Privacy Policy

version effective from 01.01.2024

Table of contents:

1. Privacy Policy principles

2. Definition of terms

3. Information about the Data Controller

4. Scope and purposes of data processing

5. Basis for data processing

6. Data retention periods

7. Rights of data subjects and ways of exercising rights

8. Data recipients

9. Security of personal data

10. Voluntary/obligatory provision of personal data

11. Data transfer to third countries, automated decision-making and profiling

12. Use of cookies

13. Final provisions


1. Privacy Policy principles

We request all Users of the Website to familiarize themselves with the contents of this document. The purpose of the Privacy Policy is to provide information on what basis and for what purpose the personal data of the Website Users are processed, what are the bases for the processing and what rights the Users have in connection with the processing of personal data by Grzegorz Gąsowski conducting business activity under the name AG TermoPasty Grzegorz Gąsowski, as a data Controller. Grzegorz Gąsowski attaches great importance to respecting the privacy of Users using the Website and makes the greatest efforts to make them feel comfortable and safe while using it. In addition, the Controller ensures that the processing of personal data is transparent and in compliance with applicable data protection laws, supervisory authority guidelines and good practices. 

This Privacy Policy performs the information obligation under the content of Article 13 of the GDPR; however, in case of any doubts, the Controller remains at your disposal and will try to answer any questions you may have regarding the processing of your personal data.  

2. Definition of term

Privacy Policy – this document, the content of which is available at; 

Website – the service at; 

Personal Data – as stated in Article 4(1) of the GDPR, it is any information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person; 

Processing – an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, restricting, erasing or destroying; 

Controller – an entity that alone or jointly with others determines the purposes and means of processing personal data; 

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ EU L 2016 No. 119, p. 1).


3. Information about the Data Controller

The Controller of personal data of the Website Users is Grzegorz Gąsowski conducting business activity under the name AG TermoPasty Grzegorz Gąsowski, NIP [Tax Id No.]: 9661767714, REGON [Business Id No.]: 200133730. The Controller’s registered office is located in Sokoły, at ul. Kolejowa 33/ E, 18-218 Sokoły. The Controller can be contacted via the e-mail address: and by mail using the address of the registered office. 

4. Scope and purposes of data processing

Guided by the principles of personal data processing derived from the content of Article 5 of the GDPR, and in particular the principle of data minimization and the principle of privacy by default, the Controller limits the scope of personal data processed in the use of the Website (as well as the implementation of all processes carried out in the course of the company’s activities) to necessary data. 

In order to use the contact form found at, regardless of the purpose of the message (order/query/technical or product inquiry/cooperation/career), the following personal data are collected: name, surname, telephone number, email address, message content. 

The Website also allows to file a complaint via a form at In order to file a complaint by this means, the following data is required: name, surname, email, telephone, NIP [Tax ID No.], company, address and information about the product being complained about. 

In the case of sending CVs electronically via the Website, the personal data of job applicants contained in the CV and attached documents and the application form are obtained. 

In the event of telephone contact with AG TermoPasty Grzegorz Gąsowski, the Administrator informs that outgoing and incoming calls made with the Administrator’s employees are recorded, which means that the voice and information provided during telephone conversations may also be processed. Recording of telephone conversations can take place for the purposes of:

– ensuring the highest standards of service and the proper conduct of conversations with clients;

– the realization or pursuit of entering into an agreement with the Administrator, as a form of recording information to which one can refer for the purpose of confirming the arrangements made;

– establishing, defending, and pursuing claims by the Administrator, as security or evidence allowing for the resolution of any disputes.

The participant of the conversation is informed about the recording each time. Staying on the line signifies their consent to the recording of voice data, and in case of disagreement, please end the call and contact the Administrator by email.

In the case of a personal visit to the Controller’s premises (e.g. business meeting, job interview), it is possible that a person’s image may be processed in connection with the Controller’s video surveillance system, operating under the provisions of the Regulations on Video Surveillance at AG TermoPasty Grzegorz Gąsowski. 

The Controller ensures that data is always obtained for a legitimate and clearly defined purpose: 

– to provide services regarding the availability and functionality of the Website; 

– to handle communication between the Controller and the User (including contacts via email, contact and complaint forms); 

– to conduct recruitment processes;  

– to fulfil legal requirements (including accounting regulations, Labor Code, Civil Code); 

– to establish and assert claims or defend against claims, resolve complaints and disputes; 

– to inform about the services provided and promote them on social networking sites; 

– to administer the information system, to improve the functionalities used and the services provided; 

– to ensure the security of persons and property;

– for other purposes listed above (recording telephone conversations)..   

5. Basis for data processing

The Controller ensures that the principle of lawfulness is observed and makes the utmost effort to ensure that every operation on personal data is based on a legal basis. The Controller processes personal data on a variety of legal bases arising both from the content of Article 6(1) of the GDPR, as well as the provisions of national law, including the Accounting Act or the Labour Code.  

Depending on the case and the purpose of processing, the basis for processing personal data may be: 

– consent (Article 6(1)(a) of the GDPR, including the consent of a job candidate expressed when sending a CV via the Website, consent to be contacted electronically,consent to engage in telephone conversations recorded by the Administrator); 

– contract with the Customer (art. 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is a party or in order to take action at the request of the data subject prior to entering into a contract, including the performance of complaint procedures); 

– a legal obligation of the Controller (Article 6(1)(c) of the GDPR: the processing is necessary for the fulfilment of a legal obligation incumbent on the Controller, including obligations under the Accounting Act, the Civil Code, the Consumer Rights Act, the Labor Code); 

– legitimate interest pursued by the Controller (Article 6(1)(f) of the GDPR: processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). The Controller refers to the legitimate interest when analysing, developing, improving and optimising the operation of the Website (primarily to ensure the security of the system), as well as in the aspect of defending against possible claims, and in the aspect of operating video surveillance (ensuring the security of persons and property) and maintaining profiles on social networking sites. 

6. Data processing periods

The Controller shall strive to keep the Website Users’ data only for as long as they are needed to fulfil the purpose or fulfil the obligations imposed on the Controller. Data processing periods may be extended if the processing is necessary for the establishment, investigation or defence of possible claims, and thereafter only if and to the extent required by law. After the expiry of the processing period, the data are irreversibly deleted or anonymised. 

Depending on the specific situation to which the processing of personal data is related, the following processing periods are provided for in the Controller’s activities: 

– 5 years counting from the beginning of the year following the financial year in which the payment took place (according to Article 74 of the Accounting Act); 

–- the period necessary for the execution of the Controller’s or the Customer’s rights and claims, including the period of the complaint process on the basis of the warranty, the periods of limitation of claims (6 years, and for claims for periodic benefits and claims related to the conduct of business activity – 3 years); 

– up to three months in accordance with the provisions of the Labour Code, as far as video surveillance data is concerned; 

– until the moment of withdrawal of consent, if the data are processed on the basis of consent (with data processed on the basis of consent with regard to future recruitment – up to 6 months);

– personal data in telephone call recordings are stored for up to 90 days, after which they are automatically deleted;

– the Controller has no impact on the data retention periods of the social networking sites on which it has a profile. 


7. Rights of data subjects and ways of exercising rights

Notification of the data subject’s rights can be made: 

– in person at the registered office of the Entrepreneur located at ul. Kolejowa 33 lok. E, 18-218 Sokoły, 

– by email to:,  

– by mail to the following address: ul. Kolejowa 33 lok. E, 18-218 Sokoły. 


The exercise of data subjects’ rights is free of charge, unless otherwise provided in the GDPR. Pursuant to Article 12(5) of the GDPR, the Controller may charge a reasonable fee taking into account the administrative costs of providing the information, carrying out the communication or taking the action requested.  


Provided that the prerequisites under the provisions of the GDPR are met and not excluded by specific provisions, Website Users may have the following rights with regard to the processing of personal data: 

1) Art. 13 and 14 of the GDPR – right to information 

The Controller shall provide all the information listed in the content of art. 13 and 14 of the GDPR to the User when obtaining personal data. The Controller shall take appropriate measures to provide the data subject with all the information referred to in art. 13 and 14 in a concise, transparent, intelligible and easily accessible form in clear and plain language. 

2) Art. 15 of the GDPR – right to access to personal data  

The data subject shall have the right to obtain from the Controller confirmation as to whether personal data concerning him or her are being processed. The Controller shall provide the data subject with a copy of the personal data undergoing processing. 

3) Art. 16 of the GDPR – right to rectification of personal data 

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. 

4) Art. 17 of the GDPR – right to erasure of personal data  

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay only if the prerequisites resulting from the content of this provision arise and it is not excluded by other specific provisions. 

5) Art. 18 of the GDPR – right to restriction of processing of personal data  

The data subject has the right to obtain from the Controller the restriction of the processing in cases specified by law. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. 

6) Art. 19 of the GDPR – notification obligation regarding rectification or erasure of personal data or restriction of processing 

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with art. 16, art. 17(1) and art. 18 of the GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it. 

7) Art. 20 of the GDPR – right to data portability 

If the processing is based on consent or a contract and the processing is carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided. 

8) Art. 21 of the GDPR – right to object to data processing  

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. 


Furthermore, the User shall have the right to lodge a complaint with the supervisory body dealing with the protection of personal data in Poland: Personal Data Protection Office ul. Stawki 2, 00-193 Warszawa. 

8. Data recipients

The personal data of Website Users processed by the Controller can be accessed directly by authorised employees, contractors, associates of the Controller. 

Access to personal data related to employee recruitment may be provided by providers of recruitment services, including the platform through which the application is made.

Access to personal data related to the recording of telephone conversations is granted to the telecommunications service provider and the server operator, based on the contracts and the terms of service provision.


In addition, access to the data is provided to entities to which the Controller entrusts the processing of personal data by means of entrustment agreements or acceptance of regulations (e.g. IT system provider, entities providing courier, IT, accounting services).  

Personal data may be made available, among others, to state authorities under the provisions of law, or to other entities authorised under the provisions of law, in order to fulfil the obligations incumbent on the Controller. 

In the case of the Users saving personal data on the Controller’s profiles on social networking sites, Grzegorz Gąsowski, who conducts the business activity under the name AG TermoPasty Grzegorz Gąsowski with its registered office in Sokoły, is not responsible for the content posted by the Users on the profile, nor does he have any influence on how the Users’ personal data will be processed by Facebook or Instagram. 

Users’ personal data are not commercially shared with other entities.  

We make the utmost effort to ensure that the entities to which we share personal data guarantee the application of protection measures adequate to the applicable data protection legislation, thus ensuring high standards and security, and we refer to their privacy policies for more information. 

9. Security of personal data

The Controller shall apply technical and organisational measures to ensure the protection of the processed data appropriate to the risks and the category of protected data, and in particular to protect personal data against unauthorised access by unauthorised persons, loss or damage (access only to authorised persons), to select the contractors carefully, to train the personnel in the field of personal data protection and information security, to meticulously analyse the requests for exercising the rights of the data subjects.  

10. Voluntary/obligatory provision of personal data

The provision of data is voluntary, but necessary in order to fulfil the relevant purpose – without providing personal data, it is not possible to conclude a contract, handle a complaint, contact the Controller, conduct a recruitment, exercise rights or exercise claims. 

11. Data transfer to third countries, automated decision-making and profiling

Users’ personal data is not knowingly and intentionally transferred by the Controller to a third country or an international organisation. Data is also not used for automated decision-making or profiling. 

12. Use of cookies

The Website automatically collects only the information contained in cookies. Cookies are text files which are stored on the Website User’s end device. They are intended for the use of the pages of the Website. First of all, they contain the name of the website of their origin, their unique number, the time of storage on the end device. The Controller is the entity which places cookies on the User’s end device and has access to them.

Cookies are used in order to:

– adapt the content of the website to the individual preferences of the User, primarily these files recognise the User’s device in order to display the website in accordance with his preferences; 

– prepare statistics helping to learn about the preferences and behaviour of users; the analysis of these statistics is anonymous and allows the content and appearance of the website to be adapted to prevailing trends; statistics are also used to assess the popularity of the website; 

enable and maintain the User’s login on each subsequent page of the Website.

The Website uses two main types of cookies – session and persistent. Session files are temporary, stored until you leave the Website (by going to another page, logging out or closing your browser). Persistent files are stored on the User’s end device until they are deleted by the User or for the time resulting from their settings.

The User may at any time change the settings of their browser to block cookies or to be informed each time they are placed on their device. Other available options can be checked in the settings of your web browser. Please note that most browsers are set by default to accept the storage of cookies on your end device.

The cookies used by the Website (placed on the user’s end device) may be made available to cooperating service providers. 

The Controller informs that changes in the User’s web browser settings may restrict access to certain functions of the Website. Information on web browser settings is available in its menu (help) or on the website of its producer. 

13. Final provisions

This version of the Privacy Policy is effective as of 01.01.2024. The content of the Privacy Policy may be changed by the Controller and is published on the Website. 

In matters not regulated in the Privacy Policy, the relevant provisions of commonly applicable law, guidelines of the supervisory authority, and the European Data Protection Board shall apply. 

Any possible disputes concerning the provisions of the Privacy Policy shall be settled amicably in the first place.