GDPR information clause regarding teleconferences with the Fireflies.ai assistant

GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi spółka partnerska (“GWW Legal”) and GWW Ladziński, Cmoch i Wspólnicy spółka komandytowa (“GWW Tax”) as Joint Controllers (controllers who jointly determine the purposes and means of data processing) process the personal data of participants of meetings conducted online using the Fireflies.ai tool (“Participants”).

In fulfilling the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and in connection with the processing of Participants’ personal data, the Joint Controllers provide below information regarding the principles of processing of that personal data, including the purposes of processing, the legal basis for processing, the period of storage, the recipients of personal data, as well as the rights of Participants.

1. JOINT CONTROLLERS

The joint controllers of Participants’ personal data are the following companies:

  • GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi sp. p. with its registered office in Warsaw at ul. Książęca 4 (00-498 Warsaw), entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000541501, NIP 7792022623, REGON 631226810, and
  • GWW Ladziński, Cmoch i Wspólnicy sp.k. with its registered office in Warsaw at ul. Książęca 4 (00-498 Warsaw), entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000956566, NIP 7010313649, REGON 145496595.

2. SCOPE OF LIABILITY OF THE JOINT CONTROLLERS

Within the framework of the joint controllership agreement concluded between the Joint Controllers, the Joint Controllers have agreed on the scope of their responsibilities regarding the fulfillment of obligations under the GDPR, including in particular that:

  • the Joint Controller who collects personal data or initiates the process of collecting personal data is responsible for fulfilling the obligation to inform data subjects in accordance with Articles 12-14 of the GDPR;
  • with regard to the exercise of the rights of data subjects as defined in Article 7(3) and Articles 15-22 GDPR, i.e. withdrawal of consent, exercising the right of access to personal data, rectification, erasure, restriction of processing, transfer of personal data, objection to the processing of personal data, the Joint Controller who received the request is responsible;
  • with regard to the fulfillment of obligations by the joint controllers regarding the management of personal data breaches, their notification to the supervisory authority (Article 33 GDPR) and the data subject (Article 34 GDPR), the joint controller who first becomes aware of the breach is responsible; if the breach becomes known to them at the same time, the responsible Joint Controller is the one on whose side the violation occurred;
  • if it cannot be determined on the basis of the above rules which Joint Controller is responsible for fulfilling the obligations set out in these paragraphs, GWW Legal is responsible.

Notwithstanding the above arrangements, Participants may exercise their rights under the GDPR against each of the Joint Controllers.

3. CONTACT DETAILS

The Joint Controllers have appointed a single point of contact for all requests and enquiries regarding the personal data they process:

  • in case of contact by traditional mail, by sending a letter to the address: Personal Data Coordinator: ul. Książęca 4, 00-498 Warsaw, with the note “Personal Data”,
  • in case of contact via e-mail, by sending an e-mail to: odo@gww.pl

4. WHAT PERSONAL DATA DO THE JOINT CONTROLLERS PROCESS AND WHAT IS THE SOURCE OF THIS DATA?

The Joint Controllers process the personal data of Participants provided directly by the Participants as part of a meeting conducted using Fireflies.ai, including first name, last name, e-mail address and recorded voice.

5. PURPOSE OF THE PROCESSING OF PERSONAL DATA AND LEGAL BASIS

The joint controllers process the personal data of the Participants on the basis of the Participants’ consent to the recording of the conversation using Fireflies.ai for the purpose of transcription and the creation of automatic meeting notes (legal basis is Art. 6 (1) (a) GDPR).

6. REQUIREMENT TO PROVIDE DATA

The provision of personal data by Participants for the purpose of recording a conversation using Fireflies.ai for transcription and automatic meeting notes is voluntary.

Consent to the use of Fireflies.ai is not a condition for conducting the meeting (if Participants do not consent to the use of Fireflies.ai, the tool will not be activated during the meeting).

7. PERIOD OF STORAGE OF PERSONAL DATA

The joint controllers do not store personal data for longer than is necessary to achieve the purposes for which the data were collected.

Personal data processed on the basis of the consent given by the Participants are processed until the purpose of the processing ceases to exist or the consent is withdrawn (whichever occurs first).

The recording and the full transcript of the conversation will be deleted no later than the next working day after the meeting.

8. INFORMATION ON AUTOMATED DECISION-MAKING, INCLUDING PROFILING

Participants’ personal data will not be processed by automated means (including profiling) that could produce legal effects concerning them or similarly significantly affect them.

The Fireflies.ai tool processes personal data by automated means only (the tool uses artificial intelligence (AI) to create automatic meeting notes with transcription, audio recording and automatic meeting summaries). However, no profiling takes place (in particular, the Participants’ personal data will not be used to evaluate the Participant’s personal factors), and the automatic meeting summary created by Fireflies.ai is subsequently verified by the Joint Controllers.

9. RECIPIENTS OF PERSONAL DATA

Processing personal data in the Fireflies.ai system results in the transfer of this data to the servers of Fireflies.AI Corp. (5424 Sunol Blvd, Ste 10-531, Pleasanton, CA 94566) and trusted IT software and service providers used by this entity, in particular Amazon Web Services (AWS) and Google Cloud Platform (GCP).

In addition, trusted IT support service providers and participants of a given meeting may gain access to personal data.

10. TRANSFER OF DATA OUTSIDE THE EEA

In connection with the processing of personal data using Fireflies.ai, personal data is transferred outside the European Economic Area (EEA), i.e. to the USA.

Data will only be transferred to the USA if the recipient of the data has joined the EU-US Privacy Shield Framework (i.e. the European Commission has confirmed an adequate level of data protection) or an adequate level of data protection has been agreed with the recipient of the data using so-called standard contractual clauses. A copy of the safeguards used, including the standard contractual clauses, can be obtained from the Joint Controllers.

11. RIGHTS OF DATA SUBJECTS

To the extent and in the cases specified by law, in particular the GDPR, persons whose personal data is being processed (data subjects), including Participants, have the following rights:

  • Right to withdraw consent (Article 7 of the GDPR) – if the processing of personal data is based on consent, this consent may be withdrawn at any time by the data subject (however, this does not affect the lawfulness of the processing carried out prior to the withdrawal of consent). Consent is entirely voluntary.
  • Right of access and right to obtain a copy of the data (Article 15 of the GDPR) – the data subject is entitled to obtain information from the Joint Controllers about the processing of his or her personal data – including the source of the personal data, the purposes of the processing, the categories of personal data processed, the planned period of processing and the recipients to whom the data is disclosed – as well as to obtain a copy of his or her personal data that is processed by the Joint Controllers. The right to obtain a copy may not adversely affect the rights and freedoms of others (including those arising from their copyrights or trade secrets).
  • Right to rectification (correction) of personal data (Article 16 of the GDPR) – the data subject has the right to request the Joint Controllers to rectify inaccurate personal data or to complete incomplete personal data concerning the data subject.
  • Right to erasure (‘right to be forgotten’ under Article 17 of the GDPR) – the data subject shall have the right to obtain from the Joint Controllers the erasure of personal data concerning him or her without undue delay where: (i) the personal data is no longer needed for the purposes for which it was collected or otherwise processed, (ii) he/she has withdrawn his/her consent on which the processing was based, and there is no other legal basis for the Joint Controllers to process his/her personal data, (iii) he/she has objected to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing of his/her personal data, or he/she has objected to the processing pursuant to Article 21(2) GDPR, (iv) his/her personal data has been unlawfully processed, (v) the deletion of his/her personal data is required to fulfill a legal obligation to which the Joint Controller is subject, (vi) his/her personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR. The right to erasure is not an absolute right. This right does not apply to the extent that the processing is necessary, among other things, to fulfill a legal obligation requiring processing under the law to which the Joint Controller is subject, or to establish, exercise or defend legal claims.
  • Right to restriction of processing (Article 18 GDPR) – the data subject has the right to request the joint controllers to restrict the processing of his or her personal data if: (i) the accuracy of his or her personal data is contested – for a period enabling the Joint Controllers to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, (iii) the Joint Controller no longer needs the personal data for the purposes of the processing, but they are needed by the data subject to establish, assert or defend claims; (iv) the data subject has objected to the processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Joint Controllers override those of the data subject. The exercise of this right means that the joint controllers may only process the personal data affected by the request, with the exception of storage, with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  • Right to data portability (Article 20 GDPR) – the data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Joint Controllers, in a structured, commonly used and machine-readable format and has the right to transmit those personal data to another controller without hindrance from the Joint Controllers to whom the personal data has been provided, if: (i) the processing is based on consent or on a contract; and (ii) the processing is carried out by automated means. The data subject shall have the right to have the personal data transmitted directly from the joint controllers to another controller, where technically feasible. The exercise of the right to data portability shall not adversely affect the rights and freedoms of others.
  • Right to object (Article 21 GDPR) – the data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based, inter alia, on the legitimate interest of the Joint Controllers, including profiling. The exercise of this right means that the Joint Controllers are no longer allowed to process this personal data, unless they demonstrate the existence of valid legitimate grounds for processing that override the interests, rights and freedoms of the data subject or grounds for the establishment, exercise or defense of legal claims. If the Joint Controllers process personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling, to the extent that the processing is related to such direct marketing. The exercise of this right means that the Joint Controllers will not process personal data for such purposes.

The Joint Controllers will give effect to the above rights in accordance with the provisions of the GDPR and other relevant regulations. In order to exercise your rights or to obtain further information about your rights, please contact the Joint Controllers (contact details are provided in clause 3).

12. RIGHT TO LODGE A COMPLAINT

If Participants believe that the processing of their personal data by the Joint Controllers violates the provisions of the GDPR or other generally applicable regulations regarding the protection of personal data, they may file a complaint with the President of the Personal Data Protection Office.