Jan Matusiak

Radca prawny

LawyersThe FirmPracticeFor BusinessNewsContact🇵🇱PL

Legal Documents

Information Notice — AML-RODO

Information on the processing of personal data in connection with obligations under the AML Act · Effective from: 1 April 2026.

Legal basis

Jan Matusiak, conducting business under the name: Jan Matusiak Kancelaria Radcy Prawnego, as an obliged institution within the meaning of the Polish Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (the "AML Act"), processes personal data of clients in order to fulfil obligations arising from that Act. The following notice contains information required by Articles 13 and 14 of the GDPR.

I.

Data Controller

The controller of personal data is Jan Matusiak, conducting business under the name: Jan Matusiak Kancelaria Radcy Prawnego, address: ul. Stańczyka 22/54, 30-126 Kraków, Poland, NIP: 6772488832, REGON: 524117386.

Contact with the Controller:

by email: jan.matusiak@matusiak.legal

by phone: +48 500 255 293

by post: ul. Stańczyka 22/54, 30-126 Kraków, Poland

II.

Sources and Scope of Personal Data

Personal data are collected directly from the data subject, from identity documents, contracts entered into, and from publicly available registers, in particular:

the Central Register of Beneficial Owners (CRBR),

the National Court Register (KRS),

the Central Register and Information on Economic Activity (CEIDG),

other public registers accessible under applicable law.

The Firm processes in particular the following categories of data:

identification data: first name, surname, nationality, PESEL number or date of birth,

identity document data: series, number, issuing authority,

address data: residential or registered address,

tax identification number (NIP),

a copy of the identity document — to the extent required by Art. 34 of the AML Act.

III.

Purposes of Processing

Personal data are processed solely for the purpose of fulfilling obligations under the AML Act, in particular:

assessing the risk of money laundering and terrorist financing,

identifying and verifying the identity of the client,

identifying the beneficial owner and verifying their identity,

assessing the nature and purpose of the business relationship,

ongoing monitoring of business relations with the client,

reporting information to the competent authorities — in cases provided for by law.

IV.

Legal Basis for Processing

Personal data are processed on the basis of Art. 6(1)(c) GDPR — processing is necessary to comply with a legal obligation incumbent on the Controller, arising from the provisions of the AML Act.

Provision of personal data is a statutory requirement. If the required data cannot be obtained, it will not be possible to establish or continue a business relationship.

V.

Retention Period

Personal data are retained for a period of 5 years, counted from the first day of the year following the year in which the business relationship with the client ended or in which the occasional transaction was carried out.

Pursuant to Art. 49(1) of the AML Act, the General Inspector of Financial Information may extend this period by a further 5 years.

VI.

Recipients of Personal Data

Recipients of personal data may only be authorities empowered by law, in particular:

the General Inspector of Financial Information (GIIF),

authorities maintaining the Central Register of Beneficial Owners,

prosecutors and other law enforcement authorities — in cases provided for by law.

VII.

Rights of Data Subjects

To the extent not precluded by the provisions of the AML Act, data subjects have the following rights:

the right of access to personal data (Art. 15 GDPR),

the right to rectification of data (Art. 16 GDPR),

the right to restriction of processing (Art. 18 GDPR),

the right to object (Art. 21 GDPR),

the right to data portability (Art. 20 GDPR) — where technically feasible,

the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland; uodo.gov.pl).

The exercise of some of the above rights may be restricted due to obligations under the AML Act — in particular the obligation to retain documentation for the required period.

VIII.

Profiling

Personal data may be used for profiling in the context of assessing the risk of money laundering and terrorist financing, in accordance with the requirements of the AML Act. Profiling is carried out with the use of IT systems but does not result in automated decision-making producing legal effects concerning the data subject.