I. About us
Policy is addressed to users of the website: www.mentzen.pl and Clients, subcontractors, as well as others interested in partnership with Kancelaria Mentzen.
The personal data controller with the meaning of Article 4 (7) of the RODO is Kancelaria Mentzen Spółka z ograniczoną odpowiedzialnością based in Toruń, Grudziadz 110-114/301, 87-100 Toruń. Entered in the register of entrepreneurs of the National Court Register by District Court in Toruń, Commercial Division of National Court Register, KRS number: 0001071605 with a share capital of 50 000 PLN, paid in full 52021262, NIP 9562371350.
In Kancelaria Mentzen there is designated Data Protection Officer, Aleksandra Glinka. You can contact DPO via e-mail: [email protected] or via phone: 531 856 346. In cases related to processing of personal data you can also contact via e-mail: [email protected] and via phone: 570 668 699.
Personal data is obtained and processed in the manner and under and under the terms of this Policy.
II. General provision
In Kancelaria Mentzen we attach special importance to protecting the privacy of our Customers, Contractors, Employees and Associates. One of its key aspects is the protection of the rights and freedoms of individuals in connection with the processing of their personal data.
We always want to make sure that the processing of personal date is carried out in accordance with regulations of RODO, personal data protection law and specific rules (contained in Ustawa prawo pracy or Ustawa o rachunkowości).
Kancelaria Mentzen is the personal Data Controller in the meaning of Article 4 (7) of RODO, we also use the services of processors referred to Article 4 (8) of RODO – they process personal data on behalf of the Data Controller (especially companies that provide IT solutions and hosting). We also process personal data of other data controllers that have been entrusted to us in order to provide the services we provide. The data is processed in accordance with the requirements of applicable law and contractually agreed terms.
Kancelaria Mentzen implements appropriate technical and organizational measures to ensure a degree of security corresponding to the possible risk of infringement of the rights or freedoms of individuals with different probability of occurrence and severity of threat. Our data protection measures are based on adopted policies and procedures and regular training to improve the knowledge and competence of our employees and associates.
In case of cooperation on the basis of certain subscription services (Mentzen Priem, Mentzen+ Real Estate, Mentzen+ IT, Mentzen+ B2B), Personal Data Controller and Customer are obliged to conclude an agreement for the entrustment of personal data processing.
The conclusion of the entrustment agreement is based on the content of the personal data processing entrustment agreement, which is attached as Exhibit 1 to this Policy.
III. Principles, purpose and legal basis of personal data processing
We exercise diligence to protect the interests of data subjects and, in particular, ensure that the data:
- processed lawfully, fairly and transparently to the data subject;
- collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- correct and updated as necessary. We take steps to ensure that personal data that is inaccurate in light of the purposes of its processing is promptly deleted or corrected;
- stored in a form that allows the identification of the data subject for no longer than necessary to achieve the purposes of the processing;
- processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss or destruction.
Dane mogą być przetwarzane w celu:
- to conclude, perform or terminate a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract – based on Article 6(1)(b) of the RODO;
- identification of authority to represent a party – based on Article 6(1)(b) and (c) of the RODO;
- processing necessary to fulfil legal obligations incumbent on the Administrator, in particular those arising from the provisions of the Anti-Money Laundering and Terrorist Financing Act, the Accounting Act, the Labour Code, as well as other legal acts – on the basis of Article 6(1)(c) of the RODO;
- for purposes arising from the legitimate interests pursued by the Administrator or by a third party, in particular, but not limited to: for marketing activities, customer satisfaction surveys and determining the quality of service, conducting statistics, compilation, analysis, investigation of claims or protection against claims that may be raised by the Administrator and that may be raised against the Administrator, as well as for archival purposes, security purposes, for the investigation of possible complaints or demands and to satisfy the principle of accountability referred to in Article 5(2) RODO. (Legal basis Article 6(1)(c) and (f) RODO);
- for one or more specified purposes as to which the data subject has consented to the processing of his or her personal data. This consent may be withdrawn at any time.
IV. Time period for processing personal data
Personal data will be processed for the period necessary to fulfil the particular purpose for which they are processed, or until the data subject withdraws consent if they are processed on the basis of consent granted. Data will be processed only for the time, scope and purposes permitted by law.
V. What are you entitled to?
We take appropriate measures to provide you with all relevant information in a concise, transparent, understandable and easily accessible form and to conduct all communications with you regarding the processing of personal data in connection with the exercise of your right to:
- information provided when obtaining personal data;
- information provided upon request – about whether data is being processed, and other matters specified in Article 15 of the RODO, including the right to a copy of the data;
- being forgotten;
- limitation of processing;
- obtain copies, rectification, deletion, data portability;
- object to the processing of personal data for marketing or other purposes. The objection can be made by contacting the Administrator;
- not to be subject to a decision based solely on automated processing (including profiling);
- information about a data protection breach;
- withdraw consent to the processing of personal data at any time. The revocation of consent to processing will not affect the lawfulness of processing that was carried out before the revocation;
- lodge a complaint – the complaint is lodged with the supervisory authority, which is the President of the Office for Personal Data Protection (address: Stawki 2, 00-193 Warsaw)
To contact us regarding the implementation of a particular right, please contact us through:
E-mail address: [email protected]
Mailing address: Grudziądzka 110-114/301, 87-100
VI. How we will contact you
We provide information in writing or by other means, including electronically where appropriate. If you request it, we may provide the information orally, as long as we confirm your identity by other means. If you communicate your request electronically, to the extent possible, the information will also be provided electronically, unless you indicate to us another preferred form of communication.
VII. Timeframe to fulfil your request
We strive to provide information promptly – as a rule, within one month of receiving the request.
If necessary, this deadline may be extended by another two months due to the complexity of the request. However, in any case, within one month of receipt of the request we will inform you of the action taken and (if applicable) of the extension, stating the reason for such delay.
We share your data with third parties with your consent or when we are required to do so by law. If we cooperate with entities that process personal data on our behalf, we only use such processors that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protect the rights of data subjects.
We check in detail the entities to which we entrust the processing of your data. We conclude
detailed contracts with them, and we perform periodic checks on the compliance of processing operations with the content of such contracts and the law.
Recipients of your personal data may be:
- third-party processors who process data on our behalf and participate in the performance of our activities:
- entities and authorities authorized to process personal data under the law, banks in case of the need to conduct settlements;
- entities cooperating in marketing campaigns;
- couriers, postal operators;
- entities providing IT and hosting services, as well as operating our ICT systems or providing us with ICT tools;
- entities providing us with legal, tax, accounting assistance;
- training platform provider if you purchase an online course;
- Internet payment provider if you purchase an online course;
- Other data controllers processing data on their own behalf:
- entities that cooperate with us in handling accounting, tax, legal matters – to the extent that they become data controllers,
- the owner of the social network Facebook under the non-amendable data rules set by Facebook available at https://www.facebook.com/about/privacy.
IX. How we protect processing of your personal data
To meet the requirements of the law, we have developed detailed procedures covering such issues as:
- data protection in the design phase and default data protection;
- data protection impact assessments;
- violation notification;
- registering of data processing activities;
- data retention;
- realization of the rights of data subjects;
We regularly review and update our documentation to be able to demonstrate compliance with the requirements of the law in accordance with the principle of accountability formulated in the RODO, but also, out of concern for the interests of data subjects, we strive to incorporate the best market practices.
X. Data retention
We keep personal data in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data are processed. After such a period, we either anonymize the data (deprive it of characteristics that make it possible to identify the person) or delete it. In the retention procedure, we ensure that the storage period of personal data is limited to a strict minimum.
We determine the period of data processing primarily on the basis of legal regulations (e.g., retention time for employee records, accounting documents), as well as the legitimate interest of the Administrator (e.g., marketing activities). The retention policy covers both data processed in paper and electronic form.
We ensure that any person acting under our authority and having access to your personal data processes it only on our instructions, unless otherwise required by European Union or Member State law.
XII. Cookies files
a) Cookies are IT data, in particular text files, which are stored in the Service User’s terminal equipment and are intended for use on the Service’s websites. Cookies usually contain the name of the website from which they originate, the time they are stored on the end device and a unique number.
b) The entity placing cookies on the final device of the Service User and accessing them is the owner of the service.
c) The cookie mechanism is not used to obtain any information about users of the site or to track their navigation. Cookies used on the site do not store any personal data or other information collected from users and are used for statistical purposes.
d) By default, web browsing software (browser) allows cookies on the User’s device on which it is running. In most cases, you can configure the software yourself in this regard, including, among other things, forcing automatic blocking of cookies. Issues related to the configuration of how cookies are handled can be found in the settings of the software (web browser). Please note that the settings of restrictions on the handling of cookies may affect the operation of certain functionalities of the site.
e) Cookies are used for:
- adjustment of the content of the Website’s pages to the User’s preferences and optimization of the use of websites; in particular, these files allow for recognition of the Website User’s device and appropriate display of the website, adjusted to his individual needs;
- creation of statistics that help to understand how the Users of the Website use the websites, which allows to improve their structure and content;
- maintaining the session of the Service User (after logging in), thanks to which the User does not have to re-enter his login and password on each sub-page of the Service;f) The Service uses two main types of cookies: session cookies and persistent cookies. Session cookies are temporary files that are stored on the User’s terminal equipment until the User logs out, leaves the website or shuts down the software (web browser). Permanent cookies are stored on the User’s end device for the time specified in the parameters of the cookies or until they are deleted by the User.
g) The following types of cookies are used within the Service:
„necessary” cookies, to enable the use of services available on the Website, such as authentication cookies used for services that require authentication on the Website;
cookies used to ensure security, used to detect misuse of the Website’s authentication;
“performance” cookies, enabling the collection of information about the use of the Website’s websites;
„functional” cookies, which allow „remembering” the User’s selected settings and personalizing the User’s interface, with regard to the chosen language or region of origin of the User, font size, appearance of the website;
Links to other pages posted on the site. The owner of the website informs that the website contains links to other websites. The owner of the site recommends reading the privacy policies of those sites, as he is not responsible for them.
Securing user data on the Service. The description of technical and organizational security measures is contained in the Security Policy (protection of personal data) of the owner of the service. In particular, the following safeguards are used:
a) The data automatically downloaded by the server is secured through an authentication mechanism for access to the service;
b) The data collected from users during the registration process is secured by SSL protocol and through an authentication mechanism for access to the site;
c) Access to the administration of the service is carried out using an authentication mechanism
XIII. Transfer of personal data to countries outside the European Economic Area
Personal data will not be transferred to third countries or international organizations outside the EEA.
XIV. Personal data will not be transferred to third countries or international organizations outside the EEA.