Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, I hereby inform you about your rights related to the processing of personal data.
Name of the Data Controller: Leviatan Data Services sp. z o.o.
Address: ul. Gdańska nr 6, lok. 31, 50-344 Wrocław
The above address may be used to contact the Data Controller in matters related to the protection, collection, processing, modification, and deletion of personal data.
The Controller informs that:
Legal basis and purpose of processing personal data:
a) Article 6(1)(b) GDPR – processing is necessary for the performance of contractual obligations towards you, if you are or will be a party to a contract concluded with Leviatan Data Services Sp. z o.o. – the legal basis is the necessity to perform the contract.
b) Article 6(1)(b) GDPR – processing is necessary to take steps prior to entering into a contract – with respect to personal data of persons conducting business activity with whom Leviatan Data Services Sp. z o.o. may conclude a contract.
c) Article 6(1)(c) GDPR in connection with the Accounting Act of 29 September 1994 and the VAT Act of 11 March 2004 – fulfilment of legal obligations imposed on the Controller, in particular accounting obligations – the legal basis is the necessity to fulfil a legal obligation imposed on the Controller.
d) Article 6(1)(a) GDPR – for the purpose consistent with the granted consent, if consent has been given.
e) Article 6(1)(f) GDPR – processing is necessary for the purposes of legitimate interests pursued by Leviatan Data Services Sp. z o.o. or a third party and does not excessively affect your interests or fundamental rights and freedoms. When processing personal data on this basis, we always try to maintain a balance between our legitimate interest and your privacy. Such legitimate interests include:
a) maintaining business relations – the legal basis is the legitimate interest of the Controller;
b) verifying the potential and experience of the contractor and the possibility of using the information for sending inquiries (creating a supplier database) by Leviatan Data Services Sp. z o.o. – the legal basis is the legitimate interest of the Controller;
c) possible establishment, exercise, or defense of claims – the legal basis is the legitimate interest of the Controller to enable the establishment, exercise, and defense of claims related to its business activity;
d) verifying the credibility of contractors in order to assess the risk related to cooperation with the contractor, including verification in public registers.
Rules for providing personal data to the Controller: providing personal data is a condition for conducting business contacts.
Categories of relevant personal data: data of clients and contractors, including sole proprietorships and civil law partnerships, and natural persons representing contractors (employees, management).
Recipients of personal data or categories of recipients: entities providing services to the Controller, such as IT and software servicing, Microsoft 365 provider, security, legal, accounting, consulting and audit services, insurance, debt collection, and archiving services.
Information on data transfer to a third country or international organization: the Controller does not plan to transfer data outside the EEA; however, such a transfer may be carried out by global cloud service providers, e.g. Microsoft as a Microsoft 365 service provider. The transfer may include data of clients and contractors of Leviatan Data Services Sp. z o.o., including sole proprietorships and civil law partnerships, and natural persons representing contractors, when using global cloud services provided by Microsoft. Examples include authentication services (Azure Active Directory, MFA). Microsoft performs transfers in accordance with the EU–U.S. Data Privacy Framework and applies safeguards based on Standard Contractual Clauses under Article 46(2) GDPR.
Data retention period:
a) if personal data are provided by employees or associates when concluding a contract:
b) until withdrawal of consent if data are processed based on consent, e.g. for maintaining business contacts.
Information on profiling: not applicable.
The data subject has the right to lodge a complaint regarding the processing of their personal data by the Controller or the entity/organization to which the personal data were transferred, to:
Name: President of the Personal Data Protection Office
Address: ul. Stawki 2, 00-193 Warsaw
Contact: Phone: 606 950 000, contact: uodo.gov.pl/pl/p/kontakt
If processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR – every person has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Information on the right to request information on processed data:
a) the data subject has the right to request information at any time.
b) the data subject has the right to access personal data and obtain a copy.
c) the Controller shall, without undue delay and no later than within one month, inform the data subject about actions taken regarding requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, objection, data portability). This period may be extended by two months due to the complexity or number of requests.
d) if the Controller does not act, it must notify the data subject within one month, explain the reasons, and inform the data subject about the right to file a complaint and seek legal protection in court.
e) if the Controller has reasonable doubts about the identity of the person, it may request additional information to confirm identity.
f) information is provided in writing or electronically; orally only if identity is confirmed.
Right to rectification: the data subject may demand immediate rectification of inaccurate data and completion of incomplete data, including by providing an additional statement; the request may be made at any time.
Right to data portability: the data subject has the right to receive data in a structured, commonly used, machine-readable format and transmit them to another controller if:
a) processing is based on consent under Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract under Article 6(1)(b) GDPR;
b) processing is automated.
Right to restriction of processing: the data subject may request restriction when:
a) accuracy of personal data is contested – for the period of verification;
b) processing is unlawful and deletion is opposed;
c) data are no longer needed by the Controller but required by the data subject to establish, exercise or defend claims;
d) objection is submitted – until verification of whether the Controller’s grounds override the objection.
If processing is restricted, data may be processed only with consent, for legal claims, protecting rights of others, or for reasons of public interest.
Right to object: the data subject may object at any time, on grounds relating to their particular situation, to processing, including profiling; the Controller may not process unless it demonstrates overriding legitimate grounds or grounds for legal claims.
Right to be forgotten: the data subject may request immediate erasure where:
a) data are no longer necessary;
b) no legal basis exists;
c) objection is raised and no overriding grounds exist;
d) data were unlawfully processed;
e) erasure is required by EU or Member State law;
f) data were collected in relation to information society services.
2024 © LEVIATAN DATA SERVICES SP. Z O. O.