2. Preamble and Legal Bases

This Policy sets the rules for processing personal data at Finoditax, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure and destruction (art. 4(2) GDPR). Processing is carried out on lawful bases (art. 6), in line with principles (art. 5), with implementation of security measures (art. 32), records (art. 30), DPIA (art. 35–36), notifications (art. 33–34), transfer restrictions (Ch. V), as well as accountability (art. 5(2), 24).

3. Definitions (art. 4 GDPR)

Term | Definition
--- | ---
Personal data | Information relating to an identified or identifiable natural person (art. 4(1)).
Processing | Any operation performed on data (art. 4(2)).
Controller | Determines the purposes and means of processing (art. 4(7)).
Processor | Processes on behalf of the controller (art. 4(8), 28).
Joint controllers | Jointly determine purposes/means (art. 26).
Data breach | An event causing loss of confidentiality/integrity/availability (art. 4(12)).
DPIA | Data Protection Impact Assessment (art. 35).
ROPA | Record of Processing Activities (art. 30).
TOMs | Technical and organisational measures (art. 32).

4. Principles and Lawfulness (art. 5–6)

  • lawfulness, fairness, transparency;
  • purpose limitation and data minimisation;
  • accuracy and currency;
  • storage limitation;
  • integrity and confidentiality;
  • controller accountability.

Bases: art. 6(1)(a–f); special categories — art. 9(2); automation — art. 22.

5. Scope and Subdomains

  • finoditax.com — corporate website (content, forms, marketing, cookies).
  • my.finoditax.com — client panel (accounts, reporting, document workflow).
  • billing.finoditax.com — billing and payments (invoices, transactions).
  • support.finoditax.com — support tickets, SLA, correspondence.
  • help.finoditax.com — knowledge base, behavioural metrics.

Data flows between subdomains

Mutual transfer is on a need-to-know basis; cross-domain SSO is limited; TLS 1.3 encryption and logging are used. For cross-domain scenarios, a DPIA is performed and datasets are minimised.

6. Roles of Controller and Processor

Finoditax acts as controller of personal data of website users and clients; as processor when performing accounting/HR services on behalf of clients. In the latter case, a processing agreement (art. 28) applies, covering purposes, duration, data categories, TOMs, subprocessing, audit, and data return/erasure.

7. Data Categories and Classification

  • Identification: first name, last name, company, NIP, REGON, KRS, PESEL, signature.
  • Contact: address, e-mail, phone, correspondence address.
  • Financial/Accounting: details, invoices, VAT/PIT/CIT, ZUS, reports.
  • HR (clients’): contracts, salary, leave, sick leave, employee’s bank account.
  • Technical: IP, cookies, user-agent, logs, tokens, connection parameters.
  • Correspondence/Support: tickets, letters, call recordings (with notice).
  • Marketing/Analytics: subscriptions, events, responses, identifiers.

8. Purpose–Legal Basis Matrix

Purpose | Data categories | Legal basis (GDPR) | Comment
--- | --- | --- | ---
Contract performance | identification, contact, accounting | art. 6(1)(b) | account creation, service delivery, client panel
Legal obligations | accounting, tax, HR | art. 6(1)(c) | Accounting Act; Tax Ordinance; ZUS
Legitimate interests | technical, correspondence | art. 6(1)(f) | security, support, evidence of communications
Marketing | contact, analytics | art. 6(1)(a)/(f) | consent for cookies/newsletters
Security | log data, IP, tokens | art. 6(1)(f), 32 | logging, IDS/IPS, incident investigations

9. Data Sources and Legal Information (art. 13–14)

  • directly from the data subject (forms, contracts, client panel);
  • from Finoditax clients (under art. 28 processing for HR/accounting processes);
  • public registers (KRS, CEIDG, GUS);
  • government systems (ePUAP, PUE ZUS, KAS, e-Deklaracje);
  • automatically — cookies, logs, SDKs, e-mail tags.

Information under art. 13 is provided at the time of collection; under art. 14 — no later than 30 days or at first contact, or upon first disclosure to the recipient.

10. Retention Periods (extended table)

Category | Period | Basis
--- | --- | ---
Accounting documents | 5 years after the reporting year | Accounting Act, art. 74
Tax records | 5 years after the tax year | Tax Ordinance, art. 70 §1
HR/payroll | 10 years | Labour Code
Contracts and correspondence | 3 years after end of service | art. 6(1)(f), Civil Code
Marketing | until withdrawal/max. 3 years | art. 6(1)(a)/(f)
Security logs | up to 12 months | art. 6(1)(f)
Backups | up to 90 days | art. 5(1)(e)

Upon expiry, secure deletion/anonymisation applies; backups are destroyed per the retention policy.

11. Recipients, Processors and Sub-processors

  • Public authorities: KAS, ZUS, Tax Office, courts (on legal grounds).
  • IT providers (hosting, CDN, mail services), banks/payment operators, legal/audit firms.
  • Analytics/marketing platforms — only with valid consent.
  • Internal Finoditax recipients — on a least-privilege basis.

Art. 28(3) GDPR agreements provide for: subject/duration, purposes and nature, data/subject categories, TOMs, authorised subprocessing, assistance with data subject rights (art. 12–23), return/erasure, audit.

12. International Transfers (Ch. V GDPR, SCC/DPF)

Transfers to third countries are permitted where: an adequacy decision applies (art. 45), appropriate safeguards exist (SCCs — art. 46), or under derogations (art. 49). For the U.S., the provider’s participation in the EU–US Data Privacy Framework and/or SCCs is required, with data minimisation and cryptographic protection.

13. TOMs: Technical and Organisational Measures (art. 32)

  • TLS 1.3 encryption in transit; AES-256 at rest; key management.
  • Multi-factor authentication, RBAC, least-privilege principle.
  • Activity logging (≥ 12 months), log integrity controls.
  • IDS/IPS, antivirus, CSP; XSS/CSRF/SQLi protection; environment isolation.
  • Backups (up to 90 days), regular restore tests.
  • Staff training, NDAs, password policy, phishing simulations.

14. Cookies, Analytics and Marketing — extended table

Consent for cookies is requested via a banner (art. 173–174 Telecommunications Law). Category management is available in “Cookie settings”.

Category | Purpose | Examples | Period | Basis
--- | --- | --- | --- | ---
Necessary | sessions, security, authorisation | session_id, XSRF-TOKEN | session | art. 6(1)(b)/(f)
Functional | UI preferences | ui_theme, locale | up to 12 months | art. 6(1)(f)
Analytics | metrics, conversions | _ga, _ga_*, _gid | up to 24 months | art. 6(1)(a)
Marketing | remarketing, ad effectiveness | _fbp, _gcl_au | up to 180 days | art. 6(1)(a)

15. DSAR Procedures (data subject rights)

  1. Submitting a request: e-mail info@finoditax.com or post (ul. Kawia 23, 42-202 Częstochowa).
  2. Identity verification: clarification of data/contact methods.
  3. Response time: 30 days; extension up to 60 if complex (art. 12(3)).
  4. Form of provision: electronic/written, machine-readable (for portability).
  5. Refusal/limitation: where legal impediments exist, with notice and the right to complain to UODO.

Access: art. 15; rectification: art. 16; erasure: art. 17; restriction: art. 18; portability: art. 20; objection: art. 21; automation: art. 22 (not applied).

16. Incidents, 72-hour Notification, Register

  • Logging and isolating the incident; assessing risk and scope.
  • Notification to UODO ≤ 72 hours (art. 33); notifying data subjects where high risk (art. 34).
  • Root-cause remediation, prevention, training, TOMs updates.
  • Maintaining a breach register and reporting.

17. DPIA/ROPA and Accountability

Finoditax maintains a ROPA (art. 30), conducts DPIAs (art. 35) for high-risk processes (large-scale processing, cross-domain integrations, clients’ employee data), documents risks, measures and residual risk; consults UODO where necessary (art. 36). Accountability — art. 5(2), 24.

18. Changes, Conflicts, Priorities

A new version takes effect upon publication. In case of conflict, the provision ensuring greater protection of the data subject prevails. The invalidity of any provision does not affect the validity of the remainder (severability).

19. Contacts and Supervisory Authority

Finoditax Sp. z o.o. · ul. Kawia 23, 42-202 Częstochowa, Poland · NIP: 9492250781 · REGON: 520205981 · KRS: 0000927391 · e-mail: info@finoditax.com · finoditax.com

UODO — Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa · +48 22 531 03 00 · uodo.gov.pl