Rysiak Michalik Wójcik

Gdpr & Aml

Since 25 May 2018 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (text with EEA relevance) has applied. This Regulation is referred to as the "GDPR". According to GDPR we are obligated to provide data subjects with certain information (the "privacy notice"). Please find below our privacy notice for the following categories of data subjects:

individuals who are our customers
individuals authorized to represent our customers, including, by way of example, management boards members, commercial attorneys-in-fact, agents (collectively referred to as the "Client Representatives")
contact persons of our customers
individuals who are our suppliers, including, by way of example, legal counsels and advocates contracted by us
ndividuals authorized to represent our suppliers, including, by way of example, management boards members, commercial attorneys-in-fact, agents (collectively referred to as the "Supplier Representatives")
contact persons of our suppliers

According to the Act of 1 March 2018 on Anti-Money Laundering and Countering Financing Terrorism (the "AML"), in certain situations more fully described in AML, we act as the obligated entity as this term is defined in AML. According to AML, before entering into any business relationship or pursuing any occasional transaction, as the obligated entity, we are obligated to inform our customer of processing his personal data, including, by way of example, of our obligations we have in respect of such processing under AML. Please find below also information AML requires us to provide to our customers.

Data Controller

The controller of personal data is Rysiak Michalik Wójcik Kancelaria Radców Prawnych i Adwokata Sp.j. (law firm acting in a form of partnership). Contact data: ul. Basztowa 23/6, 31-156 Krakow, phone number: +48 429 22 21, e-mail: biuro@wspolnicy.com.

Types of personal data we process

We process the following types of personal data:

Category of data subjects	Types of personal data
Individuals - our customers	name business name e-mail phone number residential address seat (address) of main place of doing business profession, position, title employer identity card or passport number and other information contained in such document citizenship PESEL number date of birth country of birth tax identification number statistical number bank account number, including IBAN information made available to us in connection with providing legal services, including information concerning health (e.g. personal injuries suffered by our customer), wage, salary, descent
Client Representatives	name e-mail phone number profession, position, title employer identity card or passport number and other information contained in such documents PESEL number date of birth country of birth
Contact persons of our customers	name e-mail phone number profession, position, title employer
Individuals - our suppliers	name business name e-mail phone number seat (address) of main place of doing business tax identification number statistical number bank account number, including IBAN VAT account number
Supplier Representatives	name e-mail phone number profession, position, title employer
Contact persons of our suppliers	name e-mail phone number profession, position, title employer

How do we collect personal data?

We collect personal data in various ways. We may obtain it directly from data subjects. We may obtain it from employers of data subjects. We may obtain it on the Internet.

What do we need personal data for?

We process personal data for the following purposes and we do so having lawful bases stated below:

Category of data subjects	Purposes for processing of personal data	Lawful basis for processing of personal data
Individuals - our customers	Discussing subject matter of legal services, preparing and sending draft of legal services contract to customer, entering into legal services contract with customer, including detailing our customer as a party to such contract	Article 6 Section 1 letter (b) of GDPR
	Performing our obligations under legal services contract, including communicating with customer in respect of details concerning legal services, sending timesheet or invoice to customer	Article 6 Section 1 letter (b) of GDPR
	Issuing invoice, correction invoice, correction note, sending electronic invoice and complying with any other legal obligations we may have under tax law	Article 106a and further Articles of Act of 11 March 2004 on Value Added Tax in conjunction with Article 6 Section 1 letter (c) of GDPR
	Claiming rights and remedies of customer, securing such rights and remedies, enforcing such rights and remedies and defending customer against third party claims	Article 6 Section 1 letter (d) of GDPR, Article 9 Section 1 letter (f) of GDPR
	Complying with legal obligations we may have, as the obligated entity, in connection with countering money laundering and financing terrorism (AML)	Articles 27, 33, 34, 36 of AML in conjunction with Article 6 Section 1 letter (c) of GDPR
Client Representatives	Identifying a person entitled to act in the name of customer, verifying identity and authorization of such person to act in the name of customer	Article 34 Section 2 of AML in conjunction with Article 6 Section 1 letter (c) of GDPR
	Detailing in legal services contract which we enter into with our customer a person entitled to act in the name of customer. It is necessary to enter into legal services contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR
	Communicating in respect of all matters related to legal services, including discussing details concerning legal services, sending timesheet. It is necessary to perform our obligations under legal services contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR
Contact persons of our customer	Communicating in respect of all matters related to legal services, including discussing details concerning legal services, sending timesheet, applying for PO number. It is necessary to perform our obligations under legal services contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR
Individuals - our suppliers	Discussing subject matter of contract we intend to enter into with our supplier, including contract of sale, license agreement, service contract, legal services contract, preparing and sending a draft of such contract to supplier, entering into such contract with supplier, detailing supplier as a party to such contract	Article 6 Section 1 letter (b) of GDPR
	Communicating with supplier in connection with the performance of supplier's contract, performing our obligations under supplier's contract, including, paying price, remuneration	Article 6 Section 1 letter (b) of GDPR
	Complying with split payment mechanism	Article 108a and further Articles of Act of 11 March 2004 of Value Added Tax in conjunction with Article 6 Section 1 letter (c) of GDPR
Supplier Representatives	Detailing in supplier's contract which we enter into with our supplier a person entitled to act in the name of supplier. It is necessary to enter into supplier's contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR
Supplier Representatives	Communicating in connection with the performance of supplier's contract, including pursuing complaints, notifying errors, and providing supplier with information which it may need to perform its obligations to us. It is necessary to obtain by us services or goods supplier is obligated to provide to us under supplier's contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR
Contact persons of our suppliers	Communicating in connection with the performance of supplier's contract, including pursuing complaints, notifying errors, and providing supplier with information which it may need to perform its obligations to us. It is necessary to obtain by us services or goods supplier is obligated to provide to us under supplier's contract and it constitutes legitimate interest we rely on when processing of personal data	Article 6 Section 1 letter (f) of GDPR

Obligations we have under AML and AML-related purposes for processing of personal data

According to AML we are obligated, by way of example and not as an exhaustive list, to:

identify and assess risks connected with money laundering and financing terrorism (their level),
prepare risk assessment and update it,
document risk we have identified,
use with respect to our customer financial security measures, including identify our customer and verify his identity, identify beneficial owner and verify his identity, regularly monitor business relationships of our customer,
determine circumstances and context of the pursued transactions,
determine whether customer is a politically exposed person,
determine origin of customer's wealth and origin of assets which are to be disposed of by customer
provide General Officer of Financial Information with certain information and notifications (also using legal counsels or advocates bar association), including in respect of circumstances that may justify allegation that an offense of money laundering or financing terrorism has been committed, or when we reasonably believe that a particular transaction or a particular asset may be linked to money laundering or financing terrorism. However, we our exempted from this obligations if and on each occasion that we obtain information about our customer in connection with litigation, when we defend our customer in litigation, when we provide our customer with legal services for the purposes to initiate litigation or to avoid litigation, regardless of a time we obtain such information,
give to General Officer of Financial Information an access to certain information and documents in our possession, including information and documents concerning our customer,
suspend transaction in situations more fully described in AMP,
use special restriction measures more fully described in AMP,
give to auditors/controllers an access to documents, materials and information we possess to enable them to perform their duties.

When complying with the above referred obligations, we may process personal data. When we do so, we process personal data for the purposes to comply with such obligations.

To whom do we disclose personal data?

We disclose personal data to various groups of third parties. For instance, we disclose personal data to legal counsels and advocates contracted by us, third party suppliers that provide us with services in respect of maintenance, reparation, updating of our IT systems, accountants, couriers, financial information authorities, including General Officer of Financial Information, legal counsels or advocates bar associations, auditors/controllers.
We do not transfer personal data to third countries.
We do not make decisions in an automated manner, including we do not profile individuals.

How long do we retain personal data?

We specify below retention periods for processing by us of personal data.
Please notice that if and to the extent two or more retention periods apply to personal data, we retain such personal data for the longest retention period.

Category of data subjects	Group of personal data	Retention period
Individuals - our customers and Clients Representatives	Personal data processed by when we comply with our obligations under AML, including personal data contained in documents and their copies received by us as a result of using financial security measures, evidences of the completed transactions, register of transactions, documents and their copies needed to identify transactions	5 years as from the date of expiration or termination of business relationship with our customer or the date of completion of occasional transaction
	Personal data contained in the results of regular analysis of the completed transactions which we conduct under AML	5 years as from the date of completion of analysis
	Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is related to litigations	10 years as from the date our participation in litigation in connection with which personal data is processed has been ended
	Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is not related to litigations, including in connection with preparation of legal documents, conducting negotiations	6 years as from the end of year in which our legal services have been completed
	Personal data contained in books and records with respect to contracts, claims sued in the court, including stated on invoices	5 years as from the beginning of year immediately subsequent to year in which contract has been finally completed or settled, claims have became time-barred, or litigation has been finally ended
	Other personal data	6 years as from the end of year in which our legal services have been completed
Contact persons of our customers	Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is related to litigations	10 years as from the date our participation in litigation in connection with which personal data is processed has been ended
	Personal data processed by us in connection with the provision of legal services as legal counsels or advocates which is not related to litigations, including in connection with preparation of legal documents, conducting negotiations	6 years as from the end of year in which our legal services have been completed
	Other personal data	6 years as from the end of year in which our legal services have been completed
Individuals - our suppliers and Suppliers Representatives	Personal data contained in books and records with respect to contracts, claims sued in the court, including stated on invoices	5 years as from the beginning of year immediately subsequent to year in which contract has been finally completed or settled, claims have became time-barred, or litigation has been finally ended
Individuals - our suppliers and Suppliers Representatives	Personal data contained in contracts, protocols, complaints, error notifications	3 years from the end of year in which contract has been finally completed or settled
Contact persons of our suppliers	All personal data	3 years from the end of year in which contract has been finally completed or settled

Object to our processing of personal data

In circumstances where we rely on legitimate interest when processing of personal data, data subject may at any time OBJECT TO such processing in certain circumstances. It may be done on grounds relating to particular, personal situation of data subject. However, we may still process personal data if and to the extent we prove substantial lawful grounds which outweigh rights, interests and freedoms of data subject, or if and to the extent we process personal data for the purposes of claiming rights or remedies or defence.
Such right is not available with respect to personal data obtained by us in connection with the provision of legal services.

Other rights available under GDPR

Data subject may require us to erase his personal data without undue delay (right to be forgotten). Such right can be exercised in circumstance more fully described in GDPR, for example, if and to the extent we do not need personal data for the purposes we have processed it any longer.
Data subject has also the right:

to access to his personal data, including the right to obtain from us confirmation that we process his personal data, the right to assess to his personal data and to receive supplementary information or copy of personal data, however, only to the extent we do not breach our confidentiality obligations as legal counsels or advocates when responding to data subject's request (e.g. by giving him access to his personal data);
to have his inaccurate personal data rectified, or completed if it is incomplete;
to request the restriction of his personal data, however, this right applies only in limited circumstances described in GDPR (e.g. if he questions correctness of his personal data we process), and this right applies only to the extent we do not breach our confidentiality obligations as legal counsels or advocates when responding to data subject's request;
to request us to record his personal data in electronic data file, in commonly used format (e.g. .docx), in organized manner, and to transfer it to a controller specified by him (right to data portability), however, only if, for example, we process his personal data to perform a contract and in an automated manner;
to complain to President of the Personal Data Protection Office or to any other supervisory authority when he believes that we violate personal data protection law when processing his personal data.

In the event that data subject wishes to exercise any of those rights, he shall send us an e-mail to the e-mail address indicated above, with a content that would help us determine what his expectations are.

Statutory or contractual obligation to disclose to us personal data

There is no legal (statutory) obligation to disclose personal data to us.
We cannot enter into a contract until and unless personal data has not been disclosed to us. Accordingly, any failure to disclose to us personal data will result in refusing by us to enter into a contract.
Data subject has not any contractual obligation to disclose to us his personal data. However, data subject may have such obligation to any other third party (e.g. his employer) due to his position or title. In such circumstances, his failure to disclose to us his personal data may result in his failure to perform his professional duties.