Processing of personal data (GDPR)

If you want to know how and for what purpose we process personal data, here you will find the answer to your questions. If you need more information, please write to: iod@igoriatrade.com

Some pieces of information about your personal data processing at Igoria Trade S.A.

The information that is included in this document regards the Customers’ personal data to be processed by IGORIA TRADE S. A. with the seat in Warsaw at 111A Pulawska Street, apartment 109, 02-707 Warsaw (hereinafter Igoria Trade or the Payment Institution) in association with agreements concluded for providing payment services and some additional services. The information provided is compliant with the EU regulations regarding the personal data processing (General Data Protection Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – so called GDPR or RODO).

Irrespective of the laws binding the processing of personal data in accordance with the highest standards and respect as well as the Customers’ privacy are the priorities of the most importance for Igoria Trade S.A.

The controller and a possible contact point
The controller is Igoria Trade S.A.
A possible contact point at Igoria Trade: office@igoriatrade.com
A possible designated contact person for personal data issues: iod@igoriatrade.com

The aim of the personal data processing
The Customers’ personal data, including biometric data is processed in the purpose of: the execution of a Customer’s agreement; the fulfillment of any and all legal obligations that the controller is responsible for as well as to perform some issues for and on behalf of public interest (e.g. performing issues associated with security and/or defense, storing the files for the purpose of the supervisory authority’s request); the matters that come from the legitimate interests being performed by the Payment Institution (e.g. ownproducts direct marketing, claims securitization and claiming claims towards a Customer, claims securitization and claiming claims against a Customer and/or any third party); marketing matters that do not result from the legitimate interests that are pursued by the Payment Institution (e.g. any third parties’ products and services marketing, own-marketing not being a direct marketing).

Legal backgrounds for the personal data processing
Legal backgrounds for the personal data processing are as follows: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Article 6 of the said Regulation that statutes the general conditions of lawfulness of the personal data processing [Official Journal of the European Union L 119 of 4.5.2006]; Act of the Personal Data Protection of 10 May 2018 [a unified text – Journal of Laws of 2019 item 1781]; Act of the Payment Services of 19 August 2011 [a unified text – Journal of Laws of 2020 item 794]; Act of Anti-Money Laundering and Terrorist Financing of 1 March 2018 [a unified text – Journal of Laws of 2020 item 971]; a Customer’s consent – in the event that the Payment Institution is entitled or obliged to process the personal data under an explicit consent and that results from the prior mentioned legal acts and regulations.

Legitimate interests
In the event of the personal data processing under Article 6 paragraph 1 letter (f) of General Data Protection Regulation (when the personal data processing is necessary for the purposes of the legitimate interests pursued by the Payment Institution or by any third party), the Payment Institution informs a Customer that the legitimate interests pursued by the controller are as follows: own-products direct marketing, claims securitization and claiming claims towards a Customer as well as claims securitization and claiming claims against a Customer.

The personal data recipients
Accordingly to the definition of “recipient” that is placed in General Data Protection Regulation in Article 4 point (9) the Payment Institution informs a Customer that while processing his/her personal data may be disclosed to the following categories of recipients: a Customer and the persons granted by a Customer; the persons granted by the Payment Institution who are employed at the Payment Institution or at the companies that belong to the capital group of Igoria Trade; the entities that process the personal data for the interest and on behalf of the Payment Institution and the persons granted and employed at those entities (e.g. marketing performance provided by external providers, debt collection and claiming claims upon an external provider’s services basis); third parties – in the case of a Customer’s consent for the personal data transferring (e.g. in case of the personal data transferring in the purpose of marketing, in case of verifying a Customer’s reliability to be performed by the Commercial Information Office, in case of ordering a payment) or in the case the Payment Institution uses its lawful rights; public authorities that may request and/or may be delivered the personal data in other cases than within specific proceedings being carried out accordingly with the Union law or the Polish law.

Processing of the personal data in third countries
The Payment Institution does not transfer any personal data, including biometric data to any third countries (outside the European Economic Area) or to international organisations. In the case such an intention has occurred the Payment Institution will make its best efforts, if necessary, the personal data is transferred to any third country or any international organisation, such third country or such international organisation will be the one(s) the European Commission has confirmed an adequate level of data protection (accordingly to General Data Protection Regulation). In any other case the Payment Institution may be entitled to transfer the personal data to a third country or an international organisation only under the condition an adequate level of data protection has been ensured by that third country or by that international organisation and under the condition the rights of the persons the personal data regards have been protected as enforceably and lawfully effectively as mentioned in General Data Protection Regulation as well as a Customer has been respectfully informed with respect to a possibility a Customer to be delivered copies of the personal data, or a place the personal data have been disclosed.

Storage periods of the personal data
The personal data are stored:

  • in the case of the personal data collection, including biometric data in purpose of conclusion a Contract [legal background: Article 6 paragraph 1 letter (b) of GDPR or RODO]: as from the moment of the personal data is collected prior concluding a Contract or within concluding a Contract or within executing a Contract (in case of completing or updating the personal data within executing a Contract) up to a Contract is terminated or an Agreement is still executed following its termination (e.g. claim-handling);
  • in the case of the personal data collection in purpose of fulfilling the obligations that result from binding laws and regulations or that remain in connection with the performance of a task carried out in the public interest [legal background: Article 6 paragraph 1 letter (c) and (e)] within a period necessary to execute rights and tasks that may result from specific laws or regulations;
  • in the case of the personal data processing, including biometric data in purpose of the Payment Institution’s legitimate interests [legal background: Article 49 of Act of Anti-Money Laundering and Terrorist Financing of 1 March 2018 (Journal of Laws of 2020 971) and Article 75 of Act of Payment Services of 11 August 2011 (Journal of Laws of 2020 item 794) as well as Article 6 paragraph 1 letter (f) of GDPR or RODO] these data shall not be stored any longer than a period of six (6) years as from the moment a Contract is terminated or a relevant and reasonable objection has been submitted against the data processing in this purpose;
  • in the case of the personal data collection, including biometric data under a Customer’s consent [legal background: Article 6 paragraph 1 letter (a) or (f) of GDPR or RODO]: as from the moment a Customer’s consent has been given to process the data (as well within executing a contract) up to the moment an application of a consent withdrawal is fully processed, in case of a consent withdrawal or an objection has been noted;
  • apart from the abovementioned situations the personal data may be stored within a period of a limited data processing set up under a Customer’s application as well as on public authorities’ request – in the situations as provided in Article 18 and Article 58 of GDPR or RODO.

Each time the personal data are processed the Payment Institution follows the principles of limiting the aim(s), minimalizing the data provided and limiting the storage periods.

A customer’s rights related to the personal data processing
A Customer has the right to have an access to the personal data and its content, and to correct, delete and/or limit the processing. In addition a Customer has the right to submit an objection to processing his/her personal data as well as the right to transfer the data. Performance of the rights as mentioned in this paragraph complies with the provisions of General Data Protection Regulation (GDPR or RODO) – upon a basis of the definitions and mechanisms as stipulated in that General Regulation.

Without prejudice to the compliance of the data processing, in the case the Payment Institution processes the personal data under a Customer’s consent, then a Customer has a right to withdraw his/her consent for the data processing which was performed under a Customer’s relevant consent prior its withdrawal.

A Customer has the right to lodge a complaint with a supervisory authority under the principles as stipulated in General Data Protection Regulation, in particular Article 77 of that General Regulation. Since 25 May 2018 the supervisory authority in Poland in this respect has been the Polish Supervisory Authority [Urząd Ochrony Danych Osobowych].

The data categories. Requirement of providing the personal data. Lack of providing the personal data and its consequences.
The Payment Institution informs that providing the following data is a contractual requirement and the condition to conclude a contract at the same time: forename, surname, type of ID document, its serial number, PESEL, place of living, address for correspondence, facial images. Providing any other data such as: phone numbers, phone numbers for contact purposes, e-mail address is a contractual requirement. Providing all required data is voluntarily. The consequence of lack of providing the data is no possibility to conclude a Contract with the Payment Institution. The consequence of lack of providing the data that are not a condition to conclude a Contract is no possibility to use these data in purpose that is connected with the data collection (e.g. contact a Customer through these data aiming to execute a Contract, possibility of marketing offer delivering).

The remaining pieces of information/ statements
The Payment Institution informs a Customer that in purpose of charging the fees for Products and Services, bank inter-charging as well as under the principles as stipulated in the binding laws and regulations and in purpose of marketing payment services or providing payment services all the personal data are processed within a period of existing a Contract or a consent, and after termination of a Contract within a period of claiming claims, but no longer than the term of the limitation of claims or performing tasks or duties provided in the binding laws and regulations.

Final provisions
The principles described in this document have been applicable since 25 May 2018 – i.e. as from the date GDPR or RODO provisions have been in full force and effect.
While drafting the above pieces of information, on one hand, we attempted to deliver them as most specific and precise as possible (including accordingly with spefic notions and definitions as provided in GDPR or RODO provisions), and simple, clear and understandable, on the other hand. In purpose of constant complying and in association with often changing the provisions of the laws and regulations we restrict the right to permanent updating and improving a form and content of these pieces of information. We are aware of this material being extremaly extensive and therefore, just in any remarks, questions or doubts (in particular all those connected with the personal data processing in specific purposes and situations) we are kindly asking you to contact the Igoria Trade data protection inspector at iod@igoriatrade.com

A fully complete English wording of General Data Protection Regulation (GDPR or RODO) is available on the web page: https://eur-lex.europa.eu/eli/reg/2016/679/oj