Rules for processing your personal data
In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as GDPR), we hereby inform you that:
1. Data Controller
Your personal data is processed by companies belonging to the Forvis Mazars Group in Poland (hereinafter referred to as the Controller, Forvis Mazars or we), i.e.:
- Forvis Mazars Polska Sp. z o.o. with its registered office in Warsaw, ul. Piękna 18, 00-549 Warsaw, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0000083094, NIP: 5260019051, REGON: 010381827, share capital PLN 300,000.00,
- Forvis Mazars Audyt Sp. z o.o. with its registered office in Warsaw, ul. Piękna 18, 00-549 Warsaw, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0000086577, NIP 5260215409, REGON 011110970, share capital PLN 1,268,000.00, and
- Forvis Mazars Expertise Sp. z o.o. with its registered office in Warsaw, ul. Piękna 18, 00-549 Warsaw, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0000429432, NIP 7010351265, REGON 146251766, share capital PLN 5,000.00.
You can contact us by e-mail: rodo_weryfikacja.pl@forvismazars.com, by phone at +48 22 255 52 00 or via the contact form on the Forvis Mazars website at https://www.forvismazars.com/pl/pl/kontakt/formularz-kontaktowy.
Which Forvis Mazars Group company in Poland is responsible for processing personal data in a given case depends on the purpose of processing such data.
Each of the companies belonging to the Forvis Mazars Group acts as a personal data controller in those processing operations in which it is a party to the contract, a service provider or a recipient of services provided by business partners.
In the following situations involving the processing of personal data, the companies of the Forvis Mazars Group jointly determine the purposes and means of processing (i.e. they act as joint controllers):
PURPOSE OF PROCESSING | CATEGORIES OF PERSONS | TYPES OF PERSONAL DATA |
Maintaining a database of business customers for the purposes of direct communication and maintaining business relationships, conducting and organising event projects, promoting the Group's activities, preparing and presenting offers and disseminating knowledge in the area of the Parties' activities, collecting data on the market in which the Group operates | · customers and their representatives · contractors and their representatives · potential customers and their representatives | · e-mail address, · first and last name, · position/role, · entity where the person is employed, · telephone number |
Keeping records of entries and exits for the purposes of ongoing registration of persons entering and leaving individual offices | · persons visiting the Group's offices | · first name and surname |
Conducting video surveillance (CCTV) to ensure the safety of employees, associates and property, including systems | · persons entering the office space | · image |
Coordination and streamlining of work within the Group, including the operation of Forvis Mazars offices (including room, desk and parking space reservations) | · employees, associates · clients and their representatives · contractors and their representatives · potential clients and their representatives | · e-mail address, · first name and surname, · position/role, · entity where the person is employed, · telephone number |
Exercise of rights and obligations arising from internal procedures in force within the Group or legal regulations applicable to the activities conducted by entities within the Group, including in particular those relating to the security and quality of services provided by Forvis Mazars, i.e. procedures for the control of conflicts of interest, prohibition of the provision of prohibited services, anti-money laundering, public procurement, cybersecurity, personal data protection, ESG and sanctions | · employees, associates, members of governing bodies · clients and their representatives · contractors and their representatives · potential clients and their representatives | · information on personal connections, · first name and surname · position/role, · entity where the person is employed, · nationality, · country of residence, · Personal Identification Number (PESEL) or date of birth |
Conducting recruitment processes for the purpose of hiring new employees and associates | · persons applying for positions advertised, in particular, via the website and social media | · contact details (e-mail address, telephone number, correspondence or residential address, social media profile), · data confirming identity (first and last name, residential address, mailing address, email address, telephone number, date of birth, identity document number), · data concerning education, information on professional experience, professional qualifications, · other information provided by the data subject that is necessary or useful for recruitment processes and for employment purposes |
Maintaining a website and social media profiles, including the provision of electronic services via the website, receiving messages sent via the form on this website or via social media messengers, taking measures to improve the functionality of services provided electronically and to facilitate the use of these services, including adapting the website to user preferences | · persons visiting the website or the Group's social media profiles, respectively | · the IP address of the device or the IP address of the Internet provider, · domain name, · type of browser used by the person, · access time, · type of operating system used by the device, · navigation data, · data posted on the data subject's social media profile or provided via instant messaging |
Organisation of events and training courses | · persons interested in participating in events or training · persons invited to participate in events or training courses · persons participating in events or training courses | · e-mail address, · first name and surname, · position/role, · entity where the person is employed, · telephone number |
Direct marketing – sending marketing and informational messages related to the Group's activities (promotion and development of the Group's services and sending information such as newsletters and invitations to workshops, conferences, seminars and other events) | · customers and their representatives · contractors and their representatives · potential customers and their representatives | · e-mail address, · first and last name, · position/role, · entity where the person is employed, · telephone number |
Applying (in particular, bidding) for and implementing joint substantive projects for clients (does not apply to subcontracting) | · clients and their representatives · contractors and their representatives · potential clients and their representatives | · e-mail address, · first and last name, · position/role, · entity where the person is employed, · telephone number · Personal Identification Number (PESEL) · ID card number |
In the cases described above, the companies acting as joint controllers have entered into an agreement governing the joint processing of personal data, which regulates in detail the scope of their responsibilities. In the case of joint processing, Forvis Mazars Polska Sp. z o.o., supported by other companies from the Forvis Mazars Group, is responsible for exercising your rights as data subjects.
2. Purpose and basis of processing
Forvis Mazars collects and processes only those of your personal data whose processing is justified by at least one of the purposes described below and only if there is an appropriate legal basis for such processing among those listed below.
Your personal data is processed by us on the following legal bases and for the following purposes, as applicable:
1) the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in:
i. providing information and contacts necessary to conduct business activities, including establishing and implementing cooperation with the entity on behalf of which you act (hereinafter referred to as the Entity), including preparing proposals for the Entity, as well as managing this relationship, and handling and implementing the activities you undertake,
ii. conducting activities aimed at coordinating and streamlining work within the Controller's organisation, including servicing the Controller's office, keeping internal records (e.g. recording correspondence), conducting analytical and statistical activities, exercising administrative, accounting and corporate rights and obligations, accounting and corporate activities, maintaining and using IT systems, managing access to Forvis Mazars offices and ensuring security, quality, as well as developing the Controller's activities and services,
iii. establishing, pursuing and enforcing claims or defending against them, including in proceedings before courts and other public authorities,
iv. undertaking actions by the Controller aimed at improving the functionality of services provided electronically and facilitating the use of these services, including adapting the website to user preferences,
v. conducting direct marketing – sending you, in accordance with your preferences, marketing and information messages related to the activities conducted by Forvis Mazars in order to promote and develop our services and provide information that we believe will be of interest to you, including in particular newsletters and invitations to workshops, conferences, seminars and other events. In each case, we will give you the opportunity to opt out of our direct marketing services. You can opt out by responding to one of the unsubscribe options in the information we send you or by using the contact form on the Forvis Mazars website;
2) fulfilling the legal obligation incumbent on the Controller (Article 6(1)(c) of the GDPR), consisting of:
i. keeping the Controller's accounts, resulting in particular from the Tax Ordinance Act of 29 August 1997, the Accounting Act of 29 September 1994, the Goods and Services Tax Act of 11 March 2004, including keeping accounting records relating to cooperation with the Entity,
ii. ensuring compliance with legal requirements, regulations or the rules of the organisations to which we belong – in particular with regard to the archiving of data and documents, as we are required to store certain records in order to demonstrate that our services are provided in accordance with legal, regulatory or professional obligations, and these records may contain personal data,
iii. fulfilling information obligations (responding to letters and requests, providing information on data processing methods, etc.);
3) processing is necessary for the conclusion and performance of a contract with us, as well as for taking other actions at your request prior to its conclusion (Article 6(1)(b) of the GDPR), including sending responses to your questions, making arrangements regarding the terms of cooperation, reviewing responses to job offers at Forvis Mazars for the purpose of recruiting new employees, ensuring participation in events (including webinars) for which you have registered, and handling any complaints;
4) your consent (Article 6(1)(a) of the GDPR), given in particular by ticking the appropriate functional boxes, which in particular concerns the processing of your email address and telephone number for the purpose of receiving commercial information from the Controller (including newsletters and information about the Controller's offer, industry events and training courses organised by the Controller) and for analytical and statistical purposes related to their sending, as well as other data provided by you voluntarily, other than that necessary for the purposes indicated in points 1-3 above.
Providing data is voluntary, but failure to do so will result in the inability to cooperate with you or the Entity.
3. Scope of data processed and method of obtaining it
Your personal data processed by us includes contact details and identity verification data (which may include, in particular: first and last name, residential address, mailing address, email address, telephone number, date of birth, identity document number), as well as information about your position in the Entity or other relationship between you and the Entity. Depending on the case, we have obtained this data directly from you or received it from the Entity.
For human resources management purposes, in particular for recruitment and subsequent employment, in addition to contact details and identity verification data, we also process your education data, information about your professional experience, professional qualifications, as well as any other data you have provided that is necessary or useful for recruitment processes and for the purposes of employment at Forvis Mazars.
For accounting and payment purposes, we process data relating to payment processing, in particular bank account numbers.
In addition, we process information that is relevant to the services we provide, including personal data such as: first name, surname, email address, company name, position, country, whereby Forvis Mazars Audyt Sp. z o.o. or Forvis Mazars Expertise sp. z o.o. is the sole controller of this personal data, depending on which company provides the services (i.e. in this case there is no joint controller). Forvis Mazars Polska Sp. z o.o. or Forvis Mazars Expertise sp. z o.o., depending on which company provides the services (i.e. in this case there is no joint administration).
We also process personal data that you have provided to us via our website www.forvismazars.com/pl. The type of personal data we process in connection with your visits to our website depends on the data you provide to us. If your visit is limited to browsing and there is no interaction with us, we will only process data from cookies (for more information, see section 10 below) that is necessary for our website to function. If you decide to contact us, for example via an online form, we will process the data you provide in the completed form for the purpose specified in the form. We mark some fields as mandatory because without them we would not be able to contact you to respond to your enquiry. You have the option of providing us with additional data, including personal data belonging to special categories. By providing us with this type of data, you consent to its processing by us.
4. Transfer of data to other entities
The Controller may transfer your personal data solely for the purpose of performing its tasks and to the extent necessary to the following entities:
- authorised personnel of the Controller,
- entities belonging to the Forvis Mazars network (consisting of Forvis Group S.C. and its member companies, as well as Forvis Mazars US and Forvis Mazars Global), including entities belonging to the Forvis Mazars network (in Poland and worldwide) within the meaning of the Act of 11 May 2017 on statutory auditors, audit firms and public supervision, in connection with close cooperation between these entities regarding the joint implementation of economic projects, the performance of organisational and administrative activities, the provision of accounting, bookkeeping, HR and IT services, as well as the secondment of employees or associates to perform specific activities for other entities. If you send us an enquiry concerning one of our subsidiaries abroad or another company belonging to the Forvis Mazars Group or Forvis Mazars US, we will forward your enquiry to the appropriate entity on your behalf. Detailed information about the companies of the Forvis Mazars Group can be found at https://www.forvismazars.com/pl/pl/o-nas/o-nas,
- entities providing services to the Controller (including its subcontractors), including through other entities within the Forvis Mazars Group, such as entities handling processes carried out for the purpose of performing activities for which personal data is transferred, in particular for the purpose of conducting customer satisfaction surveys and analysing their results, as well as entities providing IT and technical support services, cooperating law and tax firms, marketing companies, external auditors, post offices, couriers, insurers, banks, transport companies, which must have access to your data in order to perform their duties,
- entities or authorities authorised by law, in particular tax offices.
Due to the global nature of our business, your personal data may also be transferred to so-called "third countries" (i.e. outside the European Economic Area comprising the European Union, Norway, Liechtenstein and Iceland), where data protection laws may not be as extensive as in the EU. In the case of data transfers outside the EEA, we will only transfer personal data (i) to a country whose legislation has been recognised by the European Commission as providing adequate protection for personal data, (ii) to a place where we have implemented an appropriate mechanism for data transfer, such as European standard contractual clauses, in order to ensure adequate protection of your personal data.
5. Data processing period
Your personal data will be stored for the duration of the activities for which it was collected, no longer than the period necessary for the implementation and settlement of cooperation, and until the expiry of the periods resulting from the relevant legal provisions, i.e. until the expiry of the limitation period for tax liabilities related to accounting documentation, which may be extended in appropriate cases by the limitation period for civil law claims, unless the Controller is obliged under generally applicable regulations to store such data for a longer period (in particular in connection with the archiving obligations incumbent on audit firms).
Within the scope of the consent given, your personal data will be processed for the duration of the marketing offer, no longer than until the consent is withdrawn. You may withdraw your consent to the presentation of this offer at any time by sending an email to: rodo.pl@forvismazars.com.
After the expiry of the personal data storage period, your personal data will be deleted or anonymised.
6. Your rights related to data processing
In connection with our processing of your personal data, you have a number of rights. You may:
- access your personal data that we store;
- request that we correct any of your personal data that we store and that is incorrect;
- request the deletion of your personal data;
- restrict our processing of your personal data;
- submit a request to us to transfer your personal data to another controller (right to data portability).
Furthermore, if the processing of data is based on:
1) the legitimate interest of the Controller – you have the right to object at any time to the processing of personal data for reasons related to your particular situation,
2) the Controller's legitimate interest in direct marketing – you have the right to object to the processing of your personal data at any time,
3) your consent to the processing of personal data – you have the right to withdraw your consent, but despite its withdrawal, the Controller will not be able to remove your data from materials (including analyses) produced during the period of validity of the consent.
If you wish to exercise any of your rights related to the processing of your personal data or if you have any questions regarding the information we have provided, please contact us as described in section 1 of this information above.
If you believe that our processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, tel. +48 22 531 03 00, e-mail: kancelaria@uodo.gov.pl.
7. Automated processing
Your data will not be subject to automated decision-making or profiling.
8. Data security
We ensure appropriate technical and organisational controls to protect your personal data against loss, misuse, alteration or accidental destruction. These controls consist of the use of antivirus software, firewalls, server security, hard drive encryption software, password protection, physical access control, two-step authentication, intrusion detection and anomaly detection.
Members of our staff who have access to your personal data have been trained to ensure the confidentiality of such data. They only have access to your personal data to the extent necessary for the proper performance of their duties. Persons who have access to your data are also bound by strict professional secrecy.
Requirements for the protection of personal data at least equivalent to those applicable to Forvis Mazars apply to all our contractors (processors) whose services we use and our suppliers.
Our security measures are monitored and tested regularly to ensure their effectiveness in the event of any threat.
Data transmitted by us via the Internet and our website is protected by encryption technologies. However, security cannot be fully guaranteed for transactions via the Internet.
9. Children and our website
Forvis Mazars understands the importance of protecting children's privacy, especially in the online environment. Our websites are not designed for children, who are not their intended audience. We do not knowingly collect or store information about persons under the age of 16 through our website. Such persons, if they wish to provide us with any information through our website, are required to obtain the prior consent of a parent or legal guardian. Please provide this information to such persons before contacting us.
10. Cookies
Navigation on our website depends on cookies stored on your computers. Cookies are small text files that are placed on computers in connection with the websites you visit. For more information, please see our Cookie Policy at https://www.forvismazars.com/pl/pl/legals/cookies.