1. Legal Notice
Controller: Finoditax Spółka z ograniczoną odpowiedzialnością, ul. Kawia 23, 42-202 Częstochowa, Poland · NIP: 9492250781 · REGON: 520205981 · KRS: 0000927391 · e-mail: info@finoditax.com.
Legal basis: Regulation (EU) No 2016/679 (“GDPR”); Act of 10 May 2018 on the Protection of Personal Data; Accounting Act; Tax Ordinance; Telecommunications Law (art. 173–174); Labour Code; Civil Code.
Applicability: The Policy is binding for finoditax.com and subdomains: my.finoditax.com, billing.finoditax.com, support.finoditax.com, help.finoditax.com. In case of conflicts, the provision offering greater protection to the data subject prevails.
2. Preamble and Legal Bases
This Policy sets the rules for processing personal data at Finoditax, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure and destruction (art. 4(2) GDPR). Processing is carried out on lawful bases (art. 6), in line with principles (art. 5), with implementation of security measures (art. 32), records (art. 30), DPIA (art. 35–36), notifications (art. 33–34), transfer restrictions (Ch. V), as well as accountability (art. 5(2), 24).
3. Definitions (art. 4 GDPR)
Term | Definition |
---|---|
Personal data | Information relating to an identified or identifiable natural person (art. 4(1)). |
Processing | Any operation performed on data (art. 4(2)). |
Controller | Determines the purposes and means of processing (art. 4(7)). |
Processor | Processes on behalf of the controller (art. 4(8), 28). |
Joint controllers | Jointly determine purposes/means (art. 26). |
Data breach | An event causing loss of confidentiality/integrity/availability (art. 4(12)). |
DPIA | Data Protection Impact Assessment (art. 35). |
ROPA | Record of Processing Activities (art. 30). |
TOMs | Technical and organisational measures (art. 32). |
4. Principles and Lawfulness (art. 5–6)
- lawfulness, fairness, transparency;
- purpose limitation and data minimisation;
- accuracy and currency;
- storage limitation;
- integrity and confidentiality;
- controller accountability.
Bases: art. 6(1)(a–f); special categories — art. 9(2); automation — art. 22.
5. Scope and Subdomains
- finoditax.com — corporate website (content, forms, marketing, cookies).
- my.finoditax.com — client panel (accounts, reporting, document workflow).
- billing.finoditax.com — billing and payments (invoices, transactions).
- support.finoditax.com — support tickets, SLA, correspondence.
- help.finoditax.com — knowledge base, behavioural metrics.
Data flows between subdomains
Mutual transfer is on a need-to-know basis; cross-domain SSO is limited; TLS 1.3 encryption and logging are used. For cross-domain scenarios, a DPIA is performed and datasets are minimised.
6. Roles of Controller and Processor
Finoditax acts as controller of personal data of website users and clients; as processor when performing accounting/HR services on behalf of clients. In the latter case, a processing agreement (art. 28) applies, covering purposes, duration, data categories, TOMs, subprocessing, audit, and data return/erasure.
7. Data Categories and Classification
- Identification: first name, last name, company, NIP, REGON, KRS, PESEL, signature.
- Contact: address, e-mail, phone, correspondence address.
- Financial/Accounting: details, invoices, VAT/PIT/CIT, ZUS, reports.
- HR (clients’): contracts, salary, leave, sick leave, employee’s bank account.
- Technical: IP, cookies, user-agent, logs, tokens, connection parameters.
- Correspondence/Support: tickets, letters, call recordings (with notice).
- Marketing/Analytics: subscriptions, events, responses, identifiers.
8. Purpose–Legal Basis Matrix
Purpose | Data categories | Legal basis (GDPR) | Comment |
---|---|---|---|
Contract performance | identification, contact, accounting | art. 6(1)(b) | account creation, service delivery, client panel |
Legal obligations | accounting, tax, HR | art. 6(1)(c) | Accounting Act; Tax Ordinance; ZUS |
Legitimate interests | technical, correspondence | art. 6(1)(f) | security, support, evidence of communications |
Marketing | contact, analytics | art. 6(1)(a)/(f) | consent for cookies/newsletters |
Security | log data, IP, tokens | art. 6(1)(f), 32 | logging, IDS/IPS, incident investigations |
9. Data Sources and Legal Information (art. 13–14)
- directly from the data subject (forms, contracts, client panel);
- from Finoditax clients (under art. 28 processing for HR/accounting processes);
- public registers (KRS, CEIDG, GUS);
- government systems (ePUAP, PUE ZUS, KAS, e-Deklaracje);
- automatically — cookies, logs, SDKs, e-mail tags.
Information under art. 13 is provided at the time of collection; information under art. 14 is provided no later than 30 days after the data are obtained, at first contact with the data subject, or upon first disclosure to a recipient.
10. Retention Periods (extended table)
Category | Period | Basis |
---|---|---|
Accounting documents | 5 years after the reporting year | Accounting Act, art. 74 |
Tax records | 5 years after the tax year | Tax Ordinance, art. 70 §1 |
HR/payroll | 10 years | Labour Code |
Contracts and correspondence | 3 years after end of service | art. 6(1)(f), Civil Code |
Marketing | until withdrawal/max. 3 years | art. 6(1)(a)/(f) |
Security logs | up to 12 months | art. 6(1)(f) |
Backups | up to 90 days | art. 5(1)(e) |
Upon expiry, secure deletion or anonymisation applies; backups are destroyed in accordance with the retention policy.
11. Recipients, Processors and Sub-processors
- Public authorities: KAS, ZUS, Tax Office, courts (on legal grounds).
- IT providers (hosting, CDN, mail services), banks/payment operators, legal/audit firms.
- Analytics/marketing platforms — only with valid consent.
- Internal Finoditax recipients — on a least-privilege basis.
Art. 28(3) GDPR agreements provide for: subject/duration, purposes and nature, data/subject categories, TOMs, authorised subprocessing, assistance with data subject rights (art. 12–23), return/erasure, audit.
12. International Transfers (Ch. V GDPR, SCC/DPF)
Transfers to third countries are permitted where: an adequacy decision applies (art. 45), appropriate safeguards exist (SCCs — art. 46), or under derogations (art. 49). For the U.S., the provider’s participation in the EU–US Data Privacy Framework and/or SCCs is required, with data minimisation and cryptographic protection.
13. TOMs: Technical and Organisational Measures (art. 32)
- TLS 1.3 encryption in transit; AES-256 at rest; key management.
- Multi-factor authentication, RBAC, least-privilege principle.
- Activity logging (≥ 12 months), log integrity controls.
- IDS/IPS, antivirus, CSP; XSS/CSRF/SQLi protection; environment isolation.
- Backups (up to 90 days), regular restore tests.
- Staff training, NDAs, password policy, phishing simulations.
15. DSAR Procedures (data subject rights)
- Submitting a request: e-mail info@finoditax.com or post (ul. Kawia 23, 42-202 Częstochowa).
- Identity verification: clarification of data/contact methods.
- Response time: 30 days; extension up to 60 if complex (art. 12(3)).
- Form of provision: electronic/written, machine-readable (for portability).
- Refusal/limitation: where legal impediments exist, with notice and the right to complain to UODO.
Access: art. 15; rectification: art. 16; erasure: art. 17; restriction: art. 18; portability: art. 20; objection: art. 21; automation: art. 22 (not applied).
16. Incidents, 72-hour Notification, Register
- Logging and isolating the incident; assessing risk and scope.
- Notification to UODO ≤ 72 hours (art. 33); notifying data subjects where high risk (art. 34).
- Root-cause remediation, prevention, training, TOMs updates.
- Maintaining a breach register and reporting.
17. DPIA/ROPA and Accountability
Finoditax maintains a ROPA (art. 30), conducts DPIAs (art. 35) for high-risk processes (large-scale processing, cross-domain integrations, clients’ employee data), documents risks, measures and residual risk; consults UODO where necessary (art. 36). Accountability — art. 5(2), 24.
18. Changes, Conflicts, Priorities
A new version takes effect upon publication. In case of conflict, the provision ensuring greater protection of the data subject prevails. The invalidity of any provision does not affect the validity of the remainder (severability).
19. Contacts and Supervisory Authority
Finoditax Sp. z o.o. · ul. Kawia 23, 42-202 Częstochowa, Poland · NIP: 9492250781 · REGON: 520205981 · KRS: 0000927391 · e-mail: info@finoditax.com · finoditax.com
UODO — Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa · +48 22 531 03 00 · uodo.gov.pl