Confidentiality policy

Personal Data Processing

I, acting on my own behalf, hereby voluntarily and without any duress, give my consent by ticking the box next to the text “I consent to personal data processing under the terms of the Privacy Policy” and clicking the button to submit the completed form, to the following Personal Data Controller:

TRANSMEDIA LLC, Przejazd str. 2A, office 403, 15-430 Bialystok, Poland (hereinafter referred to as the “Data Controller”);

for automated, non-automated, or mixed data processing, including collection, recording, systematisation, accumulation, storage, rectification (updating, modification), retrieval, use, transfer (provision, access), blocking, erasure, and destruction of the following personal data:

1. General categories of personal data:
1.1. First name, last name
1.2. Contact phone number
1.3. Email address
1.4. Address (region, settlement, street, building number, apartment, office)

for the purpose of processing orders submitted via the website.

The validity period of this consent for personal data processing starts from the moment it is provided to the Data Controller and ends either upon achieving the purposes of personal data processing or upon receipt of a withdrawal of consent for that processing.

This consent may be withdrawn by sending a written notification to the Data Controller at the following address: Przejazd str. 2A, office 403, 15-430 Bialystok, Poland, or by submitting a corresponding request via email: sd@elartum.com.
In this case, the Data Controller shall cease processing the personal data, and the personal data shall be destroyed unless other legal grounds for processing are established by the legislation of the Republic of Poland.

Privacy Policy

GENERAL PROVISIONS

1.1. This Privacy Policy (hereinafter referred to as the “Policy” or “Privacy Policy”) has been developed in accordance with the “Personal Data Law” to ensure the protection of individuals’ rights and freedoms in the processing of their personal data, including the right to privacy, personal and family secrecy. This Policy is an integral part of the Public Offer (hereinafter referred to as the “Offer”), which is published and/or available online at https://elartum.pl via the “Offer” link, as well as of other agreements concluded with the User where this is explicitly specified in their terms.

1.2. This Policy applies to the following categories of Data Subjects whose personal data are processed by the Data Controller:
Users of the Data Controller’s Website;
Any individuals (clients, client representatives) who provide their personal data to the Data Controller.

1.3. Key definitions used in this Policy: Personal Data is any information that relates to an identified or identifiable natural person (Data Subject); Personal Data Controller (Data Controller) is TRANSMEDIA LLC, Przejazd str. 2A, office 403, 15-430 Bialystok, Poland; the Website is a collection of files and related resources accessible through the World Wide Web and organised under a particular domain name: https://elartum.pl.

1.4. Main Rights and Obligations of the Data Controller

1.4.1. The Data Controller shall be entitled to:
Independently determine the scope and list of measures necessary and sufficient to ensure compliance with the obligations established by the Personal Data Law and related regulations, unless otherwise provided for by the Personal Data Law or other laws;

Entrust the processing of personal data to another person with the consent of the Data Subject, unless otherwise provided for by the law, based on a contract to be entered into with such person. The Data Processor must adhere to the principles and rules established by the Personal Data Law;

Continue processing personal data without the consent of the Data Subject in cases where such processing is permitted under the Personal Data Law.

1.4.2. The Data Controller shall be obliged to:
Provide the Data Subject with information on the processing of their personal data upon request;

Use personal data solely for the purposes specified in this Policy;
Keep personal data confidential and not disclose or distribute it to third parties without the consent of the Data Subject;

Implement legal, organisational, and technical measures to ensure the confidentiality and security of personal data in line with standards commonly used in business practice for the protection of such information;

Block personal data upon request by the Data Subject, their authorised representative, or a competent authority responsible for protecting data subjects’ rights, during the verification period if instances of inaccurate or unlawful data processing are identified;

Rectify personal data if inaccuracies have been confirmed;
To cease personal data processing or ensure its cessation (if personal data processing is carried out by any Data Processor acting on behalf of the Data Controller), and to destroy the personal data or ensure their destruction (if personal data processing is carried out by any Data Processor acting on behalf of the Data Controller) within a period not exceeding thirty (30) days from the date the purpose of personal data processing has been achieved. The destruction of personal data shall be evidenced by a Certificate of Destruction.

1.5. Main Rights of Data Subjects
A Data Subject shall be entitled to:
Receive information regarding the processing of their personal data, unless otherwise provided for by the laws. The Data Controller provides the Data Subject with information in an accessible format, which must not include personal data of other Data Subjects unless there are legal grounds for disclosing such information. The list of information and the process for providing it are defined by the Personal Data Law.

Request rectification, blocking, or destruction of their personal data if they are incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing, as well as take other actions provided by law to protect their rights;
Complaint against unlawful acts or omissions by the Data Controller in the processing of their personal data before the  Information Technology and Mass Media or in court.

The Data Subject may exercise their rights to access, rectification, blocking, or destruction of their personal data by submitting a request to the Data Controller at the address: Przejazd str. 2A, office 403, 15-430 Bialystok, Poland, or by email at sd@elartum.com.

1.6. Liability for violation of the requirements of the legislation of the Republic of Poland and internal regulations of the Data Controller in the field of processing and protection of personal data shall be determined in accordance with the legislation of the Republic of Poland.

PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. Personal data processing is carried out by the Data Controller in accordance with the legislation of the Republic of Poland and based on the following principles:

Lawfulness and fairness of processing;

Limitation of processing to the achievement of specific, predetermined, and legitimate purposes;

Avoiding personal data processing in ways that are incompatible with the purposes for which it was collected;

Prohibition of combining databases containing personal data that are processed for purposes incompatible with each other;
Processing only personal data that are relevant and necessary for the specified purposes of processing;

Ensuring the relevance and adequacy of personal data for the purposes of their processing;

Avoidance of excessive data processing in relation to the declared purposes;

Ensuring the accuracy, adequacy, and relevance of personal data in relation to the purposes of their processing;

Destruction or anonymisation of personal data when the processing purposes are achieved or when there is no longer a need for such purposes, as well as in cases where the Data Controller cannot eliminate violations in personal data processing, unless otherwise required by the law.

LEGAL GROUNDS FOR PERSONAL DATA PROCESSING

3.1. The legal ground for personal data processing is a set of regulatory legal acts under which, and in accordance with which, the Data Controller processes personal data, including but not limited to:

The Constitution of the Republic of Poland;

The Civil Code of the Republic of Poland;

Other regulatory legal acts governing relations associated with the Data Controller’s activities.

3.2. The legal grounds for personal data processing also include:

The Data Controller’s Articles of Association;

The Data Subject’s consent to personal data processing.

By completing the relevant forms and/or submitting personal data to the Data Controller, the Website User is considered to have given consent to the processing of personal data through the performance of conclusive actions, specifically by ticking a designated box (“web marker”) on the registration form next to the statement: “I hereby consent to the processing of my personal data under the terms of the Privacy Policy,” provided that the User has had the opportunity to review the full text of this Policy whenever personal data are collected.

PURPOSES AND TERMS OF PERSONAL DATA PROCESSING

4.1. The processing of personal data shall be restricted to achieving specific, pre-defined, and legitimate purposes. The processing of personal data for purposes that are incompatible with the original ones is not allowed. Only personal data that are relevant and necessary for the specified purposes may be processed.

4.2. The scope and content of the personal data being processed shall correspond to the declared purposes of processing specified in this section. The personal data processed shall not be excessive in relation to these purposes.

4.3. In accordance with this Policy, the Data Controller may process personal data belonging to the following categories of Data Subjects:

Users of the Data Controller’s Website;

Any individuals (clients, client representatives) who provide their personal data to the Data Controller.

4.3.1. The Data Controller processes the personal data of users and other individuals for the following purposes:

Processing orders submitted via the Website;

Execution, performance, amendment, and termination of contracts with clients.

4.3.1.1. Processing of personal data of Data Subjects is conducted only after securing their prior consent.

4.3.1.2. For the purposes stated above, the Data Controller processes the following categories of personal data:
Last name, first name, and patronymic (if applicable);
Contact telephone number.

4.3.1.3. The Data Controller does not process biometric personal data (information describing an individual’s physiological or biological characteristics that may be used to identify that individual).

4.3.1.4. The Data Controller does not process special categories of personal data.

4.3.1.5. The Data Subject’s consent of the Data Subject to the processing of their personal data by the Data Controller remains valid from the moment it is given until the data processing purposes are achieved.

4.3.1.6. The Data Controller carries out automated, non-automated, and mixed processing of personal data, including the receipt and/or transmission of data via information and telecommunication networks.

4.3.1.7. The list of processing activities conducted by the Data Controller includes: collection, recording, systematisation, accumulation, storage, rectification (updating, modification), retrieval, use, transfer (provision, access), blocking, erasure, and destruction of personal data.

4.3.1.8. The Data Controller has the right to delegate personal data processing to another party, unless otherwise specified by federal law, based on a contract entered into with that party.
Any Data Processor must adhere to the principles and rules for processing personal data established by the Personal Data Law. By accepting this Privacy Policy on the Website, the Data Subject hereby agrees to the transfer and/or processing of their personal data by a third party chosen by the Data Controller in accordance with polish law, provided that such transfer and/or processing is necessary for the Data Controller to fulfil its obligations under a civil law contract with the Data Subject.

4.3.1.9. The Data Controller does not conduct cross-border transfers of personal data.

4.3.1.10. An informational banner displayed on the Website notifies users about the use of cookies and how their data are processed. Users may agree to such processing by continuing to
use the Website, or refuse consent by disabling cookies and user data collection in their browser settings or by leaving the Website.

4.3.1.11. Although most browsers automatically accept cookies, users can adjust their browser settings to choose whether to accept or block cookies (see the “Tools” or “Settings” menu in your browser). Users can delete cookies from their devices at any time. Please note that disabling cookies may result in the loss of some Website functionalities. For more detailed information on managing cookies, please refer to your browser’s help section or visit dedicated websites.

4.3.1.12. The Website uses Yandex. Metrica web analytics service provided by YANDEX LLC (16, L. Tolstoy St., Moscow, 119021, Russia) to monitor and analyse Website usage. For more information about Yandex. Metrica web analytics service, please visit: https://yandex.ru/support/metrica/

PROCEDURE FOR THE COLLECTION AND STORAGE OF PERSONAL DATA

5.1. When collecting personal data, including through the Internet information and telecommunication network, the Data Controller ensures that the recording, systematisation, accumulation, storage, rectification (updating, modification), and retrieval of personal data of citizens of the Republic of Poland are conducted using databases located within the territory of the Republic of Poland.

5.2. Persons who have provided the Data Controller with information about another Data Subject, including through the Website, without securing the consent of the Data Subject whose personal data have been provided, shall be held responsible in accordance with the legislation of the Republic of Poland.

5.3. The Data Controller stores personal data only for as long as necessary to achieve the purposes of personal data processing, unless a longer period is required by local law or a contract to which the Data Subject is a party, beneficiary, or guarantor.

5.4. Processed personal data shall be subject to destruction in the following cases:

upon the expiry of the personal data processing period;

upon achieving the purposes of personal data processing;

when the need to achieve such purposes no longer exists;

upon receipt of a withdrawal of consent for the processing of personal data;

upon the Data Controller’s removal from the Unified State Register of Legal Entities.

PROTECTION OF PERSONAL DATA

6.1. The Data Controller takes all necessary legal, organisational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, disclosure, and other unauthorised actions, including but not limited to the following:

identifying security threats to personal data during its processing;

adopting internal regulations and other documents governing relations in the field of personal data processing and protection;

appointing persons responsible for ensuring the security of personal data within the Data Controller’s structural divisions and information systems;

storing personal data under conditions that ensure its safety and prevent unauthorised access.

UPDATING, RECTIFICATION, ERASURE, AND DESTROYING PERSONAL DATA; RESPONSES TO DATA SUBJECTS’ REQUESTS FOR ACCESS

7.1. The Data Controller shall provide the Data Subject or their representative with confirmation of personal data processing, including the legal grounds and purposes, upon request or inquiry. The information provided shall not include personal data relating to other Data Subjects unless there are legal grounds for such disclosure. A request shall contain:

the number of the primary identification document of the Data Subject or their representative, as well as information about its issue date and issuing authority;

information confirming the Data Subject’s participation in relations with the Data Controller (contract number, date of conclusion, identifying reference, and/or other details), or other information confirming the fact of personal data processing by the Data Controller;

the signature of the Data Subject or their representative.
The request may be submitted electronically and signed with an electronic signature in accordance with the legislation of the Republic of Poland. If the inquiry (request) of the Data Subject does not include all the necessary information in accordance with the Personal Data Law or if the Data Subject does not have the right of access to the requested information, a reasoned refusal shall be sent to them. The Data Subject’s right to access their personal data may be restricted, including in cases where such access would infringe the rights and legitimate interests of third parties.

7.2. If inaccurate personal data are identified upon the enquiry by the Data Subject or their representative, upon their request, the Data Controller shall block the personal data relating to the respective Data Subject from the moment of such request or enquiry for the duration of the verification, provided that such blocking does not infringe the rights and legitimate interests of the Data Subject or third parties. If the inaccuracy of personal data is confirmed, the Data Controller shall update the data based on the information provided by the Data Subject, their representative or other relevant documents, within seven business days of receiving such information, and shall cease the data blocking.

7.3. If unlawful processing of personal data is identified upon the request (inquiry) of the Data Subject, their representative, the Data Controller shall block the unlawfully processed personal data relating to the respective Data Subject from the moment of such request or inquiry.

7.4. Upon achieving the purposes of personal data processing, or upon withdrawal of consent by the Data Subject, personal data shall be destroyed unless:

otherwise provided for by a contract to which the Data Subject is a party;

the Data Controller is entitled to process personal data without the Data Subject’s consent on the grounds established by the Personal Data Law or other laws;

otherwise stipulated by another agreement between the Data Controller and the Data Subject.

FINAL PROVISIONS

The Data Controller is permitted to send advertising and informational messages to the Data Subject via email, SMS, or instant messaging platforms only with the prior consent of the Data Subject to receive such messages. Consent to receive advertising messages from the Data Controller via email, SMS, or instant messaging platforms shall be given either in written form or electronically by ticking the appropriate box on the Website.

The Data Subject has the right to opt out of receiving advertising messages at any time by clicking the unsubscribe link in the Data Controller’s emails or by sending a notice of refusal to receive advertising messages to the Data Controller’s support team at the registered address: Przejazd str. 2A, office 403, 15-430 Bialystok, Poland, or by contacting the Data Controller via email: sd@elartum.com.

The Data Controller shall notify Data Subjects who have previously given their consent to this Policy of any amendments, selecting the notification method in a manner that ensures the Data Subject’s consent to personal data processing remains specific, informed, and unambiguous.

The place where consent is given and where this Policy is implemented shall always be the Data Controller’s registered address. The law governing the relationship between the Data Controller and the Data Subject shall always be the law of the Republic of Poland, regardless of the Data Subject’s location or the equipment they use. All disputes and disagreements shall be resolved at the Data Controller’s registered address, unless otherwise required by law.

The Data Controller shall be entitled to amend this Policy. The current version shall indicate the date of the latest update. The new version of the Policy shall come into force upon its publication on the Data Controller’s website. Previous versions shall remain available in the archive at the address specified in this Policy.

This Policy is made available at the Data Controller’s registered address and is published in open access on the Data Controller’s Website.

The Data Controller: