
Data Processing Terms and Conditions of EXTREGO Sp. z o.o.

In connection with the execution of a transport or forwarding order (hereinafter referred to as the order), the parties transfer and process the personal data of their employees, subcontractors, and contractors who will participate in the execution of the order.

Therefore, it has become necessary to establish the rules for the processing of personal data.

The parties agree that the processing rules set out below regulate their rights and obligations related to the processing of personal data. The parties have identical rights and obligations to the extent that they mutually transfer personal data for processing.

  1. Under the terms specified in these regulations and in accordance with the conditions of cooperation prevailing between the parties, the parties process personal data (as defined by GDPR). The parties act as individual data controllers in connection with the processing of personal data, which processing is necessary for the performance of obligations arising from the order and is carried out exclusively in accordance with the received instructions.
  2. The parties declare that they have the legal basis for processing the personal data they transfer and have taken all actions required by law.
  3. The parties are aware that the data transferred by them may be further transferred outside the European Economic Area (EEA) if necessary to carry out specific orders, especially to countries such as: United Kingdom, Switzerland, Ukraine, Turkey, Serbia, Morocco, Bosnia and Herzegovina, Macedonia, etc. In some of these cases, the Commission has not determined an adequate level of protection by the third country, territory, or specified sectors in those third countries or international organizations to which personal data will be transferred. The parties apply appropriate and proper safeguards for the transferred personal data. The parties have the possibility to obtain a copy of the data or information about where the data transferred outside the EEA is made available.
  4. The parties declare that in connection with the arrangements set out in point 3, they have informed all entities whose data they transfer about their transfer outside the EEA and have provided them with the appropriate information required by law.
  5. Processing will be carried out for the period in which the parties remain in business relations or until the withdrawal of consent for processing personal data.
  6. Personal data will be processed for the purpose of executing services consisting of carrying out orders, facilitating and supervising their execution, enabling contact between the parties and their subcontractors with employees, subcontractors, and contractors, and additionally enabling specific legal actions if necessary.
  7. Processing will include personal data necessary for the performance of services. Data processing will concern the following categories of persons: employees, subcontractors, contractors, members of the Management Board. Data processed by the parties includes, among others, identification data, identity confirmation data, and contact data.
  8. The parties have the following obligations:
  9. Compliance with the GDPR Regulation;
  10. Restricting access to data exclusively to persons whose access to data is necessary for the execution of the order and who have the appropriate authorization (Art. 25(2) GDPR);
  11. Personnel training. The parties are obliged to provide persons authorized to process data with appropriate training in the field of personal data protection.
  12. The parties are obliged to cooperate in the implementation of the Regulations, provide explanations in case of doubts as to the legality of processing, and fulfill their specific obligations promptly.
  13. The parties ensure and commit to comply with the provisions of generally applicable law and the provisions of these Regulations.
  14. The parties inform each other about any suspicion of data protection breaches no later than within 24 hours from the first report of such a breach, thereby enabling participation in explanatory actions and informing about the findings at the moment they are made, in particular about the detection of a breach or its absence.
  15. The parties are liable for damages caused by their actions in connection with the non-fulfillment of obligations which GDPR directly imposes on the parties. The parties are also liable for damages caused by the application or non-application of appropriate security measures.
  16. The parties are obliged to retain documents constituting proof of data processing in accordance with applicable regulations and in connection with the services performed for the appropriate retention periods after the end of cooperation.
  17. Data transfer is made on the terms specified in these Regulations. It includes personal data required to carry out orders.
  18. Data transfer arises from the nature of the relations between the parties, particularly necessary for the execution of orders and supervising their execution, enabling contact between one party (contractor) and its contractors and subcontractors with subcontractors and contractors of the other party.

Information Clause

Pursuant to Articles 12 and 13 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) in relation to the concluded contract, we inform you that:

  1. The Data Controller of personal data is the company from the EXTREGO group. Companies of the EXTREGO group include:
     a. EXTREGO Sp. z o.o., located in Świlcza (Świlcza 146E 36-072 Świlcza KRS: 0001001810 REGON: 380202918 NIP: 8133781093).
     b. Extrego Express Sp. z o.o., located in Świlcza (Świlcza 146E 36-072 Świlcza KRS: 0000801724 NIP: 5170401462 REGON: 384252735).
     Contact details of Joint Controllers: email: contact@extrego.com. The content of the arrangements between Joint Controllers can be found at: https://www.extrego.com/uzgodnienie-pomiedzy-wspoladministratorami.
  2. We inform you that EXTREGO Sp. z o. o. has appointed a Data Protection Officer – Mr. Łukasz Ważny. You can contact the Data Protection Officer via email rodo@extrego.com or in writing at the Data Controller’s address (Świlcza 146E 36-072 Świlcza).
  3. Joint Controllers have decided to establish a joint contact point, which you can contact regarding matters related to the protection of personal data through the contact form located at https://www.extrego.com/kontakt, by sending an email to rodo@extrego.com, or in writing at the address of the Joint Controllers (Świlcza 146E 36-072 Świlcza).
  4. Personal data will be processed for the purposes of:
     1. executing the contract or taking actions at the request of the person the contract concerns based on Article 6(1)(b) GDPR and possible defense against claims or their assertion based on Article 6(1)(f) GDPR;
     2. accounting and tax settlements based on Article 6(1)(c) GDPR;
     3. based on Article 6(1)(a) GDPR – for purposes resulting from the consent given for the processing of personal data in cases where they are processed on this basis.
  5. Providing personal data in terms of identification, contact, and billing data is necessary to conclude and perform the service contract. Failure to provide these data will prevent the conclusion of the contract and the performance of the service. Provision of other data is voluntary but failing to provide it will prevent contact and sending offers.
  6. Personal data will be processed for a period of 6 years from the date of contract performance, with exceptions regarding data processed on the basis of given consent, which will be processed until the consent is withdrawn or the purpose of processing ceases.
  7. The recipients of personal data are persons authorized by the data controller, entities authorized under the law, and external entities within signed contracts, particularly: server and email hosting providers, external payroll and accounting services, and external entities providing payroll and accounting software, entities providing TMS transport management software, and entities providing services supporting the performance of freight and transport services.
  8. We inform you of the right to:
     1. access your data, their rectification, restriction of processing, and to data deletion;
     2. transfer personal data to another controller if technically feasible, and the right to receive a copy of the data in a structured format, which can only be used when processing is done in an automated manner;
     3. withdraw consent for data processing, which does not affect the lawfulness of the processing carried out before the withdrawal of consent;
     4. lodge a complaint with the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw, kancelaria@uodo.gov.pl;
     5. object to the processing of personal data in case of possible defense against claims or their assertion.

You may exercise these rights (except for the right to lodge a complaint with the Office for Personal Data Protection) by contacting any of the Joint Controllers or by making a request through the joint contact point established by the Joint Controllers as indicated in point 3 of this information clause.

  9. Personal data will not be subject to automated decision-making or profiling.
  10. In specific cases (i.e., when performing a transport order on behalf of a contractor/recipient of the cargo/sender of the cargo having its seat outside the European Economic Area (i.e., United Kingdom, Switzerland, Ukraine, Turkey, Serbia, Morocco, Bosnia and Herzegovina, or North Macedonia)), data may be transferred outside the European Economic Area. Switzerland, according to the European Commission’s decision no. 2000/518/EC and the United Kingdom according to the European Commission’s decisions marked C(2021) 4800 final and C(2021) 4801 final, ensure an adequate level of data protection. Given that the legal regulations in force in Turkey, Serbia, Morocco, Bosnia and Herzegovina, North Macedonia, and Ukraine do not guarantee the protection of personal data on a par with the regulations applicable in the European Union, the Administrator applies standard contractual clauses to secure the transferred data. In all the aforementioned cases, data will be transferred based on Art. 46(2)(c) or Art. 49(1)(b) or (c) GDPR. A copy of the standard contractual clauses applied by the Administrator can be obtained at the Administrator’s headquarters. Except for the aforementioned exceptions, data will not be transferred to third countries and international organizations.