Privacy Policy of Arctic Paper Kostrzyn SA title

Information on the processing of personal data.

1. Who is who in this privacy policy?

We, i.e. the controller of your personal data, as described in section 3.

You, i.e. the natural person whose personal data we process.

2. What is GDPR?

GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3. Who is the controller of your personal data and what are their contact details?

The controller of your personal data is us, namely:

Arctic Paper Kostrzyn SA

ul. Fabryczna 1, 66-470 Kostrzyn nad Odrą, Poland

KRS number: 0000082646

We have also appointed a Data Protection Officer, whom you can contact by email: [email protected]

4. For what purpose and on what basis do we process your personal data? How long do we keep them?

Choose your role from the list below:

Purpose of processing	Description of the legal basis	GDPR provision
Personnel recruitment – current recruitment processes	Fulfilment of legal obligations imposed on us by legislation (in particular Article 22¹of the Labour Code) – as far as the personal data provided for by the legislation is concerned	Article 6(1)(c)
	Consent – for personal data not provided for by legislation	Article 6(1)(a)
Personnel recruitment – future recruitment processes	Consent	Article 6(1)(a)

If we provide you with our services or products and you are therefore our customer or a representative of our customer, we process your personal data as follows:

Purpose of processing	Description of the legal basis	GDPR provision
Processing of customer data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract	Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract	Article 6(1)(b)
Processing of customer's representative data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract	Legitimate interest in being able to conclude and perform a contract between us and the customer	Article 6(1)(f)
Fulfilment of legal obligations related to the customer contract	Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations	Article 6(1)(c)
Redressing or defending against possible claims	Legitimate interest to establish, assert or defend against claims, including debt collection	Article 6(1)(f)
Processing of customer data – to handle complaints	Necessity for the performance of a contract to which the data subject is party (as regards complaints)	Article 6(1)(b)
Processing of customer representative data – to handle complaints	Legitimate interest in being able to perform the contract between us and the customer (as regards complaints)	Article 6(1)(f)

Processing of customer data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract

Purpose of processing: Processing of customer data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract
Description of the legal basis: Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract
GDPR provision: Article 6(1)(b)

Processing of customer's representative data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract

Purpose of processing: Processing of customer's representative data – for the purpose of fulfilling a contract with a customer or taking action prior to concluding a contract
Description of the legal basis: Legitimate interest in being able to conclude and perform a contract between us and the customer
GDPR provision: Article 6(1)(f)

Fulfilment of legal obligations related to the customer contract

Purpose of processing: Fulfilment of legal obligations related to the customer contract
Description of the legal basis: Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations
GDPR provision: Article 6(1)(c)

Redressing or defending against possible claims

Purpose of processing: Redressing or defending against possible claims
Description of the legal basis: Legitimate interest to establish, assert or defend against claims, including debt collection
GDPR provision: Article 6(1)(f)

Processing of customer data – to handle complaints

Purpose of processing: Processing of customer data – to handle complaints
Description of the legal basis: Necessity for the performance of a contract to which the data subject is party (as regards complaints)
GDPR provision: Article 6(1)(b)

Processing of customer representative data – to handle complaints

Purpose of processing: Processing of customer representative data – to handle complaints
Description of the legal basis: Legitimate interest in being able to perform the contract between us and the customer (as regards complaints)
GDPR provision: Article 6(1)(f)

Your data will be retained until the expiration of the statute of limitations for civil law claims and tax liabilities, and until the mandatory retention periods for accounting records have elapsed, as stipulated by civil, tax and accounting legislation.

If you provide us with services or goods and are therefore our contractor or a representative of our contractor, we process your data as follows:

Purpose of processing	Description of the legal basis	GDPR provision
Contractor data processing – for the purpose of fulfilling a contract with a contractor or taking action prior to entering into a contract with a contractor	Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract	Article 6(1)(b)
Processing of data of the contractor's representative – for the purpose of fulfilling the contract with the contractor or taking steps prior to its conclusion	Legitimate interest in being able to conclude and perform a contract between us and a contractor	Article 6(1)(f)
Processing of data resulting from a medical certificate issued to a representative of a contractor who performs skilled work for us	The processing is necessary for the fulfilment of obligations and the exercise of specific rights in the field of labour law, social security, and social protection	Article 9(2)(b)
Performance of legal obligations related to the contract with the contractor	Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations	Article 6(1)(c)
Redressing or defending against possible claims	Legitimate interest to establish, assert or defend against claims	Article 6(1)(f)
Creation of analyses of cooperation with the contractor	Legitimate interest in producing analyses of cooperation with the contractor, including quality control	Article 6(1)(f)

Contractor data processing – for the purpose of fulfilling a contract with a contractor or taking action prior to entering into a contract with a contractor

Purpose of processing: Contractor data processing – for the purpose of fulfilling a contract with a contractor or taking action prior to entering into a contract with a contractor
Description of the legal basis: Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract
GDPR provision: Article 6(1)(b)

Processing of data of the contractor's representative – for the purpose of fulfilling the contract with the contractor or taking steps prior to its conclusion

Purpose of processing: Processing of data of the contractor's representative – for the purpose of fulfilling the contract with the contractor or taking steps prior to its conclusion
Description of the legal basis: Legitimate interest in being able to conclude and perform a contract between us and a contractor
GDPR provision: Article 6(1)(f)

Processing of data resulting from a medical certificate issued to a representative of a contractor who performs skilled work for us

Purpose of processing: Processing of data resulting from a medical certificate issued to a representative of a contractor who performs skilled work for us
Description of the legal basis: The processing is necessary for the fulfilment of obligations and the exercise of specific rights in the field of labour law, social security, and social protection
GDPR provision: Article 9(2)(b)

Performance of legal obligations related to the contract with the contractor

Purpose of processing: Performance of legal obligations related to the contract with the contractor
Description of the legal basis: Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations
GDPR provision: Article 6(1)(c)

Redressing or defending against possible claims

Purpose of processing: Redressing or defending against possible claims
Description of the legal basis: Legitimate interest to establish, assert or defend against claims
GDPR provision: Article 6(1)(f)

Creation of analyses of cooperation with the contractor

Purpose of processing: Creation of analyses of cooperation with the contractor
Description of the legal basis: Legitimate interest in producing analyses of cooperation with the contractor, including quality control
GDPR provision: Article 6(1)(f)

Your data will be retained until the expiration of statute of limitations for civil law claims and tax liabilities, and until the mandatory retention periods for accounting records have elapsed as stipulated by civil, tax and accounting legislation.

Purpose of processing	Description of the legal basis	GDPR provision
Identity card management	Ensuring security and order as well as protection of persons and property	Article 6(1)(f)

Purpose of processing	Description of the legal basis	GDPR provision
Access control to the premises of the Arctic Paper Kostrzyn S.A. plant.	Ensuring security and order as well as protection of persons and property	Article 6(1)(f)

Purpose of processing	Description of the legal basis	GDPR provision
Video surveillance	Ensuring security and order as well as protection of persons and property	Article 6(1)(f)

If you are a supplier or a supplier's representative (driver), we process your personal data as follows:

Purpose of processing	Description of the legal basis	GDPR provision
Handling of deliveries dispatched from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)	Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract	Article 6(1)(b)
Processing of supplier representatives' data – to handle deliveries sent from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)	Legitimate interest in being able to conclude and perform a contract between us and the supplier	Article 6(1)(f)
Processing of data related to suppliers or their representatives in order to handle deliveries sent to or received on our premises (in cases where a contract has not been concluded with Arctic Paper Kostrzyn S.A.).	Legitimate interest in being able to conclude and perform	Article 6(1)(f)

Handling of deliveries dispatched from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)

Purpose of processing: Handling of deliveries dispatched from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)
Description of the legal basis: Necessity for the performance of a contract to which the data subject is party or for taking steps prior to entering into a contract
GDPR provision: Article 6(1)(b)

Processing of supplier representatives' data – to handle deliveries sent from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)

Purpose of processing: Processing of supplier representatives' data – to handle deliveries sent from our premises and received at our premises (in the case of an agreement with Arctic Paper Kostrzyn S.A.)
Description of the legal basis: Legitimate interest in being able to conclude and perform a contract between us and the supplier
GDPR provision: Article 6(1)(f)

Processing of data related to suppliers or their representatives in order to handle deliveries sent to or received on our premises (in cases where a contract has not been concluded with Arctic Paper Kostrzyn S.A.).

Purpose of processing: Processing of data related to suppliers or their representatives in order to handle deliveries sent to or received on our premises (in cases where a contract has not been concluded with Arctic Paper Kostrzyn S.A.).
Description of the legal basis: Legitimate interest in being able to conclude and perform
GDPR provision: Article 6(1)(f)

Your data will be retained until the expiration of the statute of limitations for civil law claims and tax liabilities, and until the mandatory retention periods for accounting records have elapsed as stipulated by civil, tax and accounting legislation.

Purpose of processing	Purpose of processing	GDPR provision
Correspondence management and documentation	Legitimate interest to ensure continuity of business actions consisting of correspondence in connection with business activities	Article 6(1)(f)

Purpose of processing	Purpose of processing	GDPR provision
Organisation of events and workshops	Consent	Article 6(1)(a)
Documentation and dissemination of information about events and workshops organised	Consent for image processing	Article 6(1)(a)
Websites (website, LinkedIn portal) and the printed newsletter "Kormoran"	Consent for image processing	Article 6(1)(a)
Websites (website, LinkedIn portal) and the printed newsletter "Kormoran"	Legitimate interest in being informed about the activities carried out by Arctic Paper Kostrzyn S.A.	Article 6(1)(f)

If you provide us with services or goods and are therefore our contractor or representative of our contractor and the performance of the contract relates to an EU project or grant, we process your data as follows:

Purpose of processing	Description of the legal basis	GDPR provision
Contractor data processing – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion	Necessity for the performance of a contract (relating to an EU project or grant) to which the data subject is a party, or to take steps prior to entering into a contract	Article 6(1)(b)
Processing of the contractor's representative data – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion	Legitimate interest in being able to conclude and perform a contract (relating to an EU project or grant) between us and the contractor	Article 6(1)(f)
Performance of legal obligations relating to a contract (concerning an EU project or grant) with a contractor	Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations	Article 6(1)(c)
Redressing or defending against possible claims	Legitimate interest to establish, assert or defend against claims	Article 6(1)(f)
Oversight, evaluation, control, audit, evaluation of information and promotion activities, reception, evaluation, and financial settlement of the contract	Legitimate interest in supervising, evaluating, inspecting, auditing, assessing information and promotion activities, acceptance, evaluation, and financial settlement of the contract	Article 6(1)(f)

Contractor data processing – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion

Purpose of processing: Contractor data processing – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion
Description of the legal basis: Necessity for the performance of a contract (relating to an EU project or grant) to which the data subject is a party, or to take steps prior to entering into a contract
GDPR provision: Article 6(1)(b)

Processing of the contractor's representative data – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion

Purpose of processing: Processing of the contractor's representative data – for the purpose of fulfilling a contract (concerning an EU project or grant) with the contractor or taking action prior to its conclusion
Description of the legal basis: Legitimate interest in being able to conclude and perform a contract (relating to an EU project or grant) between us and the contractor
GDPR provision: Article 6(1)(f)

Performance of legal obligations relating to a contract (concerning an EU project or grant) with a contractor

Purpose of processing: Performance of legal obligations relating to a contract (concerning an EU project or grant) with a contractor
Description of the legal basis: Fulfilment of legal obligations imposed on us by law, in particular tax and accounting obligations
GDPR provision: Article 6(1)(c)

Redressing or defending against possible claims

Purpose of processing: Redressing or defending against possible claims
Description of the legal basis: Legitimate interest to establish, assert or defend against claims
GDPR provision: Article 6(1)(f)

Oversight, evaluation, control, audit, evaluation of information and promotion activities, reception, evaluation, and financial settlement of the contract

Purpose of processing: Oversight, evaluation, control, audit, evaluation of information and promotion activities, reception, evaluation, and financial settlement of the contract
Description of the legal basis: Legitimate interest in supervising, evaluating, inspecting, auditing, assessing information and promotion activities, acceptance, evaluation, and financial settlement of the contract
GDPR provision: Article 6(1)(f)

Your data will be retained for the term of the contract execution, oversight of project execution, its evaluation, control, audit, evaluation of information and promotion activities, its receipt, evaluation and financial settlement and possible establishment, investigation or defence of claims, and thereafter your personal data will be retained for a period of ten years.

5. Where do we get your personal data from?

In most cases, we obtain your personal data directly from you.

However, if you are a representative of our contractor who supplies us with goods or services, we obtain personal data such as:

identifying information (e.g. name, surname),
contact details (e.g. e-mail address, telephone number, fax number),
data relating to your profession or business, your participation in a partnership, your employment with a contractor or your cooperation with a contractor (e.g. company name, position),
data relating to your ability to perform work, including work with special legal conditions, such as information on the validity and category of OHS training, information on the validity of the occupational physician's certificate, information and qualification categories for work with special legal conditions, if the scope of the contract between us and the contractor so requires.

If you are our client, our client's representative, our contractor, or our contractor's representative, we also verify (obtain) the data contained in public registers, i.e. the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS).

6. To whom do we transfer your personal data, i.e. who will be the recipient of your data?

Recipients of your personal data may be:

providers of services to us, in particular IT, hosting, security, accounting, bookkeeping, document destruction, repair of business equipment, agency, postal, transport, courier, audit, legal, consultancy,
public authorities,
receivables insurers (in the cases referred to in "Customers" section above),
Internet service providers (in the cases referred to in "Participants in events and workshops" section above),
grant awarding bodies (in the cases referred to in "Contractors under an EU project or grant" section above).

7. Will your personal data be transferred to a third country (i.e. a country outside the European Economic Area) or an international organisation?

We aim to process your data within the European Union/European Economic Area. For certain services provided by our subcontractors, your personal data may be transferred to a third country.

When transferring your personal data to a third country, we will ensure that appropriate security measures are applied. Such security measures may include the European Commission's standard contractual clauses (SCCs), binding corporate rules or a decision stating the appropriate level of protection for a particular country. We will also assess whether additional organisational or technical security measures should be applied to ensure an adequate level of protection for personal data transferred to a third country.

Accordingly, your personal data may be transferred to the UK, where one company in our group is based (i.e.: Arctic Paper UK Limited). The European Commission has concluded that there is an adequate level of protection for personal data in the UK. This is based on Implementing Regulation (EU) 2021/1772 of 28 June 2021, issued under the GDPR, stating the adequacy of the UK's level of protection for personal data (notified as document No. C(2021) 4800).

8. What rights do you have as we process your personal data?

You have the right to object at any time to the processing of your data based on legitimate interests, on grounds relating to your particular situation.

In addition, you are entitled to the following rights:

You have the right to request access to your personal data, and to receive a copy of the data that we process free of charge,
the right to request the rectification of your personal data, if it is incorrect or incomplete,
the right to delete your personal data. We are obliged to delete your personal data if we have no legitimate interest in storing it,
the right to request the restriction of the processing of your personal data under certain circumstances, e.g. if you have requested rectification of your data and we need to control this,
the right to data portability, which means that you have the right to transfer your personal data to another controller upon request.

If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before the withdrawal.

You also have the right to lodge a complaint with the President of the Personal Data Protection Office.

9. Is the provision of personal data voluntary?

The provision of personal data is necessary:

for the performance of concluded contracts or to undertake pre-contractual activities, or
to ensure security and order and the protection of persons and property, or
to provide information on our activities, or
for the correspondence in connection with our business activities, or
for the fulfilment of our legal obligations.

If data is not provided, the above actions cannot be carried out.

10. What about automatic decision-making?

We will not make decisions about you that are based solely on automated processing, including profiling, and that produce legal effects or otherwise materially affect you in a similar way.

11. Changes to this Privacy Policy

This Privacy Policy will be reviewed and updated once a year, if necessary. If we make any material updates to our processing of your personal data, we will notify you of such changes and obtain your consent where necessary. Non-material changes will be reflected in this Privacy Policy, and we encourage you to review it regularly. This Privacy Policy was updated on 2 January 2025.