ATEPAA Sp. z o.o. with registered office in Bielsko-Biała

1.Introduction

Personal dataprotection is treated as one of the most important aspects within ATEPAA Sp. z o.o. activity (hereinafter referred to as: „ATEPAA”). As a business owner, particularly responsible for the sales of furnishing equipment and fitness equipment and at the same timeas a Data Controller, we feel responsible for the safety of the personal data. Our aim is to inform you properly about issues related to personal data processing, in particular, in view of the content of the new data protection regulations, including the Regulation of the European Parliament and of the Council Regulation (EU) 2016/679 of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free data movement and repeal of the Directive 95/46/EC (hereinafter referred to as: “GDPR”). Hence, in this document we inform you about legal basis for personal data processing, methods of collection and use, as well as the rights of the Data Subjects related to the processing. ATEPAA , as a reliable business owner, also implements the requirements set forth in the Telecommunications Law Act, i.e. of 15 September 2017 in connection with the use of cookies. ATEPAA, as the owner of the website https://www.atepaa.com/, is obliged to inform the users about the a fore-mentioned files, which the Internet service places in the user’s computer and for what purpose it does so.

2.Personal data

2.1.What are personal data and what does the processing mean?

Personal data means information about identified or identifiable natural person. Identifiable natural person is a person who may be directly or indirectly identified, in particular, on the basis of the ID information such as: first name and surname, ID number, location data, on-line ID or one, or several specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Personal data processing is, in principle, any act on personal data, whether or not it is carried out automatically, e.g. collection, storage, retention, organization, modification, viewing, use, sharing, limiting, erasure or destruction. ATEPAA processes personal data for different purposes but depending on the purpose, various ways of collection, legal basis for processing, use, disclosure and retention periods may apply.

2.2.When does this Privacy Policy apply?

This Privacy Policy applies to all cases in which ATEPAA is a Data Controller and processes personal data. This applies to both cases in which LYXGARAGE processes personal data collected directly from the Data Subject, as well as cases where we have collected personal data from other sources. ATEPAA fulfils its information duties in both cases above-mentioned, i.e. in accordance with articles 13 and 14 of the GDPR. The Data Controller means a natural or legal person, public authority, entity or other entity which individually or jointly with others determines the purposes and ways of processing personal data, and in this case, the Data Controller is ATEPAA, in accordance with the following information:
ATEPAA sp. z o.o. with its registered office in Bielsko-Biała (43-300), Podwale 45 street, registry files kept in District Court in Bielsko-Biała, VIII Commercial Division of National Registry Court, KRS number: 0000636102, NIP (Tax ID): 5472165082, share capital 7.505.000,00 zł. ATEPAA has designated within its structures a contact person for issues related to personal data available under e-mail: [email protected] In case of any questions or doubts related to the processing of personal data by ATEPAA, please contact us at the above-mentioned e-mail address.

2.3.In what way, on the basis of which legal basis and what types of personal data are processed by ATEPAA?

We would like to be transparent about the ways and legal basis of processing personal data as well as the purposes for which ATEPAA processes personal data. We make all effort to indicate the necessary information in this respect to each person whose personal data are processed by ATEPAA as a Data Controller. In order to make our explanation of these issues as clear as possible, we present the following list of personal data processing operations in connection with the operated website.At the same time, we would like to point out that whenever we process personal data on the basis of the legitimate interest of the Data Controller (article 6 item 1 letter f of the GDPR), we try to analyse and balance our interest and the potential impact on the Data Subject (positive and negative) as well as the rights of the Data Subject under the provisions on personal data protection. We do not process personal data on the basis of our legitimate interest if we conclude that the impact on the Data Subject would outweigh our interests (in this case we may process personal data if we have appropriate consent or it is required or permitted by law).

A.Personal data processing of the visitors of the website operated by ATEPAA

In connection with your use of our website, we process the personal data sent by your browser to our server. The processing of this personal data is necessary for the proper functioning of our website and to ensure the stability and safety of the user. The processing is carried out on the basis of article 6 item 1 letter f of the GDPR. The data processed should include: IP address, date and time of session start, time zone information, source page information, access status/http access code, page address, browser type, operating system and its interface, software language and version of the browser.

The information concerning cookies may be found in point 3 of this Privacy Policy.

B.Personal data processing within the contact form

In the ‘contact’ tab on our website you will find a contact form that allows you to submit a query with respect to the business activity conducted by LYXGARAGE.


The contact form collects from the user the following data: first name, e-mail address and query content. Optionally, within the content of the query, the user can make available to LYXGARAGE other personal data which are provided voluntarily and in accordance with the will expressed by the user. The data such as first name, e-mail address is necessary in order for the user to make them available because by providing them we will be able to accomplish the intended goal, i.e. provide an answer to the question asked by the user.


The contact form meets the requirements of article 5 item 1 letter c of the GDPR,i.e. the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’).Personal data are processed on the basis of the user’s consent using the contact form, i.e. on the basis of article 6 item 1 letter f of the GDPR. The consent is given on a voluntary basis and by way of your actions agrees to process his personal data.It is also crucial that the user independently decides which data he/she provides within the framework of the contact form with the exception of the necessary minimum information such as first nameand e-mail address. The full scope of rights and obligations of the user in relation to the processing of personal data (in accordance with article 13 of the GDPR) has been included in the information clause in point 2.6. Privacy Policy.

C.Personal data processing within the Google Analytics

Our website uses Google Analytics, a web analytic service provided by Google Inc (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies stored on the user’s computer which enable the analysis of the use of the website. The information generated by the cookies about the use of our website is usually transferred to a Google server in the USA and stored there. Google will use this information on behalf of the operator of this website for the purpose of evaluating the use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage. In exceptional cases where personal data are transferred to USA, Google provided the EU-USA Privacy Shield.IP address sent by Google Analytics will not be linked with other data by Google.You can prevent the storage of cookies by setting your browser software. However, it needs to be remembered that if you do this, you may not be able to use all the functions of the website. You may also prevent Google from collecting the data generated by the cookies and related to your use of the website (including your IP address), as well as the processing of this data by Google using the appropriate browser plug-in.We use Google Analytics to analyse and improve the use of our website. Thanks to the statistics, we may improve our offer and make it more interesting for you as a user. This website also uses Google Analytics to analyse the number of visits on various devices by means of a user’s ID. The legal basis for the processing of personal data is article 6 item 1 letter f of the GDPR.The full scope of the rights and obligations of the user in relation to the processing of personal data (in accordance with article 13 of the GDPR) has been included in the information clause in point 2.6. Privacy Policy.

D.Social Media

On our website you will find links to social networking sites, where information about us and our activities is posted. Data controller within social networkingsites is LYXGARAGE as well as owner of social networkingsite.

E.Uploading YouTube videos on the website

On our website you may find the videos which are stored within the www.youtube.com and they can be directly played on the website. All videos are included in extended privacy mode, which means that you do not transfer data about yourself as a YouTube user if you do not play videos. Only when you are playing videos, the data referred to in point A will be transmitted. We have no influence on the afore-mentioned data transfer.YouTube receives information about the website used. It happens whether YouTube provides a user account to which you are logged in or whether you do not have a user account. If you log in to Google account, your data will be assigned directly to your account. If you do not want to link your profile with YouTube, you must log out of your Google account before activating the video play button. YouTube stores your data as user profiles and uses it for advertising, market research or website design purposes. This assessment is used, in particular, to ensure that we provide appropriate advertising and inform other social network users about the activities on our website. You have the right to object to the creation of these user profiles by YouTube, by requiring an automatic redirection to the YouTube website to use it.For further information on the scope and purpose of data collection and processing by YouTube may be found in its Privacy Policy.

F.Website integration with Google Maps

As part of our website, we also use Google Maps. That is why, we provide the possibility of displaying the interactive map directly on the website and the convenience of using the map’s functions.In relation to the use of Google Maps, the provisions of section C apply.

2.4.How long do we process personal data?

The length of time we may process personal data depends on the legal basis on which the processing of personal data is legally required by ATEPAA. In the applicable ATEPAA’s policies we determine that we must never process personal data for a period longer than is required by the above-mentioned legal basis. Accordingly, we inform you that:

a)In the case if ATEPAA processes personal data on the basis of the consent, the processing period lasts until the intended purpose is achieved or the fixed archiving period expires, or consent withdrawal, in any case contactform -for the period of the parties’ correspondence on the question asked.

b)In case if ATEPAA processes personal data on the basis of agreement performance purpose or to perform actions before agreement performance (order performance), for time of order realization and after its cessation for period of claims prescription and accounting documentation archiving, according to binding legal provisions.

c)in case if ATEPAA processes personal data on the basis of justified interest of the Data Controller, the processing period lasts until the above-mentioned interest ceases (e.g. period of prescription of civil law claims) or until the Data Subject objects to such processing -in situations where such objection is legally possible.

d)In the event that LYXGARAGE processes personal data because it is necessary due to the applicable legal regulations, the periods of data processing for this purpose are determined by these regulations.

2.5.When and how do we transfer personal data with third parties? Do we transfer personal data to third countries?

We only transfer personal data to others if we are permitted to do so by law. In such a case, we provide for data protection provisions and security features in the relevant agreement with a third party in order to protect your personal data and to maintain our standards in the scope of data protection, confidentiality and security.

If we transfer personal data, of which we are the administrator, to other entities for the performance of certain activities on our behalf, we conclude a special agreement with such an entity. Such agreements are called personal data processing agreements (article28 of GDPR), thanks to it, ATEPAA has control over how and to what extent the entity, to which ATEPAA entrusted the processing of certain categories of personal data, processes them. Personal data processing agreements include obligations that the personal data processing entity:

-processes personal data exclusively on the Data Controller’s documented instructions -including the transfer of personal data to a third country or an international organisation -unless such an obligation is imposed on the Data Controller by the Union law or by the law of the Member State of the processing entity, in such a case the processing entity shall inform the Data Controller of this legal obligation prior to the start of the processing, provided that this right does not prohibit the provision ofsuch information on the grounds of important public interest;

-ensures that persons authorised to process personal data have undertaken to keep confidentiality or are subject to an appropriate statutory confidentiality obligation;

-takes all measuresrequired under article 32 of the GDPR;

-considering the nature of the processing, it shall, as far as possible, assist the Data Controller, through appropriate technical and organisational measures, to comply with the Data Subject’s requests for the exercise of its rights set out in Chapter III of the GDPR;

-considering the nature of the processing and the information available to this entity, it shall assist the Data Controller in fulfilling the obligations set out in Articles 32 to 36 of the GDPR;

-upon termination of the provision of processing services, depending on the decision of the Data Controller, the processing entity erasures or returns any personal data and deletes any existing copies, unless the Union law or the law of a Member State requires the storage of personal data;

-makes available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in article 28 of the GDPR and allows the Data Controller or auditor authorised by the Data Controller to carry out audits, including inspections and contributes to them.

In relation to personal data collected by ATEPAA within the operated website https://www.atepaa.com/, no provision is made for personal data to be made available to third parties, with the exception of possible access:
-IT company operating the website on behalf of ATEPAA;
-entities providing hosting services for ATEPAA;
-entities carrying out marketing or sales campaigns for ATEPAA;
-other ATEPAA’s subcontractors providing services in the field of software, software maintenance services including website.

Additionally, certain personal data may be transferred to other companies in the ATEPAA corporate group, which constitutes a legitimate interest of the Data Controller (article 6 item 1 letter f of the GDPR). In the case of personal data transferred outside the territory of the Republic of Poland, it should be noted that: cross-border transfers may concern the countries which do not belong to the European Economic Area (‘EEA’) and countries in which there are no regulations specifying special protection of personal data. We have taken steps to ensure adequate protection of all personal data and the lawfulness of the transfer of personal data also outside the EEA. In the case of transfer of personal data outside the EEA to the country, which according to the European Commission does not ensure a proper level of protection of personal data, the transfer takes place exclusively on the basis of an agreement considering the EU requirements in the scope of the transfer of personal data outside the EEA.

2.6.What are the rights of Data Subjects and how to exercise them? [information clause]

Natural persons have certain rights concerning their personal data and ATEPAA, as the Data Controller, is responsible for the exercise of these rights in accordance with applicable laws. If you have any questions or requests concerning the scope and exercise of your rights, as well as to contact us in order to exercise your specific data protection rights, please contact us at the following e-mail address:

[email protected]

We reserve the right to exercise the following rights after positive verification of the identity of the person applying for a given action.

A.Access to personal data

Natural persons have the right to access the data that we store as a Data Controller. This right mat be exercised by sending e-mail to the address: [email protected]

B.Modification, rectification or erasure of personal data

Modifications, including updating, rectification or erasure of personal data which are processed by ATEPAA may be carried out by sending e-mail to the address: [email protected] right to erasure data may be exercised e.g. when personal data of a natural personwill no longer be necessary for the purposes for which they were collected by ATEPAA or a natural person withholds its consent for data processing by ATEPAA. Additionally, if a natural person objects to the processing of his or her data or if his or her data will be processed unlawfully. The erasure of such data should be carried out in order to comply with a legal obligation.

C.Withdrawal of the consent

In the event of personal data processing on the basis of a consent, natural persons have the right to withdraw this consent at any time. We inform about this right at any time during the collection of consents and allow you to withdraw your consent as easily as it was given. If there is no different information, i.e. if we have not provided a different address or contact number for withdrawal of the consent, please send us an e-mail at the following address: [email protected]

D.Right to the restriction of processing or object to the processing of personal data

Natural persons have the right to restrict or object to the processing of their personal data at any time, on the basis of their particular situation, unless processing is required by law.


Natural person may object to the processing of personal data, if:
-the processing of personal data is based on the legitimate interest of the Data Controller or for statistical purposes and the objection is justified by the particular situation in which it finds itself;
-personal data are processed for the purposes of direct marketing of the Data Controller, including profiled for this purpose.
In relation to the request to restrict the processing of personal data, we inform you that it is possible when:
-the Data Subject argues against the correctness of the personal data – for a period allowing the Data Controller to check the correctness of the data;
-the processing is unlawful and the Data Subject objects to the erasure of personal data and instead demands the restriction on their use;
-the Data Controller no longer needs personal data for the purposes of the processing, but they are needed by the Data Subject for the determination, assertion or defence of claims;
-the Data Subject has objected under article 21item 1of GDPR to the processing of personal data by the Data Controller, -until it isdetermined whether the Data Controller’s legitimate grounds are superior over the Data Subject’s grounds for objection.

E. Right to data transfer

The Data Subject has the right to receive, in a structured, machine-readable format in common use, personal data relating to him/her that has been supplied to the Data Controller and has the right to forward those personal data to another Data Controller without hindrance of the Data Controller to whom the personal data have been supplied, if any:

-the processing is carried out on the basis of the consent in accordance with article 6 item 1 letter aof GDPRor article 9 item 2 letter aof GDPR; or

-under the agreement within the meaning of article 6 item 1 letter b of GDPR; and

-the processing takes place in an automated manner

In exercising the right of personal data transfer, the user has the right to demand that it is sent by the Data Controller directly to another Data Controller, as far as it is technically possible.

The right of data transfer shall not adversely affect the rights and freedoms of others.

If you wish to exercise these rights, please send an e-mail to the following address: [email protected]

F.Further questions, concerns and complaints

If you have any questions, objections or concerns about the content of this Privacy Policy or the way in which we process personal data, as well as complaints concerning these issues, please send us an email with details to the following e-mail address: [email protected]

All complaints we receive will be considered and answered.

Persons whose personal data are being processed by ATEPAA have the right to lodge a complaint to the supervisory authority, which is the President of the Office for Personal Data Protection at Stawki 2street, 00-193 Warszawa.

3.Cookies

As it was explained in point 2.3. A we use cookies as part of this website. That is why, we would like to inform you about the most important elements of cookies so that your use of our website is clear and understandable to you.

3.1.What are cookies?

Cookies are small files that are stored on your electronic device by the websites that you visit. Cookies contain different information that is often necessary for the website to function properly. Cookies are encrypted in such a way that unauthorized persons do not have access to them. Information collected on the basis of cookies may be read only by ATEPAA as well as -due to technical reasons -trusted partners whose services we use. What is more important, cookies cannot run programs or transfer viruses to electronic devices.

3.2.Why do we use cookies?

We divide cookies, according to the purpose for which we use them, on:

Basic cookies -installed if the user has given the consent by means of software settings installed on the electronic device. These cookies include technical and analytical cookies.

Technical cookies -are necessary for the website to function properly. We use them in order to:

-ensure that the website is displayed correctly -depending on which device you are using,

-adapt our services to your choices which are relevant to the operation of the website from technical point of view, e.g. language chosen,

-remember whether you give a consent to the display of certain content.

Analytical cookies -are necessary to settle with business partners or to measure the effectiveness of our marketing activities without identifying personal data and to improve the functioning of our website. We may use them to:-examine statistics concerning website traffic and check its sources (redirections), -detect various types of abuse, e.g. artificial Internet traffic (bots).

3.3. How long will we use cookies?

We also divide all cookies according to the time for which they are installed in the user’s browser:

Session cookies -remain on the user’s device until the user leaves the website or turns off the software (browser). They are mostly technical cookies.

Permanent cookies -remain on the user’s device for the time specified in the file parameters or until they are manually deleted by the user.

3.4.Can I refuse to accept cookies?

You can always change your browser settings and rejectrequests for cookies. However, before you decide to change your settings, please note that cookies serve your convenience in using the website. Disabling cookies may have influence on how our website is displayed in your browser. In some cases, the website may not display at all.

3.5.How to disable cookies?

You can delete cookies from your browser at any time and block their reinstallation.

Depending on the browser you use, the option to delete or withdraw your consent to the installation of cookies may vary. In this case, please refer to the user’s manual available from the browser on your electronic device.

4.Final provisions

Are changes to this Privacy Policy possible and when?

We are obliged to review this Privacy Policy on a regular basis and to amendit when it is necessary or desirable to do so: new legislation, new guidelines for data protection authorities, best practices in the area of personal data protection (Codes of good practice, if ATEPAA will be bound by such Codes, of which we will then inform). We also reserve the right to change this Privacy Policy in the event of a change in the technology by which we process personal data (provided that the change affects the wording of this document), as well as in the event of a change in the ways, purposes or legal basis for processing personal data by us.


In order to ensure the best possible contact with us in relation to the protection of personal data, we also enable direct contact at the seat of ATEPAA as well as contact by letter (post) or telephone and for this purpose we provide the following contact details:

ATEPAA Sp. z o.o.
Podwale 45street
43-300Bielsko-Biała, Poland
T:+442081333050
E: [email protected]