RSM Cloud Privacy Policy
§1 General provisions
- The RSM Cloud Privacy Policy defines the rules of the processing of the Users’ Personal Data and the rules of the provision by Users of Personal Data for RSM Cloud processing.
- The RSM Cloud Privacy Policy was prepared and is regularly updated by RSM Poland Sp. z o.o. sp. k. (formerly RSM Poland Audyt S.A.) seated in Poznań (61-555), registered address: ul. Droga Dębińska 3B.
- Every User must read and comply with the RSM Cloud Privacy Policy. The commencement of the use of the RSM Cloud shall be tantamount to accepting the RSM Cloud Privacy Policy, including the conclusion of a processing agreement, with no need for an additional written agreement.
- The RSM Cloud Privacy Policy shall apply as of 29 October 2019 until further notice.
§2 Definitions
The terms used in the RSM Cloud Privacy Policy shall have the following meaning:
- RSM Cloud or Service – the virtual data server where the User of the Service saves and manages (retrieves, changes and consults) data,
- User – RSM’s customer using an activated RSM Cloud Service,
- RSM – RSM Poland Sp. z o.o. sp. k. (formerly RSM Poland Audyt S.A.) seated in Poznań (61-555), registered address: ul. Droga Dębińska 3B,
- Terms of Service – RSM Cloud Terms of Service.,
- RSM Cloud Privacy Policy – this document,
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
- Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
- Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
§ 3 The Controller’s contact details
- The Users’ personal data shall be processed in accordance with the applicable law, including the GDPR provisions.
- The Controller of the Users’ personal data is RSM Poland Sp. z o.o. sp. k. (formerly RSM Poland Audyt S.A.) seated in Poznań, registered address: ul. Droga Dębińska 3B, 61-555 Poznań (hereafter: the ‘Controller’).
- You may contact the Controller in personal data protection matters as follows:
- electronically, at the e-mail addres: [email protected] or
- by letter sent to the registered address of the Controller.
§ 4 Treatment of Users’ Personal Data
- The User’s Personal Data shall be processed for specific purposes on the following legal bases:
- for the purpose of providing services and ensuring proper functioning of the RSM Cloud (legal basis: Article 6(1)(b) of the GDPR),
- for the purpose of preventing abuse, infringements of the RSM Cloud Terms of Service, of the RSM Cloud Privacy Policy and other unlawful activities (legal basis: Article 6(1)(f) of the GDPR),
- for internal administrative purposes of RSM, including for statistical purposes, in pursuing the legitimate interests of RSM (legal basis: Article 6(1)(f) of the GDPR),
- for the purpose of handling potential complaints lodged by the User and exercising or defending legal claims (Article 6(1)(f) of the GDPR),
- for analytical purposes and for User satisfaction surveys (legal basis: Article 6(1)(f) of the GDPR).
- The recipients of the Users’ Personal Data shall only be undertakings supplying and supporting the IT systems of RSM as well as entities authorised to receive them in accordance with the applicable law.
- The Users’ Personal Data may be provided to affiliates such as:
- RSM Poland Technology Sp. z o.o.
- RSM Poland Fiscal Representation Sp. z o.o.
- RSM Poland Fiscal Representation Sp. z o.o. sp. k.
- Firma Audytorsko-Księgowa Sp. z o.o. sp.k.
- RSM Poland Legal Sp. z o.o.
- User data shall not be transferred outside the European Economic Area.
- The Users’ Personal Data shall be retained until their respective RSM Cloud accounts are deleted and, subsequently, until the applicable limitation periods expire.
- The User shall have the right to obtain access to his or her Personal Data, including a copy thereof, to request data rectification, erasure, restriction of processing, to object to such processing and to transmit the data provided to another controller (data portability).
- The User shall have the right to lodge a complaint with the President of the Personal Data Protection Authority if a personal data breach is found with regard to his or her Personal Data.
- If processing is solely based on the User’s consent, the User shall have the right to withdraw his or her consent at any time; such withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- The provision of personal data by the User is voluntary but necessary for the User to be able to use the RSM Cloud Service. Refusal to provide Personal Data shall preclude registration and the use of the RSM Cloud Service.
§ 5 Entrusting the processing of personal data
- The User as the Controller entrusts his or her Personal Data for processing and the Processor agrees to process such Personal Data on the terms indicated in the provisions hereof and in compliance with the requirements of the GDPR and other applicable data protection rules as well as in accordance with the Controller’s instructions.
- The Controller and the Processor intend to enable lawful processing by the Processor of Personal Data in connection with the provision by the Processor of the RSM Cloud service.
- The data referred to in point 1 above shall only be processed by the Processor for the purpose and period of using the RSM Cloud.
- The Processor shall be entitled to process all categories of personal data provided by the Controller to the RSM Cloud, in particular the following:
- Full name (organisation name),
- NIP, REGON, PESEL,
- Address of residence, registered address, business address,
- Telephone number, e-mail address,
- Billing data,
- Non-special categories of data shall be processed.
§ 6 Confidentiality and accountability of operations performed on personal data
- The Processor shall only use information obtained, including Personal Data, for the purposes indicated herein and as necessary to the provision of the RSM Cloud Service.
- The Processor and all persons authorised by the Processor shall maintain the secrecy of Personal Data.
§ 7 Manner of the execution of processing
- The Processor declares to have appropriate technical and organisational measures in place to ensure the protection of Personal Data, at least as laid down in Article 32 of the GDPR, in particular:
- protection against unauthorised access to Personal Data,
- protection against damage to or destruction of Personal Data,
- encryption of Personal Data,
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the Personal Data processing systems used by the Processor in the provision of the RSM Cloud service.
- The Processor warrants that all persons authorised to process personal data shall be bound by a confidentiality obligation, also after the termination of the provision of the RSM Cloud service, including with regard to the personal data they became aware of in connection with the provision of the Service.
§ 8 Cooperation between the Controller and the Processor
- The Controller and the Processor shall engage in close cooperation as necessary to the personal data processing under the provision of the Service.
- The Processor shall inform the Controller if an instruction given to the Processor infringes the GDPR provisions or other applicable laws.
- The Processor shall assist the Controller in the fulfilment of the Controller’s obligations arising from the applicable law, i.e. in particular:
- communication to the data subject of a personal data breach caused by a wrongful act or omission of the Processor,
- assistance to the Controller by the Processor’s knowledge and technical measures, insofar as this is possible, in the fulfilment of the Controller’s obligations related to the exercise of the data subject’s rights,
- taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter 3 of the GDPR,
- taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller in the fulfilment of other obligations pursuant to Articles 32 to 36 of the GDPR.
- The Controller gives its general approval for the Processor to further entrust the processing of Personal Data to other processors (hereafter: further processors) of Personal Data for the purpose of supplying the RSM Cloud service, on the same terms as those set out herein.
- The Processor warrants that the Processor shall solely engage such entities as ensure adequate guarantees of implementing appropriate technical and organisational measures for processing to comply with the requirements imposed by the applicable law.
- The Processor shall be entitled to further commission the processing of Personal Data to its affiliates (the so-called sub-contracted processing), specifically to the following:
- RSM Poland Technology Sp. z o.o.
- RSM Poland Fiscal Representation Sp. z o.o.
- RSM Poland Fiscal Representation Sp. z o.o. sp. k.
- Firma Audytorsko-Księgowa Sp. z o.o. sp.k.
- RSM Poland Legal Sp. z o.o.
- The Controller shall have the right to request, within 14 days, written explanations by the Processor regarding the Personal Data processing.
- The Controller shall have the right to inspect the manner of the processing of Personal Data by the Processor in the form of Personal Data processing audits conducted by an auditor mandated by the Controller. The Controller shall notify the Processor, 14 working days in advance, of an audit planned.
- After the audit referred to in point 8 above, the Controller shall prepare a report to be signed by the Processor. The Processor shall be entitled to raise objections to such a report.
- Without undue delay, the Processor shall follow any post-audit instructions referred to point 9 above, insofar as those are consistent with the provisions hereof and with the applicable law.
- The exercise by the Controller of its right of inspection shall not infringe the Processor’s business secrets.
- The Controller agrees that the Processor may transfer personal data to a third country outside the European Economic Area, solely for the purpose of proper performance of the RSM Cloud Service. Personal Data shall only be transferred if the legal requirements applicable at the time of transfer commencement are complied with.
§ 9 Duration of the processing
- The Processor shall be entitled to process Personal Data for the duration of the provision to the Controller of the RSM Cloud Service.
- The entitlement shall expire upon the termination of the provision of the RSM Cloud Service, with no need for additional statements by the Controller or the Processor.
- After the termination of the provision of the RSM Cloud Service, the Processor shall delete personal data and all existing copies thereof unless mandatory law requires retention of the Personal Data.
§ 10 Final provisions
- The Controller and the Processor shall ensure the compliance of personal data processing with all the requirements imposed on them by the provisions of the GDPR or other applicable personal data protection rules.
- Any disputes between the Controller and the Processor shall be settled by the competent court of law having jurisdiction in accordance with the applicable rules.
- This Privacy Policy is available at the Website: rsm.global/poland/en/RSM-cloud-privacy-policy and www.rsmpoland.pl/pl/polityka-prywatnosci-chmury-rsm
- The Controller reserves the right to amend the RSM Cloud Privacy Policy at any time. Any amendments to the Privacy Policy shall apply from the date indicated in such an amended Privacy Policy published at the Website.