CVI Dom Maklerski spółka z ograniczoną odpowiedzialnością Ph.: +48 22 185 55 44 District Court for the Capital City of Warsaw, ul. Piękna 24/26a Fax:+48 22 185 55 43 12th Commercial Division00-549 Warsaw of the National Court Register, KRS number: 0000424707
firstname.lastname@example.org NIP: 9542738238, REGON: 242949739, www.cvi.pl share capital in the amount of PLN 1,929,500.00 fully paid up
We attach great importance to the protection of privacy. We take all necessary efforts to properly and adequately protect your personal data and transparently inform you of how we use them.
Effective 25 May 2018, the new European provisions regarding data protection are introduced by implementing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1) (“GDPR”), and the Personal Data Protection Act of 10 May 2018.
Taking the above into consideration, we would like to inform you of the processing of your personal data and rules of their processing while performing agreements and contracts by CVI Dom Maklerski sp. z o.o. after 25 May 2018.
1. Who is responsible for your personal data? (Personal Data Controller)
Your personal data controller is CVI Dom Maklerski sp. z o.o. (hereinafter referred to as: „CVI DM”, „Controller”) with its registered office in Warsaw at ul. Piękna 24/26a, 00-549 Warsaw, entered to the register of entrepreneurs of the National Court Register (KRS) maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under number KRS 0000424707.
2. How can you contact your Personal Data Controller?
In matters concerning the processing of your personal data by your Controller you can contact us:
a) by sending correspondence in a traditional manner to the address indicated above with a note Inspektor Ochrony Danych Osobowych (Personal Data Protection Officer) or
b) via the following dedicated e-mail address: email@example.com
Please use the same address to contact the Personal Data Protection Officer.
3. What are legal bases of and purposes for the processing of your personal data?
We undertake to process your personal data in a manner compliant with law on the basis of one of the following premises:
1. in the scope of: personal data of the Contracting Party (such Contracting Party being a natural person) and contact persons of each of the Contracting Parties, i.e. name, surname, business name, address data, tax identification number NIP, national business register number REGON, bank account number, e-mail address for the purpose of performing an agreement or contract with the Contracting Party being a party thereto or to take activities at the request of theContracting Party such data refer to, prior to entering into the agreement or contract - on the basis of Article 6.1 (b) of the GDPR (performance of a contract);
2. in the scope of: personal data of the Contracting Party (such Contracting Party being a natural person) and contact persons of each of the Contracting Parties, i.e. name, surname, business name, address data, tax identification number NIP, national business register number REGON, bank account number, e-mail address - for the purpose of compliance with legal obligations incumbent upon the controller in connection with the performance of an agreement or contract - i.e. on the basis of Article 6.1 (c) of the GDPR;
3. in the scope of: name, surname, address for correspondence, telephone number, e-mail address and the Contracting Party's other obtained data - to the extent necessary forcooperation / performance of an agreement or contract with CVI DM - to realise the Controller's legitimate interest consisting in facilitating cooperation / performance of the agreement or contract - on the basis of Article 6.1 (f) of the GDPR (legitimate interest);
4. in the scope of: personal data of the Contracting Party (being a natural person) and contact persons of each of the Contracting Parties: name, surname, telephone number, e-mail address - to the extent necessary for the establishment, exercise or defence of legal claims in court, administrative proceedings or other out of court proceedings - to realise the Controller's legitimate interest consisting in establishing, exercising the controller's rights or legal claims ordefending against such legal claims - on the basis of Article 6.1 (f) of the GDPR (legitimate interest);
The Controller's legitimate interest is to be understood as: the establishment and exercise of the Controller's legal claims or rights or defence against such legal claims, the direct marketing of services rendered by the Controller, the provision of services and communication with Contracting Parties.
4. What are your rights regarding personal data?
In accordance with the GDPR provisions, you can enjoy many rights in respect of your personal data. Please find below a general description of your rights:
a) Access do personal data. You may use your right of access to your data and obtain their copies at any time.
b) Disclaimer or data update. You have the right to demand that the Controller corrects immediately your personal data which are not correct and you have the right to demand that your incomplete personal data are complemented.
c) Right to delete data. You have the right to demand the Controller to delete or erase immediately your personal data in each of the following situations:
- when personal data are no longer required for purposes for which they were initially collected or otherwise processed;
- when the data subject withdrew the consent on the basis of which processing is carried out and there is no other legal basis for processing;
- when you raise objection to the data processing referred to in item (e) below and there are no overriding legitimate bases for the processing of such data;
- when personal data are processed unlawfully;
- when personal data must be deleted or erased to comply with a legal obligation envisagedin the European Union law or the Polish law;
- when personal data were collected in connection with offering information society services.
The Controller will not however delete or erase your personal data to the extent to which theirprocessing is necessary: (i) to use the right to free speech and information, (ii) to comply with a legal obligation which requires processing on the basis of the European Union law or the Polish law, (iii) to establish, exercise or defend legal claims.
d) Right to restrict data processing. You have the right to obtain from the Controller restriction ofprocessing where one of the following applies:
- you contest the accuracy of personal data - for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the deletion or erasure of personal data and request the restriction of their use instead;
- The Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- you have objected to the processing pursuant to item (e) below - pending the verification whether the legitimate grounds of the Controller override your bases of objection.
e) Right to object. You have the right to object to the processing of your personal data when the Controller processes such data in a legitimate interest. The data Controller may ignore your objection if the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the grounds for the establishment, exercise or defence of legal claims.
f) Right to revoke your consent. To the extent to which your personal data are processed on the basis of your consent, you have the right to revoke your consent at any time. Your revocation of consent has no affect on compliance with law of the processing carried out on the basis of the consent prior to the revocation.
g) Right to data portability. To the extent to which your personal data are processed for the purpose of concluding and performing an agreement or contract or to the extent to which they are processed on the basis of consent, or to the extent to which data are processed in an automated decision-making mode - you have the right to receive from the Controller your personal data provided to the Controller prior or in the course of cooperation with the Company, in a structured, commonly used and machine-readable format. You have also the right to transmit those personal data to another controller.
h) Right to object. You have the right to lodge a complaint to the processing of personal data by the Controller with a supervisory authority, in Poland such authority being the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
The rights referred to in items (a) - (h) above can be exercised by contacting the Personal Data Protection Officer:
- by sending correspondence in a traditional manner to the address indicated above or;
- via the following dedicated e-mail address: firstname.lastname@example.org
5. Source of personal data
Data are obtained directly from you or they can be obtained not directly from you, i.e. from our Contracting Parties who provided your personal data to us in connection with the performance of agreements or contracts concluded with CVI DM, such as, for instance: your employer, principal or another entity you represent in contacts with CVI DM.
6. Processing of special categories of personal data and of personal data relating to criminal convictions and offences
Some categories of personal data are considered to be subject to special protection in accordance with personal data regulations and as such they are subject to a higher level of protection and security. In accordance with the regulations, the following categories of personal data are considered to be subject to special protection: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs;
(4) trade union membership; (5) sex life or sex orientation; (6) physical or mental health or personal conditions; (7) genetic data and biometric data as well as (8) data concerning criminal convictions and offences.
The Controller does not collect and process your personal data which are subject to special protection including, specifically, the data specified in items (1) - (7) above.
7. Provision of personal data
You provide directly your personal data voluntarily. However, if you refuse to provide personal data, CVI DM may not be able to enter into an agreement or contract, or a scope of services that CVI DM will be able to provide to you may change.
8. Who receives your personal data?
Your personal data may be made available to the following recipients or categories of data recipients:
a) Persons authorised by CVI DM - such as CVI DM's employees and associates who need access to your personal data to fulfil their obligations resulting from concluded agreements or contracts;
b) Investment funds managed by CVI DM, to the extent necessary to perform concluded agreements or contracts;
c) Fund Managers which manage investment funds managed by CVI DM, to the extent necessary to perform concluded agreements or contracts;
d) Depositaries of investment funds managed by CVI DM, to the extent necessary to perform concluded agreements or contracts;
e) Service Providers who provide services on our behalf or in our name. The agreements and contracts executed with such service providers contain clauses in which we require that the applicable data protection provisions must be observed;
f) If such obligation results from peremptory legal provisions, to the extent necessary, also to other third parties, specifically public authorities, such as, including but not limited to, courts, bailiffs, revenue service, the Polish Financial Supervision Authority, the General Inspector of Financial Information, when they request them on the basis of a valid legal basis;
g) Entities which provide IT infrastructure;
h) Entities being parties to an agreement concluded with CVI DM on entrusting a task of processing personal data, including, specifically entities which provide accounting services, auditors, internal auditors, legal counsels.
Whenever personal data are made available to them, CVI DM considers the legal basis for such data disclosure.
9. Transfers of personal data to third countries
When your personal data are transferred to third countries, i.e. to recipients outside the European Economic Area (EEA) or Switzerland, in countries which do not ensure, according to the European Commission, sufficient data protection (third countries which do not ensure an adequate level of protection), then the Controller will transfer them using safeguarding mechanisms compliant with the applicable law, including but not limited to: (1) "EU Model Contractual Clauses", (2) receipt of Privacy Shield compliance certification by a third party (when headquartered in the United States), (3) when data are transferred to a third country, in respect of which the European Commission assessed, on the basis of decision, that the third country ensures an adequate level of protection. You can receive further information regarding existing safeguards implemented by the Controller to ensure the processing of personal data in compliance with respective provisions and the receipt of copies of data, or the place where the data are transferred to, by contacting us in the manner described in section 2 above.
10. How long are your personal data stored?
The Controller takes all necessary efforts to process your personal data in an adequate manner and as long as it is necessary for the purposes for which they were collected. Taking the above into consideration, the Controller stores your personal data throughout a time period not longer than it is necessary to attain the purposes for which they were collected or, if necessary, for the purpose of compliance with applicable laws, specifically over the time period, in which an agreement or contract is being performed and in the limitation period.
11. Automated decision making
The Controller does not make decisions in the automated decision making mode, including profiling on the basis of obtained personal data.