THIS DOCUMENT HAS BEEN AUTOMATICALLY TRANSLATED.
IN CASE OF ANY DOUBT, PLEASE REFER TO THE POLISH VERSION, WHICH IS BINDING.
This Policy (hereinafter also referred to as ‘Policy’ or ‘Document’) has been implemented by Kancelaria Radców Prawnych Żelaznowski & Głowiński S.C. based in Sopot, ul. Antoniego Abrahama 23 (‘Law Office’) in order to maintain the required diligence in the protection of personal data in the Law Office and to provide you with relevant information regarding the provisions on the protection of personal data.
The Policy applies to those cases in which the Law Office is the controller of personal data, regardless of their source. Among these cases, we can therefore distinguish situations in which data have been obtained by us directly from the data subject, e.g. from the Client, and those in which personal data come from sources other than the data subject (e.g. data of a witness to an event, provided by the Client during an interview with him).
We emphasize that our business is conducted with special respect for the privacy guaranteed in our legal order, as well as for the constitutional basis of practising a profession of public trust and the values assigned to it, including the duty of professional secrecy.
For these reasons, we want to fulfil the obligations imposed on us by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘GDPR’), as well as to satisfy your rights and legitimate expectations of us in the above-mentioned scope, including fulfilment of the informational obligation specified in art. 13 and art. 14 of the GDPR, in accordance with these provisions.
We make sure to always provide the necessary information to every person whose personal data we process as a controller. We hope that this document will help you understand how the Law Office processes personal data.
Because knowledge of the provisions on the protection of personal data varies widely, we decided to divide the Policy into four parts, preceded by our foreword.
The first part, ‘Introduction to the protection of privacy’, explains the basic concepts of the GDPR. In this part, we want to clarify the meaning of certain terms that we consider important for understanding the rights that you are entitled to.
The second part ‘General characteristics of the data controller’s informational obligation’ describes the controller’s obligations towards the data subject / data owner, differentiated depending on whether the controller obtained them directly from that entity or from another source.
The third part, ‘Processing personal data in the Law Office’, refers directly to our Law Office and tells you which categories of persons’ data we process (e.g. Clients, employees, etc.), for what purposes and on what legal basis, and describes our obligations and your rights in relation to such processing.
The fourth part, titled ‘Final provisions’, contains a reference to a separate document, the ‘Cookies Policy’, and also presents the principles of changing the Privacy Policy.
At the same time, to make it easier for you to ‘navigate’ the Document, we have introduced a Table of Contents, which you can read below.
Table of Contents
Foreword from the Shareholders
Part one. Introduction to the privacy policy
1.1. Definition of ‘processing’.
1.2. Definition of ‘restriction of processing’.
1.3. Definition of ‘profiling’.
1.4. Definition of ‘pseudonymisation’.
1.5. Definition of ‘controller’.
1.6. Definition of ‘processor’.
1.7. Definition of ‘recipient’.
1.8. Definition of ‘consent of the data subject’.
1.9. Definition of ‘personal data breach’.
1.10. Definition of ‘personal data’.
1.11. Definition of ‘genetic data’.
1.12. Definition of ‘biometric data’.
1.13. Definition of ‘health data’.
1.14. Definition of ‘representative’.
1.15. Definition of ‘GDPR’.
Part two. General characteristics of the data controller's informational obligation
2.1. Sources of informational obligation.
2.2. Scope of the informational obligation.
2.2.1. Data collected directly from the person they refer to.
2.2.2. Data collected from a source other than the person they refer to.
2.3. The moment of transmission of information.
2.4. Circumstances excluding information obligation.
2.4.1. The first case - data collected directly from the person they refer to.
2.4.2. The second case - data collected from a source other than the person they refer to.
Part Three. Processing of personal data by the Law Office
3.1. Controller of personal data.
3.2. Contact with the personal data controller.
3.3. Typical categories of natural persons whose personal data are processed by the Law Office. Objectives. Legal bases. Processing time.
3.4. The right to raise objections.
3.5. Recipients of data.
3.6. Rights of the data subject related to the processing of personal data.
3.7. The right to lodge a complaint to the authority.
3.8. Additional information about automated data processing.
Part Four. Final Provisions
4.1. Cookies policy.
4.2. Change of privacy policy.
Part One. Introduction to the privacy policy
The following definitions come from the GDPR. In case of changes in the rules, the concepts should be interpreted in accordance with the provisions of currently binding regulations.
1.1. Definition of ‘processing’ - this term means an operation or series of operations performed on personal data or personal data sets in an automated or non-automated way, such as collecting, recording, organizing, ordering, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, matching or combining, limiting, deleting or destroying.
1.2. Definition of ‘restriction of processing’ - this term means the marking of stored personal data in order to limit their future processing.
1.3. Definition of ‘profiling’ - this term means any form of automated processing of personal data that consists of using personal data to assess personal aspects of an individual, in particular to analyze or forecast the individual’s work performance, economic situation, health, personal preferences, interests, credibility, behaviour, location or movement.
1.4. Definition of ‘pseudonymisation’ - this term means processing personal data in such a manner that they can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is covered by technical and organizational measures that make it impossible to attribute the data to an identified or identifiable natural person.
1.5. Definition of ‘controller’ - this term means a natural or legal person, public body, unit or other entity that independently or jointly with others determines the purposes and means of personal data processing; where the purposes and means of such processing are determined by European Union law or under the law of a Member State, a controller may be designated by European Union law or under the law of a Member State, or specific criteria may be laid down for its determination.
1.6. Definition of ‘processor’ - this term means a natural or legal person, public body, unit or other entity that processes personal data on behalf of the controller.
1.7. Definition of ‘recipient’ - this term means a natural or legal person, public body, unit or other entity to whom personal data are disclosed, regardless of whether it is a third party. However, public authorities which may receive personal data in the context of specific procedures under European Union law or under the law of a Member State shall not be considered as recipients; processing of these data by public authorities must be conducted in accordance with the data protection rules applicable for the purposes of the processing.
1.8. Definition of ‘consent of the data subject’ - this term means voluntary, specific, conscious and unambiguous representation of the will, in which the data subject, in the form of a declaration or a clear confirmation action, allows for the processing of personal data concerning him.
1.9. Definition of ‘personal data breach’ - this term means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed.
1.10. Definition of 'personal data' - this term means any information about an identified or identifiable natural person ('data subject'); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name, identification number, location data, internet identifier or one or more specific factors determining the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.
1.11. Definition of ‘genetic data’ - this term means personal data on inherited or acquired genetic traits of a natural person that reveal unique information about the physiology or health of that person and which arise in particular from the analysis of a biological test sample from that individual.
1.12. Definition of ‘biometric data’ - this term means personal data that result from special technical processing, relate to the physical, physiological or behavioural characteristics of a natural person and enable or confirm the unambiguous identification of that person, such as facial image or fingerprint data.
1.13. Definition of ‘health data’ - this term means personal data about the physical or mental health of a natural person - including the use of health care services - disclosing information about his or her health.
1.14. Definition of 'representative' - this term means a natural or legal person residing or having its registered office in the European Union, who has been designated in writing by the controller or processor under Article 27 to represent the controller or processor in their duties under this Regulation.
1.15. Definition of ‘GDPR’ - this term refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Journal of Laws of the EU, No. L. of 2016, No. 119); the GDPR text can be found on the website of the President of the Office of Personal Data Protection, "uodo.gov.pl".
Part two. General characteristics of the data controller's informational obligation.
2.1. Sources of informational obligation
Among the responsibilities of the Law Office as a controller defined in the GDPR, we emphasise the special obligation to provide information to data subjects (data owners), that is, to provide them with information on the processing of their personal data.
Based on art. 13 and art. 14 of the GDPR, two situations may be distinguished with regard to this obligation:
1. when data is collected directly from the data subject (art. 13 of the GDPR)
(In cases typical for the Law Office, it may primarily involve: Clients - natural persons, natural persons representing Clients, employees, students on internships, trainees who are not employees, and occupational trainees, natural persons recruited to work, or even suppliers, contractors, service providers who are natural persons).
and
2. when the data is collected in a different way than from the data subject (art. 14 of the GDPR)
(In situations typical for the Law Office, these may be witnesses' data mentioned by Clients and other parties / participants of procedures, data available in various types of records or public registers and collected during or for the purposes of proceedings with the Office, which may be relevant for proper compliance by the Law Office.)
Depending on whether the data is collected directly or indirectly, the following differ:
• the scope of information to be provided to the data subject;
• the moment of transmission of information, as well as
• circumstances excluding the disclosure obligation.
2.2. Scope of the informational obligation
As already mentioned, the scope of information to be provided to the data subject varies depending on whether the data are provided by the data subject or derived from another source, e.g. from a third party.
2.2.1. Data collected directly from the person they concern.
According to art. 13 of the GDPR, the controller should provide the data subject with the following information when collecting personal data from him:
1. the controller’s identity and contact details and, if applicable, the identity and contact details of his representative;
The Law Office hereby informs that the obligation to provide a representative’s identity or other data is not applicable in its case.
2. where applicable, contact details of the data protection officer;
The Law Office hereby informs that it has not appointed a data protection officer and does not intend to appoint one in the nearest future, hence the above-mentioned obligation is not applicable in its case; the Law Office ensures that it has analyzed the circumstances in which establishing such a body would be mandatory and, according to applicable legal provisions, no such obligation exists on its side. At the same time, the Law Office ensures that it organizes the work of its team in such a manner as to properly fulfil the obligations under the GDPR;
3. purposes of processing personal data and the legal basis for such processing;
In Part Three of the Privacy Policy, we present specific goals and legal grounds for personal data processing, while being aware that the circumstances of each case can present different objectives, different grounds for processing data, as well as the same objectives based on different grounds. Some data are processed because the legislator obliges us to do so, especially when it comes to duties performed under labour law, tax law, health protection law or social insurance. At this point, we shall only inform you that the legal grounds of data processing are described in Articles 6, 9 and 10 of the GDPR. We cite them here to make it easier for you to consult their content when they are referred to in the Policy.
Accordingly, under art. 6 par. 1 of the GDPR, processing is lawful only if, and to the extent that, at least one of the following conditions is met:
a. the data subject has consented to the processing of his personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into the contract;
c. processing is necessary to comply with a legal obligation to which the controller is subject;
d. processing is necessary to protect the vital interests of the data subject or another natural person;
e. processing is necessary to perform a task carried out in the public interest or in the exercise of public authority vested in the controller;
f. processing is necessary for the purposes arising from legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, prevail over those interests, in particular when the data subject is a child.
With regard to special categories of data, the bases for processing are listed in Article 9 of the GDPR. The rule is a prohibition of processing personal data revealing racial or ethnic origin, political opinions, religious or ideological beliefs, trade union membership and processing of genetic data, biometric data to uniquely identify a person or data relating to the health, sexuality or sexual orientation of that person.
The above prohibition does not apply if one of the following conditions is met:
a. the data subject has expressly consented to the processing of such personal data for one or more specific purposes, unless Union or Member State law provides that the data subject may not lift the above prohibition;
b. processing is necessary for the controller or the data subject to fulfil obligations and exercise specific rights in the field of labour law, social security and social protection, if this is permitted by European Union law or the law of a Member State, or by a collective agreement under the law of a Member State providing adequate safeguards for the fundamental rights and interests of the data subject;
c. processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
d. processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or other non-profit-making entity with a political, ideological, religious or trade union aim, on condition that the processing concerns solely members or former members of that entity or persons maintaining permanent contacts with it in connection with its purposes, and that personal data is not disclosed outside of this entity without the consent of the data subjects;
e. the processing relates to personal data that are manifestly made public by the data subject;
f. processing is necessary to establish, pursue or defend legal claims or in the administration of justice through the courts;
g. processing is necessary for reasons related to substantial public interest, based on European Union law or the law of a Member State, which are proportionate to the objective pursued, do not infringe the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject;
h. processing is necessary for the purpose of preventive medicine or occupational medicine, for the assessment of the employee's ability to work, medical diagnosis, provision of health care or social security, treatment or management of health and social security systems or services under European Union law or the law of a Member State or according to an agreement with a health care worker and subject to the conditions and safeguards referred to in art. 9 par. 3 GDPR;
i. processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, on the basis of European Union law or the law of a Member State that provides specific measures to protect the rights and freedoms of the data subjects, in particular professional secrecy;
j. processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with art. 89 par. 1 GDPR, on the basis of EU law or the law of a Member State, which are proportionate to the objective pursued, do not infringe the essence of the right to data protection and provide for appropriate specific measures to protect the fundamental rights and interests of the data subject.
According to art. 10, processing of personal data concerning convictions and violations of law or related security measures may only be carried out under the supervision of public authorities or where processing is authorized by European Union law or the law of a Member State providing adequate safeguards for the rights and freedoms of data subjects. All complete records of convictions are kept only under the supervision of public authorities.
Attention! If the processing is carried out on the basis of art. 6 par. 1 lit. f) GDPR: the legitimate interests pursued by the controller or by a third party;
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest against the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
In relation to the Law Office, if there are legal grounds of data processing, most often our legitimate interest means supporting and defending the claims / position of the Law Office or its Clients.
4. information about recipients of personal data or categories of recipients, if any;
Only employees or co-workers authorized by us have access to personal data in the Law Office; the scope of authorization includes only data essential and necessary for the fulfilment of the tasks assigned to them. We also entrust personal data to other entities on the basis of contracts for the entrustment of processing, including entities providing IT services, e-mail services and maintenance services.
5. where applicable, information on the intention to transfer personal data to a third country or international organization and about the determination or non-determination by the Commission of an adequate level of protection or in the case of a transfer as referred to in art. 46, art. 47 or art. 49 par. 1 - 2, reference to appropriate or suitable safeguards and information on how to obtain copies of these safeguards or where they are made available.
At the date of the Policy, the Law Office does not consider transferring personal data to third countries or any international organization. Should such an obligation arise, it shall be based only on the scope of the legal service provided or on applicable legal provisions. Notwithstanding the foregoing, in any such situation, we will ensure that the transfer complies with the GDPR and the security required by the GDPR.
6. the period in which personal data will be stored, or, if it is not possible, the criteria for determining such period;
7. information on the right to demand from the controller access to personal data relating to the data subject, rectification, deletion or restriction of processing or the right to object to the processing, as well as the right to data transfer;
8. if the processing is carried out on the basis of art. 6 par. 1 lit. a) or art. 9 par. 2 lit. a) - information on the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
9. information on the right to lodge a complaint to the President of the Office for Personal Data Protection;
10. information whether the provision of personal data is a statutory or contractual requirement or a condition for the conclusion of the contract and whether the data subject is obliged to provide them and what are the possible consequences of not providing the data;
11. information about automated decision-making, including profiling referred to in art. 22 par. 1 and 4, and - at least in these cases - relevant information on the rules for making such decisions, as well as on the significance and envisaged consequences of such processing for the data subject.
The Law Office also informs that it does not make decisions in an automated way.
Attention! If the controller plans to process personal data further for purposes other than the purpose for which the personal data were collected, he shall inform the data subject about such purpose before the processing and provide him with any other information relevant to the above.
2.2.2. Data collected from sources other than the person they concern.
If personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
1. the controller's identity and contact details and, if applicable, the identity and contact details of his or her representative;
The Law Office informs that it is not obliged to provide identity or other data regarding representatives.
2. where applicable, contact details of the data protection officer;
The Law Office hereby informs that it has not appointed a data protection officer and does not intend to appoint one in the nearest future, hence the above-mentioned obligation is not applicable in its case; the Law Office ensures that it has analyzed the circumstances in which establishing such a body would be mandatory and, according to applicable legal provisions, no such obligation exists on its side. At the same time, the Law Office ensures that it organizes the work of its team in such a manner as to properly fulfil the obligations under the GDPR;
3. the purposes and legal basis of personal data processing;
In Part Three of the Privacy Policy, we present specific goals and legal grounds for personal data processing, while being aware that the circumstances of each case can present different objectives, different grounds for processing data, as well as the same objectives based on different grounds. Some data are processed because the legislator obliges us to do so, especially when it comes to duties performed under labour law, tax law, health protection law or social insurance. At this point, we shall only inform you that the legal grounds of data processing are described in Articles 6, 9 and 10 of the GDPR.
4. categories of relevant personal data;
5. information about recipients of personal data or categories of recipients, if any;
6. where applicable, information on the intention to transfer personal data to the recipient in a third country or an international organization and about the determination or non-determination by the Commission of an adequate level of protection or in the case of a transfer as referred to in art. 46, art. 47 or art. 49 par. 1, second paragraph, reference to appropriate or suitable safeguards and information on how to obtain copies of these safeguards or where they are made available.
At the date of the Policy, the Law Office does not consider transferring personal data to third countries or any international organization. Should such an obligation arise, it shall be based only on the scope of the legal service provided or on applicable legal provisions. Notwithstanding the foregoing, in any such situation, we will ensure that the transfer complies with the GDPR and the security required by the GDPR.
7. the period in which personal data will be stored, and if this is not possible, the criteria for determining this period;
8. if the processing is carried out on the basis of art. 6 par. 1 lit. f) - legitimate interests pursued by the controller or by a third party;
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest against the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
9. information on the right to demand from the controller access to personal data relating to the data subject, rectification, deletion or restriction of processing and the right to object to the processing, as well as the right to data transfer;
10. if the processing is carried out on the basis of art. 6 par. 1 lit. a) or art. 9 par. 2 lit. a) - information on the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
11. information on the right to lodge a complaint to the President of the Office for Personal Data Protection;
12. the source of personal data and, if applicable, whether they come from publicly available sources;
13. information about automated decision-making, including profiling referred to in art. 22 par. 1 and 4 of the GDPR and - at least in these cases - relevant information about the rules for making such decisions, as well as about the significance and expected consequences of such processing for the data subject.
The Law Office also informs that it does not make decisions in an automated way.
2.3. The moment of transmission of information
1. Regarding the moment of providing information, in the case of direct collection of data from the data subject, the controller must provide it when collecting the data.
2. If the data is collected from a third party, the information obligation should be met within a reasonable time after obtaining personal data, taking into account the specific circumstances of the processing of personal data, but no later than one month after obtaining the data. If the personal data are used to communicate with the data subject, the information obligation should be fulfilled at the first communication with the data subject, even if a month has not yet passed since the data were obtained. Similarly, if the controller intends to disclose personal data to another recipient [1], the disclosure obligation should be met at the latest at the first disclosure of the data, even if a month has not yet passed since the data were obtained.
[ATTENTION! Regarding the consent to personal data processing - information, that such consent may be revoked at any time and the withdrawal does not affect the law.]
2.4. Circumstances excluding informational obligation [2]
The Policy specifies only those circumstances that exclude the disclosure obligation under the GDPR. However, we point out that other legal acts (such as the Act of May 10, 2018 on the protection of personal data [3]) also contain or may contain such restrictions.
2.4.1. The first case - data collected directly from the data subject.
Where the controller collects data directly from the data subject, the informational obligation is excluded in only one situation - if the person already has all the information to be communicated to him under art. 13 par. 1 - 2 GDPR.
2.4.2. The second case - data collected from another source.
However, art. 14 par. 5 of the GDPR, concerning the collection of data from a third party, provides for four situations in which the fulfilment of the informational obligation is not required:
• the data subject already has the information listed in art. 14 par. 1 - 2 GDPR (see Appendix No. 2);
• providing such information proves impossible or would require a disproportionate effort;
• the acquisition or disclosure of personal data is expressly regulated by EU or national law providing for adequate measures to protect the legitimate interests of the data subject; or
• personal data must remain confidential in accordance with the duty of professional secrecy laid down in European Union or national law, including the statutory obligation of secrecy.
The legal counsel / attorney has no informational obligation with respect to information obtained from a third party if the information provided to him must remain confidential under the professional secrecy of the legal counsel (based on Article 14 (5) (d) of the GDPR). "A legal advisor or attorney will not, therefore, have to fulfil the obligation to - for example - natural persons, whose data are processed in connection with the conduct of Clients' matters (e.g. other parties to court or administrative proceedings, witnesses, proxies, experts)." [4]
Part Three. Processing of personal data by the Law Office
3.1. Controller of personal data
The controllers of your personal data are / will be: Marek Żelaznowski and Antoni Głowiński, partners in a civil partnership named "Kancelaria Radców Prawnych Żelaznowski & Głowiński Spółka Cywilna" with its registered office in Sopot.
3.2. Contact with the personal data controller
If the content of this document raises doubts, is unclear or inaccessible, or causes other problems of interpretation, you can contact us by mail at the following address: Kancelaria Radców Prawnych Żelaznowski & Głowiński Spółka Cywilna, ul. Antoniego Abrahama 23, Sopot (code: 81-825). We are willing to address your comments within the agreed time.
3.3. Typical categories of natural persons whose personal data are processed by the Law Office. Objectives. Legal bases. Processing time.
The Law Office is the controller of the personal data of natural persons, who can be broadly divided into the following categories, most commonly encountered in our practice:
1. potential Clients and potential Clients’ contact persons;
These data may, among other things, be made available to us directly by potential Clients (e.g. by phone, as a part of planning the date of an initial meeting, which may lead to the conclusion of a legal assistance contract, in the Law Office secretariat, etc.) or otherwise, e.g. when contact is initiated through a simple contact form prepared by us, posted at www.zg.com.pl. Providing data through this form or in another way to establish contact is voluntary and helps us determine whether we are able to help you. If the contact does not lead to cooperation, these data are immediately removed by us, unless there is a legitimate interest on our side. However, if such cooperation occurs, those of the data you provide that will not be useful in the further communication / cooperation process will not be processed further by us, unless there is a legitimate interest on our side (note: as for the remaining data, they will be subject to the principles of processing Clients' data - see pt. "B" directly below). At the same time, please make sure that you provide through the above-mentioned form only the data necessary for us to contact you back, including identification and the date and place of direct contact, if you so wish. We emphasize that it is not our purpose to collect data. The principles of professional ethics, which impose on us the duty to practise our profession with dignity, support our efforts in this area, in the interests of the potential Client's privacy.
With regard to the grounds of the legitimate interest mentioned above:
o this interest is confined to the possibility of establishing the factual and legal situation for the purpose of mounting a proper defence in the event that claims are raised against us, or even a suspicion that such claims may be raised against us;
o we would like to remind you again that while we process personal data based on the legitimate interest of the controller (Article 6 (1) lit. "f" of the GDPR), we try to analyze and balance our interest and the potential impact on the data subject and the rights of that person under the provisions on the protection of personal data. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it is given to us).
2. Clients of the Law Office, Clients' contact persons and other people who appear in the course of providing legal assistance to Clients:
We obtain the above data in the course of providing legal assistance to Clients who have entrusted it to the Law Office. The main purpose of data processing is the performance of the contract or, before its conclusion, taking action at the request of the data subject. Providing data is voluntary, but if the Client does not provide them to us or provides only some of them, the Client may expose himself to the contract not being performed or being performed incorrectly. A shortage of personal data required to conduct the case may disturb performance of the contract and expose you to damage. In our case, it may also damage our reputation / PR, which is extremely important due to the nature of our services. We emphasize that while processing these data, we pay special attention to the principle of professional secrecy established by the professional self-governments to which we belong, as well as the codes of ethics issued by them, which are so important in privacy protection. We must emphasize that we process the above data both during the performance of the services, i.e. during the cooperation, and after its termination, for the purposes of possible claims, during the period in which such claims might be possible, on the basis of the so-called legitimate interest (art. 6 par. 1 point "f" of the GDPR). We have a legitimate interest in being able to establish and assess, if necessary, our legal situation, adopt a specific strategy of action to defend our position and conduct this defence, including, e.g., to demonstrate that we performed our services properly, or that the other party failed to perform their duties or did not perform them properly, or to raise other circumstances that affected the performance of the contract, including the creation of possible claims. Apart from contracts, the legal basis of personal data processing may be our legitimate interest, for the time when these data may serve the above-mentioned purposes.
The time of data storage after cooperation ends (termination of the contract) is determined by the obligation to minimize data processing time on the one hand, and by claim limitation periods, practice, our life and professional experience, as well as the behaviour of the opponent / potential opponent in the dispute / possible dispute and other circumstances of the case, on the other hand.
Again, with regard to the legitimate interest (Art. 6 (1) (f) of the GDPR), we would like to remind you that while we process your personal data on the basis of the legally legitimate interest of the controller, we try to analyze and balance our interest and the potential impact on the data subject, as well as the rights of that person under the provisions on the protection of personal data. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).
The sources of the data of Clients, Clients' contact persons or third parties that have appeared in the case presented by the Client for legal services (e.g. potential witnesses, event participants, representatives of authorities) are usually the Clients themselves. In the course of conducting a case, we can also obtain such data from people other than the Client, e.g. from representatives of public authorities, witnesses, experts, etc. It is possible that the source of our knowledge about the Client or a third party that appeared in the case presented by the Client will be a public source, such as a public register (including the National Court Register, Central Registration and Information on Business), press releases, or articles available in traditional form or online. Nevertheless, we emphasize that, due to the nature of our activities, we pay special attention to the reliability of data.
As already mentioned above, the legal basis for processing the data of Clients, as well as of Clients' contact persons, may be both the conclusion and performance of the contract and our legitimate interest. We do not exclude that, in specific circumstances, we could ask you for consent to process personal data for which there is no legal basis in the contract or in a legitimate interest; nevertheless, currently we do not anticipate such a situation. When asking for consent, we would make every effort to ensure that it meets all the requirements of the GDPR, with the proviso that giving consent depends only on your decision and should be voluntary.
We process only some of Client’s data, e.g. by issuing a VAT invoice, in relation to the obligations and public or legal burdens imposed on us by you; in such situations, the provisions governing these duties and burdens determine, within their scope, the conduct required of us by law, such as the period of data storage.
3. personal data of our employees and co-workers
We process this data for the following purposes:
o conclusion and execution of the contracts (in the case of employees – employment contracts),
o fulfilment of our legal rights and obligations related to the legal relationship established with an employee or associate (e.g. based on legal relationship, its legal regulations, organization of the Law Office work, consent to employee’s leave or absence, protection of our property or determination of legal liability, determination of the existence of an employee / co-worker claims towards the Law Office or vice versa);
o exercising the rights and obligations of an employee or associate related to the legal relationship with the Law Office,
o determining the existence or non-existence of claims, their pursuit and defence, both when it comes to our claims or a third party’s claims, and possible claims of an employee / co-worker or a third party against us;
o compliance with legal requirements, e.g. labour law and other legal provisions, including, inter alia, regulations on social insurance, health insurance, taxes, accidents at work, accounting;
o proper personnel management.
The legal bases for processing the data of the Law Office's employees and associates are:
o contracts concluded with an employee or an associate, including an employment contract or contract on provision of the services;
o with regard to employees: legal provisions (Article 22(1) of the Labour Code - in the case of the following data: name and surname, parents' names, date of birth, place of residence (correspondence address), education, course of previous employment, PESEL and other data which an employer may demand);
o consent to the processing of personal data (in relation to data not covered by Article 22 (1) of the Labour Code, only if such consent has been given; consent is always voluntary);
o our legitimate interest – in the case of pursuing claims against an employee / former employee or an associate / former associate or defending our rights in such a situation; when an employee / former employee, associate / former associate or a third party makes claims against us - in order to determine and conduct defence (or if we pursue such claims);
o our legitimate interest while verifying the skills, qualifications and competences of the person in relation to a given or offered job.
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest and the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
Moreover, we would like to inform you that the provision of personal data by employees and associates is voluntary, but it is a prerequisite for proper compliance with the rights and obligations related to their contract, i.e. a contract of employment (as an employer, we are obliged to comply with the provisions, but we would also like to express our will to comply with them) and the cooperation agreement (contract for the provision of services). If the employee fails to provide some of the data, we might incorrectly implement or enforce the contract of employment, which could result in negative consequences for the employee in the light of applicable law (e.g. improper definition of benefits, amount of annual leave, possible additional benefits), or for us, e.g. incorrect implementation of our public-law obligations, including those imposed by tax law and social security law, and related legal liability. The same applies to people cooperating with us on the basis of civil law contracts; the lack of certain data could make it impossible to properly implement a legal obligation and could also result in a failure to fulfil our obligations under legal provisions, e.g. tax and legal regulations.
It should be noted that the time of data storage after termination of work / cooperation may result from legal provisions (e.g. storing employee documentation or accounting / tax documents, including invoices, tax declarations). Our intention is to comply with these provisions. If the maximum data retention periods are not specified in them, time of retaining personal data of former employees or associates, i.e. after cooperation (after termination of the contract), is determined by an obligation to minimize data processing time on the one hand and periods of limitation of claims, practice, our life and professional experience, and the behaviour of the opponent / potential opponent in the dispute / possible dispute on the other hand.
4. personal data of contractors, service providers and other persons providing us with various types of services (e.g. IT) or delivering goods;
The above data are obtained to execute contracts concluded with them. Processing is based on the execution of contracts and, before their conclusion, on taking action at the request of the data subject. We must emphasize that we process the above data both during the period of the contract, i.e. during the period of cooperation, and after its termination, because of possible claims, for the period in which such claims would be available to us or to other persons against the Law Office, on the basis of the so-called legitimate interest (Art. 6 par. 1 point "f" of the GDPR). We have a legitimate interest in being able to establish and assess our legal situation, adopt a specific strategy of action to defend our case and conduct this defence, including, e.g., to demonstrate that we have performed our services properly or that the other party performed them improperly or did not perform them, or to raise other circumstances significant for establishing the factual or legal status of a matter regarding our performance of the contract. Therefore, the legal basis for the processing may be our legitimate interest for the time in which these data may serve the above-mentioned purposes.
The time of data storage after termination of the contract may arise from legal provisions (e.g. storing accounting / tax documents, including invoices, VAT invoices, tax declarations). Our intention is to comply with these laws. If the maximum data retention periods are not specified in them, the time of retaining personal data of former co-workers / contractors, i.e. after cooperation (after termination of the contract), is determined by an obligation to minimize the data processing period, on the one hand, and limitation of claims, practice, our life and professional experience, behaviour of the opponent / potential opponent in the dispute / possible dispute, on the other hand.
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest and the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
The sources of data belonging to the contractors, service providers and other natural persons providing us with various types of services (e.g. IT) or delivering goods, as well as data of their contact persons, are usually these people themselves. In the course of cooperation we can also obtain such data from persons other than them, for example from public authorities, witnesses, experts, etc. It may happen that the source of our knowledge about the contractor will be a public source, e.g. a public register or press article.
As already mentioned, the legal basis of the data processing, also of the contact persons from the above-mentioned subjects, may be both concluding or implementing the contract and legitimate interest. We do not exclude that, in certain circumstances, we could ask them to consent to the processing of personal data that is not based on the contract or legitimate interest. However, at the moment, we do not anticipate such a situation. When asking for consent, we would do our best to ensure that it meets all the requirements of the GDPR, with the proviso that granting consent depends only on the data subjects and should itself be voluntary.
At the same time, we would like to inform you that providing your personal data is voluntary, but if you fail to do so or fail to supply some of them, we might not be able to properly implement or enforce the contract we have concluded with you, which could result in negative consequences, in the light of applicable law, for us and the data subject; the lack of certain data could also cause us not to fulfil our obligations under the law.
5. data of people applying for a job in the Law Office;
These are, in principle, data given in the application documents by the interested parties themselves.
We process this personal data to:
o assess the candidate's qualifications for the job he is applying for;
o assess the candidate's skills required to work in the position he applies for;
o choose the right person for the job.
It may happen that some of the data are obtained on the basis of previously prepared forms. We always leave the applicant the right to choose (e.g. as part of the above-mentioned form) whether he is interested only in participating in a particular recruitment process or also in future processes, with the right to indicate the maximum deadline for data processing. We assure you that we process personal data in accordance with the specified expectations. If you do not specify them, we process the data for the purposes of the specific recruitment process and, if we do not employ the applicant, we will remove the data, unless the applicant is interested in participating in future recruitments (and has not indicated the maximum date of processing of the data by us; such period cannot be longer than two years from the recruitment announcement, and this term applies unless we have indicated a shorter or longer deadline within the content of our job offer).
The forms we use contain appropriate requests to include in the text of the applications, which are necessary for the proceedings. Participation in such recruitment and provision of personal data is voluntary; however, the lack of certain data may clearly make it impossible to carry out the process. We pay special attention to art. 22 (2) par. 2 of the Labour Code, constituting the legal basis of personal data processing while recruiting the candidate. The legal bases for such data processing are:
o law (Article 22 (1) § 1 of the Labour Code) constituting the processing needed to conclude an employment contract (if it comes to its conclusion) - in the scope of the following data: name and surname, names of parents; date of birth, place of residence (correspondence address); education; course of the previous employment.
o consent to the processing of data provided within application documents (CV and motivation letter), if the candidate provides us with data other than: name and surname, names of parents, date of birth, place of residence (correspondence address); education; the course of previous employment.
o our legitimate interest - in the scope of data collected during an interview or the qualification tests (the knowledge of legal regulations and the ability to resolve legal cases), we have a legitimate interest in checking skills and abilities - this is what we need to assess whether a candidate is the right person for the position we are recruiting for.
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest and the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
We would also like to inform you that the Law Office sometimes uses the services of professional recruiters and acquires personal data of candidates through them. In such a situation, the Law Office clearly discloses its identity.
3.4. The right to raise objections
In the light of art. 21 par. 1 GDPR, the data subject has the right to raise objections at any time - for reasons related to his special situation - to the processing (including profiling) of his personal data based on our legitimate interest, i.e. the processing basis listed in art. 6 par. 1 lit. "f" of GDPR. In such a situation, we will not be allowed to process these data, unless we prove that there are legally binding grounds for processing that override his interests, rights and freedoms, or grounds for establishing, pursuing or defending claims.
(We would like to inform you that although we process personal data based on the legitimate interest of the data controller, we also try to analyze and balance our interest and the potential impact on the data subject and the rights of that person under the provisions on personal data protection. We do not process personal data based on our legitimate interest if we come to the conclusion that the impact on the data subject would prevail over our interests (then we may process personal data, e.g. on the basis of appropriate consent, if it has been given to us).)
3.5. Recipients of data
We forward personal data to:
• our suppliers / contractors / service providers to whom we outsource services related to the processing of personal data, e.g.:
o IT service providers that provide us with, among others, services such as system maintenance, application repairs, data back-up;
o entities responsible for archiving the documents of our employees,
o e-mail service providers,
o telephone operators.
Such entities process data on the basis of a contract with us and only in accordance with our instructions. We assure you that we carefully select the processors in such a way that they guarantee respect for the provisions of GDPR.
3.6. Rights of the data subject related to the personal data processing
3.6.1. You have the following rights related to the personal data processing:
1. the right to withdraw consent to data processing at any time in cases where the basis for processing is your consent; see also point 3.6.2 below;
2. the right to access your personal data referred to in art. 15 of GDPR;
3. the right to demand the correction of your personal data referred to in art. 16 GDPR;
4. the right to demand the removal of your personal data ("the right to be forgotten"), referred to in art. 17 of GDPR;
5. the right to demand restricting the processing of your personal data referred to in art. 18 of GDPR;
6. the right to raise objections to the processing of your personal data due to your special situation - in cases where we process your data on the basis of our legitimate interest (Article 6 (1) "f" of GDPR), including profiling based on these provisions, as referred to in art. 21 of GDPR;
7. the right to transfer your personal data, i.e. the right to receive from us, in a structured, commonly used machine-readable format, personal data about you that you have provided, and to send this data to another controller without any obstacles on our part. You can also request that we send this data to another controller; however, we will do this only if such transmission is technically possible on our part. The right to transfer personal data is provided in art. 20 of GDPR.
3.6.2. The right to withdraw consent
Within the scope of processing your data on the basis of consent (i.e. data provided in the CV or cover letter, other than: first name and surname, parents' names, date of birth, place of residence, education, course of previous employment) - you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of the processing, which has been carried out on the basis of your consent prior to its withdrawal. The consent may be withdrawn by providing us a statement of withdrawal of consent; our contact details are given above.
(regarding the withdrawal of consent - see, in particular, Article 7 (3) of the GDPR).
3.6.3. At the same time, we would like to point out that more detailed information regarding your rights listed above (point 3.6.1), including their scope, the additional circumstances which have to be met to allow you to exercise your rights (e.g. one of the circumstances that must occur to erase the data referred to in art. 17 par. 1 of GDPR) and the restrictions, is mainly set out in Chapter III of GDPR. Such restrictions or exclusions may also result from other legal provisions.
3.6.4. To exercise the above rights, you can contact us in the manner provided above as part of the Administrator information.
3.7. The right to lodge a complaint to the authority
You also have the right to file a complaint regarding the unlawful processing of your personal data to the supervisory body dealing with the protection of personal data, i.e. the President of the Office for the Protection of Personal Data.
3.8. Additional information about automated data processing
Please be advised that we do not make decisions that are based solely on automated processing, including profiling, as referred to in art. 22 GDPR.
Part Four. Final Provisions
4.1. Cookies Policy
The Law Office stores and gains access to so-called cookies, sent by a web server and stored on a hard disk or other data carrier of the user, in order to ensure the proper functioning of the website www.zg.com.pl and the configuration, security and reliability of this website, to monitor the state of the session, to adjust the displayed information to the user, or for analyses, statistics, research and audits of web page views.
The software used for browsing the web by default allows storing information in the form of cookies and other similar technologies on the user's end device. However, the user can change these settings at any time. Failure to change them means that the above information can be placed and stored on the user's end device, and thus that we will store information on the user's end device and access this information. More information can be found in our cookie policy available at: www.zg.com.pl/strony/cookies
4.2. Change of Privacy Policy
The Law Office may review this Policy in order to ensure its validity and compliance with the applicable legal status. The Policy may change, in particular due to: new legal provisions; acts of the professional self-governments to which we and some of our employees and associates belong, relating to the specifics of personal data processing; new guidelines or recommendations of bodies responsible for supervising the processes of personal data protection; jurisprudence interpretations; best practices applied in the area of personal data protection (Codes of good practice, if the Law Office becomes a party to such codes, which will be immediately announced on the Website), etc. We also reserve the right to change this Policy in the event of technological or technical changes, if they affect its wording, or of changes in the manner, purposes or legal grounds of processing or other data.
The last update of this document took place on 04-01-2019.
________________________________________
[1] E.g. to the processor; this entity is part of the term "recipient".
[2] See footnote 1.
[3] The text of the Act on the Protection of Personal Data can be found on the website uodo.gov.pl.
[4] X. Konarski, G. Sibiga, D. Nowak, K. Syska, I. Małobęcka, General Data Protection Regulation (GDPR). Guide for legal advisors and lawyers, legal status 20/04/2018, p. 50.