Last update: 21 May 2018
- What is the Veracomp company?
- What personal data is obtained by Veracomp?
- What is the purpose of processing personal data by Veracomp and making it available to third parties?
- What are the sources of personal data?
- How is personal data secured against the violation related to its processing?
- Obligations of entities entrusting personal data of third parties to Veracomp and entities receiving such data from Veracomp,
- Rights of persons whose personal data are processed by Veracomp.
I. What is the Veracomp company?
Veracomp is the leader in Value Added Distribution (VAD) in the field of ICT solutions. Veracomp provides comprehensive IT solutions which can be applied in all sectors of the economy. Pursuant to the provisions of the EU law, Veracomp is a controller of personal data. Contact details of Veracomp are given below:
ul. Zawiła 61
tel. 12 25 25 555
fax 12 25 25 500
In order to ensure the highest standards of personal data protection, Veracomp has appointed Data Protection Officer (hereinafter “DPO”) who is responsible for the implementation, supervision and auditing of Personal Data Security Policy and for the compliance of the processing of personal data by Veracomp with legal provisions. Should you have any questions or doubts, you can contact the DPO using the details below:
Veracomp Data Protection Officer – e-mail address for contact firstname.lastname@example.org
II. What personal data is obtained by Veracomp?
The Polish IT market in which Veracomp is active is the market of IT goods and services, comprised of the following entities:
- IT manufacturers – usually global or Polish companies offering their products and services in several countries,
- IT distributors – global or local entrepreneurs,
- Resellers and integrators – usually local entrepreneurs,
- Consulting companies – global or local companies,
- Buyers of products (goods and services) – end users.
Relations between the aforementioned entities may be of the following nature:
- consulting, including design of ready-made IT system solutions,
- delivery (sales) of equipment, software or service according to the specific preferences of the potential buyer,
- performing services of seeking or informing potential buyers about the offered goods, e.g. by the following means:
v. tests (so-called Proof of Concept),
- provision of professional services, e.g.:
ii. design and selection of equipment for a given solution,
vi. service maintenance,
The subject of trade on the IT market in Poland is standardised software, hardware, as well as services provided by the seller or third parties acting on the seller's behalf.
In the Polish IT market, there are market segments of buyers (end customers) classified as:
- institutional, the so-called B2B: i.e. organisations, companies and other public or private institutions – represented in the process by natural persons being their employees or providing services for their benefit under other legal relations, such as contract of mandate, self-employment or subcontracting,
- private, i.e. consumers, the so-called B2C, that is natural persons.
Veracomp SA, by purchasing products directly from manufacturers, performs sales for both customer segments, exclusively through its commercial partners and telecommunications operators.
In connection with its activities, Veracomp has to process the data of the aforementioned entities and their employees, and in certain cases such data must be made available to such individual entities. Veracomp may collect some of the following information:
- first name, surname,
- phone number,
- e-mail address,
- job title,
- employer's company,
- NIP [Tax Identification Number],
- PESEL [Personal Identification Number],
- mailing address,
- participation in special offers and training sessions organised by Veracomp.
In addition, Veracomp obtains data which is not personal data, such as: IP address of the device used by a natural person in order to access the services of Veracomp, technical information, including the information pertaining to internet and/or network connections, identifier of the VoIP device/ communicator, data pertaining to log-in activity, including date and time of the last log-in.
Veracomp also collects information related to the Customer by using cookies of which the Customer is informed while viewing the Veracomp website for the first time.
In extraordinary cases, the scope of data processed may be broader, due to specific processing purposes, which the data subject will be informed about when collecting such data.
III. What is the purpose of processing personal data by Veracomp?
The Veracomp company is obliged to process data under the provisions of the law; in other cases, its provision is voluntary. Personal data processed by Veracomp are mainly used for contact purposes as part of regular business activities constituting the subject of Veracomp's activity.
Regular business activities of Veracomp include:
- sending commercial offer of Veracomp,
- pre-sales support (activities related to the preparation of solution relevant to the needs of the end user),
- contact for the purpose of performance of the contract for the delivery of equipment or provision of service,
- contact for the purpose of after-sales support,
- own marketing,
- processing arising from the generally applicable provisions of the law, including tax and customs law,
- making data available to the aforementioned third parties for the purpose of contract performance,
- investigation and enforcement of claims,
- providing technical and business knowledge (mailing, webinars, events, training).
Personal data is made available to the third parties only for the purpose of performance of a contract to which the data subject is a party or in order to undertake measures at the request of the data subject prior to entering into a contract, e.g. to obtain special prices, after-sales support, perform guarantees or provide updates and renewals.
Presentation of a competitive offer (including special manufacturer's rebates) of Veracomp may require:
A) provision of the buyer's personal data (end customer or their employee) to the suppliers of Veracomp SA in order to verify the actual need for granting such a rebate,
B) provision of the intermediary's personal data (reseller or their employee) to the suppliers of Veracomp SA in order to verify the actual need for granting such a discount,
C) provision of personal data of employees of the producer to the suppliers of Veracomp SA in order to verify the actual need for such a discount.
In addition, due to objective conditions of economic, legal or technical nature, Veracomp may be forced to make personal data available to its suppliers in order to:
- obtain a special rebate,
- process an order,
- verify personal data in its trade control systems, the so-called WSK,
- verify personal data in the trade control systems of the manufacturers, the so-called Export Control,
- activate the product or service (e.g. maintenance) with the manufacturer,
- perform after-sales support.
In addition, due to objective conditions of technical nature, Veracomp is forced to store the received personal data in order to:
- perform the services of remote configuration and technical support,
- remotely diagnose the product at the request of the buyer to verify their warranty claims, to secure them against exposure to unnecessary costs in the event of submission of unjustified claim,
- execute guarantee services, including:
i. assign the RMA number,
ii. track and collect the shipment,
iii. potentially establish contact with the sender (buyer or intermediary) to clarify any doubts,
iv. send return shipment.
Considering the foregoing, Veracomp sees here a justified legal interest in personal data processing in accordance with the requirements of GDPR, and:
- undertakes not to expand the above-mentioned adopted criteria without prior consent of data owners,
- considers and respects the rights of data owners in accordance with the applicable legal standards, particularly in the following areas:
- data protection and restriction of access to such data only to authorised persons,
- transmission of data to third parties, particularly outside the EU,
- no profiling,
- no processing of sensitive data,
- use of pseudonymisation, wherever technically and economically justified and legally permitted,
- notification about obtained data in accordance with Article 14 point 3b of GDPR,
3. assumes related liability, including liability concerning the potential leak of such data, as well as civil and administrative liability.
If Veracomp has to process personal data for any other purposes, a relevant consent shall always be obtained prior to the processing. Veracomp shall not make personal data available to third parties for marketing purposes.
IV. What are the sources of personal data?
Veracomp may obtain personal data in the following manner:
- direct consents on the basis of the person's registration for an event (training session, webinar, special offer) organised by Veracomp via an online form (event website),
- consents arising from the invitation sent automatically when adding the person to the CRM system functioning at Veracomp,
- consents arising from invitations sent by the CRM employee from the personal card level,
- independent registration of end users in the Veracomp systems by electronic means in order to obtain information about products offered by this company,
- independent registration of intermediaries in the Veracomp systems by electronic means in order to obtain information about products offered by this company,
- entrusting the data of employees of business partners of Veracomp provided on the basis of partnership agreements containing the provision on consent for the transmission of information about the products and commercial offer of Veracomp,
- entrusting personal data to Veracomp by third parties (the obligations of entities entrusting personal data to Veracomp are specified in point VI below),
- personal meetings during which contact details are exchanged,
- use of existing information gathered in the databases of Veracomp SA,
- digital marketing (TBD).
V. How is personal data secured against the violation related to its processing?
Personal data processed by Veracomp is stored at secure servers in Poland. Veracomp has implemented appropriate technical and organisational means in order to protect personal data against unauthorised or unlawful processing, including loss, destruction or damage.
In case of personal data processed in paper form, data is stored in separate rooms to which only authorised persons have access, and if the data is processed in rooms to which more people have access, the data is stored in locked cabinets the keys to which are only in possession of persons authorised to process data.
VI. Obligations of entities entrusting personal data of third parties to Veracomp
Considering the fact that, in certain cases, Veracomp may make personal data available to a third party, the third party undertakes to follow the below-mentioned obligations, regardless of the fact whether it acts as an entrusting entity or as an entity to which Veracomp has entrusted or made available data for processing.
Upon the provision of personal data to Veracomp, the third party confirms that it assumes liability and indemnifies Veracomp against any liability arising from the fact that the third party has failed to obtain relevant consents of data subjects, and if an administrative fine or obligation to pay compensation is imposed on Veracomp, the third party undertakes to pay the amount equal to the imposed fine and/or compensation upon the first request of Veracomp.
The entrusting entity particularly, but not exclusively, undertakes to:
- process the data only for the performance of cooperation for the duration of cooperation and potential security of claims arising from such cooperation, unless the data retention period arises from the commonly applicable provisions of the law,
- use the personal data entrusted to it by Veracomp only for the purposes indicated at the time of transmission of personal data or at a later date, upon prior approval of Veracomp,
- ensure sufficient guarantees of implementation of appropriate technical and organisational means so that the processing would meet the requirements of GDPR and protect the rights of data subjects,
- obtain all legally required consents entitling it to make personal data available to Veracomp for the purpose of entrusting such data further to the following entities: authorised distributors of products, equipment manufacturers, external authorised service centres of the manufacturer, warehouses with spare parts, service centres acting as intermediaries in the transport of equipment.
If, for the proper performance of obligations arising from cooperation, it is necessary for Veracomp to entrust the data further, also to a third country, the third party represents that Veracomp may do so, and guarantees that it has the right to make personal data available to Veracomp for this purpose, the third party is considered to be the Controller within the scope of such data and performs the obligations set forth in Articles 12, 13 and 14 of GDPR. As far as Veracomp is subject to the information obligation arising from GDPR, the Parties agree that such obligations shall be performed by the third party, and the third party shall be fully liable towards Veracomp for the proper performance of such obligations, and shall be liable, without limitations, to the potential damage incurred by Veracomp on the account of improper performance of such obligations,
- upon the completion of the provision of services related to data processing, the third party shall be obliged to delete or return to Veracomp, at the discretion of Veracomp, all personal data entrusted to it, and to remove all existing copies of such data, unless the processing is necessary in view of the commonly applicable provisions of the law or in order to determine, assert or secure claims.
VII. Information about the rights of persons whose personal data are processed by Veracomp
Veracomp ensures the execution of the following rights vested in the persons whose personal data are processed:
- right to receive information about the processing of personal data,
- right to access the contents of processed personal data,
- right to rectify data,
- right to demand from the Controller to erase data,
- right to demand from the Controller to restrict the processing of data,
- right to data portability,
- right to object against the processing of data,
- right to lodge a complaint to the Polish supervisory authority or the supervisory authority of another European Union member state,
- right to withdraw consent to the processing of personal data at any time,
- right to obtain human intervention on the part of the Controller, to express their point of view, and to contest the decision based on automated processing of data.