COTT Electronics Sp. z o.o. GDPR Compliance Statement
Last Updated: December 21, 2025
Company Information: COTT Electronics Sp. z o.o., KRS: 0001019972, NIP: 5252944045, REGON: 524484765
Introduction
At COTT Electronics Sp. z o.o., we are committed to safeguarding the privacy and security of the personal data we process. In line with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), we have implemented comprehensive measures and procedures that uphold the principles of lawfulness, fairness, and transparency in data processing. This statement outlines our commitment to protecting your data in accordance with the GDPR and Polish data protection laws, including the Act on Personal Data Protection (Ustawa o ochronie danych osobowych).
Data Controller: COTT Electronics Sp. z o.o., Mikołaja Kopernika 30 / 11A, 00-336 Warszawa, Polska, KRS: 0001019972, NIP: 5252944045, REGON: 524484765.
Data Protection Principles
We adhere to the following fundamental principles when processing personal data, as set out in GDPR Article 5:
- Lawfulness, Fairness, and Transparency (Article 5(1)(a)): We process personal data lawfully, fairly, and in a transparent manner in relation to the data subject. We provide clear information about how we use personal data through our Privacy Policy and this statement.
- Purpose Limitation (Article 5(1)(b)): We collect data only for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes. We clearly communicate the purposes for which we collect data.
- Data Minimization (Article 5(1)(c)): We only collect data that is adequate, relevant, and limited to what is necessary for the intended purposes, such as providing our IPTV services, processing payments, and maintaining customer relationships.
- Accuracy (Article 5(1)(d)): We take every reasonable step to ensure that personal data is accurate and, where necessary, kept up to date. We have procedures in place to correct inaccurate data promptly.
- Storage Limitation (Article 5(1)(e)): We retain personal data for no longer than is necessary for the purposes for which it was collected, in compliance with legal obligations such as Polish tax regulations (Ustawa o rachunkowości), which require retention of accounting records for 5 years.
- Integrity and Confidentiality (Article 5(1)(f)): We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, loss, destruction, or damage, using appropriate technical and organizational measures, such as encryption, access controls, and regular security assessments.
- Accountability (Article 5(2)): We are responsible for and able to demonstrate compliance with all the above principles. We maintain documentation of our data processing activities and implement appropriate measures to ensure compliance.
Rights of Data Subjects
We respect and facilitate the exercise of the following rights of data subjects under GDPR Chapter III:
- Right to be Informed (Articles 13-14): We provide clear and transparent information about how we use personal data, as outlined in our Privacy Policy. This includes information about the purposes of processing, legal basis, retention periods, and data subject rights.
- Right of Access (Article 15): Data subjects have the right to access their personal data and obtain information about how it is being processed, including copies of the data and details about processing purposes, categories of data, recipients, and retention periods.
- Right to Rectification (Article 16): Data subjects have the right to request the correction of inaccurate or incomplete personal data without undue delay.
- Right to Erasure / "Right to be Forgotten" (Article 17): Data subjects have the right to request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, consent is withdrawn, or the data has been unlawfully processed.
- Right to Restrict Processing (Article 18): Data subjects have the right to restrict the processing of their personal data in certain cases, such as when the accuracy of the data is contested, processing is unlawful, or the data subject has objected to processing.
- Right to Data Portability (Article 20): Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance, where technically feasible.
- Right to Object (Article 21): Data subjects have the right to object to the processing of their personal data in certain circumstances, such as for direct marketing purposes or when processing is based on legitimate interests.
- Rights in Relation to Automated Decision Making and Profiling (Article 22): Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. We do not currently engage in such automated decision-making that would produce legal effects.
To exercise any of these rights, please contact our Data Protection Officer at gdpr@cottelectronics.com. We will respond to your request within one month, as required by GDPR Article 12(3), and may extend this period by a further two months if necessary, with notification to the data subject.
Data Protection Officer (DPO)
In accordance with GDPR Article 37, we have appointed a Data Protection Officer (DPO) who oversees our data protection strategies and their implementation to ensure compliance with GDPR standards. Our DPO is responsible for:
- Monitoring compliance with GDPR and other data protection laws
- Providing advice and guidance on data protection impact assessments (DPIAs)
- Cooperating with supervisory authorities
- Acting as a point of contact for data subjects and supervisory authorities
- Training staff on data protection matters
- Conducting internal audits and reviews
You can contact our DPO for any data protection concerns or inquiries at:
Data Protection Officer
COTT Electronics Sp. z o.o.
Email: gdpr@cottelectronics.com
Phone: +48 22 1530505
Data Processing Records
In accordance with GDPR Article 30, we maintain records of our data processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Transfers to third countries
- Retention periods
- Security measures
These records are regularly reviewed and updated to ensure accuracy and compliance.
Data Protection Impact Assessments (DPIAs)
In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of data subjects. DPIAs are conducted:
- Before implementing new processing activities that may pose high risks
- When using new technologies or processing methods
- When processing special categories of personal data on a large scale
- When systematically monitoring publicly accessible areas on a large scale
Our DPIAs assess the necessity and proportionality of processing, risks to data subjects, and measures to address those risks. We consult with our DPO and, where necessary, with the supervisory authority before processing.
Data Breach Notification
In accordance with GDPR Articles 33-34, we have implemented procedures for detecting, reporting, and investigating personal data breaches:
Internal Procedures:
- Immediate assessment of the breach and its potential impact
- Containment and mitigation measures
- Documentation of the breach and actions taken
- Notification to supervisory authority within 72 hours (where required)
- Notification to affected data subjects without undue delay (where required)
Supervisory Authority Notification: We will notify the Polish Data Protection Authority (UODO) of any personal data breach that is likely to result in a risk to the rights and freedoms of natural persons within 72 hours of becoming aware of it, unless the breach is unlikely to result in such a risk.
Data Subject Notification: We will notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, unless:
- We have implemented appropriate technical and organizational measures that render the data unintelligible (e.g., encryption)
- We have taken subsequent measures to ensure the high risk is no longer likely to materialize
- It would involve disproportionate effort (in which case we will use public communication)
Third-Party Processors
We work with third-party processors who assist us in providing our services. All processors are bound by strict data processing agreements (DPAs) as required by GDPR Article 28, ensuring they:
- Process data only in accordance with our instructions
- Implement appropriate technical and organizational measures
- Ensure the security of processing
- Assist us in fulfilling data subject rights requests
- Notify us of any data breaches
- Return or delete data at the end of the processing relationship
Categories of Processors:
- Cloud hosting and infrastructure providers
- Payment processors (PCI-DSS compliant)
- Email service providers
- Analytics and marketing service providers
- Customer support platforms
- Content delivery networks (CDNs)
For a current list of our processors, please contact our Data Protection Officer.
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs for transfers to countries without adequacy decisions
- Adequacy Decisions: We may transfer data to countries with adequacy decisions by the European Commission
- Binding Corporate Rules: Where applicable, we rely on binding corporate rules approved by supervisory authorities
- Other Safeguards: We may use other appropriate safeguards as permitted by GDPR Article 46
You can obtain more information about the safeguards we use for international transfers by contacting our Data Protection Officer.
Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:
Technical Measures:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms (multi-factor authentication where appropriate)
- Regular security assessments and penetration testing
- Network security and firewall protection
- Intrusion detection and prevention systems
- Secure backup and disaster recovery procedures
Organizational Measures:
- Employee training on data protection and security
- Access controls and role-based permissions
- Regular reviews and audits of data processing activities
- Incident response procedures
- Business continuity and disaster recovery plans
- Confidentiality agreements with employees and contractors
Reporting a Concern
If you have any concerns or queries about how we handle your personal data, please contact our Data Protection Officer at gdpr@cottelectronics.com.
You also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction if you believe your rights have been violated. In Poland, the supervisory authority is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Polska
Phone: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl
Website: https://uodo.gov.pl
You can also find your local data protection authority through the European Data Protection Board (EDPB) website: https://edpb.europa.eu
Regular Reviews and Updates
We regularly review and update our data protection practices to ensure ongoing compliance with GDPR and Polish data protection laws. This includes:
- Regular audits of our data processing activities
- Review and update of our policies and procedures
- Staff training and awareness programs
- Monitoring of regulatory developments and guidance
- Assessment of new technologies and processing methods
- Review of third-party processors and contracts
Conclusion
COTT Electronics Sp. z o.o. is committed to upholding the highest standards of data protection and privacy. We continually review and update our processes to ensure compliance with the GDPR and Polish data protection laws. Our commitment to data protection is integral to our business operations and reflects our respect for the privacy rights of our customers and users.
Thank you for entrusting COTT Electronics Sp. z o.o. with your data. We are dedicated to protecting it and respecting your rights.
Contact Us
For general inquiries, you can reach us at:
COTT Electronics Sp. z o.o.
Mikołaja Kopernika 30 / 11A
00-336 Warszawa, Polska
KRS: 0001019972
NIP: 5252944045
REGON: 524484765
Email: info@cott.tv
Phone: +48 22 1530505
Data Protection Officer:
Email: gdpr@cottelectronics.com
Phone: +48 22 1530505