Clients
GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi spółka partnerska (‘GWW Legal’) and GWW Ladziński, Cmoch i Wspólnicy spółka komandytowa (‘GWWTax’) as Co-Administrators (administrators who jointly determine the purposes and means of data processing), in connection with the services provided by the Joint Administrators to their clients (natural persons, legal persons or organisational units which are not legal persons to which the law grants legal capacity – ‘GWW Clients’), process personal data of the following persons:
- natural persons declaring on their own behalf an interest in the services provided by the Co-administrators or using the services provided by the Co-administrators (‘Customers who are natural persons’),
- persons declaring on behalf of other entities (potential GWW Customers) an interest in the services provided by the Co-Administrators or – in the case of GWW Customers – acting on behalf of or for the GWW Customer, i.e. contact persons, proxies or persons representing GWW Customers or potential GWW Customers (‘Customer Representatives’).
In fulfilment of the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (‘RODO’), in relation to the processing by the Joint Administrators of personal data of Clients who are natural persons and Clients’ Representatives, the Joint Administrators present below information concerning the principles of processing of their personal data by the Joint Administrators, including the purposes of processing, the legal basis for processing, the storage period, the recipients of personal data, as well as the rights of persons whose personal data are processed by the Joint Administrators.
1. JOINT CONTROLLERS
The co-controllers of the personal data of Clients who are natural persons and Clients’ Representatives are the companies:
- GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi sp. p. with its registered office in Warsaw at 4 Książęca Street (00-498 Warsaw), entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the city of Warsaw in Warsaw, XII Economic Division of the National Court Register, under the KRS number 0000541501, NIP 7792022623, REGON 631226810, and
- GWW Ladziński, Cmoch i Wspólnicy sp.k. with registered office in Warsaw, ul. Książęca 4 (00-498 Warsaw), entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XII Economic Division of the National Court Register, under KRS number 0000956566, NIP 7010313649, REGON 145496595.
2. CO-ADMINISTRATORS’ RESPONSIBILITIES
As part of the Co-Administration Agreement concluded between the Joint Administrators, the Joint Administrators have agreed on the scopes of their responsibility regarding the fulfilment of their obligations under the RODO, including in particular that:
- with regard to the fulfilment of the obligation to provide information to personal data subjects, in accordance with the provisions of Articles 12 to 14 of the RODO, the Joint Controller who collects personal data or initiates the collection of personal data is responsible;
- with regard to the exercise of the rights of the personal data subjects as set out in Articles 7(3) and 15-22 RODO, i.e. withdrawal of consent, exercise of the right of access to personal data, rectification, erasure, restriction of processing, portability of personal data, objection to the processing of personal data, the Joint Controller who received the request is responsible;
- with regard to the fulfilment by the Joint Controllers of their obligations concerning the management of personal data breaches, their notification to the supervisory authority (Art. 33 RODO) and to the personal data subject (Art. 34 RODO), the Joint Controller who first became aware of the breach shall be competent; in the event of simultaneous information about the breach, the Joint Controller on whose side the breach occurred shall be competent;
- if, on the basis of the above rules, it cannot be determined which Co-Administrator is responsible for fulfilling the obligations set out in these paragraphs, GWW Legal is responsible.
Notwithstanding the above arrangements, the data subject may exercise his or her rights under the RODO against any of the Joint Controllers.
3. CONTACT DETAILS
The Joint Controllers have designated a single point of contact for all requests and enquiries concerning the personal data they process:
- when contacted by post, by sending a letter to: Personal Data Coordinator: 4 Książęca Street, 00-498 Warsaw, marked ‘Personal Data’,
- in the case of contact by e-mail, by sending an e-mail to: odo@gww.pl.
4. WHAT PERSONAL DATA ARE PROCESSED BY THE JOINT CONTROLLERS AND WHAT IS THE SOURCE OF THIS DATA
The Joint Administrators process personal data of Clients who are natural persons that has been provided to them directly by Clients who are natural persons, by Clients’ Representatives or obtained from other sources (e.g. from another legal advisor/attorney/tax advisor in connection with the transfer of files/documents relating to the case conducted for Clients who are natural persons), in connection with the conclusion and performance of agreements relating to the services provided by the Joint Administrators, in particular the name and surname of the Client who is a natural person, his/her contact details, signature, data necessary for the performance and settlement of services and the issuance of an invoice and other personal data of the Client who is a natural person provided in the course of contact with the Joint Administrators.
The Joint Administrators may also process the personal data of Customer Representatives provided by the GWW Customer, provided directly by Customer Representatives or obtained from other sources (e.g. from publicly available registers), in connection with the conclusion and implementation of the agreement between GWW Customer and the Joint Administrators or one of the Joint Administrators, in particular the name and surname of the Customer Representative, his/her position, contact details of the Customer Representative, data contained in the power of attorney or the register in which the GWW Customer is entered, and other personal data of the Customer Representative provided within the framework of contact with the Joint Administrators.
Provision of personal data of Clients who are natural persons and Client Representatives is voluntary; however, it is necessary for the conclusion and implementation of the agreement concerning the services provided by the Joint Administrators.
5. PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS
The Joint Administrators process personal data of Customers who are natural persons:
- for the purpose of concluding and performing a contract relating to the services provided by the Joint Administrators, in particular legal assistance and tax advisory services (legal basis under Article 6(1)(b) of the RODO);
- for purposes arising from the legitimate interests pursued by the Joint Administrators or third parties (legal basis of Art. 6(1)(f) RODO), which are: the Co-Administrators’ billing of the services provided, the management of the business and administration of the contracts concluded with GWW Customers, the settlement of accounts with the Co-Administrators’ contractors involved in the provision of services, the formation and maintenance of business relations with Customers who are natural persons; the establishment, investigation or defence of claims, the implementation of internal procedures, including the prevention of criminal acts and abuse; if the processing of special category data is necessary for the establishment, investigation or defence of claims, it is carried out on the basis of Art. 9(2)(f) RODO;
- in order to ensure and demonstrate compliance with the legal obligations imposed on the Joint Administrators, when the processing is necessary for the fulfilment of a legal obligation incumbent on the Joint Administrators, in particular under the provisions of: the Law on Prevention of Money Laundering and Financing of Terrorism, the Law on Legal Advisers, the Law on the Bar, the Law on Tax Advice, the RODO, and tax and accounting regulations (legal basis under Article 6(1)(c) RODO);
- for other purposes on the basis of a separately granted consent by the client who is a natural person (legal basis from Article 6(1)(a) RODO).
The Joint Administrators process the personal data of the Customer Representatives:
- for purposes arising from the legitimate interests pursued by the Joint Administrators or third parties (legal basis of Art. 6(1)(f) RODO), which are: the conclusion and performance of the contract with the GWW Client concerning the services provided by the Joint Administrators, in particular legal assistance and tax advice services; the Co-Administrators’ billing of the services provided, the management of the business and administration of the agreements concluded with GWW Clients, the settlement of accounts with the Co-Administrators’ contractors involved in the provision of services, the formation and maintenance of business relations with GWW Clients, the establishment, investigation or defence of claims, the implementation of internal procedures, including the prevention of criminal acts and abuse; if the processing of special category data is necessary for the establishment, investigation or defence of claims, it is carried out on the basis of Art. 9(2)(f) RODO;
- in order to ensure and demonstrate compliance with legal obligations imposed on the Joint Administrators, when the processing is necessary to comply with a legal obligation incumbent on the Joint Administrators, in particular under the provisions of the Anti-Money Laundering and Countering the Financing of Terrorism Act, the Solicitors Act, the Law on the Bar, the Tax Advisory Act, the RODO and tax and accounting regulations (legal basis under Article 6(1)(c) RODO);
- for other purposes, on the basis of the Client Representative’s separately granted consent (legal basis from Article 6(1)(a) RODO).
6. RECIPIENTS OF PERSONAL DATA
The Joint Administrators only share personal data with other entities (recipients of personal data) if they have a legal basis for doing so. If the Joint Controllers transfer personal data to recipients located outside the European Union or the European Economic Area (EEA), this is only done if an adequate level of data protection has been confirmed for that third country by the European Commission or an adequate level of data protection has been agreed with the recipient (e.g. using so-called standard contractual clauses).
Personal data may be made available to public authorities or other entities entitled to such access by law.
Depending on the purpose for which the Joint Controllers process the personal data of Customers who are natural persons and Customers’ Representatives, the recipients of their personal data may also be: entities providing ICT services to the Joint Administrators, entities providing IT/technical/service support services, suppliers of software used by the Joint Administrators, entities providing courier or postal services, banks – if it is necessary to make settlements, entities providing accounting and settlement services, other entities cooperating with the Joint Administrators in connection with the services provided.
The processing of personal data in ICT systems may result in the transfer of such data to the servers of software and IT service providers, in connection with the use by the Joint Administrators of the services/software that the aforementioned providers provide. Some of these servers are located in the USA. Data transfer to the USA only takes place if the data recipient has joined the EU-US Data Protection Framework (i.e. the European Commission has confirmed an adequate level of data protection) or an adequate level of data protection has been agreed with the data recipient using so-called standard contractual clauses. A copy of the applicable safeguards including standard contractual clauses can be obtained from the Joint Controllers.
7. RETENTION PERIOD OF PERSONAL DATA
The Joint Administrators shall not keep personal data longer than necessary to achieve the purposes for which the data were collected.
Personal data obtained in connection with the conclusion and performance of the contract between the GWW Customer and the Joint Administrators are processed until the end of the period of limitation of claims that may potentially arise from the contract concluded with the Joint Administrator(s).
Personal data processed based on the legitimate interest of the Joint Controllers will be processed until the purpose of the processing ceases or the data subject raises an effective objection (whichever comes first).
In the case of personal data required to comply with a legal obligation to which the Joint Administrators are subject, the personal data will be processed for the period resulting from the applicable legislation.
Personal data processed on the basis of consent expressed by the Client who is an individual / Client Representative, will be processed until the purpose of the processing ceases or the consent is withdrawn (whichever is earlier).
8. INFORMATION ON AUTOMATED DECISION-MAKING, INCLUDING PROFILING
Personal data will not be processed in a purely automated manner (including profiling), which may produce legal consequences for the data subjects or similarly significantly affect them.
9. RIGHTS OF PERSONAL DATA SUBJECTS
To the extent and in the cases prescribed by law, in particular the RODO, data subjects, including Clients who are natural persons and Clients’ Representatives, have the following rights:
- The right to withdraw consent (Article 7 of the RODO) – if the processing of personal data is carried out on the basis of consent, this consent may be withdrawn by the data subject at any time (however, this does not affect the lawfulness of the processing carried out before the withdrawal of consent). Consent is entirely voluntary.
- Right of access and right to obtain a copy of the data (Article 15 RODO) – the data subject is entitled to obtain from the Joint Controllers information about the processing of his/her personal data – including the source of the personal data, the purposes of the processing, the categories of personal data processed, the intended duration of the processing and the recipients to whom the data are disclosed – and to obtain a copy of his/her personal data that are processed by the Joint Controllers. The right to obtain a copy must not adversely affect the rights and freedoms of others (including those arising from copyright or trade secrets).
- Right to rectification (amendment) of personal data (Article 16 RODO) – the data subject has the right to request the Joint Controllers to rectify inaccurate or complete incomplete personal data concerning the data subject.
- Right to erasure of personal data (‘right to be forgotten’ under Article 17 of the RODO) – the data subject has the right to request from the Joint Controllers the immediate erasure of their personal data where: (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) he/she has withdrawn the consent on the basis of which the processing took place and there will be no other legal basis for the Joint Controllers to process his/her personal data, (iii) he/she has objected under Article 21(1) RODO to the processing and there will be no overriding legitimate grounds for the processing of his/her personal data, or he/she has objected under Art. 21(2) RODO against the processing of his or her personal data, (iv) his or her personal data has been unlawfully processed, (v) the erasure of his or her personal data is required in order to comply with a legal obligation to which the Joint Controller is subject, (vi) his or her personal data has been collected in connection with the offering of information society services as referred to in Article 8(1) RODO. The right to erasure is not an absolute right. This right does not apply to the extent that the processing is necessary, inter alia, to comply with a legal obligation requiring processing under the law to which the Joint Controller is subject, or to establish, assert or defend claims.
- Right to restrict the processing of personal data (Article 18 RODO) – the data subject has the right to request the Joint Controllers to restrict the processing of his/her personal data where: (i) he or she contests the accuracy of his or her personal data – for a period allowing the Joint Controllers to verify the accuracy of the data; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead the restriction of its use; (iii) the Joint Controller no longer needs the personal data for the purposes of the processing, but the data are needed by the data subject to establish, assert or defend a claim; (iv) the data subject has objected under Art. 21(1) against the processing – until it is determined whether the Joint Controllers’ legitimate grounds override the data subject’s grounds for objection. The exercise of this right means that the Joint Controllers may only process the requested personal data, with the exception of storage, with the data subject’s consent, or for the establishment, exercise or defence of claims, or for the protection of the rights of another natural or legal person, or for important grounds of public interest of the Union or of a Member State.
- Right to data portability (Article 20 RODO) – the data subject has the right to receive, in a structured, commonly used machine-readable format, the personal data concerning him or her which he or she has provided to the Joint Controllers, and has the right to send this personal data to another controller without hindrance from the Joint Controllers to whom the personal data has been provided, if: (i) the processing is based on consent or pursuant to a contract; and (ii) the processing is carried out by automated means. In doing so, the data subject has the right to request that his or her personal data be sent by the Joint Controllers directly to another controller, insofar as this is technically possible. The exercise of the right to data portability must not adversely affect the rights and freedoms of others.
- Right to object (Article 21 RODO) – the data subject has the right to object at any time – on grounds relating to his/her particular situation – to the processing of personal data concerning him/her based, inter alia, on the legitimate interests of the Joint Controllers, including profiling. The exercise of this right means that the Joint Controllers are no longer allowed to process this personal data unless they demonstrate the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or grounds for establishing, asserting or defending claims. If the Joint Controllers process personal data for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling, to the extent that the processing is related to such direct marketing. The exercise of this right means that the Joint Controllers will not process personal data for such purposes.
The Joint Controllers will give effect to the above rights in accordance with the provisions of the RODO and other relevant legislation. In order to exercise the data subjects’ rights or to obtain further information on their rights, please contact the Joint Controllers (contact details are indicated in section 3).
10. RIGHT TO COMPLAIN
If the Client who is an individual or the Client’s Representative considers that the processing of his/her personal data by the Joint Controllers violates the provisions of the RODO or other generally applicable data protection legislation, he/she may lodge a complaint with the President of the Personal Data Protection Authority.