„ATM LIGHTING” Sp. z o.o. with HQ in GdańskPERSONAL DATA PROTECTION Under applicable Personal Data Protection Law including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union 2016 Nr. 119, p. 1) „ATM LIGHTING” Sp. z o.o. with HQ in Gdańsk is the Personal Data Administrator and, therefore, ensures using of data in a way which is safe, compliant with the contract and with applicable law. 1. Purpose of processing personal data.Personal data of entities is processed for the following purposes: 1) conclusion and performance of the contract and processing an order; 2) performance of legal duties, especially accounting obligations e. g. issuing and storage of invoices, conducting staff matters; 3) seeking redresses; 4) direct marketing. Personal data shall be processed only during the time of: 1) processing orders, duration of the contract and making settlements after the contract is expired; 2) performing accounting and tax obligations, conducting staff matters; 3) realizing statutory tasks in legally justifiable purposes. 2. Categories of processed personal data.In purposes indicated in Point 1 „ATM LIGHTING” Sp. z o.o. processes the following personal data: name, surname, phone number, e-mail address, social security number and NIP number. Processing of the sensitive data by „ATM Lighting” Sp. z o.o. shall be done only in purpose of realizing employer’s obligations towards employees. Employer’s obligations are settled by labor law, OSH and contracts with insurance companies and medical entities. 3. Entities to whom personal data is handed on. Processed personal data is handed on to:1) entities providing legal assistance including recovery, tax assistance and accounting services; 2) entities conducting postal or courier activities; 3) entities providing transport and logistics services; 4) entities conducting payment activities; 5) entities providing marketing services; 6) entities providing insurance services; 7) entities providing medical services including occupational medicine services and OSH services. 4. Rights of the entities whose personal data is being processed.1) rectification – right to demand a correction of incorrect personal data and right to demand a complement of incomplete data; 2) deletion – right to demand a deletion of a data in the following circumstances: a) personal data is no longer needed for the realization of purposes of its collecting or processing in any other way, b) a person, to whom collected data is regarding, revokes consent for processing personal data and there is no other legal basis for processing, c) a person, to whom collected data is regarding, raises an objection toward processing of personal data and there is no others overriding, legally justifiable basis for processing personal data, d) personal data was processed illegally, e) in order to fulfill legal obligations settled by the EU Law and the law of Member Country which the Administrator subjects to, f) personal data was collected in accordance with offering information society services. 3) limitation of personal data processing – right to demand a suspension of processing personal data in the following circumstances: a) a person, to whom collected data is regarding, questions correctness of personal data – the Administrator may suspend processing for the time needed to check if processed personal data is correct, b) personal data is processed illegally and a person, to whom collected data is regarding, raises an objection toward deletion of processed personal data. A person needs to demand a limitation of personal data processing instead, c) the Administrator does not need any longer personal data for processing purposes and a person, to whom previously used data is regarding, needs it to establish, seek and defend a claim, d) a person, to whom processed data is regarding, raised an objection toward processing personal data – processing is limited for the period of time needed by the Administrator to tell if a legal basis of raised objection surpasses legally justifiable basis of the Administrator’s actions. 5. Consent.When processing of personal data is not needed for performing the contract. does not arose from the provisions of the law or there is no other legally justifiable basis of processing, the processing entity may demand consents of people to process their data for specified purposes. Entities, to whom processed data is regarding, have a right to withdraw their consent. 6. Right to raise an objection.A person, to whom processed data is regarding, has a right to raise an objection toward processing personal data. Objection might be based on the specific situation of a person. A person, to whom processed data is regarding, also has a right to raise an objection toward processing personal data in purposes of direct marketing. In the moment of raising objection, processing entity loses its right to process objected personal data. Nevertheless, objected data might be used by processing entity again. To do so processing entity has to prove there is important, legally justifiable basis on its side. Proven basis has to be superior to interests, rights and freedoms of a person who previously raised an objection. 7. Complaint. Public supervisory authority.In case of infringement of statutory law, entities, to whom processed data are regarding, have a right to lodge a complaint with the President of the Office of the Personal Character Data Protection.