General principles of personal data processing
This general privacy notice is intended for all those natural persons who are not covered by our specific privacy notice. The intended addressees of this document may include:
a) persons interested in our services,
b) clients,
c) visitors of this website and social media accounts,
d) recipients of our newsletters,
e) contracting parties who are service providers.
The above list also applies to the attorneys and representatives of any kind of the entities listed (including employees and contacts).
Personal Data Controller
1. Your personal data are controlled by Grant Thornton Frąckowiak spółka z o. o. sp. k. with its registered office in Poznań at ul. Abpa Antoniego Baraniaka 88 E (61-131 Poznań), entered into the Register of Entrepreneurs kept by the District Court for Poznań Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under KRS number: 0000369868, tax code NIP: 7781476013 – hereinafter: the Controller.
2. The Controller provides this information to natural persons in connection with the duty to fulfil the obligations stipulated in articles 13(1) and (2) and article 14(1) and (2) of the General Data Protection Regulation of 27 April 2016 – hereinafter: GDPR.
How can you contact the Controller’s representative for more information on the processing of your personal data?
You can contact the Data Protection Officer (Kacper Rączkowiak) by email to: iod@pl.gt.com.
The purpose of and legal basis for the processing of your personal data
1. We process your personal data lawfully, on specific legal bases and for identified purposes:
a) provision of our newsletter service, which includes sending commercial information – basis for the processing – your consent and the Controller’s legitimate interest in the marketing of own services (i.e. article 6(1)(a) and (f) GDPR read with article 10 of the Act on providing services by electronic means),
b) answering enquiries sent in particular via the Contact Form – basis for the processing – your consent and the Controller’s legitimate interest in the marketing of own services and/or action undertaken by the Controller at your request prior to entering into a potential contract (i.e. article 6(1)(a) and (f) GDPR read with article 10 of the Act on providing services by electronic means and/or article 6(1)(b) GDPR),
c) other forms of marketing of own services, including operation of Fanpage-type websites and organisation of promotions and other types of corporate events – basis for the processing – your consent and/or the necessity to process your personal data in the performance of a contract and the Controller’s legitimate interest in the marketing of own services (i.e. article 6(1)(a) and/or (b) and (f) GDPR) – in the case of events and actions which entail a significant change in the principles of personal data processing, the Controller will notify you separately,
d) performance of a contract with a client, supplier or another type of contracting party who is a natural person, which also applies to the processing activities prior to entering into such a contract – basis for the processing – the necessity to process your personal data in the performance of a contract (i.e. article 6(1)(b) GDPR),
e) contract performance in connection with your signing up for training or another corporate event and participation in such an event – basis for the processing – the necessity to process your personal data in the performance of a contract (i.e. article 6(1)(b) GDPR) – in the case of events and actions which entail a significant change in the principles of personal data processing, the Controller will notify you separately,
f) compliance with any of the legal obligations to which the Controller is subject, e.g. accounting and taxation obligations, obligations related to counteracting money laundering and terrorism financing, and obligations imposing the duty of professional secrecy – basis for the processing – the necessity to process your personal data to comply with a legal obligation to which the Controller is subject (i.e. article 6(1)(c) GDPR),
g) performance of existing contracts, i.e. processing of the personal data of employees or representatives acting for clients, suppliers and other contracting parties in the course of performance of these contracts – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (i.e. article 6(1)(f) GDPR),
h) acquisition and subsequent processing of non-confidential data or data listed in publicly available registers of entities, e.g. registers of business entities – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (i.e. article 6(1)(f) GDPR),
i) identification of potential contracting parties, i.e. personal data processing for the purposes of proper performance of contracts with clients by identifying the above prospective contracting parties for the Controller’s clients – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (pursuant to article 6(1)(f) GDPR),
j) protection of the Controller’s interests and property and defence of own claims as well as defence against the claims of others – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (pursuant to article 6(1)(f) GDPR),
k) promotion of the Controller’s own product/service range and that of the business partners – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (pursuant to article 6(1)(f) GDPR),
l) profiling, if any, for the purposes of personalisation of the information provided to the client’s needs – basis for the processing – the Controller’s legitimate interest in fulfilling the statutory objectives of the Controller (pursuant to article 6(1)(f) GDPR).
2. In the situations described above, additional detailed personal data processing information may apply, in which case you will be notified thereof separately by the Controller. This applies in particular to the recruitment process and specific services provided by electronic means.
Sources of your personal data processed by the Controller
The Controller points out that unless provided directly by you, your personal data may originate in particular from the following sources:
a) a client of the Controller (i.e. in particular, your employer or contracting party),
b) publicly available information sources (i.e. in particular, websites or registers of business entities),
c) a contracting party of the Controller (i.e. in particular, other member firms of Grant Thornton International or companies with equity links to the Controller).
What scope of your personal data will be subject to processing?
1. In the course of processing, the Controller applies the principle of data minimisation. In line with this principle, unless explicitly set out by the law, the minimal necessary scope of your personal data is processed.
2. You are obliged to provide complete, up-to-date and accurate data.
3. To achieve the purposes of processing listed above, for the most part it is not necessary to process special categories of data, including data concerning health status. In light of the above, if you are providing your personal data to the Controller, do not provide an excessive scope.
4. A data subject or another data controller should not provide to the Controller the personal data of third parties. If they provide such data regardless, they declare on each occasion that they have the relevant authorisation to do so or that they have made sure that a different legal basis exists authorising the provision of the data to the Controller.
5. If the Controller processes the personal data of natural persons obtained from a different source, the scope of the data processed is usually limited to: name, basic contact and address data and job title/credentials or type of business activity.
Who will receive your personal data?
1. The personal data processed by the Controller may be provided to entities authorised to obtain them under the applicable legal regulations, including the competent national authorities.
2. Moreover, the personal data processed by the Controller, depending on the purpose of processing, may be provided to:
a) data processors, such as: marketing and event management agencies, providers of document storage and secure destruction services, external advisors and auditors, subcontractors engaged in service provision to some clients, providers of technical services related in particular to maintaining and supplying IT systems and Web services, providers of services related to organising trainings, conferences and other corporate events, couriers, translation agencies, and companies with equity links to the Controller (potentially also other entities within Grant Thornton International),
b) recipients who are independent data controllers, such as: the provider of postal services, banks, law firms and companies with equity links to the Controller (and potentially other entities within Grant Thornton International).
3. In most cases, personal data will not be transferred to a third country/international organisation.
4. With respect to the newsletter service, personal data may be transferred to a third country, i.e. the USA. The engaged subcontractor ensures an adequate level of protection in personal data processing by participating in the Privacy Shield programme and obtaining the relevant certification (re. supplier of the IT service used to deliver the newsletter service).
5. With regard to services provided to some clients, personal data, including the personal data of their employees, may be transferred to another entity affiliated within Grant Thornton International located in a third country. Such a transfer is secured by standard contractual clauses annexed to the Inter Firm Agreement functioning within Grant Thornton International structures.
How long will the Controller process your personal data?
1. The fundamental criterion determining how long your personal data will be kept is the time necessary to fulfil the purpose of processing.
2. If the processing is based on your consent, you can withdraw such consent at any time. The Controller wishes to point out, however, that if you do so, some other grounds may still apply justifying further processing of your personal data.
3. The Controller shall not engage in personal data processing by automated means. In the case of the newsletter service, profiling of natural persons may take place to better match the information included to the specific interests and needs of those natural persons.
4. Where processing takes place for the purposes of compliance with a legal obligation to which the Controller is subject, or in connection with the performance of a contract, or a legitimate interest pursued by the Controller, the periods of data storage and the criteria determining them may depend on:
a) the duration of the given contractual relationship,
b) the obligation to store accounting documents – 5 years from the beginning of the year following the business year in which a given transaction was effectively completed or settled,
c) the obligation to store documents and information required to carry out the necessary measures to counteract money laundering and terrorism financing provided for the obliged institution – e.g. 5 years from the beginning of the year following the year in which business relations with the client were ended,
d) the obligation to store files, documents and information related to the provision of specific services – e.g. 5 years from the day of closing the file of an audit carried out by the audit firm,
e) the need to secure and subsequently exercise legal claims – the standard term being 6 years from the day the claim became enforceable.
What rights do you have in connection with personal data processing by the Controller?
1. Depending on the processing activity, the list of rights you may have includes the following:
a) right of access to data,
b) right to rectification,
c) right to erasure,
d) right to restriction of processing,
e) right to data portability,
f) right to object.
2. The Controller indicates that the preferred form of contact when exercising the above-listed rights is by email to: iod@pl.gt.com.
3. You also have the right to lodge a complaint regarding the processing activities carried out by the Controller with the competent supervisory authority.
Do you have to give us your personal data?
Unless the obligation to provide your personal data arises directly from contractual or legal provisions, providing your personal data is voluntary but necessary to use the Controller’s services or to communicate with the Controller.