1. The administrator of the Personal Data processed in the company for various purposes related to the company’s business activities is Asseco Data Systems S.A., seated in Gdańsk, ul. Jana z Kolna 11, 80 – 864 Gdańsk, entered in the Register of Entrepreneurs of the National Court Register under the number KRS 0000421310, kept by the District Court of Gdańsk – North in Gdańsk, VII Commercial Department of the National Court Register, NIP 517-03594-58, REGON 180853177, whose share capital amounts to PLN 120,002,940.00 (paid in full);
2. You can contact us:
   • by letter (snail mail), writing to the address indicated above,
   • via email at kontakt@assecods.pl,
   • By phone at +48 58 550 95 00.
3. Data Protection Officer
   We have appointed a Data Protection Officer whom you can contact:
   • by letter (snail mail), writing to: Asseco Data Systems S.A., Office in Lodz, 136 Narutowicza St., 90-146 Lodz,
   • via e-mail at: IOD@assecods.pl,
   • By phone at +48 42 675 63 60.
4. Asseco Data Systems S.A. complies with all privacy and processing rules set forth in the RODO also with respect to data entrusted by other Administrators or Entrustors.

In connection with the provision of training services and contact with Asseco Data Systems S.A., the following personal data may be processed:

• First and last name,
• Email address,
• Phone number,
• Residential or business address,
• VAT ID number (for entrepreneurs),
• Invoice details,
• Data identifying the training participant,
• Information related to payments and settlements.

1. Personal data – all information about a natural person identified or identifiable by one or more specific factors that determine physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet ID and information collected through cookies and other similar technology.
2. The Personal Data Administrator processes data in accordance with the following principles:
   • Reliability and lawfulness – meaning that data will be processed fairly, in accordance with correctly identified, RODO-compliant legal bases that are adequate for each processing activity. The Personal Data Controller identifies and determines the appropriate legal basis for each processing activity.
   • Transparency – meaning that data subjects are informed in a transparent, accessible and understandable manner about who will process their data, on what basis, for what purpose, to what extent and for how long. Data subjects are further informed about: the recipients of the data, their rights and how to exercise them, and whether the data will be transferred to countries outside the EU and whether the data will be subject to automated decision-making and, if so, what impact this will have on the data subject. The Personal Data Controller ensures that the information obligation will be fulfilled:
     • in the case of collection of data from the data subject – at the latest at the time of collection,
     • in the case of collection of data from a source other than the data subject – no later than within 30 days of their acquisition;
     • Purpose limitation – meaning that personal data is collected and processed for specific, explicit and legitimate purposes and that it is not further processed in a manner incompatible with those purposes.
     • Data minimization – meaning that data is adequate and limited to what is necessary to achieve the purpose for which it is processed.
     • Correctness – meaning that the processed data are correct, truthful and are subject to updates when necessary.
     • Storage limitations – meaning that data will be stored in a way that allows the data subject to be identified for no longer than necessary to fulfill the purposes for which the data are processed.
     • Integrity and confidentiality – which means that the data are processed in a manner that ensures their adequate security and, in particular, in a manner that ensures protection against: accidental or unauthorized loss, modification, damage or destruction. The Personal Data Administrator shall ensure data security through the use of adequate technical and organizational measures. The Personal Data Controller shall develop a personal data protection system taking into account the risks defined in his organization to which the processed data are exposed (risk-based approach). A description of the measures used is included in this document.
     • Accountability – meaning that the Personal Data Controller processes personal data in a manner that ensures compliance with the provisions of the RODO in connection with their processing operations, and that it will be able to demonstrate the implementation of organizational and technical measures to ensure data processing in accordance with applicable laws. Demonstration of the implementation of these measures will take place in particular through the implementation of appropriate rules, procedures and policies describing the rules of conduct for data processing.
3. The Data Controller strives to ensure that every process, solution or business idea, as early as in the design phase, should be analyzed for the use of personal data in that solution and take into account the protection of that data. This analysis should be carried out further, including already during the processing itself (privacy by design).

1. During a User’s visit to the Website, the following information is automatically collected through the use of Google Analytics or Cookies:
   • IP address and domain name,
   • type of web browser used,
   • device-related data, such as the operating system.
2. The Website also automatically collects geographic data as well as information regarding actions performed by the User, which are used solely for marketing or statistical analysis purposes. The Controller does not undertake any activities aimed at identifying natural persons based on the data collected through the Website.
3. Asseco Data Systems S.A., within certain Websites, applies mechanisms designed for profiling a given User within the scope of such Website. In these Websites, data concerning the User’s activity is collected, namely: search history, clicks, visits to the Website and its subpages, dates of User logins and registrations, as well as data concerning the use of specific services. Profiling of the aforementioned information may result in the User receiving personalized information related to their activity within the Website.

1. During the use of the Website, DoubleClick Cookies are stored in the storage memory of the User’s device. These cookies:

   • collect information regarding the manner in which the User makes use of the Website’s content (they contain a randomly generated, 18-digit unique identifier assigned to web browsers installed on specific User devices),

   • are used to store data of a logged-in User of the Website (active sessions), including, among others: the selected language of the Website, search filter settings, User data (login or username) used for logging into the Website, or an authorization token for the Website.

2. The identifier of a given device, stored in a DoubleClick Cookie, is added to a remarketing list, which is stored on Google’s servers and subsequently grouped into specified categories.
3. The information stored in Cookies located in the storage memory of the User’s device is later used for remarketing purposes.
4. Remarketing consists of the use of data collected in Cookies by external providers for the purpose of displaying advertisements based on data gathered during the User’s interaction with the Website content.
5. The User may independently manage Cookies in their web browser by selecting the Privacy and Security tab in the browser options. The User may also opt out of receiving advertisements through the Google Ads opt-out option or via the Network Advertising Initiative website.
6. Cookies in no way modify other data contained in the storage memory of the User’s device, nor do they affect the proper functioning of the operating system.
7. The Controller does not use cookies for the direct identification of Users of the Website.

1. The Personal Data Administrator shares (including entrusts) personal data with other entities (data recipients) on the basis of:
   • legislation in force
   • Business decisions on outsourcing selected parts of the business.
2. In the case of sharing data with entities to which the Personal Data Controller subcontracts services in its name and on its behalf, a written entrustment agreement is required. The decision to entrust is preceded by an analysis of the credibility and reliability of the entity.
3. Any decision to outsource services, requires it to be analyzed by the Personal Data Controller also in terms of entering into an entrustment agreement for processing.

Asseco Data Systems, in its role as a controller of personal data, ensures that the rights of the persons whose data it processes can be realized. Requests arising from the rights of data subjects can be realized:

• by writing to: daneosobowe@assecods.pl or IOD@assecods.pl,
• by reporting directly to one of the administrator’s offices and making the request in person.

Asseco Data Systems S.A., as controller, provides each individual with information about the processing of his/her personal data. The Data Controller, upon the request of an individual, shall respond whether it processes his/her personal data. If he/she processes his/her data, he/she grants access to personal data and provides information about:

• person and contact information of the administrator,
• Person and contact information of the Personal Data Inspector,
• purpose of processing,
• The legal basis for processing, information about the recipients or categories of recipients to whom the data will be disclosed, tThe planned period of storage of personal data,
• the right to request rectification, erasure or restriction of data processing, data portability, and to object to such processing (the rights due to data subjects depend on the basis of processing applied in a given case),
• the right to lodge a complaint with the supervisory authority for the protection of personal data,
• Information about the intention to transfer data outside the EU,
• information about the obligation to provide data and the consequences thereof,
• information about whether the data will be processed by automated means and whether it will be subject to profiling,
• the categories of data involved and the source from which the person’s data was obtained – in case it did not come directly from the person.

The information specified above is, in accordance with the implementation of the principle of transparency, provided to data subjects in information clauses.

Asseco Data Systems makes every effort to ensure that the data processed in its enterprise are protected to the highest standards. It conducts a risk analysis for the processing activities for which it is the administrator and for the processing of data it has been entrusted with in order to select optimal technical and organizational means by which to ensure confidentiality, integrity and availability of personal data.

The Personal Data Administrator will regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of processing and adjust security measures according to the results of the measurements.

Asseco Data Systems regularly conducts internal audits and undergoes independent assessments by external auditing firms for standards: ISO 9001, ISO 27001, ISO 22301.