the information contained in the identity documents of a client and a person authorised to act on its behalf, to make copies of such information and to analyse transactions carried out within the framework of the clients’ business relations – to the extent permitted by law and pursuant to Article 6(1)(c) GDPR, in conjunction with Article 34 of the Act on counteracting money laundering and financing of terrorism (the AML/CFT Act);
      2. taking measures necessary for the conclusion of a contract, i.e. assessing clients’ credibility, minimising the risk of liquidity loss as well as estimating financial risks for transactions with the use of publicly available sources and the services of credit information agencies – pursuant to Article 6(1)(f) GDPR; the data regarding companies are obtained from sources such as the Commercial Gazette (Monitor Gospodarczy), the Dun & Bradstreet entity, prospectuses, business activity registers, the statistical office and the Chambers of Commerce; the scope of such data includes: entries in the National Court Register (KRS) and the Central Register and Information on Economic Activity (CEIDG) as well as information on whether the business is active and whether the person signing an order/contract is authorised to do so – we confirm whether the necessary powers of attorney are in place, check the duration of business activities and determine whether the company is subject to restructuring proceedings or other procedures specified under bankruptcy law; depending on the level of risk, we may also obtain other data about entities – to the extent necessary for the analysis and assessment of financial risk;
      3. receiving and processing orders placed in the Synthos Direct online shop (incl. those placed via the provided order form), i.e. for the purpose of concluding and performing sales agreements, which includes making financial settlements and organising the delivery goods – pursuant to Article 6(1)(b) GDPR; the scope of data processed in connection with the execution of orders: first and last name, company name, Tax Identification Number (NIP), address of the company’s registered office, phone number, email address, invoice recipients (if provided), order notes (optional) and data necessary for the delivery of goods (drivers’ details);
      4. enabling the Controller to handle complaints and fulfil its legal obligations under accounting and tax laws, which includes meeting the financial and tax reporting requirements as well as assuming liability for physical and legal defects (resolving complaints), as set forth in these laws – pursuant to Article 6(1)(c) GDPR; the scope of data: first and last name, company name, Tax Identification Number (NIP), address of the company’s registered office, order number, data related to invoices as well as other data as required by law;
      5. using transmission data, preparing summaries, conducting analyses, keeping statistics and generating reports within the Synthos Group, i.e. fulfilling internal administrative purposes in order to pursue the Controller’s legitimate interest – pursuant to Article 6(1)(f) GDPR;
    2. carry out marketing activities with the use of telecommunications terminal equipment and automated calling systems (in accordance with Article 6(1)(a) GDPR); such activities include:
      1. broadening the base of Newsletter subscribers, which allows such persons to receive messages from Synthos S.A. and other companies within the Synthos Group, including marketing and information materials concerning the Synthos Group companies – based on the Controller’s legitimate interest (in accordance with Article 6[1][f] GDPR) and your consent to receive marketing content; the scope of data: the indicated email address;
      2. sending commercial information (e.g. as part of direct marketing of products and services); such marketing communication activities shall only be conducted on the basis of your additional consent to the use of automated calling systems (automated email and SMS campaigns) and telecommunications terminal equipment (phone number and email address) – in accordance with the requirements of the Electronic Communications Law and the Act on the provision of services by electronic means;
        the legal basis for activities related to the provision of commercial information, including direct marketing, shall be:
        • each person’s consent (in the case of attracting new, potential clients where no business or contractual relationship has been established, or for other purposes that have not been previously indicated) – pursuant to Article 6(1)(a) GDPR;
        • the Controller’s legitimate interest (in the case of an existing relationship with a client), which includes providing information about new products, sending surveys related to the execution of contracts and orders (e.g. product surveys), using transmission data for billing purposes as well as preparing analyses, statistics and summaries aimed at improving the effectiveness of our marketing activities and developing our business strategy – in most cases, such statistics are based on non-personal or anonymised data;
    3. answer questions submitted via the contact forms made available to users, i.e. for the purpose of pursuing our legitimate interest which involves communicating with users of the website – pursuant to Article 6(1)(f) GDPR; the scope of data: first and last name, company name, email address, phone number (optional);
    4. establish, assert and secure potential claims arising in connection with the Controller’s activities, i.e. for the purpose of pursuing our legitimate interest – pursuant to Article 6(1)(f) GDPR;
    5. carry out the recruitment process, which includes undertaking recruitment activities aimed at selecting the right person from among the job applicants, taking steps at the request of the data subject prior to the conclusion of a contract in connection with the employer’s rights under the provisions of the Labour Code (Art. 22.1) and pursuant to Article 6(1)(b) GDPR as well as obtaining the applicant’s consent to the processing of data after the completion of recruitment as part of the Talent Pool for the purposes of future recruitment (pursuant to Article 6[1][a] GDPR); for detailed information about the processing, please go to the CAREER tab and read the privacy notice;
    6. carry out the whistleblowing process, which includes receiving reports via the zalezynam.pl app, verifying their validity and taking appropriate follow-up action, as well as ensuring protection of whistleblowers in accordance with Article 6(1)(c) GDPR; the scope of data: first and last name, email address, phone number and any other information provided by the whistleblower.
  3. Data processing periods:
    1. in the case of entering into a contract and/or receiving and handling an order placed in the Synthos Direct online shop, the data shall be processed for the period necessary to handle and complete the order as well as after this period, to the extent required by law – for archiving purposes and for the period of limitation of claims;
    2. in the case of implementing the AML procedure pursuant to Article 49 of the Act of 01 March 2018 on counteracting money laundering and financing of terrorism, the obliged entities shall store the data for a period of 5 years, counting from the date of termination of the business relationship with a client or from the date of carrying out an occasional transaction, or – at the request of the General Inspector of Financial Information – for an additional period, which shall not exceed 5 years;
    3. in the case of assessing creditworthiness and analysing financial risks, the data shall be processed for the duration of the contract;
    4. in the case of including a new person in the list of Newsletter subscribers, the data shall be processed for the period during which the Newsletter service is provided or until the subscriber withdraws his/her consent to the provision of this service by electronic means or successfully objects to the processing of his/her data;
    5. the processing of data for marketing purposes shall be carried out until you withdraw your consent or successfully object to the processing (only applicable to data processed on the basis of the Controller’s legitimate interest);
    6. in the case of responding to a question submitted via the contact form, the data shall be processed for the period necessary to respond to such a question and after this period – until a valid objection to the processing of such data is submitted;
    7. in the case of establishing, asserting and/or securing potential claims arising in connection with the services provided on the website, the data shall be processed for the period necessary to secure such claims in accordance with generally applicable law;
    8. in the case of carrying out a recruitment process, the Controller shall process your personal data until the end of said process, for a maximum period of 12 months or – in relation to the subsequent recruitment processes as part of the so-called Talent Pool – for 36 months or until you withdraw your consent;
    9. data related to whistleblowing shall be processed for a period of 3 years after the end of the calendar year in which follow-up actions were completed, unless further storage is necessary due to planned or pending legal proceedings; in such cases, personal data shall be stored until the proceedings are concluded or the statute of limitation on claims expires.
  4. Whenever we ask you to provide any personal data, we shall inform you in detail about the terms of their processing by Synthos S.A. or any other company within the Synthos Group.

§4. Rights of data subjects

  1. Right of access to data – Art. 15 GDPR. As a data subject, you may request information about the processing of your data and obtain a copy thereof.
  2. Right to rectification of data – Art. 16 GDPR. As a data subject, you may request for your data to be rectified or updated.
  3. Right to erasure – Art. 17 GDPR. As a data subject, you may request the erasure of your data in situations provided for by law. However, such erasure will not be possible, among others, if claims are pursued or during the period when we are legally obliged to process the data (e.g. due to tax regulations).
  4. Right to restriction of processing – Art. 18 GDPR. As a data subject, you may request the suspension of all data processing operations under the conditions and for the period provided for by law.
  5. Right to data portability – Art. 20 GDPR. As a data subject, you may request for your data to be transferred to another, explicitly indicated, controller.
  6. Right to object to the processing of your data – Art. 21 GDPR. As a data subject, you may object to the processing of your data at any time. Synthos S.A., as the Controller, shall review the request and may refuse to comply with it in the event that the legal grounds for data processing override the interests of the requesting party or if the right to object to data processing does not apply under the law.
  7. The right to withdraw consent to the processing of data for marketing purposes. To withdraw the consent, please contact us using the contact details indicated above. The withdrawal of consent shall not affect the validity and lawfulness of the processing carried out prior to such withdrawal.
  8. The right to lodge a complaint with the President of the Personal Data Protection Office – if you believe that the processing of your personal data violates the provisions of the GDPR.

§5. Who may have access to your data?

  1. Synthos S.A. shares your personal data with its business partners as well as entities providing IT, postal, courier, HR & payroll, marketing, legal, archiving and accounting services. Recipients of your personal data may also include other companies within the Synthos Group (as part of the processing of data for internal administrative purposes) as well as entities providing creditworthiness reports (Dun & Bradstreet) and/or companies providing insurance services. Detailed information regarding the identity of data recipients can be found in the relevant privacy notices made available in connection with the services you use.
    Your data may also be transferred to entities authorised to access them in accordance with generally applicable law (e.g. police, courts, tax authorities).
    Some data recipients may be based in countries outside the European Economic Area (EEA). In such cases, the Controller shall ensure that appropriate safeguards are in place so as to protect data subjects. The transfer of data to countries outside the EEA may take place in connection with, for example, activities carried out on social networking sites as well as the use of plug-ins and other tools linked to these sites (e.g. Facebook, Twitter, LinkedIn, YouTube).

§6. Protection of personal data

  1. Synthos undertakes to protect your personal data in accordance with applicable regulations, in particular to refrain from disclosing your data to third parties and to process the data only for the purposes set out in the Privacy and Cookies Policy of the https://www.synthosgroup.com/ website.
  2. Personal data shall be protected against: 1) disclosure to or access by unauthorised persons; 2) destruction, loss, damage or alteration; and 3) unlawful processing.
  3. Synthos takes appropriate security measures to protect your data. Such measures include suitable storage and processing procedures, internal controls in relation to the data collected and their processing, as well as physical and IT security measures aimed at preventing unauthorised access to the systems in which we store personal data.
  4. Your personal data will not be subject to automated processing, including profiling.

§7. Cookies Policy
Cookies – definition and use

  1. When you use this website, text files known as cookies are collected. Such files may contain personal data, including your computer’s IP address and a unique device identifier. Cookies are not stored on Synthos’ servers. In addition, the data stored in cookies are read only during your visit to the website. For more information about cookies, please visit https://www.aboutcookies.org/.
  2. The legal basis for the collection of your data stored in cookies is Article 6(1)(f) GDPR, which stipulates that the processing of personal data is lawful provided that it is necessary for the purposes of the legitimate interests pursued by the controller.
  3. The above legitimate purposes which require the use of data obtained by reading cookies include:
    1. adjusting the website according to the individual settings of each user and saving data related to his/her use of the website, e.g. language preferences;
    2. conducting statistical analyses concerning the website’s users in accordance with the needs of its administrator (operator), e.g. website traffic statistics.
  4. Cookies processed by Synthos include:
    1. the cookies necessary to ensure the correct functioning of certain elements of the website and to maintain the connection to the server;
    2. the cookies used for website traffic analysis in order to measure the effectiveness of advertisements and to tailor their content to users’ expectations;
    3. the cookies that remember each user’s website settings (e.g. language version) – in accordance with his/her cookie preferences.
  5. When you visit www.synthosgroup.com, you remain anonymous as long as you do not explicitly decide otherwise. The information contained in the system logs (e.g. IP address) is used by Synthos for technical purposes related to the administration of our servers. In addition, IP addresses are used to collect general statistical demographic data, e.g. information about the region from which you access the website.
  6. The hosting company cooperating with Synthos uses the information contained in the system logs in connection with general Internet connectivity principles only for technical and statistical purposes.

§8. Your rights in relation to the use of cookies by the website

  1. Synthos would like to inform you that most web browsers allow the storage of cookies on your device by default. However, you are free to change the browser’s configuration at any time in order to block the collection of new cookies and/or delete the files which are already stored on your device. To do so, please follow the instructions applicable to the browser you currently use:
  2. Please note that if you choose to disable cookies (by changing the settings of the browser you use to access our website, as described above), some or all features of the website may be limited or unavailable.
  3. You are free to access your data collected through the analysis of cookies which are stored on your device and used by the website. You may also delete such data at any time.
  4. You have the right to request the erasure of data which pertain to you and have been collected by Synthos, the right to object to their processing, as well as the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office.

§9. Final provisions

In case of any questions regarding the Privacy and Cookies Policy of the https://www.synthosgroup.com/ website, please contact us using the contact details indicated in §2 above.