Privacy Policy

of the website at https://mpsystempack.com/ operated by MPSystem Sp. z o.o. with its registered office in Ostrówek

I. Introduction

MPSystem Sp. z o.o. is a business entity for which, apart from its main area of activity, which is the production of professional product protection packaging, it is also important to comply with the requirements of Polish and European Union law. Caring for the privacy of individuals associated with MPSystem Sp. z o.o. is one of our priorities, which is why we make every effort to ensure the security of personal data and its transparent processing in compliance with the provisions of the GDPR.

In connection with the Controller's business activities and the User's use of the Website, the Controller collects personal data to the extent necessary to provide the services offered and to meet specific legal requirements, as well as information about the User's activity on the Website. The detailed rules and purposes of personal data processing are described below. This Privacy Policy also constitutes an extensive information obligation resulting from the content of Articles 13 and 14 of the GDPR.

II. Explanation of key terms and abbreviations

Website – the website located at https://mpsystempack.com and its subpages;

User – any natural person visiting the Website or using one or more services or functionalities described in the Policy, as well as any natural person to whom the personal data processed by the Controller relates;

Personal data - information about an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected through cookies and similar technologies;

Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adapting or altering, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying;

Controller - an entity which, alone or jointly with others, determines the purposes and means of processing personal data;

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

III. Information about the personal data Controller

The personal data Controller is MPSystem Spółka z ograniczoną odpowiedzialnością, NIP (tax identification number): 8722407436, REGON (statistical number): 18098169100000, KRS: 0000475078. The Controller's registered office is located in Ostrówek, ul. Św. Jana Pawła II 4, 07-132 Ostrówek. The Controller can be contacted by e-mail (e-mail: info@mpsystempack.com) and by post at the address of the registered office in all matters related to the processing of personal data and the exercise of the rights of data subjects provided for in the provisions of the GDPR.

IV. Principles followed by MPSystem Sp. z o.o. when processing personal data

Art. 5(1)(a) of the GDPR	lawfulness, fairness and transparency	Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
Article 5(1)(b) of the GDPR	purpose limitation	Personal data must be collected for specified, explicit and legitimate purposes
Art. 5(1)(c) of the GDPR	data minimisation	Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
Art. 5(1)(d) GDPR	accuracy	Personal data must be accurate and, where necessary, kept up to date
Article 5(1)(e) of the GDPR	storage limitation	Personal data must be stored in a form that allows the data subject to be identified for no longer than is necessary for the purposes for which the data are processed
Article 5(1)(f) of the GDPR	integrity and confidentiality	Personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

V. Categories of persons whose personal data may be processed by MPSystem Sp. z o.o.

The processing of personal data by MPSystem Sp. z o.o. may concern the following categories of persons:

customers and potential customers, contractors, suppliers who are natural persons not conducting business activity or entrepreneurs conducting sole proprietorship registered in CEIDG, and persons designated for representation and contact,
persons interested in the Controller's offer,
persons contacting the Controller by e-mail, telephone and letter,
persons visiting the Website operated by the Controller,
users of contact forms on the website,
persons applying for jobs via the contact channels on the website,
persons visiting the Controller's profile on LinkedIn,
persons visiting the Controller's headquarters.

VI. Scope of data processed by MPSystem Sp. z o.o.

Depending on the purpose, the Controller may process a narrower or broader catalogue of personal data, including the following:

a) identification and contact details:

first name, surname, address, e-mail address, telephone number, company name, tax identification number (NIP), statistical number (REGON);

b) personal data left on the LinkedIn profile:

first name, surname, username, image, content of posts, other information shared by users;

c) other data:

provided in the content of messages or attached files.

VII. Source of data collection

In general, personal data is obtained directly from the data subject. In the case of transferring data of contact persons and contract service personnel with MPSystem Sp. z o.o., the Controller may obtain data from the contracting party. Data of persons representing the contracting party may also be obtained from publicly available sources, e.g. the National Court Register (KRS), websites.

VIII. Purposes and grounds for the processing of personal data by MPSystem Sp. z o.o.

Depending on the case and the purpose of processing, the basis for the processing of personal data may be:

consent - Article 6(1)(a) of the GDPR, including consent to contact by electronic means and to send commercial information by electronic means (here also consent pursuant to Article 398 of the Electronic Communications Law), consent to the processing of data for future recruitment;
contract – Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, including negotiations, conclusion and performance of contracts with customers and contractors, and recruitment procedures;
legal obligation of the Controller - Article 6(1)(c) of the GDPR: processing is necessary for compliance with a legal obligation to which the Controller is subject, including obligations under the Accounting Act, the Civil Code, and the Labour Code);
legitimate interest pursued by the Controller – Article 6(1)(f) of the GDPR: processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The specific purposes of personal data processing are set out below:

Purpose	Legal basis
steps taken to conclude a contract with MPSystem Sp. z o.o., performance and settlement of the contract	necessity for the performance of the contract (Article 6(1)(b) of the GDPR)
archiving of settlement documents	necessity for compliance with legal obligations imposed on the Controller (Article 6(1)(c) of the GDPR)
compliance with legal requirements (including the Civil Code, accounting regulations, employment regulations)	necessity for the performance of legal obligations imposed on the Controller (Article 6(1)(c) of the GDPR)
handling complaints and claims by MPSystem Sp. z o.o.	necessity for the performance of a contract (Article 6(1)(b) of the GDPR)
pursuing and defending against claims	the legitimate interest of the Controller (Article 6(1)(f) of the GDPR)
provision of services related to the availability and functionality of the Website	legitimate interest of the Controller (Article 6(1)(f) of the GDPR)
maintaining the customer database of MPSystem Sp. z o.o.	consent (Article 6(1)(a) of the GDPR)
sending commercial information from MPSystem Sp. z o.o. by electronic means to the indicated e-mail address or telephone number	consent (Article 6(1)(a) of the GDPR)
providing information about the services provided and promoting them on social media	consent (Article 6(1)(a) of the GDPR), legitimate interest of the Controller (Article 6(1)(f) of the GDPR)
recruitment activities in response to job applications submitted via the contact channels on the website	consent (Article 6(1)(a) of the GDPR)
ensuring the safety of persons and property (including in the form of CCTV monitoring inside the headquarters of MPSystem Sp. z o.o.)	legitimate interest of the Controller (Article 6(1)(f) of the GDPR)
administration of the IT system, improvement of the Website's functionalities	legitimate interest of the Controller (Article 6(1)(f) of the GDPR)
purposes related to initiating and maintaining business contacts, creating a network of contacts in connection with business activities, e.g. during business meetings or through the exchange of business cards	consent (Article 6(1)(a) of the GDPR), legitimate interest of the Controller (Article 6(1)(f) of the GDPR)

IX. Rights of data subjects

Depending on the specific situation, Users have the right to exercise the rights set out in Articles 7-22 of the GDPR:

Right to withdraw consent	Article 7 of the GDPR	The data subject has the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to information	Articles 12-14 of the GDPR	The Controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 in a concise, transparent, intelligible and easily accessible form, in clear and simple language, provide the data subject with all the information referred to in Articles 13 and 14
Right of access to data and to obtain a copy of the data	Art. 15 GDPR	The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The Controller shall provide the data subject with a copy of the personal data undergoing processing.
Right to rectification and completion of data	Art. 16 GDPR	The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.
Right to erasure	Art. 17 GDPR	The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay.
Right to restriction of processing	Art. 18 GDPR	The data subject has the right to request the Controller to restrict processing in certain cases specified by law.
Right to data portability	Art. 20 GDPR	The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller.
Right to object	Art. 21 GDPR	The data subject shall have the right to object at any time on grounds relating to his or her particular situation.
Right not to be subject to automated processing, including profiling	Art. 22 GDPR	The data subject has the right not to be subject to a decision based solely on automated processing, including profiling
Right to lodge a complaint with a supervisory authority	Art. 77 GDPR	The data subject has the right to lodge a complaint with the President of the Personal Data Protection Office in Warsaw.

Requests to exercise data subjects' rights can be made in several ways:

in person at the headquarters of MPSystem Sp. z o.o. located at Ostrówek, ul. Św. Jana Pawła II 4, 07-132 Ostrówek,
by email to: info@mpsystempack.com,
by post to the following address: Ostrówek, ul. Św. Jana Pawła II 4, 07-132 Ostrówek.

X. Data recipients

Depending on the specific case, the recipients of personal data may include entities that are authorised to receive it under the law (e.g. the police, the public prosecutor's office, the court, inspectorates and guards in connection with ongoing proceedings). Authorised employees and associates of the Controller may have access to the data. In addition, the data may be made available to couriers, postal operators, service technicians, hosting providers, mail server providers, and entities providing legal, financial and advisory services. Personal data is not transferred to other entities for commercial purposes without consent.

XI. Data retention periods

The Controller respects the principle of limited storage (Article 5(1)(e) of the GDPR), according to which personal data must be stored in a form that allows the data subject to be identified for no longer than is necessary for the purposes for which the data are processed. Therefore, retention periods have been established for data processed on a specific legal basis:

the period required by relevant legal provisions (including provisions on the storage of accounting and tax documentation);
the period until consent is withdrawn (for data processed on the basis of consent);
the period until the expiry of claims related to business activities;
the period until the cookie expires;
the period of up to 3 months in the case of video surveillance data (unless it is secured for the purposes of conducting proceedings).

The Controller has no influence on the data retention periods on the LinkedIn portal where it has a profile. After the processing period has expired, the data is irrevocably deleted or anonymised.

XII. Voluntary/mandatory provision of personal data

With regard to each of the processing purposes, the provision of data is voluntary, but in most cases necessary because it determines whether the purpose can be fulfilled adequately. Without providing personal data, it is not possible to conclude contracts, contact with the Controller, conducting recruitment, exercising the rights of data subjects or pursuing claims.

XIII. Security of personal data processing

The Controller, respecting the obligations arising primarily from Articles 24 and 32 of the GDPR, is constantly working on the implementation of appropriate technical and organisational measures to ensure a high level of protection of personal data against unauthorised access, loss or destruction. The security measures include, in particular, data encryption, securing servers, systems and devices against unauthorised access, verification of processors, conducting security audits, monitoring the IT system for threats, and allowing only persons authorised by the Controller and trained in personal data protection to process data.

XIV. Information on the intention to transfer personal data to a third country or international organisation

The Controller informs that it does not intend to knowingly and intentionally transfer Users' personal data to a third country or international organisation. The Controller notes that it may use cloud technologies provided by entities that may be located and operate outside the EEA.

XV. Information on automated decision-making, including on profiling

The data is not used for automated decision-making and will not be profiled without the consent of Users.

XVI. Final provisions

This version of the Privacy Policy is effective from 27.11.2025. The Controller reserves the right to amend the content of the Privacy Policy as necessary and in line with changes in circumstances within the scope of its activities. Any disputes concerning the provisions of the Privacy Policy shall first be subject to amicable settlement.