Information clause PEP, RCA, SL

INFORMATION CLAUSE

FOR POLITICALLY EXPOSED PERSONS (“PEP”), PERSONS ON SANCTION LISTS (“SL”), CLOSE ASSOCIATES OF POLITICALLY EXPOSED PERSONS

 

Pursuant to Article 14(1)-(2) and (5)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p. 1), hereinafter the GDPR, we present the information below, intended for politically exposed persons (“PEPs”), persons on sanction lists (“SLs”), and close associates of PEPs, from which you will learn in particular about:

  • the principles of collection, storage and use of your personal data;
  • purposes and legal grounds for processing your personal data;
  • your rights related to the processing of your personal data.

The concepts of politically exposed person (“PEP”), sanction list (“SL”), and close associate of a PEP are further defined in the Polish Law on Anti-Money Laundering and Terrorist Financing dated March 1, 2018 – hereinafter the AML Act.


Data Controller

The controller of your personal data is “Incaso Group” sp. z o. o. with its registered office in Koszalin (75-452), Jana Pawła II Street No. 20/70, Poland (the “Data Controller”), which can be contacted by e-mail at rodo@iaml.com.pl, by telephone at (+48) 22 100 36 93 or in writing at the address of the Data Controller’s registered office indicated above.

 

Data Protection Officer contact information

The Data Controller has appointed a Data Protection Officer. The Data Protection Officer can be contacted by e-mail at rodo@iaml.com.pl, by phone at (+48) 22 100 36 93 or in writing at the Data Controller’s registered office address indicated above, marked “Personal Data Protection Inspector”.

 

Basis for processing personal data and purpose of processing

Your personal data is processed so that the Data Controller can create and make available, for a fee, to its clients, in particular obligated institutions within the meaning of the AML Act, products that assist these entities in fulfilling their legal obligations, in particular those under the AML Act, consisting in the identification of PEPs, close associates of politically exposed persons and persons appearing on sanction lists (Article 6(1)(f) of the GDPR). The legitimate interest of the Data Controller (commercial purpose) is supported by the Data Controller’s entitlement to re-use (secondary use) public sector information, as stated in the Law on Open Data and Re-use of Public Sector Information of August 11, 2021, or, depending on the applicable legislation, in the relevant legislation implementing Directive (EU) 2019/1024 of the European Parliament and of the Council of June 20, 2019 on open data and re-use of public sector information. Once your personal data is removed from our products, it will be retained by the Data Controller for the purpose of defending against possible claims, which is the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR).

 

Categories of personal data processed

The Data Controller processes the following categories of your personal data:

  • identification data (first and last name, PESEL number, date and place of birth – the last three only if the Data Controller obtained them from publicly available and official sources);
  • data on function held (official position, designation of function held, place of function/position held);
  • data on place of origin, nationality, citizenship, gender.

In the case of individual fulfillment of the obligation to provide information, the Data Controller, for the purpose of defense against claims, keeps information about your contact data, through which the obligation to provide information was fulfilled (i.e., the e-mail address used in connection with your function or residential address – only if the Data Controller obtained it from publicly available and official sources). Contact data are not processed in the products of the Data Controller.

 

Source of data acquisition:

The Data Controller obtained your personal data only from publicly available sources, in particular:

  • subject pages of the Public Information Bulletin,
  • the central repository of public information referred to in Article 9a of the Act of September 6, 2001 on access to public information,
  • National Court Register,
  • Court and Economic Monitor,
  • Register of political parties,
  • other websites.

In the case of individuals on sanction lists (“SL”), your personal information was taken from publicly available sanction lists.

 

Recipients of personal data

Your personal data may be transferred to the following categories of recipients:

  • recipients of the Data Controller’s products and services, in particular obligated institutions as defined in the AML Act,
  • service providers who supply the Data Controller with technical and organizational solutions enabling the management of the Data Controller’s organization, including entities operating ICT systems or providing ICT tools for the Data Controller (in particular, ICT service providers),
  • co-workers and employees of the Data Controller,
  • other entities and authorities to which the Data Controller is obliged or authorized to make personal data available on the basis of generally applicable laws.

 

Transfer of data to third countries or international organizations 

The Data Controller does not transfer your personal data to third countries or international organizations.

 

Duration of storage of personal data

In the case of Politically Exposed Persons (“PEPs”) and close associates of PEPs – your personal data will be processed in the products of the Data Controller for the time you are considered a Politically Exposed Person (“PEP”) or a close associate of a PEP, and thereafter for the period of time for which higher risk measures are mandated by law. Personal data of persons on sanction lists (“SL”) will be processed for the duration of such persons’ inclusion on sanction lists. Once the personal data of the above individuals is removed from the Data Controller’s products, your personal data will be kept for the period of the statute of limitations for claims, if the processing of personal data is necessary to defend against such claims.

 

Data protection rights

In accordance with applicable laws, you have the following rights:

  1. the right to access your data and receive a copy of it (Article 15 GDPR);
  2. the right to rectify (amend) your data (Article 16 GDPR);
  3. the right to erasure (Article 17 GDPR);
  4. the right to restrict data processing (Article 18 GDPR);
  5. the right to data portability (Article 20 GDPR);
  6. the right to lodge a complaint with the President of the Office for Personal Data Protection (2 Stawki Street, 00-193 Warsaw) if you consider that the Data Controller is processing your personal data unlawfully; detailed contact information is available on the Office’s website www.uodo.gov.pl.

 

Right to object

You have the right to object to the processing of your personal data for reasons related to your particular situation (Article 21.1, 4-5 GDPR). When lodging an objection, you should indicate the particular situation which, in your opinion, justifies the discontinuation of processing of personal data covered by the objection by the Data Controller. The Data Controller will cease processing your personal data for the purposes specified above, unless you demonstrate that there are valid legitimate grounds for the processing that override your rights and freedoms, or that your data are necessary for the Data Controller to establish, assert or defend claims.

We encourage you to familiarize yourself with the rights described above.

 

Automated decision-making, profiling

Your personal data is subject to ordinary profiling (i.e., profiling involving the human factor), which consists of analyzing whether you meet the prerequisites for recognition as a politically exposed person (“PEP”) or a close associate of a politically exposed person (“PEP”); this analysis is performed on the basis of publicly available data.

A consequence of profiling may be that you are recognized as a politically exposed person (“PEP”) or a close associate of a politically exposed person (“PEP”) by obligated institutions within the meaning of the AML Act, which are recipients of the Data Controller’s products and services.

The Data Controller does not use your data as part of an automated decision-making system.