for contractors

Personal data protection under the General Data Protection Regulation (GDPR)

The administrator is Kuźnia Sułkowice S.A., which concluded a contract or cooperates with the contractor based on permanent or one-off orders.

In this clause, we inform you about the ways in which personal data is used and about the rights of individuals related to the collection and use of such data. If you have any questions or comments, please contact us by e-mail:

The scope of information

In this clause, Kuźnia Sułkowice S.A. (hereinafter: the Company) informs about all forms of using personal data in Poland in relation to natural persons who are:

suppliers or contractors of the Company,
subcontractors of suppliers or contractors of the Company,
partners, employees, statutory representatives, proxies, representatives of suppliers, contractors or their subcontractors, other persons whose data we process for the purposes of issuing or executing invoices as part of cooperation with suppliers or contractors (jointly “you” or “Contractors”).
Types of processed personal data

Data provided by Contractors

In connection with the cooperation between you and the Company, which may involve, in particular, the provision of services by you or the organization you represent or the delivery of goods to the Company or cooperation by intermediaries, we may process personal data provided by you, such as:

name and surname, company, business address and correspondence addresses,
numbers in the relevant registers (e.g. NIP or REGON number, PESEL number),
contact details, such as e-mail address or telephone or fax number,
position held by you within your organization or function,
possessed permissions,
Bank account number.

In the case of concluding a contract directly between you and the Company, providing the data specified above is voluntary, but necessary for the purposes of concluding the contract and handling cooperation between you and the Company. This also applies to a situation where the Company orders goods or services from you periodically or once.

If you do not conclude a contract directly with the Company, providing your personal data may be your official duty or may be necessary to conclude a contract between you and a third party (e.g. when you are a contractor’s subcontractor). The consequence of failure to provide data is the inability to perform the above actions by the Company (for example, failure to provide data may result in the inability to perform or issue an invoice).

Contact details of the Contractors indicated in points a) -f) will be processed by the Company as the data administrator for the purpose of creating the Contractor Database.

Data collected from other sources

We may obtain your personal data from publicly available sources, such as the CEIDG or KRS business registers, in order to verify the information you provide. In such a case, the scope of processed data will be limited to data available to the public in the relevant registers.

We may also obtain your personal data from entities in which you are employed or which you represent. In such a case, the scope of processed data will include information necessary to support cooperation and contact with the Contractor, e.g. information about the termination of your employment with a given entity or a change in contact details.

We can also obtain personal data of Contractors’ subcontractors from Contractors who provided the Company with such data in order to support cooperation between the Contractor and the Company.

Legal grounds, purposes and periods of data processing

Legal grounds for data processing

We process personal data only when:

processing is necessary to fulfill contractual obligations towards you, if you are or will be a party to a contract concluded with the Company or Companies or to take specific steps before concluding the contract, e.g. preparing a draft contract (Article 6 (1) (b) of the GDPR);
processing is necessary in order to fulfill the legal obligations of the Companies or it is explicitly required by law (Article 6 (1) (c) of the GDPR) – in the scope of personal data contained in documents subject to archiving on the basis of legal provisions;
processing is necessary for the implementation of the legitimate interests of the Companies or a third party and does not excessively affect your interests or fundamental rights and freedoms (Article 6 (1) (f) of the GDPR). When processing personal data on this basis, we always strive to maintain a balance between our legitimate interest and your privacy

The legitimate interests are:

enabling the Company to contact contractors and service a given contract;
using contact details of Contractors as part of the Contractor Database;
fraud prevention and

criminal activity;
establishing or pursuing civil law claims by the Company cooperating with the Contractor as part of its activities, as well as defense against such claims;
verification of the Contractor’s credibility;
verification of Contractors in public registers.

Periods of data processing established for individual purposes

Personal data is processed only for a specific purpose and to the extent necessary to achieve it and for as long as it is necessary. The basic purposes pursued by the Company through the processing of personal data and the periods during which it processes it are presented below:

obligations under the contract – the duration of the contract between the Contractor and the Company;
storing documentation for the purpose of demonstrating compliance with the obligations arising from legal provisions, in particular the Accounting Act and the Tax Ordinance Act – the period specified in the relevant provisions of law. As a rule, these are 5-year periods, counted from the end of the calendar year in which the event occurred (e.g. invoice issuance);
for the purposes of establishing or pursuing civil law claims by the Companies as part of their activities, as well as defense against such claims – for appropriate limitation periods for such claims, i.e. in principle not longer than 3 years from the occurrence of the event giving rise to the claim.
Transferring personal data to other recipients

The data may be transferred to the following recipients:

entities processing personal data at the request of the Company, such as:
entities providing IT support services regarding IT systems or tools used to process personal data or similar services,

These types of entities do not independently decide how to process your personal data. The processing of personal data by them takes place only to the extent that it is necessary for the conduct of business by the Company and will not exceed the scope of the purposes indicated in point 4. The company has the right to carry out control activities.

b) other personal data administrators, including:
courier or postal service providers,
entities conducting consulting activities, law firms,
other Contractors or subcontractors participating in the contract performance process
c) other entities within a given Contractor or subcontractor.

Data transfer outside the European Economic Area

Your personal data will not be transferred outside the European Economic Area.

Contractor’s rights and exercise of them

Your rights

Each person has the right to access their personal data processed by the Company. If you believe that any information relating to you is incorrect or incomplete, please submit a request for rectification as set out in section 6.2 below. The Company will promptly correct such information.

In addition, you have the right to:

withdraw your consent if the Company obtains such consent to the processing of personal data (provided that such withdrawal does not violate the lawfulness of data processing carried out before the withdrawal);
request the deletion of your personal data in cases specified in the provisions of the GDPR;
request to limit the processing of your personal data in cases specified in the provisions of the GDPR;
objecting – for reasons related to your particular situation – to the processing of your personal data, if such processing is carried out in order to implement the public interest or legitimate interests of the Company or a third party;
data transfer.

The company will verify your requests, demands or objections in accordance with the applicable provisions on the protection of personal data. However, it should be remembered that these rights are not absolute; the regulations provide for exceptions to their application.

In response to your request, the Companies may ask you to verify your identity or provide information to help the Company better understand the situation. The company will make every effort to explain its decision to you if your requests are not met.

Exercising your rights

To exercise the above rights, please send a message by e-mail to the following address: or send a written application to the correspondence address, i.e. KUŹNIA Sułkowice S.A., ul. 1 Maja 70, 32-440 Sułkowice with the annotation – “Data protection – contractors”.

If you become aware of the unlawful processing of your personal data by the Company, you have the right to lodge a complaint with the supervisory body competent for the protection of personal data, i.e. the President of the Personal Data Protection Office.

In order to keep your personal data up-to-date and accurate, we may from time to time ask you to check and confirm the personal data we hold about you or to inform

not us about any changes to this personal data (such as e.g. change of e-mail address).

We encourage you to regularly check that the processed personal data is correct, up-to-date and complete.