Menu mobile

GDPR in Kraków Water

Back to main page

GDPR in Kraków Water Cofnij Rozmiar czcionki Drukuj

GDPR at Kraków Water (WMK S.A)


Kraków Water (WMK S.A) takes many measures to comply with the requirements of GDPR regulations. As a Data Controller, we want to give our customers, trading partners and individuals contacting the Company a feeling that their personal data is stored and processed with full security.

In order to minimize the potential risk of breaching your personal data, we have implemented new procedures and are keeping them up to date to ensure data security. We regularly train our employees in personal data protection.

Due to the change of the Company name, we have updated the information clauses. At the same time, we would like to emphasise that the purpose and scope of personal data processing does not change for  agreements concluded to supply water and/or dispose of sewage.

Your consents to personal data processing by Kraków Water (WMK S.A) given previously do not expire.

Kraków Water has appointed a Data Protection Officer (DPO). The Data Protection Officer name is Ms Magdalena Olender. You can contact the Officer at the following e-mail address: iod@wodociagi.krakow.pl. Only cases relating to the processing of your personal data by Kraków Water (WMK S.A), including requests to exercise your rights under GDPR regulations, should be addressed to the Data Protection Officer. The Data Protection Officer is not responsible for dealing with any other matters, including e.g. adaptation of the data processed by WMK S.A. All other matters should be addressed as specified in the instructions on the website of Kraków Water (WMK S.A).




 Information on personal data processing


What are personal data?

According to current regulations, personal data are any data that allow a natural person to be directly or indirectly identified, in particular by means of identifiers such as their given name, surname, PESEL (national ID) number, e-mail address or mailing address.


Who is the controller of your personal data?

The controller of your personal data is the company named Wodociągi Miasta Krakowa S.A. (hereinafter WMK.S.A. or controller), with its registered address: ul. Senatorska 1, 30-106 Krakow. This means that WMK S.A. is responsible for using this data in a secure manner, in accordance with a contract and the applicable legal regulations.


What categories of personal data are processed and from what source do they come?

WMK S.A. – in connection with the business it conducts, including supplying drinking water, disposing of waste water and maintaining the water supply network − processes your personal data, and in particular such personal data as: your given name and surname, PESEL (national ID) number, residence address, address of water outlet, mailing address, e-mail address, billing information (invoices/bills/bank account numbers), customer number, telephone number, NIP (tax ID) number, REGON (statistical business no.), business name, and other information provided by you in your request or messages addressed to WMK S.A.

We obtain personal data from letters/requests to WMK S.A., as part of agreements concluded with WMK S.A., and in connection with exchanging messages with you. We may also obtain personal information through Internet forms published on WMK S.A. web pages (e.g. the online registration form of the Electronic Customer Service Office). We may receive your personal data directly from you (e.g. when we receive a request/letter from you, when we exchange messages with you or we enter into an agreement with you). In some cases, we may receive your data from another applicant (e.g. from an owner of a building, an investor, persons cooperating with WMK S.A., in particular designers, or those acting on commission of third parties, in particular investors and potential clients).


What is the legal basis for processing your personal data?

The controller processes your personal data contained in a request to:
  • perform a contract you are party to (if you have a contract with WMK S.A.),
  • fulfil legal obligations imposed on the controller, including for archival purposes, and in particular:
    • carry out the tasks defined in the Act of 7 June 2001 on collective water supply and collective sewage disposal,
    • issue and store invoices and other accounting documents,
    • perform obligations under archiving regulations,
    • carry out complaint processing and tax-accounting activities,
  • perform tasks in the public interest, in so far as they result from the law in force,
  • exercise legitimate legal interests of the controller, which include, in particular, the establishment, exercise, enforcement, defence or protection of claims or rights connected with performing a contract, the performance of a contract between the controller and another party,
  • transfer personal data to WMK S.A. subsidiaries and entities exercising corporate governance for internal administrative purposes.
 

Who is the recipient of your personal data?

The following may receive your personal data: WMK S.A. subsidiaries, entities entrusted with the processing of personal data on the basis of a contract, in particular providers of IT services to WMK S.A., postal  operators and courier companies, banks, tax offices, bodies of local government units, public administration authorities, including authorities competent for water management, competent regulators within the meaning of the Act on collective water supply and collective sewage disposal.

Where appropriate, these may include debt collection companies, property owners and joint owners.


How long will we store your data?

WMK S.A. shall store your data for as long as it is performing the contract or as long as necessary to resolve the notified matter and for the period necessary to establish, exercise or defend claims, or to defend the rights of another natural or legal person, or because of a legal obligation to store personal data under the law, or due to important public interest considerations, and after this period, for the time required by the archiving regulations.


What rights do you have with regard to your personal data?

You have the right to request the following from the controller:
  • access to your personal data and to receive them:
    • at the request of the data subject, the controller shall send them a confirmation that the controller is processing their data and a copy of this data;
  • rectification of your personal data:
    • at the request of the data subject, the controller shall rectify their personal data by correcting inaccurate personal data or supplementing incomplete personal data taking into account the purposes of the processing;
    • the controller shall, without undue delay, inform the data subject of steps taken in response to their request;
    • the controller shall refuse to rectify the personal data if the controller is unable to identify the data subject, can demonstrate data accuracy or if the data is excessive for the purpose of the processing;
  • erasure of your personal data (the “right to be forgotten”):
    • upon a request of the data subject, the controller shall without undue delay erase the data relating to that subject if one of the following circumstances applies:
      • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
      • the data subject withdraws the consent the processing was based on and there is no other legal ground for the processing;
      • the data subject objects to the processing based on their right to object to processing and there are no overriding legitimate grounds for the processing;
      • the personal data have been unlawfully processed;
      • the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject;
    • where the request relates to personal data previously made public, then taking into account available technology and the cost of implementation, the controller shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data of the need of erasing any links to, or copy or replication of, those personal data;
    • "the right to be forgotten" shall not apply to the extent that processing is necessary, among others: 
      • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
      • for the establishment, exercise or defence of legal claims;
exceptions from the obligation to implement the „right to be forgotten” are described in Article 17(3) of the GDPR;
  • a restriction of personal data processing:
    • upon request of the data subject, the controller shall restrict the processing of their personal data where:
      • the accuracy of the personal data is contested by the data subject − for a period enabling the controller to verify the accuracy of the personal data;
      • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
      • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
      • the data subject has objected to processing pursuant to Article 21(1) of the GDPR − until the verification whether the legitimate grounds of the controller override the grounds for the objection by the data subject;
    • before lifting a processing restriction, the controller shall inform the person who requested the restriction;
    • the controller shall restrict the processing of personal data by temporarily transferring selected personal data to another processing system, by stopping users from accessing the selected personal data, by temporarily erasing published personal data from the website. In automated data sets, processing shall be restricted by technical means so that personal data are not further processed or altered; the fact that the processing of personal data is restricted shall be clearly indicated in the system;
  • to object to the processing of your personal data:
    • if the data subject has objected, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
  • to transfer your personal data:
    • upon a request of the data subject, the controller shall transfer to him or her or another controller which he or she has appointed the personal data he or she has provided, in a structured, commonly used and machine-readable format, where:
      • the processing is based on consent or on a contract; and
      • the processing is carried out by automated means;
    • this right shall not apply to processing necessary for the performance of a task carried out in the public interest;

You have the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa. Information on how to file a complaint can be found on the website of the Data Protection Office.

 

Additional information

Your data is not subject to automated decision-making. The controller does not transfer nor plan to transfer your personal data to third countries or international organizations. An exception to this rule may occur where a party to a contract changes their place of residence and is located outside the territory of the European Union, while the formalities connected with terminating the contract and making final settlements require the transfer of their data. In this case, personal data may need to be transferred to a country for which the European Commission has not issued a decision establishing an adequate level of protection of personal data or the lack thereof. In such cases, the data shall be transferred in accordance with generally applicable law, ensuring adequate safeguards, on the basis of standard personal data protection clauses adopted by the European Commission. You will be able to obtain a description of these safeguards or the controller will indicate where they are published.
 

 

Our contact details:

Wodociągi Miasta Krakowa S.A.
ul. Senatorska 1, 30-106 Kraków.
Contact details of the Data Protection Officer: e-mail: iod@wodociagi.krakow.pl