GDPR

Personal Data Protection Policy (GDPR)

Website www.cannamed-pharma.pl operated by CANNA MED PHARMA SP. Z O.O. with its registered office in Warsaw, al. Solidarności 155/4, 00-877 Warsaw, KRS: 0001104367, NIP: 5273111445, REGON: 528551949

  1. Personal data controller. The controller of your personal data within the meaning of Article 4(7) of the GDPR is: CANNA MED PHARMA SP. Z O.O. Address: al. Solidarności 155/4, 00-877 Warsaw E-mail: rodo@cannamed-pharma.pl Tel.: +48 XXX XXX XXX
  2. Purposes and legal basis for data processing. We process your personal data only to the extent permitted by law, for the following purposes:

Purpose of processing

Legal basis

Legitimate interest

Handling inquiries via contact form or email

Article 6(1)(f) of the GDPR

Providing an answer to an inquiry

Fulfillment of orders or provision of services

Article 6(1)(b) of the GDPR

Execution of the contract

Marketing your own products and services (e.g. newsletter)

Article 6 paragraph 1 letter a or f of the GDPR

Promoting business activity

Conducting statistical analyses

Article 6(1)(f) of the GDPR

Improving the functioning of the website

Fulfillment of legal obligations (e.g. accounting, taxes)

Article 6(1)(c) of the GDPR

Compliance with legal regulations

Establishing, pursuing or defending claims

Article 6(1)(f) of the GDPR

Protection of administrator rights

  1. Data recipients. Your personal data may be disclosed to the following categories of entities:
  • entities providing IT, hosting, and analytical services (e.g., Google, OVH, Microsoft),
  • companies providing legal, accounting, and consulting services,
  • payment and payment system operators (e.g., Przelewy24, PayPal),
  • couriers and postal operators (in the case of product shipments),
  • public authorities to the extent required by law.

We have signed personal data processing agreements with all data processors in accordance with Article 28 of the GDPR.

  1. Data transfers to third countries. Your data may be transferred outside the European Economic Area (EEA) only when necessary and with appropriate safeguards, such as:
  • European Commission adequacy decisions,
  • standard contractual clauses adopted by the European Commission,
  • Binding Corporate Rules.

We currently use service providers who may process data outside the EEA (e.g., Google, Meta). In such cases, we ensure compliance with Articles 44–49 of the GDPR.

  1. Data retention period. Your personal data will be stored:
  • for the duration of the contract and for the time necessary to pursue claims,
  • for the period required by law (e.g., 5 years for accounting documents),
  • until consent is withdrawn (if processing is based on consent),
  • until an effective objection to processing is raised (if the basis is a legitimate interest).
  1. Your rights. Under the GDPR, you have the following rights:
  • The right to access your personal data (Article 15 of the GDPR),
  • The right to rectification (Article 16 of the GDPR),
  • The right to erasure (“the right to be forgotten”, Article 17 of the GDPR),
  • The right to restriction of processing (Article 18 of the GDPR),
  • The right to data portability (Article 20 of the GDPR),
  • The right to object to data processing (Article 21 of the GDPR),
  • The right to withdraw consent at any time (Article 7(3) of the GDPR),
  • The right to lodge a complaint with the President of the Personal Data Protection Office (PUODO).
  1. Obligation to provide data. Providing personal data may be:
  • voluntary, e.g., when subscribing to a newsletter or contacting us,
  • necessary, e.g., for the conclusion and performance of a contract – failure to provide this data will prevent the conclusion of the contract.
  1. Automated decision-making and profiling. Your data is not used for automated decision-making, including profiling, that produces legal effects or significantly impacts you in a similar way. However, we may use analytical tools (e.g., Google Analytics) to analyze website traffic and optimize content—this is called statistical profiling, which does not affect your rights or freedoms.
  2. Cookies and other technologies. More information about cookies can be found in the Cookie Policy, which forms an integral part of this document.
  3. Changes to the GDPR Policy

The Administrator reserves the right to make changes to this policy. Changes will be published on the website along with an appropriate notice.

  1. Contact regarding GDPR matters

If you have any questions, requests, or complaints regarding personal data protection, please contact us at:
rodo@cannamed-pharma.pl
or by mail to the Company’s registered office address.

Download the Statement on the Right to Be Forgotten