Processing of personal data

1. Who is responsible for processing personal data?

The administrator, i.e. the entity that decides how Your personal data will be used, is Transparent Data spółka z ograniczoną odpowiedzialnością sp.k. headquartered in Poland, Poznań at Mickiewicza Street 27/5, 60-835 Poznań (the "Company").

You may contact the Company's Data Protection Officer on matters related to the processing of Your personal data by writing to the Company's address or at the following email address: gdpr@transparentdata.pl.

2. Where did the Company obtain the personal data from?

The Company processes personal data disclosed in public registers, which include, in particular, the following: the National Court Register (KRS), the Central Register and Information on Business Activity (CEIDG), the REGON database of the Central Statistical Office and the Monitor Sądowy i Gospodarczy. The full list of sources from which the Company obtains personal data is available at: transparentdata.pl/data-sources

3. For what purposes and on what legal basis does the Company process personal data?

The Company processes personal data in order to:

1. provide business data access services through APIs, data platforms, and file sharing to the Company's customers who are seeking data about their contractors or potential business partners, including, in particular, confirming the authenticity of basic registration data and identifying personal and capital relationships of entities, as well as software services to support the digital transformation of organizations and automation of processes (the "Services"), on the basis of legitimate interests pursued by the administrator and third parties (Article 6(1)(f) GDPR), consisting of:
   1. in case of the Company - conducting the business of providing Services to the Company's customers;
   2. in case of the Company's customers - obtaining comprehensive business information on entities with which they have or intend to establish business relations, in order to reduce business risks;
2. to exercise the rights of the data subjects referred to in Section 8 below, following their requests, in order to fulfill the controller's legal obligation (Article 6(1)(c) of the DPA), as set forth in the provisions of Articles 15-22 of the DPA;
3. where applicable, for the purposes of litigation, arbitration or mediation (Article 6(1)(f) GDPR).

4. What categories of personal data does the Company process?

The Company processes categories of personal data disclosed in the relevant public registers referred to the Section 2 above, which constitute business data.The scopes of personal data processed with respect to specific individuals may vary, depending on what information about the individual is disclosed in the various public registers used by the Company. The maximum scope of personal data, processed by the Company, does not exceed the sum of the categories of personal data, disclosed in all public registers mentioned above.

5. Who has access to personal data?

The Company may share data with:

1. the Company's customers, in the course of providing the Services;
2. to public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes that follow from the law;
3. the Company's suppliers or contractors, to the extent and for the purposes necessary for the Company to provide the Services, in particular software providers, hosting services, companies providing IT support services.

6. Does the Company transfer personal data to countries outside the EU/EEA?

Personal data are processed, for the purposes indicated above, only in the territory of the European Union or the European Economic Area.

7. How long does the Company keep your personal information?

The Company stores personal data:

1. In order to provide the Services:
   1. for the period. during which such personal data remain disclosed in the public records referred to in Section 2 above; or
   2. until the data subject objects to the processing of his/her personal data for this purpose;
2. for the purpose of exercising the rights of data subjects - for the time necessary to process the request;
3. for the purposes of litigation, arbitration or mediation - for the period of the statute of limitations for claims (usually 3 years) and the possible duration of the proceedings.

8. What are the rights of the data subject?

The data subject has the right to:

1. request access to his/her personal data (Article 15 GDPR);
2. demand rectification of inaccurate or incomplete personal data (Article 16 GDPR);
3. demand erasure of her personal data (Article 17 GDPR), in case the data are no longer necessary for the purposes for which they were collected by the Company; she has previously objected to the processing of such data; the data are being processed unlawfully; the data should be erased in order to comply with an obligation under the law;
4. demand restriction of the processing of her personal data (Article 18 GDPR), in case the data are incorrect - for a period allowing the Company to verify the correctness of the data; the data are processed unlawfully, but will not want them deleted; the data are no longer needed by the Company, but may be needed by the subject to defend or assert claims; will object to the processing of the data - until it is determined whether the legitimate grounds for the processing override the grounds for the objection;
5. object to the processing of his or her personal data (Article 21 GDPR) when it is processed on the basis of a legitimate interest or for statistical purposes, and the objection is justified by his or her particular situation.

The above rights may be exercised by the data subject by contacting the Company via the contact information provided in Section 1. In addition, the data subject has the right to lodge a complaint regarding the Company's processing of his/her personal data with the Director of the Office for Personal Data Protection (Article 77 of the GDPR).

9. Does the Company use automated decision-making based on personal data?

The Company processes personal data automatically by searching public records for matching records relating to the data subject. The Company does not use personal data for automated decision-making, in particular profiling, defined as the automated processing of data that involves its use to evaluate certain factors concerning, in particular, the analysis or forecasting of aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement of the data subject.