sales representatives
service technicians
delivery drivers
vehicle rental companies
distributors
construction machinery
forklifts
waste containers
agricultural machinery
trailers
refrigerated vehicles
municipal vehicles
trucks
buses
boats
people and objects
theft protection
mobile objectsPrivacy policy
Privacy policy
This privacy policy sets out the rules for the processing of personal data by the controller of the datasystem.pl website, including the online shop, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR (Regulation (EU) 2016/679)).
1. Data controller
The controller of personal data is:
Data System spółka z ograniczoną odpowiedzialnością (sp. z o.o.)
ul. abpa Antoniego Baraniaka 88B, budynek C, IV piętro
61-131 Poznań, Polska
NIP: 7792361331
REGON: 301171094
KRS: 0001005427 — Sąd Rejonowy Poznań – Nowe Miasto i Wilda w Poznaniu, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego (District Court for Poznań – Nowe Miasto i Wilda in Poznań, 8th Commercial Division of the National Court Register)
Share capital: PLN 1,000,000.00
E-mail: biuro@datasystem.pl
Telephone: +48 61 626 3000
Website: datasystem.pl
2. Data Protection Officer (DPO)
The controller has appointed a Data Protection Officer. For all matters relating to the processing of personal data and the exercise of rights connected with such processing, you may contact the Data Protection Officer by e-mail at: biuro@datasystem.pl. The role of Data Protection Officer is fulfilled by Hanna Tohmann.
3. Purposes and legal bases for processing
The controller processes personal data for the following purposes and on the following legal bases:
3.1. Conclusion and performance of a contract of sale or service agreement
Legal basis: Article 6(1)(b) GDPR (processing necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract).
Data are processed for the purposes of: registering a customer account, placing and fulfilling orders, processing payments, delivering goods, providing after-sales support, and enabling use of account features.
3.2. Issuing accounting documents and meeting tax obligations
Legal basis: Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation) in conjunction with the provisions of the Polish Accounting Act, the Act on Value Added Tax, and the Tax Ordinance.
Invoicing data (including VAT identification number and company details for B2B orders) are processed for the purpose of issuing VAT invoices and maintaining the required accounting records.
3.3. Handling enquiries, correspondence, and quotation requests
Legal basis: Article 6(1)(b) GDPR (steps prior to entering into a contract) or Article 6(1)(f) GDPR (the controller's legitimate interest in responding to enquiries directed to it).
Data submitted via the contact form or quotation form are processed for the purpose of handling correspondence and preparing a commercial offer.
3.4. Newsletter and marketing communications
Legal basis: Article 6(1)(a) GDPR (consent of the data subject).
Data (e-mail address) are processed solely after you have given your express consent, for the purpose of sending commercial and marketing information about Data System products and services. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to its withdrawal.
3.5. Product alerts (availability notifications)
Legal basis: Article 6(1)(a) GDPR (consent of the data subject).
The e-mail address provided in order to receive a product availability notification is processed solely on the basis of consent and solely for that purpose.
3.6. Analytics and cookie-based marketing
Legal basis: Article 6(1)(a) GDPR (consent of the data subject).
Once you have given your consent via the consent management panel (cookie banner), cookie identifiers, IP address, and on-site behavioural data are processed for analytical purposes (Google Analytics 4) and for marketing/remarketing purposes (Meta/Facebook Pixel). Further details about cookies are set out in the Cookie policy.
3.7. Service security and abuse prevention
Legal basis: Article 6(1)(f) GDPR (the controller's legitimate interest in ensuring the security of its services and infrastructure).
To protect forms against bots and abuse, the controller uses Google reCAPTCHA v3, which processes the user's IP address and browser data. The use of reCAPTCHA is necessary for the correct operation of forms and does not require separate consent.
3.8. Establishment, pursuit, and defence of legal claims
Legal basis: Article 6(1)(f) GDPR (the controller's legitimate interest).
Data may be processed for the period necessary to establish, pursue, or defend legal claims arising from contracts concluded or business activities carried out, in accordance with applicable law.
4. Categories of personal data processed
Depending on the purpose of processing, the controller processes the following categories of data:
- Identification data: first name, surname, optionally date of birth and gender (customer account).
- Contact data: e-mail address, telephone number.
- Address data: residential/registered address, delivery address, invoicing address.
- Company data (B2B): company name, VAT identification number (NIP).
- Transaction data: order history, products ordered, amounts, payment methods.
- Technical data: IP address, session identifiers, cookie identifiers, browser data (for security purposes and — subject to consent — for analytics/marketing).
- Form data: content of enquiry, information about the vehicle fleet and number of vehicles (quotation form).
5. Recipients and processors of personal data
Personal data may be transferred to the following categories of recipients:
- Amazon Web Services (AWS) — EMEA SARL: provider of cloud infrastructure (shop hosting, databases). Data are processed in the eu-central-1 (Frankfurt, Germany, EU) region under a data processing agreement.
- emaillabs: provider of e-mail delivery services (transactional e-mails: order confirmations, password resets). An entity operating within the EU/EEA.
- Paynow (mBank S.A. / Blue Media S.A.): online payment operator. Data necessary to carry out a transaction are transferred to the payment operator to the extent required to perform the payment service.
- Baselinker sp. z o.o.: an e-commerce integration platform used to synchronise orders and the product catalogue. Order data are transferred under a data processing agreement.
- Google Ireland Limited: provider of the reCAPTCHA v3 service (form protection) and — subject to consent — Google Analytics 4 and Google Tag Manager.
- Meta Platforms Ireland Limited: provider of the Meta/Facebook Pixel service — solely following your consent to marketing cookies.
- Public authorities and authorised bodies: data may be disclosed to public authorities (e.g. tax authorities, law enforcement agencies) solely on the basis of applicable law and to the extent prescribed therein.
6. Transfers of data to third countries
Personal data are, as a rule, processed within the European Economic Area (EEA). Due to the use of Google services (reCAPTCHA, Google Analytics 4, Google Tag Manager) and Meta Platforms (Facebook Pixel), data may be transferred to the United States of America.
Transfers to the USA take place on the basis of: European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU–U.S. Data Privacy Framework (DPF) — Google LLC and Meta Platforms, Inc. appear on the list of DPF-certified entities. To the extent not covered by the DPF decision, transfers are additionally safeguarded by Standard Contractual Clauses (SCC) approved by the European Commission.
Further information about how Google processes data: policies.google.com/privacy. Further information about how Meta processes data: facebook.com/privacy/policy.
7. Data retention periods
| Purpose of processing | Retention period |
|---|---|
| Customer account data (active account) | Until the account is deleted by the user or by the controller, but for no less than the period necessary to fulfil the last order; data linked to orders and settlements are retained for 5 years (see below) |
| Order and transaction data (including B2B data) | 5 years from the end of the calendar year in which the order was fulfilled (Article 74 of the Polish Accounting Act) |
| Accounting and tax documents (invoices) | 5 years, counted from the end of the calendar year in which the tax payment deadline expired (Polish Tax Ordinance and Accounting Act) |
| Correspondence from the contact form / quotation form | Up to 5 years from the end of the correspondence or from the date a contract is concluded, if applicable |
| Newsletter (subscriber data) | Until consent is withdrawn or a deletion request is made |
| Product alerts | Until the notification is sent or consent is withdrawn |
| Analytics and marketing data (cookies) | In accordance with cookie lifetimes — see the Cookie policy |
| Data for the purposes of establishing/defending legal claims | Up to 5 years from the date a claim falls due, taking into account statutory limitation periods (3 or 6 years under the Polish Civil Code) |
8. Rights of data subjects
You have the following rights in connection with the processing of your personal data:
- Right of access (Article 15 GDPR) — the right to obtain information about the data being processed and to receive a copy of those data.
- Right to rectification (Article 16 GDPR) — the right to request the correction or completion of inaccurate or incomplete data.
- Right to erasure (Article 17 GDPR) — the right to request the deletion of data ('right to be forgotten') where the data are no longer necessary for the purposes for which they were collected, or where you have withdrawn the consent that was the sole legal basis for processing.
- Right to restriction of processing (Article 18 GDPR) — the right to request that processing be restricted in the cases specified by the GDPR.
- Right to data portability (Article 20 GDPR) — the right to receive data in a structured, commonly used, machine-readable format and to transmit those data to another controller — applicable to data processed on the basis of consent or a contract by automated means.
- Right to object (Article 21 GDPR) — the right to object to the processing of data on the basis of the controller's legitimate interests, including for direct marketing purposes.
- Right to withdraw consent — at any time, without affecting the lawfulness of processing that took place prior to withdrawal. Consent to the newsletter may be withdrawn via the unsubscribe link included in every e-mail, or by contacting the controller. Consent to cookies may be withdrawn or amended via the consent management panel available on the website.
- Right to lodge a complaint with a supervisory authority — if you consider that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) (address: ul. Stawki 2, 00-193 Warszawa; website: uodo.gov.pl).
To exercise your rights, please contact the controller by e-mail at: biuro@datasystem.pl or in writing to the registered address.
9. Voluntary nature of providing data
Providing personal data is:
- voluntary but necessary to create an account, place an order, or use the contact or quotation form — failure to provide the data makes it impossible to use the given service;
- voluntary and optional in the case of newsletter sign-up, product alerts, and consent to analytical and marketing cookies — failure to provide data or withholding consent does not affect the ability to use the shop.
10. Automated decision-making and profiling
Personal data may be processed by automated means for the purposes of analysing on-site behaviour and personalising advertising content (marketing profiling carried out via Google Analytics 4 and Meta/Facebook Pixel — solely following consent). This profiling does not produce any legal effects concerning you nor does it affect you in a similarly significant way. The controller does not make decisions based solely on automated processing of data that would produce legal effects or similarly significantly affect you (Article 22 GDPR).
11. Cookies
The datasystem.pl website uses cookies. Detailed information about the cookies used, their categories, purposes, lifetimes, and how to manage consent is set out in the Cookie policy.
12. Links to related documents
13. Changes to the privacy policy
The controller reserves the right to make changes to this privacy policy. Users with an account will be notified of any material changes by e-mail or via a notice on the website. The current version of the policy is always available at datasystem.pl/polityka-prywatnosci.
Effective date: 10 October 2025