GDPR information clause


GDPR information clause for clients, contractors, service contractors, employees and job applicants.


In accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ EU L 119 of May 4, 2016), hereinafter referred to as “GDPR”, we inform you that:

1. The Administrator of your personal data is ROFOOD EXPORT-IMPORT Ryszard Ogonowski with its registered office at Komandor Wiktor Węgrzyn 1 street, 05-250 Emilianów, Poland. Contact with the Administrator is possible via e-mail:

2. Purposes and legal basis for data processing:

Your personal data is processed by the Administrator:

  • for the purpose of entering into a contract with the Administrator and its subsequent performance (legal basis for processing: Article 6(1)(b) GDPR)
  • in order for the entity you represent to enter into an agreement with the Administrator and its subsequent performance (legal basis for processing: Article 6(1)(f) GDPR)
  •  in order for the Administrator to carry out the activities you request, other than the activities specified above, or to carry out the activities for which you give your consent (legal basis for processing: Article 6(1)(a) GDPR)
  • in order to comply with the Administrator’s legal obligations in connection with the type of activity carried out and the performance of contracts concluded by the Administrator (legal basis for processing: Article 6(1)(c) GDPR)
  • in pursuit of the Administrator’s legitimate interests, for example: (a) for the preparation of commercial offers, (b) for archival and evidential purposes, (c) for the possible establishment, investigation or defense against claims, (d) for the analytical selection of services to meet the needs of the Administrator’s customers, (e) for customer satisfaction surveys, (f) for internal administrative purposes, (g) for the complaint process (legal basis for processing: Article 6(1)(f) GDPR)


3. Types and categories of personal data processed:

  • personal data identifying a person and allowing the Administrator to prepare offers
  • data identifying or verifying a person, i.e. data allowing to ascertain or verify the identity of a person or entity, for example in order to place an order and sign a contract with the Administrator
  • data concerning persons or entities needed to fulfill legal obligations incumbent on the Administrator or processed within the framework of the Administrator’s legitimate interest,
  • personal data relating to browsing the Administrator’s website, which are collected in accordance with the Cookies Policy and Privacy Policy or the individual consent of the Client in a given case.

4. Your data may be shared with the following recipients or categories of recipients:

  • your data may be accessed by the Administrator’s subcontractors, for example: legal, IT, debt collection companies and other entities, on the basis of personal data entrustment agreements signed with them by the Administrator
  • data may also be accessed by authorized third parties on the basis of generally applicable legal regulations

5. The Administrator may transfer your personal data, if you are an employee or provide services to the Administrator, outside the European Economic Area, i.e. to the United Kingdom, as a result of the nature of your business. The European Commission has adopted a decision stating the adequate level of personal data protection provided by the UK.

6. Period of data storage by the Administrator:

  • to the extent of the performance of the contract entered into by you or by the entity you represent with the Administrator, for the term of the contract
  • with regard to the processing of data, the prerequisite of which is consent to processing, until such consent is revoked by the data subject without affecting the legality of the processing carried out on the basis of consent prior to its revocation
  • in terms of fulfilling legal obligations incumbent on the Administrator in connection with the Administrator’s operation and performance of contracts concluded, for the period obliging the Administrator to fulfill those obligations
  • with regard to the existence of the Administrator’s legitimate interest, for the period in which the Administrator is able to document the existence of such interest and demonstrate the primacy of its legal interest over the interests or fundamental rights and freedoms of the data subjects.

7. Rights of data subjects:

  • the right to access data, i.e. to obtain information about the purpose and manner of processing of personal data and a copy of the data
  • the right to data portability
  • the right to withdraw consent, which means that you can withdraw any consent you have given at any time, whereby the withdrawal of consent does not affect the lawfulness of the processing performed on the basis of consent before its withdrawal (as of the submission of such a disposition, the Data Controller does not process the data for the purpose indicated by the data subject)
  • right to rectification, completion, of personal data in case they are incorrect or incomplete
  • the right to lodge a complaint with the President of the Office for Personal Data Protection as a supervisory authority
  • the right to object, which means that in certain situations you can object to the processing of your data at any time
  • the right to restrict data processing
  • the right to partial or complete erasure of data processing (the right to be forgotten) that is processed by the Data Controller without a legitimate legal basis
  • the right to transfer personal data, i.e. send the data to another Data Controller (e.g. another operator).

8. Your provision of personal data for most of the processes carried out by the Administrator is not based on your consent, and although in many cases it is voluntary, but in order to carry out the processing in question, it is necessary.


9. The source of the data in the vast majority of cases is the data subjects, so they are obtained directly from the persons with whom the Administrator performs the legal or factual act in question, while in the case of obtaining personal data in a manner other than from the data subjects, the source of the data is third parties.


10. The Administrator does not process personal data in an automated manner through profiling, with the exception of certain data of specific users of, which processes are described in the Privacy Policy and Cookies Policy posted on the Administrator’s website.


11. Personal data shall be collected with due diligence and adequately protected from access by unauthorized persons.