The protection of privacy is important to us. We do our best to protect your personal data and transparently present to you the way we use it.
– jointly referred to as “Joint Controllers” and each of them a “Joint Controller” and is addressed to the natural persons, whose personal data are being processed by the Joint Controllers due to their use of the Joint Controllers webpage (“Webpage”), the social media profiles of Joint Controllers (Linkedin, Facebook, Instagram) Data Controller’s business activity and its marketing and promotional activity.
Joint Controllers process personal data pursuant to the generally applicable law, including, in particular, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and the Act of 10 May 2018 on personal data protection.
1. Who is responsible for your personal data?
The joint controllers of your personal data, on the basis of Article 26(1) of GDPR, are:
1) SSW Pragmatic Solutions Spaczyński, Szczepaniak, Okoń sp.k. with its registered seat in Warsaw, at Rondo ONZ 1, 00-124 Warsaw
2) SSW Pragmatic Solutions TAX sp. z o.o. with its registered seat in Warsaw, at Rondo ONZ 1, 00-124 Warsaw, Poland
3) SSW Family Office spółka z ograniczoną odpowiedzialnością spółka komandytowa with its registered seat in Warsaw, at Rondo ONZ 1, 00-124 Warsaw, Poland
4) SSW Accounting spółka z ograniczoną odpowiedzialnością with its registered seat in Warsaw, at Rondo ONZ 1, 00-124 Warsaw, Poland
5) SSW Finance spółka z ograniczoną odpowiedzialnością with its registered seat in Warsaw, at Rondo ONZ 1, 00-124 Warsaw, Poland
The substance of the arrangements between the Joint Controllers regarding the responsibilities of the Joint Controllers and the relationship between them and the data subjects are set out in paragraph 12 below.
2. How to contact the Joint Controller?
On all matters concerning the processing of your personal data, you may contact one of the Joint Controllers:
a) by directing traditional correspondence to its address: Rondo ONZ 1 Street, floor 12, 00-124 Warsaw or;
b) via a dedicated email address: firstname.lastname@example.org
3. Has a Data Protection Officer been appointed?
We have appointed a Data Protection Officer common to all Joint Controllers. You can contact him at email@example.com
4. On what basis and for what purpose do we process your personal data?
Your personal data, which you pass on to the Joint Controllers are processed:
a) in order to provide services electronically in terms of giving you access to the content collected on the Webpage – the legal basis of the processing is the necessity of the processing for the performance of the contract (Article 6(1)(b) of GDPR);
b) in order to enable you to contact the Joint Controllers or one of the Joint Controllers via the Webpage and the contact forms provided on the Webpage – the legal basis for processing is the necessary interest in relation to the need to respond to a question or message sent by you (Article 6(1)(f) of GDPR);
c) in order to enable you to subscribe to newsletters offered by the Joint Controllers or one of them – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6(1)(b) of GDPR);
d) for analytical and statistical purposes – in which case the legal basis of the processing is the Joint Controllers’ legitimate interest (Article 6(1)(f) of GDPR), which consists in conducting analyses of users’ activities, as well as their preferences in order to improve the functionalities used and the services provided;
e) to comply with a legal obligation incumbent on the Joint Controllers (Article 6(1)(c) of GDPR);
f) in order to carry out direct marketing of services provided by the Joint Controllers – the basis for processing is the fulfilment of the Joint Controllers’ legitimate interest (Article 6(1)(f) of GDPR);
g) in order to pursue the Joint Controllers’ legitimate interest in establishing, pursuing or defending against claims or rights of the Joint Controllers – the basis for processing is Article 6(1)(f) of GDPR (legitimate legal interest);
The legitimate interest of the Joint Controllers shall be understood as: establishing and asserting claims or rights of the Joint Controllers or defending against such claims, direct marketing of services provided by the Joint Controllers or a third party, provision of services and communication with the user of the Webpage.
5. What are your rights with respect to personal data?
Pursuant to GDPR provisions you have many rights with respect to your personal data. Below, you will find a general description of your rights:
a) Access to personal data. You can exercise your right to access your data at any time.
b) Rectification and supplement to data. You have the right to ask us to rectify immediately your incorrect personal data and complete incomplete personal data.
c) Right to erasure. You have the right to ask us to delete immediately your data under any of the following circumstances:
However, we will not be entitled to delete your personal data to the extent that such processing is necessary: (i) to exercise the right to freedom of information and expression, (ii) to settle legal obligations requiring processing under the law of the European Union or Poland, (iii) to establish, request the recovery or defend against claims.
d) Right to restriction of data processing. You have the right to ask us to limit processing under the following circumstances:
e) Right to object. You have the right to object to processing your personal data when we process such data based on legitimate interest. We may not take into account the objection if they prove reasonable grounds to process, taking precedence over your interests, rights and freedoms or grounds to establish, request the recovery or defend against claims.
f) Right to withdraw the consent. To the extent that your personal data are processed on the basis of your consent, you have the right to withdraw your consent at any time. The withdrawal of the consent does not affect the lawfulness of the processing made on the basis of the consent prior to its withdrawal.
g) Right to data portability. To the extent that your data are processed for the purpose of concluding and executing the agreement or processed on the basis of the consent and data are processed by automated means – you have the right to receive from us, in a structured, commonly used and machine-readable form, the personal data you have provided before or during the cooperation with us. You have also the right to transfer such personal data to another data controller.
h) Right to file a complaint. You have the right to file a complaint on the processing of personal data by us to the supervisory authority – in Poland, such a function is held by the President of the Office Personal Data Protection (address: Stawki 2 Street, 00-193 Warsaw) if you consider that the processing of your personal data is unlawful.
The rights provided for in items a)-g) above can be exercised by contacting our Data Protection Officer as described in points 1 and 2 above.
You can exercise the right to file a complaint provided for in item h) above by contacting directly the supervisory authority.
Your request should, as far as possible, indicate precisely what the request concerns, i.e., in particular:
a) which of the rights mentioned at this point do you wish to exercise;
b) what processing the request concerns.
If the request is formulated in such a way that it is not possible to ascertain the content of the request or for other reasons it is not possible to comply with the request, we will request additional information from you.
We will respond to your request without undue delay, but no longer than within 1 month of receipt. If necessary, this deadline may be extended by a further two months due to the complexity of the request or the number of requests. Within one month of receipt of the request, we will inform you of such an extension, stating the reasons for the delay.
The response will be provided to the e-mail address from which the request was sent and, in the case of requests sent to the Joint Controller’s registered office address, by post to the address indicated by you, unless it is clear from the content of the letter that you wish to receive a response to the e-mail address and if such an e-mail address is indicated in the request.
6. Data security
We carry out a risk analysis to ensure that personal data is processed in a secure manner, ensuring above all that only authorised persons have access to the data and only to the extent that this is necessary for the tasks performed. We ensure that all operations on personal data are recorded and carried out only by authorised employees and associates.
We take all necessary measures to ensure that our subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on our behalf.
7. Providing personal data
In the case of collecting personal data directly from you, their provision is voluntary. Refusal to provide personal data may prevent the conclusion of the agreement with the Joint Controller or may affect the scope of services which can be provided to you by the Joint Controller or may make it impossible to contact you or to provide you with marketing materials including a newsletter.
8. Who do we share your personal data with?
We can share your personal data with the following data recipients or categories of data recipients:
a) to service providers providing services on our behalf or for our benefit. In contracts concluded with such service providers, we require compliance with the applicable data protection provisions
b) if obliged to do so by mandatory legal provisions, to the extent necessary also to other third parties, in particular to authorised state authorities.
9. Transfer of personal data to third countries
We store your data on IT infrastructure provided by third parties, including email inboxes whose servers may be located outside the European Economic Area, and thus transfer personal data to recipients located outside the European Economic Area. The controller transfers your personal data using mechanisms that comply with applicable law.
10. How long do we keep your personal data?
We make every effort to ensure that your personal data is processed adequately and for as long as necessary for the purposes for which it was collected. The period for which we process your data depends on the type of service provided and the purpose of the processing, i.e.:
a) in case of the user’s use of the contact form on the Website – until the submitted enquiry is answered and the matter which is the subject of the enquiry submitted in the contact form is dealt with,
b) in the event that the user enters into a contract with the Joint Controllers – for the time necessary for the performance of such contracts, and thereafter for other lawful purposes, e.g., for the purpose of securing possible claims until they become time-barred,
c) in case of the fulfilment of a legal obligation incumbent on the Joint Controllers under generally applicable law – until the fulfilment of the obligations under the law,
d) in the case of expressed consent – until the consent is withdrawn by you,
e) in the case of pursuing the Controllers’ legitimate interests – until you object to the processing of your personal data.
11. Automated decision making
We do not carry out the automated decision-making process, including profiling on the basis of provided data.
12. Substantive content of arrangements between Joint Controllers
1) The leading Joint Controller, i.e., responsible for running the Webpage and the social media profiles, shall be SSW Pragmatic Solutions Spaczyński, Szczepaniak, Okoń sp.k. with its registered office in Warsaw, address: Rondo ONZ 1, 00-124 Warsaw.
2) Each Joint controller shall, prior to the processing of personal data, obtain consent from such persons for the processing of such personal data, if such consent is required, and shall provide such persons with the information referred to in Article 13 or Article 14 of the GDPR.
3) The competent Joint Controller for responding to requests from a personal data subject will be the Joint Controller who received such a request unless only the leading Joint Controller can comply with the request. In the event that a request is made to several Joint Controllers, they are obliged, each separately, to respond to the request, having first agreed on a common position. Notwithstanding the foregoing, the Joint Controllers are obliged to cooperate in responding to requests from the personal data subject. To this end, the Joint Controller is obliged to inform the other Joint Controllers without delay of any request from the personal data subject and to provide all necessary information in this regard.
4) If a person requests the deletion of his/her personal data on the basis of Article 17 of GDPR, the Joint Controllers shall immediately decide jointly on the deletion and agree on the content of the response. The decision regarding the erasure of personal data and agreement on the content of the response must be made without undue delay.
5) The Joint Controller is competent for all matters relating to the incident, in particular, the management of the incident and the notification of the personal data breach to the supervisory authority in accordance with Article 33 of GDPR and the notification of the personal data subject in accordance with Article 34 of GDPR, shall be the Joint Controller from whose act or omission the personal data breach arose, unless otherwise agreed by the Joint Controllers.
6) If the Joint Controller who identified the suspected personal data breach is not the Joint Controller from whose act or omission the personal data breach occurred, he/she shall inform the other Joint Controllers of the incident without delay, and at the latest within 24 hours after the discovery of the suspected personal data breach.
7) If the incident is the result of an act or omission of several Joint Controllers, the Joint Controller designated by them jointly shall be the competent one to carry out the obligations referred to in point 5.
8) Notwithstanding points 5 to 7 above, the Joint Controllers shall be obliged to cooperate with each other in complying with the obligations set out in point 5. To this end, the Joint Controllers shall promptly inform each other of any suspected personal data breach, the steps taken in relation to the personal data breach, the content of the notification submitted to the supervisory authority in relation to the personal data breach, the notification of the personal data subject and provide each other with all necessary information in this regard.
9) Each Joint Controller shall, in the event that it receives a request for personal data from the competent authorities, promptly notify the other Joint Controllers of the receipt of such a request, unless such notification is not permissible in light of the request of the competent authorities or the provisions of law.
10) In order to ensure the security of personal data, the Joint Controllers shall apply appropriate technical and organisational measures as referred to in Article 32 of GDPR.
11) Each Joint Controller may entrust the processing of personal data to a processor, by means of a written agreement on entrusting the processing of personal data. In such a case, the Joint Controller is obliged to ensure that the processor fulfils its obligations related to the entrustment of personal data processing under GDPR and to inform the other Joint Controllers of its intention to conclude an agreement with the processor.
12) Any Joint Controller may object for legitimate reasons to the intention to entrust the processing of personal data to a specific processor. If an objection is raised, the Joint Controller is obliged to refrain from entrusting the processing of personal data to a processor until a common position is agreed. The Joint Controllers may also raise an objection against a previously approved processor. If the objection is well-founded, the Joint Controller who has entered into a personal data processing entrustment agreement with the processor is obliged to terminate the agreement with the processor. In any case, the objection should be raised in time to ensure the continuity of personal data processing and to agree to alternative solutions.
13) It is prohibited for the Joint Controller to entrust the processing of personal data to a processor established outside the European Economic Area without agreeing on such entrustment with the other Joint Controllers. Where the Joint Controller entrusts personal data to a processor established outside the European Economic Area, the Joint Controller shall apply the mechanisms in accordance with Articles 44 – 46 of GDPR.
14) The Joint Controllers shall be jointly and severally liable for damage caused to a personal data subject as a result of a breach of the GDPR under Article 82 of GDPR. In their mutual settlements, the Joint Controllers shall use the liability principle of fault. If no fault can be attributed to any of the Joint Controllers or the degree of fault of the Joint Controllers is similar, each of them shall be liable for the damage in equal shares.
15) Each Joint Controller shall be liable for the acts and omissions of the persons with whom it will process personal data, including the acts and omissions of processors, as for its own acts or omissions.
16) Each Joint Controller shall be liable for damages caused by its own actions for failure to comply with the obligations which these arrangements impose directly on the Joint Controller concerned.