When a Postal Operator processes data in connection with the provision of postal services, it is not necessary to conclude a personal processing data agreement. If, however, the data controller uses other services of the postal operator and data transfer takes place, it is necessary to conclude such an agreement.

 In accordance with art. 6 of the Act on the protection of personal data, any information allowing for identification of a natural person (directly or indirectly) have the status of personal data. Without a doubt, data provided to the postal operator in order to deliver a shipment to a specific recipient are such data. 

 An entity to whom the recipient has provided its data in order to send a shipment is the data administrator. As a rule, only the data administrator can process personal data it manages. If it wants to share such data with other entities, usually it has to conclude with them an agreement to entrust the processing of personal data. The Act on the protection of personal data provides for situations where the transfer of personal data to another entity is possible without concluding an agreement, but these exceptions do not apply in this case (providing data to state authorities, the processing of central site data by a branch office of the same personal data administrator etc.).

 The Postal Operator may acquire personal data of the recipient only in two ways:

– by acquiring personal data of the recipient from the sender,

– by acquiring personal data of the recipient from the recipient.

 The legality of data processing by BackOffice Outsourcing Sp. z o.o. is guaranteed by the fulfilment of the provision of art 23, section 1, paragraph 2 of the Act of 29 August 1997 on the protection of personal data – data processing is necessary for exercising the permission or complying with the requirement resulting from the law (in connection with the Postal Act), and since 25 May 2018, based on art. 6, section 1(c) of the regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and the repeal of the directive 95/26/EC – the processing is necessary to fulfil the obligation resting on the administrator (in connection with the Postal Act).

 BackOffice Outsourcing Sp. z o.o. is a postal operator within the meaning of art. 3, paragraph 12 of the Postal Act of 23 November 2012, i.e. an entrepreneur authorized to provide postal services based on an entry in the register of postal operators.  In accordance with the provisions of art. 42 of the above-mentioned Act, information or data under postal secrecy can be collected, recorded, stored, developed, amended, deleted and made available only when such activities apply to a provided postal service, are necessary for its implementation, or when other regulations provide otherwise.

At the time of the transfer of personal data in order to provide services, BackOffice Outsourcing Sp. z o.o. becomes the data administrator.

 Only when the Postal Operator does not provide postal services, but provides other services, the transfer of personal data of the recipient (or other entity) must be made on the basis of a data processing agreement in order to purse the goal and within the scope provided in such agreement. Only then the postal operator has the status of data processor (entity entrusted with the processing of personal data), not data administrator (as in the case when the acquisition of personal data takes place on the occasion of providing postal services).

 Legal basis: 

the Act of 19 September 2019 on the protection of personal data (text: Journal).

the Act of 23 November 2012 – Postal Act (uniform text::Journal of Laws of 2020, item 1041, 2320).

 In accordance with Article 13, paragraph 1 and 2 of the General Regulation on the Protection of Personal Data of 27 April 2016, we inform that the administrator of your personal data is Backoffice Outsourcing Sp. z o.o., with its seat in Warsaw (04-036), at Al. Stanów Zjednoczonych 72/12, hereinafter referred to as the Administrator.


 The Administrator processes personal data of, among others:

  • customers who are natural persons;
  • customers of the Administrators who are legal persons or organizational units without legal personality – personal data of persons authorized to represent such entities, employees, and partners of such customers;
  • service providers who are natural persons, as well as employees and partners of such service providers;
  • persons cooperating in the provision of services by the Administrator on a regular or occasional basis;
  • persons that want to benefit from legal advisory services provided by the office, as well as persons whose data have been obtained on the occasion of the provision of such services to the Administrator’s customers.

Your personal data will be processed for the purposes of:

  • fulfillment of legal obligations encumbered on the Administrator of personal data pursuant to Art. 6, paragraph 1(c) of GDPR, under EU law or Polish law;
  • conclusion and performance of a contract, i.e. pursuant to Art. 6, paragraph 1(b) of  GDPR, in particular, a contract for the provision of legal, accounting or advisory services to the Administrator’s customers by service providers;
  • performance of legitimate interests of the Administrator or other third parties pursuant to Article 6, paragraph 1(f) of GDPR, which include in particular: investigation, determination, and defence against claims, fraud prevention, security of IT environment, in order to offer products and services, the use of internal control systems, monitoring the Administrator, recognition of conflicts of interests and ethical breaches to the extent necessary to prevent abuse, for archival and statistics purposes, as well as the provision of services for customers in a situation in which the customer’s interest takes precedence over the interests, rights, and freedoms of data subjects.

Categories of subjects covered by the processing of data:

The Administrator may process personal data of the following categories of persons:

  • employees;
  • co-workers;
  • customers;
  • suppliers, which the Customer processes as an administrator or processor in the case of having the right to further entrusting the processing of personal data.

The Administrator can process the following personal data:

  • to use the contact form: name, surname, company name, e-mail, data submitted in the message
  • basic identification and contact details: name (names) and surname, maiden name, PESEL number, date and place of birth, residence address, identification data allocated by public authorities; electronic identification data;
  • basic contact details such as phone number, e-mail address, residence address; tax identification data;
  • data that laws require the Customer to disclose, for example, marital status, health status, etc.
  • profession and employment; current employment; recruitment; end of work; career; remuneration; assets held by an employee – it is necessary for services provided or for recruitment purposes;
  • for invoices: name and surname, company name, address of residence or business address, NIP, REGON.

In addition, the Administrator may process other categories of personal data, as long as such data cannot be classified as one of the above groups and the processing is carried out for the purposes covered by this notice.

 Such data shall undergo the following operations: collection, recording, organizing, storage, adaptation or modification, downloading, viewing, use, disclosure by sending, distribution or provision, adjustment, and alignment, removal or destruction.

We may share your personal data with the following categories of entities:

  • subcontractors or entities we cooperate with in the processing of data,
  • law firms (solicitors, lawyers, auditors, notaries, accountants of the Administrator),
  • government agencies and public authority bodies within the framework of obligations imposed by law; debt buyers,
  • entities providing postal, courier, or printing services,
  • auditors,
  • control authorities,
  • entities supporting us in our business activities, in particular providers of external systems, e.g. IT services,
  • hosting services,
  • banks,
  • in case of settlements, state authorities or other entities authorized by law, in order to perform duties incumbent of us (Tax Office, KAS, PIP, ZUS, PFRON, GUS).

Your personal data will be stored for a period of:

  • in order to conclude a contract, we store personal data for a period of negotiating the contract to the end of the calendar year following the calendar year in which you contacted us for its conclusion;
  • in connection with the conclusion of the contract, to the end of the processing period for potential claims, and in any case for the period required by law until the end of the processing period for potential contractual claims, for example: In accordance with Art. 74 of the Accounting Act, accounting books and accounting records must be stored for at least five years from the beginning of the next financial year;
  • in order to fulfill the legal obligations of the Administrator – until the expiry of obligations under the law;
  • accounting records, books, and documents related to their maintenance until the expiration of the tax liability period, unless tax law provides otherwise.

As the Administrator, we are obliged to store documents containing data for the periods indicated by law or certain provisions of the contract or if it’s necessary for the proper operation of our company and ensuring compliance with the principles of accountability.

You have the right to:

  • access your personal data and rectify them;
  • remove your data if you think there is no basis for us to process them;
  • limit the processing of your data;
  • transfer your data;
  • lodge an objection;
  • withdraw your consent for the processing without affecting the lawfulness of the processing (if the processing is based on consent) based on the consent granted before its withdrawal.

In addition, when the processing violated the provisions of GDPR, you have the right to bring a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection.


In regard to the processing of data for the purpose referred to in paragraph 1* above, the obligation to provide personal data is a statutory requirement. In regard to the processing for the purposes referred to in paragraph 2** and 3**, the obligation to provide personal data is a contractual obligation – the provision of personal data for the above-mentioned purposes is voluntary but necessary for the conclusion and implementation of the contract with the Administrator

You are required to provide  your personal data otherwise the consequences include

  1. refusal to conclude the agreement, submit a bid;
  2. seeking compensation or refusal to provide our services;
  3. loss of the right to insurance coverage;
  4. negative consequences before state authorities in the form of administrative penalties etc.


Your data may be processed in an automated way, including profiling.


adres pocztowy: Inspektor Ochrony Danych Backoffice Outsourcing Sp. z o.o. Robert Kütz, Al. Stanów Zjednoczonych 72/12, 04-036 Warszawa.