Privacy Policy

Privacy Policy

1. Data Controller

The controller of your personal data is:Work Group Sp. z o.o.ul. Legnicka 62C/103, 54-204 Wrocław, PolandTel.: +48 71 786 87 80E-mail: biuro@workgroupevents.plWebsite: https://www.workgroupevents.pl(“Controller”)

2. Scope and Purpose of Processing

The Controller processes personal data of users of the website and of individuals who contact the Controller in connection with the services offered.

Data may include, among others: first and last name, e-mail address, phone number, correspondence address, identification data (e.g. NIP/REGON for contractors), contact history (correspondence, enquiries), invoicing and payment data, technical/IT data of the website, IP address/cookies where applicable.

Personal data are processed in particular for the following purposes:

• Contract and pre-contract activities (Article 6(1)(b) GDPR) — to conclude and perform a contract or take steps at the data subject’s request before entering into a contract.

• Marketing of own services — where consent has been given (Article 6(1)(a) GDPR) or where processing is based on the Controller’s legitimate interests (Article 6(1)(f) GDPR), subject to the right to object.

• Customer service and communications — handling correspondence, claims, satisfaction analysis and service development.

• Website operation and security — ensuring the website functions, IT maintenance, security monitoring, traffic analysis and fraud prevention.

• Legal obligations (Article 6(1)(c) GDPR) — e.g. obligations under tax, accounting and archiving laws.

Where processing is based solely on consent, data will be used within the scope of that consent; consent may be withdrawn at any time (Article 7(3) GDPR).

The Controller may also process data for analytical and statistical purposes in a way that does not identify individuals or after anonymisation.

3. Legal Basis for Processing

Processing is carried out on the basis of:

• Regulation (EU) 2016/679 (GDPR) — in particular Article 6(1)(a), (b), (c) and (f).

• Polish Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000, as amended) implementing GDPR in Poland.

• Article 6(1)(c) GDPR where processing is necessary for compliance with a legal obligation.

• Article 6(1)(a) or 6(1)(f) GDPR for marketing activities, with due respect for the right to object (Article 21 GDPR).

• Article 6(1)(b) GDPR where the data subject is a party to a contract.

4. Data Retention

Personal data are stored for as long as necessary to achieve the purpose for which they were collected.

After the purpose ends (e.g. completion of cooperation or account deletion), data are retained for the periods required by applicable law — e.g. tax, accounting and archiving obligations.

Where processing is based on consent, data are stored until consent is withdrawn or the processing purpose changes, unless another legal basis applies.

After the retention period expires, data will be:

• deleted; or

• anonymised (where retained in anonymised form for archiving or statistical purposes).

The Controller maintains a data retention policy, sets deletion/anonymisation schedules for specific categories of data and performs periodic reviews.

5. Your Rights

Individuals have the rights provided under GDPR, in particular:

• Right of access (Article 15) — to obtain confirmation of processing and a copy of the data.

• Right to rectification (Article 16) — to correct inaccurate or incomplete data.

• Right to erasure (“right to be forgotten”, Article 17) — in cases provided by law.

• Right to restriction of processing (Article 18) — e.g. where accuracy is contested, processing is unlawful, or data are no longer needed but must be retained to establish, exercise or defend claims.

• Right to data portability (Article 20) — to receive data in a structured, commonly used format and transmit them to another controller, where processing is based on consent or contract and carried out by automated means.

• Right to object (Article 21) — in particular to processing for marketing or profiling based on the Controller’s legitimate interests; upon objection, the Controller will cease processing for that purpose.

• Right to withdraw consent (Article 7(3)) — where processing is based on consent; withdrawal does not affect the lawfulness of processing prior to withdrawal.

• Right to lodge a complaint with the supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw. You may also request information about transfers to third countries or international organisations (Article 13(2)(f) GDPR).

6. Data Recipients and Transfers

Personal data may be disclosed to the following categories of recipients:

• IT and technical support providers, hosting, server maintenance and cloud service providers;

• accounting offices, bookkeepers and auditors;

• courier and transport companies where necessary to deliver services;

• marketing subcontractors and advertising agencies — only as necessary and consistent with the processing purpose;

• public authorities or courts where there is a legal obligation to disclose data.

Where data are processed by processors on behalf of the Controller, appropriate data processing agreements and safeguards are applied in accordance with Article 28 GDPR.

If data are transferred outside the European Economic Area (EEA), the Controller will ensure appropriate safeguards, such as standard contractual clauses, adequacy decisions or other measures compliant with Chapter V GDPR.

The Controller does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect the data subject.

7. Cookies and Similar Technologies

The website https://www.workgroupevents.pl uses cookies and/or similar technologies (e.g. local storage, beacons, pixels) for:

• proper operation of the site (e.g. remembering language settings, user sessions);

• traffic analytics and statistics (e.g. number of visits, traffic sources);

• improving functionality (e.g. recommendations, personalisation);

• online marketing (e.g. ads, remarketing) — only where prior consent has been given.

You can change cookie settings at any time via your browser or via tools provided on the website. Disabling cookies may affect some site functionalities.

Further details are set out in the dedicated Cookie Policy.

8. Security Measures

The Controller has implemented appropriate technical and organisational measures to ensure the security of personal data processing — in particular protection against unauthorised access, disclosure, loss, alteration or destruction — in line with Article 32 GDPR.

Examples include:

• access control for systems and premises where data are stored;

• data encryption and pseudonymisation where required;

• back-ups and disaster recovery;

• testing, risk assessments and security audits;

• staff training on data protection;

• records of processing activities and documentation of data protection measures.

Measures are reviewed and adapted to the level of risk, technological developments and changes in operations.

9. Personal Data Breach Reporting

In the event of a personal data breach likely to result in a risk to the rights or freedoms of natural persons, the Controller will:

• Notify the supervisory authority (UODO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR).

• Notify the data subjects without undue delay if the breach is likely to result in a high risk to their rights or freedoms (Article 34 GDPR).

• Maintain and implement internal incident-management procedures, including identification, impact assessment, mitigation, documentation and preventive actions.

• Provide the information required by law to the supervisory authority and, where necessary, to affected individuals — in a clear and transparent manner.

10. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy where necessary (e.g. due to changes in law, technology or how our services operate). Users will be informed in advance by publication of the updated version on the website.Last updated: 1 October 2025.

11. Final Provisions

Use of https://www.workgroupevents.pl or contacting Work Group Sp. z o.o. constitutes acceptance of this Privacy Policy.

For questions about personal data processing or exercising your rights, please contact biuro@workgroupevents.pl or +48 71 786 87 80.

This Policy and our data protection activities comply with:

• Regulation (EU) 2016/679 (GDPR)

• Polish Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000, as amended)