Warsaw, 21.05.2018


PERSONAL DATA PROTECTION POLICY


Contents

1.       Introductory provisions

2.       Glossary of terms

3.       Personal data

4.       Basics of Personal Data Protection in the Enterprise

5.       Personal Data Protection System

6.       Register

7.       Fulfillment of obligations towards data subjects

8.       Data minimization

9.       Security

10.      Rules for archiving and storing collected documentation containing Personal Data

11.      Removal of personal data

12.      Personal data protection breach

13.      Processing entrustment

14.      Transfer of Personal Data within the Enterprise

15.      Transfer of data to a third country

16.      Final provisions


Taking into account the obligations arising from Article 25 and Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), and in order to ensure that personal data in Designers sp. z o.o. are processed and secured in accordance with the law, Designers sp. z o.o. implements appropriate technical and organisational measures designed to give effect to the data protection principles and to provide the processing with the necessary safeguards, and ensures that, by default, only those personal data that are necessary for each specific purpose of processing are processed.


1.     Introductory provisions

1.1.     The Policy specifies the principles of processing and securing Personal Data in the Enterprise in order to ensure compliance of Processing with the requirements of the GDPR and the provisions of mandatory Polish law regarding the processing of personal data. The Policy constitutes a collection and basis of the requirements, procedures and principles of personal data protection implemented in the Enterprise. The Policy includes:

                                     I.             a description of the data protection principles applicable in the Enterprise;

                                  II.            a set of procedures, instructions and detailed regulations concerning the processing of Personal Data in the Enterprise, covering individual areas of personal data protection, constituting annexes to the Policy.

1.2.     The Policy applies to all Employees and associates of the Company. The following are responsible for observing and maintaining the provisions of the Policy:

                                     I.             the Company;

                                  II.            organizational units established in the Enterprise in which Personal Data are processed;

                                III.            Employees.

1.3.       For the effective implementation of the Policy, taking into account the scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons, of varying likelihood and severity, the Company ensures:

                                     I.            implementation of appropriate technical and organizational measures to ensure compliance of the processing of Personal Data with legal requirements and the necessary security of the processed Personal Data;

                                  II.            securing IT system resources, technical infrastructure, equipment and accessories against destruction, damage or theft;

                               III.            preventing access by unauthorized persons to Personal Data contained in computer systems and stored in paper form;

                               IV.            constant monitoring of the compliance of the processing of Personal Data with legal requirements and subjecting the measures referred to in point I above to continuous review and updating;

                                 V.            controls and supervision over the processing of Personal Data.

1.4.            Supervision over compliance with the provisions of the Policy is ensured by the Management Board of the Enterprise. The supervision referred to in the preceding sentence aims in particular, but not exclusively, to ensure that activities related to the processing of Personal Data in the Enterprise are in accordance with the requirements of the law and the provisions of the Policy.

1.5.            The Company shall ensure that the conduct of the Company's contractors, in particular the Processors, complies with the provisions of the Policy to the appropriate extent in all situations in which Personal Data is transferred to these entities for processing, including storage.

1.6.            The Policy is stored and made available in paper and electronic form at the Company's headquarters.

1.7.            The Policy is made available:

                                       I.          on a mandatory basis to all persons authorized to process Personal Data in the Enterprise, in order to provide them with appropriate knowledge and information on the principles and requirements regarding Personal Data processing in the Enterprise;

                                    II.          to interested parties, in particular natural persons whose data is processed, at their request.

2.     Glossary of terms

Whenever the following definitions or phrases are used in this Policy, they shall have the following meanings:

1)      IT System Administrator – means a person responsible for supervision and security of IT systems used in the Enterprise and the IT infrastructure;

2)      Personal data – means information about an identified or identifiable natural person, such as name, surname, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person; referred to in Article 4, point 1 of the GDPR;

3)      Sensitive Data – means Personal Data referred to in Article 9 of the GDPR;

4)      Documents containing personal data – means all documents containing personal data, with the exception of business cards, calendars and notebooks kept in paper or electronic form;

5)      Head of organizational unit – means the person coordinating the work of Employees in individual organizational units created in the Enterprise;

6)      Login – means a sequence of letters, numbers or other characters identifying the User for the Processing of Personal Data in the IT system;

7)      Data carriers – means all carriers on which information is recorded, in particular: CD-ROMs, DVD-ROMs, Blu-ray discs, hard disks, USB memory sticks and other portable storage media, magnetic cards, as well as paper documents containing personal data;

8)      Recipient – means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as Recipients;

9)      Authorized person – means a person authorized by the Company to process Personal Data in a given scope;

10)  Processor – means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Enterprise;

11)  Policy – means this Personal Data Protection Policy of Designers Sp. z o.o. of 21 May 2018, together with any Annexes;

12)  Employees – means both persons employed in the Enterprise on the basis of an employment relationship, as well as natural persons cooperating with the Enterprise on the basis of a civil law agreement;

13)  Company (Personal Data Administrator) – means the company Designers sp. z o.o., ul. F. Szuberta 27, 02-408 Warsaw, entered into the National Court Register under number 0000492638 (File No. RDF/171687/19/315), NIP: 1180036097, REGON: 011055478, which is the controller of Personal Data within the meaning of Article 4(7) of the GDPR;

14)  Processing – means an operation or set of operations performed on Personal Data or sets of Personal Data by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other type of making available, matching or combining, restriction, erasure or destruction, as referred to in Article 4, point 2 of the GDPR;

15)  Register - means the Register of Personal Data Processing Activities of the Enterprise;

16)  GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1);

17)  Local network – means the connection of the Enterprise's IT systems exclusively for its own needs using telecommunications devices and networks;

18)  Wide area network – means a public telecommunications network within the meaning of the Act of 16 July 2004, the Telecommunications Law (Journal of Laws 2004, No. 171, item 1800);

19)  System – means the Personal Data Protection System in the Enterprise, referred to in § 5 of the Policy;

20)  IT system – means a set of cooperating devices, programs, information processing procedures, software tools used to process Personal Data;

21)  Mobile Device – means mobile telephones, tablets and other mobile devices which, by means of their properties, are intended or may be used to Process Personal Data;

22)  Authentication – means an action aimed at verifying the declared identity of the User;

23)  User – means a person authorized by the Personal Data Administrator to process Data placed in systems, software, network resources, files and folders saved on computers, servers, data carriers and other electronic devices;

24)  Data Set – means any structured set of Personal Data, available according to specific criteria.

3.     Personal data

3.1.   The Company processes Personal Data collected in data sets. The data sets processed in the Company are specified in Annex 1 to the Policy.

3.2.   The list of Data Sets is updated or expanded after conducting an analysis of the effects and risks of processing Personal Data for the rights and freedoms of natural persons covered by the set.

3.3.   The Company does not undertake Processing activities that are likely to result in a high risk to the rights and freedoms of the persons whose Personal Data are concerned. If such activities are planned, the Company must first carry out a data protection impact assessment, as referred to in Article 35 of the GDPR.

3.4.   Personal Data is processed by default in the area covering the premises located at the Company's registered office at ul. F. Szuberta 27, 02-408 Warsaw. An additional area in which Personal Data is processed consists of all portable computers, other Mobile Devices and Data Carriers located outside the area indicated in the preceding sentence.

4.     Basics of Personal Data Protection in the Enterprise

4.1.   The Company ensures the application of technical and organizational measures necessary to ensure the confidentiality, integrity, accountability and continuity of the processed data.

4.2.   Authorized persons and all other persons to whom the Personal Data Processed in the Enterprise is made available are obliged to Process Personal Data in accordance with the requirements of the law and in accordance with the provisions of the Policy, as well as other internal legal acts of the Enterprise or internal procedures related to the Processing of Personal Data.

4.3.   When hiring Employees and during the employment period, the Company ensures that:

                                       I.     Employees, before starting to perform their official duties, receive appropriate knowledge regarding the principles of Processing and protecting Personal Data in the Enterprise;

                                    II.     each Employee is authorized in writing to Process Personal Data to the extent necessary, in accordance with the template constituting Annex No. 2 to the Policy;

                                  III.     each Employee is obliged to maintain the confidentiality and integrity of Personal Data, in accordance with the template constituting Annex No. 3 to the Policy, and Employees are obliged in particular, but not exclusively, to:

a)        strictly adhere to the scope of their authorization;

b)        comply with legal requirements and the provisions of the Policy regarding processing;

c)        keep Personal Data confidential;

d)        maintain the confidentiality and integrity of Personal Data;

e)        immediately report to the Company any incidents related to a breach of Personal Data security.

4.4.   The Company ensures that Personal Data Processed in the Company are:

                                       I.     processed lawfully, fairly and transparently for the data subject;

                                    II.     collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

                                  III.     adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

                                  IV.     accurate and, where necessary, kept up to date; the Company ensures that actions are taken to delete or rectify Personal Data that are inaccurate in light of the purposes of their processing ("accuracy");

                                    V.     kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is processed;

                                  VI.     processed in a manner that ensures appropriate security of Personal Data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

4.5.   In ensuring the Processing of Personal Data in accordance with the principles indicated in the above paragraph, the Company bases the Processing on the following principles:

1)        Legality – The Company takes care to protect privacy and processes Personal Data in accordance with legal requirements;

2)        Security − The Company ensures an appropriate level of security of Personal Data by taking continuous actions in this area;

3)        Individual Rights - The Company enables individuals whose Personal Data is processed to exercise their rights and implements these rights;

4)        Accountability – The Company ensures proper documentation of how it fulfills its obligations regarding the protection of Personal Data.

5.     Personal Data Protection System

The Company ensures compliance of Personal Data Processing with legal requirements also by designing, implementing and maintaining the System. The System consists of organizational measures and technical protection measures, adequate to the level of risk identified for individual Data Sets and data categories. The System consists of, in particular, the following measures:

                    I.               limiting access to the premises in which Personal Data is processed to Authorized Persons only, and ensuring that other persons may stay in the premises used for Personal Data Processing only in the company of an Authorized Person;

                  II.              closing the rooms constituting the area referred to in paragraph 3.4 of the Policy during the absence of Employees, in a way that prevents third parties from accessing them;

               III.               ensuring that the area referred to in paragraph 3.4 of the Policy is protected against accidental factors such as fire or flood;

              IV.               using locked cabinets, drawers, safes or other technical means that prevent unauthorised persons from accessing the Personal Data stored therein;

                 V.              implementation of the principles of management of the IT system used to process Personal Data;

              VI.               implementation of backup policies;

            VII.               implementation of the principles of archiving and storing collected documentation containing Personal Data;

         VIII.              implementation of the rules for transferring Personal Data within the Enterprise;

              IX.               ensuring effective removal or destruction of documents containing Personal Data, in a manner that prevents their subsequent reconstruction;

                 X.              ensuring hardware and IT security, including:

a)      protection of the local network against externally initiated activities,

b)      ensuring that the software used is up to date,

c)      securing computer equipment used in the Enterprise against malicious software,

d)      ensuring regular and frequent backups of data stored on the computers, servers and networks of the Enterprise,

e)      limiting access to computer equipment, the server and the local network by applying Authentication rules;

f)       conducting risk analysis for data processing activities or categories thereof;

g)      implementation of standards for verification and selection of Processors, as well as conditions for entrusting data processing to individual Processors;

h)      monitoring changes in the scope of Personal Data Processing processes in the Enterprise and ongoing management of changes affecting the protection of Personal Data in the Enterprise.

6.     Register

6.1.   The Register includes categories of Personal Data processing activities in the Enterprise. Through the Register, the Enterprise documents Personal Data processing activities and inventories and monitors the manner in which it uses Personal Data. The Register constitutes Annex No. 6 to the Policy.

6.2.   Through the Register, in particular by indicating in the Register general measures for the protection of Personal Data covered by a separate processing activity, the Enterprise also aims to demonstrate compliance of the Processing of Personal Data with legal requirements.

6.3.   The Register shall record, separately for each identified category of Personal Data processing activities, at least:

1)        name of activity;

2)        purpose of processing;

3)        a description of the categories of persons whose Personal Data are processed within the framework of a given activity;

4)        description of the categories of Personal Data processed within a given activity;

5)        the legal basis for processing, including a specification of the category of the legitimate interest of the Company, if the basis for processing is a legitimate interest;

6)        description of the categories of Data Recipients, including Processors;

7)        information about any transfer of Personal Data outside the territory of the European Union or the European Economic Area;

8)        a general description of the technical and organizational measures for the protection of Personal Data applicable to the given activity.

6.4.       In the event of updating or expanding the category of Personal Data processing activities, the Enterprise shall immediately update the Register in order to ensure that the Register is consistent with the actual state of affairs and the scope of Personal Data processing operations in the Enterprise.

6.5.       The provisions of the above paragraph do not exclude the possibility of including additional information in the Register, as needed, increasing the details or readability of the Register or facilitating the management of compliance with the protection of Personal Data with legal requirements and the implementation of the accountability principle.

6.6.       The Company documents in the Register the legal basis for data processing for individual processing activities by indicating the general legal basis for processing, such as: consent, contract, a legal obligation imposed on the Company, or the legitimate interest of the Company.

 

7.     Fulfillment of obligations towards data subjects

7.1.       The company implements consent management methods enabling registration and verification of the possession of a person's consent to the processing of their specific data for a specific purpose, consent to remote communication (e-mail, telephone, text message, and others) and registration of refusal of consent, withdrawal of consent and similar actions, such as filing an objection or limiting processing.

7.2.       The Company takes care of the readability and style of the information provided and communication with persons whose Personal Data it processes.

7.3.       The Company leaves the Policy available for inspection at the Company's registered office.

7.4.       In order to exercise the rights of the person whose Personal Data is concerned, the Company provides procedures and mechanisms that allow to identify the data of specific persons processed by the Company, integrate this data, introduce changes to it and delete it in an integrated manner.

7.5.       The Company documents the handling of information obligations, notifications and requests of persons, informing the data subject about:

a)      the processing of his/her Personal Data, when obtaining the data from that person;

b)      a planned change of the purpose of data processing;

c)      the intended lifting of a restriction on the processing of Personal Data, before the restriction is lifted;

d)      rectification, erasure or restriction of data processing, unless this involves disproportionate effort or is impossible;

e)      the right to object to the processing of Personal Data, at the latest upon the first contact with that person.

7.6.       The Company shall, without undue delay, notify the person about a breach of Personal Data protection if it is likely to result in a high risk to the rights or freedoms of that person.

7.7.       Regardless of the provisions of the paragraph above, the Company determines, where possible, the method of informing individuals about the processing of data that the Company cannot attribute to an identified person (Article 11 of the GDPR).

7.8.       At the request of a person regarding access to their data, the Company informs the person whether it processes their Personal Data and informs the person about the details of processing, in accordance with Article 15 of the GDPR, and also grants the person access to the data concerning them. Access to the data may be implemented by issuing a copy of the data.

7.9.       The Company shall issue to the data subject a copy of the data relating to him/her and shall record the fact of issuing the first copy of the data.

7.10.   The Company rectifies inaccurate data at the request of the data subject. The Company may refuse to rectify the data if the person does not reasonably demonstrate that the data requested to be rectified are inaccurate. In the event of rectification of the data, the Company informs the person about the recipients of the data, at the request of that person.

7.11.   The Company supplements and updates data at the request of the person whose Personal Data is being processed. The Company has the right to refuse to supplement the data if the supplementation would be incompatible with the purposes of data processing. The Company may rely on the person's statement regarding the supplemented data, unless this is insufficient in light of the procedures or law adopted by the Company or there are grounds to consider the statement unreliable.

7.12.   Subject to the paragraph below, at the request of a person, the Company deletes data when:

a)        the data is no longer necessary for the purposes for which it was collected or otherwise processed,

b)        consent to its processing has been withdrawn and there is no other legal basis for processing,

c)        the person has filed an effective objection to the processing of such data,

d)        the data was processed unlawfully,

e)        the need for deletion results from a legal obligation.

7.13.   When deleting Personal Data, the Company takes care to implement this right effectively while respecting all data protection principles, including security, and verifies that none of the exceptions referred to in Article 17(3) of the GDPR applies.

7.14.   If Personal Data subject to deletion have been made public by the Company, the Company takes reasonable steps, including technical measures, to inform other controllers processing those Personal Data that the person has requested the erasure of any links to, or copies or replications of, those data. In the case of deletion of data, the Company informs the person about the recipients of the data, at the request of that person.

7.15.   The Company restricts the Processing of data at the request of a person when:

a)        the person contests the accuracy of the data – for a period allowing the Company to verify its accuracy,

b)        the processing is unlawful and the data subject opposes the deletion of the Personal Data, requesting instead that their use be restricted,

c)        the Company no longer needs the Personal Data, but the data subject needs them to establish, pursue or defend legal claims,

d)        the person has objected to the processing for reasons related to his/her particular situation – until it is determined whether the Company has legally justified grounds that override the grounds for objection.

7.16.   While processing is restricted, the Company stores the data but does not otherwise process it (does not use or transfer it) without the consent of the data subject, except for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for important reasons of public interest. The Company informs the person before the restriction is lifted. In the event of a restriction of processing, the Company informs the person about the recipients of the data, at the request of that person.

7.17.   At the request of a person, the Enterprise issues, in a structured, commonly used and machine-readable format, the data concerning that person that he/she provided to the Enterprise and that are processed by automated means in the Enterprise's IT systems on the basis of that person's consent or in order to conclude or perform a contract with him/her, or, where technically feasible, transmits those data directly to another controller.

7.18.   If a person raises an objection to the processing of their data, justified by their special situation, as referred to in Article 21 of the GDPR, and the data are processed by the Company based on the Company's legitimate interest or on a task entrusted to the Company in the public interest, the Company undertakes to take the objection into account, unless the Company has valid, legally justified grounds for processing that override the interests, rights and freedoms of the person raising the objection, or grounds for establishing, pursuing or defending claims.

7.19.   If a person objects to the processing of their data by the Company for direct marketing purposes, the Company will take the objection into account and discontinue such processing.
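The consent-management mechanisms described in paragraph 7.1, the restriction of processing in paragraphs 7.15 and 7.16 and the objection in paragraph 7.19 can be implemented as an append-only ledger of events. The following Python example is added here for illustration; it is not the Company's code, and the purpose names, channel names, subject identifiers and sample events in it are assumptions constructed for the example:

```python
"""Append-only consent and restriction ledger (added example, not the Company's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Event kinds. The first three describe consent for a purpose (and, for remote
# communication, a channel); OBJECTED records an Art. 21 objection; the last two
# record an Art. 18 restriction being applied and lifted.
GRANTED, WITHDRAWN, REFUSED = "granted", "withdrawn", "refused"
OBJECTED, RESTRICTED, RESTRICTION_LIFTED = "objected", "restricted", "restriction_lifted"
ENDS_PERMISSION = {WITHDRAWN, REFUSED, OBJECTED}


def utc(*parts) -> datetime:
    """Build a timezone-aware UTC timestamp, e.g. utc(2018, 5, 21, 10)."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    subject_id: str            # pseudonymous identifier of the data subject (assumed)
    purpose: str               # hypothetical purpose name, e.g. "newsletter"
    channel: Optional[str]     # "email", "sms", "phone" ... or None when not channel-bound
    kind: str                  # one of the constants above
    at: datetime               # timezone-aware time the event was recorded
    source: str                # where it was recorded: "web form", "support ticket", ...


class ConsentLedger:
    """Events are only ever appended: a withdrawal is a new event, never a deletion,
    so the ledger itself is the record of how the request was handled."""

    def __init__(self):
        self._events = []

    def record(self, event: Event) -> None:
        if event.at.tzinfo is None:
            raise ValueError("event timestamps must be timezone-aware")
        self._events.append(event)

    def _events_for(self, subject_id, purpose, at):
        # Only events recorded on or before `at` count: nothing is retroactive.
        return sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose and e.at <= at),
            key=lambda e: e.at,
        )

    def has_consent(self, subject_id, purpose, channel=None, at=None) -> bool:
        """True only if the most recent consent event for (subject, purpose, channel)
        on or before `at` is GRANTED. No event at all means no consent."""
        at = at or datetime.now(timezone.utc)
        latest = None
        for e in self._events_for(subject_id, purpose, at):
            if e.channel == channel and (e.kind == GRANTED or e.kind in ENDS_PERMISSION):
                latest = e.kind
        return latest == GRANTED

    def is_restricted(self, subject_id, purpose, at=None) -> bool:
        """Restriction applies to the whole purpose, independent of channel."""
        at = at or datetime.now(timezone.utc)
        restricted = False
        for e in self._events_for(subject_id, purpose, at):
            if e.kind == RESTRICTED:
                restricted = True
            elif e.kind == RESTRICTION_LIFTED:
                restricted = False
        return restricted

    def may_use(self, subject_id, purpose, channel=None, at=None) -> bool:
        """Data under restriction may only be stored (paragraph 7.16), so use
        requires both valid consent and no active restriction."""
        at = at or datetime.now(timezone.utc)
        return (self.has_consent(subject_id, purpose, channel, at)
                and not self.is_restricted(subject_id, purpose, at))


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events for the example (not real data)."""
    ledger = ConsentLedger()
    for ev in [
        Event("s-001", "newsletter", "email", GRANTED, utc(2018, 5, 21, 10), "web form"),
        Event("s-001", "newsletter", "email", WITHDRAWN, utc(2018, 6, 1, 9), "support ticket"),
        Event("s-001", "marketing", "sms", GRANTED, utc(2018, 5, 22, 12), "web form"),
        # subject contests accuracy: processing restricted while it is verified (7.15 a)
        Event("s-001", "marketing", None, RESTRICTED, utc(2018, 7, 1, 8), "support ticket"),
        Event("s-001", "marketing", None, RESTRICTION_LIFTED, utc(2018, 7, 10, 8), "support ticket"),
        # an objection to direct marketing is always honoured (7.19)
        Event("s-002", "marketing", "email", GRANTED, utc(2018, 5, 25, 9), "web form"),
        Event("s-002", "marketing", "email", OBJECTED, utc(2018, 8, 3, 14), "e-mail"),
    ]:
        ledger.record(ev)
    return ledger
```

Because the ledger is never rewritten, the history for a given person, purpose and channel is itself the documentation that paragraph 7.5 requires. The checks answer only from events recorded on or before the time asked about, so a consent granted later is not treated as retroactive, and an objection to direct marketing ends the permission in the same way as a withdrawal.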

 

8.     Data minimization

8.1.       The Company implements procedures to implement the principle of minimizing the processed Personal Data in terms of:

a)      adequacy of Personal Data for the purposes of Processing, including limiting the amount of Personal Data processed and the scope of processing to what the purpose of Processing requires;

b)      limiting access to Personal Data only to Authorized Persons for whom the use of Personal Data to a specific extent is necessary for the proper performance of their obligations;

c)      limiting the storage time of Personal Data to the period for which the storage of Personal Data is necessary for the purpose of Processing or for obligations imposed on the Enterprise.

8.2.       The Company periodically reviews the amount of data processed, its type and the scope of its processing at least once a year.

8.3.       The Company applies restrictions on access to Personal Data by:

a)         the obligation of Employees to maintain confidentiality, including in the scope of Personal Data;

b)        verification of the circle of internal recipients of Personal Data by granting individual Employees detailed authorizations to Process Personal Data only to the extent to which it is necessary to perform official duties related to the purposes disclosed to the person to whom the Data relates;

c)         implementation of technical measures to protect Personal Data by limiting access to systems, software and network resources, including servers, mailboxes and Personal Data processed on computers, telephones and other Data Carriers used in the Processing of Personal Data.

8.4.       The Company updates access authorizations in the event of changes in staff composition and changes in the roles of individuals and changes in the processing entities. The Company performs a periodic review of established Users of systems, mailboxes and software and updates them no less than once a year.

8.5.       The Company processes Personal Data in accordance with the criteria specified in the Register. The Company implements lifecycle control mechanisms for Personal Data in the Company, including verification of the continued usefulness of data in relation to deadlines and control points specified in the Register.

8.6.       Data whose usefulness is limited by the passage of time are deleted from the systems, software, computers and other Data Carriers of the Enterprise, as well as from working and master files. Such data may still exist in archives and on backup copies of the Enterprise's systems and information. Procedures for archiving and for using archives, and for creating and using backup copies, therefore take into account the requirements of control over the data life cycle, including data deletion requirements.
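Paragraph 8.6 points out that data deleted from live systems may still exist on backup copies. The following Python example, added here for illustration and not the Company's own code, shows one way to handle this: a retention sweep driven by per-activity retention periods (the activity names, retention periods, records and dates are assumptions constructed for the example; in practice the deadlines come from the Register), with an append-only deletion ledger that is replayed when a backup is restored, so that a restore does not silently resurrect data that had already been deleted.

```python
"""Retention sweep whose deletions survive a backup restore (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per Register activity, in days. Assumed values for the
# example: the real deadlines come from the Register (paragraph 8.5).
RETENTION_DAYS = {
    "recruitment": 180,
    "customer_contract": 6 * 365,
    "event_signup": 30,
}


@dataclass
class Record:
    record_id: str
    activity: str              # Register activity the record belongs to
    collected_on: date
    legal_hold: bool = False   # e.g. needed for a pending claim: Art. 17(3) exception


def retention_deadline(record: Record) -> date:
    """Last day on which the record may still be kept."""
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.activity])


class DataStore:
    """Live records plus an append-only ledger of (record_id, deleted_on).
    The ledger is what lets a restore from an older backup honour deletions
    made after that backup was taken."""

    def __init__(self, records):
        self.live = {r.record_id: r for r in records}
        self.deletion_ledger = []

    def sweep(self, today: date) -> list:
        """Delete every record past its deadline unless it is on legal hold.
        Returns the ids deleted in this run, sorted."""
        deleted = []
        for rid, rec in list(self.live.items()):
            if rec.legal_hold or today <= retention_deadline(rec):
                continue
            del self.live[rid]
            self.deletion_ledger.append((rid, today))
            deleted.append(rid)
        return sorted(deleted)

    def restore_from_backup(self, backup_records, today: date) -> list:
        """Replace live data with the backup, skipping anything the ledger says
        was already deleted, then sweep again because the backup may hold
        records that expired after it was taken. Returns surviving ids, sorted."""
        already_deleted = {rid for rid, _ in self.deletion_ledger}
        self.live = {r.record_id: r for r in backup_records
                     if r.record_id not in already_deleted}
        self.sweep(today)
        return sorted(self.live)


def sample_records() -> list:
    """Constructed sample data for the example (not real data)."""
    return [
        Record("r1", "recruitment", date(2018, 1, 1)),
        Record("r2", "customer_contract", date(2017, 1, 1)),
        Record("r3", "recruitment", date(2017, 6, 1), legal_hold=True),
        Record("r4", "recruitment", date(2018, 5, 10)),
        Record("r5", "event_signup", date(2018, 6, 15)),
    ]


def demo():
    """Sweep on 1 July 2018, then restore a backup taken before that sweep."""
    store = DataStore(sample_records())
    first = store.sweep(date(2018, 7, 1))          # r1 expired on 30 June 2018
    # The backup still contains r1; the ledger keeps it from coming back,
    # and r5 (expired 15 July) is removed by the sweep that follows the restore.
    survivors = store.restore_from_backup(sample_records(), date(2018, 8, 1))
    return first, survivors, [rid for rid, _ in store.deletion_ledger]
```

The deletion ledger holds only record identifiers and dates, not the deleted data, so it can be retained for as long as backups containing those records exist. Records on legal hold are skipped by the sweep, which corresponds to the exception in Article 17(3) of the GDPR for establishing, exercising or defending legal claims.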

 

9.     Security

9.1.       The Company obliges all persons who, within the scope of performing their official duties, obtain access to Personal Data processed by the Company in any scope to familiarize themselves with the applicable Personal Data protection principles specified in the Policy before starting work.

9.2.       Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying probability of occurrence and severity of the threat, the Company implements technical and organizational measures ensuring an adequate level of protection of Personal Data, corresponding to the risk of violating the rights and freedoms of natural persons as a result of the processing of personal data by the Company.

9.3.       The Company conducts and documents analyses of the adequacy of Personal Data security measures. For this purpose, the Company:

a)      categorizes data and processing activities in terms of the risks they pose;

b)      conducts risk analyses of violations of the rights or freedoms of natural persons for data processing activities or their categories. The Company analyses possible situations and scenarios of violations of the protection of Personal Data, taking into account the nature, scope, context and purposes of processing and the risk of violations of the rights or freedoms of natural persons, of varying likelihood and severity.

9.4.       The Company implements measures to ensure business continuity and disaster prevention, i.e. the ability to quickly restore the availability of and access to Personal Data in the event of a physical or technical incident.

9.5.       The IT Systems Administrator established in the Enterprise takes action to ensure the lawful processing of Personal Data in the IT systems used by the Enterprise and to maintain the highest level of security of Personal Data in the IT systems. The duties of the IT Systems Administrator include:

a)      constant control and monitoring of User rights;

b)      ensuring proper operation of the IT system, in accordance with the established purposes of processing Personal Data and the principles of lawful processing;

c)      supervising the making of backup copies and controlling the copy system within the scope of their further usefulness for reproducing Personal Data in the event of a failure of systems, software and network resources;

d)      informing the Members of the Management Board of the Company about all detected irregularities and incidents violating or threatening the security of Personal Data and the IT system;

e)      taking action to prevent the occurrence of system failures, irregularities and incidents that violate or threaten the security of Personal Data and the IT system;

f)       performing reviews, maintenance and modifications in the scope of implementing updates to the IT system and software used to process Personal Data;

g)      exercising constant control over the level of security of the IT system in the scope of processing Personal Data;

h)      authentication of Users, in particular by granting, changing the scope of, or revoking their access rights to the IT system, network resources, servers and supported programs, in accordance with the management principles referred to in § 10 of the Policy;

i)       performing other activities and tasks related to the Processing of Personal Data using servers, network resources, IT systems and software, as well as ensuring the security of Personal Data related to the Processing.

9.6.       Users are obliged to comply with the principles of Personal Data protection specified in this Policy and to properly perform their obligations in the scope of:

a)         processing of Personal Data in accordance with the purposes established and disclosed to the person to whom the Personal Data relates;

b)        participation in training on the protection of Personal Data organized by the Company;

c)         following recommendations, official orders and announcements issued by superiors regarding the efficient functioning of the System;

d)        compliance with the principles regarding the protection of Personal Data provided for in this Policy together with the Annexes, as well as not specified in the Policy but implemented in the Enterprise;

e)         ensuring safe operation of the IT and network system used by the User, including: compliance with the rules related to changing passwords on computers and mobile devices, turning off the computer each time after finishing work and leaving the workstation, not sending Personal Data collected on computers, servers, mailboxes and other network resources to unauthorised persons, and showing caution when receiving e-mail from unknown senders whose identification raises doubts;

f)         refraining from taking documents with Personal Data outside the Company's headquarters in any form, except for persons authorized to do so;

g)        compliance with the principles related to the protection of Personal Data processed in connection with the performance of official duties contained in business cards and notebooks and calendars kept in written or electronic form;

h)        not independently duplicating spare keys enabling access to rooms on the Company's premises;

i)          not making any changes to the content of existing seals containing Personal Data, in particular adding or removing characters, making additional or new seals on one's own, or periodically or permanently swapping existing seals among themselves;

j)     positioning computer monitors in a way that prevents unauthorised persons from viewing the displayed Personal Data while in the office.

 

10.  Rules for archiving and storing collected documentation containing Personal Data

 

10.1.   The Company's headquarters contain rooms adapted for the purpose of archiving documents. The Company takes steps to limit access by unauthorized persons to the designated rooms and applies electronic access control, preventing unauthorized persons from accessing documentation.

10.2.   The premises adapted for the purpose of archiving documentation are protected against access by unauthorized persons through, among other things: storing documentation in locked cabinets and entrusting the key only to Employees authorized to access documentation. The keys to the cabinets are stored in places inaccessible to unauthorized persons; it is prohibited to provide keys to persons who are not Employees of the Company.

10.3.   Documents that are not used in the course of the current functioning of the Enterprise are subject to archiving. The decision to transfer the documentation to a room adapted for the needs of the archive is made by the managers of the individual organizational units or the President of the Management Board.

10.4.   Documents containing Personal Data in paper form are stored in folders, binders or sleeves, or in another manner adopted by the Head of the organizational unit, and segregated in a manner adopted by the Head of the organizational unit. One folder cannot contain both documents containing Personal Data for the Processing of which Employees of a given organizational unit are authorized and documents containing Personal Data for the Processing of which Employees of that organizational unit are not authorized. If the segregation of documents referred to in the previous sentence is not possible, the Head of the organizational unit, in consultation with the Member of the Management Board, shall take other technical and organizational measures to prevent unauthorized Employees from accessing the Data.

10.5.   Documents containing Personal Data in rooms where Employees' workstations are located are stored after the Employees have finished their work in locked cabinets and drawers.

10.6.   In the event of the presence in the room where the Employees' workstations are located of a person who is not authorized to process Personal Data of a specific category in accordance with Annex 9 to the Policy, the Employees shall take all necessary actions to prevent unauthorized persons from accessing the Personal Data.

10.7.   The principles set out in this paragraph also apply in the event of storing Personal Data outside the Company's registered office, as referred to in paragraph 3.4 of the Policy.

 

11.  Removal of personal data

 

11.1.   The Company stores Personal Data for a period no longer than is necessary for the purposes of Processing. After the expiry of the period indicated in the Register, the Company deletes Personal Data permanently.

11.2.   The Company deletes Personal Data using its own measures and mechanisms, or entrusts the deletion of Personal Data to cooperating entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to prevent threats to, or breaches of, Personal Data security.

11.3.   Personal data contained in documents which, due to the need to maintain continuity of cooperation with contractors, customers and other entities, the current proper functioning of the Enterprise or for other important reasons, cannot be deleted after the time specified in the Register, are subject to anonymization.

11.4.   Notwithstanding the provisions of paragraph 11.1 above, the Company deletes Personal Data in the cases referred to in paragraph 7.13 of the Policy.

11.5.   The entity authorized to remove Personal Data from servers is the IT System Administrator.

11.6.   Before transferring computers, Mobile Devices or Data Carriers containing Personal Data that are intended for destruction or repair to an external entity, the IT System Administrator deletes the Personal Data stored on the device. If it is impossible to delete the Personal Data, the IT System Administrator takes the necessary steps to prevent unauthorized persons from accessing the Data, e.g. encrypts or anonymizes the Data.


 

12.  Personal data protection breach

 

12.1.   The following are considered to be a violation or attempted violation of the principles of processing and protection of Personal Data in particular, but not exclusively:

a)        breach of security of IT systems, software and network resources in which Personal Data is processed;

b)        disclosure of Personal Data to unauthorized persons;

c)        processing of Personal Data contrary to the intended scope and purpose of their Processing;

d)        unauthorized or accidental damage, loss, destruction or alteration of Personal Data.

12.2.   In the event of a breach of Personal Data protection, the Company assesses whether the breach could have caused a risk of violating the rights or freedoms of natural persons and estimates the scale of the risk.

12.3.   In the event of a breach of Personal Data protection, the Company shall, without undue delay and, where possible, no later than 72 hours after the breach has been identified, notify the competent supervisory authority, unless it is unlikely that the breach will result in a risk to the rights or freedoms of natural persons.

12.4.   Regardless of the obligations set out in paragraph 12.2 above, the Company shall document all personal data protection breaches, including the circumstances of the personal data protection breach, its effects and remedial actions taken.

 

13.  Processing entrustment

 

13.1.   The Company may entrust the Processing of Personal Data to the Processor only by means of an agreement concluded in writing or another legal instrument (e.g. Regulations or general Principles for entrusting Personal Data) in accordance with the requirements indicated in Article 28 paragraph 3 of the GDPR.

13.2.   The Company shall only use the services of such Processors that provide sufficient guarantees of implementing appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of persons whose Personal Data is concerned. In order to verify compliance with the obligation referred to in the preceding sentence, the Company, before entrusting the processing to a potential Processor, shall, to the extent possible, obtain information on the principles of Personal Data protection applied by the potential Processor and on the practices of that entity concerning the protection of Personal Data.

13.3.   The details and principles of entrusting Personal Data are specified in the relevant agreement or legal instrument.

 

14.  Transfer of Personal Data within the Enterprise

 

14.1.   Documentation containing Personal Data is transferred between individual organizational units and Employees, taking into account the principles of Personal Data protection indicated in this Policy.

14.2.   If the Employee receiving a document is not authorized to process the Personal Data it contains, the document is transferred in a way that prevents a breach of Personal Data, using sufficient technical and organizational measures:

a)         e-mails are sent to another Employee who is not authorized to process the Data only after Personal Data has been removed from the footers and content of the e-mail, or after the Data has been encrypted in a way that prevents identification of the person to whom the Data relates;

b)        paper and electronic documents transferred to another Employee who is not authorized to process Personal Data are subject to anonymization or encryption within the scope of the Data;

c)         documents in paper form transferred to the person to whom the Personal Data relates through another Employee not authorized to process the Data are placed in envelopes or opaque folders labelled in a way that prevents identification of the addressee.

14.3.   Paper documents transferred to the person to whom the Personal Data relates through another Employee are stored and transported, until they are issued to the addressee, in a way that prevents a breach of Personal Data.

 

15.  Transfer of data to a third country

 

15.1.   The Company does not transfer Personal Data to a third country, i.e. a country outside the territory of the European Union or the European Economic Area, except in situations where this occurs at the request of the person to whom the Personal Data relates.

15.2.   In order to avoid situations of unauthorized data export, particularly in connection with the use of publicly available cloud services, the Company periodically verifies user behavior and, where possible, provides equivalent solutions that are compliant with data protection law.

 

16.  Final provisions

 

16.1.   The policy comes into effect on the date of announcement.

16.2.   In matters not regulated in the Policy, the provisions of the GDPR and generally applicable provisions of Polish and European law shall apply accordingly.

16.3.   Any changes or additions to the Policy require written form to be effective, otherwise being null and void. Changes or additions to the Policy shall enter into force no earlier than 7 days after their announcement.