Legal
GDPR Statement
1. Our commitment
Syndicai sp. z o.o. is committed to the principles of the EU General Data Protection Regulation (GDPR, Regulation 2016/679). This statement describes how we apply those principles.
For all GDPR-related enquiries, contact contact@syndicai.co.
2. Data controller
For data processed via this website and our pre-contract enquiries, Syndicai sp. z o.o. is the data controller.
For data processed under a client engagement, the client is typically the data controller and Syndicai sp. z o.o. acts as data processor under a written data-processing agreement (DPA).
3. Principles we follow (Art. 5)
- Lawfulness, fairness, transparency — we only process data on a clear legal basis and tell you why.
- Purpose limitation — data is collected for explicit purposes and not used beyond them.
- Data minimisation — we collect only what we need.
- Accuracy — we keep data correct and current.
- Storage limitation — retention periods are defined and enforced.
- Integrity and confidentiality — appropriate technical and organisational measures are in place.
4. Your rights as a data subject
You have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion, subject to lawful retention obligations.
- Restriction — limit how we use your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — to processing based on legitimate interest.
- Withdraw consent — at any time, where consent is the legal basis.
- Lodge a complaint — with the Polish supervisory authority (UODO, uodo.gov.pl).
To exercise these rights, email contact@syndicai.co. We respond within one calendar month.
5. International transfers
Where personal data is transferred outside the European Economic Area (EEA) — for example, to US-based service providers — we rely on EU Standard Contractual Clauses (SCCs) or equivalent legal safeguards. A list of relevant sub-processors is available on request.
6. Data breach notification
In the event of a personal data breach likely to affect data subjects, we notify the supervisory authority within 72 hours of becoming aware, in accordance with Art. 33 GDPR. Affected individuals are notified without undue delay where the breach is likely to result in high risk to their rights.
7. Data Protection Officer
Syndicai sp. z o.o. is not legally required to appoint a Data Protection Officer (DPO), but we maintain a clear contact for data protection matters: contact@syndicai.co.
8. Client engagements
When we process data on behalf of a client, the terms of the engagement-specific Data Processing Agreement (DPA) apply, including:
- documented instructions from the client (controller);
- confidentiality obligations on all personnel with access to client data;
- agreed technical and organisational measures;
- sub-processor authorisation requirements;
- assistance with data-subject requests and breach notifications;
- audit rights and proof-of-compliance reporting;
- defined return or deletion of data at the end of the engagement.
A DPA template is available on request.