ENTRUST US WITH YOUR CASE

Privacy policy

ENTRUST US WITH YOUR CASE

Effective Date: 31st January 2026

For the purposes of this Privacy Policy, “Website” shall mean the site kancelaria-skarbiec.pl and the following thematic domains operated by the Administrator (in alphabetical order):

  1. cit-estonski.info
  2. dyrektywa-dac7.pl
  3. ekstradycja.com.pl
  4. europejski-nakaz-zaplaty.pl
  5. fundacja-rodzinna.info.pl
  6. ksiegowosc-skarbiec.pl
  7. opodatkowanie-marynarzy.pl
  8. ostrzezenia-publiczne.pl
  9. podatek-minimalny.pl
  10. pranie-brudnych-pieniedzy.pl
  11. prawo-ai-legal.pl
  12. procesy-sadowe.pl
  13. rezydencja-podatkowa-malta.pl
  14. skarga-paulianska.com
  15. spolka-na-cyprze.pl
  16. testamenty.eu
  17. upadlosci.biz
  18. weksle.info
  19. windykacja-naleznosci.com
  20. wywiad-gospodarczy.pl
  21. zachowek.info.pl
  22. zagraniczne-jednostki-kontrolowane.pl
  23. zakladanie-spolek.pl
  24. zero-tax-entity-poland.com

PART I: DATA CONTROLLER

1. Identity of the Controller

The controller of personal data collected via the Website is:

KANCELARIA PRAWNA “SKARBIEC” PLUS ROBERT NOGACKI SPÓŁKA KOMANDYTOWA (a limited partnership organized under Polish law) ul. Maciejki 13, 02-181 Warsaw, Poland National Court Register (KRS): 0000536926 Tax Identification Number (NIP): 5223021912 Statistical Number (REGON): 360489309 Registered with the District Court for the Capital City of Warsaw, 13th Commercial Division Date of Registration: December 30, 2014

Contact for Data Protection Matters:

2. Scope of Processing Activities

  1. This Privacy Policy applies exclusively to personal data collected via the Website (contact forms, newsletter subscriptions, cookies, technical data).
  2. Personal data processed in connection with the provision of legal services (client representation, legal and tax advisory) is subject to separate rules arising from:
    • Individual client engagement agreements
    • Statutory provisions governing legal counsel professional secrecy
    • Anti-money laundering legislation
    • Other applicable special provisions
  3. Clients of the Firm receive separate notice regarding the processing of their personal data in connection with the provision of legal services.

PART II: LEGAL BASIS

3. Applicable Legal Framework

The Administrator processes personal data in compliance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”)
  • The Polish Act of May 10, 2018 on Personal Data Protection
  • The Polish Act of July 18, 2002 on Provision of Electronic Services
  • The Polish Act of July 12, 2024 — Electronic Communications Law

PART III: SCOPE AND SOURCES OF DATA

4. Categories of Personal Data Collected

Category Examples Source
Identification Data Name, surname, company name, position Forms, correspondence
Contact Data Email address, telephone number, mailing address Forms, correspondence
Technical Data IP address, browser type and version, operating system, device identifiers Automatic collection
Activity Data Pages visited, time spent on Website, traffic source, interactions Automatic collection (cookies)
Correspondence Data Message content, attachments, communication history Correspondence
Public Registry Data Data from National Court Register (KRS), Central Register of Business Activity (CEIDG), professional registers Public sources

5. Methods of Data Collection

  1. Directly from Users:
    • Completion of contact forms
    • Newsletter subscriptions
    • Email correspondence
    • Telephone contact
  2. Automatically:
    • Cookies and similar technologies
    • Server logs
    • Analytics tools
  3. From External Sources:
    • Public registries (KRS, CEIDG)
    • Publicly available sources (LinkedIn, corporate websites)
    • To the extent necessary for data verification or service provision

PART IV: PURPOSES AND LEGAL BASES FOR PROCESSING

6. Detailed Processing Purposes

Purpose Legal Basis Data Categories Retention Period
Responding to general inquiries (informational, without potential for claims) Art. 6(1)(f) GDPR — legitimate interest Identification, contact 1 year from last contact
Responding to inquiries regarding potential engagement Art. 6(1)(f) GDPR — legitimate interest Identification, contact, correspondence Until matter concluded + 3 years
Establishing professional engagement — pre-contractual phase Art. 6(1)(b) GDPR — steps taken at the request of the data subject prior to entering into a contract Identification, contact, correspondence Until contract execution or declination
Establishing professional engagement — following declination Art. 6(1)(f) GDPR — legitimate interest (defense of claims) Identification, contact, correspondence 3 years from declination
Provision of legal services Art. 6(1)(b) GDPR — performance of contract and Art. 6(1)(c) GDPR — legal obligation All categories necessary for service provision 10 years from the end of the calendar year in which the proceeding or matter concluded (Art. 5c of the Act on Legal Counsels)
Newsletter and marketing — active subscription Art. 6(1)(a) GDPR — consent Name, email address Until withdrawal of consent
Newsletter and marketing — archival following withdrawal of consent Art. 6(1)(f) GDPR — legitimate interest (defense of claims, demonstration of lawful processing) Name, email address, date and evidence of consent, date of withdrawal 3 years from withdrawal of consent
Analytics and statistics (cookieless) Art. 6(1)(f) GDPR — legitimate interest Technical, activity (anonymized) Up to 14 months
Analytics and statistics (utilizing tracking cookies) Art. 6(1)(a) GDPR — consent Technical, activity Up to 26 months or until withdrawal of consent
Website security — system logs Art. 6(1)(f) GDPR — legitimate interest Technical (IP address, access logs) Up to 12 months
Security — video surveillance of premises (if applicable) Art. 6(1)(f) GDPR — legitimate interest Image Up to 3 months, unless the recording constitutes evidence in proceedings — then until final disposition
Defense of claims — business activities Art. 6(1)(f) GDPR — legitimate interest All categories 3 years from the event potentially giving rise to a claim
Defense of claims — general claims Art. 6(1)(f) GDPR — legitimate interest All categories 6 years from the event potentially giving rise to a claim
AML obligations (anti-money laundering) Art. 6(1)(c) GDPR — legal obligation As required by AML legislation 5 years from termination of client relationship
Accounting and tax obligations Art. 6(1)(c) GDPR — legal obligation Data from invoices and accounting records 5 years from the end of the tax year in which the tax payment deadline fell
Employment records (if applicable) Art. 6(1)(c) GDPR — legal obligation Employee data 10 years from the end of the calendar year in which employment terminated (for employment relationships commenced after January 1, 2019)

7. Legitimate Interests

  1. Where processing is based on the legitimate interests of the Administrator (Article 6(1)(f) GDPR), such interests include, inter alia:
    • Conduct of business operations and response to inquiries
    • Marketing of the Firm’s own legal services to existing clients during the course of an engagement
    • Ensuring security of information systems (Recital 49 GDPR)
    • Pursuit and defense of legal claims (Recital 47 GDPR)
    • Conducting analyses to improve services (exclusively utilizing cookieless technology or with user consent)
  2. Prior to commencing processing based on legitimate interest, the Administrator conducts and documents a Legitimate Interest Assessment (LIA), comprising:
    • Purpose test — identification of a specific, legitimate interest
    • Necessity test — verification that processing is genuinely necessary to achieve the purpose
    • Balancing test — assessment whether the interests, rights, and freedoms of the data subject override the Administrator’s interest
  3. Documentation of balancing tests is retained in accordance with the accountability principle (Article 5(2) GDPR) and made available upon request by the supervisory authority.

PART V: DATA SHARING

8. Categories of Recipients

  1. The Administrator does not sell personal data.
  2. Data may be disclosed to the following categories of recipients:
Recipient Category Purpose Basis
IT service providers (hosting, servers) Storage and technical support Data processing agreement
Analytics tool providers Website traffic analysis Data processing agreement
Email marketing service providers Newsletter distribution Data processing agreement
Accounting firm Bookkeeping services Data processing agreement
Cooperating attorneys Provision of legal services Professional secrecy
Public authorities Compliance with legal obligations Statutory requirements

A list of entities processing data on behalf of the Administrator is available upon request.

9. Transfers Outside the EEA

  1. As a general rule, data is processed within the European Economic Area.
  2. Where services of providers outside the EEA are utilized (e.g., Google, Microsoft), transfers are conducted on the basis of:
    • European Commission adequacy decisions; or
    • EU standard contractual clauses; or
    • Binding corporate rules of the provider
  3. Copies of applicable safeguards are available upon request.

PART VI: DATA SUBJECT RIGHTS

10. Catalogue of Rights

Under the GDPR, the following rights are available:

Right Description Legal Basis
Access Obtain a copy of personal data and information about processing Art. 15 GDPR
Rectification Correct inaccurate or complete incomplete data Art. 16 GDPR
Erasure Request deletion of data (“right to be forgotten”) Art. 17 GDPR
Restriction Request restriction of processing Art. 18 GDPR
Portability Receive data in a structured format Art. 20 GDPR
Objection Object to processing based on legitimate interests, including profiling Art. 21 GDPR
Withdrawal of Consent Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal Art. 7(3) GDPR

10a. Right to Object — Detailed Information

  1. Where processing is based on legitimate interest (Article 6(1)(f) GDPR), you have the right to object to processing.
  2. An objection may be lodged on grounds relating to your particular situation.
  3. Upon receipt of an objection, the Administrator shall cease processing for the relevant purpose, unless the Administrator demonstrates:
    • Compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject; or
    • Grounds for the establishment, exercise, or defense of legal claims.
  4. Where personal data are processed for direct marketing purposes, you have the right to object at any time, without providing reasons. Upon receipt of such objection, the Administrator shall cease processing for such purposes without delay.

11. Exercise of Rights

  1. Channels for Submitting Requests:
  2. Procedure:
    • Acknowledgment of receipt: without undue delay
    • Substantive response: within one month (in complex cases, up to three months)
    • Identity verification: the Administrator may request additional information to confirm the identity of the requestor
  3. Costs:
    • Exercise of rights is free of charge
    • For manifestly unfounded or excessive requests: a reasonable fee may be charged or compliance may be refused

12. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with the supervisory authority:

President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) ul. Stawki 2, 00-193 Warsaw www.uodo.gov.pl

We encourage data subjects to contact us first—we will endeavor to address any concerns.

PART VII: AUTOMATED PROCESSING

13. Automated Decision-Making

  1. The Administrator does not engage in decision-making based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals.
  2. Analytics tools used on the Website serve solely for aggregate traffic analysis and are not used for individualized decision-making.

PART VIII: COOKIES

14. What Are Cookies

  1. Cookies are small text files stored on the User’s device when accessing the Website.
  2. Cookies may be set by the Website (first-party cookies) or by third-party services whose elements are embedded on the Website (third-party cookies).

15. Types of Cookies Used

Type Purpose Retention Period Consent Required Legal Basis
Strictly Necessary Proper functioning of the Website, security, cookie preferences Session / up to 12 months No Art. 6(1)(f) GDPR
Analytical (cookieless) Analysis of Website usage without user identification Up to 14 months No Art. 6(1)(f) GDPR
Analytical (with tracking cookies) Analysis of Website usage with user identification Up to 26 months Yes Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive
Functional Remembering user preferences (language, font size) Up to 12 months Yes Art. 6(1)(a) GDPR
Marketing Personalization of advertising content Up to 12 months Yes Art. 6(1)(a) GDPR

16. Cookie Management

  1. Preference Panel: Upon first visit, a banner is displayed permitting selection of cookie categories. Preferences may be modified at any time via the “Cookie Settings” link in the Website footer.
  2. Browser Settings: Users may also manage cookies through browser settings (acceptance, rejection, deletion of cookies).
  3. Consequences of Disabling: Disabling certain cookies may limit Website functionality.

17. Google Analytics

  1. The Website may use Google Analytics, an analytics service provided by Google LLC.
  2. Use of Google Analytics requires prior user consent, expressed via the cookie management panel. Without consent, Google Analytics cookies are not installed.
  3. Google Analytics uses cookies to analyze Website usage. Information generated by cookies is transmitted to and stored on Google servers in the United States.
  4. Safeguards:
    • IP anonymization (final octet of IP address is removed prior to storage)
    • No combination with other Google data
    • Execution of EU standard contractual clauses with Google
  5. Opt-Out: Users may block Google Analytics by installing the browser add-on available at: https://tools.google.com/dlpage/gaoptout
  6. Google Privacy Policy: https://policies.google.com/privacy
  7. Alternative: The Administrator may utilize cookieless analytics tools (e.g., Matomo without cookies) that do not require user consent and process only anonymized data.

PART IX: DATA SECURITY

18. Security Measures

The Administrator implements appropriate technical and organizational measures to protect personal data, including:

  1. Technical Safeguards:
    • Encryption of data transmission (SSL/TLS)
    • Firewalls and intrusion detection systems
    • Regular software updates
    • Data backups
    • Access controls
  2. Organizational Safeguards:
    • Information security policies
    • Staff training
    • Incident response procedures
    • Need-to-know access restrictions
    • Confidentiality agreements

19. Security Limitations

Notwithstanding the implementation of appropriate safeguards, transmission of data over the internet involves inherent risks. The Administrator cannot guarantee complete security of data transmitted online.

PART X: CHILDREN’S DATA

20. Protection of Minors

  1. The Website is not directed to persons under 16 years of age.
  2. The Administrator does not knowingly collect personal data from persons under 16.
  3. If the Administrator becomes aware that data of a child has been collected, such data will be deleted without undue delay.
  4. Parents or legal guardians who suspect that a child has provided personal data are requested to contact the Administrator.

PART XI: DATA RETENTION

21. Retention Periods

Data Category Standard Retention Period Legal Basis Notes
General inquiry data (informational) 1 year from last contact Legitimate interest Without potential for claims
Inquiry data regarding potential engagement 3 years from last contact or declination Legitimate interest Following balancing test
Client data — provision of legal services 10 years from the end of the calendar year in which the proceeding/matter concluded Art. 5c Act on Legal Counsels Mandatory period, not subject to reduction
Newsletter data — active subscription Until withdrawal of consent Consent Removal from mailing list within 30 days of withdrawal
Newsletter data — archival following withdrawal 3 years from withdrawal of consent Legitimate interest Defense of claims, demonstration of lawful processing
Server logs 12 months Legitimate interest For security purposes
Video surveillance of premises (if applicable) Up to 3 months Legitimate interest Longer only if recording constitutes evidence in proceedings
Analytical cookies (cookieless) Up to 14 months Legitimate interest Anonymized
Analytical cookies (tracking) Up to 26 months Consent Per Google policy
Accounting and tax records 5 years from end of tax year Legal obligation Tax Ordinance, Accounting Act
AML data 5 years from termination of relationship Legal obligation Anti-Money Laundering Act
Employment records 10 years from end of year of employment termination Legal obligation For employment from January 1, 2019

22. Deletion Principles

  1. Upon expiration of the retention period, data is deleted or anonymized.
  2. Data may be retained longer if:
    • Necessary for establishment, exercise, or defense of legal claims
    • Required by law
    • The User has consented

PART XII: AMENDMENTS TO PRIVACY POLICY

23. Updates

  1. The Administrator reserves the right to amend this Privacy Policy.
  2. Material amendments will be communicated via:
    • Notice on the Website
    • Email (for newsletter subscribers)
  3. Continued use of the Website following such amendments constitutes acceptance thereof.

PART XIII: ACCESSIBILITY

24. Accessibility Statement

  1. The Administrator strives to ensure accessibility of the Website for persons with disabilities, in accordance with WCAG 2.1 guidelines.
  2. Measures undertaken include:
    • Semantic HTML structure
    • Appropriate color contrast
    • Keyboard navigation capability
    • Alternative descriptions for graphical elements
  3. Users experiencing difficulty accessing Website content are invited to contact the Administrator—we will endeavor to provide information in an alternative format.
  4. Accessibility feedback may be directed to: Robert.nogacki@kancelaria-skarbiec.pl

PART XIV: CONTACT

25. Contact Information

General Inquiries: KANCELARIA PRAWNA “SKARBIEC” ul. Maciejki 13, 02-181 Warsaw, Poland Email: Robert.nogacki@kancelaria-skarbiec.pl

Data Protection Inquiries: Email: Robert.nogacki@kancelaria-skarbiec.pl

Address: ul. Maciejki 13, 02-181 Warsaw with notation “Data Protection”

Last Updated: 31st January 2026

© KANCELARIA PRAWNA “SKARBIEC” PLUS ROBERT NOGACKI SPÓŁKA KOMANDYTOWA. All Rights Reserved.

Topical publications

When May the Tax Authority Inspect Your Bank Account?
2026-02-12

When May the Tax Authority Inspect...

I. Introduction: The Tension Between Fiscal Efficiency and Financial Privacy Few questions in modern tax law are as structurally revealing…

read more
When the State Freezes Your Money
2026-02-12

When the State Freezes Your Money

Poland built an algorithm to catch tax cheats. It works—except when it doesn’t. On a Monday morning in Warsaw, a…

read more
Board Member Liability for Statute-Barred Tax Obligations of a Limited Liability Company
2026-02-12

Board Member Liability for Statute-Barred Tax...

For nearly five years, the tax authority pursued fruitless enforcement proceedings against a company’s assets — only to turn, belatedly,…

read more
See more publications