Clients
GWW Ladziński, Cmoch i Wspólnicy Spółka komandytowa with its registered office in Warsaw, ul. Książęca 4 (00-498 Warsaw), entered into the register of entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XII Economic Division of the National Court Register, under KRS no. Warszawy in Warsaw, XII Economic Division of the National Court Register, under the KRS number 0000956566, NIP 7010313649, REGON 145496595 (“GWW Tax” or “Administrator”), in connection with the services concerning JPK (Uniform Control Files) provided to its customers (natural persons, legal persons or organisational units which are not legal persons to which legal capacity is granted by law – “GWW Tax Customers”), processes as an administrator personal data of the following persons:
- natural persons declaring on their own behalf their interest in the services provided by GWW Tax concerning JPK or using the services provided by GWW Tax concerning JPK (“Customers being natural persons”),
- persons submitting on behalf of other entities (potential GWW Tax clients) an interest in the services provided by the Administrator concerning JPK or – in the case of GWW Tax clients – acting on behalf of or for the GWW Tax client, i.e. contact persons, proxies or persons representing GWW Tax clients or potential GWW Tax clients, to the extent concerning JPK (“Client Representatives”).
Fulfilling the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and the repeal of Directive 95/46/WE (“RODO“), in connection with the Administrator’s processing of personal data of Clients who are natural persons and Client Representatives, the Administrator presents below information concerning the principles of personal data processing, including the purposes of processing, legal basis for processing, storage period, recipients of personal data, as well as the rights of persons whose personal data are processed by the Administrator.
1. CONTACT DETAILS
In matters concerning personal data, the Administrator may be contacted:
- if contacted by post, by sending a letter to: Personal Data Coordinator: 4 Książęca Street, 00-498, Warsaw, marked “Personal Data”,
- in the case of contact by e-mail, by sending an e-mail to: odo@gww.pl.
2. WHAT PERSONAL DATA IS PROCESSED BY THE ADMINISTRATOR AND WHAT IS THE SOURCE OF SUCH DATA
The Administrator processes personal data of the Customers who are natural persons, which were provided to it directly by the Customers who are natural persons or by the Customers’ Representatives or by JPK Insight Sp. z o.o., in connection with the conclusion and performance of agreements concerning the services provided by the Administrator concerning JPK, in particular the name and surname of the Customer who is a natural person, his/her contact details, signature, data necessary to perform and settle the services and issue an invoice, and other personal data of the Customer who is a natural person, provided in the course of contact with the Administrator.
The Administrator may also process personal data of Customer Representatives, made available by the GWW Tax Customer, provided directly by Customer Representatives or made available by TAX Insight Sp. z o.o., in connection with the conclusion and implementation of the agreement between the GWW Tax Customer and the Administrator within the scope concerning JPK, in particular the name and surname of the Customer Representative, his/her position, contact data of the Customer Representative, data contained in the power of attorney or the register in which the GWW Tax Customer is entered, and other personal data of the Customer Representative provided within the contact with the Administrator.
Provision of personal data of Clients who are natural persons and Client Representatives is voluntary; however, it is necessary for the conclusion of the agreement and the performance of the agreement relating to the services provided by the Administrator concerning JPK.
3. PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS
The Administrator processes personal data of Customers who are natural persons:
- for the purpose of concluding and performing a contract concerning the services provided by the Administrator with regard to JPK (legal basis under Article 6(1)(b) of the RODO);
- for the purposes resulting from the legally justified interests pursued by the Administrator or third parties (legal basis of Article 6(1)(f) RODO), which are: the Administrator’s performance of settlements in respect of the services provided, management of activities and administration of agreements concluded with GWW Tax clients, performance of settlements with the Administrator’s contractors involved in the provision of services (in particular TAX Insight Sp. z o.o.); shaping and maintaining business relations with clients who are natural persons; establishing, asserting or defending against claims; implementing internal procedures, including the prevention of criminal acts and abuse;
- in order to ensure and demonstrate compliance with legal obligations imposed on the Administrator, when the processing is necessary to comply with a legal obligation incumbent on the Administrator, in particular under the provisions of the AML/CFT Act, the RODO and tax and accounting regulations (legal basis under Article 6(1)(c) of the RODO);
- for other purposes, on the basis of a separate consent granted by the Client who is a natural person (legal basis from Article 6(1)(a) RODO).
The Administrator processes the personal data of the Client’s Representatives:
- for the purposes resulting from the legally justified interests pursued by the Administrator or third parties (legal basis of Article 6(1)(f) RODO), which are: conclusion of an agreement with the GWW Tax Client and performance of an agreement concerning the services provided by the Administrator in the field of JPK; conducting by the Administrator of settlements in the scope of the provided services, management of activities and administration of agreements concluded with GWW Tax Clients; conducting settlements with the Administrator’s contractors involved in the provision of services (in particular TAX Insight Sp. z o.o.); shaping and maintaining business relations with GWW Tax Clients; establishing, asserting or defending against claims; implementing internal procedures, including the prevention of criminal acts and abuse;
- in order to ensure and demonstrate compliance with legal obligations imposed on the Administrator, when the processing is necessary to comply with a legal obligation incumbent on the Administrator, in particular arising from the provisions of the AML/CFT Act, the RODO and tax and accounting regulations (legal basis from Article 6(1)(c) of the RODO);
- for other purposes, on the basis of the consent separately granted by the Customer Representative (legal basis from Article 6(1)(a) RODO).
4. RECIPIENTS OF PERSONAL DATA
The Administrator shall make personal data available to other entities (recipients of personal data) only if it has a legal basis for doing so. If the Controller transfers personal data to recipients located outside the European Union or the European Economic Area (EEA), this shall only take place if an adequate level of data protection has been confirmed for that third country by the European Commission or an adequate level of data protection has been agreed with the recipient (e.g. using so-called standard contractual clauses).
Personal data may be made available to public authorities or other entities entitled to such access by law.
Depending on the purpose for which the Administrator processes personal data of the Customers who are natural persons and the Customers’ Representatives, the recipients of their personal data may also be: entities providing ICT services to the Administrator, entities providing IT/technical/service support services, suppliers of software used by the Administrator, entities providing courier or postal services, banks – if it is necessary to make settlements, entities providing accounting and settlement services, TAX Insight Sp. z o.o. and other entities cooperating with the Administrator in relation to the provided services.
The processing of personal data in ICT systems, may result in the transfer of such data to the servers of software and IT service providers, in connection with the use of the services/software that the aforementioned providers provide. Some of these servers are located in the USA. The transfer of data to the USA is carried out using the so-called standard contractual clauses referred to above. The data subject has the possibility to obtain a copy of this personal data.
5. RETENTION PERIOD OF PERSONAL DATA
The controller shall not keep personal data longer than necessary to achieve the purposes for which the data were collected.
Personal data obtained in connection with the conclusion and performance of the contract between the GWW Tax client and the Administrator are processed until the end of the period of limitation of claims that may potentially arise from the concluded contract.
Personal data processed on the basis of the Administrator’s legitimate interest will be processed until the purpose of the processing ceases or the data subject raises an effective objection (whichever comes first).
In the case of personal data required to comply with a legal obligation to which the Administrator is subject, the personal data will be processed for the period resulting from the applicable legal provisions.
Personal data processed on the basis of consent expressed by the Client who is an individual / Client’s Representative, will be processed until the purpose of the processing ceases or the consent is withdrawn (whichever is earlier).
6. INFORMATION ON AUTOMATED DECISION-MAKING, INCLUDING PROFILING
Personal data will not be processed in a purely automated manner (including profiling), which may produce legal consequences for the data subjects or similarly significantly affect them.
7. RIGHTS OF PERSONAL DATA SUBJECTS
To the extent and in the cases prescribed by law, in particular the RODO, data subjects (data subjects) have the following rights:
- Right to withdraw consent (Article 7 of the RODO) – if the processing of personal data is carried out on the basis of consent, this consent may be withdrawn by the data subject at any time (however, this does not affect the lawfulness of the processing carried out before the withdrawal of consent). Consent is entirely voluntary.
- Right of access and right to obtain a copy of the data (Article 15 RODO) – the data subject is entitled to obtain from the Controller information about the processing of his/her personal data – including the source of the personal data, the purposes of the processing, the categories of personal data processed, the intended duration of the processing and the recipients to whom the data are disclosed – and to obtain a copy of his/her personal data that are processed by the Controller. The right to obtain a copy must not adversely affect the rights and freedoms of others (including those arising from copyright or trade secrets).
- Right to rectification (amendment) of personal data (Article 16 RODO) – the data subject has the right to request the Controller to rectify inaccurate or complete incomplete personal data concerning the data subject.
- Right to erasure of personal data (“right to be forgotten” of Art. 17 RODO) – the data subject has the right to request from the Controller the immediate erasure of his/her personal data where (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) he/she has withdrawn the consent on the basis of which the processing took place and there will be no other legal basis for the Controller to process the data subject’s personal data, (iii) he/she has objected under Art. 21(1) RODO to the processing and there will be no overriding legitimate grounds for the processing of his/her personal data or he/she has objected under Art. 21(2) RODO against the processing of his or her personal data, (iv) his or her personal data have been unlawfully processed, (v) the erasure of his or her personal data is required in order to comply with a legal obligation to which the Controller is subject, (vi) his or her personal data have been collected in connection with the offering of information society services as referred to in Article 8(1) RODO. The right to erasure is not an absolute right. This right does not apply to the extent that the processing is necessary, inter alia, to comply with a legal obligation requiring processing under the law to which the Controller is subject or to establish, assert or defend claims.
- The right to restrict the processing of personal data (Art. 18 RODO) – the data subject has the right to request the Controller to restrict the processing of his/her personal data where (i) he/she questions the correctness of his/her personal data – for a period of time allowing the Controller to verify the correctness of the data; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead the restriction of its use, (iii) the Controller no longer needs the personal data for the purposes of the processing, but the data are needed by the data subject to establish, assert or defend claims; (iv) the data subject has raised an objection under Art. 21(1) against the processing – until it is determined whether the legitimate grounds on the part of the Controller override the grounds of the data subject’s objection. The exercise of this right means that the Controller may only process the requested personal data, with the exception of storage, with the consent of the data subject or for the establishment, exercise or defence of a claim, or for the protection of the rights of another natural or legal person, or on compelling grounds of public interest of the Union or of a Member State.
- Right to data portability (Article 20 RODO) – The data subject has the right to receive, in a structured, commonly used machine-readable format, personal data concerning him or her which he or she has provided to the Controller, and has the right to have that personal data transferred to another controller without hindrance from the Controller to whom the personal data has been provided, where (i) the processing is based on consent or on a contract; and (ii) the processing is carried out by automated means. In doing so, the Data Subject has the right to request that his or her personal data be sent by the Controller directly to another controller, insofar as this is technically possible. The exercise of the right to data portability, shall not adversely affect the rights and freedoms of others.
- Right to object (Article 21 RODO) – the data subject has the right to object at any time – on grounds relating to his/her particular situation – to the processing of personal data concerning him/her based, inter alia, on the legitimate interests of the Controller, including profiling. The exercise of this right means that the Controller is no longer allowed to process these personal data unless they demonstrate the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or grounds for establishing, asserting or defending claims. If the Controller processes personal data for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling, to the extent that the processing is related to such direct marketing. The exercise of this right means that the Controller will not process the personal data for such purposes.
The Controller will exercise the above rights in accordance with the provisions of the RODO and other relevant legislation. In order to exercise the data subject’s rights or to obtain further information regarding their rights, please contact the Controller (contact details are indicated in section 1).
8. RIGHT TO LODGE A COMPLAINT
If a data subject considers that the processing of his/her personal data by the Controller violates the provisions of the RODO or other generally applicable data protection legislation, he/she may lodge a complaint with the President of the Data Protection Authority.