Personal data privacy policy (GDPR)

Effective as of 2024-01-01

The purpose of this Policy is to provide users of Koda’s services or websites (collectively, the “Services”) with information on the scope of personal data processed.

The administrator of the personal data provided during the use of the Online Service operated under the name of koda-advisory.pl is Koda Advisory Sp. z o.o., based in Warsaw (03-291), 124/94 Św. Wincentego Street, KRS: 0000995600, REGON: 523324516, NIP: 5242952126, e-mail: rodo@koda-advisory.pl.

Data shall be processed in accordance with currently applicable laws; i.e. Regulation 2016/679 of the European Parliament and of the Council of the EU of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (hereinafter: RODO), the Data Protection Act of May 10, 2018, as well as the Act of July 18, 2002 on the provision of electronic services.

The following Privacy Policy covers the rules for processing the data of Site Users, of persons entering into contracts with the Data Controller, of persons whose data is collected through contact with the Data Controller (e-mail address or telephone) or traditional correspondence, and of persons who like and/or observe the Administrator’s fanpage on social media, if it maintains one.

2. Relevant definitions

The following definitions are used in this policy:

Service – an Internet service available at koda-advisory.pl, through which the User can: browse its content (blog), contact the data controller (contact form), order commercial and marketing information (newsletter).

Personal data controller – the entity that decides on the purpose and means of data processing, in this policy it is understood as: Koda Advisory Sp. z o.o., based in Warsaw (03-291), 124/94 Św. Wincentego Street, KRS: 0000995600, REGON: 523324516, NIP: 5242952126, e-mail: rodo@koda-advisory.pl.

User – an individual to whom the data pertains and who uses the services available on the Website.

Personal Data – any information that, without excessive time and cost, can lead to the identification of an individual, including his/her identification, address and contact information.

Third countries – countries outside the European Economic Area (EEA).

3. Purposes of personal data processing

The Data Controller shall process personal data only when permitted by currently applicable laws, including for the purpose of:

a/ to take action at the request of the data subject, including responding to inquiries made via electronic means of communication or for the purpose of handling traditional correspondence, and this processing is carried out on the basis of Article 6(1)(b) of the RODO,

b/ sending ordered marketing information by electronic means (newsletter) to the e-mail address provided by the User for this purpose, and this processing takes place on the basis of Article 6(1)(a) RODO, i.e. the consent of the data subject,

c/ marketing of the Controller’s own products and services by traditional means, on the basis of Article 6(1)(f) RODO, i.e. for the purpose of realizing the legitimate interests of the Controller or the data subject,

d/ the assertion of rights and claims by the Data Controller or the data subject, on the basis of Article 6(1)(f) RODO, and is done for a legitimate purpose,

e/ to carry out the recruitment process for the position applied for, including contacting the candidate in order to organize and conduct a recruitment interview (based on Article 6(1)(a) of the RODO and no longer than necessary until the recruitment process is completed),

f/ fulfillment of obligations under applicable laws related to the employment process, in particular the Labor Code (on the basis of Article 6(1)(c) of the RODO and for no longer than necessary for the full realization of the purposes of processing in connection with employment),

g/ realization of our legitimate interests (on the basis of Article 6(1)(f) RODO), i.e. investigation of possible claims, archiving for the purpose of protecting our legal interest (for no longer than necessary for the full realization of these purposes).

Providing your email address is necessary for the purpose of sending content in the form of a newsletter. Provision of personal data in other respects is voluntary. Provision of personal data by applicants for employment or recommended for employment is voluntary, but necessary for them to participate in the recruitment process.

4. Ways of obtaining data

User’s personal data is collected directly from data subjects, i.e. through:

a/ filling out the newsletter subscription form,

b/ direct contact with the data controller via contact details available on the website or in traditional form at the place of business.

5. Scope of data processing

The scope of personal data processed has been limited to the minimum necessary for the provision of services in terms of:

a/ submitting an inquiry through the contact form or by means of the contact details available on the website: e-mail address, telephone number, first and last name, any other data voluntarily provided by the data subject,

b/ to subscribe to the newsletter: e-mail address,

c/ enrollment in the recruitment process: first and last name, e-mail address, telephone number, LinkedIn profile.

6. Period of data processing

The period of data processing depends on the purpose for which the data were collected and is:

a/ for the purpose of sending commercial information by electronic means (newsletter) – until the consent is revoked, without affecting the compatibility of the processing performed before its revocation,

b/ for the period necessary to answer a question asked via a contact form or by telephone, but no longer than for 6 months, unless the person decides to conclude a contract with the Personal Data Administrator,

c/ for the purpose of asserting claims, pursuant to Article 118 of the Act of April 23, 1964 – Civil Code. Unless a special provision provides otherwise, the statute of limitations is six years, and for claims for periodic benefits and claims related to the conduct of business – three years.

7. Recipients of data

The User’s personal data may be entrusted to other entities for the purpose of performing services on behalf of the data controller, in particular to entities in the field of:

a/ website hosting,

b/ service and maintenance of IT systems in which the data are processed, including for the purpose of newsletter automation.

The User’s personal data may also be shared with entities supporting the data controller, including entities performing courier and postal services, newsletter maintenance, CRM system maintenance, email system maintenance, email backup, Office 365 environment maintenance.

User’s personal data will be processed by suppliers whose headquarters and/or servers are located in a third country, i.e. the United States of America (USA). The transfer of data to the U.S. is based on the decision of the European Commission dated July 10, 2023, stating the adequate level of protection of personal data provided by the so-called “EU-U.S. Data Privacy Framework” with respect to suppliers listed by the U.S. Department of Commerce, such as:

a/ Microsoft Corporation, One Microsoft Way Redmond, WA 98052-7329 USA,

b/ Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Meta Platforms, Inc., Menlo Park, California, USA.

8. Fanpage of the Data Controller in social media

The data controller is also at the same time the co-controller of the data of its observers in social media – especially those who use electronic means of communication on the fanpage – Facebook “@Koda.Advisory” or LinkedIn under the account name “Koda. Taxes | Accounting | Payroll”, maintained by the Data Controller on these social networks.

For the rest, the data controller of the Users of these social networks is, respectively, Meta Platforms, Inc. (formerly: Facebook Inc., headquartered at 1 Hacker Way, Menlo Park, CA 94025, USA) and Microsoft Corporation, One Microsoft Way Redmond, WA 98052-7329 USA, and the processing of such data is carried out in accordance with the terms and conditions described in the rules and privacy policies of the users of these sites, including at: https://www.facebook.com/privacy and at https://www.linkedin.com/legal/privacy-policy?_l=pl_PL.

Personal data of the User who likes and/or observes the Administrator’s fanpage on social media will be processed outside the European Economic Area in a so-called third country, in particular in the United States of America in connection with the use of IT solutions whose servers are located outside the European Economic Area.

Your personal data will be processed in a third country, i.e. the United States of America (USA). The transfer of data to the USA is based on the decision of the European Commission dated July 10, 2023, finding an adequate level of protection of personal data provided by the so-called “EU-US Data Privacy Framework” with respect to providers listed by the US Department of Commerce, such as Meta Platforms, Inc., Menlo Park, California, USA and Microsoft Corporation, One Microsoft Way Redmond, WA 98052-7329 USA.

9. Rights of personal data subjects

Data subjects have the following rights:

a/ to access the content of personal data, including receiving a first copy of the content of personal data free of charge,

b/ to correct the data,

c/ the right to erasure of data, unless other legal provisions apply that oblige the data controller to archive data for a certain period of time,

d/ the right to data portability, insofar as the basis for data processing is a contract or the consent of the data subject, and data processing is carried out by automated means,

e/ to revoke consent to the processing of personal data – if the basis for such processing was the consent of the data subject. Revocation of consent shall not affect the compliance of the processing carried out before its withdrawal,

f/ to object, on grounds related to the data subject’s particular situation, to the processing of personal data concerning the data subject based on Article 6(1)(e) or (f) of the RODO, as well as the right to restrict processing,

g/ the right not to be subject to automated profiling if the controller would make decisions based solely on automated profiling that have legal consequences for, or similarly affect, the data subject,

h/ the right to control the processing of data and to be informed about who the data controller is, as well as to obtain information about the purpose, scope and manner of data processing, the content of the data, the source of the data, and the manner of sharing, including the recipients or categories of recipients of the data.

In order to exercise the right to information, access to the content of the data, correction of the data, as well as other rights, the Data Controller may be contacted.

The data subject also has the right to lodge a complaint with the Office for Personal Data Protection (OPA) if the processing of data violates the provisions of the General Data Protection Regulation (GDPR). The complaint may be filed electronically or by mail to: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw.

10. Final provisions

In the event of a change in the applicable privacy policy, particularly if required by the technical solutions used or changes in the law regarding the privacy of data subjects, appropriate modifications will be made to this Privacy Policy, which will be effective within 14 days of their publication on the Website.