Centrum Turystyki OSKAR sp. z o.o. with its registered office in Poznań (61-738), ul. Plac Wolności 2/7, National Court Register Number: 0000454393 as the owner of www.oskargroup.com.pl strives to do everything possible to ensure that your privacy is adequately protected. In order to implement lawful (GDPR), transparent and secure processing of your personal data, we adopt the following Privacy Policy. Pursuant to Article 13 (1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), we inform:
1. General Information:

a. The Controller of Personal Data within the meaning of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Official Journal of the EU L 2016, Number 119)
(hereinafter referred to as the GDPR) is Centrum Turystyki OSKAR sp. z o.o, Tax Identification Number: 7831697817, National Business Registry Number: 30237806400000, National Court Register Number: 0000454393, based in Poznań, ul. Plac Wolności 2/7,
e-mail: rodo@oskar.com.pl
b. The User, within the meaning of this Privacy Policy, is an individual who uses the Controller’s website, including the Controller’s
contact forms
c. Contact in matters concerning the processing of personal data by the Controller: rodo@oskar.com.pl

2. Purpose of data processing by the Controller.

a. The User entrusts the processing of personal data to the Controller for the purpose of handling a recruitment, inquiry or order placed through the contact form.
b. The provision of personal data by the User when contacting us is voluntary, and the data provided will be used (when applicable) only for purposes:
a. Providing a response.
b. Presenting the Controller’s offer.
c. Securing the Controller’s network systems (e.g.: protection against spam and DDOS attacks).
d. In order to measure audiences on the Web.
e. Recruiting an employee.
c. Granting consent by providing contact information is voluntary, but in some instances, failure to provide such information may prevent us from handling an inquiry/order placed via the contact form.

3. Legal basis for data processing by the Controller.
a. The legal basis for the processing of personal data for the purposes stated in 2.b.a and 2.b.b. is the User’s consent (Art. 6. 1. a) of the GDPR), and/or Art. 6. 1. b) of the GDPR in the event
the User expresses a desire to enter into a contract.
b. The rationale for the processing of personal data for the purpose stated in 2.b.c is the legitimate interest pursued by the Controller (Art. 6 1. f) of the GDPR), and the legal basis
is provided by Recital 49 of the GDPR and the Regulation of the Minister of Internal Affairs and Administration of April 29, 2004 on the documentation of personal data
processing and the technical and organizational conditions to be met by devices and IT systems used for the processing of personal data.
c. The rationale for the processing of personal data for the purpose stated in 2.b.d is the legitimate interest pursued by the controller (Art. 6. 1. f) of the GDPR), and the legal basis
is Art. 8 point 1 d) of the Regulation of the European Parliament and of the Council on respect for private life and the protection of personal data in electronic communications and
repealing Directive 2002/58/EC (Regulation on privacy and electronic communications).
d. Personal data for the purpose stated in 2.b.e. are processed due to the desire to conclude a contract (Art. 6. 1. b) of the GDPR), and the legal basis for the data collected is Art. 221 Paragraph 1. of the Labor Code

4. Scope of data processing by the Controller
a. For the purposes indicated in 2.b.a. and 2.b.b., to the extent that the User voluntarily provides, the Controller may process:
a. name (contact person)
b. contact telephone number
c. contact e-mail address
d. Internet domain address (and any other related data provided by the User).
e. other data provided by the User
b. For the purpose stated in 2.b.c.:
a. IP address
b. meta data sent by the browser (or other end device establishing a connection to the Controller’s site)
c. For the purpose stated in 2.b.d.:
a. meta data sent by the browser
d. For the purpose stated in 2.b.e (recruitment), we will ask the applicant to provide data such as name, date of birth, place of residence (mailing
address), education and history of previous employment.
e. Recipients of personal data and transfer of personal data to a third country:
a. The User’s personal data related to the purposes listed in points 2.b.a. to 2.b.c. and 2.b.e. will be processed exclusively by the Controller.
b. Data related to the purpose in point 2.b.d. will be processed by the Controller and their partner, Google Inc. located in the USA which web audience measurement
tool (Google Analytics) is used by the Controller. This data is anonymous, and is not shared further.
c. Google, which performs the web audience measurement service for the Controller, has joined the EU-US Privacy Shield agreement, and according to the European Commission’s decision of July 12, 2016. IP/16/216, the transfer of personal data to entities based in the United States that have joined the aforementioned agreement ensures an adequate level of protection of personal data, in accordance with Article 45 of the GDPR;
f. The User’s personal data may be shared with the Controller’s group entities and the Controller’s partners with whom the Controller cooperates by bundling
products or services. If a partnership is entered into, data may also be accessed by subcontractors (processors), such as, for example: accounting firms, hosting
companies.

5. The rights of the User whose data is processed.
a. The User has the right to:
a. access to their personal data,
b. rectify personal data,
c. delete personal data,
d. restrict the processing of personal data
e. transfer the personal data
f. object to the processing of personal data
g. withdraw previously given consent to the processing of personal data
b. In order to exercise their rights, the User should send an e-mail to the address specified in 1.a., a letter to the registered office address specified in 1.a. or contact by phone at the number specified in 1.a.
c. The Controller shall execute the User’s request immediately, provided that the deletion or restriction of the possibility of processing the data may affect the possibility or scope of proper handling of the submitted inquiry/order.

6. The period of processing of personal data by the Controller.
a. The Controller shall store the Users’ personal data for a period no longer than it is necessary to process a submitted inquiry/order, including the preparation of
a personalized commercial offer, and to enable the Controller to perform their obligations.
b. At any time, the User may request deletion of their personal data. In such an event, they will be deleted immediately, but this may involve the interruption of service to the submitted request.

7. Information stored on the User’s end device (Cookies).
a. In order to ensure proper operation of the site, and in particular to adapt the content of the site and advertising to the User’s preferences and optimize the use of the site, the Controller may use the capabilities of the terminal device for processing and storage and may collect information from the User’s end device.
b. The data described in point 1. will be used by the Controller only to the extent necessary to provide the services requested by the User and to protect network
systems.
c. The User can decide themselves what data will be sent to the Controller by changing the settings of their browser (e.g. by blocking the storage of cookies).
d. The website uses web traffic analysis scripts (Google Analytics) provided by Google Inc. based in the USA, (Google Adwords) provided by
Google Ireland Limited based in Ireland, (Facebook) provided by Facebook Ireland Ltd. based in Ireland. These scripts may store data (e.g.: cookies)
on their end device. The User can disallow this by blocking cookies and other data from third-party sites in their browser.
e. Instructions on how to change the settings described in subsections 3 and 4 can be found in the browser’s settings, its user manual or on the manufacturer’s website.
f. The User can delete cookies at any time using the available functions in the web browser they are using. Restricting the use of cookies may
affect some of the functionality available on the website.
g. In order to opt out of displaying personalized Google advertisements (AdWords and others) based on the use of the Service, the User may make the appropriate changes in
the advertising settings with the help of the tool available at https://adssettings.google.pl/authenticated and clear the cookies in the web browser. Facebook ads based on the use of the Website, the User can make the appropriate changes to the ad settings with the help of the instructions provided at https://www.facebook.com/help/1075880512458213/ and clear the cookies in the web browser. To block data collection by Google analytical tools (Analytics, Optimize and others) and Facebook, the User can disable the acceptance of cookies and data of third-party sites in their browser settings, clear cookies in their web browser, use add-ons to block the tools (e.g. https://tools.google.com/dlpage/gaoptout/?hl=pl) or use the Website in browser mode without saving information in cookies.
h. more information on cookies can be found at: http://wszystkoociasteczkach.pl/

8. Filing a complaint:
a. The User has the right to object to the processing of their personal data, on the basis of which the Controller will stop processing the data in the indicated scope / purpose. In order to object, it is necessary to send a message as described in point 5.b.
b. The User has the right to file a complaint against the Controller to the supervisory authority, which is the President of the Office for Personal Data Protection.

9. Responsibilities of the Controller
a. The Personal Data Controller undertakes to undertake security measures for the processing of personal data to the extent specified in the Law, and in particular
undertakes to:
b. Safeguard the data from being accessed by unauthorized persons, from being taken by an unauthorized person, from being altered, damaged or destroyed.
c. Allow only persons with authorization issued by them to process personal data.
d. Ensure control over the correctness of personal data processing.
e. Maintain a record of persons authorized to process personal data, exercise special care to ensure that persons authorized to process such data
keep them confidential, even after the Controller’s implementation, including by informing them of the legal consequences of violating the confidentiality of the data and collecting declarations of the obligation to keep the data confidential.
f. Maintain documentation required by law describing the manner of processing entrusted personal data and technical and organizational measures to ensure
the protection of the processing of such data, including in particular: Register of Data Processing Processes, the Personal Data Security Policy, and the Management Manual for the Information System used for Personal Data Processing.
g. Ensure that IT and telecommunication devices and systems used for the processing of personal data comply with the requirements of the Regulation of the Ministry of
Internal Affairs and Administration of April 29, 2004 on the documentation of processed personal data and technical and organizational conditions to which
the devices and systems should conform.”