The NRA Head privacy notice

Information clause on personal data processing by the Head of the National Revenue Administration in the KAS SPOE system

In accordance with Articles 13 and 14 of the GDPR[1], I would like to inform you that:

Controller

The Controller of your personal data is the Head of the National Revenue Administration with its seat in Warsaw, 00-916, ul. Świętokrzyska 12.

Data Protection Officer

In matters concerning the exercise of your rights under the GDPR in relation to the processing of personal data, you can contact the Data Protection Officer by sending an email at the following address:  IOD@mf.gov.pl.

Purposes and basis of data processing

Your personal data is processed for the purpose of:

  1. charging a toll for the use of toll roads, i.e. a toll within the meaning of the Act on Toll Motorways and the National Road Fund and an electronic toll within the meaning of the Act on Public Roads, including with the use of electronic or telephonic tools related to the provision of this service - a legal obligation on the Controller - Article 6(1)(c) of the GDPR,
  2. sending information materials regarding the toll collection system and road infrastructure - on the basis of the consent of the data subject - Article 6(1)(a) of the GDPR.

Providing data necessary for the toll collection process is a statutory requirement - failure to provide such data will result in a lack of possibility to pay electronic toll or toll in the KAS SPOE System.  

An e-mail address is required for online registration. Failure to provide it will result in the inability to register in this form.

Provision of data necessary for sending information materials (e-mail address or telephone number) is voluntary.

The recipients of the personal data

Entities entitled to obtain personal data on the basis of legal regulations will be the recipients of your personal data. A separate category of recipients, to whom your data may be disclosed, are entities processing personal data on behalf of the Controller, in particular, those entities which have entered into contracts for the provision of maintenance services for the IT systems used by us.

If you use a fleet card system, the recipients will also be the relevant fleet card providers and the intermediary entity for the transfer of data between the KAS SPOE System and the fleet card providers. Your data will only be transferred to third countries if you use a fleet card provider located outside the European Economic Area.

Data storage period

Your personal data will be stored until the purpose of the processing has been fulfilled, taking into account the period of limitation of claims, as well as the archiving period in accordance with applicable legislation. In particular:

  1. data processed on the basis of Article 6(1)(c) of GDPR- are stored in the system for 12 months, counting from the end of the calendar year in which the toll road was travelled,
  2. geolocation data - shall be maintained for a maximum of 6 months from the date of completion of the national road journey in question
    • unless, before the expiry of that period, administrative or legal proceedings have been instituted in which the data are necessary; in such a case the data shall be stored until the end of the relevant proceedings;
  3. data processed by virtue of consent - will be processed until you withdraw your consent to their processing.

Source of personal data

We receive processed personal data:

  • directly from you during the registration process;
  • from entities obliged to pay the toll;
  • from fleet card providers;
  • From reference systems, i.e.: CEPIK, CRP KEP.

Rights of data subjects

You are entitled to:

  • access to the content of the data, on the basis of Article 15 of the GDPR, with the proviso that the personal data made available may not disclose classified information or violate legally protected secrets that the Administrator is obliged to keep, and with the proviso of Article 5 of the Personal Data Protection Act of 10 May 2018;
  • rectification of data pursuant to Article 16 of the GDPR;
  • erase your data pursuant to Article 17 of the GDPR;
  • limit data processing pursuant to Article 18 of the GDPR;
  • withdraw your consent to processing at any time (in the case of data processed on the basis of consent), provided that the withdrawal of consent does not affect the processing carried out before its withdrawal.

If you consider the processing of your personal data by the Administrator to be in violation of regulations, you have the right to lodge a complaint to the President of the Office for Personal Data Protection.

Automated decision making and profiling

The processing of your data may be carried out by automated means, which may involve automated decision-making, including profiling, which is performed by the Controller under applicable laws.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)