Privacy Policy

Article 1 The rule of privacy protection

  • The data controller is Phytopharm Klęka S.A with the registered office at Klęka 1, 63-040 Nowe Miasto nad Wartą, entered into the register of entrepreneurs kept by the District Court in Poznań- Nowe Miasto and Wilda, 9th Commercial Division of the National Court Register (KRS) under KRS number 0000051392, NIP (tax identification number) 786-00-05-532.
  • Phytopharm Klęka S.A., as the personal data controller (hereinafter: “the Controller”) attaches great significance to protection of privacy and confidentiality of the personal data processed in the scope of the conducted business, including the data entered by the Internet users into electronic forms on a website, shared on the domain and domains of the Controller’s specific products (including,,,,, and, hereinafter “websites”).
  • The Controller selects and applies appropriate technical and organizational matters ensuring the protection of personal data processing with due diligence. Only persons diligently authorized by the Controller have full access to data.
  • The Controller protects personal data from sharing them with unauthorized persons, as well as from their processing with infringement on the rules of law.
  • Persons who visit the websites may view them without providing personal data.
  • In case of any doubts or requests regarding the willingness to exercise Your rights, please contact our data protection officer Maciej Sodkiewicz at the email address:

Article 2 The basis for personal data processing

  • Personal data are processed by the Controller in compliance with law regulations, in particular with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (hereinafter: “GDPR”) in order to:
    • provide answers to questions posted through forms and contact addresses, listed on the websites, based on the Controller’s legally justified interest, connected with the necessity to immediately respond to letters (article 6 section 1 point f GDPR);
    • run and decide on recruitment of persons who have applied to the recruitment processes, based on the Controller’s legal obligation and expressed consent (article 6 section 1 point a and c GDPR);
    • establish and maintain trade relationships and enter and execute agreements with the Client’s clients, suppliers and service providers, and also to document them and process them, pursue and protect claims and complaints related to them, based on the Controller’s legal obligation, in relation to carrying out their legally justified interest or in the scope necessary to take action before entering or executing agreements (article 6 section 1 point b, c and f GDPR);
    • process requests sent to the Controller for sponsoring, financing or support, in particular requests made by institution or persons in need, based on the Controller’s legally justified purposes, connected with the necessity to immediately reply to letters, based on the Controller’s legal obligations (article 6 section 1 point c GDPR);
    • conduct advertising and promotional activities, in particular the one targeted at professionals – specialists in the healthcare market – whose data were shared with the Controller, along with the contracts, based on the Controller’s legally justified interest (article 6 section 1 point f GDPR) and, in particular, in the scope of providing samples of medical products, based on the Controller’s legal obligations (article 6 section 1 point c GDPR);
    • concerning the reporting side effects, based on the Controller’s legal obligations (article 6 section 1 point c GDPR);
    • fulfilling other legal obligations of the Controller, based on article 6 section 1 point c GDPR (e.g. accounting and tax obligations).
  • Providing your data is voluntary, but the consequence of not providing them, depending on the case, may be among others: inability to receive a reply to the posted question, inability to participate in the recruitment process.
  • The user should not provide the Controller with third party personal data. However, if they provide such data, they guarantee each time that they have a legal basis for sharing such data.

Article 3. The scope of personal data processing

  • The Controller processes:
    • data included in questions sent to the Controller through contact addresses and forms on the websites;
    • data included in application documents sent to the Controller, connected with conducted recruitment;
    • data of the Controller’s clients, suppliers and service providers who are natural persons, and if it is necessary to carry out the agreement or fulfill the Controller’s legal obligations, e.g. connected with safety of production or distribution, also data of the Controller’s clients’ employees, suppliers and service providers;
    • data included in requests by persons who contacted the Controller for financing or sponsoring, or employees of institutions who made contact for such support, in particular data categories (e.g. information about health condition) – provided that they were included in the request sent to the Controller – if they are of importance for processing the filed request;
    • data of specialists on the healthcare market shared with the Controller based on the signed agreements, including their: name and surname, occupation, specialization, place of work, functions performed at their workplace, the number of the licence to practice the profession, scientific title and contact data;
    • data of patients, indicated in reports on side effects by themselves or by other persons or subjects, including special data categories (information on health condition) important to assess the report.
  • The Controller uses IP addresses collected during internet connections for technical purposes connected with server administration. Moreover, IP addresses are used to collect general, statistical demographic information (e.g. about the region from which the connection is made).

Article 4. Control of personal data processing

  • The User is obligated to provide full, up-to-date and true data.
  • Every person whose personal data are processed by the Controller, has the right to:
    • access their data and rectify or transfer them, so to receive them in an organized form, suitable to transfer them to a third party, including another personal data controller;
    • object to the processing of their data in the cases where it is based on justified interest of the Controller;
    • if the processing is based on a consent – the right to withdraw it at any time, with no effect on the compliance with the right to process which was done based on the agreement prior to it being withdrawn.
    • request to have their data removed (the right to be forgotten) or to limit their processing, among others, in the case of withdrawing the expressed agreement or objecting while not having other bases for processing such data by the Controller;
    • file a complaint to the President of the Personal Data Protection Office if they think that their actions infringe the provisions of law.
  • In case of willingness to use the rights determined in the section above may be done by sending a suitable request with the user’s stated name and surname and email address to our data protection officer Maciej Sodkiewicz at the email address:
  • The user has the right to issue a complaint to the Personal Data Protection Office if they think that the processing of their data infringes on the GDPR provisions.

Article 5 Sharing of personal data

User data may be shared with subjects authorized to receive them based on the law regulations, including the appropriate judicial authorities. Personal data may be transferred to subjects processing them on an order, i.e. marketing agencies, subjects providing services in the area of organizing workshops, conferences, partners providing technical services (development and maintenance of IT systems and websites), a subject running the accounting or delivery service companies. Personal data shall not be transferred to a third party country/international organization.

Article 6 The period of storing data and other information about data processing

  • Personal data shall be stored only for the period necessary to carry out a specific purpose for which they have been sent in or for the purposes of maintaining the compliance with law regulations, including the scope regarding:
    • providing a reply to the question posed (contact), personal data shall not be processed for more than three years after the end of the contact;
    • the recruitment process, personal data shall be processed for the period of the process and six months from its conclusion, and if an additional agreement is given – for 12 months from the moment of submitting the application documents;
    • clients, suppliers and service providers who are natural persons, personal data shall be processed for a period necessary to maintain trade relationships, and if they are terminated – for the time necessary to pursue and protect possible claims, defence against them or processing submitted complaints;
    • healthcare market specialists, personal data shall be processed until the Controller terminates advertising and promotional activities, until an objection to processing is submitted, and in the case of inventorying samples of medical products – for a period required by the provisions of law;
    • submitting a side effect, personal data shall be processed for a period of maximum 10 years.
  • Personal data shall not be processed in an automated way by the Controller.


BioaronDentosept Complex