Information clause - Komisja Nadzoru Finansowego

General information clause regarding the processing of personal data

Modification date:

Under Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as ‘GDPR’, please be informed that:

1. The controller of personal data is the Polish Financial Supervision Authority (PL: Urząd Komisji Nadzoru Finansowego, hereinafter: ‘UKNF’) with its registered office in Warsaw (postcode: 00-549) at ul. Piękna 20, or the KNF Board (PL: Komisja Nadzoru Finansowego, hereinafter: ‘KNF Board’) with its registered office in Warsaw (postcode: 00-549) at ul. Piękna 20, hereinafter jointly also referred to as ‘Controllers’. 

The KNF Board remains the controller of data processed for supervisory purposes, as part of measures which support the development of innovativeness of the financial market, as well as information measures with regard to the functioning of the financial market and its risks and participants, to safeguard the legitimate interests of financial market participants. 

The UKNF, on the other hand, should be considered the controller of personal data processed, inter alia, in connection with the performance of tasks related to ensuring security with the use of IT systems, an entry and exit register, a visitor book and monitoring, as well as conducting public procurement proceedings or concluding agreements to which the UKNF is a party. 

You may contact the Controllers in writing by sending a letter to: ul. Piękna 20, skr. poczt. nr 419, 00-549 Warszawa, or by e-mail to:

2. The Controllers provide the possibility of contacting the Data Protection Officer by e-mail ( or by post (by sending a letter to the Controllers’ correspondence address). 

3. The Controllers will process personal data for a period which is necessary for the specific purpose of processing, subject to the provisions on archiving which specify the mandatory storage period for documents.

4. The basis for the processing of personal data is:

1) Article 6(1)(f) of the GDPR, i.e. the legitimate interest pursued by the Controllers consisting in the need to process personal data for the purpose of correspondence and for the establishment, exercise or defence of any legal claims,
2) Article 6(1)(e) of the GDPR, i.e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller due to the performance of tasks and achievement of objectives related to supervising the financial market, which involve processing requests and answering questions,
3) Article 6(1)(c) of the GDPR, i.e. for compliance with a legal obligation to which the controller is subject, consisting in supervising the financial market, in conjunction with Article 2 and Article 3(4) point 1 of the Act of 21 July 2006 on financial market supervision (Journal of Laws 2020, item 2059, as amended) and in conjunction with the Act of 14 July 1983 on national archive resources and archives (Journal of Laws 2020, item 164, as amended), in connection with the need to archive documents.

5. Providing data is voluntary, but a failure to do so may prevent the effective exchange of correspondence, processing requests, answering the received questions in an effective manner or performing other activities. 

6. Personal data may be received by public administration bodies and/or other entities authorised under the law or performing tasks carried out in the public interest or in the exercise of official authority, entities providing services to the Controllers, including IT services, and as part of the correspondence being exchanged. 

7. As a rule, the Controllers do not intend to transfer personal data to recipients outside the European Economic Area, i.e. to third countries, or to international organisations.

8. In cases specified in provisions of law, a data subject has the right of access to their personal data, the right to rectification, erasure, and restriction of processing. 

9. In cases specified in provisions of law, a data subject has the right to object to the processing of personal data. 

10. If you consider that the processing of personal data infringes provisions of law, you have the right to lodge a complaint with the President of the Personal Data Protection Office (PL: Urząd Ochrony Danych Osobowych).

11. No personal data will be used for automated individual decision-making, including profiling.

This information clause is a general clause; a specific data storage period, additional legal bases for processing, information on processing activities as part of which providing data is obligatory or personal data may be transferred to third countries, information on additional rights of data subjects, and other information relevant to a particular process are provided in an accurate manner in detailed information clauses provided in connection with that process.