privacy policy

Date of last update: 10.06.2025
  1. Introductory information
    1. Definitions
      1. For the purposes of the Privacy Policy:
        1. "Administrator" means Biznesomnia Sp. z o. o., ul. Podolska 21, 81-321 Gdynia, NIP: 958-174-03-92,
        2. "IT System Administrator" means a person acting under the authorisation of the Administrator who manages and supervises the Administrator's IT system,
        3. “Personal Data” means the following types of personal data relating to Data Subjects or their representatives: first name, last name, e-mail address, contact telephone number, date of birth, residential address, correspondence address, health data;
        4. "Supplier" means an entity that delivers goods or services to the Administrator,
        5. "Customer" means an entity that has made or expresses the will to make a purchase of goods or services offered by the Administrator or is in permanent business relations with the Administrator or has consented to the placement of its personal data in the database maintained by the Administrator,
        6. "supervisory authority" means the President of the Personal Data Protection Office,
        7. "Data Subject" means the entity whose personal data are processed by the Controller, including the Customer, the Supplier and their representatives,
        8. "Privacy Policy" means this document,
        9. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.5.2016, p. 1),
      2. For the purposes of the Privacy Policy, the definitions set out in the GDPR shall also apply, provided they do not conflict with the definitions set out in point 1.1 above.
    2. The purpose of creating the Privacy Policy
      1. The Privacy Policy is a measure implemented by the Administrator, the purpose of which is to define the actions taken by the Administrator in the scope of protection of Personal Data made available to the Administrator by Data Subjects, and also to inform Data Subjects about the procedure for handling Personal Data in force in the enterprise run by the Administrator, including in particular the purposes and legal basis of processing and the categories of recipients to whom Personal Data processed by the Administrator are further transferred, and the implementation by the Administrator towards Data Subjects of the information obligation resulting from the content of Art. 13 of the GDPR in the remaining scope .

    Administrator and processing of Personal Data
    1. The Personal Data Controller within the meaning of the GDPR regulations is Biznesomnia Sp. z o. o., ul. Podolska 21, 81-321 Gdynia, NIP: 958-174-03-92. The above means that the Controller determines the purposes and methods of processing Personal Data on its own and under its own responsibility.
    2. The Administrator has not appointed a data protection officer within the meaning of the GDPR.
    3. Processing of Personal Data means all actions and operations performed on Personal Data .

    Purposes and legal basis of processing and storage period of Personal Data concerning the Client
    1. The Administrator processes Personal Data relating to the Client or his representatives for the following purposes:
      1. proper performance of the contract under which the Administrator has undertaken to deliver goods or services to the Customer,
      2. conducting direct marketing of services or goods offered by the Administrator, including via e-mail correspondence such as a newsletter,
      3. performance of obligations arising from legal regulations, including tax and accounting regulations,
      4. conducting court, arbitration, administrative, judicial-administrative, enforcement and mediation proceedings,
      5. pursuing, establishing or defending claims or other rights arising from legal provisions,
      6. handling complaints and claims.
    2. The legal basis for processing Personal Data for the purposes specified above in point 3.1. letter a) is that it is necessary for the performance of the contract, and in the case of the purpose contained in point 3.1. letter a) it concerns the performance of the contract on the basis of which the Administrator has undertaken to deliver goods or services to the Customer. The legal basis for processing Personal Data for the purpose specified above in point 3.1. letter c) is that it is necessary to fulfill the legal obligations incumbent on the Administrator. The legal basis for processing Personal Data for the other purposes indicated above in point 3.1. is the legitimate interest pursued by the Administrator.
    3. Processing of Personal Data for the purposes indicated above in point 3.1. includes in particular collecting, modifying, storing, viewing, updating, analysing and archiving.
    4. Personal Data concerning the Client may be transferred to public administration bodies or to other persons or third parties - to the extent and in cases where the obligation to make them available is imposed on the Administrator by law. In addition, Personal Data concerning the Client, to the extent necessary to achieve the purpose specified in point 3.1. letter c) above, may also be transferred to entities performing accounting and bookkeeping services for the Administrator on the basis of a separate agreement.
    5. Personal data relating to the Customer, to the extent necessary to achieve the purposes specified in point 3.1. letter d) above, may be transferred to courts or other bodies appointed to hear cases or enforce claims, as well as to entities performing debt collection or legal assistance services for the Administrator on the basis of a separate agreement.
    6. The provision of Personal Data by the Client concerning him/her is a condition for concluding an agreement with the Administrator, under which the Administrator undertakes to deliver goods or services to the Client, and is not obligatory, but failure to provide them will prevent the conclusion of this agreement.
    7. The implementation of the processing purposes described above, in the vast majority of cases, does not require the processing of special categories of personal data, i.e. also data concerning the Client's health. In connection with the above, persons deciding to transfer personal data to the Controller should not carry out such transfer to an excessive extent. The basis for the processing of data concerning the Client's health is Article 9 paragraph 2 letter h of the GDPR.
    8. Personal data relating to the Customer will be stored by the Administrator for the following period:
      1. in the case of Personal Data, the legal basis for their processing by the Administrator is the fact that it is necessary for the proper performance of the contract – until the limitation period for claims arising from that contract expires,
      2. in the case of Personal Data, in relation to which the basis for their processing by the Administrator is a legitimate interest - until such basis for processing ceases to exist, in particular until the limitation period for the Administrator's claims and the Client's claims arising from their legal relationship, the termination of the legal existence of the Administrator or a legally binding or final determination or award or satisfaction or defense of a claim or other right of the Administrator or Client in court, arbitration, administrative, court-administrative, enforcement or mediation proceedings,
      3. in the case of Personal Data, the basis for their processing is that it is necessary to fulfill the legal obligations incumbent on the Administrator - until such time as this basis for processing ceases to apply .

    Purposes and legal basis of processing and storage period of Personal Data concerning the Provider
    1. The Administrator processes Personal Data relating to the Supplier or its representatives for the following purposes:
      1. proper performance of the contract under which the Supplier undertakes to deliver goods or services to the Administrator,
      2. performance of obligations arising from legal regulations, including tax and accounting regulations,
      3. conducting court, arbitration, administrative, judicial-administrative, enforcement and mediation proceedings,
      4. pursuing, establishing or defending claims or other rights arising from legal provisions,
    2. The legal basis for processing Personal Data for the purpose specified above in point 4.1. letter a) is that it is necessary for the performance of the contract under which the Supplier has undertaken to deliver goods or services to the Administrator. The legal basis for processing Personal Data for the purpose specified above in point 4.1. letter b) is that it is necessary to fulfill the legal obligations incumbent on the Administrator. The legal basis for processing Personal Data for the other purposes indicated above in point 4.1. is the legitimate interest pursued by the Administrator.
    3. The processing of Personal Data relating to the Supplier includes, in particular, collecting, modifying, storing, viewing, updating, analysing and archiving them.
    4. Personal data concerning the Supplier may be transferred to public administration bodies or other persons or third parties – to the extent and in cases where the obligation to make them available is imposed on the Administrator by law. Personal data concerning the Supplier, to the extent necessary to achieve the purpose specified in point 4.1. letter b), may also be transferred to entities performing accounting and bookkeeping services for the Administrator on the basis of a separate agreement.
    5. Personal data relating to the Supplier, to the extent necessary to achieve the purposes specified in point 4.1. letter c) and d) above, may be transferred to courts or other bodies appointed to hear cases or enforce claims, as well as to entities performing debt collection or legal assistance services for the Controller on the basis of a separate agreement.
    6. The provision of Personal Data by the Supplier concerning him is a condition for concluding an agreement with the Controller, under which the Supplier assumes the obligation to provide the Controller with goods or services, and is not mandatory, but failure to provide them will prevent the conclusion of this agreement.
    7. Personal data relating to the Supplier will be stored by the Administrator for the following period:
      1. in the case of Personal Data, the legal basis for their processing by the Administrator is the fact that it is necessary for the proper performance of the contract – until the limitation period for claims arising from that contract expires,
      2. in the case of Personal Data, in relation to which the basis for their processing by the Administrator is a legitimate interest - until such basis for processing ceases to exist, in particular until the limitation period for the Administrator's claims and the Supplier's claims arising from their legal relationship, the termination of the legal existence of the Administrator or a legally binding or final determination or award or satisfaction or defense of a claim or other right of the Administrator or Supplier in court, arbitration, administrative, court-administrative, enforcement or mediation proceedings .

    Data Subject Rights Related to Personal Data Protection
    1. The right to information
      1. When obtaining personal data, the Administrator is obliged to provide the person from whom the data originates with all of the following information:
        1. your identity and contact details and, where applicable, the identity and contact details of your representative,
        2. where applicable, contact details of the data protection officer,
        3. the purposes of processing Personal Data, and the legal basis for processing,
        4. information about the recipients of Personal Data or categories of recipients, if any,
        5. where applicable – information on the intention to transfer Personal Data to a third country or an international organisation,
        6. the period for which the Personal Data will be stored or, if this is not possible, the criteria for determining this period,
        7. information whether the provision of Personal Data is a statutory or contractual requirement or a condition for entering into a contract and whether the data subject is obliged to provide the Personal Data and what the possible consequences are of not providing the Data.
      2. If the Data Controller plans to further process the personal data for a purpose other than that for which the personal data were collected, the Data Controller shall, prior to such further processing, inform the Data Subject of that other purpose and provide him or her with any other relevant information.
    2. The right to withdraw consent to the processing of Personal Data
      1. The data subject has the right to withdraw consent to the processing of Personal Data at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
    3. The right to access Personal Data
      1. The data subject is entitled to obtain from the Controller confirmation as to whether his or her Personal Data are being processed and, if so, is entitled to access them and the following information:
        1. purposes of processing;
        2. the categories of Personal Data concerned;
        3. information on the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;
        4. if possible, the planned period for which the Personal Data will be stored or, if not possible, the criteria for determining that period;
        5. information about the right to request that the Controller rectify, delete or limit the processing of Personal Data and to object to such processing;
        6. information on the right to lodge a complaint with the supervisory authority;
        7. if the personal data were not collected from the Data Subject, any available information about their source;
        8. information on automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – meaningful information on the principles governing its making and the significance and envisaged consequences of such processing for the data subject.
      2. The Controller is obliged to provide the Data Subject with a copy of the Personal Data. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject requests a copy electronically and unless otherwise indicated, the information shall be provided in a commonly used electronic manner.
    4. The right to request the rectification and deletion of Personal Data
      1. The Data Subject has the right to request the Controller to immediately rectify their Personal Data that is incorrect. Taking into account the purposes of processing, the Data Subject has the right to request that incomplete Personal Data be supplemented, including by submitting an additional statement.
      2. The data subject is entitled to demand that the Controller immediately delete his or her Personal Data, and the Controller is obliged to delete the Personal Data without undue delay if one of the following circumstances occurs:
        1. Personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
        2. The data subject withdraws consent to which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR and where there is no other legal ground for the processing,
        3. The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR,
        4. Personal data were processed unlawfully,
        5. Personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State to which the Controller is subject,
        6. The personal data were collected in connection with the offering of information society services referred to in Article 8(1) of the GDPR.
      3. The rights of the Data Subject indicated in point 5.2. above do not apply to the extent that processing is necessary for the exercise of the right to freedom of expression and information, for the establishment, exercise or defence of legal claims, for compliance with a legal obligation requiring processing under Union law or the law of a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2 letters h) and i) of the GDPR and Article 9 paragraph 3 of the GDPR for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 paragraph 1 of the GDPR, insofar as it is likely that this right will make it impossible or seriously impede the achievement of the purposes of such processing.
      4. The Controller is obliged to provide the Data Subject with information about the rectification or deletion of Personal Data, unless this proves impossible or involves a disproportionately large effort.
    5. The right to restrict the processing of Personal Data
      1. The data subject has the right to request the Controller to limit the processing of his or her Personal Data in the following cases:
        1. The data subject questions the accuracy of the Personal Data – for a period allowing the Controller to verify their accuracy,
        2. the processing is unlawful and the Data Subject opposes the deletion of the Personal Data, requesting instead the restriction of their use,
        3. The Administrator no longer needs the Personal Data for the purposes of processing, but they are necessary for the Data Subject to establish, pursue or defend legal claims,
        4. The Data Subject has objected to the processing under Article 21(1) of the GDPR – pending the determination of whether the legitimate grounds on the part of the Controller override the grounds for the Data Subject’s objection.
      2. The Controller is obliged to provide the Data Subject with information about the restriction of the processing of Personal Data, unless this proves impossible or involves a disproportionately large effort.
    6. The right to transfer Personal Data
      1. The Data Subject has the right to receive the Personal Data concerning him/her provided to the Controller in a structured, commonly used and machine-readable format and has the right to transmit this Personal Data to another controller without hindrance from the Controller, where the processing is carried out by automated means and a) is based on the Data Subject's consent or b) is necessary for the performance of a contract.
      2. In exercising the right specified in point 5.1 above, the Data Subject has the right to request that Personal Data be sent by the Controller directly to another controller, if technically possible. This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority entrusted to the Controller. This right may also not adversely affect the rights and freedoms of other entities.
    7. Right to object and rights related to automated individual decision-making
      1. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her Personal Data based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on these provisions. The Controller is no longer permitted to process these Personal Data unless he or she can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or grounds for establishing, pursuing or defending claims.
      2. If Personal Data are processed by the Controller for the purposes of direct marketing, the Data Subject has the right to object at any time to the processing of his or her Personal Data for the purposes of such marketing, including profiling, to the extent that the processing is related to such direct marketing.
      3. The data subject has the right to obtain the information specified above in points 5.1 and 5.2 separately from any other information and in a clear and distinct form. The data subject has the right to exercise the objection by automated means using technical specifications.
      4. If the Data Subject objects to processing for direct marketing purposes, the Personal Data must no longer be processed for such purposes.
      5. Where Personal Data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, the Data Subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of his or her Personal Data, unless the processing is necessary for the performance of a task carried out in the public interest.
      6. The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar manner, unless the decision is necessary for entering into, or the performance of, a contract between the Data Subject and the Controller, is authorised by Union or Member State law to which the Controller is subject and which lays down suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests or is based on the Data Subject's explicit consent .

    Personal Data Security
    1. The Administrator processes Personal Data in a manner consistent with the provisions of generally applicable law in the territory of the Republic of Poland. The Administrator declares that it has implemented appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risk related to the processing of Personal Data entrusted to it, referred to in Article 32 of the GDPR. The Administrator regularly verifies and updates the technical and organizational measures used by it in order to ensure an adequate level of protection for the Personal Data entrusted to it.
    2. The Administrator declares that in order to ensure the security of Personal Data processing, it has introduced the Personal Data Protection Policy. The Personal Data Protection Policy is a measure implemented by the Administrator in accordance with art. 24 sec. 1 and 2 of the GDPR, the purpose of which is to introduce a procedure for handling Personal Data in the enterprise run by the Administrator, based on which their processing by the Administrator will take place in accordance with the GDPR .

    Administrator's contact details
    1. In all matters relating to the processing of Personal Data, including in particular matters relating to the provisions of this Privacy Policy, the Data Subject should contact the Administrator.
    2. The current management of the Administrator's IT system is handled by the IT Systems Administrator.

The law on your side.

We act as your in-house legal department.

Schedule a call
Arrow right up icon
Menu
HomeFor YouFor BusinessAbout UsContact
Logo Asesoria Lex