PRIVACY POLICY
of the website https://tomczykowscy.pl/en
kept by
Tomczykowski Tomczykowska sp. z o. o.,
with its registered office in Warsaw,
and its related parties:
Tomczykowski Tomczykowska sp. z o. o.,
and Tomczykowski i Wspólnicy Kancelaria Prawnicza Sp. K.,
with their registered offices in Warsaw
Version adopted on 12th August 2024
§ 1. Privacy Policy Assumptions
This document satisfies the requirements set forth in the Act on Providing Electronic Services and the Telecommunications Law. The purpose hereof is to provide information about the basis and objective of processing the Website Users’ personal data, what the data processing grounds are, and what rights are vested in the Users in connection with their personal data being processed by the company Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw, and its Related Parties (Kancelaria Tomczykowski Tomczykowska sp. z o. o., and Tomczykowski i Wspólnicy Kancelaria Prawnicza Sp. K.), being Joint Controllers of the Website data. In addition, the Policy contains information about the Website functionality and about solving technical issues.
The Joint Controllers attach major importance to respecting the privacy of the Website Users, including Clients and newsletter subscribers, candidates for work/co-operation/apprenticeship, participants of events organized by the Joint Controllers, and accordingly they use their best efforts so that the Users can feel comfortable and secure while using the Website. In addition, the Joint Controllers exercise care so that the personal data processing will be transparent and will comply with legal regulations applicable to personal data protection, guidelines of the supervisory authority, and best practices.
This Privacy Policy satisfies the obligation to provide information that arises from article 13 of the GDPR, however the Joint Controllers will remain at the Users’ disposal, ready to answer any questions about personal data processing.
Each User is obliged to use the Website in accordance with this Privacy Policy, legal regulations, and established customs. In particular, it is prohibited to:
– provide untrue or misleading information or personal data;
– disseminate information about the Website contents which is untrue or contravenes the law or established customs;
– violate in any way the personal rights of the Joint Controllers, persons related to them, or third parties;
– interfere in the Website operation, in particular in the Website code, use or upload viruses, worms, Trojan horses, disallowed extensions and other mechanisms that may adversely affect the Website functioning, or the Joint Controllers’ or the Users’ software or equipment.
§ 2. Definitions of terms
Controller – an entity that independently or jointly with others determines the objectives and methods of personal data processing;
Joint Controllers – joint controllers are data controllers that jointly decide about processing measures and objectives, that is Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw; Kancelaria Tomczykowski Tomczykowska sp. z o. o., with its registered office in Warsaw; and Tomczykowski i Wspólnicy Kancelaria Prawnicza Sp. K., with its registered office in Warsaw; hereinafter also referred to as Related Parties;
Privacy Policy – this document, the content of which is available at https://tomczykowscy.pl/en/privacy-policy/;
Website – the service available at https://tomczykowscy.pl/en;
Personal Data – means, in accordance with article 4 point 1 of the GDPR, any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, OJ L of 2016, no. 119, p. 1);
User – any entity using the Website.
§ 3. Information on Joint Controllers of data
Because of business operations being carried out by them as Related Parties and due to the shared IT systems and servers, the Joint Controllers of personal data are:
– TOMCZYKOWSKI TOMCZYKOWSKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw at ul. Aleje Jerozolimskie 93, 02-001 Warszawa, tax identification number NIP 5262734243, number KRS 0000183769, statistical number REGON 01561091300000,
– KANCELARIA TOMCZYKOWSKI TOMCZYKOWSKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw at ul. Aleje Jerozolimskie 93, 02-001 Warszawa, tax identification number NIP 5252538109, number KRS 0000433949, statistical number REGON 14631703400000,
– TOMCZYKOWSKI I WSPÓLNICY KANCELARIA PRAWNICZA SPÓŁKA KOMANDYTOWA, with its registered office in Warsaw at ul. Aleje Jerozolimskie 93, 02-001 Warszawa, tax identification number NIP 5252707664, number KRS 0000673514, statistical number REGON 36706261400000.
The Joint Controllers can be contacted by e-mail at: daneosobowe@tomczykowscy.pl or by post at the registered office address in all matters connected with processing personal data and exercising rights vested under the GDPR.
§ 4. Essence of arrangements between Joint Controllers
The Joint Controllers have made arrangements about the scope of responsibilities and the breakdown of tasks connected with processing personal data on their shared IT systems and servers, and with carrying out business operations as related parties. In accordance with article 26 of the GDPR, the Joint Controllers made joint arrangements the essence of which is hereby made available to data subjects:
a) Performance of obligation to provide information
– The Joint Controllers have agreed that the obligation to provide information will rest with Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw.
b) Point of contact for data subjects
– The Joint Controllers have agreed that the point of contact for data subjects will be Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw at Al. Jerozolimskie 93, 02-001 Warszawa, e-mail address: daneosobowe@tomczykowscy.pl.
c) Determination of responsible entity
– The Joint Controllers have agreed that the entity responsible for all personal data protection matters will be Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw.
Irrespective of the aforesaid arrangements, and in accordance with article 26 section 3 of the GDPR, the data subject may exercise his or her rights under the GDPR in respect of and against each of the Joint Controllers.
§ 5. Data processing scope and purposes
Driven by the data processing principles arising from article 5 of the GDPR, in particular the data minimisation principle and the privacy by default principle, the Joint Controllers limit the scope of personal data processing during the Website use (and while carrying out all the processes within the Joint Controllers’ operations) to necessary data.
In order to use the contact form posted on the Website, the following personal data are obtained: first name, surname, e-mail address, message content. The data provided in the form is processed for the purpose that arises from the function of the particular form, e.g. in order to handle a submission.
In certain cases, the Website may record information that will facilitate the association of data provided in the form with the e-mail address of the user who completed it. In this case, the user’s e-mail address will appear inside the URL of the page containing the form.
If a CV is emailed, personal data provided by the recruitment candidate in the CV and its attachments will be processed.
In order to receive industry-specific and commercial information (including the newsletter) from Tomczykowski Tomczykowska Sp. z o.o., with its registered office in Warsaw, and its related parties, the e-mail address provided by the User will be processed.
While carrying out operations within a tax and law firm, the Joint Controllers organize a number of events (including those held online). The registration and participation in events entails processing their participants’ data, in particular the first name, surname, and e-mail address.
In addition, the Joint Controllers exercise care so that data will always be obtained for a reasonable and explicitly determined purpose:
– to provide Website accessibility and functionality services;
– to manage communication between the Joint Controllers and the User (including contacts made via electronic mail and contact form);
– to satisfy requirements arising from legal regulations (including accounting regulations, the Labour Code, and the Civil Code);
– to carry out the recruitment of candidates for work/co-operation/apprenticeship;
– to establish and pursue claims or to defend against claims, to settle disputes;
– to provide information about and to promote their services;
– to administer the IT system, and to improve its functionalities and the services provided.
§ 6. Data processing grounds
The Joint Controllers exercise care to comply with the legality principle, and make their best efforts so that every operation involving the use of personal data can be based on legal grounds. The Joint Controllers process personal data based on different legal grounds arising both from article 6 section 1 of the GDPR, and the provisions of national law, including the Accounting Act and the Labour Code.
Depending on the case and the processing purpose, the grounds for processing personal data may be:
– consent (article 6 section 1 letter a of the GDPR, including consent to be contacted by electronic means, consent to receive industry-specific and commercial information, including the newsletter);
– contract with Client (article 6 section 1 letter b of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, including to follow complaint procedures);
– legal obligation of the Joint Controllers (article 6 section 1 letter c of the GDPR: processing is necessary for compliance with a legal obligation to which the controller is subject, including obligations under the Tax Consultancy Act, Act on Attorneys-at-Law, Law on Advocates and other industry-specific regulations, the Accounting Act, Civil Code, and Labour Code);
– legitimate interests pursued by the Joint Controllers (article 6 section 1 letter f of the GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). The Joint Controllers rely on legitimate interests while analysing, developing, improving, and optimizing the Website operation (first of all in order to ensure system security), and also from the perspective of defence against potential claims.
§ 7. Data processing periods
The Joint Controllers make efforts to retain Website Users’ data only throughout a period where the data are necessary to achieve the processing purpose or satisfy obligations resting with the controller. Data processing period may be extended where its processing is necessary to establish, pursue, and defend against potential claims, and afterwards only in so far as and to the extent necessary under the law. Once the processing period ends, data will be irreversibly destroyed or anonymized.
Depending on a concrete situation with which personal data processing is connected, the following data processing periods are envisaged in the Joint Controllers’ operations:
– contract term plus a period required under the law, including the Civil Code, and the Accounting Law;
– period necessary to exercise rights and pursue claims of the Joint Controllers or of the User, including the claim limitation period (6 years, and for claims for recurring performances and claims connected with carrying out business activity – 3 years);
– periods arising from the Labour Code applicable to recruitment process and employment data;
– until the consent is withdrawn, where data are processed based on consent (e.g. where industry-specific or commercial information is transmitted).
§ 8. Data subjects’ rights and methods of exercising them
A submission concerning data subjects’ rights can be made:
– in person in the Joint Controllers’ registered office at: Aleje Jerozolimskie 93, 02-001 Warszawa,
– by e-mail at: daneosobowe@tomczykowscy.pl,
– by traditional mail at: Aleje Jerozolimskie 93, 02-001 Warszawa.
Data subjects’ rights are exercisable free of charge unless the GDPR provides otherwise. In accordance with article 12 section 5 of the GDPR, the controller may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
As long as appropriate prerequisites under the GDPR are fulfilled, and unless specific regulations prevent it, Website Users are entitled to enjoy the following rights concerning personal data processing:
1) Article 7 of the GDPR – the right to withdraw consent
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject will be informed thereof. It must be as easy to withdraw as to give consent.
2) Articles 13 and 14 of the GDPR – the right to receive information
While obtaining personal data, the Controller provides the data subject with all the information itemized in the content of articles 13 and 14 of the GDPR. The controller will take appropriate measures to provide any information referred to in articles 13 and 14 to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
3) Article 15 of the GDPR – the right of access to personal data
The data subject will have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller will provide the data subject with a copy of the personal data undergoing processing.
4) Article 16 of the GDPR – the right to rectify personal data
The data subject will have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
5) Article 17 of the GDPR – the right to erase personal data
The data subject will have the right to request that the controller erase personal data concerning him or her without undue delay only in a situation where prerequisites arising from this article are met, and its provisions are not excluded under other specific legal regulations.
6) Article 18 of the GDPR – the right to restrict the processing of personal data
The data subject will have the right to request that the controller restrict processing in cases specified by the law. Where processing has been restricted, such personal data will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
7) Article 19 of the GDPR – the right to be notified about rectification or erasure of personal data or about restriction of processing
The controller will communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with article 16, article 17 section 1 and article 18 of the GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller will inform the data subject about those recipients if the data subject requests it.
8) Article 20 of the GDPR – the right to data portability
Where the processing is based on consent or on a contract or is carried out by automated means, the data subject will have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data have been provided.
9) Article 21 of the GDPR – the right to object to data processing
The data subject will have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of article 6 section 1, including profiling based on those provisions.
In addition, the User is entitled to lodge a complaint with a supervisory authority that protects personal data in Poland: Personal Data Protection Office (UODO), address: ul. Stawki 2, 00-193 Warszawa.
§ 9. Personal data recipients
Personal data are not commercially made available to any entities. Personal data may be accessed by the Joint Controllers’ employees and collaborators, entities authorised under the law, and entities to which data processing is entrusted in accordance with article 28 of the GDPR. The Joint Controllers inform the Users that the recipients category may include: providers of IT infrastructure solutions; subcontractors or suppliers of and entities cooperating with the Joint Controllers, which provide administration, accounting and financial, HR or advisory services, or other services contracted by the Joint Controllers. In the case of online events, data may only be accessed by technology providers such as Microsoft Bookings, Teams, and Zoom.
We will use our best efforts so that the entities to which we provide personal data can warrant the implementation of protection measures appropriate for the applicable personal data protection regulations and thereby ensure high standards and security; for more information, please refer to their respective privacy policies.
§ 10. Securing personal data
The Joint Controllers will use technical and organisational measures that ensure security of data being processed and of the categories of data being secured, as appropriate for threats, in particular they secure personal data against unauthorized access, loss or corruption (accessible only to authorized persons); they diligently choose business partners, train personnel in personal data protection and information security; and scrupulously analyse requests to exercise data subjects’ rights. The points where personal data are entered are protected in the transport layer (an SSL certificate). As a result, personal data entered on the Website are encrypted on the user’s computer and may be read only on the target server.
§ 11. Voluntary / mandatory provision of personal data
Data are provided voluntarily, however they are necessary, as their receipt is a condition for achieving the purpose as appropriate for the situation – without personal data it is impossible to execute any contract, examine any complaint, contact the Joint Controllers, carry out recruitment, exercise rights, or pursue claims.
§ 12. Data transfer to third countries, automated decision-making, and profiling
Users’ personal data are not wilfully and intentionally transferred by the Joint Controllers to any third country or international organization. The data are not used for automated decision-making or profiling.
§ 13. Use of cookies
The Website uses cookies, i.e. small pieces of text information stored on the User’s end (receiving) device. Cookies are used to ensure the correct operation of the Website and also for statistical purposes, e.g. in order to examine the popularity of particular tabs and services.
The User may prevent the storage of cookies on the end device by appropriate configuration of the Internet browser.
The User may delete cookies stored on the end device by using appropriate Internet browser functions or other software. Cookie deletion methods can be found at appropriate Internet browser addresses, e.g.:
Google Chrome: https://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
Mozilla Firefox: https://support.mozilla.org/pl/kb/usuwanie-ciasteczek
Microsoft Internet Explorer: https://windows.microsoft.com/pl-pl/internet-explorer/delete-manage-cookies#ie=ie-11
Only information contained in cookies is automatically collected on the Website. Cookies are text files that are stored on the Website User’s end device. They are intended to be used when Website pages are viewed. First of all, they contain the name of the website where they originated, their unique numbers, and the time of storage on the end device. The Joint Controllers are entities placing cookies on the Users’ end devices and accessing them therefrom.
Cookies are used in order to:
– adjust the web page content to the User’s individual preferences; above all those files recognize his or her device so that the web page content can be displayed in accordance with the User’s preferences;
– prepare statistics enabling learning about the Users’ preferences and behaviours; an analysis of the statistics is anonymous and it facilitates adjusting the service display to prevailing trends; statistics are also used for the web page popularity assessment.
The Website uses two basic types of cookies – session and persistent cookies. Session cookies are temporary and they are stored until the service web page is left (by entering another web page, logging out or closing the browser). Persistent cookies are stored on the User’s end device until they are deleted by the User or until the time setting applicable to them passes.
The User may at any time change the browser settings in order to disable the operation of cookies or to obtain each time information about cookies being placed on his or her device. Other available options can be checked in the browser settings. Importantly, most browsers are set by default to accept cookies and save them on the end device.
Cookies used by the Website (and saved on the Users’ end devices) may be made available to collaborating service providers.
The Joint Controllers inform the Users that changes introduced to their Internet browser settings may restrict access to some web page functions. Information about the browser settings is available in the browser menu (help) or on the manufacturer’s website.
§ 14. Contact, complaints, and liability
The Joint Controllers exercise due care in order to ensure correct operation of the Website. The User can express reservations about the Website operation at the following e-mail address: marketing@tomczykowscy.pl.
The Website User can file complaints at the following e-mail address: marketing@tomczykowscy.pl.
Submissions and complaints should contain a detailed description of the reservation and the User’s e-mail address, so that the Joint Controllers can respond to the reservation.
The Joint Controllers may request the User to provide additional information needed for their response. The Joint Controllers are obliged to respond within 14 days from receiving full information, including a detailed description of the reservation and the User’s e-mail address.
Due to technical reasons, irregularities in the operation or a breakdown may occur, preventing or hindering the Website use. Also periodic terminations of access to the Website may occur due to its modernisation.
The Joint Controllers will not be liable for the undue operation or inaccessibility of the Website arising from or connected with the causes indicated above or other causes independent of the Joint Controllers.
§ 15. Final provisions
This edition of the Privacy Policy enters into effect on 12th August 2024. The Privacy Policy content may be amended by the Joint Controllers and the changes will be published on the Website.
Matters that are not regulated in this Privacy Policy will be governed by appropriate generally applicable regulations, and guidelines issued by the supervisory authority and the European Data Protection Board.
Any potential disputes concerning the Privacy Policy content will be subject first of all to amicable resolution.