Personal Data Protection – GDPR

Document symbol: DA/16, edition 02, issued on 03.02.2026

Privacy Policy

1. Introduction

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, store, process and protect your data, as well as what rights you have in connection with the processing of your personal data. We comply with personal data protection laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), and other applicable regulations in order to ensure full transparency and control over information concerning you.

Please read the rules below, which describe our privacy practices in detail. If you have any questions regarding this Privacy Policy, you may contact us at any time by sending a message to: info@immunolab.com.pl

2. Data Controller

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (GDPR), we inform you that the controller of your personal data is the Research and Development Department of the Salmonella Center IMMUNOLAB Ltd. (hereinafter referred to as IMMUNOLAB Ltd.), represented in accordance with the rules of representation disclosed in the National Court Register, with its registered office at 24 Kładki Street, 80-822 Gdańsk, Poland, KRS No.: 0000098932, NIP: 586-20-11-240.

The Controller has not appointed a Data Protection Officer. Contact regarding personal data matters: info@immunolab.com.pl

3. Legal basis

Data processing is carried out on the basis of:

 Article 6(1)(a) GDPR — consent,
 Article 6(1)(b) GDPR — performance of a contract or pre-contractual activities,
 Article 6(1)(c) GDPR — legal obligations, in particular accounting and tax obligations,
 Article 6(1)(f) GDPR — the legitimate interest of the Controller,
 Article 398 of the Polish Electronic Communications Law — with regard to communication channel consents, including e-mail, telephone and SMS.

4.Personal data

4.1 Purposes, legal bases and periods of personal data processing

The purposes of processing, legal bases and retention periods for personal data are determined separately for each processing purpose. Details concerning individual purposes of data processing are provided in sections 6 and 7.

5. Your rights

Under the GDPR, you have a number of rights related to the processing of your personal data. These include:

Right of access to data: You have the right to obtain information at any time about the personal data we process, in accordance with Article 15 GDPR.

Right to rectification of data: You have the right to request the immediate rectification of any inaccurate personal data concerning you, in accordance with Article 16 GDPR.

Right to erasure of data: If the circumstances set out in Article 17 GDPR occur, you have the right to request the immediate erasure of your personal data, also known as the “right to be forgotten”. Such circumstances include, among others, situations where the personal data are no longer necessary for the purposes for which they were processed, or where you withdraw your consent to processing and there is no other legal basis for further processing. This right also applies where the data subject objects to processing, unless there are overriding legitimate grounds for the processing, except in cases of objection to processing for direct marketing purposes.

Right to restriction of processing: If the conditions set out in Article 18 GDPR are met, you have the right to request restriction of the processing of personal data. Restriction of processing may be required in particular where the processing of data is unlawful and the data subject objects to their erasure, requesting instead restriction of their use. This right also applies where the data subject objects, pursuant to Article 21(1) GDPR, to the processing of data — until it has been determined whether our legitimate grounds for processing override the objection of the data subject.

Right to data portability: You have the right to data portability under Article 20 GDPR. This means that you may receive the personal data that you have provided to us in a structured, commonly used and machine-readable format.

Right to object to data processing: You have the right to object at any time, pursuant to Article 21 GDPR, to the processing of personal data carried out on the basis of Article 6(1)(f) GDPR, for reasons related to your particular situation. Regardless of this, you may object at any time to the processing of your data for direct marketing purposes, without providing any justification.

Requests concerning the exercise of rights under the GDPR may be submitted by e-mail to: info@immunolab.com.pl or in writing to the registered office address of the Controller. We will respond without undue delay, as a rule within 1 month of receiving the request. In complex cases, this period may be extended by a maximum of 2 months — in such a case, we will inform you of the extension and provide the reasons for the delay.

Right to withdraw consent to data processing: You have the right to withdraw any consent you have given at any time, in accordance with Article 7 GDPR.

Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data is unlawful or inadmissible, you have the right to lodge a complaint with the competent supervisory authority. Supervisory authority: President of the Personal Data Protection Office, ul. Stanisława Moniuszki 1A, 00-193 Warsaw, Poland.

6. Purposes and processing activities

Providing data is voluntary.

In the scope of marketing activities, we process data on the basis of Article 6(1)(f) GDPR, meaning the legitimate interest of the Controller, or — if you provide consent — Article 6(1)(a) GDPR.

Detailed rules concerning marketing communication channels under the Polish Electronic Communications Law, the consent register and withdrawal of consent are described in the section “Marketing communication — PKE/GDPR”.

Data used for marketing communication are stored until:

– consent for a given communication channel is withdrawn under the Polish Electronic Communications Law, or
– an objection to direct marketing is lodged under the GDPR,

whichever occurs first.

Details concerning the storage of consent and objection logs are described in the section “Marketing communication — PKE/GDPR”.

Where data are obtained from the data subject, providing them is a condition for initiating proceedings concerning the subject matter specified in the request, letter or submission made by that person, while providing contact details enables us to respond and handle the matter efficiently. In the case of certain tasks, such as training, providing data is a condition for the performance of a contract or order.

The data subject may object at any time to the processing of data for direct marketing purposes. After an objection has been lodged, we will no longer process the data for this purpose, in accordance with Article 21(2)–(3) GDPR. The user may also withdraw communication channel consents for electronic communication under the Polish Electronic Communications Law — separately for e-mail, telephone and SMS.

After consent has been withdrawn or an objection has been lodged, we may store a minimum scope of data and consent/objection logs solely for the purpose of demonstrating compliance with obligations, meaning accountability, and to ensure that we will not send marketing communication to you.

7. Table — purposes, legal bases and processing periods

Purpose of processing Legal basis Scope of data Retention period
Performance of B2B/B2C contracts and orders Article 6(1)(b) and (c) GDPR Identification data, contact data, company data Duration of the contract + 5 years, with the 5-year period calculated from the end of the year in which the tax payment deadline expired
Responses to enquiries, including forms and e-mail Article 6(1)(f) or (b) GDPR, depending on the nature of the contact First name, last name, e-mail, telephone number Up to 12 months from the end of correspondence
Direct marketing under the GDPR Article 6(1)(f) GDPR Contact details Until an objection is lodged; we may store a minimum scope of data and consent/objection logs solely for the purpose of demonstrating compliance with obligations, meaning accountability
Marketing communication channels, including e-mail, telephone and SMS GDPR: Article 6(1)(a); Polish Electronic Communications Law: Article 398 E-mail, telephone number Until consent is withdrawn; we may store a minimum scope of data and consent/objection logs solely for the purpose of demonstrating compliance with obligations, meaning accountability
Newsletter Article 6(1)(a) GDPR E-mail, IP address, date of consent Until consent is withdrawn; we may store a minimum scope of data and consent/objection logs solely for the purpose of demonstrating compliance with obligations, meaning accountability
Register of consents and objections Article 6(1)(c) and Article 5(2) GDPR Consent metadata Until the expiry of the limitation period for claims, i.e. 6 years
Recruitment Article 6(1)(b) and/or (c) GDPR for recruitment; Article 6(1)(a) GDPR for consent to participate in future recruitment processes CV, professional data, contact details Until the end of the recruitment process; in the case of consent, up to 12 months
Complaint handling Article 6(1)(b) and (c) GDPR Contact details 5 years
Website analytics and statistics, including GA4 Consent — Article 6(1)(a) GDPR Cookie data, online identifiers Until consent is withdrawn; data already collected in GA4 are stored in accordance with GA4 retention settings
Server logs Article 6(1)(f) GDPR IP address, time, browser headers 30–90 days

8. Contact via forms

As part of contact with IMMUNOLAB Ltd. through contact forms, personal data are collected. On our website, we provide contact forms, a training registration form, a customer satisfaction survey form and a complaint submission form. Marketing consent checkboxes under the Polish Electronic Communications Law and GDPR are always unchecked by default. Processing based on consent continues until consent is withdrawn.

The type of data collected through individual forms is indicated directly in the relevant form. We process data in order to handle the submission, provide a response, perform a service or take steps prior to its performance, as well as to the extent necessary to ensure the proper functioning of forms and communication. The legal basis for processing these data is our legitimate interest in responding to an enquiry, pursuant to Article 6(1)(f) GDPR, or your voluntarily given consent pursuant to Article 6(1)(a) GDPR.

If the purpose of contact is to perform a service or to take steps necessary before its performance, data processing is based on Article 6(1)(b) GDPR. In the case of legal obligations incumbent on the Controller, such as tax or accounting purposes, the basis for processing will be Article 6(1)(c) GDPR, as well as the pursuit of the legitimate interests of the data controller, such as establishing, pursuing or defending against claims, pursuant to Article 6(1)(f) GDPR.

Your data will be deleted after the processing of your request has been completed or the service has been provided. The data deletion process will be completed when the matter has been finally resolved and the contract has been performed, unless there are legal provisions requiring further storage of the data, for example provisions concerning retention periods specified by tax regulations. Where data are processed on the basis of consent, the data will be stored until the purpose for which they were collected has been achieved or until you withdraw your consent.

In online forms, we use separate communication channel consent checkboxes: (1) consent to e-mail marketing under Article 398 of the Polish Electronic Communications Law, (2) consent to telephone/SMS contact for marketing purposes under Article 398 of the Polish Electronic Communications Law, and (3) optionally, GDPR consent to the processing of data for marketing purposes under Article 6(1)(a) GDPR. The checkboxes are not selected by default. Consent is voluntary and may be withdrawn at any time.

We use the double opt-in mechanism in the newsletter subscription process. See the “Newsletter” section.

9. Data obtained from other sources

In certain cases, we may obtain personal data from other sources, in particular from:

  • public registers, including the National Court Register and CEIDG,
  • employers or contractors — business data of contact persons,
  • recruitment platforms, such as Pracuj.pl, OLX and LinkedIn,
  • courier and logistics companies, including return information concerning deliveries.

The scope of data depends on the purpose, but most often includes: first name and last name, position, business e-mail address, telephone number and the name of the employer. Detailed purposes and legal bases of processing are described in the table in section 7.

If data are obtained from other sources, we provide the data subject with the required information in accordance with Article 14 GDPR — as a rule at the first contact or within a reasonable period.

10. Voluntary provision of data

  • Providing data for marketing and newsletter purposes is voluntary.
  • Providing data in the contact form is voluntary, but necessary in order to provide a response.
  • Providing data when purchasing products or services is necessary for the performance of the contract.
  • Providing accounting data results from legal provisions.
  • Providing data in recruitment, to the extent necessary to conduct the recruitment process, is required. Providing additional data, for example for future recruitment purposes, is voluntary.

11. Transfer of data to third parties

As a rule, we do not disclose personal data to other entities unless this is necessary to provide services, fulfil legal obligations or protect our rights, for example in connection with pursuing or defending against claims.

Service providers, which may also include other entities such as IT service providers, are bound by agreements. Therefore, they are subject to our requirements, which include processing your data only in accordance with our instructions and applicable data protection laws. In particular, they are contractually obliged to treat your data as strictly confidential and may not process them for purposes other than those agreed.

In the scope of e-mail/SMS dispatches and subscription management, we may use mailing system/CRM providers, acting as processors under Article 28 GDPR. We ensure that appropriate data processing agreements are concluded and, where applicable, that mechanisms for transfers outside the EEA are used.

Other recipients of data, depending on the scope of services provided, may include, for example, external experts, accounting offices and entities handling electronic payments, including online transfers or card payments, such as T-Pay.

The transfer of data to a data processor takes place in accordance with Article 28(1) GDPR.

We do not sell your personal data to third parties or otherwise disclose them for commercial purposes.

Within the scope of applicable law, we may transfer your data to competent administrative authorities, courts and law enforcement authorities if, under specific legal provisions, the Controller is obliged to transfer personal data to them or if such entities are entitled to request access to such data. We may also transfer data to other parties or participants in proceedings who, under the provisions of the Code of Administrative Procedure, are entitled to access the files of the proceedings.

Data may be transferred outside the European Economic Area only:

  • to countries covered by an adequacy decision, or
  • on the basis of EU Standard Contractual Clauses, also known as SCCs.

This applies, among others, to Google and, in certain cases, MailerLite.

12. Website analysis using Google Analytics

If the user gives consent in the cookie banner, we may use Google Analytics (GA4), a tool for analysing website traffic. The service is provided in the EU/EEA by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Data are processed for the purpose of analysing statistics and improving the operation of the website. The legal basis is Article 6(1)(a) GDPR, meaning consent, which may be withdrawn at any time by changing the settings in the cookie banner.

12.1. Cookies

In order to make our website more user-friendly and adapted to your needs, we use cookies in certain cases. A cookie is a small file that is saved on your device after visiting our website. Cookies also allow us to analyse how the website is used. You have full control over the storage of cookies on your device. Detailed instructions on how to disable or delete cookies can be found in the documentation of the web browser you use.

Analytical and advertising tools are activated only after the relevant consent has been given in the cookie banner. The user may change their preferences at any time. Marketing and analytical cookies are not used without consent. Retention periods depend on GA4 settings, in accordance with GA4 retention settings — 2 or 14 months.

Information about web beacons and newsletter dispatch statistics is described in the section “Newsletter / MailerLite”.

12.2. Server logs

Using our website involves sending requests to the server on which it is hosted. Each request sent to the server is recorded in server logs. These logs include, among others, the user’s IP address, the date and time of the request, as well as information about the web browser and operating system used.

Data stored in logs are kept on the server and are not used for direct identification, but they may constitute personal data and are processed for the security and maintenance of the website. We do not use this information to identify users.

Server logs are used only for administrative and website management purposes. Their content is not disclosed to anyone other than persons authorised to administer the server.

13. Newsletter and MailerLite subscription management

If you subscribe to our newsletter, we will use your personal data, including your e-mail address and, if provided, your first name and last name, in order to send you information about news, updates, events, educational materials and — if you give additional consent — commercial and promotional information concerning products and services of IMMUNOLAB Ltd.

The legal basis for data processing is consent, pursuant to Article 6(1)(a) GDPR.

Before sending commercial information by electronic means of communication, we also require separate consent in accordance with Article 398 of the Polish Electronic Communications Law.

In the subscription process, we use a double opt-in mechanism. After completing the subscription form, we send an e-mail asking you to confirm your wish to subscribe by clicking the activation link.

As part of the subscription process, we record the data necessary to confirm consent: e-mail address, IP address, date and time of subscription, and the content of the consent given. These data are used only for evidentiary purposes and to ensure the security of the subscription process.

The subscriber may unsubscribe from receiving messages at any time by clicking the “Unsubscribe” link included in the footer of each message or by contacting us at: newsletter@immunolab.com.pl. After unsubscription, we store minimum data and logs or a “suppression list” for the limitation period for claims / in accordance with the consent register.

Subscribers’ data are stored for the period during which the newsletter is operated or until the subscriber withdraws consent, whichever occurs first.

For newsletter management, we use the MailerLite mailing platform, operated by:

MailerLite Limited
Ground Floor, 71 Lower Baggot Street,
Dublin 2, D02 P593, Ireland.

MailerLite acts as a data processor on our behalf pursuant to Article 28 GDPR. It processes subscriber data only in accordance with our instructions and solely for the purpose of handling newsletter dispatches and managing the subscriber list.

Data are stored on servers located within the European Union. In the event of any transfer of data outside the EEA, MailerLite applies appropriate safeguards, including EU Standard Contractual Clauses.

Messages sent via MailerLite may contain technical markers, known as web beacons, which inform us whether the message has been opened and which links have been clicked. These data may be assigned to the subscriber. We use them for statistical purposes, without automated decision-making or profiling.

14. Marketing communication — PKE/GDPR

Before using electronic means of communication, including telephone, SMS, e-mail and instant messaging, to provide commercial information or conduct direct marketing, we require prior, voluntary consent in accordance with Article 398 of the Polish Electronic Communications Law.

Independently of this, data processing for marketing purposes may be based on Article 6(1)(f) GDPR, meaning the legitimate interest of the Controller, or — if consent has been given — on Article 6(1)(a) GDPR.

The data subject has the right to object to direct marketing pursuant to Article 21(2)–(3) GDPR and the right to withdraw consent at any time.

Logs of consents, withdrawals and objections are stored for the period necessary to demonstrate compliance with legal provisions, in accordance with Article 5(2) GDPR — the accountability principle.

Each e-mail message contains an easily accessible opt-out mechanism, in accordance with applicable provisions of the Polish Electronic Communications Law and the GDPR.

15. Security

We apply appropriate technical and organisational measures to protect personal data against accidental loss, destruction, unauthorised access, disclosure or modification, taking into account the nature of the data and the risks associated with their processing.

Access to data is granted only to authorised persons. When cooperating with processors, such as IT, hosting, mailing system or CRM providers, we conclude the required agreements and require appropriate safeguards and confidentiality.

In electronic communication, we use transmission security measures, such as TLS, and access control mechanisms. Detailed rules concerning the register of consents, withdrawals and objections, as well as mechanisms for opting out of marketing communication, are described in the section “Marketing communication — PKE/GDPR”.

16. Changes to this personal data protection declaration

This Privacy Policy may be updated periodically, in particular in the event of changes in legal provisions, including the Polish Electronic Communications Law, generally applicable from 10 November 2024, changes in the operation of the website or the implementation or change of tools used, such as mailing, analytical or CRM tools.

The current version of the Privacy Policy is always available on our website and applies from the date of its publication. Users will be informed of significant changes through a notice on the website.

Last updated: 03.02.2026 r.