Security and Transparency

Data Protection Policy

Shortened version of the Personal Data Protection and Privacy Policy of Canna Gold Sp. z o.o.

Full Policy Document

You can familiarize yourself with all detailed legal terms by opening the official PDF document.

1. Basic Information and Data Controller

  • Data Controller: Canna Gold Sp. z o.o. with its registered office in Racibórz at ul. Gospodarcza 1.
  • Legal basis: Processing is carried out in accordance with the GDPR (Regulation (EU) 2016/679) and the Polish Act on the Protection of Personal Data of May 10, 2018.
  • Supervision: The Management Board of the Company is responsible for implementing the policy, and direct supervision is exercised by the Data Protection Officer (DPO) or the designated data protection coordinator.
2. Categories of Data Subjects and Purposes of Processing

  • Categories of data subjects: The Company processes the data of employees/collaborators, contractors/customers, suppliers, and website users. Services are not directed at children under the age of 16.
  • Main purposes and legal bases:
      • Performance of contracts and provision of services (Art. 6(1)(b) of the GDPR).
      • Fulfillment of legal obligations, such as accounting, tax, and personnel settlements (Art. 6(1)(c) of the GDPR).
      • Legitimate interests of the Company, including assertion of claims, IT systems management, and basic soft marketing (Art. 6(1)(f) of the GDPR).
  • Marketing and profiling: The Company does not conduct direct marketing, does not send spam, does not run newsletters, and does not profile natural persons for automated decision-making. Personal data is not subject to commercial sale.
3. Main Principles of Data Processing

The Company bases its operations on the fundamental principles of the GDPR:

Lawfulness, fairness, and transparency

Processing is carried out fairly, and customers are informed about its details through information clauses.

Data minimization and purpose limitation

Only data necessary to perform a specific task is collected; the Company avoids collecting data "in reserve".

Storage limitation

Data is subject to specific retention periods, after which it is permanently deleted or anonymized.

Privacy by design & default

Data protection and privacy are considered already at the design stage of new business processes and IT systems.

4. Rights of Data Subjects

Every person has the right to:

  • Access to their data and receive a copy of it
  • Rectification (correction) and completion of data
  • Erasure of data ("the right to be forgotten")
  • Restriction of processing and portability of data
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with the UODO (supervisory authority)
Time to fulfill requests: Answers to requests are provided without undue delay, generally within one month. The procedure is free of charge, unless requests are clearly unfounded or excessive.
5. Data Sharing and Transfers

  • Data entrustment (Processors): The Company uses external providers (IT, accounting offices, courier companies, law firms) with whom it enters into written data processing agreements (DPA) in accordance with Article 28 of the GDPR. These entities act solely on the documented instructions of the Company.
  • Public authorities: Data may be shared with state entities (e.g. ZUS, Tax Office, courts, Police) solely within the limits of law and after verification of the request.
  • Transfers outside the EEA: Data is stored and processed within the European Economic Area. In exceptional cases of transfer outside the EEA, the Company ensures legal safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
6. Security and Handling of Breaches

  • Technical and organizational measures: We apply authentication with unique passwords, antivirus software, firewalls, regular backups, and encryption of hard drives and internet transmissions (SSL/TLS, VPN). We also introduced physical access control to rooms, paper shredders, employee training, and mandatory non-disclosure agreements (NDAs).
  • Incident management: In the event of a detected data protection breach, the Company takes immediate steps to contain the leak. If the incident poses a risk to the rights or freedoms of individuals, the Company reports it to the UODO within 72 hours. In the event of a high risk, the affected individuals are also notified immediately in plain language.
7. Final Provisions

  • To implement the principle of accountability, the Company maintains a Record of Processing Activities (RoPA) and registers of authorizations and sharing.
  • This document is subject to regular review and update (at least once a year).

Canna Gold Sp. z o.o.
Last update: January 1, 2025