PERSONAL DATA

I.        DEFINITIONS

1.      Administrator - ORLEN Laboratorium S.A. with its registered office in Płock, ul. Chemików 7 , entered in the register of entrepreneurs of the National Court Register under numer 0000628738. Contact telephone numbers for ORLEN Laboratorium SA: (24) 256 81 25.

2.      Personal data / data - any information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data , information contained in correspondence, information collected via recording equipment or other similar technology.

3.      GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46 / EC.

4.      Data subject - a natural person to whom the personal data processed by the Administrator relate, e.g. a person using the Administrator's services , providing services to the Administrator or sending an inquiry to the Administrator in traditional or electronic written form .

II.       DATA PROCESSING BY THE ADMINISTRATOR

1.      In connection with the conducted business activity, the Administrator collects and processes personal data in accordance with the provisions on the protection of personal data , in particular with the provisions of RODO and the rules provided for therein.

2.      The Administrator:

2.1.   ensures transparency of the processing of personal data ;

2.2.   informs about the processing of data, in particular about the purpose and legal basis of the processing of personal data, unless it is not obliged to do so pursuant to separate provisions;

2.3.   ensures that the data are collected only to the extent necessary for the indicated purpose and the data are processed only for the period in which it is necessary;

2.4.   ensures the security and confidentiality of data as well as access to information on processing to data subjects.

III.     CONTACT WITH THE ADMINISTRATOR

1.      Contact with the Administrator is possible via the e-mail address : daneosobowe@orlenLaboratorium.pl or by correspondence address: ORLEN Laboratorium S.A., ul. Chemików 7, 09-411 Płock . It is also possible to contact the Administrator by phone to the phone numbers indicated in point 1.1.

2.      The administrator appointed the Data Protection Officer Marlena Sosnowska. You can contact the Data Protection Officer in ORLEN Laboratorium S.A. by e-mail to: daneosobowe@orlenLaboratorium.pl in any matter regarding the processing of personal data or in writing to the following address: ORLEN Laboratorium S.A., ul. Chemików 7, 09-411 Płock with the note "Data Protection Officer" .

IV.      SECURITY OF PERSONAL DATA

1.      In order to ensure the integrity and confidentiality of the personal data, the Administrator has implemented procedures providing access to personal data only to authorized persons and only to the extent that it is necessary due to the tasks performed by them. The administrator uses organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.

2.      The administrator shall take all necessary measures to also its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data at the request of the Administrator.

3.      The administrator shall conduct an ongoing risk analysis and monitors the adequacy of the personal data security applied to the identified threats. If necessary, the Administrator implements additional measures to increase security .

V.       PURPOSES AND LEGAL BASIS FOR PROCESSING

CORRESPONDENCE ( EMAIL , TRADITIONAL )

1.      In the case of sending to the Administrator via e- mail or traditionalcorrespondence not related to the contract concluded with the sender or the services provided, the personal data contained in this correspondence are processed solely for the purpose of communication and resolve the matter, which concerns the correspondence.

2.      The legal basis for the processing of personal data is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activity.

3.      The administrator processes only personal data relevant to the case related to the correspondence. All correspondence is stored in a manner ensuring the security of the personal data contained therein (and other information ) and disclosed only to authorized persons .

TELEPHONE CONTACT

4.      In the event of contacting the Administrator by phone, in matters not related to the concluded contract or services provided, the Administrator may request the provision of Personal Data only if it is necessary to handle the case to which the contact relates. In this case, the legal basis is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the need to resolve the reported matter related to his business activity.

CONTACT FORMS

5.      The administrator provides the option of contacting with him using electronic contact forms available on the Administrator^ websites. In the case of using the contact form, it is required to provide personal data necessary to make contact and answer the inquiry. Providing personal data is necessary to the extent necessary to accept and handle the inquiry as well as to answer the inquiry.

6.      Personal data areprocessed in order to identify the sender and handle his inquiry sent via the provided form. In the case of inquiries related to the contract concluded with the sender or the services provided, the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR). In the case of inquiries not related to the contract concluded with the sender or the services provided, the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in answering the inquiry.

7.       The administrator processes only personal data necessary to answer the inquiry.

DATA PROCESSING IN CONNECTION WITH THE PROVISION OF SERVICES OR THE PERFORMANCE OF OTHER CONTRACTS

8.      In the case of collecting data for purposes related to the conclusion or performance of a specific contract, the Administrator provides the data subject with detailed information regarding the processing of his/her personal data at the time of concluding the contract or at the time of obtaining personal datawhen processing is necessary for the administrator to take action on request from the data subject, prior to concluding the contract. The scope of the transferred data is in any case limited to the extent necessary for the above- mentioned goals. The legal basis in this case is the necessity to perform the contract to which the data subject is a party, or to take action at the request of the data subject before concluding the contract (Article 6 (1) (b) of the GDPR).

DATA PROCESSING IN CONNECTION WITH THE PROVISION OF SERVICES RELATED TO THE USE OF PROGRAMS / APPLICATIONS OFFERED BY THE ADMINISTRATOR

9.      In the case of collecting data for purposes related to the use of programs / applications offered by the Administrator, the Administrator provides the data subject with detailed information on the processing of his/her personal data at the time of joining the program / application , this information can be found in the regulations dedicated to a specific program and / or application. The scope of the transferred data is in any case limited to the extent necessary for the above-mentioned goals. The legal basis in this case is the necessity to perform the contract to which the data subject is a party, or to take action at the request of the data subject before concluding the contract (Article 6 (1) (b) of the GDPR).

PROCESSING OF PERSONAL DATA MEMBERS OF BODIES, PROXIES , AGENTS OR CONTRACTORS OR PERSONNEL CUSTOMERS COOPERATING WITH THE ADMINISTRATOR

10.    In connection with concluding contracts as part of the conducted activity, the Administrator obtains from contractors / clients the data of members of bodies, proxies or persons involved in the implementation of such contracts (e.g. contact persons, executing orders, etc.). The scope of the transferred data is in any case limited to the extent necessary to confirm the rights to represent and perform the contract and usually does not include information other than the name and business contact details.

11.    Such personal data are processed in order to implement the legitimate interest of the Administrator and its contractor (Article 6 (1) (f) of the GDPR), consisting in enabling the correct and effective performance of the contract. Such data may be disclosed to third parties involved in the performance of the contract.

12.    The data are processed for the period necessary to implement the above-mentioned interests and fulfill the obligations resulting from the regulations.

DATA COLLECTION AS PART OF BUSINESS CONTACTS

13.     In connection with the conducted activity, the Administrator collects personal data also in other cases - e.g. during business meetings - for purposes related to initiating and maintaining business contacts. The legal basis for processing in this case is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in creating a network of contacts in connection with the conducted activity.

14.     Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator ensures their appropriate protection.

RECRUITMENT

15.     As part of the recruitment processes, the Administrator expects the transfer of personal data (e.g. in a CV or curriculum vitae) only to the extent specified in the Labor Code . If the position for which the candidate is applying requires the submission of a certificate of clean criminal record , the transfer of the certificate takes place in accordance with applicable law ( Article 6 (1) (c) of the GDPR). Information should not be provided to a wider extent.. In the event that the submitted applications contain additional data, exceeding the scope indicated in the law , their processing will be based on the consent of the candidate (Article 6 (1) (a) of the GDPR, and in the case of transfer of data belonging to a specific category of personal data Article 9 (1) (a) of the GDPR) expressed by an unequivocal act of confirmation, which is checking the appropriate checkbox. If the submitted applications contain information inadequate for the purpose of recruitment, they will not be used or taken into account in the recruitment process.

16.     Personal data are processed:

16.1.   in the event that the preferred form of employment is an employment contract - in order to perform obligations arising from legal provisions related to the employment process, in particular the Labor Code - the legal basis for processing is the legal obligation incumbent on the Administrator (Article 6 (1) (b) of the GDPR in connection with the provisions of labor law);

16.2.   if the preferred form of employment is a civil law contract - in order to conduct the recruitment process - the legal basis for the processing of data contained in the application documents is taking action before concluding the contract at the request of the data subject (Article 6 (1) (b) of the GDPR) ;

16.3.   in order to carry out the recruitment process in the field of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes - the legal basis for processing is consent (Article 6 (1) (a) of the GDPR or Article 9 (1) (a) of the GDPR );

16.4.   in order to verify the qualifications and skills of the candidate and to establish the terms of cooperation - the legal basis for data processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR). The Controller's legitimate interest is the verification of job candidates and the definition of the terms of possible cooperation;

16.5.   in order to establish or pursue possible claims by the Administrator or to defend against claims made against the Administrator - the legal basis for data processing is the Administrator's legitimate interest (Article 6 (1) (f) of the GDPR) ,

16.6.   in the case of use of the recruitment process tests and / or questionnaires the Administrator implements them with the consent of the candidate (art. 6 (1) (a) of the GDPR). The candidate has the right to refuse to take part in completing the test and / or questionnaire, which does not affect the recruitment process .

17.     To the extent that Personal data are processed based on the expressed consent can be withdrawn at any time without affecting the lawfulness of the processing done before its withdrawal. If consent is given for the purposes of future recruitment processes, personal data will be deleted no later than after 12 months - unless the consent has been withdrawn earlier.

18.     Providing data in the scope specified in art. 22 (1) of the Labor Code is required - if the candidate prefers employment based on an employment contract - by law, including primarily the Labor Code, and in the case of preferring employment based on a civil law contract - by the Administrator. The consequence of not providing this data is the inability to consider a given candidacy in the recruitment process. Providing other data is voluntary.

DATA COLLECTION IN CONNECTION WITH PERSONAL AND MATERIAL MOVEMENT

19.   The administrator of personal data of employees and guests staying in the facilities/areas covered by mandatory protection of ORLEN S.A./ANWIL S.A./ORLEN POŁUDNIE S.A. is each of the companies respectively.

20.   The Administrator processes personal data of employees and guests staying in the Administrator's facilities in order to ensure safety and protection of persons, areas, facilities and devices of ORLEN S.A./ANWIL S.A./ORLEN POŁUDNIE S.A., i.e. to ensure the movement of people and materials on the premises of ORLEN S.A./ANWIL S.A./ORLEN POŁUDNIE S.A.

21.   The legal basis for the processing of personal data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in ensuring the movement of persons and materials on the premises of ORLEN S.A./ANWIL S.A./ORLEN POŁUDNIE S.A.

PROFILES ON SOCIAL PORTALS AND WEBSITES

22.             The administrator has public profiles on social networks (LinkedIn) and websites . In connection with the above, the Administrator processes data that has been left by people visiting these profiles ( e.g. likes, comments, shares).

23.             The personal data of such persons are processed in order to enable them to be active on profiles, to provide information about initiatives taken by the Administrator, to promote various types of events, services and products, to conduct competitions and for statistical and analytical purposes. In addition, the data of such persons may be processed for the purpose of pursuing and defending against claims.

24.             The legal basis for the processing of personal data is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR), consisting in promoting its own brand, improving the quality of services provided and, if necessary, in pursuing claims and defending against claims.

NOTE: The above information does not apply to the processing of personal data by administrators of social networks.

VI.        DATA RECIPIENTS

1.      In connection with the conduct of business that requires the processing of personal data, personal data may be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, entities providing accounting services, postal operators, couriers.

2.      The Administrator reserves the right to disclose selected information about the Data Subject to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.

VII.       TRANSFER OF DATA OUTSIDE THE EEA

1.      The administrator does not transmit the personal data outside the European Economic Area ( " EEA "). If the transfer of personal data outside the EEA is necessary, it will be carried out only with an adequate level of protection, primarily through:

1.1.  cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued regarding the assurance of an adequate level of protection of personal data;

1.2.   use of standard contractual clauses issued by the European Commission;

1.3.   application of binding corporate rules approved by the competent supervisory authority;

1.4.  in case of transfer of data to the US - cooperation with entities participating in the Privacy Shield approved by the decision of the European Commission.

2.      The administrator informs the data subject about the intention to transfer personal data outside the EEA at the stage of their collection.

VIII.     PERIOD OF PROCESSING OF PERSONAL DATA

1.      The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. The period of data processing may also result from regulations, when they constitute the basis for processing. In the case of data processing on the basis of the Administrator's legitimate interest - e.g. for security reasons - the data are processed for a period enabling the implementation of this interest or until an effective objection to data processing is raised. If the processing is based on the consent, the data are processed until it is withdrawn. When the basis for processing is necessary to conclude and perform the contract, the data are processed until its termination.

2.      The data processing period may be extended if the processing is necessary to establish or pursue claims or defend against claims, and after this period - only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized .

IX.        RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

RIGHTS OF DATA SUBJECTS

1.      Data subjects have the following rights:

1.1.  the right to information about the processing of personal data - on this basis, the Administrator provides the natural person submitting the request with information about the processing of personal data , including in particular about the purposes and legal grounds for processing, the scope of data held, entities to which they are disclosed, and the planned date of data deletion ;

1.2.   the right to obtain copies of data - on this basis, the Administrator shall transmit a copy of the data processed personal information concerning the person physically submitting the request;

1.3.   the right to rectify - the Administrator is obliged to remove any possible inconsistencies or errors in the processed personal data and to supplement them if they are incomplete;

1.4.   the right to delete data - on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which it was collected;

1.5.   the right to limit processing - in the event of such a request, the Administrator will stop performing operations on personal data with the exception of operations for which the data subject has consented - and their storage, in accordance with the adopted retention rules or until the reasons for limiting data processing have ceased to exist (e.g. a decision of the supervisory authority is issued allowing for further data processing);

1.6.   the right to transfer data - on this basis - to the extent that the data is processed in an automated manner in connection with the concluded contract or consent - the Administrator issues the data provided by the data subject in a computer-readable format. It is also possible to request that this data be sent to another entity, provided, however, that there are technical possibilities in this regard, both on the part of the Administrator and the indicated entity;

1.7.   the right to object to data processing - the data subject may at any time object - for reasons related to his/her particular situation - to the processing of personal data, which takes place on the basis of the legitimate interest of the Administrator (e.g. for marketing, analytical or statistical purposes or for reasons related to the protection of property); objection in this respect should contain a justification;

1.8.   the right to withdraw consent - if personal data are processed on the basis of expressed consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal;

1.9.   the right to complaint - where it consider that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may submit a complaint to the authority supervising the processing of personal data. In Poland, the supervisory body is the President of the Personal Data Protection Office.

SUBMISSION OF REQUESTS RELATED TO THE IMPLEMENTATION OF RIGHTS

1.      A request regarding the exercise of the rights of Data Subjects may be submitted in writing :

1.1.   To the Administrator's correspondence address : ORLEN Laboratorium S.A., 09-411

Płock, ul. Chemików 7, with the note "Data Protection Officer";

1.2.   to the e-mail address : daneosobowe@orlenlaboratorium.pl

2.      If the Administrator is not able to identify a natural person on the basis of the submitted request, the Administrator will ask the applicant for additional information. Providing such data is not obligatory, however, failure to provide them will result in a refusal to fulfill the request.

3.      The request may be submitted in person or through a proxy (e.g. a family member). Due to the security of personal data the administrator encourages use that power of attorney in the form certified by a notary public or an authorized solicitor or lawyer, which significantly accelerate the verification of the authenticity of the request.

4.      A response to the application will be given within 30 days of its receipt. If necessary, the extension of the term the administrator after inform the applicant of the reasons for this action and the period in which the request is processed .

5.      The Administrator replies to the request in the same form in which it was addressed to the Administrator, , unless , the applicant requested to respond in a different form. In the event that the deadline for fulfilling the request prevents the Administrator from responding in writing, and the scope of the applicant's personal data processed by the Administrator enables contact by electronic means, the Administrator shall provide the answer by electronic means.

6.      The administrator stores information about the request and the person who made the request, in order to ensure compliance and to establish, defend or pursue any claims of data subjects.