Privacy policy
This privacy policy contains the information required by law regarding the processing of personal data processed by HRK S.A. with headquarters in Warsaw (00-095), Plac Bankowy 2 (hereinafter referred to as HRK).
I. Preliminary information and concepts used by us
In order to make the Privacy Policy clear, in places where it was only possible, we have departed from the use of formal, legal vocabulary. Therefore, when we write “You” we mean data subject and/or the service user.
II. Data controller and contact information
The data controller of your personal data is HRK.
HRK has appointed a Data Protection Officer, whose function is performed by Jakub Gałczyński.
In case you have any questions about this privacy policy or regarding the processing of your personal data, please contact the Data Protection Officer at:
HRK S.A.
Pl. Bankowy 2
00-095 Warsaw
Email: [email protected]
III. Legal basis and purposes of processing activities
Below, in the form of a table, we present for what purpose, on what basis, and for how long we process your personal data – depending on the relationship between us (Processing activity column).
| Processing activity | Legal basis | Purpose of the processing | Retention period |
| Representatives and individuals associated with our clients or suppliers | art. 6 sec. 1 let. f) of the GDPR – legitimate interests pursued by HRK | Enabling the provision of professional services to clients;
Ordering and receiving services from Suppliers; Clients and Suppliers relationship management; Exercising legal claims in particular by documenting completed services. | Until the end of cooperation with HRK and for the period indicated by statutory provisions of law as long as you or us may pursue legal claims towards each other. |
| Clients, Suppliers and Subcontractors who are natural persons | art. 6 sec. 1 let. b) of the GDPR –
the performance of a contract or to take steps at the request of the data subject prior to entering into a contract | Establishing cooperation with a Client, Supplier or Subcontractor;
Ordering and receiving services from Suppliers and Subcontractors. | Until the end of cooperation with HRK and for the period indicated by statutory provisions of law and as long as you or us may pursue legal claims towards each other. |
| Clients, Suppliers and Subcontractors who are natural persons | art. 6 sec. 1 let. c) of the GDPR – compliance with a legal obligation to which HRK is subject such as:
Goods and Services Tax Act, Personal Income Tax Act or Corporate Income Tax Act | Fulfilling HRK’s tax obligations. | Until the end of cooperation with HRK and for the period indicated by statutory provisions of law and as long as you or us may pursue legal claims towards each other. |
| Clients, Suppliers and Subcontractors who are natural persons | art. 6 sec. 1 let. f) of the GDPR – legitimate interests pursued by HRK | Enabling the provision of professional services to clients;
Ordering and receiving services from Suppliers; Clients and Suppliers relationship management; Exercising legal claims in particular by documenting completed services. | Until the end of cooperation with HRK and for the period indicated by statutory provisions of law and as long as you or us may pursue legal claims towards each other. |
| Job candidates | art. 6 sec. 1 let. a) of the GDPR – consent | Participation in a given recruitment project. | Until the recruitment project is completed. |
| Job candidates | art. 6 ust. 1 lit. a) RODO – zgoda | Entry to the HRK candidate database (unless separate consent has been granted in this regard). | Until you withdraw the consent. |
| Website users | art. 6 sec. 1 let. f) of the GDPR – legitimate interests pursued by HRK | Monitoring and enforcing compliance with our terms and conditions for use of our website;
Aggregating data for website analytics and improvements;
| Until the deletion of cookies files in accordance with information in Cookie section
|
IV. Do you have to provide your details?
Providing personal data is mandatory – in the scope of processing purposes pursued within the legal obligation. In the remaining scope, providing personal data is voluntary, however, without providing them we will not be able to provide our services or some services will be limited.
V. Who can we pass your data to?
Your personal data will not be disclosed to third parties except:
- Trusted partners and/ or service providers who process personal data on a HRK’s behalf. Service providers may include providers of IT services, including identity management, website hosting and management, data analysis, data back-up, security and storage services in so far as it refers to processing activities;
- Current and potential clients/suppliers of HRK, professional advisors (e.g. law firms), only to the extent necessary to contact you and enable proper performance of obligations arising from concluded contracts;
- Governmental or regulatory authorities, courts and law enforcement authorities or agencies as required by and/or in accordance with applicable law or regulation.
Your personal data may be transferred to countries outside the European Economic Area (EEA) – third countries, based on art. 45 sec. 1 of the GDPR – European Commission’s adequacy decision (applies for countries, which were subject of decision) or art. 46 sec. 2 let. c) of the GDPR – standard data protection clauses adopted by the European Commission.
VI. What are your rights?
The General Data Protection Regulation (GDPR) grants you a number of rights regarding the processing of your personal data. These include:
- the right to access your data, including obtaining a copy of the data;
- the right to request rectification of data;
- the right to erasure of data (in cases provided for in the GDPR);
- the right to restriction of processing of your personal data;
- the right to withdraw consent – to the extent that your data is processed based on your consent. Please note that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal;
- the right to data portability;
- the right to lodge a complaint with the supervisory authority – President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
To exercise your rights, please contact us at the following email address: [email protected].
VII. Automated decision making
HRK will not make automated decisions regarding you based on your personal data, including profiling.
VIII. Cookie information
Cookies are small text files that are placed on your computer by the websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The use of cookies is now standard for most websites. If you are uncomfortable with the use of cookies, you can manage and control them through your browser (see below), including removing cookies by deleting them from your ‘browser history’ (cache) when you leave the site. Please note that removing or blocking cookies can impact your user experience and some functionality may no longer be available.
Most browsers allow you to view, manage, delete and block cookies for a website. Be aware that if you delete all cookies then any preferences you have set will be lost, including the ability to opt-out from cookies as this function itself requires placement of an opt out cookie on your device. Guidance on how to control cookies for common browsers is linked below.
The following table explains the way in which we use cookies on this website
| Name | Purpose | Type | Duration | Entity responsible |
| PHPSESSID | Stores the session identifier. | necessary | Until end of session | HRK |
| _ga
_gat | This cookie is set to allow HRK to track individual visitors and their use of the site. It is set when you first visit the site and updated on subsequent visits. HRK does not use Google Analytics to collect personal information, other than IP address, from our visitors. | performance | 2 years | Google Inc. |
| _gid | Used to distinguish users. | performance | 24 hours | Google Inc. |
Whistleblower clause
Pursuant to Article 13 (1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), HRK S.A. provides the following information:
1. Personal data controller
The contoller of your personal data is HRK S.A. with headquarters in Warsaw 00-095, Pl. Bankowy 2
2. Data Protection Officer
Correspondence on issues related to personal data protection should be addressed to HRK S.A.’s designated Inspector for Personal Data Protection:
- by mail to the address of the registered office of HRK S.A.
- by e-mail to: i[email protected]
3. Purposes and legal basis for processing personal data
Personal data obtained in connection with the notification of violation of the law in HRK S.A., i.e. first and last names, mailing addresses and other data indicated in the notification made (as long as such notification is not made anonymously) are processed for the following purposes and on the basis of:
| Basis for processing personal data | Purpose of personal data processing |
| Article 6(1)(c) of the GDPR
Authorizing the processing of personal data if it is necessary for the performance of legal obligations incumbent on the controller | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
| Article 6(1)(a) of the GDPR
Consent to processing of personal data | Disclosure of the identity of the person filing a report (whistleblower). |
| Article 9(2)(g) of the GDPR
Permittee has processing is necessary for reasons of important public interest, based on the law | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
4. Recipients of personal data
Personal data obtained from you will not be transferred to third parties except for:
- Entities that provide services or goods to HRK S.A. and to whom HRK has entrusted the processing of personal data in accordance with Article 28 of the GDPR, such as IT service providers, data storage and archiving;
- Public authorities or entities authorized to obtain data under applicable law, such as courts, law enforcement agencies or state institutions.
HRK S.A. does not transfer your personal data to a third country (i.e. a country that is not part of the European Economic Area comprising the European Union, Norway, Liechtenstein and Iceland) nor to international organizations.
5. Period of personal data processing
Your personal data will be processed:
- for a period of 3 years after the end of the calendar year in which the follow-up actions are completed, or after the completion of the proceedings initiated by these actions;
- in the case of transmission of a notification to a public body, for a period of 3 years after the end of the calendar year in which the notification was transmitted to the public body competent to take follow-up action or follow-up action was completed, or after the completion of the proceedings initiated by these actions.
6. Rights of data subjects:
In accordance with the GDPR, you shall have the following rights:
- The right to access your personal data
- The right to request the rectification of your personal data that is incorrect and the completion of incomplete personal data
- The right to request the deletion of your personal data
- The right to request restrictions on the processing of your personal data
- The right to portability of your personal data
- The right to lodge a complaint with the supervisory authority in charge of personal data protection, i.e. the President of the Office for Personal Data Protection, based in Warsaw, ul. Stawki 2.
To the extent that your data are processed on the basis of consent, you shall have the right to withdraw your consent to data processing at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal. You may withdraw your consent by sending a statement of withdrawal of consent to our mailing address or e-mail address, i.e. [email protected].
7. Information about the requirement /voluntariness of provision of personal data
The provision of personal data whose purpose of processing is the implementation of the controller’s legal obligations is mandatory. Provision of personal data in the rest is voluntary.
8. Automated decision-making
Based on your personal data, HRK S.A. will not make automated decisions against you, including decisions resulting from profiling.
Third party witness clause
Pursuant to Article 14(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), HRK S.A. provides the following information:
1. Personal data controller
The contoller of your personal data is HRK S.A. with headquarters in Warsaw 00-095, Pl. Bankowy 2
2. Data Protection Officer
Correspondence on issues related to personal data protection should be addressed to HRK S.A.’s designated Inspector for Personal Data Protection:
- by mail to the address of the registered office of HRK S.A.
- by e-mail to: i[email protected]
3. Purposes and legal basis for processing personal data
Personal data obtained in connection with the notification of violation of the law in HRK S.A., i.e. first and last names and other data indicated by a person filing a report (a whistleblower) are processed for the following purposes and on the basis of:
| Basis for processing personal data | Purpose of personal data processing |
| Article 6(1)(c) of the GDPR
Authorizing the processing of personal data if it is necessary for the performance of legal obligations incumbent on the controller | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
| Article 9(2)(g) of the GDPR
Permittee has processing is necessary for reasons of important public interest, based on the law | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
4. Recipients of personal data
Personal data obtained from you will not be transferred to third parties except for:
- Entities that provide services or goods to HRK S.A. and to whom HRK has entrusted the processing of personal data in accordance with Article 28 of the GDPR, such as IT service providers, data storage and archiving;
- Public authorities or entities authorized to obtain data under applicable law, such as courts, law enforcement agencies or state institutions.
HRK S.A. does not transfer your personal data to a third country (i.e. a country that is not part of the European Economic Area comprising the European Union, Norway, Liechtenstein and Iceland) nor to international organizations.
5. Period of personal data processing
Your personal data will be processed:
- for a period of 3 years after the end of the calendar year in which the follow-up actions are completed, or after the completion of the proceedings initiated by these actions;
- in the case of transmission of a notification to a public body, for a period of 3 years after the end of the calendar year in which the notification was transmitted to the public body competent to take follow-up action or follow-up action was completed, or after the completion of the proceedings initiated by these actions.
6. Rights of data subjects:
In accordance with the GDPR, you shall have the following rights:
- The right to access your personal data
- The right to request the rectification of your personal data that is incorrect and the completion of incomplete personal data
- The right to request the deletion of your personal data
- The right to request restrictions on the processing of your personal data
- The right to portability of your personal data
- The right to lodge a complaint with the supervisory authority in charge of personal data protection, i.e. the President of the Office for Personal Data Protection, based in Warsaw, ul. Stawki 2.
To the extent that your data are processed on the basis of consent, you shall have the right to withdraw your consent to data processing at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal. You may withdraw your consent by sending a statement of withdrawal of consent to our mailing address or e-mail address, i.e. [email protected].
7. Information about the requirement /voluntariness of provision of personal data
The provision of personal data whose purpose of processing is the implementation of the controller’s legal obligations is mandatory.
8. Automated decision-making
Based on your personal data, HRK S.A. will not make automated decisions against you, including decisions resulting from profiling.
9. Data source
HRK has acquired your data from a person filing a report on a violation(s) of the law (a whistleblower).