Privacy Policy


PERSONAL DATA PROTECTION POLICY
of VISIONCUBE S.A., based in Krakow

1. This “Personal Data Protection Policy” (hereinafter: the Policy) constitutes a set of requirements, principles, and regulations for personal data protection at VISIONCUBE SA, based in Kraków (hereinafter: the Company). This Policy is a personal data protection policy within the meaning of the GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p.1).

2. The Policy includes:
a) a description of the data protection principles applicable in the Company,
b) references to annexes providing further details (model procedures or instructions related to specific areas of personal data protection).

3. The responsibility for implementing, maintaining, and applying this Policy lies with the Company’s Management Board and, to the appropriate extent:
a) the organizational unit responsible for information security,
b) organizational units processing personal data on a large scale,
c) other organizational units,
d) other members of the Company’s personnel.

4. ABBREVIATIONS AND DEFINITIONS

Policy refers to this Personal Data Protection Policy unless explicitly stated otherwise in the context.

GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p.1).

Data refers to personal data unless explicitly stated otherwise in the context.

Personal data refers to information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special categories of data refers to data listed in Article 9(1) of the GDPR, i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, or data concerning health, sexuality, or sexual orientation.

Criminal data refers to data listed in Article 10 of the GDPR, i.e., data relating to criminal convictions and offenses.

Children’s data refers to data of individuals under the age of 16.

Person refers to the data subject unless explicitly stated otherwise in the context.

Processor refers to an organization or individual to whom the Company has entrusted the processing of personal data (e.g., an IT service provider, external accounting).

Profiling refers to any form of automated processing of personal data involving the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Processing refers to any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data export refers to the transfer of data to a third country or an international organization.

DPO (Data Protection Officer) refers to the Data Protection Officer.

RCPD (Register of Processing Activities) refers to the Register of Personal Data Processing Activities.

Company refers to VISIONCUBE Spółka Akcyjna, based in Kraków, KRS 0000681341, NIP 6793089422, REGON 122780360, address: ul. gen. Bohdana Zielińskiego 22, 30-320 Kraków.

5. PRINCIPLES AND SYSTEM OF PERSONAL DATA PROTECTION

5.1. Pillars of Personal Data Protection in the Company

(1) Accountability – The Company documents how it fulfills its obligations to demonstrate compliance at any time.
(2) Legality – The Company ensures privacy protection and processes data in compliance with the law.
(3) Security – The Company ensures an appropriate level of data security.
(4) Individual Rights – The Company enables individuals whose data it processes to exercise their rights and ensures these rights are fulfilled.

5.2. Data Protection Principles

The Company processes personal data in accordance with the following principles:

(1) Ensuring appropriate data security (security);
(2) Based on a legal basis and in compliance with the law (legality);
(3) Fairly and honestly (fairness);
(4) Transparently for the data subject (transparency);
(5) For specific purposes and not excessively (purpose limitation);
(6) No more than necessary (data minimization);
(7) With a focus on data accuracy (accuracy);
(8) No longer than necessary (storage limitation).

5.3. Data Protection System

The personal data protection system in the Company consists of the following elements:

1. Data Inventory. The Company identifies its personal data resources, data classes, dependencies between data resources, and methods of data usage (inventory), including:
a) processing of special categories of data and criminal data;
b) processing of data of unidentified individuals (unidentified data/UFO);
c) processing of children’s data;
d) profiling;
e) joint data administration.

2. Register. The Company develops, maintains, and updates a Register of Personal Data Processing Activities (Register), which serves as a compliance monitoring tool.

3. Legal Bases. The Company identifies, verifies, and records the legal bases for data processing, including:
a) managing the consent system for data processing and remote communication,
b) documenting cases where the Company processes data based on its legitimate interest.

4. Handling Individual Rights. The Company fulfills its informational obligations and enables individuals to exercise their rights by processing received requests, including:
a) Informational obligations – Providing legally required information when collecting data and in other relevant situations;
b) Processing requests – Ensuring the ability to fulfill different types of requests;
c) Handling requests – Allocating appropriate resources and procedures to process requests in accordance with GDPR deadlines and documentation requirements;
d) Breach notifications – Implementing procedures to determine whether individuals affected by a data breach need to be notified.

5. Minimization. The Company follows principles of privacy by default, including:
a) Managing data adequacy;
b) Regulating and managing data access;
c) Setting and reviewing data retention periods.

6. Security. The Company ensures an appropriate level of data security by:
a) Conducting risk assessments for data processing activities;
b) Conducting Data Protection Impact Assessments (DPIA) where risks to individuals’ rights and freedoms are high;
c) Adjusting security measures according to identified risks;
d) Implementing an information security management system;
e) Managing data breaches, including identification, evaluation, and reporting to the Data Protection Authority.

7. Data Processors. The Company follows procedures for selecting data processors, establishing data processing agreements, and verifying compliance with contractual obligations.

8. Data Transfers. The Company regularly verifies whether data is transferred outside the EU, Norway, Liechtenstein, or Iceland or to international organizations and ensures legal compliance if such transfers occur.

9. Privacy by Design. The Company manages privacy-related changes by incorporating data protection requirements and risk analysis into new projects and investments, ensuring data security and minimization from the design phase.

10. Cross-Border Processing. The Company regularly assesses whether cross-border processing occurs and determines the lead supervisory authority and main establishment in accordance with GDPR.

6. DATA INVENTORY

6.1. Special Categories of Data and Criminal Data
The Company identifies cases where it processes or may process special categories of data or criminal data and maintains dedicated mechanisms to ensure the lawful processing of such data. When such cases are identified, the Company follows the established principles in this regard.

6.2. Unidentified Data
The Company identifies cases where it processes or may process unidentified data and maintains mechanisms to facilitate the exercise of rights for individuals whose data is unidentified.

6.3. Profiling
The Company identifies instances where it conducts profiling of processed data and ensures compliance with legal requirements. In cases of profiling or automated decision-making, the Company follows the established principles for such processes.

6.4. Joint Controllership
The Company identifies instances of joint data controllership and adheres to the established principles in this area.

7. RECORD OF PROCESSING ACTIVITIES (RPA)

7.1. The Record of Processing Activities (RPA) serves as a means of documenting data processing activities, acts as a data processing map, and is one of the key elements enabling compliance with the accountability principle.

7.2. The Company maintains a Record of Processing Activities, in which it inventories and monitors how personal data is used.

7.3. The RPA is one of the fundamental tools that enable the Company to demonstrate compliance with data protection obligations.

7.4. For each processing activity that the Company deems separate for RPA purposes, the following details are recorded:
a) name of the processing activity,
b) purpose of processing,
c) description of data subject categories,
d) description of data categories,
e) legal basis for processing,
f) data source,
g) planned data deletion date (if applicable),
h) name of the joint controller (if applicable),
i) description of data recipient categories (including processors),
j) general description of technical and organizational data protection measures,
k) information about data transfers outside the EU/EEA, to third countries, or international organizations.

7.5. A template for the RPA is provided as Annex No. 1 to this Policy – “Template for the Record of Processing Activities.” The template also includes optional columns. The Company records information in optional columns as needed and where possible.

8. LEGAL BASES FOR PROCESSING

8.1. The Company documents the legal bases for data processing in the Record of Processing Activities for each processing activity.

8.2. When indicating a general legal basis in documents (e.g., consent, contract, legal obligation, vital interests, public task/public authority, legitimate interest of the Company), the Company specifies the basis in a precise and transparent manner when necessary. For example: consent – specifying its scope, legal basis – citing specific legal provisions and related documents (e.g., contract, administrative agreement), vital interests – identifying categories of events where they materialize, legitimate interest – specifying a concrete purpose, such as direct marketing or claim enforcement.

8.3. The Company implements consent management methods that allow for the registration and verification of individuals’ consent for processing their specific data for specific purposes, consent for remote communication (e.g., email, phone, SMS), as well as the registration of consent withdrawal, objections, restrictions, and similar actions.

9. HANDLING INDIVIDUAL RIGHTS AND INFORMATION OBLIGATIONS

9.1. The Company ensures clarity and accessibility in the information and communication it provides to individuals whose data it processes.

9.2. To facilitate the exercise of individual rights, the Company undertakes various actions, including: posting information on its website or providing links to details about individuals’ rights, explaining how these rights can be exercised within the Company, outlining identification requirements, providing contact methods for submitting requests, disclosing any applicable fees for “additional” requests.

9.3. The Company ensures compliance with legal deadlines for fulfilling its obligations towards individuals.

9.4. Adequate methods of identification and authentication are implemented to support the exercise of individual rights and the fulfillment of information obligations.

9.5. To facilitate the exercise of individual rights, the Company maintains procedures and mechanisms that allow it to identify a specific individual’s data processed by the Company, integrate that data, and modify or delete it in a coordinated manner.

9.6. The Company documents the handling of information obligations, notifications, and individuals’ requests.

10. INFORMATION OBLIGATIONS

10.1. The Company establishes lawful and effective methods for fulfilling its information obligations.

10.2. The Company informs individuals if the deadline for processing their request is extended beyond one month.

10.3. The Company notifies individuals about the processing of their data when collecting it directly from them.

10.4. The Company notifies individuals about the processing of their data when collecting it indirectly from other sources.

10.5. Where possible, the Company defines methods for informing individuals about the processing of unidentified data (e.g., a sign indicating an area is under video surveillance).

10.6. The Company informs individuals about any planned changes to the purpose of data processing.

10.7. The Company notifies individuals before lifting any restrictions on data processing.

10.8. The Company informs data recipients about data rectification, deletion, or restriction of processing unless this requires disproportionate effort or is impossible.

10.9. The Company informs individuals of their right to object to data processing no later than at the first contact.

10.10. The Company promptly notifies individuals of personal data breaches if they may pose a high risk to their rights or freedoms.

11. REQUESTS FROM INDIVIDUALS

11.1. Rights of Third Parties. When fulfilling the rights of data subjects, the Company implements procedural safeguards to protect the rights and freedoms of third parties. In particular, if the Company receives reliable information that fulfilling a data subject’s request for a copy of data or the right to data portability may adversely affect the rights and freedoms of others (e.g., data protection rights of other individuals, intellectual property rights, trade secrets, personal rights), the Company may ask the data subject for clarification or take other legally permitted actions, including refusal to comply with the request.

11.2. Non-Processing. If a person submits a request concerning their rights, and the Company does not process any data concerning them, the Company informs the person of this fact.

11.3. Refusal. The Company informs the person within one month of receiving a request if it refuses to consider the request and provides information about the person’s rights in connection with the refusal.

11.4. Access to Data. Upon request, the Company informs the person whether it processes their data and provides details about the processing in accordance with Article 15 of the GDPR (covering information obligations at the time of data collection). The Company also grants access to the person’s data, which may be provided in the form of a copy of the data.

11.5. Copies of Data. Upon request, the Company provides the data subject with a copy of their data and records the issuance of the first copy. The Company establishes and maintains a pricing policy for additional copies of data, based on the estimated unit cost of processing such requests.

11.6. Data Rectification. The Company corrects inaccurate data upon the data subject’s request. The Company has the right to refuse rectification unless the person reasonably demonstrates the inaccuracy of the data they wish to correct. When data is rectified, the Company informs the data subject about data recipients upon request.

11.7. Data Completion. The Company completes and updates data upon request. However, it may refuse to complete data if the requested addition is inconsistent with the purposes of data processing (e.g., if the data is unnecessary for the Company). The Company may rely on the data subject’s statement regarding the additional data unless Company procedures, applicable law, or reasonable doubts require further verification.

11.8. Data Erasure. The Company erases data upon the person’s request if:
(a) the data is no longer necessary for the purposes for which it was collected or processed,
(b) consent for processing has been withdrawn, and no other legal basis exists,
(c) the person has submitted a valid objection to processing,
(d) the data was processed unlawfully,
(e) deletion is required to comply with a legal obligation,
(f) the request concerns data collected from a child based on consent in connection with information society services (e.g., a child’s social media profile, participation in an online contest).

The Company defines the procedure for handling the right to data erasure in a way that ensures the effective exercise of this right while respecting all data protection principles, including security, as well as verifying whether any exceptions under Article 17(3) of the GDPR apply.

If the data subject to erasure has been made public by the Company, the Company takes reasonable measures, including technical means, to inform other controllers processing such personal data about the need to erase the data and restrict access to it. In the event of data erasure, the Company informs the data subject about the recipients of the data upon request.

11.9. Restriction of Processing. The Company restricts processing upon request if:
(a) the person contests the accuracy of the data, for a period allowing verification of its accuracy,
(b) processing is unlawful, and the person opposes deletion, requesting restriction instead,
(c) the Company no longer needs the data, but the data subject requires it for the establishment, exercise, or defense of legal claims,
(d) the person objects to processing based on their specific situation until the Company determines whether it has compelling legitimate grounds that override the objection.

During the restriction of processing, the Company stores the data but does not process it (i.e., does not use or transfer it) without the consent of the data subject, unless it is for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for important reasons of public interest. The Company informs the data subject before lifting the restriction on processing.

In the event of a restriction on data processing, the Company informs the data subject about the recipients of the data upon request.

11.10. Data Portability. Upon request, the Company provides the data subject with their data in a structured, commonly used, machine-readable format or transfers it to another entity if technically feasible. This applies to data provided by the data subject that is processed based on consent or a contract and is stored in the Company’s IT systems.

11.11. Objection Based on Special Circumstances. If a person objects to processing based on their specific situation and the data is processed under the Company’s legitimate interest or a public interest task assigned to the Company, the Company will honor the objection unless it has compelling legitimate grounds for processing that override the person’s rights or if the processing is necessary for legal claims.

11.12. Objection in Research, Historical, or Statistical Processing. If the Company processes data for scientific, historical, or statistical purposes, the data subject may object to such processing based on their specific situation. The Company will consider the objection unless the processing is necessary to perform a task carried out in the public interest.

11.13. Objection to Direct Marketing. If a person objects to processing for direct marketing purposes (including potential profiling), the Company will honor the objection and cease such processing.

11.14. Right to Human Intervention in Automated Processing. If the Company processes data automatically, including profiling, and makes decisions with legal or similarly significant effects on a person, it ensures that the person can request human intervention and decision-making. This does not apply if the automated decision is: (i) necessary for entering into or performing a contract between the person and the Company, or (ii) explicitly permitted by law, or (iii) based on the person’s explicit consent.

12. MINIMIZATION

The Company ensures data processing minimization in terms of: (i) adequacy of data for its purposes (amount of data and processing scope), (ii) access to data, (iii) data retention period.

12.1. Scope Minimization

The Company has reviewed the scope of collected data, the extent of its processing, and the amount of processed data for adequacy in relation to processing purposes as part of its GDPR implementation. The Company conducts periodic reviews of the amount and scope of data processing at least once a year. The Company verifies changes in the amount and scope of data processing as part of its change management procedures (privacy by design).

12.2. Access Minimization

The Company applies data access restrictions, including: legal (confidentiality obligations, authorization scopes), physical (access zones, locked premises), logical (restricted permissions for data processing systems and network resources where personal data resides).

The Company enforces physical access controls.

The Company updates access rights when personnel changes occur, roles are modified, or when data processors change.

The Company conducts periodic reviews of system users and updates their access rights at least once a year.

12.3. Retention Minimization

The Company implements mechanisms for controlling the lifecycle of personal data, including assessing data relevance against the timelines and checkpoints specified in the Register. Data that loses its relevance over time is removed from the Company’s production systems, as well as from working and main records. Such data may be archived or stored in backup copies of systems and processed information. Archiving and backup procedures take into account data lifecycle management requirements, including obligations to delete data when necessary.

13. SECURITY

The Company ensures a level of security appropriate to the risk of violating the rights and freedoms of individuals as a result of the processing of personal data by the Company.

13.1. Risk Analysis and Adequacy of Security Measures

The Company conducts analyses to assess the adequacy of personal data security measures. To achieve this:
a) The Company ensures an appropriate level of knowledge regarding information security, cybersecurity, and business continuity—either internally or with the support of specialized entities.
b) The Company categorizes data and processing activities based on the level of risk they present.
c) The Company conducts risk assessments regarding potential violations of individuals’ rights and freedoms related to data processing activities or their categories. This includes analyzing potential scenarios and situations that may lead to data breaches, considering factors such as the nature, scope, context, and purposes of processing, as well as the probability and severity of risks to individuals’ rights and freedoms.
d) The Company determines applicable organizational and technical security measures and evaluates the cost of their implementation. These measures include, among others:
– Data encryption,
– Other cybersecurity measures to ensure the continuous confidentiality, integrity, availability, and resilience of processing systems and services,
– Business continuity and disaster recovery measures, ensuring rapid restoration of personal data access and availability in case of a physical or technical incident.

13.2. Data Protection Impact Assessments

The Company conducts Data Protection Impact Assessments (DPIAs) for planned processing operations where risk analysis indicates a high risk of rights and freedoms violations. The Company follows a standardized methodology for conducting such assessments.

13.3. Security Measures

The Company applies security measures established through risk analysis, security adequacy assessments, and data protection impact assessments. Personal data security measures form part of the Company’s broader information security and cybersecurity framework.

The Company implements, among others, the following security measures:

– Locked cabinets,
– Secured office spaces,
– Alarm systems,
– Password-protected computer systems,
– Antivirus software,
– Access level restrictions in software applications.

13.4. Breach Reporting

The Company follows procedures for identifying, assessing, and reporting data breaches to the Data Protection Authority within 72 hours of detecting a violation.

14. PROCESSORS

The Company has established principles for selecting and verifying data processors acting on its behalf. These principles are designed to ensure that processors provide sufficient guarantees of implementing appropriate organizational and technical measures to ensure security, enforce individual rights, and fulfill other data protection obligations imposed on the Company.

The Company has adopted minimum requirements for data processing agreements, which are outlined in Annex No. 2 to the Policy – “Template Data Processing Agreement.”

The Company holds processors accountable for their use of sub-processors and for compliance with other requirements set forth in the Principles of Data Processing Delegation.

15. DATA EXPORT

The Company records cases of data export, meaning the transfer of data outside the European Economic Area (EEA), in the Register.

To prevent unauthorized data exports, particularly through the use of publicly available cloud services (shadow IT), the Company periodically reviews user activities and, whenever possible, provides legally compliant, data protection-friendly alternatives.

16. PRIVACY BY DESIGN

The Company manages changes affecting privacy in a way that ensures appropriate data security and processing minimization from the outset.

To achieve this, the Company’s project and investment guidelines incorporate principles of data security and minimization. These guidelines require privacy and data protection impact assessments, ensuring security and minimal data processing are built into projects and investments from the design phase.

17. FINAL PROVISIONS

This Policy has been in effect since May 25, 2018.

Annex No. 1 to the Policy – “Template of the Data Processing Activities Register”

Annex No. 2 to the Policy – “Template of the Data Processing Agreement”

Cookies:

Our website uses cookies for statistical, advertising, and functional purposes. These allow us to tailor the website to your individual needs. You can accept cookies or disable them in your browser settings, preventing any data collection.

GDPR Compliance:

Dear Users,

Following the enforcement of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data (GDPR), we inform you that:

  1. The Data Controller of your personal data is VISIONCUBE S.A., headquartered in Kraków, address: ul. gen. Bohdana Zielińskiego 24, 30-320 Kraków, Poland, registered in the National Court Register (KRS 0000681341), NIP 6793089422.
  2. Your personal data is processed for the following purposes:
    a) Entering into and performing contracts – providing services.
    b) Maintaining records of electronic correspondence.
    c) Analytical and marketing purposes.
    The legal basis for processing is contract performance (Article 6(1)(b) GDPR) and, regarding correspondence records, analytics, and marketing activities, the legitimate interest of the Controller (Article 6(1)(f) GDPR).
  3. Recipients of personal data may include:
    • Service providers supporting the Controller (e.g., accounting, IT, and legal firms).
    • Business partners (e.g., distributors, insurance companies, financial entities).
    • Public authorities where required by law.
  4. Providing personal data is necessary for entering into and performing a contract. Failure to provide data will result in the inability to conclude and perform the contract.
  5. Personal data will be stored for the duration of the cooperation and for up to 10 years after its termination.
  6. Your data is not transferred outside the European Economic Area (EEA) or to any international organizations.
  7. Automated decision-making, including profiling, is not applied to your data.
  8. You have the right to:
    • Access your data and obtain a copy.
    • Request correction, deletion, or restriction of processing.
    • Data portability.
    • File a complaint with the President of the Office for Personal Data Protection (UODO).

For any inquiries regarding personal data processing, please contact us at: info@visioncube.pl.