1. What personal data do you process?

Data included in certificates.

Personal data may be included in certificates in accordance with the application for a certificate. This can be data such as: name, surname, address, company or organization to which the individual is connected, PESEL number, NIP number, identity document number, email.

In the case of qualified certificates, the minimum set of data to be included in the certificate includes: first name, surname and PESEL number, either NIP number or identity document number.

Additional information needed for the implementation of trust services.

In addition to the information contained in the certificate, when providing the service of issuing a certificate, we process additional personal data: e-mail, telephone number, data of the company or organization financing the issue of the certificate.

In the case of contracts for the issuance of a qualified certificate signed in the past, we also collect (and further process) additional data contained in these contracts: registered address, date and place of birth.

In the case of the time stamping service, we process personal data contained in the certificates used to sign time stamping requests.

Personal data obtained from the WWW portal

In the case of registering a user on the WWW portal in order to issue a certificate, we process the following data: data for the issue of the certificate, e-mail address, telephone, information on the status of payment. We do not process data concerning payment details (payment card numbers, etc.) – they are transferred directly to the electronic payment operator.

In case of certificate revocation via WWW, we collect the following data: first name, surname, content of the certificate serial number field (PESEL, NIP, or ID document number), password to revoke the certificate, IP number of the computer from which the operation was performed.


Cookies are small text files that are stored on your computer or mobile device while you are using websites. They are used to provide optimal service during your visit to our website and enable faster and easier access to information.

Our website uses cookies. They are not used to process personal data and their content does not allow the user to be identified. You can block and restrict the installation of  cookies by changing the settings of your browser or using the appropriate software. However, if the user rejects cookies, some of the functions of the Website may not work properly, which may even result in the user being unable to use the Website properly. Information on changing browser settings can be found on the pages of the respective browser providers.

Google Analytics and access log information

We use Google Analytics. For more information on how Google Analytics collects and processes data, please visit the website at https://www.google.com/intl/pl/policies/privacy/partners/. To control the information sent as part of Google Analytics, you may, among other things, install the Google Analytics blocking browser add-on or use your browser in incognito mode.

In accordance with the practice adopted by most websites, we may use web logs and IP addresses of users in order to collect information on the use of the website, diagnose errors related to the operation of the server, analyze possible security breaches and manage the website. These data are also used for statistical purposes. This data is not associated with specific users.


  1. For what purpose do we process personal data?

We process your personal data in the following situations:

  • Providing trust services.
  • Complaint handling.
  • Statistical analysis.
  • Security of rights and claims.


  1. Where do we obtain personal data from?

We obtain personal data primarily from data subjects.

In case of ordering certificates by a company or organization, the data used for the preparation of certification applications may be made available or entrusted to us by that company or organization. Once a previously prepared request has been signed by the data subject (with the possibility of data correction), the data shall be further processed as having been obtained from the data subject.

Unqualified certificates may be issued on the basis of data provided by the company or organisation financing the issue of certificates, which has the right to provide data.


  1. Who do we transfer personal data to?

We do not transfer or share personal data for purposes not related to the performance of trust services.

Personal data is processed by authorised Enigma staff. We may also entrust personal data, on the basis of an agreement, to companies cooperating with us as Registration Points – solely for the purpose of providing a given trust service.

Personal data may be made available to an electronic payment operator to the extent necessary to prevent, investigate and detect fraudulent activities related to the execution of payment services and the operation of a payment system by the competent authorities in accordance with the Payment Services Act of 19 August 2011.

Personal data may be made available to entities authorised to do so on the basis of generally applicable law.


  1. How do we secure personal data?

We apply technical and organizational measures to ensure the protection of the processed personal data referred to in art. 36-39 of the Act on Personal Data Protection and meet the requirements set out in art. 39a of the aforementioned Act, and in particular we protect the data against unauthorised access, collection by an unauthorised person, processing in breach of the applicable regulations and change, loss, damage or destruction.


  1. How long do we process personal data?

The personal data referred to in Article 17.1 of the Act of 5 September 2016 on trust services and electronic identification (e.g. data contained in certificates, applications or agreements for the issuance of a certificate, requests for certificate revocation) shall be stored for 20 years from the date of their development.

We store the data contained in logs related to the trust services provided for a maximum of 4 years after their development.

Data contained in unqualified certificates are processed until the end of the validity period of the Certification Centre key (indicated by a given DN identifier) used for signing certificates.


  1. The right to control and information

Each user has the right to control the processing of data relating to him or her, including the right to inspect, correct, request the completion, updating, rectification or deletion of his or her data, as specified in the applicable legislation.

In order to exercise these rights, you can contact us through the Central Registration Point.


  1. Profiling

We do not process personal data in order to target dedicated marketing content using profiling without your specific and informed consent.


  1. Formal information

Personal data controller.

„Administratorem danych osobowych” w rozumieniu ustawy z dnia 29 sierpnia 1997 r. o ochronie danych osobowych oraz „administratorem” w rozumieniu RODO jest Enigma Systemy Ochrony Informacji sp. z o.o..

The “personal data controller” within the meaning of the Personal Data Protection Act of 29 August 1997 and the “controller” within the meaning of the GDPR is Enigma Systemy Ochrony Informacji sp. z o.o..

In cases of processing of data on the basis of entrustment, the controllers are the relevant entities.