Privacy Policy

Legal Office PIERÓG & Partners assures that the data entrusted to it are processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU L 2016.119.1) – hereinafter referred to as the “GDPR”, as well as the Act of 10 May 2018 on the protection of personal data.

The purpose of this Privacy Policy is to explain the principles on which personal data are processed and to discuss your basic rights related to the processing of your personal data by us.

I. Data Controller

The controller of personal data is Jerzy Pieróg, conducting business activity under the name Legal Office Jerzy PIERÓG & Partners, with its registered office in Warsaw, at ul. Wspólna 50, unit 6, 00-684 Warsaw, NIP 525-115-42-81, REGON 013109095 (the “Controller”).

Contact with the Controller is possible via the above correspondence address, as well as via e-mail at:
kancelaria@pierog.pl

The Controller ensures that data are collected only to the extent necessary for the specified purpose and only for the period necessary to achieve that purpose.

II. Types of personal data

The Controller processes personal data necessary to achieve a specific processing purpose, in particular: first name, last name, employer, job title, e-mail address, correspondence address, telephone/fax number, residential address, NIP, REGON, PESEL, which were provided in the course of the Controller’s business activity.

In the scope of public procurement procedures, the Controller may process personal data concerning experience, qualifications and authorisations of persons designated by contractors to perform the contract, information on the criminal record of members of management boards and supervisory boards, data of contractors who are natural persons, as well as other personal data provided by the contractor or contracting authority necessary to prepare and conduct a public procurement procedure.

Providing data is necessary for concluding contracts, providing services and settling accounts related to business activity.
In other cases, providing data is voluntary; however, depending on the circumstances, refusal to provide data or a request for their deletion may prevent the Controller from providing information about its activities and maintaining contact.

III. Scope, period and purposes of personal data processing

A. CORRESPONDENCE AND TELEPHONE CONTACT

1. Scope and source of data
The Controller processes your personal data in the following scope: first name, last name, employer, job title, e-mail address, correspondence address, telephone/fax number.
Your personal data were obtained directly from you or from the entity you represent or by which you are employed.

2. Purposes of processing
We process your data for the purpose of:
a) ongoing contact unrelated to services provided to you as the sender of correspondence and not related to the performance of another contract between you and the Controller, in order to resolve or finalise the matter to which the correspondence relates (legal basis: Article 6(1)(f) GDPR);
b) conducting e-mail and traditional correspondence related to the Controller’s business activity (legal basis: Article 6(1)(f) GDPR);
c) telephone contact related to business activity, including informing about services (legal basis: Article 6(1)(f) GDPR);
d) other legitimate purposes related to establishing and maintaining business contacts and building a network of contacts (legal basis: Article 6(1)(f) GDPR).

3. Data retention period
Your personal data will be processed for the period necessary to achieve the purpose of contact and during the period of maintaining ongoing relations, including correspondence exchange, and after the termination of such relations for a period of 2 years. Where data are processed on the basis of the Controller’s legitimate interest, the data will be processed for the period enabling the pursuit of that interest or until an effective objection to the processing is raised.
The processing period may be extended within the limits of the law where personal data processing is necessary for the establishment, exercise or defence of claims.
After the processing period, the data will be deleted or anonymised.

B. PERFORMANCE OF CONTRACTS / ORDERS

Where data are collected for the purpose of performing a specific contract, the Controller provides the data subject with information regarding the processing of their data (including scope, purpose and retention period) at the time of concluding the contract.

C. COOPERATION WITH CONTRACTORS AND CLIENTS, INCLUDING POTENTIAL CLIENTS

1. Scope and source of data
The Controller processes your personal data in the following scope: first name, last name, employer, job title, e-mail address, correspondence address, telephone/fax number, residential address, NIP, REGON, PESEL.
Your personal data were obtained directly from you, from your employer or the entity you represent, or from public registers (KRS, CEIDG).

2. Purposes of processing
The Controller processes your data for the purpose of:
a) ongoing contact related to concluding or performing a contract, presenting an offer, sending an order, responding to enquiries (legal basis: Article 6(1)(f) GDPR);
b) conducting e-mail and traditional correspondence related to the performance of contracts, orders, submitted offers and enquiries (legal basis: Article 6(1)(f) GDPR);
c) telephone contact related to services performed and business activity, including contract performance and informing about services (legal basis: Article 6(1)(f) GDPR);
d) informing about events organised by the Controller or in which the Controller participates (legal basis: Article 6(1)(f) GDPR);
e) performance of contracts and orders, including the establishment or defence of claims (legal basis: Article 6(1)(b) GDPR);
f) performance of contracts concluded by the Controller with clients, including organising training, in order to cooperate with suppliers and other entities cooperating with the Controller (legal basis: Article 6(1)(b) GDPR);
g) other legitimate purposes related to establishing and maintaining business contacts and building a network of contacts, e.g. through exchanging business cards, organising/participating in business meetings/conferences/events (legal basis: Article 6(1)(f) GDPR).

3. Data retention period
The Controller will process your personal data for the period necessary to perform the contract, as well as for the limitation period of claims arising from the contract. Where data are processed on the basis of the Controller’s legitimate interest, the data will be processed for the period enabling the pursuit of that interest or until an effective objection is raised.
The processing period may be extended within the limits of the law where personal data processing is necessary for the establishment, exercise or defence of claims.
After the processing period, the data will be deleted or anonymised.

D. CONTACT VIA WWW.PIERÓG.PL

1. Scope and source of data
The Controller processes your personal data in the following scope: first name, last name, employer, e-mail address, telephone/fax number, correspondence address.
Your data were obtained directly from you via the contact form available on www.pierog.pl.

2. Purposes of processing
The Controller processes your data for the purpose of:
a) responding to your enquiries submitted via the contact form (Article 6(1)(f) GDPR);
b) establishing cooperation with you or your employer/principal (Article 6(1)(f) GDPR);
c) establishing or pursuing possible claims or defending against such claims (Article 6(1)(f) GDPR).

3. Data retention period
The Controller will process your personal data during the period of maintaining ongoing relations, including correspondence exchange, and after the termination of such relations for a period of 2 years. Where data are processed on the basis of the Controller’s legitimate interest, the data will be processed for the period enabling the pursuit of that interest or until an effective objection is raised.
The processing period may be extended within the limits of the law where personal data processing is necessary for the establishment, exercise or defence of claims.
After the processing period, the data will be deleted or anonymised.

E. RECRUITMENT

1. Scope and source of data
The Controller processes your personal data in the following scope: first name, last name, date of birth, information on education, experience and qualifications, interests, photograph (image), e-mail address, correspondence address, telephone/fax number, residential address.
Your personal data were provided to the Controller electronically to the Controller’s e-mail address or in paper form at the Controller’s registered office. The data were obtained directly from you or from a recruitment agency.

2. Purposes of processing
We process your data for the purpose of:
a) conducting recruitment of persons interested in employment or cooperation with the Controller (legal basis: Article 22¹ of the Labour Code and Article 6(1)(c) GDPR, Article 6(1)(a) GDPR);
b) assessing your qualifications for the position covered by the application (legal basis: Article 6(1)(c) GDPR, Article 6(1)(a) GDPR);
c) inviting you to a job interview (legal basis: Article 6(1)(c) GDPR, Article 6(1)(a) GDPR);
d) establishing or pursuing possible claims or defending against such claims (Article 6(1)(f) GDPR);
e) with your consent, processing the data entrusted to the Controller also for future recruitment processes (Article 6(1)(a) GDPR).

3. Data retention period
The Controller will process your personal data until the completion of the recruitment process for the position covered by the application.
Where consent is given for processing personal data for future recruitment purposes, the Controller will store your data for a period of 2 years from the date of their collection. Where data are processed on the basis of the Controller’s legitimate interest, the data will be processed for the period enabling the pursuit of that interest or until an effective objection is raised. Where processing is based on consent, the data will be processed until the consent is withdrawn.
The processing period may be extended within the limits of the law where personal data processing is necessary for the establishment, exercise or defence of claims.
After the processing period, the data will be deleted or anonymised.

F. PUBLIC PROCUREMENT

1. Scope and source of data
The Controller processes only personal data necessary to achieve a specific processing purpose, including:
a) first name, last name, job title, e-mail address, correspondence address, telephone/fax number, residential address, NIP, REGON – provided by Contractors who are natural persons,
b) first name, last name, job title, e-mail address, telephone/fax number – of attorneys-in-fact and persons designated by the Contractor for contact,
c) first name, last name, job title, residential address, information on criminal record (if required) of members of corporate bodies, partners in partnerships, commercial proxies of Contractors,
d) first name, last name, job title, information on experience, qualifications and authorisations of persons designated by the Contractor to perform the contract, and the basis on which the Contractor has those persons at its disposal,
e) other personal data provided by the Contractor necessary to conduct the Procedure.

Where the Contractor applying for a public contract conducted by the Controller as the contracting authority’s attorney-in-fact provides the Controller with personal data of its personnel, attorneys-in-fact, members of bodies, proxies, partners, contractors, collaborators and contact persons, the Controller obliges Contractors to inform the persons whose data have been provided about the fact and scope of the data transfer, the Controller’s contact details and the principles of data processing.

2. Purposes of processing
The Controller collects and processes your personal data for the purpose of:
a) preparing and conducting the Procedure and concluding the public procurement contract (legal basis: Article 6(1)(c) GDPR);
b) pursuing legitimate interests of the Controller in providing services to the Contracting Authority (legal basis: Article 6(1)(f) GDPR);
c) ensuring ICT security related to activities performed electronically, including via the website pierog.pl (legal basis: Article 6(1)(f) GDPR);
d) archiving documents, in particular contracts and settlement documents (legal basis: Article 6(1)(c) GDPR);
e) fulfilling legal obligations imposed on the Controller (legal basis: Article 6(1)(c) GDPR);
f) conducting e-mail and traditional correspondence and telephone contact related to the Procedure (legal basis: Article 6(1)(c) and (f) GDPR).

The obligation to provide personal data is a statutory requirement specified in the Act of 29 January 2004 – Public Procurement Law (Journal of Laws of 2017, item 1579), hereinafter referred to as the “PPL”, related to participation in a public procurement procedure. The consequences of failure to provide specific data result from the PPL.

3. Data retention period
Your personal data will be stored, in accordance with Article 97(1) of the PPL, for a period of 4 years from the date of completion of the Procedure, and if the duration of the contract exceeds 4 years, the retention period covers the entire duration of the contract. Where data are processed on the basis of the Controller’s legitimate interest, the data will be processed for the period enabling the pursuit of that interest or until an effective objection is raised.
The processing period may be extended within the limits of the law where personal data processing is necessary for the establishment, exercise or defence of claims.
After the processing period, the data will be deleted or anonymised.

IV. Data recipients

In connection with the Controller’s business activity, personal data may be transferred, to the extent necessary, to external entities, in particular:
a) accounting service providers,
b) postal or courier service providers,
c) banks, where necessary for settlements,
d) entities responsible for IT systems and equipment maintenance,
e) state authorities or other entities authorised under the law to perform obligations imposed on the Controller (Tax Office, National Labour Inspectorate, Social Insurance Institution),
f) other entities where the Controller is obliged to do so by law, including the National Appeal Chamber, other contractors requesting access to procedure documentation, and supervisory authorities.

V. Transfer of data outside the European Economic Area

The Controller does not transfer personal data outside the EEA.

VI. Automated decision-making

The Controller does not make decisions in an automated manner in individual cases; in particular, your personal data will not be subject to profiling.

VII. Rights of data subjects

The processing of personal data in the provision of legal assistance services is regulated by law, contracts concluded with clients or general terms and conditions for the provision of legal services.

Subject to situations specified by law, data subjects have the right to:
1. access the content of their data,
2. rectify inaccuracies or errors in processed data or supplement them,
3. obtain information about processed data, including purposes and legal bases,
4. restrict the processing of personal data,
5. withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal, where processing is based on consent,
6. data portability,
7. object to processing for marketing purposes or based on the Controller’s legitimate interest,
8. lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office, where processing of personal data violates legal provisions, including the GDPR.

Requests regarding the exercise of these rights should be submitted in writing or electronically to the addresses indicated in Section I.

Some of the above rights may not apply to the processing of personal data in the provision of legal assistance services and in public procurement procedures.

VIII. Data security

1. The Controller makes every effort to ensure the security of the personal data entrusted to it.
2. The Controller:
a) ensures transparency of data processing,
b) informs about data processing at the time of data collection, except where separate regulations provide otherwise,
c) ensures that data are collected only to the extent necessary for the specified purpose and processed only for as long as necessary,
d) ensures confidentiality by granting access only to authorised persons,
e) complies with obligations arising from the professional secrecy of legal advisers and advocates.
3. To ensure data integrity and confidentiality, the Controller:
a) has implemented procedures enabling access to personal data only to authorised persons and only to the extent necessary for their tasks,
b) applies organisational and technical measures to ensure that all operations on personal data are adequately secured,
c) takes necessary steps to ensure that entities cooperating with the Controller provide guarantees of applying appropriate security measures whenever they process personal data on the Controller’s behalf,
d) where necessary, implements additional measures to enhance data security.
4. In the event that, despite the security measures taken, a personal data breach occurs and may result in a high risk to the rights and freedoms of data subjects, the Controller will promptly inform the affected persons.

IX. Final provisions

The personal data processing policy is regularly reviewed and updated as necessary.
The personal data processing policy has been in force since 25 May 2018.
The Controller has a separate cookie policy.
