PEAC (Poland) Sp. z o.o.
ul. Mielżyńskiego 14, 61-725 Poznań


The policy of personal data protection has been developed and implemented in the Data Administrator structure to ensure compliance of the processing of personal data with the requirements of Polish and European legal acts in force in this respect, including guidelines, in particular:

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) – hereinafter GDPR

2. The Act of May 10, 2018 on the protection of personal data (consolidated text in Polish Official Journal of 2018, item 1000, as amended), hereinafter the Act

3. Guidelines of the Working Party, Article 29 (currently the European Data Protection Board)

4. Guidelines of the President of the Office for Personal Data Protection

5. Guidelines of the European Union Agency for Cybersecurity (ENISA)
The personal data protection policy applies to all natural persons whose data are processed by the Data Administrator.


Data Administrator (DA) – PEAC (Poland) sp.z o.o. with its registered office in Poznań (61-725), ul. Seweryna Mielżyńskiego 14, entered into the National Court Register kept by the District Court Poznań – Nowe Miasto and Wilda, in Poznań, VIII Commercial Department of the National Court Register under KRS number 0000002358, with tax identification number NIP: 778-13-70-639, with a share capital of PLN 16,000.000,

Personal data – information about an identified or identifiable natural person ("data subject"), where an identifiable natural person is a person who can be directly or indirectly identified, in particular based on an identifier such as name and surname, identification number, location data, online identifier or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person,

Supervisory authority – Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw,

Third country – a country not belonging to the European Economic Area

Processing entity – a natural or legal person, public authority, entity or other entity that processes personal data on behalf of the Data Administrator,

Employee – a person cooperating with the Data Administrator on the basis of an employment contract or a civil law contract,

Processing – an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise sharing, matching or combining, limiting, deleting or destroying,

Consent of the data subject – means any, arbitrarily defined, specific, conscious and unambiguous indication of the data subject by means of a statement or explicit confirming action, expressing consent to the processing of personal data related to such data subject. The consent must be properly documented to serve as evidence.

Profiling – means any form of automated processing of Personal Data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyze or forecast aspects of the natural person's work effects, economic situation, health, personal preferences, interests, credibility, behavior, location or movement.

Recipient – means a natural or legal person, public authority, entity or other entity to whom personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data as part of a specific procedure under Union or Member State law are not considered to be recipients; the processing of these data by these public authorities must comply with the data protection rules applicable to the purposes of the processing

Enterprise group – means an enterprise exercising control and enterprises controlled by it

Cross-border processing – means:

a) the processing of personal data that takes place in the Union as part of the activities of organizational units in more than one Member State of an administrator or a processing entity in the Union having organizational units in more than one Member State; or

b) the processing of personal data that takes place in the Union as part of the activities of a single organizational unit of the controller or processor in the Union, but which significantly affects or may significantly affect data subjects in more than one Member State.

International organization – means an organization and its subordinate bodies operating under public international law or another body set up by agreement between at least two countries or under such an agreement

Entities capital-related with the Data Administrator : PEAC (France) SARL and Still Location SARL with headquarters in Serris, France, PEAC Pénzügyi Lizing Zrt. and PEAC Bérlet Kft. with headquarters in Budapest, Hungary, PEAC (Czech Republic) s.r.o. with headquarters in Prague, Czech Republic, PEAC (Austria) GmbH with headquarters in Vienna, Austria, PEAC Mobility GmbH with headquarters in Neu-Isenburg, Germany, PEAC (Germany) GmbH and PEAC Holdings (Germany) GmbH & Co.KG with headquarters in Hamburg, Germany – in detailed data protection policies – referred to as PEAC GROUP .


The processing of personal data in the Data Administrator's structure takes place in accordance with the general principles for the processing of personal data set out in art. 5 GDPR. This means that personal data are processed:

3.1 in accordance with the law, based on at least one condition of the lawfulness of personal data processing indicated in art. 6 or in art. 9 GDPR (principle of legality),

3.2 in a fair manner, taking into account the interests and reasonable expectations of data subjects (principle of reliability),

3.3 in a transparent manner for data subjects (principle of transparency),

3.4 for specific, explicit and legitimate purposes (purpose limitation principle),

3.5 to the extent adequate, relevant and necessary for the purposes for which they are processed (data minimization principle),

3.6 taking into account their regularity and possible updating (principle of regularity),

3.7 for a period not longer than necessary for the purposes for which they are processed (storage restriction principle),

3.8 in a manner that ensures adequate security (integrity and confidentiality).


The Data Administrator has appointed a Data Protection Officer (Mr. Damian Dziuba), who can be contacted by sending a message to