What data do we mean?

Personal data is information about an identified or identifiable natural person. It is therefore primarily about data that identifies you, including your name contact details such as your telephone number, e-mail address and mailing address. 

Personal Data Controller

KRUK S.A. with its registered office in Wrocław (51-116), ul. Wołowska 8, is the controller of your personal data. 

You may address your query to any of the above-mentioned Controllers by sending it to KRUK S.A., ul. Wołowska 8, 51-116 Wrocław, or to the e-mail address info@kruksa.pl.

Data Protection Officer

We have appointed a Data Protection Officer whom you may reach for all matters concerning the processing of your personal data and your rights in this regard. You may write to him at the following address: Data Protection Officer, KRUK S.A. ul. Wołowska 8, 51-116 Wrocław, or contact by e-mail: dpo@kruksa.pl. 

Why and on what basis do we process your personal data?

Your personal data may be processed by us:

• to the extent necessary to conclude and perform a contract between the Administrator and you or your employer (legal basis: Article 6(1)(b) of the GDPR)

• in order to fulfill the legal obligations incumbent on the Administrator (legal basis: Article 6(1)(c) of the GDPR), i.e. to counteract money laundering and financing terrorism - this is an obligation resulting from the Act on counteracting money laundering and financing terrorism ( AML) and the application of accepted accounting principles - this is an obligation that results from the provisions of the Accounting Act

• in order to implement the Controllers legitimate interests (legal basis: Article 6(1)(f) of the GDPR), i.e. to prepare statistics and reports for own needs and within a group of enterprises, − consider complaints and determine claims, pursue them or defense, − ensures the safety of persons and property of the Controller, including ensuring security as part of the entrusted tasks, in particular preventing abuses, − verifying whether you are a natural person who is a representative or real beneficiary of a company entered on national and international sanction lists, against which measures are applied limiting on the basis of national and international law in connection with the regulations applicable to the Controller

• to carry out other activities when we have your consent to process data (legal basis: Article 6(1)(a) of the GDPR)

How long do we keep your personal data?

The duration of the Controller's processing of your personal data depends on the purpose of the processing. It arises in the case of a contract usually from: 

• the duration of the contract 
• the limitation period for contractual claims
• the requirements of common law (e.g. 5-year obligation to keep accounting documents counting from the closure of the fiscal year).

To whom may we pass your personal data?

Your data may be made available to entities supporting our activities, such as companies from the capital group, entities providing legal and accounting services, Your data may be transferred to our IT, ICT and cloud service providers. our consultants or auditors and law enforcement authorities, as well as other authorities and entities, if the obligation to provide data results from legal provisions, such as: General Inspector of Financial Information (GIIF).

Do you have to give us your personal information?

Your provision of personal data is voluntary. To the extent that the processing of your personal data takes place for the purpose of entering into and performing a contract, the consequence of failing to do so will be that you cannot be contacted for this purpose. 

From whom may we receive your data?

In principle, we receive your data directly from you as a result of you providing it in the relevant contractual provisions. In some situations, we obtain your personal data by means other than directly from you, e.g. someone else provides you as a contact person for the conclusion and performance of a contract. This could be your supervisor or a co-worker. 

Profiling and automated decision making

Please be informed that in the course of our activities your data will be processed by automated means, including profiling. We do not make automated decisions in relation to you. 

Transfer of your personal data outside the European Economic Area (EEA)

We use suppliers and partners outside the EEA and it is therefore possible to transfer personal data to countries outside the EEA. Such transfer of personal data may take place on the basis of a decision stating the appropriate level of protection or subject to appropriate safeguards, Art. 45, 46 GDPR. Information on the EU Commission's adequacy decisions is available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

What rights do you have in relation to your data and how can you exercise them?

In our business, we ensure that you can exercise your rights under the GDPR. 

Under the GDPR you have the right to:

• Receive information about our processing of your personal data and a copy of it.  
• Transfer the personal data provided by you in connection with the conclusion of a contract or processed by us on the basis of your consent. 
• Object to the processing of your personal data (request to stop processing your personal data), in particular on grounds relating to your particular situation. Exercising the right to object generally prevents the processing of your data. Please note, however, that this effect will not occur where we demonstrate that there are valid, legitimate grounds for their processing overriding the grounds for objection, or we demonstrate that there are grounds for establishing, asserting or defending our claims that we have against you.

You can also request: 

• Correction of your data if we have incorrect data, e.g. outdated or incomplete data.
• Erasure of your data ("right to be forgotten") when: the data are no longer necessary for the purposes for which they were collected or otherwise processed; the data will be unlawfully processed; the obligation to erase your data arises from the provisions of the law; you object to the processing of your data; you withdraw your consent to the processing of your data.
• Restrict the processing of your personal data, i.e. mark your stored personal data to limit future processing, where: you question the accuracy of your personal data - for a period of time to allow us to check the accuracy of the data; the processing is unlawful but you do not want it deleted; you no longer need the data but need it to defend or assert your claims; you object to the processing of your data - until it is determined whether the legitimate grounds for processing override the reasons for the objection. 

Please note that, in accordance with the GDPR, we will not delete your personal data to the extent that its processing is necessary for us to establish, assert or defend our claims, e.g. a request for payment of a debt, or we have a legal obligation to process it, e.g. an obligation to keep accounting documents. If, on the other hand, we restrict the processing of your data at your request, we will still be able to process your data to establish, assert or defend our claims. 

Where your consent is the basis for the processing of your personal data, you may withdraw it at any time. However, this will not affect the lawfulness of the Company's use of your data prior to the withdrawal of such consent.

If you wish to exercise the above rights, you may submit a request to us by: 

•    e-mail to: info@kruksa.pl
•    telephone by calling: 800 700 020
•    post to the following address: KRUK S.A., ul. Wołowska 8, 51-116 Wrocław
•    in person, when contacting our advisor or at KRUK S.A.'s registered office in Wrocław at ul. Wołowska 8.

You also have the right to lodge a complaint with the data protection supervisory authority, i.e. the President of the Office for Personal Data Protection.