Privacy policy

Grant Thornton Technology Sp. z o.o. (former IMMUSEC Sp. z o.o.) is a company supporting clients in the field of broadly understood security, of which an important element is protection of information security, including protection of privacy. We present this Privacy Policy to show you what actions we take to protect the privacy of our clients, their clients and users visiting our website.


As part of the services provided to clients, generally we do not decide about the purposes and methods of personal data processing or do not process personal data.

“Personal data” is information that concerns living individuals (including individuals conducting business activity based on the entry into the Central Register and Information on Economic Activity) and allows identifying such individuals directly or indirectly (including by linking these individuals’ data with other data held). Examples of personal data types are: first name, last name, home address, e-mail address, PESEL number or location data. Data on corporations, organizational units without legal personality (including contact details of such entities) or deceased individuals, are not personal data.

In case of deciding about the purposes and methods of personal data processing or processing personal data by us as part of our services or for our own activities, we meet the requirements of Regulation (UE) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation), so-called “GDPR”. This means that any personal data will always be processed by us as a personal data administrator or as a processor of personal data (so-called “processor”) and in compliance with obligations that the GDPR imposes on each of these roles.

If we provide services to customers electronically (“Electronic Services”), documents related to such services (primarily the regulations for the provision of electronic services) contain detailed provisions as to whether and how personal data are processed in connection with specific Electronic Services. Below, we present the general principles and requirements of GDPR related to the processing of personal data, which we use (“General Principles”). If you use any of the Electronic Services and the General Rules are contrary to the principles of personal data processing in the Electronic Services you use – priority is always given to the rules set out for your Electronic Service.


We maintain a website at, in Polish and English language versions.

Our website is operated using secure technologies, such as the https protocol, which provides encryption of data sent between the device, from which you visit our website, and the server where our website is located.

In certain situations it is possible that individuals visiting our website will provide us with their personal details. This applies to the following situations:

– filling out the contact form (“Contact Form”);

– submitting an inquiry via the contact form (“Inquiry”);

– sending us your CV in response to a job offer or to register in our CV database (“Curriculum Vitae”).


In the event that personal data is provided to us and we decide about the purposes and methods of its processing, the personal data administrator is: Grant Thornton technology (former IMMUSEC Sp. z o.o.), with its registered office in Warsaw, operating at ul. Chłodna 52, 00-872 Warsaw, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0001057462, NIP: 9512317130, REGON: 142487704.

The administrator of personal data can be contacted at the address indicated in paragraph 1 above, as well as by sending a contact form, located in the “contact” tab on our website or by sending an e-mail to:

Hereby we provide information required by the GPRD regarding the situation when we are the administrator of personal data:

Lp. Processing operation Purpose of personal data processing Legal basis for the processing of personal data The period of storage of personal data
1. Contact Form making a contact to reply to your message depending on the situation:


a) performance of the contract to which you are a party (if you already have a contract with us and you are contacting us via the Contact Form) or taking action on your request, before concluding the contract (when the potential goal of the contact may be the conclusion of a contract between us)

– art. 6 par. 1 letter b) GDPR

b) the legitimate interest of the administrator

– art. 6 par. 1 letter f) GDPR


the legitimate interest lies in the possibility of acquiring new customers or building a positive image of our brand

3 years from the date of sending a message via the Contact Form


2. Inquiry providing you with our commercial offer, for your express order, related to specific services provided by us take action at your request, before concluding the contract

– art. 6 par. 1 letter b) GDPR

3 years from the date of sending an Inquiry, or 5 years in the case when submitting an Inquiry will result in a contract between you and us
3. Curriculum vitae conducting the recruitment process for a specific position or using your CV for the future recruitments the legitimate interest of the administrator

– art. 6 par. 1 letter f) GDPR


the legitimate interest lies in the search for new employees

up to 1 year from the date of sending your CV to us

Providing personal data in connection with the above situations is not a requirement under the law or a condition for entering into any contract with us. However, refusal to provide personal data in the above situations will result in the fact that we will not be able to meet the above-mentioned purposes of processing to individuals.


According to the GDPR, if we are the administrator of your personal data, you have the following rights:

  1. you can get confirmation that your personal data is processed by us;
  2. if we process your personal data, you can obtain information about: (i) the purpose of processing this data; (ii) categories of personal data processed; (iii) recipients of your personal data; (iv) periods of personal data storage; (v) your rights related to the processing of personal data; (vi) the right to lodge a complaint with the supervisory authority; (vii) the source of your personal data – if there was a situation that the data was not collected from you; (viii) applying or not applying of profiling and automatically making decisions about you;
  3. you can get a copy of your personal data which is processed by us.
  1. you can request correction of incorrect personal data or
  2. you may request completion of incomplete personal data if it is related to the purpose of personal data processing.
  1. you may request removal of your personal data, but only if one of the following circumstances occurs: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) personal data have been processed unlawfully; (iii) personal data must be removed in order to comply with a legal obligation under European Union law or the law of the Member State to which we are subject; (iv) personal data were collected in connection with the offering of information society services (in other words, simplifying: services provided via the internet), the processing of which was based on the consent given by the child (we note that we do not provide such services);
  2. in addition, your personal data must be deleted by us when (i) you use the right to object or (ii) you withdraw your consent to the processing of personal data and have no other legal basis for processing.
  1. personal data, the processing of which has been limited, can only be stored by us. We can not perform any other operations on these personal data;
  2. the processing restriction applies when you (i) report that the processing of your personal data is unlawful, but you do not request their removal, only processing restrictions; (ii) we no longer need this personal data for processing but you need it to settle your claims, pursue claims or defend claims;
  3. in addition, the restriction of processing applies when: (i) you question the correctness of your personal data processing – the processing of personal data is limited for the period when we check the correctness of this data; (ii) you object to the processing of your personal data – until it is considered, the only operation allowed on your personal data is its storage.
  1. until the objection is considered, we limit the processing of your personal data;
  2. accepting the objection removes your personal data (exception: they are needed for another purpose for which there is a legal basis for data processing);
  3. it concerns a situation where (i) the basis for processing your personal data is either to perform a task carried out in the public interest or in the exercise of public authority that would be entrusted to us or our legitimate interest; (ii) there are reasons related to your particular situation; (iii) we have no valid, legitimate grounds for processing that override your interests, rights and freedoms and we have no grounds to establish, assert or defend claims.
  4. if the object was made becuse of the use of direct marketing, it is enough to bring it in, and the use of such marketing must be discontinued.
  1. if two conditions are met: (i) processing is done on the basis of consent or for the performance of the contract to which you are a party, or to take action before the conclusion of the contract; and (ii) the processing takes place in an automated manner – you have the right to receive your personal data that we have in an electronic format. You can send such personal data to another administrator;
  2. if technically possible, you can request us to transfer your personal data to another administrator;
  3. executing the right to transfer personal data does not mean that your data will be deleted by us. If you wish that we delete your data, you must clearly indicate it.
  1. We will notify the person making the request about the actions taken in connection with the submitted request – without undue delay, and in any case within 1 month from the date we receive the request.
  2. If we determine that there are no grounds to consider the submitted request, it will notify the person making the request – without undue delay, and in any case within one month from the date we receive the request. In this situation, we will also inform about the reason for not taking action, the possibility of submitting a complaint to the supervisory body and the use of legal protection measures before a court.
  3. If the submitted request proves to be complicated or the number of requests will be large, we may extend the deadline for consideration of the request. The person concerned will be notified about the deadline extension within the original one month from the date of receipt of the request by us, stating the reasons for the delay. The extension may be a maximum of two additional months, which means that the submitted request will be considered within a maximum of three months from the date of receipt of the request by us.


We use cookies on its website. The types of cookies used and the details of their operation can be found in our Cookies Policy.

We may profile your behaviour on our website by using certain third party cookies. Read the current version of the Cookie Policy to find out if, and to what extent, profiling can relate to you. We do not use profiling in other cases.

We never use automatic decision-making for individuals (including this based on profiling).


On our website there are links to other websites, for example social networks and our business partners.

Remember that by clicking on such a link, you go to another website managed by another entity, that may present a different approach to personal data protection and privacy than ours.



IMMUSEC Sp. z o.o.

ul. Chłodna 52
00-872 Warszawa, Polska
Tel. +48 22 205 4800