1. Who is the data controller with respect to your personal data? How to contact the data protection officer at ING Commercial Finance Polska S.A.?

The data controller with respect to your personal data is ING Commercial Finance Polska Spółka Akcyjna seated in Warsaw at ul. Puławska 2, entered in the National Court Register under the entry number KRS 0000005577 ("ING”). You may contact the ING Data Protection Officer by writing to the above-mentioned ING postal address, preferably with the annotation: "Data Protection Officer", by phone at: 22 558 7400, or by e-mail at: abi.commercial.finance@ingcomfin.pl

2. What is the purpose and legal basis of the processing of your personal data by ING?

ING processes your personal data:
1) for the purpose of activities related to the consent(s) granted by you. It may be a consent to process your personal data for marketing purposes, a consent to process your personal data after expiration of contractual obligations for the purpose of continued evaluation of your creditworthiness/credit rating and credit risk analysis, or any other consent. The legal basis is the Regulation or a specific Act relevant for a given consent or authorisation, in particular Banking Law Act and the Act on Access to Business Information;
2) in order to execute, perform, and terminate a factoring agreement or any other similar contract/agreement - this means all preparatory activities, analyses, risk assessments and activities involved in the process of executing, performing or terminating a contract/agreement or other activities related to a contract/agreement (e.g. powers of attorney / authorisations) or ordered by other entities, but related to servicing a contract/agreement; what is meant here is all contracts/agreements and all activities, including the ones performed by ING on behalf of or for third parties. The legal basis for such processing is the contracts/agreements or other legal transactions;
3) in order to fulfil legal obligations imposed on ING by various regulations, in particular by the Act on Prevention of Money-Laundering and Terrorism Financing, and obligations related to transferring data to and retrieving data from data bases used for the purpose of evaluating  creditworthiness/credit rating or assessing credit risk; other ING's obligations may also stem from tax law or accounting law;
4) in order to maintain and display websites or communicate via websites - the data processed for that purpose may include IP addresses, device ID numbers and other data, subject to and based on relevant provisions of the telecommunication law. 
for purposes justified by legitimate interests of ING (based on the Regulation, Civil Code, Code of Civil Procedure, of Commercial Companies Code), such as:

1) ensuring security of people (most importantly, employees and customers) and of ING's property, including CCTV monitoring of ING branches, with respect for the privacy and dignity of people,

2) pursuing ING's claims or defending against claims by third parties against ING

3. Other information on other purposes ING may use your personal data for ING processes personal data in relation to the purposes for which they were collected (primary purpose).
However, personal data may be also processed for other lawful purposes (secondary purposes) as long and the primary and secondary purposes are closely interrelated. In general, the following secondary purposes are allowed:
(a) archiving purposes; (b) audits or investigatory proceedings; (c) implementation of business and management controls, (d) statistical and historical or scientific research purposes, (e) dispute resolution; (f) business, economic and legal consultancy; (g) purposes related to financial or electronic services, such as insurance, including the
services provided by other entities via or with the participation of ING.

4. Categories of recipients of your personal data
ING may transfer your personal data to:
1) entities or bodies authorised under applicable provisions of law to receive personal data;
2) entities or bodies, who need to receive your personal data in order to be able to perform a specific action, including a payment transaction, legal service or debt enforcement service;
3) entities receiving personal data from ING on the basis of a consent/authorisation granted by the data subject;
4) entities maintaining data bases for the purpose of assessing creditworthiness/credit risk or risk analysis, in particular to Biuro Informacji Kredytowej S.A., Związek Banków Polskich [Polish Bank Association] and business information bureaus (BIG). 

We may also transfer your personal data to other members of ING Group¹ - under binding corporate rules and legal provisions. If we transfer data to ING Group members outside the European Economic Area, we shall apply appropriate security measures provided for in corporate rules and standard personal data security clauses approved by the European Commission. ING may also entrust personal data to other entities while remaining the data controller.

5. How long will ING process your personal data?
1) The period of processing of personal data by ING depends on the purpose of processing of given personal data: ING processes personal data related to:
1) a contract/agreement or other legal action – for a period necessary to perform a given action or execute a given contract/agreement. When the action or contract/agreement has been executed - for the time necessary to complete the performance thereof; when the action or contract/agreement has not been eventually executed - for three years;
2) calculating financial ratios and capitals - for a period prescribed by law;
3) archival data – for a period of six years from termination of cooperation with a given person, unless a dispute, court litigation, or other proceeding is pending, in particular a criminal proceeding; in such case, the period of processing of archival data will run from the moment of ending the dispute or the final and binding resolution of the proceeding, unless applicable legal provision provides for a longer statue of llimitation period applicable to the right/claim concerned;
4) court adjudication – for a period of up to six years from issuing the final and binding adjudication ending the proceeding concerned;
5) customer's consent – for a period indicated in the relevant consent or - if the period in not defined - until the consent is withdrawn; discontinuation of processing of personal data during the period covered by the consent does not waive the ING's right to process the data for other purposes or even for the same purpose, provided that there is another legal basis for such processing, e.g. the customer's consent refers to a different manner of data processing or transferring. You may withdraw any or all your
consents at any time.
6) business information data bases maintained by other entities or data transferred by other entities – for a period depending on the purpose of such transfer, e.g. data transferred by Biuro Informacji Kredytowej S.A. are kept for the purpose of assessing creditworthiness/credit rating for a period adequate for a given type of activity, and may be subsequently processed either on the basis of relevant legal provisions or on the basis of customer's consent. When ING has obtained data from such data base, but a given contract/agreement or transaction has not been executed, the data will be deleted within three years of obtaining the same, unless the customer has consented to the processing of their personal data for other purposes or for a longer period.
2) The above-mentioned periods are not cumulative. The data may be processed separately for each individual purpose and legal basis, e.g. you may withdraw your consent to processing for marketing purposes, but ING may still process your data for other purposes or under a different legal basis.
6. Information on the data subject's rights
1) You have the right to request from ING access to your personal data, to correct any error in your personal data, and - in instances envisaged by law - to delete your personal data or limit the scope of their processing.
Furthermore, you have the right to object to processing of your personal data. In instances envisaged by law, subject to the reservation that this right must not adversely affect the rights and obligations of other people, including business secrets and intellectual property rights, as long as it is technically possible, you have the right to data portability and to obtain copies of your personal data. The first requested copy of your data shall be provided free of charge. Due to other legal regulations, data portability may require the consent of the customer or other person, or satisfaction of other requirements prescribed in such legal regulations.
When performing the customer's request concerning portability of the personal data or a copy thereof, ING shall provide the data along with the information on the data format and data carrier used.
2) If the processing of specific data or for specific purpose is based on your consent, you have the right to withdraw all or any of your consents concerning the processing of the specific data or for a specific purpose. Withdrawal of the consent does not affect the processing prior to such withdrawal or the legal basis for such processing.
3) The supervisory authority competent for ING with respect to personal data is the President of the Personal Data Protection Office. You have the right to lodge a complaint with the supervisory authority.
4) Your personal data are necessary to execute or perform a contract/agreement. You may be required under legal provisions to provide your personal data for the purpose prescribed therein (e.g. identification or verification). Moreover, the provision of your personal data may be necessary to execute certain transactions. If you fail to provide the personal data required under the contract/agreement or legal provisions, ING will not execute the contract/agreement with you or perform any other applicable action.
5) Any consent to data processing for marketing purposes is voluntary. Execution of contracts/agreements with third parties may involve transferring to such parties the information protected under separate legal provisions. Should this be the case, your separate consent will be required for such transfer, unless a separate legal basis for such transfer exists. Should you refuse to grant such consent or withdraw your consent, ING will not have the legal basis for transferring the information to the third party concerned. This, in consequence, may affect the execution or performance of the contract/agreement with a given third party or of a given action, if the transfer of such data in necessary to execute or perform a given contract/agreement or action.
6) ING can use automated decision-making process, which may result in refusal to execute a contract/agreement or perform an action, or in offering an action or service to be provided under specific terms and conditions. Information relevant for a given automated decision depends on the type of activity, e.g. information relevant in the case of factoring, affecting the automated decision, also with the use of profiling tools, is the information affecting creditworthiness and credit rating. 

¹Presently, ING Group consists of the following entities: ING Bank Śląski S.A. of Katowice, ING Investment Holding (Polska) S.A. of Katowice,
ING Lease (Polska) Sp. z o.o., ING Finance Sp. z o.o., ING Bank N.V. of Amsterdam (the Netherlands) and ING Usługi dla Biznesu S.A. of Katowice.
The list of subsidiaries of ING Bank Śląski S.A. can be found at: https://www.ingcomfin.pl/o-nas