Last update: 1 January 2021
- What is the VENP company?
- What personal data is obtained by VENP?
- What is the purpose of processing personal data by VENP and making it available to third parties?
- What are the sources of personal data?
- How is personal data secured against the violation related to its processing?
- Obligations of entities entrusting personal data of third parties to VENP and entities receiving such data from VENP,
- Rights of persons whose personal data are processed by VENP.
1. What is the VENP company?
VENP is the leader in Value Added Distribution (VAD) in the field of ICT solutions. VENP provides comprehensive IT solutions which can be applied in all sectors of the economy. Pursuant to the provisions of the EU law, VENP is a controller of personal data. Contact details of VENP are given below:
Veracomp – Exclusive Networks Poland SA
ul. Zawiła 61
tel. 12 25 25 555
fax 12 25 25 500
In order to ensure the highest standards of personal data protection, VENP has appointed Data Protection Officer (hereinafter “DPO”) who is responsible for the implementation, supervision and auditing of Personal Data Security Policy and for the compliance of the processing of personal data by VENP with legal provisions. Should you have any questions or doubts, you can contact the DPO using the details below:
VENP Data Protection Officer – e-mail address for contact firstname.lastname@example.org
2. What personal data is obtained by VENP?
The Polish IT market in which VENP is active is the market of IT goods and services, comprised of the following entities:
- IT manufacturers – usually global or Polish companies offering their products and services in several countries,
- IT distributors – global or local entrepreneurs,
- Resellers and integrators – usually local entrepreneurs,
- Consulting companies – global or local companies,
- Buyers of products (goods and services) – end users.
Relations between the aforementioned entities may be of the following nature:
- consulting, including design of ready-made IT system solutions,
- delivery (sales) of equipment, software or service according to the specific preferences of the potential buyer,
- performing services of seeking or informing potential buyers about the offered goods, e.g. by the following means:
v. tests (so-called Proof of Concept),
- provision of professional services, e.g.:
ii. design and selection of equipment for a given solution,
vi. service maintenance,
The subject of trade on the IT market in Poland is standardised software, hardware, as well as services provided by the seller or third parties acting on the seller’s behalf.
In the Polish IT market, there are market segments of buyers (end customers) classified as:
- institutional, the so-called B2B: i.e. organisations, companies and other public or private institutions – represented in the process by natural persons being their employees or providing services for their benefit under other legal relations, such as contract of mandate, self-employment or subcontracting,
- private, i.e. consumers, the so-called B2C, that is natural persons.
VENP, by purchasing products directly from manufacturers, performs sales for both customer segments, exclusively through its commercial partners and telecommunications operators.
In connection with its activities, VENP has to process the data of the aforementioned entities and their employees, and in certain cases such data must be made available to such individual entities. VENP may collect some of the following information:
- first name, surname,
- phone number,
- e-mail address,
- job title,
- employer’s company,
- NIP [Tax Identification Number],
- PESEL [Personal Identification Number],
- mailing address,
- participation in special offers and training sessions organised by VENP.
In addition, VENP obtains data which is not personal data, such as: IP address of the device used by a natural person in order to access the services of VENP, technical information, including the information pertaining to internet and/or network connections, identifier of the VoIP device/ communicator, data pertaining to log-in activity, including date and time of the last log-in.
VENP also collects information related to the Customer by using cookies of which the Customer is informed while viewing the VENP website for the first time.
In extraordinary cases, the scope of data processed may be broader, due to specific processing purposes, which the data subject will be informed about when collecting such data.
3. What is the purpose and legal basis for the processing of personal data by VENP and to whom the data may be transferred?
Personal data processed by VENP are mainly used for contact purposes as part of regular business activities constituting the subject of VENP’s activity.
Regular business activities of VENP include:
- sending commercial offer of VENP,
- pre-sales support (activities related to the preparation of solution relevant to the needs of the end user),
- contact for the purpose of performance of the contract for the delivery of equipment or provision of service,
- contact for the purpose of after-sales support,
- own marketing,
- processing arising from the generally applicable provisions of the law, including tax and customs law,
- making data available to the aforementioned third parties for the purpose of contract performance,
- investigation and enforcement of claims,
- providing technical and business knowledge (mailing, webinars, events, training).
Personal data is made available to the third parties only for the purpose of performance of a contract to which the data subject is a party or in order to undertake measures at the request of the data subject prior to entering into a contract, e.g. to obtain special prices, after-sales support, perform guarantees or provide updates and renewals.
Presentation of a competitive offer (including special manufacturer’s rebates) of VENP may require:
A) provision of the buyer’s personal data (end customer or their employee) to the suppliers of VENP in order to verify the actual need for granting such a rebate,
B) provision of the intermediary’s personal data (reseller or their employee) to the suppliers of VENP in order to verify the actual need for granting such a discount,
C) provision of personal data of employees of the manufacturers to the intermediaries (resellers) or purchasers (end users) suppliers of VENP in order to verify the actual need for such a discount.
Furthermore, due to objective conditions of economic, legal or technical nature, VENP may be forced to disclose or to entrust personal data for processing to its suppliers in order to:
- obtain a special rebate,
- process an order,
- verify personal data in its trade control systems, the so-called WSK,
- verify personal data in the trade control systems of the manufacturers, the so-called Export Control,
- activate the product or service (e.g. maintenance) with the manufacturer,
- perform after-sales support.
Personal data may be transferred to the following categories of entities: manufacturers of products offered by VENP, authorised distributors of these products, external authorised manufacturers’ service centres, spare parts warehouses, freight forwarders, professional carriers, postal operators, Exclusive Networks Group companies and other entities processing data on behalf of VENP, e.g. providers of hosting, IT services, administrative, legal, consultancy, marketing and PR services.
Data may be transferred to contractors, cooperating entities and IT service providers located outside the European Economic Area, with the provision of legal safeguards (e.g. model contractual clauses for data protection approved by the European Commission) on the terms of Articles 44 – 49 of GDPR.
In addition, due to objective conditions of technical nature, VENP is forced to store the received personal data in order to:
- perform the services of remote configuration and technical support,
- remotely diagnose the product at the request of the buyer to verify their warranty claims, to secure them against exposure to unnecessary costs in the event of submission of unjustified claim,
- execute guarantee services, including:
i. assign the RMA number,
ii. track and collect the shipment,
iii. potentially establish contact with the sender (buyer or intermediary) to clarify any doubts,
iv. send return shipment.
In view of the above, VENP derives a legitimate interest to process personal data in accordance with the requirements of GDPR, and:
- undertakes not to expand the above-mentioned adopted criteria without prior consent of data owners,
- considers and respects the rights of data owners in accordance with the applicable legal standards, particularly in the following areas:
- data protection and restriction of access to such data only to authorised persons,
- transmission of data to third parties, particularly outside the EU,
- no profiling,
- no processing of sensitive data,
- use of pseudonymisation, wherever technically and economically justified and legally permitted,
- notification about obtained data in accordance with Article 14 point 3b of GDPR,
3. assumes related liability, including liability concerning the potential leak of such data, as well as civil and administrative liability.
If VENP has to process personal data for any other purposes, a relevant consent shall always be obtained prior to the processing. VENP shall not make personal data available to third parties for marketing purposes.
4. What are the sources of personal data?
VENP may obtain personal data in the following manner:
- direct consents on the basis of the person’s registration for an event (training session, webinar, special offer) organised by VENP via an online form (event website),
- consents arising from the invitation sent automatically when adding the person to the CRM system functioning at VENP,
- consents arising from invitations sent by the CRM employee from the personal card level,
- independent registration of end users in the VENP systems by electronic means in order to obtain information about products offered by this company,
- independent registration of intermediaries in the VENP systems by electronic means in order to obtain information about products offered by this company,
- entrusting the data of employees of business partners of VENP provided on the basis of partnership agreements containing the provision on consent for the transmission of information about the products and commercial offer of VENP,
- entrusting personal data to VENP by third parties (the obligations of entities entrusting personal data to VENP are specified in point 6 below),
- personal meetings during which contact details are exchanged,
- use of existing information gathered in the databases of VENP,
- digital marketing (TBD).
5. How is personal data secured against the violation related to its processing?
Personal data processed by VENP is stored at secure servers in Poland. VENP has implemented appropriate technical and organisational measures in order to protect personal data against unauthorised or unlawful processing, including loss, destruction or damage. These measures include but are not limited to: access control systems, firewalls and antivirus programs, endpoint protection management, vulnerability scanning, appropriate backup policies. In case of personal data processed in paper form, data is stored in separate rooms to which only authorised persons have access, and if the data is processed in rooms to which more people have access, the data is stored in locked cabinets the keys to which are only in possession of persons authorised to process data.
6. Obligations of entities entrusting personal data of third parties to VENP
Considering the fact that, in certain cases, VENP may make personal data available to a third party, the third party undertakes to follow the below-mentioned obligations, regardless of the fact whether it acts as an entrusting entity or as an entity to which VENP has entrusted or made available data for processing.
Upon the provision of personal data to VENP, the third party confirms that it assumes liability and indemnifies VENP against any liability arising from the fact that the third party has failed to obtain relevant consents of data subjects, and if an administrative fine or obligation to pay compensation is imposed on VENP, the third party undertakes to pay the amount equal to the imposed fine and/or compensation upon the first request of VENP.
The entrusting entity particularly, but not exclusively, undertakes to:
- process the data only for the performance of cooperation for the duration of cooperation and potential security of claims arising from such cooperation, unless the data retention period arises from the commonly applicable provisions of the law,
- use the personal data entrusted to it by VENP only for the purposes indicated at the time of transmission of personal data or at a later date, upon prior approval of VENP,
- ensure sufficient guarantees of implementation of appropriate technical and organisational means so that the processing would meet the requirements of GDPR and protect the rights of data subjects,
- obtain all legally required consents entitling it to make personal data available to VENP for the purpose of entrusting such data further to the following entities: authorised distributors of products, equipment manufacturers, external authorised service centres of the manufacturer, warehouses with spare parts, service centres acting as intermediaries in the transport of equipment. If, for the proper performance of obligations arising from cooperation, it is necessary for VENP to entrust the data further, also to a third country, the third party represents that VENP may do so, and guarantees that it has the right to make personal data available to VENP for this purpose, the third party is considered to be the Controller within the scope of such data and performs the obligations set forth in Articles 12, 13 and 14 of GDPR. As far as VENP is subject to the information obligation arising from GDPR, the Parties agree that such obligations shall be performed by the third party, and the third party shall be fully liable towards VENP for the proper performance of such obligations, and shall be liable, without limitations, to the potential damage incurred by VENP on the account of improper performance of such obligations,
- upon the completion of the provision of services related to data processing, the third party shall be obliged to delete or return to VENP, at the discretion of VENP, all personal data entrusted to it, and to remove all existing copies of such data, unless the processing is necessary in view of the commonly applicable provisions of the law or in order to determine, assert or secure claims.
7. Information about the rights of persons whose personal data are processed by VENP
VENP ensures the execution of the following rights vested in the persons whose personal data are processed:
- right to receive information about the processing of personal data,
- right to access the contents of processed personal data,
- right to rectify data,
- right to demand from the Controller to erase data,
- right to demand from the Controller to restrict the processing of data,
- right to data portability,
- right to object against the processing of data,
- right to lodge a complaint to the Polish supervisory authority or the supervisory authority of another European Union member state,
- right to withdraw consent to the processing of personal data at any time.