KHAOS Legal
PRIVACY POLICY
1. Preliminary information
To comply with the obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”), we provide information on the scope, purposes, legal bases and retention periods for the processing of your personal data.
This Policy applies to the use of the KHAOS Legal website, the forms available on the Website, correspondence with the Controller, the preliminary assessment of enquiries, the possible conclusion and performance of a contract, and the use of cookies and similar technologies.
Submitting a contact form or enquiry through the Website does not constitute the conclusion of a contract or the acceptance of a matter for handling. At this stage, please do not submit excessive information or special categories of personal data, or other particularly sensitive information, unless this is necessary to understand the enquiry.
2. Controller of personal data
The controller of your personal data is Karol Halak conducting business under the business name Praktyka Prawna Karol Halak i Współpracownicy, ul. Mehoffera 103 lok. 27, 03-158 Warsaw, Poland, NIP: 1182200336, REGON: 384544194, using the designation KHAOS Legal on the Website (the “Controller”, “KHAOS”, “we”, “us”).
In matters concerning personal data protection, this Privacy Policy and cookies, you may contact the Controller:
- by post: ul. Mehoffera 103 lok. 27, 03-158 Warsaw, Poland;
- by email: kh@khaos.legal.
The Controller has not appointed a Data Protection Officer. In matters concerning personal data, please contact the Controller directly.
“Website” means the website available at https://khaos.legal, including its language versions, subpages, forms and informational content published within the khaos.legal domain.
3. Purposes, legal bases and retention periods
We process data only to the extent necessary for the relevant purpose and for the period indicated below or for the period required by law.
A. Contact through a form, intro-call enquiry, email or telephone
Data categories: first name, last name, email address, company or organisation name, business identifier (e.g. NIP, KRS, REGON or another number), selected matter category, preferred date and time of the call, content of the enquiry, information contained in correspondence, any attachments provided by you and basic technical metadata connected with sending the form or message.
Purpose: handling the enquiry, preliminary assessment of whether the matter falls within the scope of KHAOS services, return contact, confirmation or refusal of the proposed call time, conducting correspondence, and protection against spam and abuse.
Legal basis: Article 6(1)(f) GDPR (the Controller’s legitimate interest in conducting correspondence, handling enquiries and securing the Website), Article 6(1)(b) GDPR (steps taken prior to entering into a contract, where the enquiry is aimed at concluding a contract), and, to the extent required by laws on electronic communications, the consent of the person contacting us.
Retention period: as a rule, up to 12 months from the end of correspondence, unless a contract is concluded earlier or longer retention is necessary for the establishment, exercise or defence of legal claims.
B. Verification of company or organisation data
Data categories: the business or organisation identifier provided in the form, registration data or publicly available data retrieved from or checked in public registers, in particular CEIDG, KRS, REGON/GUS or similar registers.
Purpose: facilitating identification of the entity to which the enquiry relates, reducing errors in data, and preparing a response appropriate to the status and type of the entity.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in the correct identification of a counterparty or contact person) and Article 6(1)(b) GDPR, where verification forms part of steps taken prior to entering into a contract.
Retention period: as for correspondence or, if a contract is concluded, as for the documentation relating to that contract.
C. Conclusion and performance of a contract
Data categories: identification and contact details of the client, representatives, attorneys-in-fact, contact persons and persons indicated in the case documents; billing data; data required to perform the service; documents, information and correspondence provided in connection with the engagement.
Purpose: conclusion, performance, settlement and archiving of the contract, handling the matter, working contact and handling mutual rights and obligations.
Legal basis: Article 6(1)(b) GDPR (performance of a contract or steps taken prior to entering into a contract), Article 6(1)(f) GDPR (contact with representatives, contact persons and co-workers of the client and defence of the Controller’s rights) and Article 6(1)(c) GDPR (legal obligations, in particular tax and accounting obligations).
Retention period: for the duration of the contract and, after its termination, for the period required by law or necessary for the establishment, exercise or defence of legal claims.
D. Tax, accounting and administrative obligations
Data categories: data necessary to issue invoices, maintain accounting records, make tax settlements, handle payments and retain documentation required by law.
Purpose: performance of obligations arising from tax, accounting and other legal provisions.
Legal basis: Article 6(1)(c) GDPR.
Retention period: for the period required by applicable law.
E. IT security, prevention of abuse and establishment, exercise or defence of claims
Data categories: IP address, technical identifiers, information about the device and browser, server logs, event times, data from anti-spam mechanisms, form submission history or correspondence history.
Purpose: ensuring the security of the Website, detecting abuse, counteracting spam, handling technical errors, securing evidence, and establishing, exercising or defending legal claims.
Legal basis: Article 6(1)(f) GDPR.
Retention period: for the period necessary to achieve these purposes, no longer than until the expiry of the relevant limitation periods for claims, unless the law requires longer retention.
F. Direct marketing, newsletter or service communications
Data categories: first name, last name, email address, telephone number, company name, communication preferences and data confirming that consent has been granted or withdrawn — only if you subscribe to such communications or give the relevant consent.
Purpose: sending information about KHAOS services, publications, events or updates, provided that such communications are launched and you have given consent to them where consent is required.
Legal basis: Article 6(1)(a) GDPR (consent), and, in the case of marketing of our own services, also Article 6(1)(f) GDPR, taking into account separate rules on electronic communications and telemarketing.
Retention period: until consent is withdrawn, an objection is effectively raised or the marketing purpose ends; evidence data concerning consent or objection may be retained until the expiry of the limitation period for claims.
G. Statistics, analytics and advertising using cookies
Data categories: cookie identifiers, IP address, device and browser data, source of visit, visited subpages and Website events — only to the extent resulting from implemented tools.
Purpose: analysing how the Website is used, improving its structure and content, measuring the effectiveness of publications or promotional activities and, if advertising tools are implemented, conducting advertising activities.
Legal basis: for cookies other than strictly necessary cookies — your consent, Article 6(1)(a) GDPR. Refusal to consent does not affect your ability to use the basic functions of the Website.
Retention period: according to the lifecycle of the relevant cookie or the settings of the tool provider, and, in the case of data processed on the basis of consent, until consent is withdrawn.
As at the date of this version of the Policy, the Website does not activate tools such as Google Analytics, Google Tag Manager, Meta Pixel or similar analytics and advertising tools without an appropriate consent mechanism. If such tools are implemented, this Policy will be supplemented and you will be given the ability to manage your consents before any such tool is activated.
H. Social media profiles
Data categories: data visible in the user’s profile, the content of comments, messages, reactions and statistical data made available by the relevant social media service — if KHAOS maintains social media profiles and you interact with them.
Purpose: maintaining profiles, communication, content moderation, building professional relationships and profile statistics.
Legal basis: Article 6(1)(f) GDPR; in relation to statistical tools provided by a social media service provider, joint controllership or separate controllership by the platform provider may arise.
Retention period: in accordance with the terms and settings of the relevant service and until the interaction is deleted or an objection is effectively raised, to the extent this is possible within the relevant service.
I. Anti-money laundering and counter-terrorist financing — AML
Data categories: identification and contact details of the client, persons acting on the client’s behalf, representatives, attorneys-in-fact, contact persons, beneficial owners, shareholders, members of corporate bodies and other persons indicated in the case documents; registration data; information on the ownership and control structure; information on the purpose and intended nature of the business relationship or transaction; information on the source of funds or wealth, where establishing this is required or justified by the circumstances; information concerning politically exposed person status, sanctions lists and AML risk, as well as documents, statements, analyses and correspondence connected with the performance of AML obligations.
Purpose: performance of obligations arising from laws on anti-money laundering and counter-terrorist financing, if and to the extent the Controller is subject to such obligations in connection with a given matter or service. In particular, data may be processed for the purposes of identifying and verifying the client, persons acting on the client’s behalf and the beneficial owner, establishing the ownership and control structure, assessing AML risk, ongoing monitoring of the business relationship or transaction, documenting applied customer due diligence measures, fulfilling archiving obligations and performing obligations towards the General Inspector of Financial Information or other competent authorities.
Legal basis: Article 6(1)(c) GDPR, i.e. compliance with a legal obligation to which the Controller is subject, in connection with applicable laws on anti-money laundering and counter-terrorist financing; in relation to documenting the proper performance of obligations, risk management and protection of the Controller’s rights — also Article 6(1)(f) GDPR.
Retention period: for the period required by AML laws, generally for 5 years from the date of termination of the business relationship with the client or from the date of carrying out an occasional transaction, and in cases provided for by law — for a longer period, if a competent authority requests further retention of the documentation.
J. Recovery of receivables and protection of the Controller’s rights
Data categories: identification and contact details of the client, counterparty, representatives, attorneys-in-fact, contact persons and other persons connected with the matter; data concerning the contract, enquiry, engagement, services performed, correspondence, arrangements, settlements, invoices, payments, balances, bank accounts, payment history, documents confirming the performance of services, payment demands, complaints, settlements, court, administrative, enforcement, mediation or other proceedings connected with the recovery of receivables or the protection of rights.
Purpose: establishing, securing, pursuing, enforcing or defending the Controller’s receivables, claims and rights, including monitoring payments, sending reminders and payment demands, conducting pre-litigation correspondence, negotiations or settlements, handling disputes, pursuing claims before courts, authorities or other competent entities, conducting enforcement proceedings and securing evidence.
Legal basis: Article 6(1)(f) GDPR, i.e. the Controller’s legitimate interest in protecting its rights, recovering receivables, pursuing or defending claims and documenting the course of cooperation; to the extent processing is required by law or by a competent authority — Article 6(1)(c) GDPR; to the extent necessary for the performance, settlement or termination of a contract — Article 6(1)(b) GDPR.
Retention period: for the time necessary to recover receivables, protect rights or defend against claims, no longer than until the expiry of the relevant limitation periods, and if proceedings are initiated — until their final conclusion, the enforcement of a judgment, the completion of enforcement proceedings or the conclusion and performance of a settlement, unless the law requires longer retention of the data.
4. Voluntary provision of data
Providing data is voluntary; however, certain data are necessary for us to respond to an enquiry, confirm a proposed call time, verify an entity, prepare an offer, conclude or perform a contract, or fulfil legal obligations.
If you provide data that are insufficient to handle the matter, we may ask you to supplement them. If you provide excessive data or data that we do not need, we may delete them, anonymise them or restrict their use.
5. Recipients of personal data
We may disclose personal data only to the extent necessary to achieve the purposes described in this Policy. Recipients of data may include:
- providers of hosting, Website maintenance, email, form systems, security, anti-spam, technical support, analytics or advertising tools — where used;
- providers of email delivery and form-handling services, in particular the provider used to forward form submissions to the Controller;
- entities maintaining public registers or providing access to public registers, if we use verification of company or organisation data;
- persons cooperating with the Controller, advisers, experts, accountants, auditors, subcontractors and other professional service providers — where necessary to handle an enquiry, perform a contract or protect the Controller’s rights;
- banks, payment operators and accounting service providers — for settlement purposes;
- public authorities, courts, offices or other authorised entities — where required by law;
- the General Inspector of Financial Information, AML control or supervisory authorities, law enforcement authorities, courts, offices and other authorised entities — where the disclosure of data is required or permitted under laws on anti-money laundering and counter-terrorist financing or other applicable laws;
- courts, enforcement officers, mediators, attorneys, law firms, entities providing debt-collection, enforcement, accounting or advisory services and other entities participating in the recovery of receivables, protection of rights or defence against claims — where this is necessary to achieve those purposes.
Entities processing data on our behalf act on the basis of appropriate agreements or other instruments required by the GDPR. We make available the list of key categories of providers upon request, to the extent permitted by law and security rules.
6. Retention period for data
We process data no longer than necessary to achieve the purpose for which they were collected, unless the law requires longer retention or the data are necessary for the establishment, exercise or defence of legal claims.
- Data from correspondence and the contact form are retained, as a rule, for up to 12 months from the end of correspondence, if no contract is concluded.
- Data relating to a contract are retained for the duration of its performance and then for the period required by law or necessary to secure claims.
- Accounting, tax and settlement data are retained for the periods required by applicable laws.
- Data processed on the basis of consent are retained until consent is withdrawn, unless there is another legal basis for further retention.
- Technical and security data are retained for the period necessary to secure the Website, detect abuse or handle incidents.
- Data processed for AML purposes are retained for the period resulting from laws on anti-money laundering and counter-terrorist financing, generally for 5 years from the date of termination of the business relationship with the client or from the date of carrying out an occasional transaction, and in cases provided for by law — for a longer period, if a competent authority requests further retention of the documentation.
- Data connected with the recovery of receivables, protection of rights or defence against claims are retained for the time necessary to achieve those purposes, in particular until the expiry of the relevant limitation periods, and if proceedings are initiated — until their final conclusion, the enforcement of a judgment, the completion of enforcement proceedings or the conclusion and performance of a settlement.
When the data are no longer needed, we will take reasonable steps to delete them, anonymise them or restrict their further processing.
7. Your rights in connection with the processing of personal data
In connection with the processing of personal data, you have the rights provided for in the GDPR, including:
- the right of access to data and to receive a copy of the data (Article 15 GDPR);
- the right to rectification of data (Article 16 GDPR);
- the right to erasure of data in the cases provided for by law (Article 17 GDPR);
- the right to restriction of processing of data (Article 18 GDPR);
- the right to data portability where processing is based on consent or a contract and is carried out by automated means (Article 20 GDPR);
- the right to object to processing of data based on the Controller’s legitimate interest, including to direct marketing (Article 21 GDPR);
- the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal (Article 7(3) GDPR).
To exercise your rights, contact the Controller by email at kh@khaos.legal or by post at: ul. Mehoffera 103 lok. 27, 03-158 Warsaw, Poland.
You also have the right to lodge a complaint with the supervisory authority: the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stanisława Moniuszki 1A, 00-014 Warsaw, Poland, tel. +48 22 531 03 00.
8. Automated decision-making and profiling
Your personal data are not used to make decisions concerning you based solely on automated processing that would produce legal effects concerning you or similarly significantly affect you.
If analytics or advertising tools are implemented in the future, they may create statistics or audience segments for traffic analysis or promotional activities, but they will not be used to make automated legal decisions concerning Website users without a separate legal basis and information.
9. Transfers of data outside the European Economic Area
Personal data may be transferred outside the European Economic Area if we use providers of electronic services, email, hosting, security, forms, analytics or communications that have their registered office, infrastructure or subprocessors outside the European Economic Area.
In particular, data submitted through a form may be handled by an email/form service provider whose infrastructure or subprocessors may be located outside the European Economic Area, including in the United States. In such a case, we rely on the transfer safeguards provided for in Chapter V of the GDPR, in particular an adequacy decision of the European Commission or standard contractual clauses, supplemented by data processing agreements and technical and organisational measures.
If tools such as Google Analytics, Meta Pixel or similar solutions are implemented on the Website, data may be transferred outside the European Economic Area on the terms applicable to the relevant provider and only after the consent requirements have been met, where consent is required.
10. Links to other websites
The Website may contain links to external websites, public registers, social media profiles, publications or services of other entities. External websites operate independently of the Controller and may use their own privacy and cookie policies.
We are not responsible for the data-processing rules applied by third parties after you proceed to their websites. Before using external services, we recommend that you read their privacy documents.
11. Cookies
The Website may use cookies and similar technologies, i.e. small files or identifiers stored on, or read from, the user’s terminal equipment. Cookies are not executable and do not alter the configuration of the device, but they may enable the proper operation of the Website, remembering settings, security handling, traffic analysis or advertising activities, if such tools are implemented.
Cookies may be used for the following purposes:
- ensuring the proper operation and security of the Website;
- handling the contact form, including anti-spam safeguards;
- remembering technical, language or user preference settings, if such functionality is used;
- creating aggregated statistics on the use of the Website — only if the implemented tools require such processing;
- conducting advertising or remarketing activities — only if such tools are implemented and the user gives the required consent;
- displaying content in the best reasonably achievable quality and adapting it to the user’s device.
The Website may use the following types of cookies:
- session cookies — stored until the user leaves the website or closes the browser;
- persistent cookies — stored for the period specified in the cookie parameters or until deleted by the user;
- strictly necessary cookies — needed for the operation of the Website, security, prevention of abuse or maintenance of basic functions;
- preference cookies — remembering user settings, where used;
- analytics and advertising cookies — used only after appropriate tools have been implemented and the required consent has been obtained.
12. Managing cookies
You can change how cookies are handled in your web browser settings. A browser usually allows you to block cookies, delete cookies, block third-party cookies or set notifications about their use.
Instructions for managing cookies are usually available in the help section of your browser, for example Google Chrome, Microsoft Edge, Mozilla Firefox, Safari or Opera.
Disabling strictly necessary cookies may hinder or prevent the use of certain Website functions. Refusal to consent to analytics or advertising cookies should not affect the basic use of the Website.
13. Google Analytics and similar tools
As at the date of this version of the Policy, the Website is not intended to use Google Analytics or similar analytics tools without a consent mechanism. If Google Analytics is implemented, the service provider will be Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and the processing of analytics data will take place on the basis of the user’s consent, in accordance with the settings of the cookie panel.
Google may use data to evaluate the use of the Website, create reports on activity and provide other services connected with the use of the Website. In such a case, data may be transferred outside the European Economic Area with the application of appropriate transfer mechanisms, in particular standard contractual clauses, an adequacy decision where applicable, or other safeguards provided for in the GDPR.
More information on Google’s rules can be found in Google’s documents on privacy, Google Analytics and disabling Google Analytics measurement.
14. Social media plugins and links
The Website may contain links to social media profiles or content. A link by itself does not mean that data are automatically transferred to the relevant social media service; data are transmitted only once you click the link or interact with the profile, at which point the privacy rules of the relevant provider apply.
If active social media plugins are implemented on the Website, they may cause data, including cookies, to be transmitted to providers such as Meta, LinkedIn or other platform operators as soon as a page is loaded, even without a click. Such solutions will be covered by appropriate information in this Policy and, where required by law, by a consent mechanism.
15. Changes to the Privacy and Cookies Policy
The Policy may be amended, in particular if laws, Website functions, technical tools, service providers or the manner of data processing change.
A new version of the Policy will be published on the Website and will apply from the date indicated in the document or from the time of publication, if no other date is indicated.
Previous versions of the Policy may be made available upon request, provided that they are available in the Controller’s archive.