Pursuant to Article 13(1) and 13(2) of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1) (hereinafter referred to as “GDPR”) we inform that:
1. Data ControllerThe controller of personal data found in the Agreement is Polska Agencja Inwestycji i Handlu S.A. with its seat in Warsaw at ul. Krucza 50 (00-025 Warszawa), entered into the register of entrepreneurs of the National Court Register by the Capital City of Warsaw District Court, under the number KRS 0000109815 (hereinafter referred to as “
Controller”). The Controller can be reached through the contact form on
www.paih.gov.pl, by sending an email to:
iod@paih.gov.pl, or by traditional mail at the address of the Controller’s seat stated above.
2. Data Protection Officer
The Controller appointed a person responsible for protecting personal data, i.e. a Data Protection Officer, who can be contacted at
iod@paih.gov.pl or by traditional mail at the address of the Controller’s seat stated above, with a note saying “c/o the Data Protection Officer.”
3. Purposes and grounds for processing personal dataThe Controller processes your personal data to:
1) enter and perform the Agreement – the legal basis for processing are activities necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR),1
2) enable your performance of activities on behalf of the represented entity, based on the legitimate interest of the Controller, namely the need to process data necessary to enter into and perform contracts with its business partners (Article 6(1)(f) of the GDPR),2
3) match business entities and initiate international cooperation by sharing your contact details with third countries or international organisations, based on your consent (Article 6(1)(a) of the GDPR or Article 49(1)(a) of the GDPR, depending on which country the data are transferred to according to item 4 below),
4) perform tasks related to promoting Polish economy, according to the Act on performing tasks related to promoting Polish economy by the Polska Agencja Inwestycji i Handlu Spółka Akcyjna of 7 July 2017 (Journal of Laws of 2017, item 1941, as amended), based on your consent (Article 6(1)(a) of the GDPR or Article 49(1)(a) of the GDPR, depending on which country the data are transferred to according to item 4 below),
5)
transfer data to a PAIH Foreign Trade Office located in a third country, i.e. outside the European Economic Area, as part of the statutory activities of the Controller – Article 6(1)(a) of the GDPR or Article 49(1)(a) of the GDPR, depending on which country the data are transferred to according to item 4 below),3
6) potentially establish, exercise or defend legal claims related to the concluded Agreement – the legal basis for data processing is the necessity of processing to achieve the legitimate interest of the Controller. The legitimate interest of the Controller is the establishment, exercise or defence of legal claims (Article 6(1)(f) of the GDPR).
4. Data recipients
The recipients of your personal data are entities to which the Controller entrusted activities that involve the need for personal data processing, especially as regards managing electronic mail, ITC, hosting, IT, administrative services, legal services or consulting. The recipients of your personal data may also be entities or authorities that have the right to receive your data, but only in justified cases and in compliance with applicable provisions of law.
The Controller may transfer personal data to third countries, i.e. countries located outside the European Economic Area. Your data may be transferred
solely to third countries or third parties which were recognised by a decision of the European Commission as offering an adequate level of data protection. The list of countries confirmed by a decision of the European Commission to offer an adequate level of protection can be found at the link.
If no decision of the European Commission confirming an adequate level of protection referred to in Article 45(3) of the GDPR has been issued, your personal data may be transferred to a third country
solely on the basis of: binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by a Polish supervisory authority and approved by the Commission, an approved code of conduct, or an approved certification mechanism (Article 46 of the GDPR).
If no decision of the European Commission confirming an adequate level of protection referred to in Article 45(3) of the GDPR has been issued and in the absence of the safeguards listed in Article of the 46 of the GDPR, including binding corporate rules, we will ask you to grant your express consent for a transfer to a third country or international organisation after advising you about the possible risks of such transfer pursuant to Article 49(1)(a) of the GDPR.
In connection with the transfer of your data outside the EEA you may request information about safeguards used in this respect, obtain a copy of such safeguards or information about the place in which they are shared by contacting us at the PAIH S.A. correspondence address stated in point 1 above.
5. The time for which personal data are stored
Personal data are stored until:
1) completion of the Agreement – until the Agreement is terminated or expires;4
2) until consent for the processing of personal data is withdrawn;
3) for the establishment, exercise or defence of claims – until the claims are time-barred according to generally applicable provisions of Polish law;
4) the obligation to store personal data resulting from generally applicable provisions of law (e.g. the obligation to store accounting documents) expires.5
6. Rights of data subjects
Due to the processing of personal data, a data subject has the following rights: the right to access data, to rectify data, to erase data, to restrict the processing of data, to object to the processing of data, to transfer data, and to file a complaint with the Chairman of the Personal Data Protection Office. You are entitled to these rights in the scope provided for in generally applicable provisions of law.
In addition, pursuant to Article 21 of the GDPR, with respect to processing which takes place pursuant to Article 6(1)(f), data subjects are also entitled to object to processing performed by the Controller in this respect.
7. Information about required/voluntary submission of data
Submission of personal data is voluntary, but required to achieve the objectives referred to in point 3 above.
8. Information about automated decision-making, including profiling
The Controller will not use personal data to make automated decisions, including decisions that are the result of profiling.
9. The risk related to transferring data to third countries if no decision of the European Commission confirming an adequate level of protection referred to in Article 45(3) of the GDPR has been issued and in the absence of the safeguards listed in Article 46 of the GDPR, including binding corporate rules
Your data may be transferred to third countries that do not ensure an adequate level of protection granted by generally applicable provisions of Polish law, in particular the provisions of the GDPR. In connection with the above, pursuant to Article 49(1)(a) of the GDPR, we inform that we do not ensure suitable safeguards listed in Article 46 of the GDPR. Due to the inability to enter into standard contractual clauses with the recipient of the data and lack of binding corporate clauses, we inform you that there is a risk that your data will not be adequately protected. You need to grant further consent to transfer personal data to a third party located in a third country, because there is a risk that such data will be processed without compliance with the GDPR regime.
1 If entering into a contract with a natural person requires the Controller to transfer personal data found in the contract outside the European Economic Area.
2 If entering into a contract with a legal person requires the Controller to transfer personal data found in the contract outside the European Economic Area.
3 If personal data are transferred to a PAIH S.A. Foreign Trade Office located outside the EEA.
4 If the Agreement is entered into.
5 If the Agreement is entered into.