Privacy policy

POLICY ON THE PROCESSING OF PERSONAL DATA AT MFW FIAŁEK Kancelaria Radcy Prawnego Mirosław Krzysztof Fiałek

I. Personal data administrator

  1. The personal data administrator covered by the following policy is the law firm MFW FIAŁEK Kancelaria Radcy Prawnego Mirosław Krzysztof Fiałek with its registered office in Warsaw at Aleje Jerozolimskie 44, 00-024 Warsaw (hereinafter the Administrator or the Law Firm).
  2. This policy defines the rules the Administrator’s processing of the following personal data:
    • the personal data of persons who contact the Administrator by phone, e-mail, or traditional correspondence and whom the Administrator contacts by phone, e-mail, or traditional correspondence in any matter, and who are not candidates for employment or cooperation, clients, contractors of the Administrator, or contact persons thereof;
    • the personal data of the Administrator’s contractors or clients;
    • the personal data of candidates for employment or cooperation with the Administrator participating in recruitment processes or submitting applications, regardless of the recruitment conducted;
    • personal data provided to the Administrator during meetings, conferences (e.g. in the form of business cards);
    • the personal data of employees and associates of the Administrator’s contractors and clients (i.e. contact persons);
    • the personal data of subscribers to the Law Firm’s newsletter.
  3. You can contact the Administrator by e-mail at office@mfwfialek.com, by phone at +48 22 411 11 00, or by post to the address: MFW FIAŁEK Kancelaria Radcy Prawnego Mirosław Krzysztof Fiałek, Widok Towers, Aleje Jerozolimskie 44, 00-024 Warsaw, Poland.
  4. The Administrator collects and processes personal data in connection with its business activity and processes such data in accordance with the provisions of law, including the provisions of the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR).
  5. The rules for the Administrator’s processing of personal data in connection with contracts concluded or legal services rendered are provided to the relevant data subjects separately.
  1. The personal data of persons who contact the Administrator by phone, e-mail, contact form available on the Administrator’s website, or traditional correspondence, provided during a telephone conversation or included in such correspondence, as well as the data of persons whom the Administrator contacts by phone, e-mail, or traditional correspondence in any matter, and who are not candidates for employment or cooperation, clients, or contractors of the Administrator, or contact persons thereof, are processed only for the purpose of conducting such conversation or correspondence and settling the matter constituting the subject of the conversation or correspondence or, respectively, to establish or conduct cooperation and relations as part of business activity, which constitutes the legitimate interest of the Administrator and a legal basis for such processing (Article 6 (1) (f) of the GDPR).
  2. The personal data of the Administrator’s clients and contractors are processed in order to establish cooperation, conclude and perform contracts, settle contracts, conduct correspondence related to such contracts, defend against or pursue potential claims, fulfil legal obligations (e.g. tax or accounting), and in order to establish and maintain business relationships. The legal bases for the processing of personal data for these purposes are the necessity of such processing to perform contracts or to take action at the request of the data subjects prior to the conclusion of contracts (Article 6 (1) (b) of the GDPR), legitimate interest in the form of conducting correspondence, establishing and maintaining business relationships, and defending against or pursuing potential claims (Article 6 (1) (f) of the GDPR), and fulfilling legal obligations (Article 6 (1) (c) of the GDPR).
  3. The personal data of candidates for employment or cooperation with the Administrator who are participating in recruitment processes or providing the Administrator with their applications, regardless of the recruitment conducted, are processed for the purpose of conducting the recruitment process, assessing candidates and their abilities and qualifications, and selecting a candidate or candidates for employment or cooperation. If a given candidate provides separate consent, his or her data shall also be processed in order to invite such candidate to participate in future recruitment processes and to conduct such processes with his or her participation.
  4. The legal bases for personal data processing for the purpose specified in point 3 above are:
    • legal provisions (in particular Article 221 of the Labour Code) regarding the processing of the following personal data of an employment candidate for the needs of the current recruitment process: name(s) and surname, parents’ names, date of birth, place of residence (correspondence address), ID number (PESEL), educational status, course of previous employment (Article 6 (1) (c) of the GDPR);
    • the consent of the employment applicant regarding the processing of personal data beyond the data listed in the point 2.4 (a) above for the purposes of the current recruitment process and a separate consent to the processing of data for the purposes of conducting future recruitment processes (Article 6 (1) (a) of the GDPR)
    • the consent of the candidate for cooperation with the Administrator on the basis of a civil law contract to the processing of personal data for the needs of the ongoing recruitment process and a separate consent to the processing of data for the purposes of conducting future recruitment processes (Article 6 (1) (a) of the GDPR);
    • the Administrator’s legitimate interest within the scope of data provided in the course of the recruitment process, e.g. during job interviews, which is the ability to assess candidates and their abilities and qualifications and to selecting a candidate or candidates for employment or cooperation (Article 6 (1) (f) of the GDPR).
  5. Personal data provided to the Administrator during meetings and conferences (e.g. in the form of business cards) are processed in order to build a network of business and professional contacts, to be able to maintain contact with the data subject, e.g. in connection with the potential for future cooperation, and to exchange knowledge and information, which constitutes the Administrator’s legitimate interest and the legal basis for this processing (Article 6 (1) (f) of the GDPR).
  6. The personal data of employees or associates of the Administrator’s contractors and clients (i.e. contact persons) are processed in order to maintain contact with contractors and clients in connection with ongoing matters regarding, inter alia, the performance of contracts between the Administrator and its contractors or clients, cooperation, receiving and submitting orders, and answering queries, which constitutes the Administrator’s legitimate interest and the legal basis for such processing (Article 6 (1) (f) of the GDPR).
  7. The data of subscribers to the Law Firm’s newsletter are processed in order to provide information about news regarding the Administrator’s activities and to market its services, to the extent allowed by relevant provisions governing the activities of legal advisers and attorneys, which constitutes the Administrator’s legitimate interest and the legal basis for this processing (art. 6 (1) (f) of GDPR).
  8. The Administrator may process the personal data covered by this policy using IT systems (e.g. in connection with the use of e-mail), which means that such data may also be temporarily stored in order to ensure the proper functioning of such systems as well as the security of the systems and the data, e.g. in connection with making backups, which constitutes the Administrator’s legitimate interest and the legal basis for this processing (Article 6 (1) (f) of the GDPR).
  9. All consents to the processing of data by the Administrator may be withdrawn at any time, which, however, does not affect the lawfulness of the processing conducted before such consent is withdrawn.

III. PERSONAL DATA RECIPIENTS

  1. The personal data processed by the Administrator may be disclosed to external entities providing services to the Administrator on the basis of contracts concluded therewith. These may be, inter alia: entities providing accounting or IT services, marketing agencies, recruitment companies, couriers, suppliers of software used by the Administrator in its current operations, etc.
  2. Personal data may also be transferred to other entities on the basis of separate legal provisions.
  3. The personal data processed by the Administrator may, exceptionally and only to the extent necessary, be transferred to the Administrator’s partners which process such data outside the European Economic Area, e.g. in connection with the provision of IT services by such entities to the Administrator, including cloud-based services. The security of personal data is ensured by the appropriate security measures applied by the Law Firm, including standard contractual clauses approved by the European Commission.

IV. PERSONAL DATA PROCESSING PERIOD

  1. Personal data processed by the Administrator in connection with communicating with data subjects by phone, e-mail, or traditional correspondence as well as the personal data of persons whom the Administrator contacts by phone, e-mail, or traditional correspondence in any matter are processed for the duration of the Administrator’s legitimate interest, i.e. until the matter related to the telephone conversation or correspondence is resolved, or for the duration of a given relationship as part of business activity.
  2. Clients’ personal data are processed for the duration of the contract or the implementation of a given order, and then until the expiry of the limitation period for claims related to the contract to which the processing of such data is related. In the case of personal data processed in connection with the professional practice of a legal advisor or attorney, such data is processed for a period of 10 years from the end of the year in which the proceedings or the case in which the personal data were collected ended.
  3. The personal data of the Administrator’s contractors are processed for the duration of the contract or the implementation of a given order, and then until the expiry of the limitation period for claims related to the contract to which the processing of such data is related.
  4. The personal data of candidates for employment or cooperation with the Administrator who are participating in a recruitment process are processed for the duration of such recruitment process. If a candidate has consented to the processing of his or her personal data for the purposes of future recruitment, these data will be processed for a period of 3 years following their collection by the Administrator.
  5. Personal data provided to the Administrator during meetings and conferences (e.g. in the form of business cards) are processed for the duration of the Administrator’s legitimate interest which is the basis for such processing.
  6. The personal data of employees and associates of the Administrator’s contractors and clients (i.e. contact persons) provided to the Administrator are processed for the duration of the Administrator’s legitimate interest which is the basis for such processing (e.g. for the duration of the contract to which the processing of such personal data is related) and then until the expiry of the limitation period for claims related to the contract to which the processing of this data is related.
  7. The personal data of subscribers to the Law Firm’s newsletter provided to the Administrator are processed for the duration of the Administrator’s legitimate interest which is the basis for such processing or until the data subject has withdrawn his or her consent.
  8. In the case of personal data processed on the basis of consent, the Administrator shall also cease to process such data in such case as the data subject withdraws his or her consent.
  9. Moreover, personal data processed on the basis of the Administrator’s legitimate interest shall cease to be processed after the data subject has objected to processing.
  10. The data processed using IT systems are also processed for the duration of the Administrator’s legitimate interest, which is to ensure the proper functioning of the systems as well as the security of the systems and the data.
  11. The data processing period may also be extended if the processing of such data is necessary to pursue or defend against claims – until the expiry of the limitation period, and then within the period specified by law.

V. RIGHTS OF DATA SUBJECTS

  1. The persons whose personal data are processed by the Administrator have the following rights:
    • the right to receive information about the processed personal data, to access such data, and to obtain a copy thereof;
    • the right to request the correction of incorrect personal data;
    • the right to request the deletion of personal data, e.g. if such data are no longer necessary for the purposes for which they were collected or if the data subject has withdrawn his or her consent to processing;
    • the right to request the restriction of processing, e.g. in the event that the correctness of the data is questioned, for a period allowing the Administrator to verify their correctness
    • the right to object at any time to the processing of data by the Administrator for marketing purposes and to the processing of data on the basis of the Administrator’s legitimate interest;
    • the right to transfer data, i.e. to receive his or her personal data in a structured, commonly used machine-readable format and to request that the personal data be sent to another administrator, if technically possible; this right applies only to data processed on the basis of consent or contract and only to the extent that these data are processed in an automated manner;
    • the right to lodge a complaint with the supervisory authority, i.e. the Director of the Personal Data Protection Office.
  2. In addition, in the case of the processing of data on the basis of the consent of the data subject, such person has the right to withdraw consent at any time, which, however, does not affect the lawfulness of the processing conducted before such withdrawal.
  3. In order to exercise their rights, the data subject should contact the Administrator. Contact details are provided in section 1.3. of this policy.
  4. The Administrator points out that the ability to exercise the rights set out in point 5.1 may depend on the occurrence of certain circumstances specified in the provisions of the GDPR. Detailed information in this scope is provided by the Administrator.
  5. The Administrator also notes that the provisions of art. 15 (1) and (3), art. 18, and art. 19 of the GDPR, i.e. the right to receive information about processed personal data, to access such data, to obtain a copy thereof, the right to request the restriction of processing, and the obligation to inform each recipient about the rectification or removal of personal data or the restricted processing thereof are performed by the Administrator in to the extent that such rights and obligations do not violate the obligation of professional secrecy. The provision of art. 21 (1) GDPR, i.e. the right to object, does not apply to personal data obtained by the Administrator in connection with the provision of legal assistance.

VI. SOURCE OF PERSONAL DATA

  1. The Administrator most often receives personal data directly from the data subject, e.g. in recruitment documentation or on a business card.
  2. In the case of some data subjects, e.g. employees or associates of the Administrator’s contractors and clients (contact persons), personal data was obtained directly from these persons or from the entities they represent, e.g. from their employers, entities to which they provide services, or entities with which they cooperate in a different way, or from entities with whom the data subject and the Administrator both cooperate. The scope of this data usually includes the name, surname, telephone number, e-mail address, position, workplace, and information on the scope of duties or activities performed for the benefit of the contractor or client. Detailed information in this scope is provided by the Administrator..

VII. INFORMATION ABOUT THE OPTIONAL OR OBLIGATORY PROVISION OF PERSONAL DATA

  1. Providing the personal data referred to in this information is voluntary, however, their provision and processing is necessary to achieve the purposes for which these data are processed, as set out in point 2 above.

VIII. CHANGES AND UPDATES OF INFORMATION

  1. This information is regularly verified and updated by the Administrator. Any and all changes will be published on the Administrator’s website: https://mfwfialek.com/.