– concerning personal data of customers –
1. Who we are and how to find us
The personal data controller of the candidate is EASYBOOKS spółka z ograniczoną odpowiedzialnością with its registered office in Kraków (address: ul. Józefa Sarego 26/14, 31-047 Kraków), registered in the commercial register of the National Court Register by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register under the number: KRS (National Court Register no.): 0000906966, REGON (business identification number): 3892324530 and NIP (tax identification number): 6762598909 (hereinafter referred to as: ‘Easybooks’). You can contact the controller via e-mail: firstname.lastname@example.org or by phone 502673861. You can also visit us in our office at: ul. Józefa Sarego 26/14, 31-047 Kraków.
2. Why do we process your personal data
If you are our customer, we process your personal data for the purpose of performing the service agreement in the scope of accounting and human resources (hereinafter referred to as: the ‘Agreement’) and for the purposes related to the fulfilment of accounting and tax obligations.
The legal basis for the processing of your personal data is therefore Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter: ‘GDPR’ (processing is necessary for the performance of an agreement to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of the agreement) and Article 6(1)(c) of the GDPR (processing is necessary to fulfil the legal obligation imposed on the controller).
Moreover, the legal basis for the processing of your personal data after the termination of the Agreement is Article 6(1)(f) of the GDPR (processing is necessary for purposes resulting from legitimate interests pursued by the controller or by a third party). This legitimate interest is to ensure that, in the event of a dispute with you, we are able to prove the content of the Agreement between us and that we have performed it properly.
If you are an employee or representative of our Customer, we process your personal data because otherwise we would not be able to perform the Agreement between us and your company (the purpose is therefore only to partner with the entity that has designated you as its representative or employee).
Such processing is necessary for the purposes of legitimate interests pursued by the controller (Article 6(1)(f) of the GDPR). This legitimate interest is our willingness to perform the Agreement with an entity that has indicated you as its representative or its employee. We assume in good faith that this entity has agreed with you before providing us with your data, or that it is your responsibility to represent this entity. We hope that you will not consider our actions as infringing your rights and freedoms. We make every effort to process only the personal data we need, preferably sent to us directly by you. Should the entity that has designated you as its representative or employee provide us with more of your personal data than you consider appropriate – please inform us immediately (see point 6).
3. What personal data do we process
We process the following personal data of our Customers:
If you are a consumer (within the meaning of Article 22¹ of the Civil Code):
1. full name;
2. telephone number;
3. e-mail address;
4. address of residence;
5. the data contained in the Agreement;
6. data necessary for the proper conduct of proceedings before courts and offices and the provision of other legal services;
7. data necessary for the issuance of the account.
If you are an entrepreneur (within the meaning of Article 43¹ of the Civil Code):
1. full name;
2. trading title;
3. identification data of the entrepreneur (e.g. REGON and NIP);
4. telephone number;
5. e-mail address;
6. business address;
7. data necessary for the proper conduct of proceedings before courts and offices and the provision of other legal services;
8. data necessary to issue the VAT invoice.
We process the following personal data of employees or representatives of our customers who are entrepreneurs:
1. full name;
3. e-mail address;
4. telephone number.
4. To whom we disclose your personal data
You also need to know that in our business we use the support of specialised external entities that may or must have access to some of your data.
The recipients of your data are:
1) service providers such as an email hosting provider (OVH sp. z o.o. with its registered office in Wrocław) or cloud service providers;
2) external entities providing IT support to Easybooks;
3) entities providing postal or courier services;
4) government authorities entitled by law to receive your personal data (such as tax authorities), to the extent required;
5) courts, mediators, bailiffs (in case of a dispute between you and us).
Your personal data is processed in an IT system, part of which is located in the so-called cloud computing system provided by OVH sp. z o.o. with its registered office in Wrocław – the entity responsible for hosting e-mails used by Easybooks and the implementation of other cloud solutions. Due to the location of servers of these entities, such data may be transferred, stored and processed in third countries. However, this entity declares that it ensures an adequate level of data protection.
5. How long will we process your personal data
Your personal data will be processed as long as it is necessary for tax purposes, i.e. in accordance with the currently applicable provisions of the Polish law – for 5 tax years.
If we cooperate with you in a permanent manner, your data necessary for this purpose will be processed throughout the cooperation period extended by the statute of limitations for claims (as a rule 3 years).
6. How do we enable you to exercise your rights
We make every effort to ensure that you are satisfied with our cooperation. However, please be aware that you have a number of rights that allow you to influence the way we process your personal data and, in some cases, cause us to stop such processing. These rights are:
right of access to personal data (regulated in Article 15 of the GDPR)
Article 15 Right of access by the data subject
1. The data subject is entitled to obtain from the Controller confirmation as to whether or not personal data concerning him or her is processed and, if this is the case, the data subject is entitled to obtain access to it and the following information:
a) the purposes of processing;
b) the categories of personal data concerned;
c) information about the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the intended period of storage of the personal data and, where this is not possible, the criteria for determining that period;
e) information on the right to request from the Controller the rectification, erasure or restriction of the processing of personal data concerning the data subject and to object to such processing;
f) information on the right to lodge a complaint with a supervisory authority;
g) if the personal data has not been collected from the data subject, any available information about its source;
h) information on the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. If personal data is transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards referred to in Article 46 relating to the transfer.
3. The Controller shall provide the data subject with a copy of the personal data subject to processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject requests a copy by electronic means and unless they indicate otherwise, the information shall be provided by common electronic means.
4. The right to obtain a copy referred to in section 3 shall not adversely affect the rights and freedoms of others.
the right to rectify the data (regulated in Article 16 of the GDPR)
Article 16 Right to rectification
The data subject shall have the right to request the Controller to rectify without delay any inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by providing an additional statement.
the right to erasure (regulated in Article 17 of the GDPR)
Article 17 Right to erasure (‘the right to be forgotten’)
1. The data subject shall have the right to require the Controller to immediately erase the personal data concerning him/her, and the Controller shall be obliged to erase the personal data without undue delay if one of the following circumstances exists:
a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the data subject has withdrawn the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing;
c) the data subject objects under Article 21(1) to the processing and there are no overriding legitimate grounds for the processing or the data subject objects under Article 21(2) to the processing;
d) the personal data has been unlawfully processed;
e) the personal data must be erased for the purpose of complying with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data were collected in connection with the offering of information society services referred to in Article 8(1).
2. If a controller has made personal data public and, pursuant to section 1, is obliged to erase such personal data, it shall, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform controllers processing such personal data that the data subject requests such controllers to erase any links to, copies of or replications of such personal data.
3. Sections 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), insofar as the purposes of such processing are likely to be rendered impossible or seriously impeded by the right referred to in section 1; or
e) for the establishment, exercise or defence of legal claims.
the right to restriction of processing (regulated in Article 18 of the GDPR)
Article 18 Right to restriction of processing
1. The data subject has the right to request the controller to restrict processing in the following cases:
a) the data subject contests the correctness of personal data – for the period allowing the controller to verify the accuracy of the data;
b) the processing is unlawful and the data subject opposes the erasure of personal data, requesting the restriction of its use instead;
c) the controller no longer needs personal data for the purposes of processing, but it is necessary for the data subject, for the establishment, exercise or defence of claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted pursuant to section 1, such personal data may only be processed, with the exception of storage, with the consent of the data subject, or for the purpose of establishing, pursuing or defending claims, or for the purpose of protecting the rights of another natural or legal person, or for important grounds of public interest of the Union or of a Member State.
3. Before the restriction of processing is lifted, the controller shall inform the data subject who has requested restrictions under section 1.
the right to object to the processing (regulated in Article 21 of the GDPR)
Article 21 Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
3. If the data subject objects to the processing for the purpose of direct marketing, the personal data may no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in sections 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. If personal data is processed for the purpose of scientific or historical research or for statistical purposes under Article 89(1), the data subject has the right to object – on grounds relating to his or her particular situation – to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.
the right to data portability (regulated in Article 20 of the GDPR)
Article 20 Right to data portability
1. The data subject shall have the right to receive, in a structured, commonly used machine-readable format, personal data concerning him or her which he or she has provided to the controller, and shall have the right to transmit such personal data to another controller without hindrance from the controller to whom the personal data have been provided, if:
a) processing takes place on the basis of a consent pursuant to Article 6(1)(a) or Article 9(2)(a) or under an agreement within the meaning of Article 6(1)(b); and
b) the processing is carried out in an automated manner.
2. In exercising the right to data portability under section 1, the data subject shall have the right to request that the personal data be sent by the controller directly to another controller, insofar as this is technically possible.
3. The exercise of the right referred to in section 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in section 1 shall not adversely affect the rights and freedoms of others.
Contact us to use any of the rights described above.
7. Complaint to the supervisory authority
Pursuant to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged infringement was committed, if you believe that the processing of personal data concerning you is in breach of the GDPR.
In Poland, the supervisory authority is the President of the Personal Data Protection Office. You can lodge a complaint, for example, by post to: ul. Stawki 2, 00-193 Warsaw or electronically via the ePUAP website. You can also obtain more detailed information (including current telephone numbers) on the website: https://uodo.gov.pl/.
8. Is the provision of data necessary to conclude an agreement with us?
We collect your personal data to the extent necessary for the conclusion and performance of the agreement. Part of the data is also necessary for us to fulfil our legal obligations (tax regulations, accounting regulations). Failure to provide personal data, unfortunately, prevents the conclusion or performance of the agreement.
9. Where do we obtain your personal data
We obtain personal data only from you, unless you are an employee or representative of our counterparty, in which case your data is obtained from your company, or directly from you if you contact us directly.
10. Profiling and automated processing
Decisions concerning your personal data are not made in an automated manner. We also do not carry out profiling as defined by the GDPR.