Information clause for Contractors’ Representatives
Ladies and Gentlemen!
In connection with the beginning of the General Data Protection Regulation (GDPR), we send a package of information explaining how CMT ADVISORY sp. z o.o. processes personal data of representatives of its Contractors in connection with the conclusion of a contract for accounting or human resources.
We want to familiarise our Business Partners with how we collect and process personal data.
We take utmost care of the personal data of individuals that we handle. Taking care of the protection of our Contractors’ personal data, we improve the description of the applied procedures and technological solutions.
I. Personal Data Administrator
CMT ADVISORY spółka z ograniczoną odpowiedzialnością (ul. Ignacego Paderewskiego 8, 61-770 Poznań), in light of the binding provisions of law, in particular in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), is the administrator of your personal data (hereinafter: Personal Data Administrator).
Contact with the Personal Data Administrator is possible in the following way:
via e-mail: firstname.lastname@example.org
by phone: 618553010
The Administrator has appointed neither a Data Protection Officer nor his representative.
The Personal Data Administrator is responsible for the use of personal data in a safe manner and in accordance with applicable law.
II. Purpose and basis of personal data processing
Your personal data is processed so that:
- the Administrator of Personal Data may conduct business activity, primarily to provide economic, financial and tax consultancy services – the legal basis for the processing of personal data is enshrined in Art. 6 clause 1 letter b of GDPR (the processing is necessary for the conclusion and performance of a contract),
- the Administrator may fulfil the legal obligations imposed on him – the legal basis for the processing of personal data is enshrined in Art. 6 clause 1 letter c of GDPR (e.g. as regards the need to settle taxes, other accountancy and accounting obligations),
- the Administrator may perform his legally justified interests, pursuant to Art. 6 clause 1 letter f of GDPR, to which the Administrator includes the following: direct marketing, investigation and defense against claims, fraud prevention, data transmission to related entities, statistics and analyses, ensuring the security of the ICT environment, application of internal control systems.
III. Categories of personal data processed
The Personal Data Administrator processes the following categories of data: name and surname, official position, company name, business correspondence address, business e-mail address, and business phone number.
In a situation where the Administrator requests the provision of personal data, their provision is not mandatory, yet it is necessary for establishing and conducting business cooperation between the Administrator and the Contractor.
Personal data are not processed for automated decision making, including profiling.
Personal data come directly from the person they refer to. If personal data do not come from the person they concern, then they are obtained from sources commonly available on the Internet (e.g. Central Registration and Information on Economic Activity CEIDG, Poland’s National Court Register KRS, company website, etc.)
IV. Entities to whom personal data are entrusted
Personal data are transferred to the following:
- entities performing audits as well as financial, legal and tax consultancy services,
- entities providing IT services, including servers and networks management,
- entities providing technological services to the Administrator,
- entities providing bookkeeping and accounting services to the Administrator,
- service providers supplying the Administrator with technical and organizational solutions,
- state administration bodies – at their request, justified on the basis of applicable law.
Some of the Administrator’s subcontractors are based in countries outside the European Economic Area, where the level of personal data protection may not be comparable to that in the European Union. Whenever this happens, the Administrator shall take care that the entity to whom the data are transferred should offer appropriate safeguards guarantees and assurances related to the security of the data of natural persons. The Administrator’s suppliers have the so-called Privacy Shield Certificate, ensuring appropriate protection of personal data, at a level adequate to the protection guaranteed in the European Economic Area and in the European Union.
V. The duration of personal data processing
The personal data of Contractors’ representatives will be kept during the period of business cooperation between the Administrator and the Contractor, as well as after its completion, when there are reasonable grounds that the cooperation will be resumed.
VI. Entitlements arising from the Administrator’s processing of personal data
You have the right to:
- access the personal data processed – the person whose data are processed has at all times the right to request access to their personal data, including the right to request both information about whether their personal data are processed and copies of the personal data,
- rectify and complete the personal data processed – the person whose data are processed has the right to demand immediate correction of their personal data as well as to supplement them, provided, however, that the Administrator does not have a legal basis that will allow him to refuse to correct or supplement them,
- delete the personal data processed (so-called right to be forgotten) – the person whose personal data are processed has the right to request the deletion of personal data concerning them. The Administrator may, however, refuse the exercise of this right. Such a situation will take place primarily when, under applicable law, the Administrator is entitled or obliged to store personal data,
- limit the processing of personal data,
- raise objections to the processing of personal data.
The above rights may be exercised by submitting an appropriate application to the Administrator for the data indicated in section I. The Administrator has the right to verify the identity of the person exercising the rights indicated above.
In addition, the person whose data are processed is entitled to request that the personal data be transferred to another administrator, but only on condition that the processing takes place in an automated manner and is technically possible.
The processing of your personal data will not take place based on consent for processing.
VII. The right to lodge a complaint with a supervisory authority
If the processing of personal data violates the law, you have the right to submit a complaint concerning the processing of personal data by the Administrator of Personal Data to the supervisory body. A complaint may be submitted to the President of the Office for Personal Data Protection (Office of the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw).
Information on personal data processing in line with GDPR
Pursuant to Article 13 clause 1 and 2 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR), we wish to provide the following information.
Who is the Administrator of my personal data?
CMT Advisory Sp. z o.o. with its registered office in Poznań at ul. Ignacego Paderewskiego 8, 61-770 Poznań, is the Administrator of your personal data (hereinafter referred to as: Administrator).
Contact data of the Personal Data Administrator:
CMT Advisory spółka z ograniczoną odpowiedzialnością
Address: ul. Ignacego Paderewskiego 8, 61-770 Poznań
The Administrator is responsible for the use of personal data in a safe manner and in accordance with applicable law.
Who can I contact regarding the processing of my personal data?
In all matters regarding the processing of your personal data you can contact:
via e-mail: email@example.com
by phone: +48618553010
or personally in the registered office of CMT Advisory sp. z o.o. at 8 Ignacego Paderewskiego St., 61-770 Poznań.
The Administrator has appointed neither a Data Protection Officer nor his representative.
What is the source of my data – where do they come from?
We obtain personal data either directly from you or from sources commonly available on the Internet (so-called yellow pages available online, e.g. Panorama Firm). We obtain your data for various purposes as well as process them in varying degrees and on different legal bases envisaged by the GDPR. To provide as clear information as possible, we have grouped this information concerning the processing of your personal data and provide it below. Personal data are not processed by the Administrator for automated decision making, including profiling.
What is the scope and purpose of the Administrator’s processing of personal data?
Description. CMT ADVISORY sp. z o.o. dispatches to its Clients a periodic newsletter concerning economic, financial and taxation consultancy services. The dispatch is via electronic mail.
Scope of data. For this purpose, we process the data provided by you, i.e. name and e-mail address.
Legal basis. Your consent for receipt of a newsletter with information about the real estate market (Art. 6 clause 1 letter a of GDRP).
Statistics concerning the use of individual functionalities of the www service and the ease of use of the service, ensuring the security of the IT service.
Scope of data. For this purpose, we process the personal data concerning your activity on the www service, such as: sites and sub-sites visited, the amount of time spent on each, as well as data concerning your search history, your IP address, location, device ID and data concerning the web browser and the operational system.
Legal basis. Our legally justified interest (Art. 6 clause 1 letter f of GDPR), consisting in the ease of the use of electronically-provided services and in the improved functionality of these services.
Considering requests, replies to questions
Scope of data. For this purpose, we may process certain personal data you provide, relating to your use of such services being the direct reason for your complaint or request, and data contained in documents attached to your complaint or request.
Legal basis. Your consent to the processing of personal data in order to reply to questions (Art. 6 clause 1 letter a of GDPR), as well as our legitimate interest (Art. 6 clause 1 letter f of GDPR), consisting in improving the functionality of services provided by the Administrator and building positive relationships between CMT ADVISORY sp. z o.o., based on reliability and loyalty.
Who are my personal data transferred to?
The Personal Data Administrator takes utmost care of the confidentiality of your personal data. Due to the need to meet contractual obligations and to ensure the proper provision of services for the benefit of our Clients, personal data are transferred to the following persons:
We transfer your personal data to the providers of services we make use of in our business. The providers supply the Administrator with technical and logistical solutions which ensure the provision of services benefiting our Clients and corporate management. The data are transferred to entities providing IT services for the Administrator, including software suppliers and the suppliers of the servers where the personal data are stored.
We offer access to your data on request of duly authorised state authorities, in particular the Prosecution Authority, the Police, President of the Office for Personal Data Protection, President of the Office for the Protection of Competition and Consumers or the President of the Office for Electronic Communication.
Are my data transferred outside the European Union?
Some of our subcontractors are based in countries outside the European Economic Area, where the level of personal data protection may not be comparable to that in the European Union. Whenever this happens, we make sure that the entity to whom the data are transferred should offer appropriate safeguards guarantees and assurances related to the security of the data of natural persons. The Administrator’s suppliers have the so-called Privacy Shield Certificate, have the so-called Privacy Shield Certificate, ensuring appropriate protection of personal data, at a level adequate to the protection guaranteed in the European Economic Area and in the European Union.
Am I obliged to provide data?
Data are provided on a voluntary basis. If, however, you want to make use of our services (e.g. receive the newsletter or send us a request), then our system automatically designates as obligatory the data without which we will be prevented from addressing your request.
What rights do I have?
In connection with the processing of your personal data, the Administrator guarantees the exercise of your rights related to the processing of the personal data as defined below. You can exercise your rights by making a request to the e-mail address: firstname.lastname@example.org
The right to withdraw consent
You have the right to withdraw your consent for the processing of personal data. The withdrawal of consent becomes effective as of the moment of withdrawal. The withdrawal of consent has no effect on the processing we carried out under the law prior to the withdrawal. The revocation of consent carries no negative consequences for you. However, it may prevent you from making use of some of our services.
Legal basis: Art. 7 clause 3 of GDPR
The right to object to the use of data
You have the right to object at any time to the use of your personal data if we process your data on the basis of our legitimate interest, e.g. in connection with the processing of a complaint, a request or a reply to a question. If your objection is justified and we have no other legal basis for processing your personal data, we will delete the data you have objected to.
Legal basis: Art. 21 of GDPR
The right to erasure of personal data (so-called “right to be forgotten”)
You have the right to request the deletion of all or some of your personal data. We will treat any request for deletion of all personal information as a request for deletion of your Account.
You have the right to request the deletion of personal data if:
a. you have withdrawn a specific consent to the extent that your personal data have been processed on the basis of your consent,
b. your personal data are no longer necessary for the purposes for which they were collected or for which they were processed,
c. you have objected to the use of your data for the purpose of maintaining statistics about your use of the Service and satisfaction surveys, and the objection is deemed justified,
d. your personal data are processed illegally.
Despite your request to delete your personal information, we may retain certain personal data to the extent necessary for the purpose of establishing, pursuing or defending claims. This applies in particular to personal data such as: name, surname, PESEL number, address of residence, which are stored for the purpose of processing complaints and claims related to the use of our services.
Legal basis: Art. 17 of GDPR
The right to limit data processing
You have the right to request the limitation of your personal data processing. If you make such a request known to us, for the duration of our processing the data we will disable your use of selected functionalities or services, whose use will be tied with the processing of the data covered by the request.
You have the right to request that the use of your personal data be restricted in the following cases:
- if you question the correctness of your personal data, in which case we will limit their use for the time necessary to verify the correctness of your data, no longer than for 7 days,
- if the processing of your data is in contravention of the law and you demand a restriction on the use of the data instead of their deletion,
- when your personal data are no longer necessary for the purpose for which we collected or used them, but are necessary for you to establish, pursue or defend a claim,
- when you have objected to the use of your data, the limitation is for the time necessary to consider whether, due to your particular situation, the protection of your interests, rights and freedoms outweighs the interests we pursue when processing your personal data.
Legal basis: Art. 18 of GDPR
The right to access data
You have the right to obtain a confirmation whether we process your personal data, and this being the case, you have the right to the following:
- gain access to your personal data,
- obtain information about the purposes of the processing, categories of the personal data processed, the recipients or categories of recipients of these data, the planned storage period for your data or the criteria for determining that period, your rights under the GDPR and your right to lodge a complaint with the supervisory authority, the source of the data, the automated decision making, including profiling, and the safeguards applicable to the transfer of the data outside the European Union,
- obtain a copy of your personal data.
Legal basis: Art. 15 of GDPR
The right to have data corrected
You have the right to request the correction of your personal data (when they are incorrect) or the supplementation of the personal data provided (when they are incomplete).
Legal basis: Art. 16 of GDPR
The right to the transfer of data
You have the right to obtain your personal data provided to us and then send them to another personal data administrator of your choice, e.g. to another operator of similar services. Furthermore, you have the right to demand that the personal data should be sent by us directly to such other administrator, provided this is technically feasible.
Legal basis: Art. 20 of GDPR
What is the duration of our processing of your request?
If, in the exercise of the above rights, you make a request to us, we comply with the request, or we refuse to comply with it immediately, but no later than one month after receipt. However, if, due to the complexity of the request or the number of requests, we are unable to meet your request within one month, we will do so within a further two months, notifying you in advance of the intended extension.
The right to lodge a complaint with a supervisory authority
You have the right to submit a complaint concerning the processing of personal data by the Administrator of Personal Data to the supervisory body. A complaint may be submitted to the President of the Office for Personal Data Protection (Office of the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw).
- What is a cookie file?
“Cookies” are single, small text files sent by the websites you visit and downloaded on your computer. The information contained in these files shall allow the information contained therein to be read only by the party which created them. This means that the website may not access other files on your computer.
- What cookies do we use?
The website https://cmt-advisory.pl may use two cookie types:
- session-related – they remain on the user’s device until the leaving of the website or the turning off of the web browser,
- permanent – they remain on the user’s device for a time defined in the parameters of the file or until their removal by the user.
- Can I give up accepting cookies?
The storage and sending of cookies are handled by web browsers and are not visible to the user. Most of the browsers you use will accept them by default. However, the user may set the browser to refuse requests to store cookies in general or to store selected cookies. This can be done using the settings in the browser. Before we make this decision, however, it is worth remembering that many cookies help you to use the website.
Detailed information on the management of cookies is available in the settings and documentation of the selected web browser.