Dear Sir or Madam,

in connection with Art. 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46 / EC (GDPR), we inform you that:

1. The administrator of your personal data is Cleanproject z o.o. sp.k, Aleja Krakowska 110/114, Building B-25, 02-256 Warsaw, hereinafter referred to as the Administrator, contact regarding data protection is possible at the following e-mail address: office@cleanproject.pl or tel. +48 786 863 790.

2. The purpose of processing personal data by Cleanproject z o.o. sp.k, is mostly the fulfillment of orders/sale contracts and contracts for the provision of services, including trainings, in compliance with our offer, as well as the execution of legal obligations and enforcing any claims arising from civil law and defense against claims, if they appear.

3. The legal basis for the processing of your personal data is:

4. • 6 sec. 1 letter b of the GDPR, i.e. processing is necessary to conclude and/or execute the contract that binds us;
   • 6 sec. 1 lit. c GDPR, i.e. processing is necessary to fulfill our obligations, such as accounting and financial settlements, including tax settlements;
   • 6 sec. 1 lit. f GDPR, i.e. processing is necessary for the purposes of the legitimate interests of the Administrator, which may be: the possible need to defend or implement civil law claims, direct marketing of products and services, as well as the execution of the contract concluded with Cleanproject Sp. z o.o. sp.k on your behalf as a third party, when a party to the contract is another entity or when you are the contact person for the purpose of executing the contract.
   • 6 sec. 1 lit. a GDPR, i.e. processing takes place on the basis of the given consent (exceptional situations, e.g. using your image)

4. We usually receive your data directly from you as a result of establishing business contacts. It may happen that we receive it from third parties, e.g. your employer/contractor if you are the person for whom the contract is being executed or when, for example, you are given as a contact person for the purpose of executing the contract.

5.The recipients of personal data are only entities authorized to obtain personal data on the basis of legal provisions or in connection with contracts concluded with the Administrator. The following can be considered recipients:

• banks and other entities in the field of payment processing
• postal operators, courier companies
• entities cooperating with us in the field of IT services, e.g. maintenance and updating of the IT system, hosting services, website maintenance, entities providing HR and accounting services,
• entities cooperating with us in the implementation of trainings, eg the Polish Association of Clean Technologies or ICCCS (International Confederation of Contamination Control Societies) as an accreditation institution.

6. Providing personal data is voluntary, but necessary for the conclusion and execution of the contract, refusal to provide it may result in the inability to conclude and/or execute the contract.

7. Personal data will be stored for the period required by law, not longer than 10 years, as this is the period of possible claim assertion. In the case of data processing on the basis of consent, it will be processed until the purpose of processing ceases or the consent is withdrawn.

8. Your data, as a rule, is not transferred outside the European Economic Area. However, it may happen that as part of the use of sub-supplier tools, such as Microsoft Teams, the data is placed on servers in the USA. In such a case, Microsoft, within the scope of applicable contractual clauses, ensures that this processing is carried out in accordance with applicable regulations, using appropriate legal mechanisms and security standards. In the case of organizing IEC training accredited by ICCCS and passing the exams, the names and surnames of people who have obtained the certificate, as well as their country of origin, and the date and type of the course are entered and published in the register, available at the link: https://www.icccs.net / graduate-register /. ICCCS is the data controller and its privacy policy is available at https://www.icccs.net/privacy-policy-2/.

9. Under the terms of the GDPR, you have the right to:

• access to the content of the data, including the right to obtain a copy of this data,
• rectification of data,
• deletion of data,
• data processing restrictions,
• data portability,
• raise an objection,
• withdrawal of consent in the event that the Administrator has obtained such consent to the processing of personal data (however, this withdrawal will not affect the lawfulness of the processing carried out before its withdrawal),
• bring a complaint with the supervisory body (the President of the Personal Data Protection Office) if it is found that the processing of personal data violates the provisions of Regulation EU 2016/679 on data protection (GDPR).

10. We do not make decisions that would be based on the automated processing of your data, including profiling.