PRIVACY AND PERSONAL DATA PROTECTION POLICY

1. DEFINITIONS

1.1 Administrator – Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych with its registered office in Warsaw, at ul. Nowy Świat 35 lok. 8, 00-029 Warsaw.

1.2 Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact information, information contained in correspondence, as well as device IP, location data, Internet identifier and information collected through cookies and other similar technology.

1.3 Policy – this Privacy and Data Protection Policy.

1.4 RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

1.5. Service – the website operated by the Administrator at https://kdkh.pl/.

1.6 User – any natural person visiting the Service or using one or more of the services or functionalities described in this Policy.

1.7 Data subject – any natural person whose personal data is processed by the Administrator, such as a person visiting the Administrator’s premises or directing an inquiry to the Administrator in the form of an e-mail or a User.

2. DATA PROCESSING BY THE ADMINISTRATOR

2.1 In connection with its activities, the Administrator shall collect and process personal data in accordance with the relevant laws, including in particular the RODO, and the data processing rules provided therein.

2.2 The Administrator shall ensure transparency of data processing, in particular, always informs about data processing at the time of collection, including the purpose and legal basis of processing – e.g. when concluding a contract for the sale of goods or services. The Administrator shall ensure that data are collected only to the extent necessary for the indicated purpose and processed only for the period of time necessary.

2.3 When processing data, the Administrator shall ensure security and confidentiality, as well as access to information about the processing to data subjects. Should a breach of personal data protection (e.g., data “leakage” or loss) occur despite the security measures in place, the Administrator shall inform data subjects of such an event in a manner consistent with the regulations.

2.4 In connection with the use of the Website by the User, the Administrator collects data to the extent necessary to provide the services offered, as well as information about the User’s activity on the Website. Detailed rules and purposes of processing personal data collected during the use of the Website by the User are described below.

3. PURPOSES AND LEGAL BASIS OF DATA PROCESSING

E-MAIL AND TRADITIONAL CORRESPONDENCE

3.1 In the case of directing e-mail or traditional correspondence to the Administrator, unrelated to the services provided to the sender or other agreement concluded with them, the personal data contained in such correspondence shall be processed solely for communication and resolution of the matter to which the correspondence relates.

3.2 The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), consisting in carrying out correspondence received in connection with their business activities.

3.3 The Administrator processes only personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the personal data contained therein (and other information) and is disclosed only to authorized persons.

TELEPHONE CONTACT

3.4 In case of contacting the Administrator via telephone, on matters not related to the existing contract or services provided, the Administrator may require personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO) consisting in the need to resolve the reported matter related to their business activity.

USE OF THE SERVICE

3.5. Personal data of the Service Users (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Administrator:

3.5.1. for the purpose of providing services electronically in the scope of providing Users with access to content collected on the Website – in which case the legal basis for processing is the necessity of processing for the performance of the agreement (Article 6.1.b RODO);

3.5.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting in conducting analyses of Users’ activities, as well as their preferences to improve the functionalities used and services provided;

3.5.3. for possible establishment and investigation of claims or defense against them

– the legal basis for processing is the legitimate interest of the Administrator

(Article 6.1.f RODO) consisting in the protection of the Administrator’s rights;

NEWSLETTER

3.6 The Administrator sends information regarding their offer to persons who have provided their e-mail address for this purpose. Providing data in order to receive information regarding the Administrator’s offer is voluntary. The Administrator sends such information only

if the User has given their consent, which they may withdraw at any time – without affecting the legality of the processing performed before its withdrawal.

3.7 Personal data is processed for the purpose of sending information regarding the Administrator’s offer by e-mail in the form of a newsletter 

– the legal basis for processing, including profiling, is the legitimate interest of the Administrator (Article 6(1)(f) RODO) in connection with the consent given to receive the newsletter.

SOCIAL NETWORKS

3.8 The Administrator processes personal data of Users visiting the Administrator’s profiles maintained on social media (LinkedIn, X, Facebook).

The data is processed exclusively in connection with running the profiles, including for the purpose of informing Users about the Administrator’s activities and promoting various events, services and products. The legal basis for the Administrator’s processing of personal data for this purpose is their legitimate interest (Article 6(1)(f) RODO) in promoting their own brand.

RECRUITMENT

3.9 As part of recruitment processes, the Administrator expects the transfer of personal data (e.g., in a resume or CV) only to the extent specified in the employment law. Accordingly, information should not be transferred to a broader extent. In the event that the submitted applications contain additional data, the data will not be used or taken into account in the recruitment process.

3.10 Personal data shall be processed:

3.10.1. for the purpose of fulfilling legal obligations related to the employment process, including primarily the Labour Code – the legal basis for processing is the legal obligation binding the Administrator (Article 6(1)(c) of the RODO in connection with the provisions of the Labor Code);

3.10.2. for the purpose of conducting the recruitment process in the scope of data not required by law, as well as for the purpose of future recruitment processes

– the legal basis for processing is consent (Article 6.1.a RODO);

3.10.3. for the purpose of establishing or asserting potential claims or defending against such claims – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO).

COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS

3.11. If data is collected for the performance of a specific contract, the Administrator shall provide the data subject with details of the processing of their personal data at the time of entering into the contract.

COLLECTION OF DATA IN OTHER CASES

3.12. In connection with their operations, the Administrator also collects personal data in other cases – such as during business meetings, at industry events or through the exchange of business cards – for the purposes of initiating and maintaining business contacts. The legal basis for processing in this case is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), consisting of networking in connection with their business activities.

3.13 Personal data collected in such cases shall be processed only for the purpose for which they were collected, and the Administrator shall ensure their adequate protection.

4. COOKIES AND SIMILAR TECHNOLOGY

4.1 Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information to facilitate the use of the Website

– e.g. by remembering the User’s visits to the Website and their actions on the Website.

“SERVICE” COOKIES

4.2 The Administrator uses so-called “service cookies” primarily to provide the User with services carried out electronically and to improve the quality of such services. In this regard, the Administrator and other entities providing analytical and statistical services to the Administrator use cookies, storing information or accessing information already stored in the User’s telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:

4.2.1. user input cookies (session ID) for the duration of the session;

4.2.2. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);

4.2.3. security cookies, such as those used for detecting authentication abuse (user centric security cookies);

for detecting authentication abuse (user centric security cookies);

4.2.4. multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);

4.2.5. persistent user interface customization cookies for the duration of the session or slightly longer (user interface customization cookies),

4.2.6. cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.

5. TIME PERIOD OF PERSONAL DATA PROCESSING

5.1 The time period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also result from regulations when they provide the basis for processing. If the data is processed on the basis of the legitimate interest of the Administrator – e.g. for security reasons – the data is processed for a period that allows the fulfillment of this interest or until an effective objection to the processing is made. If processing is based on consent, data is processed until the consent is withdrawn. When the basis for processing is the necessity to conclude and perform a contract, data is processed until the contract is terminated.

5.2 The data processing period may be extended if the processing is necessary to establish and assert or defend against possible claims, and thereafter only if and to the extent required by law. After the expiration of the processing period, the data shall be irreversibly deleted or anonymized.

6. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

6.1 The data subject has the right: to access the content of the data and to request rectification, erasure, restriction of processing, the right to data portability and the right to obtain a copy of the data, to object to the processing of the data, as well as the right to lodge a complaint with the supervisory authority dealing with personal data protection.

6.2 To the extent that data is processed on the basis of consent, you may withdraw it at any time by contacting the Administrator, which does not affect the compliance lawfulness of data processing before the withdrawal.

6.3 The data subject shall have the right to object to the processing of data for marketing purposes if the processing is carried out in connection with the legitimate interests of the Administrator, as well as – for reasons related to the particular situation of the data subject – in other cases where the legal basis of the processing is the legitimate interests of the Administrator (e.g., in connection with the implementation of analytical purposes and statistical purposes).

6.4 A request for the exercise of the rights of data subjects may be submitted:

6.4.1. in writing to the address: Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych, Nowy Świat 35 lok. 8, 00-029 Warsaw.

6.4.2. by e-mail to: biuro@kdkh.pl.

6.5 If the Administrator is unable to identify the person submitting the application on the basis of the notification made, they will ask the applicant for additional information.

6.6 The application may be submitted in person or through a proxy (such as a family member). For reasons of data security, the Administrator encourages the use of a power of attorney in a form certified by a notary public or authorized legal counsel or attorney, which will significantly speed up the verification of the authenticity of the application.

6.7 The application shall be responded to within one month of its receipt. If it is necessary to extend this deadline, the Administrator shall inform the applicant of the reasons for the delay.

6.8 The response shall be provided by postal service, unless the application was submitted by e-mail or electronic transmission of the response was requested.

6.9 The processing of submitted applications is free of charge. Fees may be charged only in the case of:

6.9.1. request for the issuance of the second and each subsequent copy of the data (the first copy of the data is free of charge); in this case, the Administrator may require payment of a fee of PLN 20.

The aforementioned fee includes administrative costs related to the execution of the request.

6.9.2. submitting excessive (e.g. extremely frequent) or obviously unjustified requests by the same person; in such case the Administrator may require payment of a fee of PLN 50.

The aforementioned fee includes the costs of communication and the costs associated with taking the requested action.

6.10 If the decision to impose a fee is disputed, the data subject may file a complaint with the President of the Personal Data Protection Office.

7. VIOLATIONS OF PERSONAL DATA PROTECTION

HANDLING A SUSPECTED AND IDENTIFIED BREACH

7.1 A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed by the Administrator.

7.2 Any incident that may constitute a Data Protection Breach shall be immediately reported to the Administrator. Each employee or co-worker of the Administrator shall take action to report the breach in question within no more than 4 hrs from the time of observing a situation that may constitute a breach.

7.3 The Administrator, immediately upon receipt of the relevant information, shall investigate any reported situation in which a data protection violation cannot be ruled out. The investigation proceeding consists of collecting the information necessary to complete the record of violations and aims to determine, based on this information, whether a violation has occurred (determination of a violation). A finding of a violation occurs when, based on the information collected, it can be reasonably assumed that a Breach has occurred or is highly likely to have occurred.

7.4 The actions taken in the course of the investigation shall be documented in the form of a memo. The notes and collected materials, documents, etc. are kept for the time necessary to clarify the circumstances of the Violation, which includes any actions taken by the Supervisory Authority or the court (until final decisions), and then for another 6 months.

7.5 If a Violation is found (regardless of its final qualification), the date and time at which the Violation was found shall be recorded.

7.6 The Administrator shall assess:

7.6.1. whether it is likely that the identified Breach results in a risk of violation of the rights or freedoms of individuals,

7.6.2. whether the Breach is likely to result in a high risk of violation of the rights or freedoms of individuals.

7.7 In making the assessment referred to in para. 7.6 of the Procedure, the Administrator shall take into account the circumstances of the Breach, including its severity, scale and possible negative impact on the situation of data subjects, as well as the likelihood of such negative impact. In particular, the Administrator shall take into account:

7.7.1. the type of Breach, i.e. whether there was unauthorized disclosure, loss, destruction, modification, or unauthorized access – mainly affects the assessment of the types of possible negative consequences of the Breach;

7.7.2. the type, level of sensitivity and scale of the Data affected by the Breach, in particular whether the Breach involves Special Category Data – mainly affects the assessment of the possible negative consequences of the Breach;

7.7.3. whether the Data can be easily linked to an individual – mainly affects the assessment of the likelihood of the risk of violation of the rights or freedoms of individuals;

7.7.4. the seriousness of potential consequences for data subjects;

7.7.5. the special characteristics of the Data Subjects, e.g. particularly sensitive individuals like children or individuals with addictions – mainly affects the assessment of the possible negative consequences of the Breach;

7.7.6. the number of Data Subjects affected by the Breach – mainly affects the assessment of the likelihood of the risk of violation of the rights or freedoms of individuals.

7.8 If it is determined that the Breach is unlikely to result in a risk of violation of the rights or freedoms of individuals, the Administrator shall not take any action, subject to the need to enter the Breach in the Breach Register.

7.9 If it is determined that it is likely that the Breach results in a risk of violation of the rights or freedoms of individuals, the Administrator shall report the Breach to the Supervisory Authority. Unless the Supervisory Authority has authorized another mode of reporting the Breach, the Administrator shall make the report by sending a scan of the report to the Supervisory Authority’s address and the original by registered mail to the Supervisory Authority’s address. The notification must be made immediately, no later than within 72 hours of the discovery of the Violation. If it is not possible to submit complete information within this timeframe, part of the information should be sent, indicating at the same time the type of information to be completed and the deadline for its completion. If the deadline is missed, a notification must be made, explaining the reasons for missing the deadline.

7.10 If it is determined that the Breach may cause a high risk of infringement of the rights or freedoms of natural persons, the Administrator shall make a notification and, in addition, immediately inform the Data Subjects affected by the Breach. The Administrator shall inform the Data Subjects of the Breach by e-mail or any other means of communication allowing to provide the information in the shortest possible time. If an exhaustive identification of the Data Subjects affected by the Breach is not possible, the Administrator shall post the information on their website or provide it in another manner that maximizes the chance of the information reaching the relevant Data Subjects.

7.11. Notification of a violation shall be made:

7.11.1. electronically using the appropriate form, which shall be filled out and then attached to the general letter available on the biznes.gov.pl platform, or sent via ePUAP to the electronic sub-box address: /GIODO/SkrytkaESP or

7.11.2. by sending the form as an attachment to the electronic mailbox address: /GIODO/SkrytkaESP.

REGISTER OF VIOLATIONS

7.12 The Administrator shall maintain a Register of data protection violations in an electronic form. The Register shall be a business secret of the Administrator.

7.13 Each case of a Personal Data Protection Breach shall be entered in the Register and described in accordance with the systematics of the Register. In each case of a Breach in which the Controller does not make a notification to the Supervisory Authority or does not inform the Data Subjects affected by the Breach, the reasons for such decision shall be described in detail in the Register.

8. DATA RECIPIENTS

8.1 In connection with the conduct of activities requiring processing, personal data shall be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, as well as entities providing the Administrator with services necessary for the performance of the contract concluded with the data subject, entities providing accounting, courier or recruitment services.

8.2 The Administrator reserves the right to disclose selected information concerning the data subject to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.

9. TRANSFER OF DATA OUTSIDE THE EEA

9.1 The level of protection of personal data outside the European Economic Area (EEA) differs from that stipulated by European law. For this reason, the Administrator transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:

9.1.1. cooperating with processors of personal data in countries for which a relevant European Commission decision has been issued;

9.1.2. applying standard contractual clauses issued by the European Commission;

9.1.3. application of binding corporate rules approved by the relevant supervisory authority;

9.1.4. in the case of data transfers to the U.S., cooperation with entities participating in the Privacy Shield program approved by a decision of the European Commission.

9.2 The Administrator shall always inform of the intention to transfer personal data outside the EEA at the stage of data collection.

10. SECURITY OF PERSONAL DATA

10.1 The Administrator shall, on an ongoing basis, conduct a risk analysis to ensure that personal data is processed by them in a secure manner – ensuring, in particular, that only authorised persons have access to the data and only to the extent it is necessary for their tasks. The Administrator shall ensure that all operations on personal data are recorded and carried out only by authorised employees and associates.

10.2 The Administrator shall take all necessary measures to ensure that also their subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.

10.3 The Administrator shall perform on an ongoing basis a risk analysis and monitor the adequacy of the applied data security measures to the identified risks. If necessary, the Administrator implements additional measures to enhance data security.

CONTACT INFORMATION

11.1 Contacting the Administrator is possible via e-mail: biuro@kdkh.pl or by using the postal address: Krynicki, Dajczer, Kamiński, Heromiński Spółka Partnerska Radców Prawnych, ul. Nowy Świat 35 lok. 8, 00-029 Warsaw.

CHANGES TO THE PRIVACY AND PERSONAL DATA PROTECTION POLICY

12.1 The Policy shall be reviewed on an ongoing basis and updated as necessary. The current version of the Policy has been adopted and is effective as of 1 October 2020.