
GDPR

Information on the processing of your personal data at KIR


Contact

The Personal Data Protection Officer

Andrzej Rutkowski
Personal Data Protection Officer

Greta Kłubowicz
Vice Personal Data Protection Officer

e-mail: iod@kir.pl

Address
Krajowa Izba Rozliczeniowa S.A. 02-781 Warszawa
ul. rtm W. Pileckiego 65


GDPR

Under Art. 13, section 1 and section 2 as well as Art. 14, section 1 and section 2 of the Regulation of the European Parliament and of the Council (EU) No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR")

 

Controller of your Personal Data

 

 

The controller of your personal data is Krajowa Izba Rozliczeniowa Spółka Akcyjna (hereinafter referred to as "KIR"), with its registered office in Warsaw at ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa, National Court Register (KRS): 0000113064.

 

Contact details

A Personal Data Protection Officer was appointed at KIR. The Personal Data Protection Officer can be contacted by e-mail: IOD@kir.pl, or by post: ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa.

eIDAS

means the Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter referred to as "eIDAS");

 

 

 

Purpose and legal grounds for processing of your personal data

Categories of personal data

       

1. Provision of trust services:

· Fulfilment of a legal obligation – Art. 6, section 1, letter c of the GDPR in connection with Art. 24 of eIDAS;

· Conclusion and performance of the agreement – Art. 6, section 1, letter b of the GDPR;

· Legitimate interests pursued by KIR, in order to ensure the security of the trust service provided and to prevent data forgery – Art. 6, section 1, letter f of the GDPR in connection with Art. 19, section 1, Art. 24, section 2, letter g and Annex II, section 1, letter c of the eIDAS;

Categories of personal data:

The subscribers, to whom certificates are issued on a secure medium: full name, date of birth, place of birth, Polish Resident Identification Number (PESEL), IN VAT (NIP), series and number of an identity document, place of work, telephone number, e-mail address, nickname; other personal data contained in the certificate referred to in Art. 28, section 3 of the eIDAS.

The subscribers, to whom certificates are issued remotely: full name, Polish Resident Identification Number (PESEL), series and number of an identity document, telephone number, e-mail address;

Data contained in subscriber's PDF files signed via the mSzafir portal and the mobile application

 

2. Provision of the Paybynet service:

In order to perform an agreement for the provision of a service – Art. 6, section 1, letter f of the GDPR and Art. 6, section 1, letter b of the GDPR;

Categories of personal data: E-mail address, transaction identifier;

3. Determining the risk indicator of using the services of banks and credit and savings unions for purposes related to a tax fraud:

– Art. 6, section 1, letter c of the GDPR in connection with Art. 119 zu, section 2 and Art. 119 zn, section 2a and section 3 of the act of 29 August 1997, the Tax Ordinance Act;

Intermediation in the provision of the information on virtual account masks to the Head of National Tax Administration by banks and credit and savings unions in connection with the list of registered, unregistered, deleted and reinstated entities in the VAT register kept by the Head of National Tax Administration;

Intermediation in the transfer of supplementary data for the list referred to in Art. 96b, section 3, item 13, letter 3b of the Value Added Tax Act between the Head of National Tax Administration and banks and credit and savings unions;

Categories of personal data: Full name, company, Polish Resident Identification Number (PESEL), IN VAT (NIP) / EU VAT (EURONIP) / other tax identification number, National Business Registry Number (REGON), other register, type of business, date of registration or commencement of business, country of registration or tax residence of the qualified entity, address details of the business and corporate office, correspondence address with country code, postal code, town, street, building and suite number, telephone number of the qualified entity, e-mail address of the qualified entity, bank account number, currency, date of opening and closing; IP address;

 

4. Management of the electronic identification system, assertion of identity and verification of data identifying persons applying for the issuance of an electronic identification means in a manner adequate to the security level of a given electronic identification means in accordance with the requirements set out in the regulations issued under Art. 8, section 3 of eIDAS; issuing, suspending and cancelling electronic identification means:

– Under Art. 6, section 1, letter c of the GDPR in connection with Art. 21q, section 1 of the Act of 29 September 2016, the Trust Services and Electronic Identification Act;

Categories of personal data: Full name, maiden name, Polish Resident Identification Number (PESEL) or unique identifier of the electronic identification means referred to in the regulations issued under Art. 12, section 8 of eIDAS, date of birth, place of birth, gender, residential address;

5. Handling notifications, which are inquiries about services provided by KIR, including direct marketing of KIR services:

– Based on the consent of the data subject – Art. 6, section 1, letter a of the GDPR;

Categories of personal data: Full name, correspondence address, telephone number, e-mail address;

6. Handling electronic correspondence:

– Based on the legitimate interest of KIR – Art. 6, section 1, letter f of the GDPR;

Categories of personal data: Full name, correspondence address, telephone number, e-mail address, IN VAT (NIP), official position;

 

7. Protection of the areas of data and information processing, the disclosure of which could cause damage to KIR:

– Based on the legitimate interest of KIR – Art. 6, section 1, letter f of the GDPR;

Categories of personal data: Full name, place of employment, image, e-mail address, business telephone number;

8. Supervision over the KIR facilities and over the surrounding areas (monitoring):

– Based on the legitimate interest of KIR – Art. 6, section 1, letter f of the GDPR;

Categories of personal data: Image, time spent in the protected area;

9. Acquisition and selection of candidates for work at KIR:

· In order to fulfil the legal obligation incumbent on KIR – under Art. 6, section 1, letter c of the GDPR in connection with Art. 221, section 1 of the Labour Code,

· Based on the consent of the applicant for the processing of his or her personal data contained in the CV – Art. 6, section 1, letter a of the GDPR;

Categories of personal data: Full name, date of birth; contact details: place of residence (correspondence address), telephone number; education, employment history;

10. Consideration of the request and providing a response to the data subject regarding the processing of his or her personal data:

· under the relevant regulations – Art. 6, section 1, letter c of the GDPR,

Categories of personal data: Full name, e-mail address, telephone number, Polish Resident Identification Number (PESEL), number and series of identity document;

11. Legitimate interest of KIR, which is pursuing claims and defending against claims – Art. 6, section 1, letter f of the GDPR

Categories of personal data: Full name, e-mail address, telephone number, Polish Resident Identification Number (PESEL), number and series of identity document;

Recipients of your personal data

Your personal data may be disclosed to entities processing personal data for KIR (that is, to KIR consultants, including legal advisers and IT service providers), and such entities shall process your personal data under an agreement with KIR and only in accordance with the instructions of KIR.

 

Personal data may only be disclosed to the extent necessary and only under a relevant valid legal basis for such disclosure consistent with the above-mentioned purposes of processing.

KIR may disclose the processed personal data to state authorities or other entities authorised under the provisions of law, and in particular may disclose personal data processed for the purpose referred to in:

· section 1 - to trusted partners, the list of which is available at www.elektronicznypodpis.pl;

· section 3 - to the Head of the National Tax Administration, banks, credit and savings unions – under Art. 119 zo, section 1 of the Tax Ordinance Act, to the entities entitled under Art. 119 zt, section 5 of the Tax Ordinance Act and to the entrepreneurs referred to in Art. 119 zi, section 2 of the Tax Ordinance Act;

· section 4 - to a court, a prosecutor, other authorized entities and to the Head of the Internal Security Agency (ABW) – under Art. 15, section 4 and Art. 21o, section 2 of the Act of 29 September 2016, the Trust Services and Electronic Identification Act;

· section 8 - to a trusted entity, which provides the video monitoring service;

 

Transfer of personal data to a third country

 

Your personal data will not be transferred to a third country. If it turns out to be necessary to transfer your personal data to a third country, KIR shall provide appropriate security and effective legal protection measures for the transfer of your personal data, in particular provide standard contractual clauses adopted by the European Commission, and shall inform you about this fact.

 

 

Period, for which your personal data will be stored

Personal data will be kept for the period necessary to achieve the purposes of processing; however, if other legal grounds authorising KIR to process personal data appear, this period may be changed correspondingly to the duration of such grounds.

Personal data processed for the purpose referred to in:

· section 1 - shall be kept for the period necessary to provide trust services, and for the personal data referred to in Art. 17, section 2 of the Act of 5 September 2016, the Trust Services and Electronic Identification Act – for the period required by law, which is currently 20 years from their creation, and for subscriber's PDF files signed via the mSzafir portal or mobile application – for 24 hours from signing the file;

· section 2 - shall be stored for a period of 13 months from performance of the service;

· section 3 - shall be stored for 5 years, counting from the first day of the year following the year in which KIR received the data – under Art. 119 zu, section 3 of the Tax Ordinance Act;

· section 4 - shall be deleted as soon as the proof of identity is communicated to the national node;

· section 5 - until the consent is withdrawn by the data subject;

· section 6 - for the period necessary to process the request;

· sections 7-9 - for a period of 3 months from data collection;

· section 10 - for the period necessary to consider the request;

· section 11 - for the period necessary to pursue claims or defend against claims.

 

Personal data profiling

 

Personal data processed for the purpose referred to in section 1 are subject to profiling under Art. 6, section 1, letter f of the GDPR in connection with Art. 19, section 1, Art. 24, section 2, letter g and Annex II, section 1, letter c of eIDAS, in order to ensure the security of the service provided and prevent data forgery. If, as a result of profiling, KIR becomes aware of a possible breach of the security of the trust service, it may stop the certificate generation process or cancel an already generated certificate.

Rights of the data subject

If your personal data are processed for the purposes set out in sections 1-2 and 4-11, you have the right to access your personal data and the right to demand their correction, their deletion or the restriction of their processing.

 

To the extent the basis for the processing of your personal data is your consent or an agreement concluded with KIR to which you are a party, you have the right to data portability.

To the extent the basis for the processing of your personal data is the legitimate interest of KIR, you are entitled to object to the processing of your personal data for reasons related to your particular situation.

To the extent the basis for the processing of your personal data is your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

 

Personal data processed for the purpose specified in section 3 are processed excluding the information obligations – under Art. 3 – 5 of the Act of 10 May 2018 on Personal Data Protection.

Please contact KIR to exercise the above-mentioned rights. Contact details are specified above.

You also have the right to lodge a complaint with the supervisory body dealing with the protection of the personal data, that is, to the President of the Office for Personal Data Protection.

Data source

 The personal data have been provided by you or by a business partner of KIR, who provided your personal data as its representative or for the purpose of contract performance.

 

Information about the requirement of providing your personal data

Personal data have to be provided in order to conclude an agreement, to provide KIR services and to consider any request. If they are not provided, the service will not be performed and the application will not be considered.

GDPR

Under Art. 14, section 1 and section 2 of the Regulation of the European Parliament and of the Council (EU) No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR"), KIR would like to inform you that:

 

Controller of your Personal Data

The controller of your personal data is Krajowa Izba Rozliczeniowa Spółka Akcyjna (hereinafter referred to as "KIR"), with its registered office in Warsaw at ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa, National Court Register (KRS): 0000113064.

 

Contact details

A Personal Data Protection Officer was appointed at KIR. The Personal Data Protection Officer can be contacted by e-mail: IOD@kir.pl, or by post: ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa.

 

Purpose and legal grounds for processing of your personal data

The personal data of the business partner's representatives, persons designated for working contacts and persons responsible for the coordination and performance of the Agreement will be processed in order to conclude and perform the Agreement and to establish, investigate or defend against any claims arising from the performance of the Agreement – under Art. 6, section 1, letter f of the GDPR;

 

Categories of personal data

Your personal data will be processed for the above-mentioned purposes in the following scope: full name, business telephone number, business e-mail address, official position, serial number of the certificate, if it is necessary for the performance of the Agreement, or the function performed, and, for representatives or proxies, additionally: Polish Resident Identification Number (PESEL) or the number of the identity document and other personal data visible in the power of attorney;

 

Recipients of your personal data

Your personal data may be disclosed to entities processing personal data for KIR (for example: to KIR consultants, including legal advisers and IT service providers), and such entities shall process your personal data under an agreement with the controller of personal data and only in accordance with the instructions of the controller of personal data.

Personal data may only be disclosed to the extent necessary and only under a relevant valid legal basis for such disclosure consistent with the above-mentioned purpose of processing;

 

   

Transfer of personal data to a third country

Your personal data are not transferred to a third country or any international organisation. If it turns out to be necessary to transfer your personal data to a third country, KIR shall provide appropriate security and effective legal protection measures for the transfer of your personal data, in particular provide standard contractual clauses adopted by the European Commission, and shall inform you about this fact;

 

Period, for which your personal data will be stored

Personal data will be kept for the period necessary to execute the Agreement; however, if other legal grounds authorising KIR to process personal data appear, this period may be changed correspondingly to the duration of such grounds;

Rights of the data subject

You have the right to access your personal data and the right to demand their correction, deletion or restriction of their processing. At your request, KIR will provide a copy of the personal data, which are processed, if it does not adversely affect the rights and freedoms of others.

To the extent the basis for the processing of your personal data is the legitimate interest of the controller of personal data, you are entitled to object to the processing of your personal data for reasons related to your particular situation.

In order to exercise the above-mentioned rights, please contact the controller of personal data or the Data Protection Officer. Contact details are specified above.

You also have the right to lodge a complaint with the supervisory body dealing with the protection of the personal data, that is, to the President of the Office for Personal Data Protection.

 

Data source

Personal data have been provided by the business partner;

Information about the requirement of providing your personal data

Providing personal data is necessary for the performance of the Agreement.

If they are not provided, the Agreement cannot be performed.