GENERAL INFORMATION CLAUSE

Spoco Sp. z o.o.

GENERAL INFORMATION CLAUSE

​

Acting on behalf of Spoco Sp. z o.o., with its registered office at ul. Stępińska 45/6, 00-739 Warsaw, NIP: 5213797137, REGON: 3684649410, KRS: 0000698036, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1) (hereinafter: "GDPR"), we hereby inform you that:

​

I. Data Controller
The controller of personal data, deciding on the purposes and means of processing, is:
Spoco Sp. z o.o., with its registered office at ul. Stępińska 45/6, 00-739 Warsaw, NIP: 5213797137, REGON: 3684649410, KRS: 0000698036.The Data Controller can be contacted by traditional mail or by email at: hello@spoco.co

​

II. Data Protection Officer (DPO)
To ensure an appropriate level of protection for personal data, the Controller has appointed a Data Protection Officer who can be contacted via email: iod@spoco.co or by traditional mail to the Controller’s registered address.

​

III. Collection, Processing, and Use of Personal Data
We process personal data for the following purposes and on the following legal bases:
• to conclude and perform individual contracts, including the settlement of cooperation between the parties (legal basis – Article 6(1)(b) GDPR – “performance of a contract”),
• to fulfill legal obligations arising from applicable laws, in particular tax regulations (Tax Ordinance, VAT Act, Accounting Act) (legal basis – Article 6(1)(c) GDPR – “legal obligation”),
• to pursue potential claims and defend the rights of the Controller, respond to inquiries addressed to the Controller, contact requests, present offers, and conduct traditional marketing of own services during the term of the agreement (legal basis – Article 6(1)(f) GDPR – “legitimate interest of the Controller” as stated above),
• to fulfill obligations under GDPR, such as exercising data subjects' rights who have objected or withdrawn consent, and creating necessary registers or records (Article 6(1)(c) GDPR – legal obligation, and Article 6(1)(f) GDPR – legitimate interest of the Controller, i.e. having knowledge of individuals who have exercised the rights granted to them).

The provided personal data are processed for the period necessary to fulfill the purposes described above. Depending on the legal basis, this will be:
• the duration of the cooperation between the parties and final settlement,
• the duration of legal obligations as specified by applicable law determining data retention periods (e.g., Article 70 of the Tax Ordinance),
• the period until potential claims based on the legal grounds for processing expire (e.g., Article 118 of the Civil Code).

IV. Sharing Personal Data with Third Parties

1. With due regard for data security, we may transfer personal data to other entities, including:
   a) entities entrusted with data processing, such as providers of technical services and those offering advisory, hosting, payroll, and accounting services, on the basis of a data processing agreement compliant with GDPR,
   b) other data controllers, such as the Polish postal service, with appropriate data sharing safeguards in place.

2. We also inform you that data will not be transferred outside the European Economic Area, except in cases of the transnational nature of data flows where such transfer is based on Chapter V of the GDPR, e.g., standard contractual clauses, binding corporate rules, or European Commission adequacy decisions – for example, under the EU-US Data Privacy Framework when using services from trusted monopoly providers (e.g., Microsoft, Apple).

​

V. Data Security
To ensure data confidentiality, the Controller has implemented procedures and organizational and technical measures to allow data access only to authorized persons processing them as part of their duties. Necessary steps are taken to ensure that subcontractors and cooperating entities provide guarantees for the application of appropriate security measures whenever they process data on behalf of the Controller.

​

VI. Source and Obligation to Process
The processed data have been collected directly from the data subject in connection with the specific processing purpose (e.g., through direct contact with the Controller, collecting data required by law to conclude a contract). The Controller processes only data necessary for the chosen processing purposes, adhering to the principle of data minimization.
Providing personal data is voluntary; however, failure to do so may prevent cooperation between the parties or achieving the intended purpose, or is mandated by law that determines the required scope of data processing.

​

VII. Rights of the Data Subject

1. Every person whose personal data is held by the Controller has the right to:
   a) the right to access their personal data;
   b) the right to rectify their personal data;
   c) the right to restrict the processing of personal data;
   d) the right to request the erasure of their personal data (unless specific laws require the Controller to retain the data);
   e) the right to withdraw consent to data processing – withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal and may be done at any time;
   f) the right to data portability (in cases where processing is based on a contract or consent and is carried out by automated means);
   g) the right to object to the processing of personal data (based on Article 6(1)(e) or (f), including profiling) – an objection to processing for direct marketing purposes, including profiling, will result in the Controller immediately ceasing such processing;
   h) the right not to be subject to a decision based solely on automated processing, including profiling – the Controller states that it does not make decisions based solely on automated processing.

2. In the event of unlawful data processing, you have the right to lodge a complaint with the national data protection authority – the President of the Personal Data Protection Office.

3. If you wish to exercise any of these rights, you can send an email to iod@spoco.co or submit a request to the Controller’s registered office address.