Privacy Policy

Privacy Policy

BPI Real Estate Sp. z o.o.

1. Introduction

    1. This document is a description of the privacy policy (hereinafter Policy) of BPI Real Estate Sp. z o.o. with its registered office in Warsaw, 48 Komitetu Obrony Robotników Street, registered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under the number KRS:  0000375842, REGON:  142696098, NIP (Tax ID):  7010268989, (hereinafter referred to as the Controller). 
    2. The purpose of the Policy is to determine the principles and method of processing personal data from natural persons who are users of websites administered by the Controller (hereinafter referred to as the User). The Policy also contains information on the rights of natural persons concerning personal data made available by them.
    3. The legal basis of the Policy is Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR), as well as the Act on the protection of personal data of 10 May 2018 (Journal of Laws 2018, item 1000). The Policy constitutes the implementation by the Controller of obligations under Articles 12 and 13 of the GDPR. 
    4. The Policy applies to any website, application or service referring to this information, as well as to data transmitted through them, by phone, electronically or in person at the Controller's premises. Please note that by leaving the websites controlled by the Controller (e.g. by clicking on a link to a page in another domain), the User enters an area where the Policy does not apply. The Controller is not responsible for the privacy policy rules applicable on websites operated by other entities.


    1. BPI Real Estate Sp. z o.o. is the Controller of personal data provided by Users of websites who visited and used the functionalities offered by websites administered by the Controller (hereinafter referred to as Internet Services):
    1. The Controller may obtain Users' data through:
  • Users contacting the Controller via the contact forms available on the Websites and providing personal data concerning them along with the content of the message,
  • Direct contact by phone, e-mail, as well as by post,
  • Submission of application documents by candidates for employees directly to e-mail addresses belonging to the Controller or through intermediary services,
  • State institutions and public authorities which, during their proceedings, transfer personal data to implement the law.
  • Users subscribing to the Controller's mailing list to receive information about ...,


    1. When collecting personal data, the Controller records information about the source of their acquisition. The collection of Users' data takes place directly from the data subjects, as well as from third parties.
    2. The Controller takes special care that personal data are processed by the purpose for which they were collected and used in accordance with the premises and categories of data processed permitted by law, in particular in accordance with the principles of personal data processing set out in Article 5 of the GDPR.

3. Purposes and legal basis for personal data processing

The Controller processes personal data in accordance with the business profile, only for the purposes indicated below. If, due to legal provisions, the characteristics of the service or the need to settle it, there is a need to process other personal data of data subjects, the Controller may process it to the extent necessary.

    1. In order to contact the Controller via the contact forms posted on the Websites in connection with a question or a submitted request, Users’ data such as first and last name, email address and telephone number are processed.

The legal basis for the processing of personal data is the legitimate interest of the Controller - Article 6 Section 1 (f) of the GDPR, consisting of ensuring the handling of messages and answering the resulting questions. Refusal to provide personal data will result in the inability to handle the sent message and thus its deletion.

    1.  In order to send Users electronically information about current offers for the sale of real estate, information about promotions, and personal data of Users such as first and last name, email address, and telephone number are processed.

The legal basis for the processing of personal data is the legitimate interest of the Controller - Article 6 Section 1 (f) of the GDPR,  which is to maintain constant contact with the Users by the Controller in order to provide information about current promotions, offers for sale of real estate.

    1. In order  to establish, pursue claims and defend against claims, including documenting objections raised against the processing of personal data, the personal data of Users, which they have provided to the Controller, will be processed.

The legal basis for the processing of personal data is Art. 6 para. 1 (f) GDPR, which allows the processing of personal data for possible establishment, investigation or defence against claims, which is the implementation of the legitimate interest of the Controller.

    1. In order to carry out the recruitment process, it is necessary to provide the candidates’ data in the scope resulting from the content of Article 22 1 §1 of the Labour Code: first name(s) and last name, date of birth, contact details indicated by the candidate, education, professional qualifications and the course of previous employment, if it is necessary to perform a specific type of work or a specific position.

The legal basis for conducting the recruitment process is:

  • Act of 26 June 1974. Labour Code (Journal of Laws 1974 No. 24 item 141 as amended),
  • art. 6 para. 1(b) GDPR, which allows for the processing of personal data if they are necessary to undertake activities aimed at the performance of the contract.

Providing by candidates with other data not listed in the catalogue of Article 22 1 §1 of the Labour Code is voluntary. The legal basis for the processing of such personal data is Art. 6 para. 1(a) GDPR, which allows the processing of personal data based on voluntary consent, which can be revoked at any time without affecting the lawfulness of the processing that was carried out based on consent before its withdrawal.

The recruitment process consists of several stages, during which the processing of candidates’ data takes place: pre-selection of applications received, contact with selected candidates, and selection of an employee.

In the event of the candidate's consent to the processing of the personal data provided in future recruitments, the legal basis for their processing is Art. 6 para. 1(a) GDPR, which allows the processing of personal data based on the consent voluntarily granted, which can be revoked at any time, without affecting the lawfulness of the processing which was carried out based on consent before its withdrawal.

4. Recipients of personal data

    1. The recipients of personal data provided to the Controller by data subjects are the following entities to which personal data are provided to the minimum extent necessary to achieve the purpose/purposes for which the data were obtained:
  • Authorized personnel of the Controller,
  • Entities processing personal data on behalf of the Controller (e.g. accounting office, technical service providers, hosting service providers),
  • Entities with which the Controller has concluded agreements entrusting the processing of personal data,
  • Competent authorities authorized in accordance with applicable law.
    1. The Controller declares that it does not sell, share or transfer the collected personal data for processing to other persons or institutions, unless it occurs with the explicit consent or at the request of data subjects or the request of state authorities authorized under the law for their proceedings or activities related to security or defence, for specific legal tasks carried out for the public good, when it is necessary to fulfil the legally justified purposes of the Controller.

5. Transfer of personal data to countries outside the European Economic Area (EEA)

Since the Controller uses applications whose servers are located outside the EEA , personal data obtained in connection with the use of websites by Users may be transferred to third countries. Therefore, the Controller made sure to use only providers offering guarantees of a high level of personal data protection. These guarantees are based on the participation of suppliers in the Privacy Shield Program established by Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield.

6. Period of personal data processing

The controller processes the personal data obtained for the period necessary to achieve the purpose/purposes for which they were provided. The period of data processing is related to the purposes and grounds of their processing, therefore:

  • Data processed based on statutory (tax) requirements will be processed for the period in which the law requires data to be stored;
  • Data processed based on the legitimate interest of the Controller will be processed until the effective submission of an objection by the data subject or the termination of this interest. Data processed to assert or defend against claims will be processed for a period equal to the limitation period of these claims;
  • Data processed based on consent will be processed until the consent expressed by the data subject is withdrawn;
  • Personal data processed as part of the recruitment process will be processed until the end of this process.

7. Rights of data subjects

    1. The controller exercises the rights of data subjects related to the processing of their data. Each data subject shall have the right to:
  • Access their data,
  • Rectify personal data,
  • Delete ("right to be forgotten"),
  • Restrict personal data processing,
  • Object to the processing of personal data.
    1. If the basis for the processing of personal data is the legitimate interest of the Controller, the data subject has the right to object to the processing of personal data at any time, without the need to justify their decision, especially in the case where the legitimate interest is to conduct activities related to direct marketing.
    2.  Consent expressed by data subjects via the Websites may be withdrawn at any time, which will not affect the lawfulness of data processing carried out before its withdrawal.
    3.  The Controller informs that it is not obliged to delete data (i.e. exercise the "right to be forgotten") if data processing is necessary to:
  • Exercise of rights and freedoms of expression and information,
  • Compliance with a legal obligation to process under European Union or Polish law,
  • Archival purposes in the public interest, scientific or historical research purposes or statistical purposes,
  • To establish, pursue or defend claims.   
    1. The above rights, as well as the intention to withdraw consent, may be realized by sending a relevant request by e-mail to the following e-mail address:  or by letter to the address of the Controller’s registered office provided in point 1.1 of the Policy.
  1. Automated decision-making and profiling

Your data will not be used for automated decision-making, including profiling.

9. Security and storage of information

The Controller ensures the security of personal data against unauthorized access, seizure of data by unauthorized persons, destruction, loss, damage or alteration, and processing of personal data in a manner inconsistent with the provisions of the GDPR.

To protect personal data, the data Controller shall take technical and organizational measures that meet the requirements of the GDPR, in particular measures listed in Article 24 and Article 32 of the GDPR, ensuring the confidentiality, integrity and availability of the processing services of the personal data transferred.

10. Social Plugins

The Websites use so-called social plugins redirecting to the Controller's profiles maintained on social networks: Facebook, Instagram, LinkedIn, and Youtube. Using the functionality offered by these plugins, Users can share individual content or share it on social media. However, we would like to point out that by using these plugins, data is exchanged between the User and a given social network or website. The Controller does not process this data and does not know what User data is collected. Therefore, we encourage you to read the regulations and privacy policies of these social networks before using a given plugin.

11. Right to complain 

In any case, when it is considered that the rights of a natural person under the law and the Policy are violated, the Users have the right to complain to the Office for Personal Data Protection with its registered office in Warsaw at 2 Stawki Street.

12. Final provisions

To the extent not covered by this Policy, EU and national data protection laws apply.

Policy last updated on: 09/01/2024.