Information is provided in accordance with Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection, hereinafter: GDPR).
The Controller of your data processed in the Tax and Customs Information System (SISC) is the Head of the National Revenue Administration, whose Office is located in Warsaw (00-916 Warszawa), 12 Świętokrzyska St.
Data Controller’s contact details
The Controller may be contacted in writing at the address of his Office.
Data Protection Officer’s contact details
The Head of the National Revenue Administration has appointed a Data Protection Officer, who you can contact by e-mail at: IOD@mf.gov.pl
The Data Protection Officer may be contacted about all matters related to personal data processing and using the rights associated with data processing.
Purpose and legal basis of processing
Your personal data is processed for the purpose of carrying out the Controller's statutory duties in accordance with applicable laws, especially:
- service and support for the taxpayer and payer in the proper performance of tax obligations,
- service and support for entrepreneurs in the proper performance of customs duties,
- collection and reimbursement of taxes and customs duties, and recovery of the State Treasury’s receivables,
- service and control of foreign trade and trade in goods subject to excise duty,
- monitoring road and rail freight transport and fuel trading,
- handling and control of activities in the field of gambling,
- combating tax, financial and border crime, including money laundering and terrorist financing.
Your personal data may be made available and transferred to public authorities, public services, courts of law and prosecutors’ offices, in accordance with applicable laws.
Transfer of personal data to a third country or to an international organisation
In justified cases and on the basis of appropriate legislation, your personal data may be received by entities authorised to receive it, including in third countries which are not EU Member States.
Period of a data retention
Your personal data will be stored for a period necessary to achieve the purpose of its processing, but not shorter than the period prescribed by the applicable archiving legislation.
Data subjects’ rights
You have the right to:
- access your data, on the condition that the personal data which is made available must neither disclose undisclosed information nor infringe on lawful secrets which the Controller has the duty to preserve, and with due regard to Art. 5 of the 10 May 2018 Personal Data Protection Act;
- have your data rectified;
- have the processing of your data restricted.
Right to complain to a data protection authority
You have the right to lodge a complaint with a supervisory authority in charge of personal data protection in the Member State of your habitual residence, place of work or the place of the alleged infringement.
Office of the Head of the Personal Data Protection Authority
Address: 2 Stawki St., 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Sources of personal data
The data processed in SISC come from data subjects as well as institutions and bodies under the law.
Information on voluntary or obligatory data provision
Providing personal data is obligatory under the law, while in the scope of setting up an account on the Tax and Customs Electronic Services Portal (PUESC), it is based on your consent.
Automated decision-making and profiling
Your data may be processed in an automated way, which may involve automated decision-making, including profiling, performed by the Controller in accordance with applicable laws. It applies to the following cases:
- performing a risk analysis of law violations where the analysis is conducted on the basis of data declared in submitted documents, using certain criteria;
- performing a risk analysis of law violations where the analysis is conducted on the basis of data gathered from public registers and social media, using certain criteria.
As a consequence of the above analysis, in the above-mentioned cases, the Data Subject is automatically classified into a risk group. Being classified into the unacceptable risk group might result in a change of relation and additional measures being initiated in accordance with applicable laws.