Privacy Policy

The protection of privacy is important to us. We do our best to protect your personal data and present to you, in a transparent way, the way we use it.

This policy (“Privacy Policy”) was drawn up by Spaczyński, Szczepaniak i Wspólnicy sp.k. with its registered office in Warsaw (00-124) at ul. Rondo ONZ 1 and is addressed to the natural persons, whose personal data are being processed by the Data Controller due to their using of Data Controller’s webpage, Data Controller’s business activity and its marketing and promotional activity.

SSW processes personal data pursuant to the generally applicable regulations of law, including, in particular, the Regulation of the European Parliament and the EU Council 2016/679 of 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of the Directive 95/46/EC (general data protection regulation) (GDPR) and the Act of 10 May 2018 on personal data protection.

1. Who is responsible for your personal data? (Data Controller)

The Data Controller of your personal data is Spaczyński, Szczepaniak i Wspólnicy sp.k. seated in Warsaw (00-124) at ul. Rondo ONZ 1, entered into the register of entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw, the 12th Division of the National Court Register under KRS number: 0000583564, NIP: 525-256-91-33, REGON: 146936694 (the “SSW” and/or the “Controller”).

2. How to contact the Data Controller?

Our Data Protection Officer is Rafał Rępiński.

In all matters related to processing of your personal data You can contact him or the Data Controller:

a) via traditional post to the address Spaczyński, Szczepaniak i Wspólnicy sp.k., ul. Rondo ONZ 1, p. 12, 00-124 Warszawa or;
b) via dedicated email address: privacy@ssw.solutions.

3. On what basis and in what purpose do we process your personal data?

Your personal data, which you pass on to the Controller are processed:

• to enable you to contact SSW through its webpage and contact forms thereto as well as due to your passing your personal data to the SSW in any other form (for example by handing out your business card at the meeting);
• to enable you to sign up for newsletters offered by the SSW;
• to enable you to sign up for events organized by the SSW;
  pursuant to your consent (art. 6 sec. 1 letter a) of GDPR);
• to execute the agreement – pursuant to art. 6 sec. 1 letter b) of GDPR;
• to execute the legal obligations imposed on the Controller in connection with execution of the agreement – pursuant to art. 6 sec. 1 letter c) of GDPR;
• for the purpose of direct marketing of the SSW or a third party – pursuant to art. 6 sec. 1 letter f) of GDPR (legitimate interest);
• for the purpose of the legitimate interest of the Controller consisting in establishing, requesting the recovery of claims or rights of the Controller or defending against such claims – pursuant to art. 6 sec. 1 letter f) of GDPR (legitimate interest);
• to ensure smooth functioning of the Controller’s webpage as well as to adjust it to the needs of its users (for this purpose the webpage uses cookies) – pursuant to art. 6 sec. 1 letter f) of GDPR.

If your personal data were collected not directly from you, the Controller process them within following scope: name, surname, firm, correspondence address, e-mail and phone for the purposes listed above. In such an event your personal data were passed on the Controller by your employer, mandator or other entity whose interest you represent in contacts with the SSW.

The Controller’s legitimate interest means establishing and pursuing claims or rights of the Controller or defence against such claims, direct marketing of the services rendered by the Controller or third parties, delivery of services and communication with the Customer.

4. What are your rights with respect to personal data?

Pursuant to GDPR provisions you have many rights with respect to your personal data. Below, you will find a general description of your rights:

a)  Access to personal data. You can exercise your right to access your data at any time.
b)  Rectification and supplement to data. You have right to ask the Data Controller to rectify immediately your incorrect personal data and complete uncomplete personal data.
c) Right to deletion of data. You have right to ask the Data Controller to delete immediately your data under any of the following circumstances:

• when personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
• when the person concerned has withdrawn the consent constituting the basis of processing and where there is no other legal basis of processing – if applicable;
• when you raise an objection against data processing referred to in item e) below and when there are no prevailing grounds to process the data;
• when personal data are unlawfully processed;
• when personal data have to be deleted in order to settle legal obligation provided for by the law of the European Union or Poland;
• when personal data have been collected in relation to offering information society services pursuant to GDPR.

However, the Data Controller will not be entitled to delete your personal data to the extent that such processing is necessary: (i) to exercise the right to freedom of information and expression, (ii) to settle legal obligation requiring processing under the law of the European Union or Poland, (iii) to establish, request the recovery or defend against claims.

d) Right to limit data processing. You have right to ask the Data Controller to limit processing under the following circumstances:

• you contest the accuracy of personal data – for the period enabling the Data Controller to verify the accuracy of such data;
• processing is unlawful and you oppose their erasure and demand their limiting instead;
• the Data Controller does no longer need personal data for the purpose of processing, however you need them for the purpose of establishing, requesting the recovery of claims or defending against such claims;
• you objected to the processing referred to in item e) below – until it is determined whether the reasonable grounds of the Data Controller take precedence over your grounds of objection.

e)  Right to object. You have right to object to processing your personal data when the Data Controller processes such data based on the legitimate interest. The Data Controller of data may not take into account the objection if they prove reasonable grounds to process, taking precedence over your interests, rights and freedoms or grounds to establish, request the recovery or defend against claims.

f) Right to withdraw the consent. To the extent that your personal data are processed on the basis of your consent, you have right to withdraw your consent at any time. The withdrawal of the consent does not affect the lawfulness of the processing made on the basis of the consent prior to its withdrawal.

g) Right to data portability. To the extent that your data are processed for the purpose of concluding and executing the agreement or processed on the basis of the consent and data are processed by automated means – you have right to receive from the Data Controller, in a structured, commonly used and machine readable form, the personal data you have provided before or during the cooperation with the Data Controller. You have also the right to transfer such personal data to another data controller.

h) Right to file a complaint. You have the right to file a complaint on processing of personal data by the Data Controller to the supervisory authority – in Poland, such a function is held by the President of the Office Personal Data Protection.

The rights provided for in items a)-g) above can be exercised by contacting our Data Protection Officer:

a) via traditional post to the address Spaczyński, Szczepaniak i Wspólnicy sp.k., ul. Rondo ONZ 1, p. 12, 00-124 Warszawa or;
b) via dedicated email address: privacy@ssw.solutions.

You can exercise the right to file a complaint provided for in item h) above by contacting directly the supervisory authority.

5. Processing of sensitive personal data and personal data related to criminal convictions and infringements

Some categories of personal data are considered to be sensitive pursuant the provisions on data protection and are subject to higher level of protection and security. According to the provisions, the following categories of personal data are considered to be sensitive: (1) racial or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health or determinants; (7) genetic and biometric data and (8) data related to criminal convictions and infringements.

The Data Controller may collect and process your sensitive personal data and data related to criminal convictions and infringements in very limited cases and only when it is necessary for the purpose of their processing and only when it is authorised by law.

6. Providing personal data

In the case of collecting personal data directly from you, their provision is voluntary. Refusal to provide personal data may prevent conclusion of the agreement with the Controller or may affect the scope of services which can be provided to you by the Controller or may make it impossible to contact you or to provide you with marketing materials including newsletter.

7. Who do we share your personal data with?

We can share your personal data with the following data recipients or categories of data recipients:

a) service providers providing services in our name or on our behalf. In the agreements concluded with such providers, we require respecting the applicable provisions on data protection;

b) entities affiliated with the Controller;

c) if required under generally applicable provisions of law, to the necessary extent also to third parties, in particular authorised national authorities.

8. Communication of personal data to third countries

In case of communicating your personal data to third countries, i.e. recipients established outside the European Economic Area or Switzerland in the countries which, according to the European Commission do not provide an adequate level of data protection (third countries which do not provide an adequate level of data protection), the Data Controller communicates them using the mechanisms in compliance with applicable law, including, but not limited to (1.) “Standard Contractual Clauses” of EU, (2.) obtaining the certificate of compliance with the Privacy Shield by the third party (in case when it is seated in the US), (3.) if data are communicated to the third country, which, according to the European Commission, on the basis of the decision, provides an adequate level of data protection. You can obtain more information on existing safeguard implemented by the Data Controller for the purpose of ensuring lawful data processing and on possibility to obtain a copy of data or on place of their availability by contacting us as indicated in item 2 above.

9. How long do we keep your personal data?

The Data Controller is committed to process your personal data in an adequate manner and as long as it is necessary for the purpose for which they were collected. With this in mind, the Data Controller keeps your personal data for a period not exceeding the one necessary for purpose for which such data were collected or, if it is necessary, for the purpose of compliance with applicable law, in particular with regard to the period of execution of the agreement and the limitation period.

10. Automated decision making

The Data Controller does not carry out the automated decision making process, including profiling on the basis of provided data.

11. Changes in Privacy Policy

This Privacy Policy can be changed, especially if the need or necessity of such changes results from amendments to the relevant provisions of law, including changes to data recipients.

Clients, whose data are processed under this Privacy Policy will be informed on its changes in advance.