← Home

Privacy Policy

Last updated: June 2026

1. Data controller

The controller of your personal data is CZ Cybersecurity sp. z o.o., with its registered office in Warsaw, ul. Wielicka 40 lok. U1, 02-657 Warszawa, entered in the Register of Entrepreneurs of the National Court Register (KRS) under number KRS: 0000527250, NIP: 1132881297, REGON: 147469817.

2. Purpose of data processing

Your personal data is processed for the following purposes:

• Responding to an enquiry submitted via the contact form on czcyber.pl.
• Establishing business contact in connection with the services provided by CZ Cybersecurity sp. z o.o.
• Initial assessment of an entity's status in the context of the Act on the National Cybersecurity System.

3. Legal basis for processing

Personal data is processed on the basis of:

• Article 6(1)(a) GDPR, the consent of the data subject given by ticking the relevant box in the contact form.
• Article 6(1)(f) GDPR, the legitimate interest of the controller in responding to enquiries and conducting business correspondence.

4. Data retention period

Your personal data will be stored:

• Until consent to processing is withdrawn, where processing is based on consent.
• Until the correspondence is concluded and the purpose for which the data was collected is fulfilled.
• For no longer than 24 months from the date the form was submitted, unless further processing is necessary due to the controller's legal obligations.

5. Rights of the data subject

Under the GDPR you have the following rights:

1. Right of access, that is, the right to obtain information on whether your personal data is being processed and to obtain a copy of the data (Article 15 GDPR).
2. Right to rectification of inaccurate data or completion of incomplete data (Article 16 GDPR).
3. Right to erasure of personal data (the "right to be forgotten") in the cases set out in Article 17 GDPR.
4. Right to restriction of processing in the cases set out in Article 18 GDPR.
5. Right to data portability in a structured, commonly used, machine-readable format (Article 20 GDPR).
6. Right to object to processing based on the controller's legitimate interest (Article 21 GDPR).
7. Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

6. Contact regarding personal data

For matters relating to the processing of personal data, please contact us:

• E-mail:
• Postal address: CZ Cybersecurity sp. z o.o., ul. Wielicka 40 lok. U1, 02-657 Warszawa.

We will respond to your request without undue delay and no later than one month from receipt of the request.

7. Right to lodge a complaint with the supervisory authority

If you consider that the processing of your personal data infringes the provisions of the GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO):

• Urząd Ochrony Danych Osobowych
• ul. Stanisława Moniuszki 1A, 00-014 Warszawa
• Website: uodo.gov.pl

8. Automated decision-making and profiling

The controller does not use automated decision-making, including profiling, as referred to in Article 22(1) and (4) GDPR, in relation to personal data collected via the contact form.

9. Transfers of data to third countries

Your personal data is not transferred to third countries (outside the European Economic Area) or to international organisations.

10. Direct marketing, postal correspondence

As part of its marketing activities, CZ Cybersecurity sp. z o.o. may send postal correspondence (traditional letters) to persons holding positions in the governing bodies of enterprises in sectors potentially covered by the Act on the National Cybersecurity System (Journal of Laws 2026, item 252).

10.1. Source of data

The personal data used for this purpose is obtained solely from publicly available registers:

• National Court Register (KRS), on the basis of Article 8(1) of the Act on the KRS ("The Register is public. Everyone has the right of access to the data contained in the Register"): the first name and surname of the management board member, their position, and the address of the enterprise's registered office.

10.2. Purpose and legal basis

The purpose of processing is direct marketing of our own services, that is, informing entities potentially covered by the regulations about obligations arising from the KSC Act and about the services of CZ Cybersecurity.

Legal basis: Article 6(1)(f) GDPR, the legitimate interest of the controller in conducting direct marketing (Recital 47 GDPR).

10.3. Categories of data processed

• The first name and surname of a person holding a position in the governing body of an enterprise.
• Position (e.g. President of the Management Board).
• Registered office address (correspondence address).

We do not process sensitive data (Article 9 GDPR).

10.4. Data recipients

Data may be transferred solely to:

• a postal operator (Poczta Polska S.A. or another operator) for the purpose of delivering correspondence,
• an entity providing printing and mailing services (hybrid mail) for the purpose of preparing and dispatching mailings, on the basis of a personal data processing agreement (Article 28 GDPR),
• a hosting service provider to the extent necessary for the operation of the website.

Data is not shared with third parties for marketing purposes.

10.5. Retention period

Data processed for direct marketing purposes is stored until an objection is raised (Article 21(2) GDPR), the purpose of processing ceases, or 12 months have elapsed since the last contact, whichever occurs first. After an objection is raised, the data is immediately removed from the marketing database and transferred to an objection register (suppression list) solely to ensure that correspondence will not be sent again.

10.6. Right to object to direct marketing

11. Objection form

If you do not wish to receive marketing correspondence from us, please complete the form below.

Company name *

KRS or NIP number *

Contact e-mail (optional, for confirmation)

Submit objection