I. GENERAL

1.1. This Privacy Policy (hereinafter referred to as the “Policy”) defines the principles of processing of personal data of the users of the website (hereinafter referred to as the “Users”) operating at www.arteria.pl (hereinafter referred to as the “Website”), as well as other categories of persons indicated in the Policy by Arteria S.A. with its registered office in Warsaw, ul. Stawki 2A, 00-193 Warszawa, entered into the register of entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000226167, NIP [Tax Id No.]: 5272458773, REGON [Business Id No.]: 140012670 (hereinafter referred to as the “Service Provider”).

II. CONTROLLER OF PERSONAL DATA AND PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

2.1. The controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (hereinafter referred to as the “GDPR”) is the Service Provider – Arteria S.A. seated in Warsaw, ul. Stawki 2A, 00-193 Warszawa, entered into the register of entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000226167, NIP [Tax Id No.]: 5272458773, REGON [Business Id No.]: 140012670, to the following extent:

THE DATA SUBJECT	PERSONAL DATA PROCESSING PURPOSE AND LEGAL BASIS
Website User	a) necessity for the purposes of the legitimate interests pursued by the Company, in particular ensuring the proper operation of the Website, the ability to navigate the Website and use its basic functions, as well as the establishment, investigation or defence against possible claims on the basis of art. 6(1)(f) of the GDPR; b) necessity to improve the performance of the Website and to collect information on how Users use the Website, to improve the Website, to adapt the operation of the Website to the User’s preferences and to compile statistics on the use of the Website on the basis of art. 6(1)(a) of the GDPR;
A natural person running a sole proprietorship who has concluded an agreement with the Company or who has been subject to actions taken against him/her prior to concluding the agreement at his/her request	a) necessity for the performance of a contract concluded with the Company or to take action at the request of the data subject prior to the conclusion of the contract on the basis of art. 6(1)(b) of the GDPR; b) necessity to fulfil the Company’s legal obligations, in particular under tax law and accounting regulations on the basis of art. 6(1)(c) of the GDPR; c) necessity for the purposes arising from the legitimate aims pursued by the Company, in particular the provision of contact prior to the conclusion of the contract and for the duration of the contract, as well as the establishment, investigation or defence against possible claims on the basis of art. 6(1)(f) of the GDPR.
An authorised representative, contact person or other person on the part of an entity that has entered into a contract with the Company or other person involved in the performance of a contract entered into with the Company or in contact with the Company.	a) necessity for the purposes of the legitimate interests pursued by the Company, in particular ensuring contact with an entity that is a party to a contract concluded with the Company, verifying that the person who contacts the Company is authorised to take action on behalf of that entity, the correct execution of a contract concluded with the Company, answering a question in connection with communication with the Company and establishing, investigating or defending against possible claims on the basis of art. 6(1)(f) of the GDPR; b) necessity to fulfil the Company’s legal obligations, in particular under tax law and accounting regulations on the basis of art. 6(1)(c) of the GDPR.

III. CONTACT IN MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA

3.1. The Company has appointed a Data Protection Officer who can be contacted on matters relating to data protection in writing at: ul. Stawki 2A, 00-193 Warsaw or by e-mail to odo_arteria@arteriasa.com.

IV. PERSONAL DATA RECIPIENTS

4.1. Recipients of personal data may be – only where necessary and to the necessary extent – entities cooperating with the Company in the scope of services provided to the Company and in support of the Company’s current business processes, in particular IT, marketing and legal service providers. Recipients of personal data may also be the Partners, as indicated in section 9.2 of the Policy.

V. PERSONAL DATA STORAGE PERIOD

5.1. If the processing is based on freely given consent, personal data will be stored until withdrawal of the consent to process personal data for specific, explicit and legitimate purposes. Consent to the processing of personal data may be withdrawn at any time. Withdrawal of consent to the processing of personal data shall be made by contacting us by e-mail at odo_arteria@arteriasa.com. The withdrawal of consent shall not affect the lawfulness of data processing which was carried out on the basis of the expressed consent before its withdrawal.

5.2. If the processing of the data is necessary for the performance of a contract to which you are a party, or to take action at your request, prior to the conclusion of the contract, your personal data will be processed for the duration of the contract, and thereafter for the period of limitation of possible claims under generally applicable law.

5.3. If the processing is necessary for the fulfilment of a legal obligation incumbent on the Company, your personal data will be processed for a period of time resulting from generally applicable laws.

5.4. If the processing is necessary for purposes arising from legitimate interests pursued by the Company or by a third party, your personal data will be processed for no longer than is necessary for the purposes for which the data is processed or until you object to the processing of your personal data for such purposes, on grounds related to your particular situation, unless the Company demonstrates the existence of valid legitimate grounds for the processing, overriding your interests, rights and freedoms, or grounds for the establishment, assertion or defence of claims.

VI. IS IT MANDATORY TO PROVIDE PERSONAL DATA?

6.1. Where personal data is processed on the basis of the data subject’s consent, the provision of personal data is voluntary.

6.2. If the personal data is processed for purposes necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to entering into a contract, the provision of personal data is voluntary, but necessary to enter into a contract with the Company.

6.3. If the processing of personal data is necessary for the fulfilment of a legal obligation incumbent on the Company, the provision of personal data is a statutory requirement.

6.4. If the personal data is processed for purposes arising from legitimate interests pursued by the Company or by a third party, the provision of personal data is voluntary, but necessary for these purposes.

VII. YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR PERSONAL DATA

7.1. The data subject has the right to access, rectification, erasure, restriction of processing, portability of his/her personal data – to the extent that the data is processed on the basis of consent or for purposes necessary for the performance of the contract and by automated means, and the right to object to the processing of personal data – to the extent that the data is processed for purposes arising from the legitimate interests pursued by the Company, unless the Company demonstrates the existence of valid legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject or grounds for the establishment, assertion or defence of claims.

7.2. Where personal data is processed on the basis of the data subject’s consent, the data subject has the right to withdraw consent to the processing of personal data at any time, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal. Withdrawal of consent to the processing of personal data shall be made by contacting us by e-mail at odo_arteria@arteriasa.com.

7.3. The data subject also has the right to lodge a complaint with the supervisory authority for data protection – the President of the Office for Personal Data Protection.

VIII. EXERCISING THE RIGHTS OF DATA SUBJECTS

Any individual (hereinafter referred to as the “Applicant”) has the right to make a request to the Service Provider: (A) to exercise the right of access to personal data, i.e. to obtain confirmation that the Service Provider is processing personal data concerning him or her, and to exercise the right of access to the personal data concerning him or her; (B) to rectification of personal data; (C) to erasure or restriction of the processing of personal data; (D) to portability of personal data, which includes the right to receive personal data and send it to another controller or to request, if technically possible, that the data be sent directly to another controller (to the extent that the data is processed on the basis of consent or contract and by automated means); (E) to object to the processing of personal data (insofar as the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party or for direct marketing purposes).

8.2. The above requests will be submitted by the Applicant taking into account the provisions of the GDPR. The above means that in certain cases listed in the provisions of the GDPR, the above-mentioned rights may not be available to the data subject.

8.3. The application must be submitted in writing to ul. Stawki 2A, 00-193 Warsaw or by e-mail to odo_arteria@arteriasa.com. If the Service Provider does not process the Applicant’s personal data (other than the fact of processing personal data for the purposes of the Application itself), the application will not be processed and the Applicant’s data will be deleted immediately.

8.4. The Service Provider shall inform the Applicant immediately upon receipt of the application and include information on the application in the records it maintains.

8.5. The Service Provider reserves the right to verify the identity of the Applicant. Failure to successfully verify the identity of the Applicant for reasons for which the Applicant is responsible means that the Service Provider will not process the submitted application, of which the Applicant will be informed without delay.

8.6. The application shall be processed in the Service Provider’s designated substantive unit without undue delay, but no later than one month from the date of receipt of the application by the Service Provider. The Data Protection Officer appointed by the Service Provider shall be consulted on how to deal with the submitted request.
The Service Provider shall provide the Applicant with a response to the request within one month of receipt. In objectively complicated cases (i.e. requiring a lot of work on the part of the Company), the aforementioned deadline shall be extended to 2 (two) months, of which the Applicant shall be informed without delay. At the same time, the Service Provider will endeavour to ensure that the deadline is not extended.

8.7. The Service Provider shall provide the Applicant with a response to the request within one month of receipt. In objectively complicated cases (i.e. requiring a lot of work on the part of the Company), the aforementioned deadline shall be extended to 2 (two) months, of which the Applicant shall be informed without delay. At the same time, the Service Provider will endeavour to ensure that the deadline is not extended.

IX. COOKIES

9.1. The Website uses cookies (i.e. small text files sent to the User’s device to identify it in a way necessary to simplify or cancel a given operation) to collect information related to the User’s use of the Website.

9.2. Information, including personal data, obtained in connection with the use of cookies on the Website is processed by the Service Provider and may be processed by its Partners, a list of which is available within the Cookie Settings panel (hereinafter referred to as the “Partners”).

9.3. The following types of cookies are used on the Website:

9.4. Types of cookies by period of storage in the browser:

9.5. Types of cookies by origin:

9.6. Cookies are used on the Website on the basis of the User’s consent given by selecting the appropriate option when using the Website, adjusting the cookie choices via the Cookie Settings panel or by configuring the User’s browser settings accordingly. Your consent to the use of cookies on the Website is voluntary.

9.7. Before giving your consent to the use of cookies, you are informed of the purposes for which cookies are used and of the possibility to change your cookie settings at any time.

9.8. The User can withdraw the consent previously given for the use of cookies and change the cookie settings at any time via the Cookie Settings panel, as well as delete cookies from the memory of the User’s device.

9.9. In addition, the User may at any time change the settings regarding cookies used on the Website in the settings of his/her Internet browser. Detailed information on how and where to change the cookie settings of the most popular web browsers can be obtained from the following addresses: