Gdpr & Aml


Since 25 May 2018 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (text with EEA relevance) has applied. This Regulation is referred to as the "GDPR". According to GDPR we are obligated to provide data subjects with certain information (the "privacy notice"). Please find below our privacy notice for the following categories of data subjects:

  • individuals who are our customers
  • individuals authorized to represent our customers, including, by way of example, management boards members, commercial attorneys-in-fact, agents (collectively referred to as the "Client Representatives")
  • contact persons of our customers
  • individuals who are our suppliers, including, by way of example, legal counsels and advocates contracted by us
  • ndividuals authorized to represent our suppliers, including, by way of example, management boards members, commercial attorneys-in-fact, agents (collectively referred to as the "Supplier Representatives")
  • contact persons of our suppliers

According to the Act of 1 March 2018 on Anti-Money Laundering and Countering Financing Terrorism (the "AML"), in certain situations more fully described in AML, we act as the obligated entity as this term is defined in AML. According to AML, before entering into any business relationship or pursuing any occasional transaction, as the obligated entity, we are obligated to inform our customer of processing his personal data, including, by way of example, of our obligations we have in respect of such processing under AML. Please find below also information AML requires us to provide to our customers.


Data Controller

The controller of personal data is Rysiak Michalik Wójcik Kancelaria Radców Prawnych i Adwokata Sp.j. (law firm acting in a form of partnership). Contact data: ul. Basztowa 23/1, 31-156 Krakow, phone number: +48 429 22 21, e-mail: biuro@wspolnicy.com.


Types of personal data we process

We process the following types of personal data:

Category of data subjects Types of personal data
Individuals - our customers
  • name
  • business name
  • e-mail
  • phone number
  • residential address
  • seat (address) of main place of doing business
  • profession, position, title
  • employer
  • identity card or passport number and other information contained in such document
  • citizenship
  • PESEL number
  • date of birth
  • country of birth
  • tax identification number
  • statistical number
  • bank account number, including IBAN
  • information made available to us in connection with providing legal services, including information concerning health (e.g. personal injuries suffered by our customer), wage, salary, descent
Client Representatives
  • name
  • e-mail
  • phone number
  • profession, position, title
  • employer
  • identity card or passport number and other information contained in such documents
  • PESEL number
  • date of birth
  • country of birth
Contact persons of our customers
  • name
  • e-mail
  • phone number
  • profession, position, title
  • employer
Individuals - our suppliers
  • name
  • business name
  • e-mail
  • phone number
  • seat (address) of main place of doing business
  • tax identification number
  • statistical number
  • bank account number, including IBAN
  • VAT account number
Supplier Representatives
  • name
  • e-mail
  • phone number
  • profession, position, title
  • employer
Contact persons of our suppliers
  • name
  • e-mail
  • phone number
  • profession, position, title
  • employer


How do we collect personal data?

We collect personal data in various ways. We may obtain it directly from data subjects. We may obtain it from employers of data subjects. We may obtain it on the Internet.


What do we need personal data for?

We process personal data for the following purposes and we do so having lawful bases stated below:

Category of data subjects Purposes for processing of personal data Lawful basis for processing of personal data
Individuals - our customers Discussing subject matter of legal services, preparing and sending draft of legal services contract to customer, entering into legal services contract with customer, including detailing our customer as a party to such contract Article 6 Section 1 letter (b) of GDPR
Performing our obligations under legal services contract, including communicating with customer in respect of details concerning legal services, sending timesheet or invoice to customer Article 6 Section 1 letter (b) of GDPR
Issuing invoice, correction invoice, correction note, sending electronic invoice and complying with any other legal obligations we may have under tax law Article 106a and further Articles of Act of 11 March 2004 on Value Added Tax in conjunction with Article 6 Section 1 letter (c) of GDPR
Claiming rights and remedies of customer, securing such rights and remedies, enforcing such rights and remedies and defending customer against third party claims Article 6 Section 1 letter (d) of GDPR, Article 9 Section 1 letter (f) of GDPR
Complying with legal obligations we may have, as the obligated entity, in connection with countering money laundering and financing terrorism (AML) Articles 27, 33, 34, 36 of AML in conjunction with Article 6 Section 1 letter (c) of GDPR
Client Representatives Identifying a person entitled to act in the name of customer, verifying identity and authorization of such person to act in the name of customer Article 34 Section 2 of AML in conjunction with Article 6 Section 1 letter (c) of GDPR
Detailing in legal services contract which we enter into with our customer a person entitled to act in the name of customer. It is necessary to enter into legal services contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR
Communicating in respect of all matters related to legal services, including discussing details concerning legal services, sending timesheet. It is necessary to perform our obligations under legal services contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR
Contact persons of our customer Communicating in respect of all matters related to legal services, including discussing details concerning legal services, sending timesheet, applying for PO number. It is necessary to perform our obligations under legal services contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR
Individuals - our suppliers Discussing subject matter of contract we intend to enter into with our supplier, including contract of sale, license agreement, service contract, legal services contract, preparing and sending a draft of such contract to supplier, entering into such contract with supplier, detailing supplier as a party to such contract Article 6 Section 1 letter (b) of GDPR
Communicating with supplier in connection with the performance of supplier's contract, performing our obligations under supplier's contract, including, paying price, remuneration Article 6 Section 1 letter (b) of GDPR
Complying with split payment mechanism Article 108a and further Articles of Act of 11 March 2004 of Value Added Tax in conjunction with Article 6 Section 1 letter (c) of GDPR
Supplier Representatives Detailing in supplier's contract which we enter into with our supplier a person entitled to act in the name of supplier. It is necessary to enter into supplier's contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR
Communicating in connection with the performance of supplier's contract, including pursuing complaints, notifying errors, and providing supplier with information which it may need to perform its obligations to us. It is necessary to obtain by us services or goods supplier is obligated to provide to us under supplier's contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR
Contact persons of our suppliers Communicating in connection with the performance of supplier's contract, including pursuing complaints, notifying errors, and providing supplier with information which it may need to perform its obligations to us. It is necessary to obtain by us services or goods supplier is obligated to provide to us under supplier's contract and it constitutes legitimate interest we rely on when processing of personal data Article 6 Section 1 letter (f) of GDPR


Obligations we have under AML and AML-related purposes for processing of personal data

According to AML we are obligated, by way of example and not as an exhaustive list, to:

  • identify and assess risks connected with money laundering and financing terrorism (their level),
  • prepare risk assessment and update it,
  • document risk we have identified,
  • use with respect to our customer financial security measures, including identify our customer and verify his identity, identify beneficial owner and verify his identity, regularly monitor business relationships of our customer,
  • determine circumstances and context of the pursued transactions,
  • determine whether customer is a politically exposed person,
  • determine origin of customer's wealth and origin of assets which are to be disposed of by customer
  • provide General Officer of Financial Information with certain information and notifications (also using legal counsels or advocates bar association), including in respect of circumstances that may justify allegation that an offense of money laundering or financing terrorism has been committed, or when we reasonably believe that a particular transaction or a particular asset may be linked to money laundering or financing terrorism. However, we our exempted from this obligations if and on each occasion that we obtain information about our customer in connection with litigation, when we defend our customer in litigation, when we provide our customer with legal services for the purposes to initiate litigation or to avoid litigation, regardless of a time we obtain such information,
  • give to General Officer of Financial Information an access to certain information and documents in our possession, including information and documents concerning our customer,
  • suspend transaction in situations more fully described in AMP,
  • use special restriction measures more fully described in AMP,
  • give to auditors/controllers an access to documents, materials and information we possess to enable them to perform their duties.

When complying with the above referred obligations, we may process personal data. When we do so, we process personal data for the purposes to comply with such obligations.


To whom do we disclose personal data?

We disclose personal data to various groups of third parties. For instance, we disclose personal data to legal counsels and advocates contracted by us, third party suppliers that provide us with services in respect of maintenance, reparation, updating of our IT systems, accountants, couriers, financial information authorities, including General Officer of Financial Information, legal counsels or advocates bar associations, auditors/controllers.
We do not transfer personal data to third countries.
We do not make decisions in an automated manner, including we do not profile individuals.


How long do we retain personal data?

We specify below retention periods for processing by us of personal data.
Please notice that if and to the extent two or more retention periods apply to personal data, we retain such personal data for the longest retention period.

Category of data subjects Group of personal data Retention period
Individuals - our customers and Clients Representatives Personal data processed by when we comply with our obligations under AML, including personal data contained in documents and their copies received by us as a result of using financial security measures, evidences of the completed transactions, register of transactions, documents and their copies needed to identify transactions 5 years as from the date of expiration or termination of business relationship with our customer or the date of completion of occasional transaction
Personal data contained in the results of regular analysis of the completed transactions which we conduct under AML 5 years as from the date of completion of analysis
Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is related to litigations 10 years as from the date our participation in litigation in connection with which personal data is processed has been ended
Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is not related to litigations, including in connection with preparation of legal documents, conducting negotiations 6 years as from the end of year in which our legal services have been completed
Personal data contained in books and records with respect to contracts, claims sued in the court, including stated on invoices 5 years as from the beginning of year immediately subsequent to year in which contract has been finally completed or settled, claims have became time-barred, or litigation has been finally ended
Other personal data 6 years as from the end of year in which our legal services have been completed
Contact persons of our customers Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is related to litigations 10 years as from the date our participation in litigation in connection with which personal data is processed has been ended
Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is not related to litigations, including in connection with preparation of legal documents, conducting negotiations 6 years as from the end of year in which our legal services have been completed
Other personal data 6 years as from the end of year in which our legal services have been completed
Individuals - our suppliers and Suppliers Representatives Personal data contained in books and records with respect to contracts, claims sued in the court, including stated on invoices 5 years as from the beginning of year immediately subsequent to year in which contract has been finally completed or settled, claims have became time-barred, or litigation has been finally ended
Personal data contained in contracts, protocols, complaints, error notifications 3 years from the end of year in which contract has been finally completed or settled
Contact persons of our suppliers All personal data 3 years from the end of year in which contract has been finally completed or settled


Object to our processing of personal data

In circumstances where we rely on legitimate interest when processing of personal data, data subject may at any time OBJECT TO such processing in certain circumstances. It may be done on grounds relating to particular, personal situation of data subject. However, we may still process personal data if and to the extent we prove substantial lawful grounds which outweigh rights, interests and freedoms of data subject, or if and to the extent we process personal data for the purposes of claiming rights or remedies or defence.
Such right is not available with respect to personal data obtained by us in connection with the provision of legal services.


Other rights available under GDPR

Data subject may require us to erase his personal data without undue delay (right to be forgotten). Such right can be exercised in circumstance more fully described in GDPR, for example, if and to the extent we do not need personal data for the purposes we have processed it any longer.
Data subject has also the right:

  • to access to his personal data, including the right to obtain from us confirmation that we process his personal data, the right to assess to his personal data and to receive supplementary information or copy of personal data, however, only to the extent we do not breach our confidentiality obligations as legal counsels or advocates when responding to data subject's request (e.g. by giving him access to his personal data);
  • to have his inaccurate personal data rectified, or completed if it is incomplete;
  • to request the restriction of his personal data, however, this right applies only in limited circumstances described in GDPR (e.g. if he questions correctness of his personal data we process), and this right applies only to the extent we do not breach our confidentiality obligations as legal counsels or advocates when responding to data subject's request;
  • to request us to record his personal data in electronic data file, in commonly used format (e.g. .docx), in organized manner, and to transfer it to a controller specified by him (right to data portability), however, only if, for example, we process his personal data to perform a contract and in an automated manner;
  • to complain to President of the Personal Data Protection Office or to any other supervisory authority when he believes that we violate personal data protection law when processing his personal data.

In the event that data subject wishes to exercise any of those rights, he shall send us an e-mail to the e-mail address indicated above, with a content that would help us determine what his expectations are.


Statutory or contractual obligation to disclose to us personal data

There is no legal (statutory) obligation to disclose personal data to us.
We cannot enter into a contract until and unless personal data has not been disclosed to us. Accordingly, any failure to disclose to us personal data will result in refusing by us to enter into a contract.
Data subject has not any contractual obligation to disclose to us his personal data. However, data subject may have such obligation to any other third party (e.g. his employer) due to his position or title. In such circumstances, his failure to disclose to us his personal data may result in his failure to perform his professional duties.