Definitions
1.1.
Administrator – BMS Legal Broniszewska Majewski i Wspólnicy Sp. K. based in Warsaw, at Mokotowska Street 15A, apartment 3, 00-640 Warsaw, registered in the register of entrepreneurs of the National Court Register under the number KRS 0000742456, whose documentation is kept at the District Court for the capital city of Warsaw in Warsaw, XII Economic Division of the National Court Register, NIP: 5213835843, e-mail: office@bms.legal.
1.2.
Personal data – information about an identified or identifiable natural person, through one or more specific factors that define their physical, physiological, genetic, mental, economic, cultural, or social identity, including their image, voice recording, contact details, location data, information contained in correspondence, and information collected via recording equipment or similar technology.
1.3.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.4.
Data subject – an individual whose personal data is processed by the Administrator.
Processing of personal data by the Administrator
2.1.
The Administrator, in connection with the carried out activities, collects and processes Personal Data in accordance with the relevant legal regulations, including, in particular, the GDPR and Polish regulations regarding the processing of personal data.
2.2.
In order to ensure the transparency of the processing of personal data, the Administrator informs about their processing at the moment of collection, including the purpose and legal basis for processing. The Administrator ensures that personal data is collected only to the extent necessary to achieve the specified purpose, and that the processing lasts only for the necessary period.
2.3.
The Administrator ensures that Personal Data is processed in a secure manner and with confidentiality, and provides access to information about the processing to Data Subjects. In the event that, despite the security measures applied, there is a breach of Personal Data protection, the Administrator will inform the Data Subjects in a manner consistent with the relevant regulations.
2.4.
Contact with the Administrator is possible via email: office@bms.legal and by postal mail to the address BMS Legal Broniszewska Majewski i Wspólnicy Sp. K., ul. Mokotowska 15A lok. 3, 00-640 Warsaw.
The security of personal data processed by the Administrator
3.1
The Administrator ensures that access to personal data is granted only to authorized individuals and only to the necessary extent due to the tasks performed by these individuals. Furthermore, the Administrator implements technical and organizational solutions to ensure that all operations on personal data are recorded and carried out exclusively by authorized individuals.
3.2
To ensure the transparency of personal data processing, the Administrator informs about the processing at the moment of collection, including the purpose and legal basis for the processing. The Administrator ensures that personal data is collected only to the extent necessary to achieve the specified purpose, and the processing lasts only for the necessary period.
3.3.
The Administrator continuously conducts a risk analysis related to the processing of personal data and monitors the adequacy of the security measures used in relation to the identified threats. If necessary, the Administrator implements additional measures to enhance the security of personal data.
3.4.
The administrator did not appoint a data protection officer.
The objectives and legal grounds for processing data
4.1
Contacting the Administrator by phone – in the case of contacting the Administrator by phone regarding matters not related to the services provided by the Administrator or the concluded agreement, the Administrator will process personal data only when it is necessary to handle the matter related to the contact. In such cases, the legal basis for processing personal data is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR), which consists of the necessity to resolve the reported matter related to the business activity conducted by him.
Contact with the Administrator via email or traditional mail – in the case of contact with the Administrator via email or through traditional mail regarding matters unrelated to the services provided by the Administrator or the contract concluded, the Personal Data contained in this correspondence will be processed by the Administrator solely for the purpose of communication and resolving the matter addressed in the correspondence. In such cases, the legal basis for processing Personal Data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which relates to conducting correspondence directed to him in connection with his business activities. Email and traditional correspondence are stored in a manner that ensures the security of the Personal Data contained therein and is disclosed only to authorized persons.
4.3.
The Administrator's execution of contracts – in the case of processing Personal Data for the purposes related to the execution of the contract, the Administrator provides the Data Subject with detailed information regarding the processing of their Personal Data at the time of concluding the contract or at the time of obtaining the Personal Data when processing is necessary for the conclusion of the contract. In such a case, the legal basis for processing Personal Data is the execution of the contract (Article 6(1)(b) of the GDPR) and, in the case of sensitive data, the establishment, assertion, or defense of claims (Article 9(2)(f) of the GDPR).
4.4.
Processing Personal Data of client staff – in the case of processing Personal Data related to the conclusion and execution of contracts within the scope of business activities, the Administrator acquires Personal Data of data subjects involved in the performance of contracts from clients. The scope of the transmitted Personal Data is in each case limited to the extent necessary for the execution of the contract and usually does not include information other than the name and surname and business contact details. The specified Personal Data is processed to fulfill the legitimate interests of the Administrator and the client (art. 6 sec. 1 letter f of GDPR), which consists in enabling the proper execution of the contract and for the purpose of establishing, pursuing, or defending claims (art. 9 sec. 2 letter f of GDPR). The specified Personal Data may be disclosed to third parties involved in the execution of the contract, as well as to entities obtaining access to Personal Data based on regulations concerning the disclosure of public information and proceedings conducted under public procurement law, to the extent provided for by these regulations. The specified Personal Data is processed for the duration necessary to achieve the above interests and to fulfill the obligations arising from the regulations.
4.5.
Other cases of data collection – The Administrator processes Personal Data also in other cases such as participation in conferences and industry meetings, business meetings, training sessions, workshops, or seminars. The legal basis for processing Personal Data in this case is the legitimate interest of the Administrator (art. 6 sec. 1 lit. f GDPR), which consists of creating a network of contacts related to the conducted activity. Personal Data collected in such cases is processed solely for the purpose for which it was collected.
Data recipients
In the course of its activities, the Administrator discloses Personal Data to third parties, such as: entities providing legal or accounting services, couriers, suppliers of IT systems and equipment. The Administrator may disclose selected Personal Data of the data subject to the relevant authorities or third parties that request such information, based on the appropriate legal basis and in accordance with applicable law. Personal Data is made available to authorized recipients to the extent that it does not violate the obligation of confidentiality imposed on lawyers.
Data transfer outside of the EEA
6.1.
The Administrator transfers Personal Data outside the EEA only when necessary and with an appropriate level of protection (informing about the intention to transfer Personal Data outside the EEA at the stage of their collection), primarily through:
6.1.1.
cooperation with entities processing personal data in countries for which a relevant decision has been issued by the European Commission regarding the finding of an adequate level of protection of personal data,
6.1.2.
the use of standard contractual clauses issued by the European Commission, provided that an adequate level of personal data protection is ensured,
6.1.3.
the use of binding corporate rules approved by the relevant supervisory authority.
The period of processing Personal Data by the Administrator
7.1.
The period for processing personal data by the Administrator depends on the basis and purpose of the processing.
7.1.1.
In the case of processing Personal Data based on the legitimate interest of the Administrator, Personal Data is processed for a period that allows the realization of this interest or until an effective objection to the processing of Personal Data is raised.
7.1.2.
In the case of processing Personal Data on the basis of a contract, Personal Data is processed until the contract is terminated or for a period set forth by the Act of May 26, 1982, the Law on the Bar, i.e., 10 years from the end of the year in which the personal data was collected – in the case of personal data processed by lawyers in connection with data obtained by the lawyer while providing legal assistance, Article 21(1) of the GDPR (right to object) does not apply.
7.2.
The processing period of personal data may be extended in cases where processing is necessary for the establishment or pursuit of claims or defense against claims, and after this period – to the extent required by legal regulations.
Rights of Data Subjects related to the processing of Personal Data
8.1.
In connection with the processing of Personal Data, Data subjects have the following rights:
8.1.1.
the right to information about the processing of personal data – on this basis, the Administrator provides the data subject submitting the request with information about the processing of personal data, including primarily the purposes and legal bases for processing, the scope of the personal data held, the entities to whom it is disclosed, and the planned date for their deletion.
8.1.2.
right to obtain a copy of Personal Data – based on this, the Administrator provides a copy of the processed Personal Data concerning the data subject making the request.
8.1.3.
the right to rectification – The Administrator is obliged to remove any errors in the processed personal data and to complete it if it is incomplete.
8.1.4.
the right to delete Personal Data – on this basis, the Data Subject may request the deletion of Personal Data that is no longer necessary for the purposes for which it was collected.
8.1.5.
the right to restrict processing – in the event of such a request in the circumstances described in Article 18 of the GDPR, the Administrator will restrict the processing of Personal Data in the manner and for the duration specified in the referenced provision.
8.1.6.
the right to data portability – to the extent that Personal Data is processed automatically in connection with a contract – the Administrator shall, at the request of the Data Subject, provide the Personal Data of the Data Subject in a format that allows for the reading of data by a computer. It is also possible to request the transfer of this data to a third party, provided that there are technical capabilities for this both on the part of the Administrator and the indicated third party.
8.1.7.
the right to object to the processing of data – The data subject may at any time object – for reasons related to their particular situation – to the processing of Personal Data, which is carried out on the basis of the legitimate interest of the Administrator; the objection in this regard should include a justification. The right to object does not apply in the case of Personal Data obtained by a lawyer in connection with providing legal assistance.
8.1.8.
the right to lodge a complaint – if it is believed that the processing of Personal Data violates the law, the Data Subject may lodge a complaint with the supervisory authority responsible for the processing of Personal Data, which is relevant based on the ordinary residence of the Data Subject, their place of work, or the place of the alleged violation. In Poland, the supervisory authority is the President of the Personal Data Protection Office (Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw)
8.2.
Requests regarding the exercise of rights of Data Subjects can be submitted electronically to the address: office@bms.legal or in writing to: BMS Legal Broniszewska Majewski i Wspólnicy Sp. K., 00-640 Warsaw, ul. Mokotowska 15A lok. 3. If the Administrator is unable to identify the Data Subject based on the submitted request, they will ask the requester for additional information. Providing this information is not mandatory, but failure to do so will result in the refusal to fulfill the request.
8.3.
The response to the application should be provided immediately, no later than one month from its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant of the reasons for this action.
The administrator does not engage in automated decision-making and does not create profiles of data subjects.
© All rights reserved.