Privacy Policy.

Who is the controller of your data?
Przedsiębiorstwo Handlu Zagranicznego “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa.

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa.
By e-mail: rodo@baltona.pl.

How can you contact the data protection officer?
rodo@baltona.pl.

What are the purposes of and the basis for our processing of your personal data?

• To take steps at your request necessary to enter into a contract (Article 6.1(b) of the GDPR).
• To carry out the recruitment process within the scope arising directly from the provisions of law, including but not limited to Article 22(1) § 1 of the Labour Code (Article 6.1 (c) of the GDPR).
• To carry out the requirement process if your provide voluntarily data other than those required by the provisions of law (Article 6.1(a) of the GDPR). NOTE: It the candite provides information exceeding the minimum scope of data required by the labour law, it is an explicit action equal to giving consent to the processing of such data for the purpose of the recruitment process.
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR, and where special categories of data are provided, also Article 9.2(f) of the GDPR).
• To consider you as a candidate in future recruitment processes, if you give additional consent (Article 6.1(a) of the GDPR).
• To verify your credentials, if you give additional consent (Article 6.1(a) of the GDPR).
• To share your pseudonymised CV (applies to selected candidates) with (premium brand) suppliers in order for the Controller to pursue the legitimate interest (Article 6.1(f) of the GDPR) consisting in enabling such suppliers to verify the (selected) candidate’s abilities to sell premium products.

How long will we process your data?
The data will be stored until the end of the recruitment process and for a period of 4 months thereafter, so that we can contact you should we decide to hire you in that additional period.

If in the course of the recruitment process or within 4 months thereafter – we become aware of a need to defend legal claims arising from the recruitment process carried out, then the data will be stored until the claim limitation period expires. If you are hired, we will continue to process your data in accordance with the periods applicable for an employee/a contractor.

Data of persons who provide credentials will be stored no longer than for the period of storing your application documents.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

If we process specific data based on your consent (Article 6.1(a) of the GDPR) and you withdraw your consent before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until you withdraw your consent.

Which of your data do we process?
Normally, we process those data which you provide to us yourself, namely the data contained in your application documents. Those include, but are not limited to, your contact details, data regarding your qualifications or experience.

In the course of the recruitment process, we may also collect additional data, e.g., data provided verbally during the interview, data regarding test results.

Where do we get your data from?
Normally, we collect data directly from you. If we use e.g. services of recruitment agencies (including temporary employment agencies) or entities supporting and organising recruitments processes (e.g. Polish Airports Academy sp. z o.o.) which acquire candidates and then provide us with their data, the agencies or the said entities are the source of data.

Do you have to provide us with your data?
Providing some data is the candidate’s statutory obligation, especially the data referred to in Article 22(1) § 1 of the Labour Code (name(s) and surname, date of birth, contact details named by you, education, professional qualifications, your employment history). Providing some data may also be a condition to enter into the employment contract/cooperation contract.

What will happen if you do not provide us with your data?
If you do not provide the data the provision of which is a statutory or contractual obligation, we will not be able to carry out the recruitment process, and thus we will not be able to hire you.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• providers of IT recruitment tools,
• providers of IT tools to store your data,
• entities supporting our recruitment process and verification of candidates (inter alia, Polish Airports Academy sp. z o.o.), including temporary employment agencies,
• suppliers of premium brands (applies to selected candidates),
• healthcare facilities which conduct occupational medical check-ups if we decide to hire the candidate.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To perform the employment contract / civil-law contract (Article 6.1(b) of the GDPR).
• To maintain accounting and financial reporting (Article 6.1(c) and (f) of the GDPR).
• To exercise rights regarding labour law, social security and social protection (Article 6.1(c) and Article 9.2(b) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR, and where special categories of data are provided, also Article 9.2(f) of the GDPR).
• Fulfilment of the Controller’s legal obligations towards temporary workers, in particular the keeping of temporary worker records, working time records and health and safety obligations – if you are a temporary worker (Article 6(1)(c) of the GDPR).
• To comply with the Controller’s legal obligations, including but not limited to those arising from the provisions of labour law, which we understand also as compliance with obligations towards the Social Insurance Institutions, the Tax Office, National System of e-Invoices or the National Health Fund, obligations regarding health and safety at work, settlement of any receivables, archiving personnel files (Article 6.1(c) and Article 9.2(b) of the GDPR).
• The purposes stated in the consents to the processing of personal data, if any (Article 6.1(a) of the GDPR, Article 9.2(a) of the GDPR).
• To ensure organising work in a way to enable full utilisation of working time and proper use of the working tools made available to the employee or the contractor, including company cars – GPS – if you are a company car user (Article 6.1(f) of the GDPR).
• To ensure safety for persons staying at the organisation’s premises and protection of property, including by use of a video surveillance system (Article 6.1(f) of the GDPR).
• To organise social events and initiatives, if you express the wish to participate in the same (Article 6.1(f) of the GDPR).
• Fulfilment of the Controller’s legal obligations relating to countering the risks of sex offences against children, i.e. 1. in order for the Controller to check whether the person’s data is listed in the Sex Offender Registry (Restricted Access Registry and State Commission Registry), 2. in order for the Controller to verify the information from the National Criminal Register submitted to it by the person; 3. (in the case of a foreign national) in order for the Controller to verify the criminal record information from the state of nationality obtained for the purposes of professional or voluntary activities involving contact with children or, in the absence of the above, the criminal record information from that state or, in the absence of the above, a declaration that this state does not penalise for the offences indicated by law where that state does not maintain a criminal record; 4. in order for the Controller to verify the declaration of the state(s) in which the person has lived during the past 20 years, other than the Republic of Poland and the country of nationality, together with the submission of information on the criminal records of these states obtained for the purposes of professional or voluntary activities involving contact with children or, in the absence of the above, information from the criminal record of the country/countries concerned, or, in the absence of the above, a declaration that this state(s) does not penalise for the offences indicated by law where that state does not maintain a criminal record – before the person is allowed to engage in other activities related to the upbringing, education, recreation, treatment or care of minors – if you are an employee/co-worker of the Flyport Education and Entertainment Zone (Article 10 of the GDPR in connection with Article 6(1)(c) of the GDPR in connection with Article 3 in connection with Article 12(6)) and in connection with Article 21(1) and (2) of the Act of 13 May 2016 on countering the risk of sex offences (i.e. Journal of Laws 2023, item 31 as amended),
• Organisation of events and social initiatives, if you express your willingness to participate (Article 6(1)(f) of the GDPR).
• Performance of contracts with customers, contractors and suppliers of the Controller (Article 6(1)(f) of the GDPR).
• To conduct marketing of products and services of the Controller for potential clients, using personal data of employees/ contractors under civil-law contracts (Article 6.1(f) of the GDPR).
• Use of contact details provided by the employee (telephone number and/or e-mail address) for the purposes of internal communication, HR matters and the fulfilment of the employer’s obligations under the law (Article 6(1)(a) of the GDPR).
• Fulfilment of the legal obligations incumbent upon the controller in relation to compliance with the security requirements applicable to deliveries to airport premises, in particular those concerning the issuance and administration of personal access passes, the conduct of the required background checks, including criminal record checks, the provision of civil aviation security training, the verification of compliance with the conditions governing access to restricted areas, and the application of airport supply security measures in accordance with the Security Programme for Known Suppliers to the Airport, as required under the regulations governing civil aviation security and airport security (Article 6(1)(c) of GDPR) – where you are an employee or contractor covered by the Security Programme for Known Suppliers to the Airport.

How long will we process your data?
The data will be stored for a period of 10 years from the end of the calendar year in which the employment relationship expires/is terminated, if the relationship was established on or after 01.01.2019.

The data will be stored for a period of 50 years from the end of the calendar year in which the employment relationship expires/is terminated, if the relationship was established before 01.01.2019.

In respect of contractors under civil-law contracts, the data will be stored until the expiry of the limitation periods regarding claims arising from the contract or the expiry of the data storage obligations arising from provisions of law, including but not limited to the storage of accounting documents and under the regulations governing civil aviation security and airport security.

The video surveillance footage will be stored for up to 3 months, and where necessary for the purpose of the establishment, exercise or defence of legal claims – until the claims are finally satisfied or until the limitation period expires.

Data of temporary employees will be processed for the period arising from legal provisions regarding temporary employment or until the expiry of the limitation period regarding claims under the agreement between the Controller and the temporary employment agency; or alternatively until a reasoned objection is filed, in a situation where the legal basis for the processing of personal data is the legitimate interest of the Controller.

Personal data of the Flyport Education and Entertainment Zone employees/co-workers collected in connection with countering the risk of sex offences and protecting minors in the form of hard copies of information from the Sex Offenders Registry and information from the National Criminal Register provided by the person employed will be kept for the duration of storage of the employee’s personnel file or documentation relating to the person admitted to work with children.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

If we process specific data based on your consent (Article 6.1(a) of the GDPR) and you withdraw your consent before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until you withdraw your consent.

Which of your data do we process?
Upon the moment of hiring you we process the data which you provide to us yourself. Those are data which are necessary in order to enter into the employment contract or the civil-law contract – also data relating to the performance of a number of the employer’s obligations, such as data regarding your family members, your disability, or your ability to work.

If you are an employee/co-worker of the Flyport Education and Entertainment Zone, in relation to our organisation’s Child Protection From Harm Policy and legislation, we will obtain from you the data necessary for verification relating to counteracting the risk of sex offences against children.

If you are a temporary employee, we collect your data from the temporary employment agency: name, surname, telephone number; we also may receive some data relating to temporary employment directly from you.

If you are an employee or contractor subject to the requirements arising from the regulations governing civil aviation security and airport security, we may also process data necessary for obtaining access passes and carrying out the required verification procedures, in particular identification data and data contained in identity documents, information relating to criminal records or data obtained in connection with background checks, information concerning employment, education and gaps in employment or education, as well as data contained in certificates confirming completion of civil aviation security training.

In the course of your employment or civil law contract, we acquire a range of new data about you. These include, for example, data on training courses you have attended, data on your use of employee benefits, your image (obtained, for example, in connection with the production of a promotional film or to improve internal communication, onboarding of a new employee/co-worker), data on your activity in the resources made available to you (so-called logs), data on your geolocation if you use a company car and a number of other data which may vary at different stages of the duration of your employment or civil law contract.

Where do we get your data from?
Normally, we collect data directly from you.

In exceptional cases we collect such data from sources other than from you. An example of such a situation is a receipt of a seizure by a court enforcement officer, which the employer is obliged to comply with. Another example is a situation where we received the data from a temporary employment agency which is your employer. We received from the agency the following personal data: name and surname, telephone number.

Do you have to provide us with your data?
The provision of certain data is a statutory obligation for an employee employed under an employment contract, in particular, the data referred to in Article 22(1) of the Labour Code or those specified in the Act on the Employment of Temporary Workers or, in relation to both employees and co workers, other special provisions relating to countering the risks of sex offences against children – if you are an employee/co-worker of the Flyport Educational and Entertainment Zone. The provision of certain data may also be a condition for the conclusion of an employment or civil law contract.

What will happen if you do not provide us with your data?
If you do not provide the data the provision of which is a statutory or contractual obligation, we will not be able to hire you or to comply with your rights / our obligations arising from specific provisions of law.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• our clients,
• our business partners,
• our suppliers, including providers of the services referred to below,
• suppliers of IT tools to store your data or entities which have access to your data in the course of IT system maintenance,
• our auditors,
• providers of accounting, HR and legal services,
• temporary employment agencies,
• website users, social media users, or other public, if your data are made public,
• providers of services of destruction and archiving of documents and other data storage devices,
• providers of courier and postal services,
• healthcare facilities,
• banks, social insurance companies and other financial and payment institutions,
• provides of security services and services of monitoring work tools, e.g. GPS,
• providers of training services,
• hotels and transportation companies,
• entities providing services in the form of employee benefits (e.g. Benefitsystems -Multiport),
• airports,
• shareholders,
• to airports and airport operators, and the President of the Civil Aviation Authority (UCL), in connection with the need to ensure compliance with the security requirements applicable to deliveries to airport premises.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To perform a contract with the business partner or in order to take steps prior to entering into a contract at the request of the business partner expressed in any manner whatsoever, e.g. by filling in the online contact form or in an e-mail (Article 6.1(b) of the GDPR – if you are a business partner; Article 6.1(f) of the GDPR – if you are a natural person acting for or on behalf of the business partner).
• To comply with legal obligations, including but not limited to tax and accounting obligations (Article 6.1(c) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).
• Fulfilment of the legal obligations incumbent upon the controller in relation to compliance with the security requirements applicable to deliveries to airport premises, in particular those concerning the issuance and administration of personal access passes, the conduct of the required background checks, including criminal record checks, the provision of civil aviation security training, the verification of compliance with the conditions governing access to restricted areas,arising in particular from the regulations governing civil aviation security and airport security, including the Annex to Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security – additionally, where you are a contractor or a member of the contractor’s personnel covered by the Security Programme for Known Suppliers to the Airport (Article 6(1)(c) of GDPR).

How long will we process your data?
The personal data will be stored until the expiry of the limitation periods regarding claims arising from the contract with the business partner.

Specific data will be also stored until the expiry of the data storage obligations arising from specific provisions of law, including but not limited to the obligation to store accounting documents.

The data will be processed from the date on which the entity is designated as a known supplier for the duration of that status, and thereafter for a period of 6 months following its withdrawal. Irrespective of the above, certain data may be retained for longer periods until the expiry of mandatory retention periods laid down by specific regulations, in particular those governing civil aviation security and airport security.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

Which of your data do we process?
Our business partner (a party to a contract) may be a natural person or an institution (e.g. a commercial company). In the latter case, we do not process the personal data of the institution, but personal data of persons acting on behalf of the institution, e.g., the president, the attorney or the contact persons for the performance of the contract.

Before entering into the contract with the business partner, we collect data necessary in order to enter into negotiations as to the terms and conditions of the cooperation. Usually those are basic contact details such as the name and surname, e-mail address, telephone number. In respect of business partners who are natural persons, before entering into the contract, we collect additional data necessary in order to enter into the contract, e.g. PESEL number or the residence address.

During the term of the contract with the business partner we collect or process other data, such as e.g. data regarding invoices issued by the business partner or data regarding generally the cooperation history.

If you are a contractor or a member of a contractor’s personnel subject to the requirements arising from the regulations governing civil aviation security and airport security, your personal data, including identification data (such as your name and surname and data disclosed in public registers), contact details (including your business e-mail address, business telephone number and the name of the entity you represent), as well as, to the extent necessary for obtaining access passes and carrying out the required verification procedures, data contained in identity documents, information relating to criminal records or data obtained in connection with background checks, information concerning employment, education and gaps in employment or education, and data contained in certificates confirming completion of civil aviation security training, will be processed for the purpose of conducting proceedings for the designation of a known supplier to Warsaw Chopin Airport and for ensuring protection and security within the airport premises.

Where do we get your data from?
Normally, we collect data directly from you.

Your personal data may be collected from another source – e.g. from our business partner – the company (if you are an employee or a representative of the company). Sometimes we collect personal data from the so-called business intelligence agencies if we wish to verify the business partner before entering into cooperation.

Do you have to provide us with your data?
Providing some of the data is necessary in order to enter into and thereafter to perform the contract.

What will happen if you do not provide us with your data?
If you do not provide the data the provision of which is the condition to enter into the contract, it will not be possible to enter into the contract.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• suppliers of IT tools to store your data or entities which have access to your data in the course of IT system maintenance,
• our auditors or experts,
• providers of accounting or legal services,
• providers of services of destruction and archiving of documents and other data storage devices,
• providers of courier and postal services,
• banks and other financial and payment institutions,
• our clients,
• airports.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To perform a contract with the client or in order to take steps prior to entering into a contract at the request of the client expressed in any manner whatsoever, e.g. by filling in the online contact form (Article 6.1(b) of the GDPR – if you are a client; Article 6.1(f) of the GDPR – if you are a natural person acting for or on behalf of the client).
• To examine and handle a complaint or a notification filed (Article 6.1(f) of the GDPR).
• To comply with legal obligations, including but not limited to tax and accounting obligations (Article 6.1(c) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).

How long will we process your data?
The personal data will be stored until the expiry of the limitation periods regarding claims arising from the contract with the client (in principle for 3 years from the maturity date of the claim).

Specific data will be also stored until the expiry of the data storage obligations arising from specific provisions of law, including but not limited to the obligation to store accounting documents.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

Which of your data do we process?
Our client (a party to a contract) may be a natural person or an institution (e.g. a commercial company). In the latter case, we do not process the personal data of the institution, but personal data of persons acting on behalf of the institution, e.g., the president, the attorney or the contact persons for the performance of the contract.

Before entering into the contract with the client, we collect data necessary in order to present an offer. Usually those are basic contact details such as the name and surname, e-mail address, telephone number. In respect of clients who are natural persons, before entering into the contract, we collect additional data necessary in order to enter into the contract, e.g. data from the boarding pass.

During the term of the contract with the client we collect or process other data, such as e.g. data regarding complaints notified, including the name and surname and the bank account number of the account owner (named by the client) to which the refund is to be made if the complaint is granted.

Where do we get your data from?
Normally, we collect data directly from you.

We may also collect the data from our clients if you are the owner of the bank account to which the refund is to be made if the complaint is granted.

Do you have to provide us with your data?
Providing some of the data is necessary in order to enter into and thereafter to perform the contract.

What will happen if you do not provide us with your data?
If you do not provide the data the provision of which is the condition to enter into the contract, it will not be possible to enter into the contract.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• our suppliers, including providers of the services referred to below,
• suppliers of IT tools to store your data or entities which have access to your data in the course of IT system maintenance,
• providers of accounting or legal services,
• providers of services of destruction and archiving of documents and other data storage devices,
• providers of courier and postal services,
• banks and other financial and payment institutions,
• marketing companies,
• our business partners.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• The Controller’s promotion, including with the use of social media (Article 6.1(f) of the GDPR).
• To organise and conduct contests, including to handle entries, to inform about the results and to select winners and to award and to present contest prizes, which constitutes the Controller’s legitimate interest (Article 6.1(f) of the GDPR).
• The purposes stated in the consents to the processing of personal data, if any (Article 6.1(a) of the GDPR).
• To comply with obligations arising from provisions of law, including those relating to taxes and accounting (Article 6.1(c) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).

How long will we process your data?
Personal data will be stored until an objection to marketing is filed.

Specific data will be also stored until the expiry of the data storage obligations arising from specific provisions of law, including but not limited to the Electronic Communications Law (in principle for 3 years from the maturity date of the claim).

Data of contest participants will be stored for a period that is necessary in order to achieve the purpose for which the data were collected, namely realising and organising the contest, as well as for the claim limitation period (in principle for 3 years from the maturity date of the claim).

Your image will be stored as long as the legal basis to disseminate the image remain valid, and if a contract is entered into – until the limitation of the claims arising from the contract (in principle for 3 years from the maturity date of the claim).

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

If we process specific data based on your consent (Article 6.1(a) of the GDPR) and you withdraw your consent before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until you withdraw your consent.

Which of your data do we process?
Name, surname, e-mail address, telephone number, postal address, image.

Where do we get your data from?
Normally, we collect data directly from you.

Do you have to provide us with your data?
Providing the data is not a contractual obligation nor a statutory obligation.

What will happen if you do not provide us with your data?
No consequences due to the above.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• our suppliers, including providers of the services referred to below,
• providers of marketing activities,
• suppliers of IT tools to store your data or entities which have access to your data in the course of IT system maintenance,
• providers of accounting or legal services,
• providers of services of destruction and archiving of documents and other data storage devices,
• providers of courier and postal services.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To promote the Controller’s business using social media and to enable social media users to contact the Controller (Article 6.1(f) of the GDPR).
• To conduct analysis and statistics regarding the users’ use of the Controller’s social media profiles (Article 6.1(f) of the GDPR).

How long will we process your data?
We store/process your data as long as we hold the same in the given social medium. We do not delete posts or comments under the posts (unless they are in breach of the regulations) or private messages sent to us.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted. In practice it means that in such a situation we will delete your data from the post or your private message.

Which of your data do we process?
Normally, those are the data which you share with us yourself by the mere fact of using our social media profile. Hence, we process data relating the fact that you like/follow our profile, as well as the contents of your comments or private messages. It will also often include your name and surname, although it depends on your user name in the given social medium. We may also derive some statistical data on the basis of your social media activity, e.g. regarding your interests in particular topics.

Where do we get your data from?
Normally, we collect data directly from you.

Do you have to provide us with your data?
Providing the data is not a contractual obligation nor a statutory obligation.

What will happen if you do not provide us with your data?
No consequences due to the above.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• suppliers of IT tools to process your data, including entities providing so-called tracking technologies,
• marketing agencies, in particular if we engage the agencies to maintain our social media profiles.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Latest revision date
11.01.2024

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To ensure safety for persons and property at the Controller’s premises by recording image of persons staying at such premises (Article 6.1(f) of the GDPR).
• In case of employees of the Controller, the purpose of the video surveillance is also to maintain confidentiality of information the disclosure of which could expose the employer to damage (Article 6.1(f) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).

How long will we process your data?
The basic surveillance data storage period is 3 months from the date of recording the footage. Due to so-called overwriting of data caused by a limited data storage space, such data may be erased earlier.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

Which of your data do we process?
Your image.

Where do we get your data from?
You are the source of the data, we do not collect your image from other entities.

Do you have to provide us with your data?
Providing the data is not a contractual obligation nor a statutory obligation.

What will happen if you do not provide us with your data?
No consequences due to the above. Simultaneously, technically it is not possible to enter the Controller’s premises without being recorded by the surveillance cameras.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• suppliers of IT tools to process your data.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• Evaluation of the submitted offers using the recordings made available to suppliers, followed by selection of the supplier. The legal basis is legitimate interest (Article 6(1)(f) of the GDPR), consisting in enabling the selection of the best supplier and testing the solution.
• Testing the solution by analysing recordings. The legal basis is legitimate interest (Article 6(1)(f) of the GDPR), consisting in testing the solution and finding the most effective method of analysis.
• Post-event analysis (not in real time) of customer interest in product categories in the current product shelf arrangement. The legal basis is legitimate interest (Article 6(1)(f) of the GDPR), consisting in an improvement of our services.
• Post-event (not real-time) analysis of recordings from the checkout area in terms of queue waiting time, number of people in the queue, queue exits, customer service time, purchase cancellations, correlation with the number of cashiers working. The legal basis is legitimate interest (Article 6(1)(f) of the GDPR), consisting in an improvement of our services.

How long will we process your data?
We retain your personal data for 3 months. Afterwards, we only store aggregate data that is not linked to specific individuals.

If we process certain data on the basis of the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) and you raise a justified objection to the processing before the end of the basic retention period, the data will be processed for that specific purpose for a shorter period, i.e. until your objection is taken into account.

Which of your data do we process?
Your image and information about your journey in our store.

Where do we get your data from?
You are the source of the data.

Do you have to provide us with your data?
Providing the data is not a contractual obligation nor a statutory obligation.

What will happen if you do not provide us with your data?
No effect due to the above. At the same time, it is technically impossible to enter the Controller’s premises without being recorded by CCTV cameras.

Who are the recipients of your data – processors and separate controllers?
Receivers are external entities to whom we transfer your data. We transfer your data to:

• state authorities or other entities authorised by law, if this is necessary to fulfil legal obligations,
• providers of IT solutions for the analysis of recordings.
• entities that provide us with IT tools for processing your data.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
We process your data using artificial intelligence, which draws general conclusions on the basis of aggregated information about our customers’ behaviour. The purpose of processing is not to assess a specific person.

We will not make automated decisions on the basis of your data, i.e. decisions without human involvement.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• To perform the legal obligations of the Controller with regard to appointing and later activities of the members of the Management Bord and the Supervisory Board (Article 6.1(c) of the GDPR), with regard to complying with the Articles of Association of the company relating to the functioning of the Company’s authorities (Article 6.1(f) of the GDPR).
• To perform the contract or another legal relationship under which the member of the Management Board or of the Supervisory Board holds the office (Article 6.1(b) of the GDPR),
• To comply with your rights and the Controller’s obligations arising from provisions of law regarding social security, health insurance, employee capital plans, taxes, accounting (Article 6.1(c) and Article 9.2(b) of the GDPR).
• To comply with obligations imposed on the Controller under provisions of law, including but not limited to the Commercial Companies Code, the Act on the National Court Register, the Act on the rules for managing state property relating to bookkeeping and reporting, accounting and tax settlements (Article 6.1(c) of the GDPR).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).

How long will we process your data?
The personal data will be processed for the period required by specific provisions of law.

Data will processed for the purpose of the establishment, exercise or defence of legal claims util the date of the until the claims limitation periods expire.

If we process specific data on the basis of the legitimate interests of the Controller (Article 6.1(f) of the GDPR) and you file a reasoned objection to the processing before the end of the basic storage period, then for the specific purpose your data will be processed for a shorter period, namely until your objection is granted.

Which of your data do we process?
Name, surname, date of birth, PESEL number / identity document number, residence address, address for service, telephone number, e-mail address, education and employment history, licences and certificates, image, bank account number, data relating to verification of rights to sick leaves and other relating to social security, data regarding no criminal record.

Where do we get your data from?
In principle, we process data provided by you. If you did not provide us with your data, we collected such data from our shareholder.

Do you have to provide us with your data?
In principle, providing the data is voluntary, but in respect of some data it may be a statutory obligation arising, inter alia, from the provisions of commercial law.

What will happen if you do not provide us with your data?
No possibility of being a candidate for or holding an office in the authorities of the Controller.

Who are the recipients of your data – processors and separate controllers?
The recipients are third parties to whom we transfer your data. We transfer your data to:

• state authorities or other entities entitled under provisions of law – where necessary for the compliance with legal obligations,
• suppliers of IT tools to process your data,
• providers of HR, accounting, or legal services,
• providers of audit and tax services,
• providers of services of destruction and archiving of documents and other data storage devices,
• shareholders.

Will we transfer your data to third countries, namely outside the European Economic Area?
No, we will not transfer your data outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. Your will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• The Controller’s legal obligation – to verify and examine a reported breach of law (Article 6.1(c) of the GDPR in conjunction with the Whistleblowers Protection Act dated 14 June 2024 (hereinafter: the “Act”).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).
• In a situation where the whistleblower has consented to disclosing their identity (Article 6.1(a) of the GDPR).
• In a situation where data of a special category are processed (Article 9.2(f) of the GDPR).

How long will we process your data?
The personal data and other information in the internal reports register are stored by the Controller for a period of 3 years after the end of the calendar year in which the follow-up was completed or after the proceedings initiated by such follow-up ended.

Which of your data do we process?
Name, surname, title, information, if applicable, about the whistleblower’s participation in the reported breach/actions taken by the whistleblower.

Where do we get your data from?
We collect your data from you.

Do you have to provide us with your data?
The obligation for the reporting person to provide their data or the right to anonymous reporting are regulated by the Internal Reporting Procedure.

What will happen if you do not provide us with your data?
The Internal Reporting Procedure provides that anonymous reports will not be examined, which means that it will not be possible to initiate the procedure to verify your report.

Who are the recipients of your data – processors and separate controllers?
The controller does not plan to make the personal data processed in the course of the breach reporting procedure available in the meaning of Article 4(9) of the GDPR, except as provided for in applicable provisions of law.

Will we transfer your data to third countries, namely outside the European Economic Area?
Data will not be transferred outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. You will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.

Who is the controller of your data?
PRZEDSIĘBIORSTWO HANDLU ZAGRANICZNEGO “BALTONA” S.A. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 49, 02-146 Warszawa

How can you contact the data controller?
By post: ul. Komitetu Obrony Robotników 49, 02-146 Warszawa
By e-mail: rodo@baltona.pl

How can you contact the data protection officer?
rodo@baltona.pl

What are the purposes of and the basis for our processing of your personal data?

• The Controller’s legal obligation – to verify and examine a reported breach of law (Article 6.1(c) of the GDPR in conjunction with the Whistleblowers Protection Act dated 14 June 2024 (hereinafter: the “Act”).
• For the Controller to pursue the legitimate interests consisting in the establishment, exercise or defence of legal claims (Article 6.1(f) of the GDPR).
• In a situation where data of a special category are processed (Article 9.2(f) of the GDPR).

How long will we process your data?
The personal data and other information in the internal reports register are stored by the Controller no longer than for a period of 3 years after the end of the calendar year in which the follow-up was completed or after the proceedings initiated by such follow-up ended.

Which of your data do we process?
The person concerned: name, surname, title, circumstances of the attributed breach.
Witness: name, surname, information, if applicable, about the witness’s participation in the reported breach/actions taken by the witness.

Where do we get your data from?
We collected your data in relation to the breach report in the meaning of the Act, including but not limited from the reporting person.

Do you have to provide us with your data?
The controller does not plan to make the personal data processed in the course of the breach reporting procedure available in the meaning of Article 4(9) of the GDPR, except as provided for in applicable provisions of law.

Will we transfer your data to third countries, namely outside the European Economic Area?
Data will not be transferred outside the European Economic Area.

Will we make automated decisions based on your data?
No, we will not make automated decisions, namely decisions without human intervention, based on your data.

What are your rights?

• You have the right of access to your data – within the limits of Article 15 of the GDPR.
• You have the right to rectification of your data – within the limits of Article 16 of the GDPR.
• You have the right to erasure of your data – within the limits of Article 17 of the GDPR.
• You have the right to restriction of processing of your data – within the limits of Article 18 of the GDPR.
• You have the right to portability of your data – within the limits of Article 20 of the GDPR.
• You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent shall not, however, affect the lawfulness of processing based on consent before its withdrawal.

How can you file an objection to the processing of your data?
If you wish to exercise your right to file an objection, contact us. You will find the contact details in the section How can you contact the data protection officer?.

How can you lodge a complaint with the Personal Data Protection Office?
If you believe that we process your personal data unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office [Polish: Prezes Urzędu Ochrony Danych Osobowych]. More information in this regard is available from the website of the Office.