PRIVACY POLICY

In order to ensure the transparency of the processing carried out, we present the rules of personal data protection in force at the National Clearing House (KIR), established on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "GDPR").

1. DEFINITIONS

  1. CONTROLLER – the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; here Krajowa Izba Rozliczeniowa Spółka Akcyjna (KIR) with its registered office in Warsaw at ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa, KRS 0000113064.
  2. Personal Data – information about a natural person identified or identifiable by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including an image, a voice recording, contact details, location data, information contained in correspondence, information collected with recording equipment or other similar technology.
  3. Data Subject – the natural person to whom the personal data processed by the Controller relates, e.g. a person directing an e-mail enquiry to the Controller.
  4. Policy – this Privacy Policy.
  5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  6. Portal – the web portal operated by the Controller at: https://kir.pl and at any other address within the KIR domain concerning individual KIR services.
  7. User – any natural person visiting the Portal or using one or more of the services or functionalities described in the Policy.

2. DATA PROCESSING BY THE CONTROLLER

  1. In connection with its business activities, the Controller collects and processes personal data in accordance with the relevant legislation, including in particular the GDPR and the data processing rules provided for therein.
  2. The Controller:
    • ensures transparency of data processing;
    • always informs about the processing of the data at the time of its collection, in particular about the purpose and legal basis of the processing of personal data, unless it is not obliged to do so under applicable legislation;
    • ensures that data is only collected to the extent necessary for the specified purpose and is only processed for as long as it is necessary;
    • ensures the security and confidentiality of the data when processing it, and gives Data Subjects access to information about the processing. If, despite the security measures in place, a personal data breach (e.g. a leakage or loss of data) were to occur and such a breach could result in a high risk to the rights or freedoms of Data Subjects, the Controller shall inform the Data Subjects of such an event in accordance with the law.

3. CONTACT WITH THE CONTROLLER AND THE DATA PROTECTION OFFICER

  1. Contact with the Controller is possible via e-mail: kontakt@kir.pl or by post at: ul. rtm. Witolda Pileckiego 65, 02-781 Warszawa, KRS 0000113064.
  2. The Controller has appointed a Data Protection Officer who can be contacted on all data protection matters by sending a message to iod@kir.pl or in writing to the postal address of the Controller indicated in the point above.

4. PERSONAL DATA SECURITY

  1. In order to ensure the integrity and confidentiality of the data, the Controller has implemented procedures to allow access to personal data only to authorised persons and only to the extent necessary for their tasks. The Controller shall apply organisational and technical measures to ensure that all operations on Personal Data are recorded and carried out only by authorised persons.
  2. The Controller shall take all necessary measures to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Controller.
  3. The Controller conducts a risk analysis on an ongoing basis and monitors the adequacy of the data security measures in place to address the risks identified. If necessary, the Controller shall implement additional measures to enhance data security.

5. PURPOSE AND LEGAL BASIS FOR PROCESSING

  1. WEB PORTAL
    In connection with the User's use of the Portal, the Controller collects data to the extent necessary to provide the individual services as well as information about the User's activity on the Portal.
    Personal data of all persons using the Portal (including the IP address or other identifiers and information collected through cookies) is processed by the Controller:
    • for the proper functioning of the Portal – necessary cookies, processed on the basis of the Controller's legitimate interest (Article 6(1)(f) of the GDPR);
    • in order to study traffic on the Portal, learn about Users' preferences, analyse their behaviour on the Portal and enable interaction with external networks and platforms – statistical cookies, processed on the basis of the User's voluntary consent (Article 6(1)(a) of the GDPR);
    • for the purpose of displaying advertisements tailored to the visitor's profile; based on the browsing history, profiles are built and shared with advertising partners so that personalised advertisements are displayed on other websites – marketing cookies, processed on the basis of the User's voluntary consent (Article 6(1)(a) of the GDPR).
  2. PROVISION OF TRUST SERVICES
    The Controller processes personal data in order to fulfil a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Article 24 of the eIDAS Regulation); to conclude and perform a contract (Article 6(1)(b) of the GDPR); to ensure the security of the trust service provided and to prevent data falsification, on the basis of the Controller's legitimate interest (Article 6(1)(f) of the GDPR in conjunction with Articles 19(1) and 24(2)(g) and Annex II(1)(c) of the eIDAS Regulation); and for the purpose of possibly establishing, pursuing or defending against claims, on the basis of the Controller's legitimate interest in protecting its rights (Article 6(1)(f) of the GDPR). The provision of data is voluntary but necessary to conclude the agreement.
  3. PROVISION OF PAYBYNET SERVICES
    The Controller processes personal data for the purpose of concluding and performing a service contract (Article 6(1)(b) of the GDPR), as well as for the purpose of possibly establishing, pursuing or defending against claims, on the basis of the Controller's legitimate interest in protecting its rights (Article 6(1)(f) of the GDPR). The provision of data is voluntary but necessary to conclude the agreement.
  4. DETERMINATION OF THE RISK INDICATOR FOR THE USE OF BANKS AND SKOK FOR FRAUDULENT PURPOSES
    The Controller processes personal data in order to fulfil a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Article 119zn § 2 and Article 119zu § 2a and § 3 of the Act of 29 August 1997 – Tax Ordinance), consisting in:
    • acting as an intermediary for banks and cooperative savings and credit unions (SKOK) in providing the Head of the KAS (National Revenue Administration) with information on virtual account masks in connection with the list of registered, unregistered, deleted and reinstated entities in the VAT register maintained by the Head of the KAS;
    • acting as an intermediary in the transmission, between the Head of the KAS and banks and cooperative savings and credit unions, of data supplementing the list referred to in Article 96b(3)(13)(3b) of the VAT Act.
  5. MANAGEMENT OF THE ELECTRONIC IDENTIFICATION SCHEME; CONFIRMATION OF THE IDENTITY AND VERIFICATION OF THE IDENTIFICATION DATA OF PERSONS APPLYING FOR ELECTRONIC IDENTIFICATION MEANS, IN A MANNER APPROPRIATE TO THE ASSURANCE LEVEL OF THE ELECTRONIC IDENTIFICATION MEANS AND IN COMPLIANCE WITH THE REQUIREMENTS LAID DOWN IN THE REGULATIONS ISSUED PURSUANT TO ARTICLE 8(3) OF THE EIDAS REGULATION; ISSUANCE, SUSPENSION AND REVOCATION OF ELECTRONIC IDENTIFICATION MEANS
    The Controller processes personal data in order to comply with a legal obligation - on the basis of Article 6(1)(c) of the GDPR in conjunction with Article 21q(1) of the Act of 29 September 2016 on Trust and Electronic Identification Services.
  6. CONTACT FORM
    The Controller provides the possibility to contact it using an electronic contact form. Use of the form requires the provision of the Personal Data necessary to make contact and respond to the enquiry. The provision of data marked as mandatory is required in order to receive and handle the enquiry; failure to provide it makes handling the enquiry impossible. Provision of the other data is voluntary. Personal data is processed in order to identify the sender and to handle the enquiry sent via the form. The legal basis for processing in order to handle the enquiry is the Controller's legitimate interest (Article 6(1)(f) of the GDPR); with regard to data provided optionally, the legal basis is consent (Article 6(1)(a) of the GDPR).
  7. TELEPHONE CONTACT
    If the Controller is contacted by telephone in matters not related to a concluded agreement or to the services provided, the Controller may require the provision of Personal Data only if it is necessary for handling the matter to which the contact relates. The legal basis in such a case is the Controller's legitimate interest (Article 6(1)(f) of the GDPR), consisting in the need to resolve the reported matter related to its business activity.
  8. E-MAIL, TRADITIONAL CORRESPONDENCE AND CHATBOT
    When correspondence unrelated to the services provided to a person, or to any other contract concluded with that person, is addressed to the Controller via e-mail, traditional post or the chatbot, the personal data contained in such correspondence is processed for the sole purpose of communication and resolution of the matter to which the correspondence relates:
    • the legal basis for the processing is the Controller's legitimate interest (Article 6(1)(f) of the GDPR) in handling correspondence addressed to it in connection with its business activities;
    • the Controller shall only process Personal Data relevant to the matter to which the correspondence relates.
  9. CUSTOMER SATISFACTION SURVEY
    In the case of a customer satisfaction survey, consisting of a paper or electronic questionnaire sent to the customer, the personal data indicated in the survey is processed on the basis of the Controller's legitimate interest (Article 6(1)(f) of the GDPR) in improving the products offered and the services provided.
  10. RECRUITMENT (CAREER)
    The Controller processes personal data in order to conduct and conclude the recruitment process for the position applied for by the candidate. For the data listed in Article 22¹ § 1 of the Act of 26 June 1974 – the Polish Labour Code, the legal basis is Article 6(1)(b) of the GDPR, i.e. taking steps at the request of the data subject prior to entering into a contract. For data outside the catalogue listed in Article 22¹ § 1 of the Labour Code, the legal basis is the consent granted by the candidate (Article 6(1)(a) of the GDPR).

    In addition, the data may be processed in order to take the application into account in future recruitment processes on the basis of the consent given by the candidate, i.e. Article 6(1)(a) of the GDPR.
  11. MARKETING
    The Controller processes personal data in order to send marketing content via the communication channel to which the User has voluntarily consented, i.e. by electronic message to the indicated e-mail address and/or by telephone notifications (SMS/MMS), in order to present commercial offers and to send personalised information about products and services. The legal basis is the Controller's legitimate interest (Article 6(1)(f) of the GDPR).

6. PROCESSING TIME OF PERSONAL DATA

  1. The duration of data processing by the Controller depends on the type of service provided and the purpose of the processing. As a general rule, data is processed for the duration of the service, until the consent given is withdrawn, or, where the legal basis for the processing is the Controller's legitimate interest, until an effective objection to the processing is made. Data collected for the purpose of sending marketing content is processed until an objection to the processing is raised or the consent given for the chosen communication channel is withdrawn. Data collected in customer satisfaction surveys is processed until the purpose for which it was collected ceases to exist or until an objection to the processing is raised. Data collected through cookies is processed in accordance with the provisions of the Cookie Policy below.
  2. The processing period may be extended if the processing is necessary for the establishment or assertion of claims or the defence against claims, and thereafter only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymised.

7. DATA RECIPIENTS

  1. The Personal Data processed by KIR may be disclosed to external entities, including in particular suppliers responsible for operating IT systems and entities providing accounting or technical services to the Controller.
  2. In duly justified cases, based on an appropriate legal basis, data may be made available to authorities or third parties that request such information.
  3. As a general rule, the Controller does not transfer data outside the European Economic Area. Where such a transfer is necessary, the Controller ensures an adequate level of protection, primarily by:
    • cooperating with processors of Personal Data in countries for which the European Commission has issued a decision confirming that an adequate level of protection of Personal Data is ensured;
    • the use of standard contractual clauses issued by the European Commission;
    • the application of binding corporate rules approved by the competent supervisory authority.
    The Controller shall always give notice of its intention to transfer Personal Data outside the EEA at the time of collection.

8. RIGHTS OF DATA SUBJECTS

  1. Each User whose personal data is processed by the Controller has the following rights:
    • the right to access their personal data;
    • the right to have the data rectified;
    • the right to have the data erased;
    • the right to have the processing of the data restricted;
    • the right to data portability;
    • the right to object to processing carried out on the basis of the Controller's legitimate interest;
    • the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of that consent prior to its withdrawal.
  2. The User also has the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) if the User considers that the processing infringes the provisions of the data protection legislation.

9. DATA PROFILING

Data processed for the purpose of providing trust services is subject to profiling on the basis of Article 6(1)(f) of the GDPR in conjunction with Article 19(1), Article 24(2)(g) and Annex II(1)(c) of the eIDAS Regulation, in order to ensure the security of the service provided and to prevent data falsification. If, as a result of profiling, KIR becomes aware of a reasonable suspicion of a possible breach of the security of a trust service, it may interrupt the certificate generation process or revoke a certificate already issued.

10. REVIEW OF THE POLICY

The Policy is kept under review and updated as necessary.