GDPR

1. What is changing in personal data protection regulations and what is the GDPR?
On 25 May 2018 the European regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC of 27 April 2016 (the General Data Protection Regulation, the GDPR) came into force.

In view of the above, as the Administrators of your personal data within the meaning of the GDPR, we approach the issue of protecting your personal data responsibly.

The GDPR directly and comprehensively regulates the protection of personal data throughout the European Union. Its main objectives are focused on the implementation of the fundamental rights and freedoms of individuals, in particular the right to have one’s personal data protected. The GDPR not only gives new rights to the people it protects, it also strengthens existing requirements by introducing numerous responsibilities for administrators.

Important! In connection with the GDPR entering into force, it is not necessary to contact us; it is sufficient to read the information available on the following page.

2. Legal Basis
Throughout the European Economic Area the rules for the protection of personal data have been harmonised. From 25 May 2018, throughout Europe, the rights of European Union citizens have been strengthened by simultaneously imposing new obligations on all organisations that process personal data, and in particular on those that offer goods and services online. The internet is now much more user-friendly, and companies offering goods and services have to meet a number of requirements that increase the level of security of personal data processed and entrusted for processing by other entities.

We, as a reliable organisation, take this challenge extremely seriously and undertake to comply with the GDPR in respect of all the services we offer now and in the future. Our commitment to security is very important, therefore our clients can be sure that their data is properly protected. As part of this commitment, we want to let you know in a transparent and easy to understand way how we use personal data and what rights you have.

We are aware that both we and our clients have obligations resulting from the new regulations. Therefore, we provide security to our clients by conducting regular inspections, providing standard contractual safeguards, and sharing tools and necessary information.

As it has always been our goal to preserve the privacy and security of our clients’ personal data, and the control of its processing, in the near future we will provide you with updated contractual clauses that meet the requirements of the new regulations.

3. Purpose of Processing
For what purpose and on what basis do we use your personal data?

Please note that from this moment on we will be profiling your personal data, which means there will be an automated analysis of your expectations and needs as well as your preferences and behaviour. The aim of profiling is, above all, to optimise our commercial offering. We use your personal data obtained during the signing of contracts and the duration thereof for the following purposes:
  • concluding and implementing agreements, including ensuring the quality of services provided during the agreement and the correctness of settlements made after its completion (Article 6 of the GDPR);
  • to meet our legal obligations, such as
    • issuing and storing invoices and accounting documents,
    • responding to complaints on time and in the form provided for by law;
In view of the above, we will use your personal data:
  • For the duration of performing our obligations under the agreement between you and us, for example issuing invoices (Article 6.1 par. 1c of the GDPR).
  • For the time we required by applicable law to store personal data, e.g. for tax purposes (Article 6 par. 1c of the GDPR).
  • For the time during which there is a risk of legal consequences of non-performance or improper performance of obligations resulting from the GDPR, e.g. the imposition of a fine by a controlling body (Article 6 par. 1f of the GDPR):
    • detecting and preventing fraud for the duration of the agreement, and then for the period until the date when claims arising from such agreement are time-barred, and, in the case of enforcement of claims or notification to competent authorities, for the duration of those proceedings;
    • establishing protection and pursuing claims – also in the case of the sale of claims under the agreement to another entity – for the period until the date when claims resulting from such agreement are time-barred;
    • direct marketing – for the duration of the agreement or based of your consent, until it is withdrawn;
    • creating statements, analyses and statistics for our internal needs, in particular reporting, marketing research, service development planning or development work in information systems, creating statistical models – for the duration of the agreement, no longer than for the period the date when claims resulting from an agreement are time-barred;
    • service support, including by informing you about failures and complaints, as well as adjusting services based data about the service you are using – for the duration of the agreement.
4. What rights do you have?
  • The right to correct your personal data.
  • The right to have your personal data deleted.
  • The right to restrict the processing of your personal data.
  • The right to access your personal data.
  • The right to transfer your personal data.
  • The right to object to the processing of your personal data.
  • The right to withdraw consent for the processing of your personal data.
  • The right to make a complaint to a supervisory body.
5. What are the characteristics of these individual rights?
  • The right to correct your personal data – this right allows you to report to us the need to correct incorrect data or supplement incomplete data.
  • The right to have your personal data deleted – this right allows you to request the deletion of your personal data. If the grounds for a request are justified, we will immediately delete the data.
  • The right to restrict the processing of your personal data – this right allows you to request that data processing be restricted, e.g. questioning the correctness of the data being processed or the compliance of its processing with the law. If the grounds for a request are justified, the processing of the data will cease and we will only store it. The re-processing of data is possible when the basis for requesting that its processing is restricted is not possible. The foregoing does not apply in the event of establishing, asserting or defending the claims of the right holder, for example pursuing claims arising from the agreement.
  • The right to access your personal data – this right allows you to obtain information about your data, and how and for what purpose it is processed.
  • The right to transfer your personal data – this right allows you to request a transfer of data directly to another entity (data administrator), as well as to receive a copy of the data in a structured machine-readable format (for the purpose of transferring data to another administrator).
6. Register of Processing Activities

As an administrator of personal data we are required to keep a register documenting the most important activities related to the processing of your personal data, including how to protect it, and to keep a register of the recipients of this data. The register shows, in a reliable and responsible manner, the activities regarding your data that we hold in our data sets.

7. Protection of Personal Data

As an administrator we are required to re-evaluate the security of personal data processing. Ensuring security involves many activities, including the encryption or pseudonymisation of data (preventing the data subject from being identified).

8. Personal Data Protection Inspector
Contact details:
Ecovis Milczarek i Wspólnicy Kancelaria Prawna Sp.k.
ul. Belwederska 9A, 00-761 Warsaw.

Data Protection Inspector:
Mariusz Polok
email: iod@ecovis.pl
Phone: +48 22 400 45 85

CONSENT and COMPLAINTS
If the processing of personal data by us is not related to our agreement with you or does not result from the fulfilment of a legal requirement or does not constitute our legitimate interest, we may ask for your consent to certain ways of using your data. Such consent may enable us in advance to determine actions about which you will be informed. Of course, you can withdraw your consent at any time (this will not affect the legality of actions taken before the withdrawal of consent). You also have the right to address a complaint to the President of the Office for Personal Data Protection (previously known as GIODO) if you think that the processing of your personal data is in breach of applicable law.