Privacy policy (04/07/2022)

Introductory information

Respecting the right to privacy of people who entrusted ODO 24 sp.z o.o. (hereinafter "ODO 24") your personal data, including people using our services, our contractors and theirs employees and subscribers of the newsletter, we would like to declare that we process the obtained data in accordance with the national and European law and in conditions guaranteeing their safety.

To ensure the transparency of the processing processes carried out, we present applicable in the ODO 24 rules for the protection of personal data, established on the basis of Regulation (EU) 2016/679 of the European Parliament and the EU Council of 27 April, 2016 on on the protection of individuals with regard to the processing of personal data and in the matter of free flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter "GDPR").

Data administrator

The administrator of your personal data, i.e. the entity deciding about the goals and methods of processing, is ODO 24 sp.z o.o. with its headquarters in Warsaw, ul. Kamionkowska 45 (postal code: 03-812). In matters related to the processing of personal data you can also contact us by e-mail at:

Acquiring data and the purpose of their processing

ODO 24 offers comprehensive solutions in the field of personal data protection and information security. In carrying out our business functions, we process personal data for the following purposes:

Purpose of processing: Purpose of processing: Purpose of processing:
Activities aimed at concluding and implementing a contract with a client or contractor. Art. 6 (1) (b) GDPR
(applies to clients);
Art. 6 (1) (f) GDPR
(applies to cooperating persons
with us on behalf of the client /contractor).
The need to contact employees/associates of clients and contractors in connection with actions taken to conclude a contract or its implementation.
Consideration of requests and complaints. Art. 6 (1) (b, c and f) GDPR
For the duration of the contract or until the warranty expires or the complaint is settled.
The need to contact employees /associates of clients in connection with the consideration of complaints and requests. 
Establishing, investigating and defending claims. Art. 6 (1) (f) GDPR
For the period of limitation of claims under the contract – in accordance with applicable law
Processing data of clients or contractors and their employees/ associates in connection with the establishment, investigation and defense of claims.
Keeping settlements, accounting and financial reporting. Art. 6 (1) (c) GDPR
Until the data storage obligations resulting from legal provisions expire, in particular the storage of accounting documents (as a rule, for 5 years after the year in which the legal event that required the issuance of an accounting document occurred).
Keeping statistics. Art. 6 (1) (f) GDPR
For the duration of another processing operation indicated in this table. We do not store personal data solely for statistical purposes.
Improvement business activities thanks to the conclusions drawn from statistical activities.
Conducting marketing activities (including using electronic means of communication). Art. 6 (1) (f) GDPR
In the case of marketing using a telephone number or e-mail address, the administrator will obtain consent for the communication channel in accordance with the Act on the provision of electronic services or the Act - Telecommunications Law. Until the objection is raised, i.e. you show us in any way that you do not want to stay in touch with us or receive information about our actions, or until the claims are time-barred.
Conducting marketing activities promoting products and services.
Monitoring on the premises of the data administrator in order to increase the safety of employees and protection of property as well as to keep information secret. Art. 6 (1) (f) GDPR
Image recordings are processed only for the purposes for which they were collected and stored for a period not exceeding 3 months from the date of recording or until a reasoned objection is raised, unless the recording constitutes evidence in the proceedings – then until the final conclusion of the proceedings.
Conducting access control for people staying at the premises of ODO 24 is our legitimate goal, and in the case of employees, it results from the law (Article 222 of the Labour Code). 
Data processing as a part of the ODO 24 profile on the Facebook social network. The data is jointly administered by ODO 24 and Facebook.
The data will be processed until an objection to the data processing is raised.
Conducting current correspondence using the tools provided by Facebook, including Messenger, and conducting other marketing activities.
Processing cookies. The administrator uses the necessary cookies to enable the operation of the basic functions of the website. In addition, in the case of conducting statistical research, marketing or saving user preferences using cookies, the administrator will obtain consent to save cookies on the user's device.
In this case, the data will be processed for the periods specified in the Cookie Policy or until an objection to data processing is raised.
The objection may only be made by clicking on the "Change cookie consent" option.
Enabling basic website functions to work. Adapting the content of websites to the needs of users, including for marketing and statistical purposes, optimization of the use of websites.
Human resource management – employees and associates. Art. 6 (1) (a, b, c and f) GDPR;
Art. 9 (2) (b) GDPR
In accordance with applicable regulations obliging to archiving documents in the field of labor law, i.e we keep personal files for 50 or 10 years.
The 10-year period of keeping documentation in matters related to the employment relationship and the employee's personal files is applied to all employees employed after January 1, 2019.
In the case of employees employed after December 31, 1998, and before January 1, 2019, the documentation related to the employment relationship and the employee's personal files will be kept for 50 years from the date of termination or expiry of the employment relationship, and for those of the above-mentioned employees for which the employer submits the information report referred to in Art. 4 point 6a of the Act of 13 October 1998 on the social insurance system, the period of keeping documentation and files is reduced to 10 years from the end of the calendar year in which this report was submitted.
If the retention period for selected documents is shorter, the administrator will respect this shorter period.
Civil law contracts will be stored until the expiry of the limitation periods for the resulting claims.
Disseminating the image of an employee/associate on the basis of the copyright consent.
Conducting recruitment. Art. 6 (1) (a and c) GDPR
(applies to candidates for employees);
Art. 6 (1) (a and b) GDPR
(applies to candidates for associates)
Up to 6 months from the end of the recruitment process, and in the case of consent to further recruitment processes, no longer than a year.

If the deadlines for storing documents indicated in the column "Keeping settlements, accounting and financial reporting” are longer than the appropriate dates for pursuing possible claims, the indicated longer periods shall apply.

Data recipients

In connection with the activities carried out, ODO 24 will disclose your personal data to the following entities:

  • persons running a business, including lawyers and legal advisers, cooperating with ODO 24 in the field of consulting services provided to the clients of ODO 24, and trainers in the field of conducting an accredited DPO course and open trainings,
  • the Masovian Superintendent of Education in the scope of participation in the accredited DPO course,
  • Foundation „Wiedza to bezpieczeństwo” in the scope of the service "Pomoc ODO 24", („Get help from ODO 24”),
  • state authorities or other entities authorized under the law,
  • entities supporting us in our activities on our behalf, in particular: suppliers of external ICT systems supporting our operations, including Microsoft, our auditors, an entity providing accounting services or entities cooperating with ODO 24 as a part of marketing campaigns, wherein such entities will process data on the basis of a contract with ODO 24 and only in accordance with with our recommendations,
  • payment service providers within the meaning of the Act of 19 August 2011 on services payment, i.e. PayU S.A. based in Poznań, as well as banks, in the case of the need to conduct settlements,
  • in the case of job applicants - also online recruitment portals.

The rights in the field of data processed and the voluntary providing the data

Each person whose data is processed by ODO 24 has the right to:

  • access to the data and receive a copy of it,
  • rectify (correct) the data,
  • delete the data,
  • restrictions on the processing of the data,
  • transfer the data – if the legal basis for their processing is consent (Art. (1) (a) or Art. (2( (a) GDPR) or a contract (Article 6 (1) (b) GDPR),
  • object to the processing of the personal data – if the legal basis for their processing is a legitimate interest (Article 6 (1) (f) GDPR),
  • withdraw consent at any time, without affecting legal compliance of the processing which was carried out on the basis of consent before its withdrawal.

For more information on the rights of data subjects, see the regulations of the Art. 12-23 GDPR.

In addition, the person whose data is processed by ODO 24 has the right to submit complaints to the supervisory authority, i.e. the President of the Personal Data Protection Office. More information at:

Do you have to provide ODO 24 with your personal data?

Providing data is necessary to conclude contracts and settle the business activity and compliance with the legal requirements by ODO 24. This means that if you want to take advantage of the services we offer (including open training, GDPR audits, support in the implementation of the GDPR), become our contractor (supplier) or employee/ co-worker, you must provide your personal data.

If your employer or another entity has indicated you as a contact person in relation to conclusion/ implementation of the contract with ODO 24 (including in connection with your participation in training organized by us), your data will be processed to the extent disclosed by this entity (standard is your name, surname, position, e-mail address and telephone number).

In the remaining scope (in particular, it concerns data processing by ODO 24 in marketing purposes) providing data is voluntary.

Data transfer to third countries

As a rule, personal data will not be transferred outside the European Economic Area (hereinafter: "EEA"). However, bearing in mind the provision of services by our subcontractors when implementing support for ICT services and IT infrastructure, ODO 24 may outsource specific IT activities or tasks to some recognized subcontractors operating outside the EEA, which may result in the transfer of your data outside the EEA.

According to the decision of the European Commission, recipient countries outside the EEA provide an adequate level of personal data protection in accordance with EEA standards. In case of recipients in the territory of countries not covered by the decision of the European Commission, to ensure the appropriate level of this protection, the administrator concludes contracts with data recipients which are based on standard contractual clauses issued by the Commission European pursuant to Art. 46 (2) (c) GDPR.

A copy of the standard contractual clauses can be obtained from the administrator – his contact details are given above. The method used by the administrator to protect yours data complies with the principles set out in Chapter V of the GDPR. You can request further information on the security features applied in this regard, obtain a copy of these security features and find out where they are available.

Processing of personal data in an automated manner

Your personal data will not be used for automated decision-making (including in the form of profiling) in such a way that as a result of such automated processing, any decisions could be made that would have legal effects or similarly affect any effects on clients or contractors, their employees/ associates, as well as employees/ associates of the administrator or job applicants.