GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi Spółka Partnerska (“GWW Legal”) and GWW Ladziński, Cmoch i Wspólnicy Spółka komandytowa (“GWW Tax”), as Joint Controllers (controllers who jointly determine the purposes and methods of data processing), in connection with their business, process the personal data of individuals who on their own initiative contact the Joint Controllers using a contact form available on the websites of the Joint Controllers, by regular mail, telephone, e-mail or personally on the premises of the Joint Controllers (“Individuals Contacting GWW”).
In fulfilment of the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), in connection with the processing of the personal data of Individuals Contacting GWW by the Joint Controllers, below the Joint Controllers provide information on the principles of processing of the personal data of Individuals Contacting GWW by the Joint Controllers, including the purposes of processing, the legal basis for processing, the retention period, the recipients of personal data, as well as the rights of Individuals Contacting GWW.
- JOINT CONTROLLERS
The following companies are Joint Controllers of the personal data of Individuals Contacting GWW:
- GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi sp. p. with its registered office in Warsaw, ul. Dobra 40 (00-344 Warsaw), entered in the Register of Entrepreneurs of the National Court Register held by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000541501, NIP (tax ID) 7792022623, REGON (statistical no.) 631226810, and
- GWW Ladziński, Cmoch i Wspólnicy Spółka komandytowa with its registered office in Warsaw, ul. Dobra 40 (00-344 Warsaw), entered in the Register of Entrepreneurs of the National Court Register held by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000956566, NIP (tax ID) 7010313649, REGON (statistical no.) 145496595.
- RESPONSIBILITIES OF JOINT CONTROLLERS
As part of the Co-Controlling Agreement concluded between the Joint Controllers, the Joint Controllers have agreed their respective responsibilities regarding the fulfilment of their obligations under the GDPR, including in particular that:
- with regard to the fulfilment of the obligation to provide information to data subjects, in accordance with the provisions of Articles 12–14 of the GDPR, the Joint Controller who collects the personal data or initiates the process of collecting the personal data shall be responsible;
- with regard to the exercise of the rights of data subjects set out in Article 7(3) and Articles 15–22 of the GDPR, i.e. withdrawal of consent, exercise of the right of access to personal data, rectification, erasure, restriction of processing, portability of personal data, objection to the processing of personal data, the Joint Controller who received such request shall be responsible;
- with regard to the fulfilment by the Joint Controllers of their obligations concerning the management of personal data breaches, their notification to the supervisory authority (Article 33 GDPR) and to the data subject (Article 34 GDPR), the Joint Controller who first obtained information about the breach shall be competent; and if the information about the breach is obtained simultaneously, the Joint Controller on whose side the breach occurred shall be competent;
- if it is not possible to determine based on the above rules which Joint Controller is responsible for the fulfilment of the obligations set out in these paragraphs, GWW Legal shall be responsible.
Notwithstanding the above arrangements, the data subject may exercise his or her rights under the GDPR in respect of and against each of the Joint Controllers.
- CONTACT DETAILS
The Joint Controllers have designated a single point of contact for all requests and inquiries relating to the personal data they process:
- if contacted by post, by sending a letter to: Personal Data Coordinator: ul. Dobra 40, 00-344, Warsaw, marked “Dane osobowe” [Personal Data],
- if contacted by e-mail, by sending an e-mail to: odo@gww.pl
- PERSONAL DATA PROCESSED BY THE JOINT CONTROLLERS AND THE SOURCE OF SUCH DATA
The Joint Controllers process the personal data of Individuals Contacting GWW that have been provided to them directly by the Individuals Contacting GWW, including in particular the name and surname of the Individual Contacting GWW, his or her contact details and other personal data provided upon contact with the Joint Controllers.
- PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS
The Joint Controllers process the personal data of the Individuals Contacting GWW:
- for the purposes arising from the legitimate interests pursued by the Joint Controllers or third parties (legal basis: Article 6(1)(f) GDPR), which include: the conduct and management of business by the Joint Controllers, identification of the Individual Contacting GWW and handling of the matter referred by the Individual Contacting GWW to the Joint Controllers, establishing, pursuing or defending against claims, and implementation of internal procedures, including prevention of criminal acts and fraud.
Although the provision of personal data by Individuals Contacting GWW is voluntary, it is necessary for the purpose for which they are processed.
- RECIPIENTS OF PERSONAL DATA
The Joint Controllers shall share personal data with other entities (recipients of personal data) only if they have a legal basis for doing so. If the Joint Controllers transfer personal data to recipients located outside the European Union or the European Economic Area (EEA), this is only done if in relation to that third country, the European Commission has confirmed an adequate level of data protection or an adequate level of data protection has been agreed with the data recipient (e.g. using so-called standard contractual clauses).
Personal data of Individuals Contacting GWW may be made available to public authorities or other entities authorised by law to access such data.
Depending on the purpose for which the Joint Controllers process the personal data of Individuals Contacting GWW and the form of contact, the recipients of their personal data may also include: entities providing ICT services to the Joint Controllers, entities providing IT/technical/service support services, providers of software used by the Joint Controllers, other entities involved in establishing, pursuing or defence against possible claims against Joint Controllers.
The processing of personal data in ICT systems may result in the transfer of such data to the servers of software and IT service providers, in connection with the use by the Joint Controllers of the services/software provided by the aforementioned providers. Some of these servers are located in the US. The transfer of data to the United States shall take place using the so-called standard contractual clauses referred to above. The data subject shall be able to obtain a copy of such personal data.
- PERSONAL DATA RETENTION PERIOD
The personal data of Individuals Contacting GWW shall be processed until the purpose of the processing ceases to exist or the data subject raises an effective objection (whichever occurs earlier).
- INFORMATION ON AUTOMATED DECISION-MAKING INCLUDING PROFILING
Personal data shall not be processed in a solely automated manner (including in the form of profiling) that may give rise to legal effects for the data subjects or similarly significantly affect the data subject’s situation.
- RIGHTS OF THE DATA SUBJECTS
To the extent and in the cases prescribed by law, in particular the GDPR, the individuals whose personal data are processed (data subjects) shall have the following rights:
- Right to withdraw consent (Article 7 GDPR) – if the processing of personal data is carried out under a consent, such consent may be withdrawn by the data subject at any time (however, this does not affect the lawfulness of processing carried out before consent withdrawal). Consent is entirely voluntary.
- Right of access and right to obtain a copy of data (Article 15 GDPR) – the data subject shall be entitled to obtain from the Joint Controllers information about the processing of his or her personal data, including the source of the personal data, the purposes of processing, the categories of personal data processed, the intended duration of the processing and the recipients to whom the data are disclosed, and to obtain a copy of his or her personal data that are processed by the Joint Controllers. The right to obtain a copy shall not affect the rights and freedoms of others (including those derived from copyright or trade secrets).
- Right to rectification (correction) of personal data (Article 16 GDPR) – the data subject shall have the right to request the Joint Controllers to rectify inaccurate or complete incomplete personal data concerning the data subject.
- Right to erasure of personal data (“right to be forgotten” under Article 17 GDPR) – the data subject shall have the right to request the Joint Controllers to immediately erase his or her personal data in the event that: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject has withdrawn the consent on which the processing was based and there would be no other legal basis for the Joint Controllers to process his or her personal data; (iii) the data subject has objected under Article 21(1) of the GDPR to the processing and there would be no overriding legitimate grounds for processing his or her personal data, or has objected under Article 21(2) GDPR to the processing of his or her personal data; (iv) the personal data have been unlawfully processed; (v) the erasure of the data subject’s personal data is required in order to comply with a legal obligation which the Joint Controller is subject to; (vi) the personal data relating to the data subject have been collected in connection with the offer of information society services referred to in Article 8(1) GDPR. The right to erasure is not absolute. This right does not apply to the extent that the processing is necessary, among others, to comply with a legal obligation requiring processing under the law to which the Joint Controller is subject or to establish, assert or defend claims.
- Right to restriction of processing (Article 18 GDPR) – the data subject shall have the right to request the Joint Controllers to restrict the processing of his or her personal data where (i) he or she contests the correctness of his/her personal data – for a period allowing the Joint Controllers to verify the correctness of the data; (ii) the processing is unlawful and the data subject opposes erasure of the personal data, requesting instead that the processing be restricted; (iii) the Joint Controllers no longer need the personal data for the purposes of the processing but the data subject needs them to establish, assert or defend his/her claims; (iv) the data subject has objected under Article 21(1) to the processing – until such time as it is ascertained whether the Joint Controllers’ legitimate grounds override the grounds for the data subject’s objection. The exercise of this right shall mean that the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- Right to personal data portability (Article 20 GDPR) – the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Joint Controllers, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the Joint Controllers to which the personal data have been provided, where: (i) processing is based on consent or an agreement; and (ii) the processing is carried out by automated means. In doing so, the data subject shall have the right to have the personal data transmitted directly by the Joint Controllers to another controller, where technically feasible. The exercise of the right to data portability shall not adversely affect the rights and freedoms of others.
- Right to object (Article 21 GDPR) – The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based among others on the Joint Controllers’ legitimate interests, including profiling. The exercise of this right shall mean that the Joint Controllers shall no longer process the personal data unless the Joint Controllers demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed by the Joint Controllers for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. The exercise of this right shall mean that the Joint Controllers would not process personal data for such purposes.
The Joint Controllers shall give effect to the above rights in accordance with the provisions of the GDPR and other relevant legislation. In order to exercise their rights or to obtain further information on those rights, data subjects should contact the Joint Controllers (contact details are found in Section 3).
- RIGHT TO COMPLAIN
If the data subject believes that the processing of his or her personal data by the Joint Controllers violates the provisions of the GDPR or other generally applicable data protection regulations, he or she may file a complaint with the President of the Personal Data Protection Office.