Effective from July 2024
The Controller of your data is ROCKWOOL Polska Sp. z o.o. in Cigacice, hereafter referred to as “ROCKWOOL Polska”, which is part of the international ROCKWOOL capital group.
ROCKWOOL Polska is committed to protecting your privacy. The protection of personal data is important to us. We only process your data in compliance with the applicable data protection legislation, in particular the General Data Protection Regulation (“GDPR”). For that reason ROCKWOOL Group has implemented a set of Binding Corporate Rules (“BCRs”), introducing data protection requirements to be complied with by the ROCKWOOL Group worldwide.
In connection with our business activities we, as data controller, process the personal data of our customers, suppliers, and users of our websites and apps as well as visitors and other third parties as described further in Section C.
This Privacy Statement will inform you about what personal data we process, how we collect it, the legal basis, the purpose of our processing, and the retention period. Furthermore, we inform you about your rights as a data subject.
ROCKWOOL Polska Sp. Z o.o.
Ul. Kwiatowa 14
66-131 Cigacice
Poland
E-mail: ldpo@rockwool.com
Company registration number: KRS 0000089825, REGON 970286608.
If you have any questions about our Privacy Statement and/or our processing of your personal data, please contact our Data Protection Officer:
Tel.: (+48) 68 38 50 250
Email: ldpo@rockwool.com
Depending on your relationship with companies from the ROCKWOOL Group, we will process different categories of your personal data for various purposes. Below are details of the purposes and means of processing your personal data.
|
Who? |
Categories of personal data |
Purposes of processing |
Legal basis |
Retention periods |
|
Clients and their representatives
|
Name, address, telephone number, e-mail, position and place of work, NIP, REGON, PESEL, number and series of identity document. |
Carrying out ordinary customer relations, i.e.: administration of payments, general communication, and management of day-to-day operations following legitimate and fair business practices (including planning, execution and management of cooperation; statistics, analysis). |
In the case of representatives, the data will be processed based on a legitimate interest related to the fulfilment of business relationships and contracts (Article 6(1)(f) of the GDPR). Implementation of a contract with an individual (Article 6(1)(b) of the GDPR).
|
Until the stated purpose has been fulfilled, but no longer than 12 years from the last purchase of our products or services.
|
|
Providing general customer service and support, including after-sales surveys |
Legitimate interests in ensuring customer satisfaction and improving our products and services (Article 6 (1) (f) of the GDPR). | |||
|
To gain customer insights and knowledge of how our products and services are used (e.g., by sending satisfaction surveys or market surveys). |
Consent of the data subject (Article 6(1)(a) of the GDPR). | |||
|
Fraud prevention and payment security. |
Legitimate interests in protecting the interests of the company (Article 6 (1) (f) of the GDPR). | |||
|
Establishment, protection or enforcement of legal claims. | ||||
|
Prospective customers and their representatives |
First and last name, address, phone number, e-mail, job title, and place of work. |
Generating business leads – see Part D for more information.
|
Consent of the data subject (for electronic activities) or legitimate interests in promoting the company and selling our products and services (Article 6(1)(f) of the GDPR). |
Until the customer is won, but no longer than 5 years after the last interaction.
|
|
Measuring effectiveness in customer acquisition – see Part D for more information. |
Data subject’s consent (for electronic activities) or legitimate interests in measuring the effectiveness of our activities (Article 6(1)(a), (f) of the GDPR). | |||
|
Pursuing business leads. |
Taking steps before entering into a contract (Article 6 (1) (b) of the GDPR). | |||
|
Suppliers of goods or services and their representatives |
Name, business telephone number, e-mail, position and place of work, NIP1, REGON2, PESEL3, identity document number and series, vehicle registration number, nationality. |
Carrying out ordinary supplier relations, i.e.: administration of payments, general communication, management of day-to-day operations following legitimate and fair business practices (including planning, execution and management of cooperation; performing credit ratings, as well as carrying out statistics, and analyses). |
Performance of the contract (Article 6(1)(b) of the GDPR) – in the case of suppliers who are natural persons. Legitimate interest to execute and perform the contract entered into with the supplier, to establish, defend or assert claims (Article 6(1)(f) of the GDPR) |
Until the stated purpose is fulfilled, but no longer than 12 years from the last purchase of products or services. |
|
To source and locate suppliers. Entering into and implementing the provisions of executed contracts. |
Legitimate interest in fulfilling business needs and conducting regular business activities (Article 6 (1) (f) of the GDPR). | |||
|
Visitors to physical locations |
Name, company name, registration number, if applicable, date and time of visit, ID number, results of breathalyser test. |
Ensuring the security of our physical locations, protecting confidential information and preventing and solving crimes at our physical locations. |
Legitimate interest in ensuring safety on premises and protecting employees, visitors, information and property (Article 6 (1) (f) of the GDPR).
|
Up to 2 years from the date of registration; the results of breathalyser tests indicating a state of alcohol consumption or a state of intoxication shall be kept for a period not exceeding one year from the date of their collection.
Up to 90 days from the date of registration or as long as necessary in connection with an ongoing case. |
|
Video surveillance footage including image, date and location of recording, vehicle registration number and model. | ||||
|
Recipients of marketing communications |
First and last name, salutation, job title, place of work, e-mail and/or phone number.
|
Distribution of marketing communications. |
Consent to receive marketing information (Article 6(1)(a) of the GDPR). |
Until the marketing consent has been withdrawn. |
|
Persons using contact forms |
First and last name, e-mail, telephone number, occupation, company, city, country. |
Providing a response. Communicating, at the request of the person who makes contact, the necessary information, including the presentation of an offer. Communication for the purposes of marketing, promotion and sale of the company’s products and services, and to provide support. |
If the enquiry concerns the (potential) conclusion of a contract, the legal basis will be taking the steps necessary to enter into a contract or to perform an existing contract (Article 6(1)(b) of the GDPR). Consent to provide marketing information (Article 6(1)(a) of the GDPR). If the inquiry does not concern a contract or offer, the legal basis will be our legitimate interest in handling the inquiry (Article 6 (1) (f) of the GDPR). |
Until the contact is completed and then for the period necessary for our record-keeping purposes. In the case of data processed based on consent, until the purpose is no longer valid or consent is withdrawn. |
|
Account users |
First and last name, e-mail address, telephone, occupation, company, address. |
Providing the user with our services on websites or apps. |
Performance of a contract for the provision of electronic services (Article 6 (1) (b) of the GDPR). |
Until the account is closed and then for the period necessary for our record-keeping purposes. |
|
Communication of commercial and marketing information. |
Consent of the data subject (Article 6(1)(a) of the GDPR). |
Until the consent is withdrawn. | ||
|
Management of user accounts created; for security, statistical and analytical purposes |
Legitimate interest in conducting statistics and analyses to improve the user experience (Article 6 (1) (f) of the GDPR). |
Until the account is closed and then for the period necessary for our record-keeping purposes. | ||
|
Visitors of social media profiles |
Information publicly available on a user’s profile, including name, gender, marital status, place of work, interests, image and city; whether the user has “liked” or used other reactions on our profile; comments left on our posts; content shared with the company with the intention of interacting; the fact that the user has visited our profile; IP address. |
To improve our products and services, including our social media profiles and pages; * platform providers may process users’ personal data for their own purposes – please keep in mind this is outside of our control |
Legitimate interest to be able to communicate with users and address marketing communications to users on our social media profiles, as well as our legitimate interest to improve our products and services (Article 6(1)(f) of the GDPR). |
Retention periods are set out by social media platform providers and can be found in their privacy policies: Meta (Instagram, Facebook): https://www.facebook.com/privacy/policy/?entry_point=facebook_help_center_ig_data_policy_redirect&locale=pl_PL Google (YouTube): https://policies.google.com/privacy?hl=pl X (formerly Twitter): https://twitter.com/pl/privacy |
|
Description |
When? |
Categories of personal data |
Purposes of processing |
Legal basis |
Retention periods |
|
Cookies, tracking pixels, social media tools and other technologies used by our websites and apps |
When users visit our websites or apps and have consented to the use of cookies or similar technologies. |
IP-address, MAC address, type of browser and devices, a webpage that led the users to the website or app, search terms entered in a search engine which led the user to our website, browsing history, click-behaviour and use and navigation of websites and apps* * the categories depend on the consent given in the cookie banner. This can be changed at any time here |
To run marketing activities, especially to facilitate the use of the websites and apps; for service development, statistics, and analysis; to deliver personalised content and search |
Legitimate interests in providing a website and app that works, marketing, developing, and providing statistics, evaluating, promoting and selling our products and services through first-party cookies, (Article 6 (1) (f) of the GDPR). Consent for the processing of personal data in relation to marketing cookies and third-party statistical cookies (Article 6 (1) (a) of the GDPR). In addition, we always obtain a valid cookie consent with the exemption of strictly necessary cookies and other technologies. |
Personal data obtained through cookies, pixels, similar technologies, and social media tools are deleted as described in the cookie declaration. |
|
Custom / lookalike audiences on Facebook or platform X |
When the user registers to receive our marketing information and accepts our cookies, pixels or similar technologies, in some cases we will send Facebook (Meta) or X (Twitter) irreversibly encrypted information. |
E-mail address and in some cases, information about the user’s interest in one or more of our products. |
To create audiences for subsequent advertising via Facebook or X. |
Legitimate interest in spreading awareness of our products and services, including to other persons who may have similar interests in our products and services (Article 6 (1) (f) of the GDPR), based on the consent given (Article 6(1)(a) of the GDPR). | |
|
Tracking e-mails |
Emails we send for marketing purposes based on consent given or in connection with events to which users have signed up may contain tracking technologies that tell us whether the recipient has received or opened the email or clicked on a link in the email. |
Tracking information about the user’s interaction with our emails. |
To deliver personalised content, analysis, and statistics. |
Consent to this action (Article 6(1)(a) of the GDPR). |
If users have consented to marketing communications: until such consent is withdrawn.
|
Your personal data may be transferred between ROCKWOOL Group companies for the purposes for which they were collected, provided that such transfer is not prohibited or restricted by law. The transfer of personal data between ROCKWOOL Group companies (both in Poland and abroad) is carried out on the basis of Binding Corporate Rules (BCRs), approved by the Danish data protection supervisory authority.
The ROCKWOOL Group structure is presented at ROCKWOOL Group Companies .
Your personal data may be entrusted to service providers necessary for the fulfilment of our processing purposes indicated above, that is, among others, to:
In certain circumstances and under the law, it may be necessary to transfer your personal data also to the following categories of data controllers:
|
Controller category |
Type of personal data |
Legal basis |
|
Public authorities, law enforcement authorities, courts, lawyers, and external auditors |
Information required by law or relating to the establishment, protection or enforcement of claims. |
Our obligation under the law (Article 6(1)(c) of the GDPR) or our legitimate interests (Article 6(1)(f) of the GDPR). |
|
Payment processing companies |
Payment information. |
Performance of the contract (Article 6(1)(b) of the GDPR), obligations under the law (Article 6(1)(c) of the GDPR). |
Where consent has been given to the use of cookies or similar technologies for marketing purposes, data may also be shared with other parties, in accordance with our Cookie Policy.
If we transfer your personal data to recipients (both controllers and processors) whose registered offices are located in a third country for which the European Commission has not adopted an adequacy decision, such transfer shall be made on the basis of the EU-US Privacy Framework (for US-based companies) or the Standard Contractual Clauses approved by the European Commission (for other countries), a copy of which can be obtained by contacting us in the manner set out above (section B). ROCKWOOL commits to have in place the appropriate security measures to safeguard your personal data and our website has security measures in place to protect against the loss, misuse and/or alteration of the personal data under our control.
Cooperation with social media platform providers
Facebook, Instagram and LinkedIn
In the case of Facebook and Instagram (owned by Meta Platforms Ireland Ltd.), ROCKWOOL, together with the social media providers, are joint data controllers for the processing of personal data collected in connection with your interactions with the profiles, including posts made as part of your interactions with our profile pages. When Meta processes your personal data to create target groups (lookalike and custom audiences), it acts as a data processor on our behalf.
In the case of LinkedIn, we and the platform provider are joint controllers of the data processed for statistical purposes.
We have entered into agreements with the providers of the LinkedIn, Instagram and Facebook platforms regarding the sharing of data protection tasks. According to these agreements, the entities (such as ROCKWOOL) and the social media providers are each responsible for the tasks associated with the processing undertaken. Information on the division of responsibilities can be found here:
YouTube
ROCKWOOL also uses Google tools in relation to the use of YouTube. Accordingly, we share certain information about your interactions, interests, etc. with Google in order to optimise our marketing and services, including our YouTube videos.
Twitter / platform X
When uploading custom audiences to platform X (Twitter), the platform provider (X/Twitter) will act as a data processor for ROCKWOOL.
Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2
00-193 Warszawa
Polska
kancelaria@uodo.gov.pl, infolinia: 606-950-000
Due to technical developments, the emergence of new data processing activities and/or changes in legal requirements, we reserve the right to amend the Privacy Statement. Insofar as changes to the Privacy Statement are deemed to be material and significant, you will be informed of them on our website. An up-to-date version of this Privacy Statement will always be available at https://cee.rockfon.international/legal-information/privacy-statement/ .
We provide customers with a complete acoustic ceiling system offering, combining sound absorbing ceiling tiles and wall panels with suspension grid systems and accessories.