Data Protection Policy

Introductory information

The personal data of our employees, our contractors and their employees are processed in accordance with national and European legislation and under conditions that ensure their security. In order to ensure the transparency of the processing we carry out, we present the applicable data protection principles established on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “RODO”)

Data controller

The controller, i.e. the entity that decides on the purposes and means of the processing of your personal data, is MDR Regulator with its registered office at 123A Jerozolimskie Avenue, 02-017 Warsaw (hereinafter referred to as “MDR Regulator” or “Administrator”). In matters related to the processing of your personal data you can also contact us by e-mail at:

Data acquisition and purpose of data processing

In carrying out our business functions, we process personal data for the following purposes:

1) Conclusion and performance of a contract with a customer or contractor, Article 6(1)(b). b andlit. f of the RODO, data retention period: for the duration of the contract and, after its termination, until the expiry of the time limits for claims arising therefrom, in principle 3 years, maximum 6 years. In connection with actions taken for the conclusion of a contract or its execution, employees/co-workers of customers and contractors are contacted for a legitimate purpose.

2) Processing of personal data for public relations, social
media,advertising activities,
on the basis of Article 6(1)(a)(f) RODO, personal data will be stored until you request to withdraw your consent to the processing of personal data.
Personal data is processed for the purposes of publicity activities, communication on social networks, sending information through newsletters, and other related activities.

3) Handling of complaints and claims, Article 6(1)(b) and (f) RODO, period Data retention: for 1 year after expiry of the warranty or settlement of the claim. The administrator, in connection with the processing of complaints, contacts the clients’ employees/co-workers for a legitimate purpose.

4) Redress or defence of legal claims, Art. 6(1)(b). 1(f) RODO, a retention period for the duration of the proceedings in respect of the claims asserted, i.e. until their final conclusion and, in the case of enforcement proceedings, until the final settlement of the claims asserted. The controller in connection with the assertion or defence of legal claims for a legitimate purpose may process the data of employees/co-workers of clients or contractors.

5) Archiving of documents, i.e. contracts and billing documents, Article 6(1)(c) of the RODO, duration of data retention: for the periods indicated by the law and, if no such periods are indicated for certain documents, for the duration of their retention within the legitimate purpose of the controller regulated by the time of possible redress.

6) Keeping statistics Article 6(1)(f) RODO, retention period: until the other processing operation indicated in this table is carried out. We do not store personal data solely for statistical purposes. Having information about the statistics of the activities carried out by the Controller allows us to improve our activities

7) Conducting marketing activities without the use of resources
electronic communications,
Article 6(1)(f) of the RODO, until you object, i.e. show us in any way that you do not wish to remain in contact with us and receive information about our activities.
Conducting marketing activities to promote the business.

8) Conducting marketing activities using electronic communication, Article 6(1)(a) RODO, these activities, due to other applicable regulations, in particular the Telecommunications Act and the Act on the provision of electronic services, are carried out on the basis of the consents held. Until or unless you withdraw your consent, i.e. show us in any way that you do not wish to stay in contact with us and receive information about the activities we undertake, and after revocation for the purpose of demonstrating the correctness of the fulfilment of the Administrator’s legal obligations and related claims (up to 6 years after revocation of consent).
Conduct marketing activities to promote the business using email addresses and telephone numbers.

9) Monitoring on the premises belonging to the data controller for the purposes of enhancing employee safety and property protection and maintaining the confidentiality of information. Article 6(1)(c) and (f) RODO , video recordings are processed only for the purposes for which they were collected and shall be stored for a period not exceeding 3 months from the date of the recording, unless the recording constitutes evidence in proceedings, in which case until the proceedings have become final or until an objection is lodged. Conducting access control for persons on the administrator’s premises is a legitimate purpose of the administrator and, in the case of employees, stems from a legal provision (Article 222 of the Labour Code).

10) Recruitment
Article 6(1)(a), (c) and (f) of the DPA, up to 6 months after the end of the recruitment process and, in the case of consent for further recruitment processes, up to one year. The controller, without the additional consent of the data subject, may keep the data of job applicants who have not yet been hired until 6 months after the recruitment process as a legitimate purpose of the controller due to the fact that the hired employee/co-worker may not perform well in the job or may resign.

11) Management of human resources – employees and associates
Article 6(1)(a), (b), (c) and (f) RODO , Article 9(2)(b) RODO In accordance with the current regulations applicable to the archiving of employment law documents, i.e. personal files for 50 years, in some cases for 10 years. A 10-year retention period for documentation related to the employment relationship and the employee’s personal file will apply for all employees hired after 1 January 2019. For employees hired after 31 December 1998 and before 1 January 2019, the documentation related to the employment relationship and the employee’s personal file will be kept for 50 years from the date of termination or expiry of the employment relationship,

The administrator uses the image only on the basis of the employee’s/co-worker’s consent.

If the retention period for selected documents is shorter, the administrator will respect this shorter period. In the case of civil law contracts, these contracts will be kept until the expiry of the limitation periods for claims arising from them.

If the periods relevant for the assertion of possible claims are shorter than the periods for the retention of tax settlement documents, we will retain these documents for the time necessary for tax settlement purposes, i.e. for 5 years from the end of the year in which the tax obligation was incurred.

Recipients of data

In connection with its activities, MDR Regulator will disclose your personal data to the following entities:

Eligibility for data processing and voluntary data provision

Any person whose data is processed by the Controller has the right to:

More information on data subjects’ rights is available in Articles 12-23 of the RODO, the text of which can be found at:

Furthermore, the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for the Protection of Personal Data, more information at:

Do you have to give the MDR Regulator your personal data?

The provision of data is necessary for the conclusion of contracts and the settlement of business activities and for the Administrator to comply with legal requirements. This means that if you wish to use the services offered by the Administrator or become an employee/co-worker, you must provide your personal data.
For the rest (in particular for the processing of data for marketing purposes), the provision of data is voluntary.

Transfers of data to third countries

Data will be processed in the European Economic Area due to the ICT solutions provided by Microsoft being used.

Processing of personal data by automated means

Personal data will not be processed by automated means (including profiling) in such a way that any decisions could be made as a result of such automated processing, that any other legal effects would be produced or that our customers, contractors and their employees/co-workers would otherwise be materially affected.

Updated 31.01.2024.