1.1 Administrator – Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych with its registered office in Warsaw, at ul. Nowy Świat 35 lok. 8, 00-029 Warsaw.

1.2 Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact information, information contained in correspondence, as well as device IP, location data, Internet identifier and information collected through cookies and other similar technology.

1.3 Policy – this Privacy and Data Protection Policy.

1.4 RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

1.5. Service – the website operated by the Administrator at https://kdkh.pl/.

1.6 User – any natural person visiting the Service or using one or more of the services or functionalities described in this Policy.

1.7 Data subject – any natural person whose personal data is processed by the Administrator, such as a person visiting the Administrator’s premises or directing an inquiry to the Administrator in the form of an e-mail or a User.


2.1 In connection with its activities, the Administrator shall collect and process personal data in accordance with the relevant laws, including in particular the RODO, and the data processing rules provided therein.

2.2 The Administrator shall ensure transparency of data processing, in particular, always informs about data processing at the time of collection, including the purpose and legal basis of processing – e.g. when concluding a contract for the sale of goods or services. The Administrator shall ensure that data are collected only to the extent necessary for the indicated purpose and processed only for the period of time necessary.

2.3 When processing data, the Administrator shall ensure security and confidentiality, as well as access to information about the processing to data subjects. Should a breach of personal data protection (e.g., data “leakage” or loss) occur despite the security measures in place, the Administrator shall inform data subjects of such an event in a manner consistent with the regulations.

2.4 In connection with the use of the Website by the User, the Administrator collects data to the extent necessary to provide the services offered, as well as information about the User’s activity on the Website. Detailed rules and purposes of processing personal data collected during the use of the Website by the User are described below.



3.1 In the case of directing e-mail or traditional correspondence to the Administrator, unrelated to the services provided to the sender or other agreement concluded with them, the personal data contained in such correspondence shall be processed solely for communication and resolution of the matter to which the correspondence relates.

3.2 The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), consisting in carrying out correspondence received in connection with their business activities.

3.3 The Administrator processes only personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data contained therein (and other information) and is disclosed only to authorized persons.


3.4 In case of contacting the Administrator via telephone, on matters not related to the existing contract or services provided, the Administrator may require personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO) consisting in the need to resolve the reported matter related to their business activity.


3.5. Personal data of the Service Users (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Administrator:

3.5.1. for the purpose of providing services electronically in the scope of providing Users with access to content collected on the Website – in which case the legal basis for processing is the necessity of processing for the performance of the agreement (Article 6.1.b RODO);

3.5.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting in conducting analyses of Users’ activities, as well as their preferences to improve the functionalities used and services provided;

3.5.3. for possible establishment and investigation of claims or defense against them

– the legal basis for processing is the legitimate interest of the Administrator

(Article 6.1.f RODO) consisting in the protection of the Administrator’s rights;


3.6 The Administrator sends information regarding their offer to persons who have provided their e-mail address for this purpose. Providing data in order to receive information regarding the Administrator’s offer is voluntary. The Administrator sends such information only

if the User has given their consent, which they may withdraw at any time – without affecting the legality of the processing performed before its withdrawal.

3.7 Personal data is processed for the purpose of sending information regarding the Administrator’s offer by e-mail in the form of a newsletter 

– the legal basis for processing, including profiling, is the legitimate interest of the Administrator (Article 6(1)(f) RODO) in connection with the consent given to receive the newsletter.


3.8 The Administrator processes personal data of Users visiting the Administrator’s profiles maintained on social media (LinkedIn, X, Facebook).

The data is processed exclusively in connection with running the profiles, including for the purpose of informing Users about the Administrator’s activities and promoting various events, services and products. The legal basis for the Administrator’s processing of personal data for this purpose is their legitimate interest (Article 6(1)(f) RODO) in promoting their own brand.


3.9 As part of recruitment processes, the Administrator expects the transfer of personal data (e.g., in a resume or CV) only to the extent specified in the employment law. Accordingly, information should not be transferred to a broader extent. In the event that the submitted applications contain additional data, the data will not be used or taken into account in the recruitment process.

3.10 Personal data shall be processed:

3.10.1. for the purpose of fulfilling legal obligations related to the employment process, including primarily the Labour Code – the legal basis for processing is the legal obligation binding the Administrator (Article 6(1)(c) of the RODO in connection with the provisions of the Labor Code);

3.10.2. for the purpose of conducting the recruitment process in the scope of data not required by law, as well as for the purpose of future recruitment processes

– the legal basis for processing is consent (Article 6.1.a RODO);

3.10.3. for the purpose of establishing or asserting potential claims or defending against such claims – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO).


3.11. If data is collected for the performance of a specific contract, the Administrator shall provide the data subject with details of the processing of their personal data at the time of entering into the contract.


3.12. In connection with their operations, the Administrator also collects personal data in other cases – such as during business meetings, at industry events or through the exchange of business cards – for the purposes of initiating and maintaining business contacts. The legal basis for processing in this case is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), consisting of networking in connection with their business activities.

3.13 Personal data collected in such cases shall be processed only for the purpose for which they were collected, and the Administrator shall ensure their adequate protection.


4.1 Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information to facilitate the use of the Website

– e.g. by remembering the User’s visits to the Website and their actions on the Website.


4.2 The Administrator uses so-called “service cookies” primarily to provide the User with services carried out electronically and to improve the quality of such services. In this regard, the Administrator and other entities providing analytical and statistical services to the Administrator use cookies, storing information or accessing information already stored in the User’s telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:

4.2.1. user input cookies (session ID) for the duration of the session;

4.2.2. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);

4.2.3. security cookies, such as those used for detecting authentication abuse (user centric security cookies);

for detecting authentication abuse (user centric security cookies);

4.2.4. multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);

4.2.5. persistent user interface customization cookies for the duration of the session or slightly longer (user interface customization cookies),

4.2.6. cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.


5.1 The time period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also result from regulations when they provide the basis for processing. If the data is processed on the basis of the legitimate interest of the Administrator – e.g. for security reasons – the data is processed for a period that allows the fulfillment of this interest or until an effective objection to the processing is made. If processing is based on consent, data is processed until the consent is withdrawn. When the basis for processing is the necessity to conclude and perform a contract, data is processed until the contract is terminated.

5.2 The data processing period may be extended if the processing is necessary to establish and assert or defend against possible claims, and thereafter only if and to the extent required by law. After the expiration of the processing period, the data shall be irreversibly deleted or anonymized.


6.1 The data subject has the right: to access the content of the data and to request rectification, erasure, restriction of processing, the right to data portability and the right to obtain a copy of the data, to object to the processing of the data, as well as the right to lodge a complaint with the supervisory authority dealing with personal data protection.

6.2 To the extent that data is processed on the basis of consent, you may withdraw it at any time by contacting the Administrator, which does not affect the compliance lawfulness of data processing before the withdrawal.

6.3 The data subject shall have the right to object to the processing of data for marketing purposes if the processing is carried out in connection with the legitimate interests of the Administrator, as well as – for reasons related to the particular situation of the data subject – in other cases where the legal basis of the processing is the legitimate interests of the Administrator (e.g., in connection with the implementation of analytical purposes and statistical purposes).

6.4 A request for the exercise of the rights of data subjects may be submitted:

6.4.1. in writing to the address: Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych, Nowy Świat 35 lok. 8, 00-029 Warsaw.

6.4.2. by e-mail to: biuro@kdkh.pl.

6.5 If the Administrator is unable to identify the person submitting the application on the basis of the notification made, they will ask the applicant for additional information.

6.6 The application may be submitted in person or through a proxy (such as a family member). For reasons of data security, the Administrator encourages the use of a power of attorney in a form certified by a notary public or authorized legal counsel or attorney, which will significantly speed up the verification of the authenticity of the application.

6.7 The application shall be responded to within one month of its receipt. If it is necessary to extend this deadline, the Administrator shall inform the applicant of the reasons for the delay.

6.8 The response shall be provided by postal service, unless the application was submitted by e-mail or electronic transmission of the response was requested.

6.9 The processing of submitted applications is free of charge. Fees may be charged only in the case of:

6.9.1. request for the issuance of the second and each subsequent copy of the data (the first copy of the data is free of charge); in this case, the Administrator may require payment of a fee of PLN 20.

The aforementioned fee includes administrative costs related to the execution of the request.

6.9.2. submitting excessive (e.g. extremely frequent) or obviously unjustified requests by the same person; in such case the Administrator may require payment of a fee of PLN 50.

The aforementioned fee includes the costs of communication and the costs associated with taking the requested action.

6.10 If the decision to impose a fee is disputed, the data subject may file a complaint with the President of the Personal Data Protection Office.



7.1 A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed by the Administrator.

7.2 Any incident that may constitute a Data Protection Breach shall be immediately reported to the Administrator. Each employee or co-worker of the Administrator shall take action to report the breach in question within no more than 4 hrs from the time of observing a situation that may constitute a breach.

7.3 The Administrator, immediately upon receipt of the relevant information, shall investigate any reported situation in which a data protection violation cannot be ruled out. The investigation proceeding consists of collecting the information necessary to complete the record of violations and aims to determine, based on this information, whether a violation has occurred (determination of a violation). A finding of a violation occurs when, based on the information collected, it can be reasonably assumed that a Breach has occurred or is highly likely to have occurred.

7.4 The actions taken in the course of the investigation shall be documented in the form of a memo. The notes and collected materials, documents, etc. are kept for the time necessary to clarify the circumstances of the Violation, which includes any actions taken by the Supervisory Authority or the court (until final decisions), and then for another 6 months.

7.5 If a Violation is found (regardless of its final qualification), the date and time at which the Violation was found shall be recorded.

7.6 The Administrator shall assess:

7.6.1. whether it is likely that the identified Breach results in a risk of violation of the rights or freedoms of individuals,

7.6.2. whether the Breach is likely to result in a high risk of violation of the rights or freedoms of individuals.

7.7 In making the assessment referred to in para. 7.6 of the Procedure, the Administrator shall take into account the circumstances of the Breach, including its severity, scale and possible negative impact on the situation of data subjects, as well as the likelihood of such negative impact. In particular, the Administrator shall take into account:

7.7.1. the type of Breach, i.e. whether there was unauthorized disclosure, loss, destruction, modification, or unauthorized access – mainly affects the assessment of the types of possible negative consequences of the Breach;

7.7.2. the type, level of sensitivity and scale of the Data affected by the Breach, in particular whether the Breach involves Special Category Data – mainly affects the assessment of the possible negative consequences of the Breach;

7.7.3. whether the Data can be easily linked to an individual – mainly affects the assessment of the likelihood of the risk of violation of the rights or freedoms of individuals;

7.7.4. the seriousness of potential consequences for data subjects;

7.7.5. the special characteristics of the Data Subjects, e.g. particularly sensitive individuals like children or individuals with addictions – mainly affects the assessment of the possible negative consequences of the Breach;

7.7.6. the number of Data Subjects affected by the Breach – mainly affects the assessment of the likelihood of the risk of violation of the rights or freedoms of individuals.

7.8 If it is determined that the Breach is unlikely to result in a risk of violation of the rights or freedoms of individuals, the Administrator shall not take any action, subject to the need to enter the Breach in the Breach Register.

7.9 If it is determined that it is likely that the Breach results in a risk of violation of the rights or freedoms of individuals, the Administrator shall report the Breach to the Supervisory Authority. Unless the Supervisory Authority has authorized another mode of reporting the Breach, the Administrator shall make the report by sending a scan of the report to the Supervisory Authority’s address and the original by registered mail to the Supervisory Authority’s address. The notification must be made immediately, no later than within 72 hours of the discovery of the Violation. If it is not possible to submit complete information within this timeframe, part of the information should be sent, indicating at the same time the type of information to be completed and the deadline for its completion. If the deadline is missed, a notification must be made, explaining the reasons for missing the deadline.

7.10 If it is determined that the Breach may cause a high risk of infringement of the rights or freedoms of natural persons, the Administrator shall make a notification and, in addition, immediately inform the Data Subjects affected by the Breach. The Administrator shall inform the Data Subjects of the Breach by e-mail or any other means of communication allowing to provide the information in the shortest possible time. If an exhaustive identification of the Data Subjects affected by the Breach is not possible, the Administrator shall post the information on their website or provide it in another manner that maximizes the chance of the information reaching the relevant Data Subjects.

7.11. Notification of a violation shall be made:

7.11.1. electronically using the appropriate form, which shall be filled out and then attached to the general letter available on the biznes.gov.pl platform, or sent via ePUAP to the electronic sub-box address: /GIODO/SkrytkaESP or

7.11.2. by sending the form as an attachment to the electronic mailbox address: /GIODO/SkrytkaESP.


7.12 The Administrator shall maintain a Register of data protection violations in an electronic form. The Register shall be a business secret of the Administrator.

7.13 Each case of a Personal Data Protection Breach shall be entered in the Register and described in accordance with the systematics of the Register. In each case of a Breach in which the Controller does not make a notification to the Supervisory Authority or does not inform the Data Subjects affected by the Breach, the reasons for such decision shall be described in detail in the Register.


8.1 In connection with the conduct of activities requiring processing, personal data shall be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, as well as entities providing the Administrator with services necessary for the performance of the contract concluded with the data subject, entities providing accounting, courier or recruitment services.

8.2 The Administrator reserves the right to disclose selected information concerning the data subject to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.


9.1 The level of protection of personal data outside the European Economic Area (EEA) differs from that stipulated by European law. For this reason, the Administrator transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:

9.1.1. cooperating with processors of personal data in countries for which a relevant European Commission decision has been issued;

9.1.2. applying standard contractual clauses issued by the European Commission;

9.1.3. application of binding corporate rules approved by the relevant supervisory authority;

9.1.4. in the case of data transfers to the U.S., cooperation with entities participating in the Privacy Shield program approved by a decision of the European Commission.

9.2 The Administrator shall always inform of the intention to transfer personal data outside the EEA at the stage of data collection.


10.1 The Administrator shall, on an ongoing basis, conduct a risk analysis to ensure that personal data is processed by them in a secure manner – ensuring, in particular, that only authorised persons have access to the data and only to the extent it is necessary for their tasks. The Administrator shall ensure that all operations on personal data are recorded and carried out only by authorised employees and associates.

10.2 The Administrator shall take all necessary measures to ensure that also their subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.

10.3 The Administrator shall perform on an ongoing basis a risk analysis and monitor the adequacy of the applied data security measures to the identified risks. If necessary, the Administrator implements additional measures to enhance data security.


11.1 Contacting the Administrator is possible via e-mail: biuro@kdkh.pl or by using the postal address: Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych, ul. Nowy Świat 35 lok. 8, 00-029 Warsaw.


12.1 The Policy shall be reviewed on an ongoing basis and updated as necessary. The current version of the Policy has been adopted and is effective as of 1 October 2020.

See more

Media about us

"Recently, we have been hearing a lot about pathologies in social networks, streaming services or among youtubers. In the ongoing discussion, some commentators seem to forget about the broad context of online creators' activities. Removing – often with difficulty – individuals or individual content that constitutes a socially unacceptable message, in practice changes nothing."

"After the garbage verdict. According to Gazeta Wyborcza, the National Appeals Chamber has ruled that the Warsaw authorities should cancel the negotiated procedure. The chairperson of the adjudicating panel argued, among others, that MPO is not capable of performing the garbage transport service on its own."

"The New Public Procurement Law is analysed in Dziennik Gazeta Prawna by Karol Kamiński, an attorney-at-law at KDKH, and Katarzyna Wyzgał, an advocate at KDKH. The authors conclude that the law of September 11, 2019. (Journal of Laws of 2019, item 2019, as amended) does not make fundamental changes to the institution of subcontracting."

"Blockchain technology is one of the fastest growing areas of the digital economy. So far, the law has not kept up with the development of new technologies, but many countries are already trying to put blockchain into a legal framework. The European Union, including Poland, needs to do so, too."

Michał Heromiński, an attorney-at-law and a partner at KDKH, has been appointed to the investment committee of PFR NCBR CVC FIZAN. This is a fund of funds created to support the commercialization of innovative technological projects in cooperation with corporations – reports Rzeczpospolita.

"Regulations have not kept up with technology. Michał Heromiński, a partner at KDKH, draws attention in today's issue of Parkiet to the topic of regulatory arbitrage and emphasizes the role of good law in increasing Poland's economic competitiveness. – In the EU, entrepreneurs using regulatory arbitration can register their business in any member state."

"3D printing, blockchain, artificial intelligence, cloud computing, robotics or automation are just examples of industries that have great potential. They could become an important part of the Polish economy, but their expansion is blocked by legal barriers, among other things."

Karol Kamiński, a partner at KDKH, took part in the Rzeczpospolita debate on the new public procurement law. The discussion was an opportunity to evaluate the new legislation, pointing out its strengths, but also its shortcomings. Karol noted that many clients point to the imprecision of the regulations, the length of the proceedings and the costs involved as problems. This has a direct effect of making contractors more likely to choose bids from the private market.

"In the case of Próchnik, we are dealing with a brand that has existed for over 70 years and has become a permanent part of users' consciousness and the history of Polish economic transformation. Therefore, detailed due diligence and subsequently, responsible negotiations with the seller were key."

"We are developing competence in media and new technologies following our clients. We have advised on many projects in this area, with the number of cases and their complexity on the rise. Together with Piotr, we will continue strengthening our expertise focused on these areas - said Michał Heromiński, an attorney-at-law and a partner at KDKH."


Contact us

Spółka Partnerska Radców Prawnych
ul. Nowy Świat 35 lok. 8
00-029 Warszawa, Poland

+48 607 741 741
+48 22 380 33 50
+48 22 380 33 51
© KDKH 2020. All rights reserved.