Dear Sir or Madam,
in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of individuals with regard to the processing of personal data and on the
free movement of such data and repealing Directive 95/46 / EC (GDPR), we would like to inform
you that the Controller of your personal data is the AUDYTORZY I DORADCY Spółka z o.o.
[Ltd.] 29 Mickiewicza Street 40-085 Katowice, KRS: 0000260564, NIP: 9542563170, E-mail
address for contact: firstname.lastname@example.org.
Personal data – means any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;
Processing – means any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction;
Restriction of processing – means the marking of stored personal data with the aim of limiting their
processing in the future;
Profiling – means any form of automated processing of personal data consisting of the use of
personal data to evaluate certain personal aspects relating to a natural person, in particular to
analyse or predict aspects concerning that natural person’s performance at work, economic situation,
health, personal preferences, interests, reliability, behaviour, location or movements;
Pseudonymisation – means the processing of personal data in such a manner that the personal data
can no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified or
identifiable natural person;
Controller – means the natural or legal person, public authority, agency or other body which, alone
or jointly with others, determines the purposes and means of the processing of personal data; where
the purposes and means of such processing are determined by Union or Member State law, the
controller or the specific criteria for its nomination may be provided for by Union or Member State
Processor – means a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller;
Recipient – means a natural or legal person, public authority, agency or another body, to which the
personal data are disclosed, whether a third party or not. However, public authorities which may
receive personal data in the framework of a particular inquiry in accordance with Union or Member
State law shall not be regarded as recipients; the processing of those data by those public authorities
shall be in compliance with the applicable data protection rules according to the purposes of the
Third party – means a natural or legal person, public authority, agency or body other than the data
subject, controller, processor and persons who, under the direct authority of the controller or
processor, are authorised to process personal data;
Consent – of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach – means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
Main establishment – means an independent public authority which is established by a Member
State. Each Member State shall provide for one or more independent public authorities to be
responsible for monitoring the application of this Regulation, in order to protect the fundamental
rights and freedoms of natural persons in relation to processing and to facilitate the free flow of
personal data within the Union;
B. Principles relating to processing of personal data
1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to
the data subject.
2. Personal data shall be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed.
3. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having regard to the purposes
for which they are processed, are erased or rectified without delay.
4. Personal data shall be kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal data are processed.
5. Personal data shall be processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational
The controller is responsible for compliance with the above-mentioned provisions and must also be
in able to demonstrate compliance.
C. Lawfulness of processing
1. Processing is lawful, the data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
2. Processing is lawful, processing is necessary for the performance of a contract to which the
data subject is party or in order to take steps at the request of the data subject prior to
entering into a contract.
3. Processing is lawful, processing is necessary for compliance with a legal obligation to which
the controller is subject.
4. Processing is lawful, processing is necessary in order to protect the vital interests of the data
subject or of another natural person.
5. Processing is lawful, processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which require protection
of personal data.
D. Compliance with the law of personal data processing
Where processing is based on consent, the controller shall be able to demonstrate that the data
subject has consented to processing of his or her personal data.. The data subject shall have the right
to withdraw his or her consent at any time. The withdrawal of consent shall not affect the
lawfulness of processing based on consent before its withdrawal.
E. Rights of the data subject
1. Transparent information, communication and modalities for the exercise of the rights of the
data subject. The controller shall take appropriate measures to ensure that concise,
transparent, understandable and easily accessible form, in clear and simple language
communication on the processing of personal data, the person to whom the personal data
2. The data subject shall have the right to obtain from the controller confirmation as to whether
or not personal data concerning him or her are being processed, and, where that is the case,
access to the personal data and the following information: the purposes of the processing;
the categories of personal data concerned; informacje o odbiorcach lub kategoriach
odbiorców, którym dane osobowe zostały lub zostaną ujawnione, w szczególności o
odbiorcach w państwach trzecich lub organizacjach międzynarodowych; where possible, the
envisaged period for which the personal data will be stored, or, if not possible, the criteria
used to determine that period; the existence of the right to request from the controller
rectification or erasure of personal data or restriction of processing of personal data
concerning the data subject or to object to such processing; the right to lodge a complaint
with a supervisory authority; where the personal data are not collected from the data subject,
any available information as to their source; the existence of automated decision-making,
3. The controller shall provide a copy of the personal data undergoing processing.
4. The data subject shall have the right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her. Taking into account the
purposes of the processing, the data subject shall have the right to have incomplete personal
data completed, including by means of providing a supplementary statement.
5. In the cases specified in the GDPR Regulation, the data subject shall have the right to obtain
from the controller the erasure of personal data concerning him or her without undue delay
and the controller shall have the obligation to erase personal data without undue delay.
6. In the cases specified in the GDPR Regulation, the data subject shall have the right to obtain
from the controller restriction of processing.
7. The controller shall communicate any rectification or erasure of personal data or restriction
of processing each recipient to whom the personal data have been disclosed, unless this
proves impossible or involves disproportionate effort. The controller shall inform the data
subject about those recipients if the data subject requests it.
8. In the cases specified in the GDPR Regulation, the data subject shall have the right to
receive the personal data concerning him or her, which he or she has provided to a
controller, in a structured, commonly used and machine-readable format and have the right
to transmit those data to another controller without hindrance from the controller to which
the personal data have been provided.
9. The data subject shall have the right to object, on grounds relating to his or her particular
situation, at any time to processing of personal data concerning him or her which is based on
point (e) or (f) of Article 6(1), including profiling based on those provisions.
10. The data subject shall have the right to lodge a complaint with the designated supervisory
Full text of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of data
personal data and on the free movement of such data and repealing Directive 95/46 / EC (General
Data Protection Regulation).
quality. If you do not allow cookies, you can set the appropriate settings in your browsers for this