Privacy Policy

„PKF BPO Sadowska-Malczewska Sp. k.” with its registered office in Warsaw

1. Definitions 

1.1.  Controller PKF BPO Sadowska – Malczewska sp. k. with its registered office in Warsaw, address: ul. Orzycka 6/1B, 02-695 Warsaw, entered into the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under number 0000593842, Tax Identification Number (NIP): 7541013035, National Business Registry Number (REGON): 00823260300000, hereinafter also referred to as “PKF BPO Sadowska – Malczewska”.

1.2. Personal Data – information concerning an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, including the IP address of a device, location data, an online identifier, and information collected through cookies or similar technologies.

1.3. Policy – the Privacy Policy

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Website – the website operated by the Controller and available at https://pkfbpo.pl.

1.6.User – any natural person visiting the Website or using one or more services or functionalities of the Website as described in this Policy.

2. Processing of Data by the Controller

2.1. In connection with the User’s use of the Website, the Controller collects data to the extent necessary for the provision of electronic services, as well as information regarding the User’s activity within the Website. The detailed rules and purposes of processing Personal Data collected in the course of the User’s use of the Website are described below.

3. Purposes and Legal Grounds for Data Processing by the Controller

USE OF THE WEBSITE

3.1. Personal Data of all individuals using the Website (including IP addresses or other identifiers, as well as information collected through cookies or similar technologies) are processed by the Controller for the following purposes:

  1. Provision of electronic services in the scope of making available to Users the content collected on the Website – the legal basis for the processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
  2. Establishment, exercise, or defence of legal claims by the Controller – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its economic interests.

3.2. Personal Data of Users may also be processed for the marketing purposes of the Controller – the principles of processing Personal Data for marketing purposes are described in the MARKETING section.

CONTACT FORMS

3.3. The Controller provides the possibility to contact it through electronic contact forms. Using such a form requires the provision of Personal Data necessary to establish contact with the User and to respond to the inquiry. The User may also provide additional data to facilitate communication or the handling of the inquiry. Providing data marked as mandatory is required in order to accept and process the inquiry; failure to provide such data will result in the inability to process it. Providing other data is voluntary.

3.4. Personal Data of Users using the “Contact Us” forms are processed for the following purposes:

  1. To identify the sender and handle the inquiry submitted via the provided form – the legal basis for the processing is the necessity of processing for the performance of a contract for the provision of a service or to take steps prior to entering into such a contract (Article 6(1)(b) of the GDPR); for data provided voluntarily, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
  2. To respond to the inquiry – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in responding to inquiries related to its business activity;
  3. To establish, pursue, or defend against claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.

3.5. Personal Data of Users using the “Order the Service” forms are processed for the following purposes:

  1. To take steps aimed at concluding and performing a service agreement – the legal basis for the processing is the legitimate interest of the Controller and the contractual party (Article 6(1)(f) of the GDPR), consisting in ensuring the reliable identification of the counterparty and its representatives;
  2. For accounting and bookkeeping purposes – the legal basis for the processing is the necessity to comply with legal obligations imposed on the Controller (Article 6(1)(c) of the GDPR) arising from tax and accounting regulations;
  3. To establish, pursue, or defend against potential claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its economic interests.

NEWSLETTER

3.6. The Controller is a member of the PKF Polska Group. The internal organizational structure of the Group provides that all activities related to the development, implementation, and execution of the PKF Group’s marketing strategy, including the presentation of services offered by the Group’s companies, are carried out by PKF Consult Sp. z o.o. Sp. k., which, for this purpose, prepares and distributes a newsletter covering the services of all entities within the PKF Polska Group.

3.7. Within the Website, the User may express the intention to subscribe to the aforementioned newsletter.
In such a case, the Personal Data provided by the User via the newsletter subscription form will be processed by PKF Consult Sp. z o.o. Sp. k., with its registered office in Warsaw (02-695), ul. Orzycka 6, unit 1B, for the purpose of marketing communication promoting services offered by PKF Consult Sp. z o.o. Sp. k. as well as other entities belonging to the PKF Consult Group. The communication may also include legal alerts, publications, press releases, and information about events and conferences organized by the Group. The legal basis for processing is the legitimate interest of the Controller pursuant to Article 6(1)(f) of the GDPR. The legitimate interest of PKF Consult Sp. z o.o. Sp. k. consists in sending electronic marketing communications in connection with the consent expressed by the User. Providing such data is necessary for the purpose of newsletter delivery; failure to provide them will result in the inability to receive the newsletter.

SOCIAL MEDIA PLATFORMS

3.8. The Controller processes Personal Data of Users who visit the Controller’s profiles on social media platforms (Facebook, Instagram, LinkedIn, YouTube). These data are processed solely in connection with the operation of the profiles, including for the purpose of informing Users about the Controller’s activities, promoting various events, services, and products, as well as for analytical and statistical purposes. The legal basis for the processing of Personal Data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in the promotion of its own brand.

3.9. The above information does not concern the processing of data by the administrators of the social media platforms (Facebook, Instagram, LinkedIn, YouTube). Detailed information on the purposes and scope of data collection by these platforms can be found at the links below:

  1. Facebook: https://www.facebook.com/privacy/policy/?locale=pl_PL;
  2. Instagram: https://privacycenter.instagram.com/policy/?locale=pl_PL;
  3. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL;
  4. YouTube: https://policies.google.com/privacy?hl=pl.

4. Cookies and Similar Technologies

4.1. Cookies are small text files installed on the User’s device while browsing the Website. Cookies collect information that facilitates the use of the website — for example, by remembering the User’s visits and actions performed within the Website.

4.2. The Controller of the data processed in connection with the use of cookies is PKF BPO Sadowska – Malczewska sp. k., with its registered office in Warsaw, address: ul. Orzycka 6/1B, 02-695 Warsaw. The Website uses both first-party cookies, which are installed directly by the Website, and third-party cookies, originating from a domain other than that of the visited website — primarily for the Controller’s analytical and advertising purposes.

4.3. The Website uses cookies primarily to ensure its proper functioning and to remember the User’s preferences on the site — and, upon the User’s consent, also to analyze and monitor traffic within the Website and to tailor advertising content to the User’s interests. Based on the consent obtained from the User, the Website may also install cookies that enable the use of social media functionalities.

4.4. Below are detailed explanations regarding the types of cookies used by the Controller on the Website. The Controller regularly uses scanning tools to identify which cookies are stored on the User’s device, in order to keep the list of applied cookies as accurate as possible. The Controller uses the following categories of cookies: necessary cookies, functional cookies, analytical cookies, advertising cookies, and social media cookies.

NECESSARY COOKIES

4.5. The use of necessary cookies by the Controller is essential for the proper functioning of the Website. These cookies are installed in particular for the purposes of remembering login sessions, filling out forms, and setting privacy preferences. Their installation does not require the User’s consent.

4.6. The legal basis for processing data in connection with the use of necessary cookies is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR).

4.7. If the User wishes to obtain more detailed information about the cookies in this category — including the names of specific cookies, their functions, duration, and source — they may click the “CO” icon located in the lower-left corner of the Website. Once the cookie banner appears, the User should select the “Details” tab and then expand the “Necessary” section.

PREFERENCE AND STATISTICAL COOKIES

4.8. Preference cookies are used to remember and adapt the Website to the User’s choices, including language preferences. Such cookies may be installed by the Controller and its partners through the Website.

4.9. Statistical cookies make it possible to collect information such as the number of visits and traffic sources on the Website. They are used to determine which pages are more or less popular and to understand how Users navigate the Website by compiling statistics on site traffic. The data are processed for the purpose of improving the Website’s performance. The information collected by these cookies is aggregated and therefore not intended to identify the User. Statistical cookies may be installed by the Controller and its partners through the Website.

4.10. The legal basis for processing data in connection with the use of preference and statistical cookies by the Controller is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in ensuring the highest quality of services provided through the Website, in connection with the User’s consent to the storage of such cookies (given separately for analytical cookies and functional cookies).

4.11. The processing of data related to the use of preference and statistical cookies is conditional upon obtaining the User’s consent through the cookie consent management platform — separately for each cookie category. This consent may be withdrawn at any time through the same platform.

4.12. If the User wishes to obtain more detailed information about the cookies in these categories — such as the names of individual cookies, their functions, duration, and origin — they may click the “CO” icon located in the lower-left corner of the Website. Once the cookie banner appears, the User should select the “Details” tab and then expand the “Preferences” or “Statistics” section.

MARKETING COOKIES

4.13. Marketing cookies make it possible to tailor displayed advertising content to the interests of Users both within and outside the Website. Based on the information gathered from these cookies and the User’s activity on other websites, an interest profile of the User is created. Advertising cookies may be installed by the Controller and its partners through the Website.

4.14. The legal basis for the processing of data in connection with the use of marketing cookies by the Controller is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in promoting the Controller’s brand and informing about its current offer, including by directing marketing information to Website Users that corresponds to their interests — provided that the User has given consent to the storage of marketing cookies.

4.15. The processing of data related to the use of marketing cookies is permitted only after the User’s consent has been obtained through the cookie consent management platform. This consent may be withdrawn at any time via the same platform.

4.16. If the User wishes to obtain more detailed information regarding the cookies in this category — such as the names of specific cookies, their functions, duration, and source — they may click the “CO” icon located in the lower-left corner of the Website. Once the cookie banner appears, the User should select the “Details” tab and then expand the “Marketing” section.

5. Analytical and Marketing Tools Used by the Controller and the Controller’s Partners

5.1. To better understand how the Website operates, the Controller cooperates with providers of analytical and marketing tools and services, such as:

  1. Google Analytics - detailed information on the scope and rules of data collection related to this service can be found at: https://policies.google.com/technologies/partner-sites?hl=pl;
  2. Google Search Console - detailed information on the scope and rules of data collection related to this service can be found at: https://policies.google.com/privacy;
  3. Microsoft Clarity - detailed information on the scope and rules of data collection related to this service can be found at: https://clarity.microsoft.com/terms.

SOCIAL MEDIA PLUGINS

5.2. The Controller uses plugins on the Website that allow Users to interact with the Controller’s content published on its social media profiles (so-called social media plugins for Facebook, Instagram, LinkedIn, and YouTube). Through these plugins, the User can easily react to content published on the Website or on the Controller’s profiles on the aforementioned social media platforms, or share such content within those platforms. In connection with the use of these plugins on the Website, the User’s Personal Data are transferred to the aforementioned social media platforms to the extent that includes information regarding the User’s use of the Website. This may enable the platforms to link such information with the Personal Data contained in the User’s profile on the respective social media platform. The Controller is not responsible for determining the purposes and scope of data collection by these social media platforms. Detailed information on this subject can be found at the following links:

  1. Facebook: https://www.facebook.com/privacy/policy/?locale=pl_PL;
  2. Instagram: https://privacycenter.instagram.com/policy/?locale=pl_PL;
  3. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL;
  4. YouTube: https://policies.google.com/privacy?hl=pl.

LINKEDIN PLUGIN

5.3. The LinkedIn plugin is a tool that enables Users of the Website to access and view content available on LinkedIn pages. The tool may display information available on LinkedIn, search fields redirecting to content hosted on LinkedIn.com, LinkedIn advertisements, or third-party product advertisements. Additionally, through this tool, LinkedIn may collect data for the purposes of analyzing and tracking User activity within the Website or determining User preferences. Detailed information on the scope and principles of data collection related to this service can be found at the following link: 
https://www.linkedin.com/legal/privacy-policy?_l=pl_PL. 

6. Managing Cookie Settings

6.1. The use of cookies for the purpose of collecting data, including accessing information stored on the User’s device, requires the User’s consent. On the Website, the Controller obtains such consent from the User through a cookie consent management platform. This consent may be withdrawn at any time under the rules described in point 6.4 below.

6.2. Consent is not required only for cookies that are necessary for the provision of a telecommunications service (data transmission required to display content). The User cannot disable these cookies if they wish to use the Website.

6.3. In order to receive advertising tailored to the User’s preferences, in addition to providing consent for the installation of cookies through the consent management platform, it is also necessary to maintain appropriate browser settings that allow the storage of cookies from the Website on the User’s device.

6.4. The withdrawal of consent for the collection of cookies on the Website is possible through the cookie consent management platform. The User may return to the cookie banner by clicking the “CO” icon located in the lower-left corner of the Website.

6.5. Once the banner is displayed, the User may withdraw consent by clicking the “WITHDRAW CONSENT” button — in which case all previously granted consents will be revoked — or by clicking “CHANGE YOUR CONSENT”, selecting the “Details” tab, and sliding the toggle to the left for selected or all cookie categories.

6.6. The User may also withdraw consent by changing their browser settings. Detailed information on how to do so can be found at the following links:

  1. Microsoft Edge: https://support.microsoft.com/pl-pl/windows/zarz%C4%85dzanie-plikami-cookie-w-przegl%C4%85darce-microsoft-edge-wy%C5%9Bwietlanie-zezwalanie-blokowanie-usuwanie-i-u%C5%BCywanie-168dab11-0753-043d-7c16-ede5947fc64d;
  2. Mozilla Firefox: https://support.mozilla.org/pl/kb/ciasteczka;
  3. Google Chrome: https://support.google.com/chrome/answer/95647?hl=pl;
  4. Opera: https://help.opera.com/en/latest/web-preferences/#cookies;
  5. Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac.

6.7. The User may verify the status of their current privacy settings for the browser they are using at any time by means of the tools available at the following links:

  1. http://www.youronlinechoices.com/pl/twojewybory
  2. http://optout.aboutads.info/?c=2&lang=EN.

6.8. To exercise the rights of access, rectification, erasure, restriction, portability, objection to the processing of personal data, to lodge a complaint, or to submit any other inquiry regarding cookies, the User should send a request to the following email address: biurobpo@pkfpolska.pl, or use other contact details of the Controller provided in this Privacy Policy.

7. Period of Personal Data Processing

7.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a general rule, data are processed for the duration of the service, until the withdrawal of consent, or until a valid objection to the processing is raised in cases where the legal basis for processing is the Controller’s legitimate interest.

7.2. The processing period may be extended if processing is necessary for the establishment, exercise, or defence of legal claims by the Controller, and thereafter only for the period required by applicable law. After the expiry of the processing period, the data are irreversibly deleted or anonymized.

8. Rights Related to the Processing of Personal Data

RIGHTS OF DATA SUBJECTS

8.1. The User has the right to request access to their personal data, their rectification, erasure, or restriction of processing, the right to object to the processing of their personal data, the right to data portability, as well as the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

8.2. To the extent that the User’s data are processed based on consent (i.e., when optional data are provided in the contact form), the User may withdraw such consent at any time, in accordance with the provisions of the “CONTACT FORM” section above. The withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

8.3. The User has the right to object to the processing of personal data in cases where:

  1. the processing of personal data is based on the legitimate interest of the Controller or for statistical purposes, and the objection is justified by the User’s particular situation, or
  2. the personal data are processed for the purposes of direct marketing, to the extent that the processing is related to such direct marketing.

9. Submitting Requests Related to the Exercise of Rights

9.1. A request concerning the exercise of the rights of data subjects may be submitted:

  1. in writing, to the postal address of the Controller;
  2. by electronic means, to the following email address: biurobpo@pkfpolska.pl.

10. Data Recipients

10.1. In connection with the provision of services, Personal Data may be disclosed to external entities providing services to the Controller, in particular to suppliers responsible for the operation and maintenance of IT systems, as well as to entities affiliated with the Controller, including companies belonging to its capital group.

10.2. The Controller reserves the right to disclose selected information concerning the User to competent authorities or third parties that request such information, provided that the request is based on an appropriate legal basis and made in accordance with the provisions of applicable law.

11. Transfer of Data Outside the EEA

11.1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that guaranteed under European law. For this reason, the Controller transfers Personal Data outside the EEA only when it is necessary and with the assurance of an appropriate level of protection, primarily by means of:

  1. cooperation with entities processing Personal Data in countries for which the European Commission has issued a decision confirming an adequate level of data protection;
  2. application of standard contractual clauses issued by the European Commission;
  3. application of binding corporate rules approved by the competent supervisory authority.

11.2. The Controller always informs data subjects of its intention to transfer Personal Data outside the EEA at the stage of data collection.

12. Security of Personal Data

12.1. The Controller continuously conducts risk analyses to ensure that Personal Data are processed securely — in particular, to guarantee that access to the data is granted only to authorized persons and only to the extent necessary for the performance of their duties. The Controller ensures that all operations involving Personal Data are properly logged and performed solely by authorized employees and associates.

12.2. The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also provide adequate guarantees of applying appropriate security measures whenever they process Personal Data on behalf of the Controller.

13. Contact Details

13.1. The Controller may be contacted by sending an email to biurobpo@pkfpolska.pl, by post to the Controller’s correspondence address (ul. Orzycka 6/1B, 02-695 Warsaw), or via the contact form available in the “Contact” section of the Website.

13.2. The Controller has appointed a Data Protection Officer (DPO), who can be contacted by email at iod.bpo@pkfpolska.pl or in writing at the Controller’s registered office address, in any matter relating to the processing of Personal Data.

14. Amendments to the Privacy Policy

14.1. This Policy is subject to ongoing review and is updated whenever necessary.

14.2. The current version of the Policy was adopted and has been in effect since 2025.