Privacy and data protection policy
.
1.1 Administrator - FTAX FILIP BIEGUN, Warsaw, al. Jana Pawła 11/p.901, 00-828 Warsaw.
1.2 Personal Data - all information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact data, information contained in correspondence, as well as device IP, location data, internet identifier and information collected through cookies and other similar technology.
1.3. Policy - this Privacy and Data Protection Policy.
1.4. RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Service - the website operated by the Administrator at https://ftax.org.
1.6. User - any natural person visiting the Service or using one or more services or functionalities described in the Policy.
1.7. Data Subject - any natural person whose personal data is processed by the Administrator, e.g. a person visiting the Administrator's premises or directing an enquiry to the Administrator in the form of an email or a User.
.
.
2.1 In connection with its activities, the Administrator shall collect and process personal data in accordance with the relevant legislation, including in particular the RODO, and the data processing rules provided for therein.
2.2 The Controller shall ensure transparency of data processing, in particular always informing about the data processing at the time of collection, including the purpose and legal basis of the processing - e.g. when concluding a contract for the sale of goods or services. The controller shall ensure that data are collected only to the extent necessary for the stated purpose and are processed only for the period of time necessary.
2.3 When processing the data, the Controller shall ensure the security and confidentiality of the data and access to information about the processing to the data subjects. If, despite the security measures in place, a breach of personal data protection (e.g. data "leakage" or data loss) were to occur, the Controller shall inform the data subjects of such an event in accordance with the regulations.
2.4 In connection with the User's use of the Website, the Administrator collects data to the extent necessary to provide the individual services offered, as well as information about the User's activity on the Website. The detailed principles and purposes of the processing of personal data collected during the User's use of the Website are described below.
.
E-MAIL AND TRADITIONAL CORRESPONDENCE.
3.1 Where correspondence is addressed to the Administrator by e-mail or traditional mail not related to the services provided to the sender or any other contract concluded with the sender, the personal data contained in such correspondence shall be processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.
3.2 The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO) in carrying out the correspondence addressed to it in connection with its business activities.
3.3 The Administrator only processes personal data relevant to the matter to which the correspondence relates. All correspondence shall be stored in a manner that ensures the security of the personal data (and other information) contained therein and shall only be disclosed to authorised persons.
Telephone CONTACT 3.4.
3.4 In the case of contacting the Administrator by telephone, on matters not related to the contract concluded or the services provided, the Administrator may request personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting of the need to resolve the reported matter related to his/her business activity.
Use of the Website.
3.5 Personal data of the Service Users (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Administrator:
3.5.1. for the purpose of providing services electronically in the scope of making available to the Users the content collected on the Website - then the legal basis of processing is the necessity of processing for the performance of the agreement (art. 6.1.b RODO);
3.5.2. for analytical and statistical purposes - then the legal basis for processing is the Administrator's legitimate interest (Article 6(1)(f) RODO) consisting of conducting analyses of Users' activity, as well as their preferences in order to improve the applied functionalities and provided services;
3.5.3. for the purposes of possible establishment and investigation of claims or defence against them
- the legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting in the protection of his/her rights;
NEWSLETTER.
3.6 The Administrator sends information regarding its offer to persons who have provided their e-mail address for this purpose. Providing data in order to receive information concerning the Administrator's offer is voluntary. The Administrator sends such information only if the User has given his/her consent, which he/she may withdraw at any time - without affecting the legality of the processing performed before its withdrawal.
3.7 Personal data is processed for the purpose of sending information concerning the Administrator's offer by e-mail within the framework of a newsletter - the legal basis for the processing, including profiling, is the Administrator's legitimate interest (Article 6(1)(f) RODO) in connection with the consent to receive the newsletter.
SOCIETY PORTALS.
3.8 The Administrator processes the personal data of Users visiting the Administrator's profiles maintained on social media (Linkedin, Twitter, Facebook). This data is processed exclusively in connection with the running of the profile, including for the purpose of informing Users about the Administrator's activities and promoting various events, services and products. The legal basis for the Administrator's processing of personal data for this purpose is its legitimate interest (Art. 6(1)(f) RODO) in promoting its own brand.
RECRUITMENT.
3.9 In the context of recruitment processes, the Administrator expects the transfer of personal data (e.g. in a CV or resume) only to the extent stipulated by employment law. Accordingly, information should not be provided to a broader extent. In the event that the submitted applications contain additional data, these will not be used or taken into account in the recruitment process.
3.10. Personal data shall be processed:
3.10.1. in order to comply with legal obligations related to the employment process, including primarily the Labour Code - the legal basis for processing is a legal obligation incumbent on the Administrator (Article 6(1)(c) of the RODO in relation to the provisions of the Labour Code);
3.10.2. in order to carry out the recruitment process in the scope of data not required by law, as well as for the purposes of future recruitment processes
- the legal basis for processing is consent (Article 6(1)(a) RODO);
3.10.3. for the purpose of establishing or asserting potential claims or defending against such claims - the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) RODO).
COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS.
3.11 Where data is collected for the purpose of performing a specific contract, the Controller shall provide the data subject with details of the processing of his/her personal data at the time of entering into the contract.
COLLECTION OF DATA IN OTHER CASES.
3.12. In connection with its activities, the Controller also collects personal data in other cases - e.g. during business meetings, at industry events or by exchanging business cards - for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting of networking in connection with the business.
3.13 Personal data collected in such cases shall be processed only for the purpose for which it was collected and the Administrator shall ensure that it is adequately protected.
.
4.1 Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information to facilitate the use of the Website - e.g. by remembering the User's visits to the Website and the actions they perform.
"SERVICE" COOKIES .
4.2 The Administrator uses the so-called "service" cookies primarily to provide the User with services provided electronically and to improve the quality of these services. In this regard, the Administrator and other entities providing analytical and statistical services to the Administrator make use of cookies, storing information or accessing information already stored in the User's telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:
4.2.1. user input cookies (session ID) for the duration of the session;
4.2.2. authentication cookies used for services that require authentication for the duration of the session;
4.2.3. security cookies, e.g. used for authentication abuse detection (user centric security cookies);
4.2.4. multimedia player session cookies (e.g. flash player cookies), for the duration of the session;
4.2.5. permanent user interface customisation cookies, for the duration of the session or slightly longer (user interface customisation cookies),
4.2.6. cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse your use of the Website, to create statistics and reports on the functioning of the Website). Google does not use the data collected to identify the User, nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.
.
5.2 The processing period may be extended if the processing is necessary for the establishment, assertion or defence of possible claims, and thereafter only if and to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymised.
.
.
6.1 The data subject has the right: to access the content of the data and to request rectification, erasure, restriction of processing, the right to data portability and to obtain a copy of the data, to object to the processing of the data,
as well as the right to lodge a complaint with the supervisory authority dealing with personal data protection.
6.2 To the extent that the data are processed on the basis of consent, the consent may be withdrawn at any time by contacting the Controller, which shall not affect the lawfulness of the processing before the withdrawal.
6.3 The data subject shall have the right to object to the processing of data for marketing purposes if the processing is carried out in relation to the legitimate interest of the Controller, and - for reasons related to the particular situation of the data subject - in other cases where the legal basis of the processing is the legitimate interest of the Controller (e.g. in relation to the performance of analytical and statistical purposes).
6.4 A request for the exercise of data subjects' rights may be made:
6.4.1. in writing to: Filip Biegun Doradztwo Podatkowe, ul. Jana Kazimierza 64a/613, 01-248 Warszawaa.
6.4.2. by e-mail to: fbiegun@fbtax.pl.
6.5 If the Administrator is not able to identify the person submitting the application on the basis of the notification made, it will ask the applicant for additional information.
6.6 The application may be made in person or through a proxy (e.g. a family member). For reasons of data security, the Administrator encourages the use of a power of attorney in a form certified by a notary public or an authorised solicitor or barrister, which will significantly speed up the verification of the authenticity of the application.
6.7 The application should be responded to within one month of receipt. If it is necessary to extend this deadline, the Administrator shall inform the applicant of the reasons for the delay.
6.8 The response shall be provided by post, unless the request was made by email or an electronic response was requested.
6.9 The processing of submitted applications is free of charge. Fees may only be charged in the event of:
6.9.1. a request for issuance of the second and each subsequent copy of the data (the first copy of the data is free of charge); in such a case the Administrator may require payment of a fee of PLN 20.
The aforementioned fee includes administrative costs related to the execution of the request.
6.9.2. the same person making excessive requests (e.g. extremely frequent) or manifestly unfounded; in such a case the Administrator may request payment of a fee in the amount of PLN 50.
The aforementioned fee includes the costs of communication and the costs related to taking the requested action.
6.10 If a decision to impose a fee is disputed, the data subject may lodge a complaint with the President of the Office for Personal Data Protection.
.
PROCEEDINGS IN CASE OF INSPECTION AND CONFIRMATION OF A BREACH 7.1.
7.1 A personal data breach is a breach of security leading to
to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed by the Controller.
7.2 Any incident that may constitute a Data Protection Breach shall be reported immediately to the Controller. Each employee or co-worker of the Controller shall take action to report the respective breach within a maximum of 4 hours
from the time of observing the situation that may constitute a breach.
7.3 The Administrator shall, immediately upon receipt of the relevant information, conduct an investigation into any reported situation where a data breach cannot be excluded. The investigation consists of collecting the information necessary to complete the record of infringements and aims to determine, on the basis of this information, whether a breach has occurred (determination of a breach). A finding of a breach occurs when, on the basis of the information gathered, it can be reasonably assumed that a Breach has occurred or is reasonably likely to occur.
7.4 The actions taken as part of the investigation shall be documented in the form of a memo. The notes and the collected materials, documents, etc. shall be kept for the time necessary to clarify the circumstances of the Infringement, which also includes any actions taken by the Supervisory Body or a court (until final decisions),
and for another 6 months thereafter.
7.5 If a Breach is found (irrespective of its final classification), the date and time at which the Breach was found shall be recorded.
7.6 The Administrator shall assess:
7.6.1. whether it is likely that the identified Breach results in a risk of infringement of the rights or freedoms of individuals,
7.6.2. whether the Breach is likely to result in a high risk of infringement of the rights or freedoms of natural persons.
7.7 In making the assessment referred to in para. 7.6 of the Procedure, the Administrator shall take into account the circumstances of the Breach, including its severity, scale and possible negative impact on the situation of data subjects, as well as the likelihood of such negative impact. In particular, the Administrator shall take into account:
7.7.1. the type of Breach, i.e. whether there has been unauthorised disclosure, loss, destruction, modification or unauthorised access - this mainly affects the assessment of the types of possible negative consequences of the Breach;
7.7.2. the type, level of sensitivity and scale of the data affected by the Breach, i.e. whether the Breach involves special categories of Data - mainly affects the assessment of the possible negative consequences of the Breach;
7.7.3. whether the Data can be readily linked to an individual - mainly affects the assessment of the likelihood of the risk of infringement of the rights or freedoms of individuals;
7.7.4. the seriousness of the potential consequences for data subjects;
7.7.5. the special characteristics of the Data Subjects, e.g. vulnerable persons like children or persons with addictions - mainly influences the assessment of the possible negative consequences of the Breach;
7.7.6. the number of Data Subjects affected by the Breach - mainly affects the assessment of the likelihood of the risk of infringement of the rights or freedoms of individuals.
7.8 Where it is determined that the Breach is unlikely to result in a risk of infringement of the rights or freedoms of natural persons, the Controller shall take no action, subject to the need to enter the Breach in the Breach Register.
7.9 Where it is determined that it is likely that the Breach results in a risk of infringement of the rights or freedoms of individuals, the Administrator shall report the Breach to the Supervisory Body. Unless otherwise permitted by the Supervisory Body to report the Breach, the Administrator shall make the notification by sending a scan of the notification to the Supervisory Body's address and the original by registered mail to the Supervisory Body's address. The notification shall be made immediately, but no later than within 72 hours of the discovery of the Breach. If it is not possible to submit the complete information within this timeframe, part of the information should be sent, indicating at the same time the type of information to be completed and the deadline for this completion. If the deadline is missed, a notification should be made, explaining the reasons for missing the deadline.
7.10. If it is determined that the Breach may cause a high risk of infringement of rights or freedoms of natural persons, the Controller shall make a notification and, in addition, immediately inform the Data Subjects affected by the Breach. The Controller shall inform the Data Subjects of the Breach by e-mail or any other means of communication allowing to provide the information in the shortest possible time. If an exhaustive identification of the Data Subjects affected by the Infringement is not possible, the Administrator shall post the information on its website or communicate it in another way that maximizes the chances of the information reaching the relevant Data Subjects.
7.11 The notification of the Breach shall be made:
7.11.1. electronically by means of an appropriate form to be filled in and then attached to the general letter available on the biznes.gov.pl platform, or sent via ePUAP to the electronic sub-box address: /GIODO/ESP box or
7.11.2. by sending the form as an attachment to the electronic mailbox address: /GIODO/SkrytkaESP.
Registry of Violations.
7.12 The Administrator shall maintain a Register of personal data protection violations in electronic form. The Register is a business secret of the Administrator.
7.13 Each case of Personal Data Protection Breach shall be entered in the Register and described in accordance with the Registry's systematics. In any case of a Breach in which the Controller does not make a notification to the Supervisory Authority or does not inform the Data Subjects affected by the Breach, the reasons for such decision shall be described in detail in the Register.
.
8.2 The Administrator reserves the right to disclose selected information concerning the data subject to competent authorities or third parties who request such information on the basis of an appropriate legal basis and in accordance with
accordance with the provisions of applicable law.
.
9.1.1. cooperating with processors of personal data in countries for which a relevant European Commission decision has been issued;
9.1.2. applying the standard contractual clauses issued by the European Commission;
9.1.3. applying binding corporate rules approved by the competent supervisory authority;
9.1.4. in the case of data transfers to the USA, cooperation with entities participating in the Privacy Shield programme approved by a decision of the European Commission.
9.2 The controller shall always inform of its intention to transfer personal data outside the EEA at the stage of collection.
.
10.2 The Administrator shall take all necessary measures to ensure that also his subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.
10.3 The Administrator shall perform on an ongoing basis a risk analysis and monitor the adequacy of the applied data security measures to the identified risks. If necessary, the Administrator shall implement additional measures to enhance data security.
.
11.1 Contact with the Administrator is possible via e-mail address: fbiegun@fbtax.pl or correspondence address: Filip Biegun Doradztwo Podatkowe, ul. Jana Kazimierza 64a/613, 01-248 Warsaw.
.
.
12.1 The Policy is kept under review and updated as necessary. The current version of the Policy has been adopted and is effective from 1 November 2022.