Privacy Policy


Bearing the responsibility for the privacy, confidentiality and integrity of the personal data, in accordance with the applicable personal data protection laws and fulfilling the information obligation resulting from the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: GDPR, Elmark Automatyka Spółka Akcyjna with its registered office in Warsaw publishes the following document, which is a data protection policy within the meaning of the GDPR.


  1. The Controller is Elmark Automatyka Spółka Akcyjna with its registered office in Warsaw, at ul. Bukowińska 22 lokal 1B, 02-703 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under the KRS number: 0000803828, REGON: 013144306, NIP: 5252072585, share capital PLN 600,000.00 (fully paid-up share capital).
  2. Controller's contact details:

Address: ul. Bukowińska 22 lokal 1B, 02-703 Warsaw, Poland

Phone: +48 22 773 79 37


Controller informs of the possibility of using the contact form available on the website


  1. The Controller indicates the purposes and legal basis of the processing of personal data:

Purpose of the processing


Legal basis of the processing


Providing the ongoing services and execution of orders placed by the Controller's customers and contractors, including but not limited to the maintenance of databases containing addresses and payment data of the Controller's customers and contractors. E-mail and telephone contact required for customer technical support, commercial or other inquiries and handling commercial transactions. Conducting trainings, webinars, seminars and other events by the Administrator. Provision of materials at the request of customers

Necessity to perform the contract - art. 6 sec. 1 letter b) GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order

to take steps at the request of the data subject prior to entering into a contract


Conducting employee recruitment processes. Obligations resulting from the provisions of the Polish labor law.

Controller's legal obligation - art. 6 sec. 1 letter c) GDPR in connection with with art. 221 of the Polish Labor Code, i.e. processing is necessary for compliance with a legal obligation to which the Controller is subject.


Marketing purposes, promoting the services provided by the Controller, including sending the newsletter.


Consent of the data subject - art. 6 sec. 1 letter a) of the GDPR, i.e. the data subject has given consent to the processing of his or her personal data for one or more

specific purposes.


Processing of personal data for the purposes of analytical and statistical operations, including customer satisfaction surveys.

Legitimate interests of the Controller - art. 6 sec. 1 letter f) of the GDPR, meaning the economic interest of improving the quality of services provided while ensuring the security and correct operation of the IT tools used by the Controller.


Answering customers' inquiries submitted via the webform available on the Controller's website.

Consent of the data subject - art. 6 sec. 1 letter a) of the GDPR, i.e. the data subject has given consent to the processing of his or her personal data for one or more

specific purposes.



  1. Depending on the purpose of processing described above, provision of personal data is a statutory or contractual requirement or a condition for concluding a contract, and the data subject is obliged to provide it. In case of a refusal to provide the required personal data, the Controller reserves the right to refuse to cooperate or provide services to the data subject.


  1. The Controller cooperates with the following categories of personal data recipients on the basis of a contract:
    1. Entities involved in postal and courier activities (i.e. inPost, DHL);
    2. Entities providing services in the field of information technology and computer technology, operating website portals, managing websites (hosting) and providing IT tools for the ongoing operations of the Controller (i.e. e.g. Microsoft, Salesforce, Google, Clickmeeting);
    3. Entities providing electronic payment services;
    4. Entities providing services in the field of operating the online store;
    5. An entity dealing with accounting and bookkeeping activities;
    6. Contractors of the Controller - producers to whom commercial data are transferred primarily as part of their business.
  2. Personal data may be transferred to third countries in connection with the data processing for the purposes of ongoing customer services and the Controller's use of IT and computer technology tools (Microsoft, Salesforce, Google, Clickmeeting). This also applies to countries outside the European Economic Area without an adequate level of data protection (e.g. USA). For this type of transfer, we rely on the Standard Contractual Clauses used by our partners. The entities whose services are used by the Controller have been selected in order to ensure a high level of security and guarantee the security of personal data. More information on the processing of personal data by our partners can be found at the following links:

Microsoft's Privacy Policy

Privacy Policy - Google

Salesforce's Privacy Information -

Clickmeeting Privacy Policy


  1. The Controller informs that the data subject has the right to: request the Controller to grant access to their personal data, rectify personal data, delete or limit the processing of personal data, right to object to processing, and the right to transfer personal data.
  2. The data subject has the right to withdraw the consent granted for processing at any time, which does not affect the lawfulness of the processing, which was carried out on the basis of consent before its withdrawal.
  3. The Controller informs that with regard to personal data processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of his personal data for the purposes of such marketing.
  4. The above rights are exercised through direct contact of data subjects with the Controller.
  5. The data subject has the right to lodge a complaint with the supervisory authority. The function of the supervisory authority in Poland is performed by the President of the Personal Data Protection Office, whose contact details are:

Address: ul. Stawki 2, 00-193 Warsaw

Phone: 22 531-03-00, Helpline: 606-950-000



  1. The Controller aims to shorten the storage period of personal data in accordance with the principle of storage limitation. The Controller does not store personal data indefinitely, and the period of their storage is adjusted to the purposes for which they were collected.
  2. The criteria for determining the period of storage of personal data by the Controller are Applicable Law (e.g. Polish Civil Code) including provisions on limitation periods, as well as a legitimate interest of the Controller resulting from the nature of the Controller's activity, the need to provide maintenance and warranty services, after-sales customer service, maintaining business relationships and trade development.
  3. The Controller allows the possibility of extending or shortening the period of personal data storage due to a legitimate interest, e.g. in connection with pending court proceedings.


  1. The Controller carries out data processing by automated means (including profiling), but this does not produce legal effects or does not affect data subjects in a similarly significant way.
  2. Notwithstanding the foregoing, the Controller informs that he uses Google Analytics and Facebook Pixel to optimize the services provided as well as for analytical purposes. More information on these services can be found under the following links:

How Google uses data from websites and applications that use our services - Privacy and terms - Google

Cookie Policy (

  1. In order to ensure the proper operation of the Controller's website, as well as to guarantee the appropriate service level, Controller's website places small text files (cookies) on visitors' devices. The Controller's cookie policy is available under the link.


  1. The Controller keeps a Register of Personal Data Processing Activities (hereinafter: the Register). The register is a form of documenting data processing activities, in which the Controller records the manner in which he processes personal data.
  2. In the Register, for each data processing activity, which the Controller has recognized as separate for the purposes of the Register, at least: (i) name of the activity, (ii) purpose of processing, (iii) description of the category of persons, (iv) description of the data category, (v) planned date of removing data categories, (vi) description of the category of recipients of personal data (including processors), (vii) description of technical and organizational security measures, (vii) information about the transfer outside the EU / EEA.
  3. The Controller ensures an appropriate level of data security by:
    1. the risk analysis procedure for data processing activities or their categories;
    2. the data protection impact assessment procedure where the risk of violation of the rights and freedoms of persons is high;
    3. adaptation of data protection measures to the identified risks;
  4. The Controller records all breaches of personal data protection, regardless of the seriousness of the breach, in order to implement the principle of accountability and ensure transparency of personal data processing.
  5. In the event of a breach of personal data protection, the Controller assesses whether the breach could cause a risk of violating the rights or freedoms of data subjects.
  6. In any situation where the breach could cause a risk of violation of the rights or freedoms of data subjects, the Controller reports the data protection breach to data protection authorities without undue delay - if feasible - no later than 72 hours after finding the breach.
  7. If the risk of violation of rights and freedoms is high, the Controller shall also notify the data subject about the incident.


  1. The Controller uses a video monitoring to its employees and persons undertaking activities on the basis of civil law contracts for the Controller in order to ensure safety, protection of property and confidentiality of information, the disclosure of which could expose the Controller to damage.
  2. The Controller performs the information obligation in the field of monitoring towards entities mentioned in sec. 1 through:
    1. marking the premises and area monitored in a visible and legible manner, with the use of appropriate signs.
    2. providing the persons mentioned in sec. 1 with a written information on the objectives, scope and methods of the monitoring.


  1. The Controller reserves the right to change the Privacy Policy.
  2. The Privacy Policy was last updated on June 28 2024.