Privacy policy
1.1 This Privacy Policy is a document containing information about the processing of personal data by the group of affiliated companies, i.e. SPECTRA LIGHTING Spółka z ograniczoną odpowiedzialnością headquartered in Warsaw; SPECTRA LIGHTING Spółka z ograniczoną odpowiedzialnością Sp.k. headquartered in Warsaw; QUEST Spółka z ograniczoną odpowiedzialnością headquartered in Warsaw; and QUEST Spółka z ograniczoną odpowiedzialnością Sp.k. headquartered in Warsaw (hereafter: the Company or the Companies or the Controller or Joint Controllers), of personal data of persons using services provided by these Companies, including via websites and online tools, persons who contact or cooperate with the Companies, regardless of the form of cooperation, in connection with the purposes carried out by the Companies as set out in their agreements.
1.2 Because the Companies form a capital group and are affiliated entities, carry out the same personal data processing operations in relation to their business activity, and have concluded an agreement concerning joint administration of personal data, this document refers jointly to all the Companies listed above.
1.3 Each Company respects the privacy of persons using their services, contacting them, or cooperating with them; therefore, this privacy policy is made available so that each such person may learn how their personal data are processed, and may independently, consciously, and freely decide about their processing.
1.4 This Privacy Policy describes generally how and to what extent the Companies process personal data of persons, for what purposes those data are used, to whom they are disclosed, and how they are protected. The Privacy Policy also sets out what rights are accorded to persons whose personal data are processed.
1.5 This document is of a general nature and presents the most important issues related to personal data processing. Further detail is provided in the system documents adopted and binding within the group of Companies, which specify in detail the rules for secure processing of personal data; in particular in instructions, contractual documentation or information clauses, which persons receive or accept at the moment of collecting data from them in connection with use of services, e.g. when contacting for a quotation, fulfilling an order, contact forms, concluding civil-law contracts or addressing correspondence to the Companies.
1.6 Where the Companies use cookies or other data‑collecting technologies on their websites, information is provided in a separate Cookies Policy document.
1.7 As part of their operations, the Companies process personal data in accordance with law, fairly and knowingly, preserving transparency in the area of data use in line with the purpose for which they were collected, and ensuring control over individual processing operations by ensuring persons have control regarding personal data relating to them.
1.8 The Privacy Policy contains information about processing of personal data concerning the following categories of persons:
a) Contractors or service‑providers in respect of persons authorized to conclude civil‑law contracts or designated for contacts or for performance of those contracts.
b) Persons contacting the Companies (by telephone, email, via contact form on the website) and persons whom the Companies contact (by telephone or email).
c) Customers, with regard to products or services purchased, including rights or obligations arising from the general terms of sale applicable to those purchases.
d) Persons using the newsletter service.
e) Persons contacting the Companies for a quotation or initiating cooperation.
1.9 As indicated above, a joint controllership agreement has been entered into between the Companies, which means that each of the following:
process personal data of the persons indicated above in the agreed scope. Irrespective of the agreed responsibilities of each Controller, each of them is responsible to the persons whose personal data they process, for lawful processing.
This Privacy Policy used in the Companies is based on the following legislation:
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”),
b) Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1791, as amended),
c) Act of 16 July 2004 – Telecommunications Law (Journal of Laws 2022, item 1648, as amended),
d) Act of 18 July 2002 on the provision of electronic services (Journal of Laws 2020, item 344, as amended).
3.1 The most important principles that the Companies follow when processing personal data are:
a) Personal data are collected only to the minimal extent necessary for achieving the purposes for which they are collected.
b) The purposes for collecting personal data are clearly defined, based in law or in the statutory activities of the Companies – the Companies do not process personal data in a manner inconsistent with those purposes.
c) The Companies ensure that personal data are accurate and up to date; they act without delay on any requests to correct or update data, unless applicable law provides otherwise.
d) The Companies ensure the rights of persons to access their personal data and to correct them, unless relevant legal provisions provide otherwise.
e) Where applicable, the Companies also provide for the rights of individuals to have their personal data erased, to withdraw consent, to restrict processing, to data portability, the right to object to processing, and the right not to be subject to decisions based solely on automated processing, including profiling.
f) The Companies limit retention of personal data in accordance with legal requirements, only for periods necessary for the purposes for which they were collected, unless legal grounds exist that allow longer retention.
g) The Companies protect personal data against loss, unauthorized access, accidental alteration or loss, as well as other unlawful forms of processing.
h) If personal data are disclosed to other entities, this is done securely, under contract, and in accordance with applicable law.
3.2 Data collection forms used in services are targeted to adults. Therefore, the Companies do not knowingly process personal data of persons under the age of 16. Consent given by persons aged 16 or above is valid. If the Companies become aware that a person under 16 has provided personal data without verifiable parental consent, they shall cease processing such data, and access to services will be blocked.
Each of the categories of persons referred to above, whose data are processed, is entitled to make requests to the Controllers with respect to the following rights:
4.1 The right of access to one’s personal data and to their correction (Articles 15 and 16 GDPR).
4.2 The right to restrict processing of one’s data in the situations and under the conditions specified in Article 18 GDPR or to have them deleted in accordance with Article 17 GDPR (“right to be forgotten”).
4.3 The right to object to processing of one’s data for reasons related to one’s particular situation (Article 21 GDPR), unless the Controller demonstrates legally justified grounds for processing which override the interests, rights, and freedoms of the data subject, or grounds for establishment, enforcement or defence of claims.
4.4 The right to withdraw consent at any time without giving reasons, without affecting the lawfulness of processing based on consent before its withdrawal.
4.5 The right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (address: ul. Stawki 2, Warsaw (00‑193)).
4.6 To exercise any of the above rights, one should contact the Company designated for contact as indicated above. To withdraw consent, the data subject may send an email to: sekretariat@spectra-lighting.pl
In compliance with the obligation under Article 13 or 14 of Regulation (EU) 2016/679 of 27 April 2016 (hereafter: GDPR), the Companies inform that in the case of the categories of persons indicated above, each of the above‑mentioned entities is a Controller of the data within the meaning of Article 4 point 7 GDPR. For purposes of contact with the Controller, including in matters related to personal data processing and exercising rights of data subjects, the Companies have designated SPECTRA LIGHTING Spółka z ograniczoną odpowiedzialnością Sp.k., contact via email: sekretariat@spectra-lighting.pl
5.1 It is also possible to contact the designated Company by traditional mail to the address of its registered office given above, or in person at the registered office.
5.2 The Controllers have also appointed a person to be contacted in matters concerning processing of personal data or exercising data subject rights, via email: sekretariat@spectra-lighting.pl
5.3 Information about processing data of contractors / service providers (persons authorized to enter into civil‑law contracts or designated for contact or contract execution)
5.3.1 Purposes and legal grounds for processing
Data of this category are processed because these persons have been authorized by their contractor or service provider to conclude agreements, or are contact persons, or are responsible for execution of contracts. Accordingly, their data will be processed for the following purposes:
a) entering into a contract or contact in ongoing matters, including performance of contracts between the Companies and the contractor/service provider whom the person represents or is designated to contact or execute the contract;
b) settling public law obligations arising from contracts entered into;
c) establishing, defending, or pursuing any claims arising from a contract with the contractor/service provider represented by that person, whenever a dispute arises concerning such contract;
d) archival purposes.
The legal basis for processing personal data is Article 6(1)(f) GDPR, i.e. the legitimate interest of the Controller manifested by the necessity to enter into contracts in order to conduct and perform the business activity of the Companies, including the ability to maintain ongoing contact with contractors / service providers (i.e. their employees / collaborators) in order to fulfil those contracts. If the contractor or service provider operates a sole proprietorship, the legal basis is Article 6(1)(b) GDPR, i.e. processing is necessary for entering into, or performance of, a contract. For purposes of settling public law obligations or archival purposes, the basis is Article 6(1)(c) GDPR, i.e. compliance with a legal obligation.
5.3.2 Source of data
The Companies obtain the personal data directly from the person whose data are being processed in case they represent the contractor/service provider and conclude the contract on their behalf, or directly from the contractor / service provider if these are personal data of their employees or persons designated for contact or performance of the contract. The Companies process identifying and contact data, job position, and the type of matters that the contractor’s contact person handles.
5.3.3 Obligation to provide data
Providing personal data is voluntary; however, it is necessary so that the Companies can successfully enter into contracts and fulfil their obligations towards contractors / service providers. In the case of settling public law obligations or archival purposes, provision of personal data is mandatory as required by applicable law.
5.3.4 Storage period
The Companies process personal data for the period of duration and performance of the relevant contracts with contractors / service providers whom the person represents, and after termination of the contract for a period of 3 years counted from its expiry, unless the data subject objects to processing of their data for reasons related to their particular situation and the Company cannot demonstrate legally justified grounds overriding the interests, rights, and freedoms of that person, or grounds for establishing, pursuing or defending claims. In case of claims arising from a contract, personal data will be processed until all legal remedies available to the parties from that contract are exhausted. In case of settling public law obligations, personal data will be processed for a period of 5 years from the end of the year in which the tax obligation arose. For archival purposes, personal data shall be retained no longer than permitted under the Act of 14 July 1983 on the national archival resource and archives.
5.4 Information about processing data of other persons contacting the Companies (by telephone, email or via contact form)
5.4.1 Purposes and legal basis for processing
The Companies process personal data of natural persons to:
a) respond to their inquiries, including contacting them for that purpose;
b) handle the necessary processes in connection with communication addressed to the Companies.
The legal basis for processing in these cases is Article 6(1)(a) GDPR, i.e. consent expressed by the person in the form of a statement or a clear affirmative action, which is the fact of sending the inquiry.
5.4.2 Source of data
The Companies receive personal data directly from the person concerned. The Companies process the following data: name, surname, telephone number and email address provided, job title, place of employment.
5.4.3 Obligation to provide data
Providing personal data is voluntary; however, it is necessary in order for the Companies to be able to process communications and contact these persons.
5.4.4 Storage period
The Companies process the personal data while there is an ongoing relationship with the person (e.g. answering questions, exchanging correspondence), and after the relationship ends, for a period of three years. After that period, the Companies may contact the person to ask whether their data may continue to be processed or remove their data. In any case, data are processed until the purpose of processing ends or consent is withdrawn.
5.5 Information about processing data of customers
5.5.1 Purposes and legal basis for processing
The Companies process personal data of natural persons in order to:
a) fulfill sales contracts of their own products or services in accordance with the terms of concluded agreements;
b) exercise consumer rights, including handling complaints;
c) enforce rights arising from warranties;
d) conduct marketing, including sending commercial information;
e) maintain business relationships or develop cooperation;
f) settle tax obligations.
The legal basis is, respectively, Article 6(1)(b) GDPR — processing necessary for conclusion and performance of a contract, including performance of rights vested in customers under it; Article 6(1)(f) GDPR — legitimate interest of the Controller in conducting marketing of its own products and services, maintaining business relations and their further development; Article 6(1)(c) GDPR — fulfilling legal obligations arising from selling goods or services, under tax law and, where the customer is a natural person, also consumer law.
5.5.2 Source of data
The Companies receive the personal data directly from the person whose data are concerned or from the entity which appointed them for the contract or contact in connection with purchase of goods or services. The Companies process identifying, contact data, or data regarding purchased products or services.
5.5.3 Obligation to provide data
Provision of data for the purposes indicated above is voluntary, though necessary for performance of those purposes. Failure to provide data prevents entering into the contract and effective purchase of goods or services. In the case of processing data for fulfilling public law obligations related to the sales contract, data are processed under tax law, and providing them is mandatory as provided by legal regulations.
5.5.4 Storage period
Personal data are processed for purposes of settling public-law obligations in relation to completed orders for a period of 5 years from the end of the year in which the purchase of goods or services was made. Personal data processed in connection with a concluded sales contract are retained until its performance, no longer than until the limitation period for claims arising from it or the enforcement of rights arising under the contract. Personal data processed for marketing, maintenance or development of business relationships are retained until the data subject objects or the purpose of processing ends, unless the Company demonstrates the existence of legal grounds overriding the interests, rights and freedoms of that person, or grounds for establishment, pursuit or defence of claims. Personal data processed for complaints are retained until the complaint is resolved or any dispute arising from it is settled. Personal data processed for execution of consumer rights are retained for the period necessary to assert them.
5.6 Information about processing data of persons using the newsletter service
5.6.1 Purposes and legal grounds for processing
The Companies process personal data of individuals who have subscribed to the newsletter in order to send them the newsletter to which they have subscribed on spectra-lighting.pl.
The legal basis for processing personal data is Article 6(1)(f) GDPR — the legitimate interest of the Controller in being able to send information to persons interested in current products or services offered by the Companies, for persons or entities who have subscribed to such service and have consented to receive commercial information.
5.6.2 Source of data
The Companies receive personal data directly from the person concerned. The Companies process the email address for this purpose.
5.6.3 Obligation to provide data
Providing data is voluntary, but necessary in order for the Companies to provide the service.
5.6.4 Storage period
The Companies retain personal data until withdrawal of consent to receive commercial information or until the processing purpose ends.
5.7 Information about processing data of persons submitting offers or whom the Companies contact to obtain offers
5.7.1 Purposes and legal basis for processing
The Companies process personal data of individuals who contact the Companies for a quotation or whom the Companies contact to obtain offers of goods or services, for purposes of:
a) preparing and sending the Companies’ current product offer to interested persons;
b) establishing cooperation with those persons or the entities for whom they act;
c) obtaining current product offers needed for the Companies’ own business operations.
The legal basis is Article 6(1)(f) GDPR, which is the legitimate interest of the Controller manifested by the necessity to respond to queries for product or service offers, to establish cooperation, or by the need to source current offers for its own business activity.
5.7.2 Source of data
In case of inquiries submitted to the Companies, personal data are obtained directly from the persons submitting them. In case the Company sends offer queries to relevant entities, personal data are obtained from publicly available sources, e.g. websites of those entities and contact information provided there. The categories of data processed are identifying and contact data.
5.7.3 Obligation to provide data
Providing personal data is voluntary, but necessary to allow the Companies to handle the process of preparing and sending offers and to contact persons interested in offers.
5.7.4 Storage period
The Companies process personal data during the period of current relationship with the person (preparing and responding to the offer query, exchanging correspondence in that regard), and after termination of the relationship for a period of three years. After that period, the Companies may contact the person to ask about the possibility of further processing of their data or remove their data.
6.1 In the Companies group, technical and organizational measures are taken to protect personal data against unlawful or unauthorized access or use, as well as accidental destruction, loss or alteration and other unlawful forms of processing. The principle of ensuring security is implemented at every stage of their operations. Security procedures include in particular: access protection, backup systems, monitoring, review and maintenance, management of security incidents.
6.2 As part of ensuring the security of processed personal data, the Companies observe the following principles:
a) confidentiality — protection of data from accidental disclosure to third parties;
b) integrity — protection of data from unauthorized modification;
c) availability — ensuring access for authorized persons to data when needed.
6.3 Personal data may be processed by third parties only when such entity commits to ensure appropriate technical and organizational measures guaranteeing the security of personal data processing, as well as confidentiality of those data. Every employee of the Company who has access to personal data has a proper authorization and is obliged to keep them confidential.
7.1 The Companies may transfer personal data within the capital group, where necessary for the purposes defined in this document and where allowed by applicable law. Accordingly, each Company may share data with its parent companies, subsidiaries, and companies under the control of the parent company. In any case, each Company requires the affiliated entities to comply with the provisions of this Privacy Policy when data are shared.
7.2 The Companies may entrust processing of personal data to third‑party entities acting on behalf of and for the benefit of individual Companies in connection with the necessity to deliver services requiring the processing of personal data. Such entrustment is effected under written contracts for processing of personal data. The Companies guarantee that the data entrusted in this way will be processed by that entity solely for the purpose and to the extent specified in the entrustment contract, and that such entity will apply technical and organizational measures protecting the entrusted personal data from unauthorized access, loss, modification, or destruction. Categories of third parties to whom personal data may be disclosed include, in particular: IT service providers, marketing agencies, investors, design offices, postal or courier services, print shops, entities providing consulting, legal or auditing services. To the extent permitted by applicable law, the Companies may also share data with institutions dealing with the recovery of debts, including debt‑collection companies and debt purchasers, and their representatives.
7.3 In some cases external entities providing services on behalf of the Companies may act as independent Controllers, e.g. Polish Post or other postal operators, payment institutions.
7.4 In justified cases personal data may also be disclosed to public administration authorities under directly applicable legal norms (e.g. courts, prosecutors, police, municipal guard, state offices).
7.5 In case data recipients independently process personal data in their own name (e.g. offering goods or services through their own channels without participation of the Companies, or providing services in their own name), then they become separate Controllers and in that scope bear their own responsibility for processing such personal data, not bound by this Privacy Policy of the Companies.
7.6 Websites of the Companies may contain links to other websites, social media service pages, or websites of cooperating entities. When a person proceeds to a website of a third party, they become subject to that third party’s privacy and data protection policy.
8.1 The Companies do not transfer personal data in connection with processing operations carried out in the course of their business activities to countries outside the European Economic Area (EEA), except for data which are publicly available via the Internet, insofar as they are accessible outside that area.
9.1 Personal data will not be processed in an automated manner (including profiling). Any profiling of personal data by the Companies would consist in processing data to assess certain information about customers with regard to the targeting of commercial information.
10.1 The Companies reserve the right to introduce amendments to this Privacy Policy; any such revision will be posted on the website www.spectra-lighting.pl.