3. Based on the regulations of Regulation (EU) 2016/679 of the European Parliament and the Council of 27.04.2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, hereinafter referred to as GDPR and the Act of 10.05.2018 on the protection of personal data. The Administrator shall take all necessary security measures to protect the processed personal data.
4. Personal data shall mean any information about an identified or identifiable natural person to whom the data relates. An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
1. The administrator of the personal data is Gardens Tax & Legal Wilk Latkowski Łokaj Doradcy Podatkowi i Radcowie Prawni Sp. p., tel. +48 422080510 and +48 664341667, biuro@GardensTaxLegal.pl, hereinafter referred to as the Administrator.
2. The Administrator collects the data for specific, explicit, and legitimate purposes and does not further process them in a manner incompatible with those purposes. If the Administrator is deprived of the purpose of processing, it shall immediately and permanently delete the data, unless the right to further processing results from generally applicable laws. The Administrator shall perform a regular assessment of the legitimacy of the processing of certain personal data, taking into account the actuality of the purposes of their processing.
3. The Administrator shall process data in an adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The Administrator strives to continuously minimize the processing of personal data. For this purpose, the Administrator performs a regular assessment of the scope and types of the processed personal data to determine the necessity of their processing or the possibility of their permanent erasure.
4. The Administrator shall ensure that the data processed by him/her are correct, and shall update them whenever necessary and possible.
5. The controller shall store data in a form that permits the identification of the data subject for no longer than is necessary for the purposes for which the data are processed, taking into account the relevant provisions of law that allow the controller to process personal data for a specified period. In case the term of storage of certain personal data expires, the Administrator shall, as a rule, immediately and permanently delete the personal data in question, unless separate legal regulations impose an obligation on the Administrator to archive the documentation containing the personal data.
6. The Administrator processes personal data for the following purposes:
a) Performance of legal and tax advisory services
The Administrator provides its clients, who are both natural persons and entities of other types, with legal and tax consulting services. These services are provided based on a written or oral agreement concluded with the client. The legal basis for the processing of personal data for this purpose is Article 6(1)(b) of the GDPR, according to which the processing is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract, and Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller.
b) Fulfilment of a legal obligation to which the Controller is subject under generally applicable provisions of law
The Administrator is subject to several legal obligations for the fulfillment of which it is necessary to process personal data. The Administrator is obliged to keep accounts in a manner compliant with the applicable legal regulations. Furthermore, the Administrator is subject to certain tax obligations. The above involves the necessity to process the data of customers, in particular entrepreneurs for whom the Administrator issues VAT invoices. Furthermore, the Administrator is obliged to undertake activities and actions related to preventing money laundering and financing terrorism, as well as activities related to avoiding conflicts of interest between customers. The legal basis for this is the Administrator’s legal obligation regulated in Article 6(1)(c) of the GDPR.
c) Recording the course of cooperation with the client and the services provided
The Administrator records the course of cooperation with each customer. This is done by maintaining client files, including files on the court and other proceedings. In addition, the Administrator keeps a register of incoming and outgoing correspondence in connection with the provision of services under the contract with the client. The legal basis of data processing for the above-described purpose is the legitimate interest of the Administrator – (Article 6(1)(f) of GDPR).
d) Pursuing claims and defending rights
The processing of personal data is necessary in case the Administrator is pursuing its claims or defending its rights in the course of possible court and out-of-court proceedings. The legal basis for data processing for the above-described purpose is the legitimate interest of the Administrator – (Article 6(1)(f) GDPR).
e) Marketing of own products and services (newsletter on the website and blog of podatkifirmowe.pl)
The Administrator undertakes numerous marketing and information activities concerning its own products, which constitute a form of direct marketing. Marketing purposes are carried out using the e-mail address provided by the client. Through the website, it is possible to subscribe to a newsletter, through which the Administrator sends information concerning changes in the law, court, and authority rulings as well as information concerning its own services and information materials prepared by the Administrator’s team. To send the newsletter, personal data concerning the e-mail address is processed. A newsletter subscription is also possible through the Administrator’s blog at podatkifirmowe.pl. The legal basis for the processing of personal data in the case of the newsletter is the legitimate interest regulated by art. 6 sec. 1 letter f GDPR and consent expressed by ticking the appropriate checkbox when subscribing to the newsletter. By ticking the checkbox you consent to receive commercial information under Article 10 of the Act on Provision of Electronic Services in conjunction with Article 172 of the Telecommunications Law. Such consent can be withdrawn at any time by resigning from receiving the newsletter by sending an email to the following address: biuro@GardensTaxLegal.pl.
f) Establishing contact with the Administrator
The Administrator makes it possible to contact him through the contact form and e-mail address available on the website. The form is used to process personal data. The legal basis for data processing for the above-described purpose is the natural person’s voluntary consent to the processing of personal data (Article 6(1)(a) of GDPR).
7. The Administrator may only retain personal information for the period necessary to fulfill the purposes for which it is used. Considering the above, the Administrator will store personal data for the following period:
a) about data processed for the purpose indicated in point 6 lit. a – for the duration of the contract,
b) about data processed for the purposes referred to in point 6 (b), (c), and (d) – for the period resulting from generally applicable laws, including those which determine the period for the barring of claims, the period for keeping accounting records and tax documentation, and in the case of proceedings conducted by legal advisers or advocates – for no longer than 10 years counting from the end of the year in which the proceedings in which the personal data were collected ended (Article 5c of the Act on Legal Advisers and Article 16c of the Act on Advocates),
c) about data processed for the purposes referred to in point 6(e) – until you object or resign from the newsletter,
d) about data processed for the purposes indicated in point 6 letter f – until the answer to the question asked via the form or e-mail address or until the withdrawal of consent, if earlier,
8. If the legal basis for the processing of personal data is consent, an individual has the right to withdraw consent at any time without affecting the legality of the processing that was performed based on consent before its withdrawal. Withdrawal of consent should be made by sending a statement of withdrawal of consent to the following address: biuro@GardensTaxLegal.pl.
9. Recipients of personal data can be entities providing external services to PDA (IT, technical support, accounting, consulting), subcontractors of services based on relevant entrustment agreements, provided that adequate security measures are applied, as well as entities and public authorities in cases required by applicable law.
10. Every data subject has the right to:
a) access to data – to obtain confirmation from the Controller as to whether his or her personal data are being processed. If data about a person are processed, he/she is entitled to access them and obtain the following information: about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the data have been or will be disclosed, the period for which the data will be stored or the criteria for their determination, the data subject’s right to request rectification, erasure or restriction of processing of personal data, and to object to such processing (Article 15 of the GDPR);
b) to obtain a copy of the data – to obtain a copy of the data undergoing processing, whereby the first copy is free of charge, and for subsequent copies, the controller may impose a fee of a reasonable amount resulting from the administrative costs (Article 15(3) GDPR)
c) rectification – request for rectification of personal data concerning her that is inaccurate or completion of incomplete data (Article 16 GDPR);
d) erasure of data – to request that his or her personal data be erased if the Controller no longer has a legal basis for processing them or the data are no longer necessary for processing (Article 17 of the GDPR)
e) restriction of processing – request for restriction of processing of personal data (Article 18 GDPR) when:
> the data subject challenges the accuracy of the personal data – for a period allowing the Administrator to verify the accuracy of the data,
> the processing is unlawful, and the data subject objects to the erasure of the data by requesting the restriction of its use,
> the Controller no longer needs the data, but they are necessary for the data subject to establish, assert or defend a claim,
> the data subject has objected to the processing – until it is established whether the legitimate grounds on the part of the Controller override the grounds of the data subject’s objection;
f) data portability – to receive in a structured, commonly used and machine-readable format the personal data concerning him or her which he or she has provided to the Controller, and to request that these data are transferred to another controller if the data are processed based on the data subject’s consent or a contract concluded with him or her and if the data are processed by automated means (Article 20 of the GDPR);
g) to object – to the processing of his/her personal data for the legitimate purposes of the Controller on grounds relating to his/her particular situation, including profiling. The Controller shall assess the existence of valid legitimate grounds for processing overriding the interests, rights, and freedoms of the data subject, or grounds for establishing, pursuing, or defending claims. If, according to the assessment, the interests of the data subject override the interests of the Controller, the Controller shall be obliged to cease processing the data for those purposes (Article 21 of the GDPR);
h) withdraw consent at any time and without giving any reason, but the processing of personal data carried out before the withdrawal of consent will still be lawful. Withdrawal of consent will cause the Administrator to cease processing personal data for the purpose for which the consent was given.
11. Each data subject has the right to complain about the supervisory authority – the President of the Office for Personal Data Protection if he/she considers that the processing of his/her personal data violates the regulations. Complaints can be submitted in the form of:
a) in writing to the address: 2 Stawki Street, 00-193 Warsaw,
b) electronically: through the ePUAP platform.
12. Providing personal data is voluntary but it is a necessary condition for providing legal or tax advisory services. Refusal to provide the data will prevent the Administrator from providing the service. Providing personal data for direct marketing purposes and to establish contact is entirely voluntary.
13. Personal data shall not be transferred to a third country (i.e. to a country other than a Member State of the European Union, Iceland, Liechtenstein, or Norway) or an international organization.