GDPR

Following the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), we hereby inform you that we process your personal data based on the following principles:

I. ADMINISTRATOR OF PERSONAL DATA

The Administrator of personal data is Scandinavian Method (hereinafter referred to as “Administrator”).

II. ADMINISTRATOR CONTACT DETAILS:

You can contact us by email: info@scandinavianmethod.pl

III. INFORMATION ON THE APPOINTMENT OF DATA PROTECTION OFFICER

The Administrator has not appointed a Data Protection Officer.

IV. DATA SUBJECT CATEGORIES

We process personal data of:
a. customers being natural persons, and in case of customers being either legal persons or business units without legal personality - personal data of persons authorized to represent such entities, employees and associates of such customers,
b. providers of services and goods being natural persons as well as employees and associates of providers of services and goods acquired by the Administrator, including persons co-operating with the Administrator on either a permanent or occasional basis upon providing services by the Administrator,
c. persons approaching the Administrator in order to be recruited by the Administrator,
d. other persons who provided their personal data to the Administrator, i.e. in correspondence addressed to the Administrator, as well as persons whose data have been obtained by the Administrator upon provision of services.

V. DATA CATEGORIES

The Administrator shall process the following personal data categories: basic identification and contact data; electronic identification and contact data; identification and contact data related to the conducted business activities; data necessary in order to prepare an offer; data necessary in order to conclude and execute an agreement as well as sell products and services, issue invoices and make payments, handle concluded contracts, including handling complaints, as well as pursue or defend potential claims. In particular, we shall process data such as: name (names), surname, e-mail address, phone number, title, position, company or name of the represented entity, contact details, name of the company, REGON state statistical number, legal address, address for correspondence, bank account number, data regarding education and professional experience as well as data regarding the marital status - if necessary in accordance with the aim of data processing, image - within the scope of monitoring conducted by the Administrator or photos submitted voluntarily to the Administrator, i.e. in CV documents, electronic data automatically submitted in case of visiting the Administrator’s website and/or social media profiles, including IP address, local IP address, host name. Furthermore, the Administrator may process other categories of personal data if such cannot be qualified to any of the indicated groups while the processing is conducted for purposes specified in this information, in particular when processing is required by applicable provisions of law for the fulfillment of such purposes.

VI. PURPOSE OF PERSONAL DATA PROCESSING, LEGAL BASIS AND PERIOD OF DATA PROCESSING

Your personal data may be processed for the following purposes, based on the following premises of lawfulness of data processing and for periods specified below:
a. on the basis of your voluntary consent, i.e. based on Article 6 (1) (a) of GDPR for purposes set forth in the consent (in such case you may withdraw your consent at any time and this shall not affect the lawfulness of processing conducted prior to the withdrawal; however, lack of consent or its withdrawal shall make us unable to process data for the purposes indicated within the consent) - the period of data processing conducted on such basis shall expire upon withdrawal of consent,
b. on the basis of contractual requirements, i.e. based on Article 6 (1) (b) of GDPR for the execution of an agreement concluded with the Administrator or launch of actions before its conclusion upon your request - data processed on such basis shall be subject to processing for a period essential for execution of the agreement concluded with the Administrator, this including the provision of services, warranty and post-warranty services, handling of complaints,
c. on the basis of statutory requirements, i.e. based on Article 6 (1) (c) of GDPR for the purpose of fulfillment of the Administrator’s obligations arising from the law of the EU or Polish law, including keeping financial reporting - data processed on such basis shall be processed for a period indicated by the provisions of law in relation to data retention, i.e. if such data ought to be kept for financial reporting purposes the period of data retention shall be 5 years following the issue of a particular accounting document;
d. on the basis of the Administrator’s legitimate interest, i.e. based on Article 6 (1) (f) of GDPR which the Administrator shall deem as: pursuing, determining and defending against claims, prevention of fraud, ensuring security of the ICT environment, applying internal control systems, monitoring the Administrator’s office/building and his possessions as well as registering the means of using it, determining conflicts of interests and infringements of ethical principles in areas necessary to prevent abuse, for archive, statistical, and verification purposes to ensure information security in case of legal need to produce facts, for the purpose of offering own services (direct marketing by the Data Administrator), for the purposes of running the website and social media profiles, communicating via such profiles (comments, chat, messages) as well as for analytical purposes in relation to the functioning, popularity and manner of use - data processed on such basis shall be processed until the purpose of such processing ceases to exist (i.e. data processed for the purpose of pursuing or defending against claims for a period equal to the limitation period of such claims) or submission of effective objection.

VII. DATA RECIPIENT CATEGORIES

The recipients of your personal data constitute entities of the following categories:
a. entities providing services on behalf of the Administrator, including:
• IT and new technologies services;
• payment services;
• accountant and financial or legal services;
• auditing and inspection services;
• recovery services;
• printing services;
• document destruction services;
• postal or courier services;
• insurance services;
• medical services;
• other entities providing services on behalf of the Administrator necessary for the purposes of data processing set forth in this information on the basis of relevant personal data processing agreements concluded with the Administrator,
b. public authorities and entities either performing public tasks or operating upon order from public authorities to the extent and purposes arising from provisions of generally applicable law and upon their reasonable demand or when it shall be necessary to defend against claims or pursue our claims,
c. if it is justified by the purpose of data processing, entities to which the Administrator provides services, i.e. in case of the need to verify their satisfactory performance,
d. in relation to data disclosed through the Administrator’s social media portals - entities running such portals based on principles specified in terms and regulations of such portals.

VIII. DATA TRANSMISSION OUTSIDE THE EUROPEAN ECONOMIC AREA

In principle, the Administrator shall not transfer personal data outside the European Economic Area. However, the Administrator may subcontract the performance of specific services or IT tasks to service providers with registered offices located outside the European Economic Area, i.e. data processed by means of the Administrator’s website, social media portals or transferred through electronic mail; if the servers of operators responsible for managing such services are located outside the EEA, personal data can be processed outside the EEA. In such case, data shall be transferred to a third country in relation to which the decision of the European Commission recognized a suitable level of data protection or based on typical contractual clauses approved by the European Commission. You can request further information regarding the applied means of protection and data copies.

IX. LEGAL RIGHTS

You have the right to:
a. Access your data and receive copies of such data.
b. Rectify and supplement (correct) your data.
c. Erase your data - if you believe that there is no legal basis for our processing of your data.
d. Limit processing of data, i.e. demand to limit the processing of your personal data solely to retention or execution of actions agreed with you.
e. Object to data processing:
• “Marketing” objection: You have the right to object to data processing for the purposes of direct marketing. If you exercise this right we shall cease the processing of your data for this purpose.
• Objection due to a special situation: You have the right to object to data processing based on your legitimate interests for purposes other than direct marketing as well as in cases where processing is necessary for the fulfillment of a public interest task or execution of entrusted public authority. In such case, you will be required to indicate the special situation that justifies the discontinuation of processing subject to your objection. In case of such objection, we shall cease processing of data for such purposes unless we indicate that the grounds for processing are superior towards your rights or that such data are necessary for us to determine, pursue or defend against claims.
f. Transfer data. You have the right to receive from us your personal data, which you provided to us based on an agreement or consent, compiled in a structured, commonly-used and machine readable format. You can also commission us with sending such data directly to another entity.
g. Lodge a complaint with the supervisory body, i.e. the Inspector General for Personal Data Protection, ul. Stawki 2; 00-193 Warsaw; https://www.uodo.gov.pl/pl/p/kontakt; phone no. (22) 531 03 00 - if you believe that processing of your personal data violates the provisions of GDPR or any other provisions regarding the processing of personal data.
h. Withdraw your consent to the processing of personal data, provided that processing is conducted based on your consent. Withdrawal of your consent shall not affect the lawfulness of processing conducted based on your consent prior to the withdrawal.

You can exercise your rights by sending a relevant request to info@scandinavianmethod.pl

X. INFORMATION REGARDING THE REQUIREMENT OR VOLUNTARINESS OF PROVISION OF DATA AND CONSEQUENCES OF NON-PROVISION

To the extent of processing of personal data for the purpose indicated in point VI (c) above, the obligation to provide data constitutes a statutory obligation. In relation to personal data processed for the purpose set forth in point VI (b), their provision constitutes a contractual condition, which means that it is necessary for the conclusion and performance of the agreement signed with the Administrator. In case of data processing for other purposes, their provision is voluntary and lack of such provision shall make us unable to fulfill the purpose of processing.

XI. INFORMATION ON THE DATA SOURCE

We obtained your personal data directly from you or the company for which you work (or with which you co-operate) based on consent, inquiry or agreement concluded by us, within the scope of access to publicly-available databases of the Central Statistical Office, National Court Register and Central Registration and Information on Business, and publicly-available websites.

XII. INFORMATION ON AUTOMATED DATA PROCESSING

Your personal data shall not be subject to automated decision-making, including profiling.