PREAMBLE

GREENFILL3D Sp. z o. o. in the scope of its activities, makes every effort to meet the highest standards ensuring the provision of services in a correct manner, in accordance with applicable regulations and standards of generally applicable law.

Given the above, in relation to the requirements introduced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws EU L.2016.119.1 of 2016/05/04) in order to ensure by GREENFILL3D Sp. z o. o., for proper handling of personal data in the scope of each operation performed on personal data, these Regulations on the protection of personal data are adopted.

This document was developed after an internal audit of the GDPR, within the scope of which GREENFILL3D Sp. z o. o., has been classified as the Administrator of personal data, processing information constituting personal data within the meaning of the above-mentioned EU Regulation.

This document is managed by GREENFILL3D Sp. z o. o. to all cooperating entities, contractors as well as current and potential clients in order to present the scope of protection and the size of actions taken due to all processes directly or indirectly related to the processing of personal data.

Chapter I
DEFINITIONS

§ 1

Within the meaning of these regulations:

1. The administrator of personal data is GREENFILL3D Sp. z oo, address: Mikołaja Kopernika 36B, Poland, EU, NIP / VAT number: PL 727 285 10 52, REGON number: 389322819, which independently or jointly with others determines the purposes and methods of personal data processing, hereinafter referred to as the “Administrator”.
2. Personal data is information about an identified or identifiable natural person, therefore one who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
3. Acting on the administrator’s own initiative – it is an action based on a decision made by the Administrator, which means there is no legal obligation in this respect and the Administrator is free to make decisions.
4. The data protection officer is a person appointed by the Administrator, responsible for monitoring compliance with the GDPR, other EU or Member States’ data protection regulations and the Administrator’s policies in the field of personal data protection, hereinafter referred to as “DPO”.
5. Entrusting data – is the activity of data processing consisting in the transfer of personal data by the Administrator for processing by a third party that processes data at the request of the Administrator for the purpose and in a manner indicated by the Administrator.
6. Processing is an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, matching or combining, limiting, deleting or destroying, hereinafter referred to as Processing Regulations.
7. The GDPR Regulation is the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws EU L.2016.119.1 of 2016/05/04) , hereinafter also referred to as the GDPR Regulation.
8. Sharing data – is the activity of data processing consisting in making personal data available by the Administrator to a third party, without specifying the purpose of processing, without specifying the method of processing.
9. The act is the act of 10 May 2018. on the protection of personal data (Journal of Laws 2018.1000 of 2018/05/24) as amended d.
10. A dataset is an ordered set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.

Chapter II
GENERAL PROVISIONS

§ 1

1. These Personal Data Protection Regulations constitute a set of rules and procedures applicable to the Processing of Personal Data and handling of Personal Data within the Administrator’s enterprise, both in electronic and paper version, regardless of the technique or method of recording or storing.
2. The regulations contained in these Personal Data Protection Regulations define the directions of the Administrator’s activities and support for ensuring the security of Personal Data, in particular:
   
   a.) define the rules for the management, protection and Processing of Personal Data;
   b.) define standards ensuring the correct and safe functioning of all Personal Data Processing systems and information flow in the scope of the Administrator’s enterprise
3. The basis for the development of these Regulations for the Protection of Personal Data and its implementation are the legal acts in force on the date of its adoption, in particular
   
   a.) The Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws 2018.1000 of 2018/05/24);
   b.) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE.L.2016.119.1 of 2016/05/04).
4. The entire documentation comprising the Personal Data Protection System in the scope of the Controller’s enterprise consists of:
   
   a.) Regulations for the Protection of Personal Data.
   b.) Personal Data Security Policy with attachments.
   c.) Instructions for the Management of the IT System used to process Personal Data, including attachments.
5. If there is a need for additional detailed regulation of the security of Personal Data within the Administrator’s enterprise, it is possible to introduce additional documentation regulating the necessary scopes in detail.

Chapter III
PERSONAL DATA ADMINISTRATOR

§ 1

1. Taking into account the nature, scope, context and purposes of the Processing and the risk of violating the rights or freedoms of natural persons with different probability and severity of risk, the Administrator, in accordance with the provisions of paragraph 3 of this paragraph, ensures the implementation and application of appropriate technical and organizational measures so that the Data Processing takes place in accordance with applicable regulations.
2. The technical and organizational measures referred to in paragraph 1 above include ensuring the Administrator implements the appropriate documentation required by applicable regulations, including, in particular, the personal data security policy, and making every effort to ensure the conclusion and application of individual contracts with external entities to whom The administrator entrusted the data, at least partially, as well as recording activities consisting in the provision of data.
3. When implementing and applying appropriate technical and organizational measures, the Administrator takes into account the state of technical knowledge, the cost of implementing these measures and their nature, scope, context and purposes of the Processing as well as the risk of violating the rights or freedoms of natural persons with a different probability and severity of the risk resulting from the Processing.
4. In the scope of the solutions used, the Administrator will make every effort to provide measures allowing for effective protection of Personal Data and the necessary security of Personal Data Processing.
5. The controller, in the event that there is a joint arrangement with another data controller of a common purpose and method of Data Processing, makes the necessary arrangements and clearly defines the scope of his responsibility and relations between him and the other controller as well as relations with data subjects by taking the necessary actions and measures in this regard.

Chapter IV
ENTITY PROCESSING PERSONAL DATA

§ 1

1. The Administrator may entrust data – for Processing at the request of the Administrator. The Administrator verifies the Personal Data Processor in order to ensure that the entity provides sufficient guarantees for the implementation of such technical and organizational measures so that the Processing commissioned by the Administrator meets the requirements of the applicable law and protects the rights of the data subjects.
2. The Administrator entrusts the data to the Processing Entity on the basis of an agreement or other legal instrument that is binding on both the Processor and the Administrator. With regard to the regulation of data entrustment, the Administrator ensures that in the scope of the concluded contract or other legal instrument, the following are specified in particular:
   
   a.) the subject and duration of the Processing,
   b.) the nature and purpose of the Processing,
   c.) type of Personal Data that will be Processed
   d.) categories of persons to whom the Personal Data relates,
   e.) the obligations and rights of the Administrator,

Chapter V
REGISTER OF PERSONAL DATA PROCESSING

§ 1

1. The administrator, on his own initiative and whenever he is obliged to do so in accordance with applicable law, ensures that a register of personal data processing activities is kept, which may be in written or electronic form.The administrator may also use dedicated software to keep the register.
2. In the scope of the personal data processing register, the Administrator provides the following information:
   
   a.) name and surname or name and contact details of the Administrator and any joint administrators, and the DPO when appointed;
   b.) the purposes of the Processing;
   c.) a description of the categories of data subjects and the categories of Personal Data;
   d.) categories of recipients to whom the Personal Data has been or will be disclosed, including recipients in third countries or in international organizations;
   e.) where applicable, transfers of Personal Data to a third country or international company, including the name of that third country or international company;
   f.) if possible, the planned dates of deletion of individual data categories;
   g.) where possible, a general description of the technical and organizational security measures.
3. The Administrator ensures the obligation of the Processor to keep a register of all categories of Processing activities performed on behalf of the Administrator.

Chapter VI
AUTHORIZATION TO PROCESS PERSONAL DATA

§ 1

1. The Administrator ensures, within his company, that the Processing is performed only by persons authorized to Process, issued by the Administrator in accordance with the internal regulations applicable to the Administrator’s company, which indicate detailed procedures regarding access to Personal Data.
2. The Administrator ensures that the persons Processing Personal Data have the necessary knowledge and skills in this regard, and that the period and scope of the Processing of Personal Data by these persons is consistent with the content of the authorization granted by the Administrator.
3. The Administrator, in accordance with the internal regulations applicable to the Administrator’s enterprise, regulating the detailed proceedings in the field of access to Personal Data, issues, records and stores personal authorizations to Process Personal Data and withdrawn authorizations.

§ 2

1. The administrator ensures that persons Processing Personal Data are aware of the obligation to maintain the confidentiality of the data to which they have access and that this fact is confirmed by a written statement of such persons.
2. The Administrator ensures that the person authorized to Processing performs all activities on Personal Data while maintaining organizational and technical measures within the Administrator’s enterprise dedicated to securing and protecting Personal Data against unauthorized access, modification and destruction.

Chapter VII
DATA PROTECTION INSPECTOR

§ 1

1. With regard to the Controller’s enterprise, there are no prerequisites for appointing a DPO, because:
   
   a.) the main activity of the Administrator does not consist in Processing operations which, due to their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
   b.) the main activity of the Administrator does not consist in the Large-scale Processing of specific categories of Personal Data and Personal Data related to criminal convictions and violations of law.

2. Due to the content of paragraph 1 above, in the absence of an obligation to appoint a DPO, the Administrator provides the possibility of contacting an internal specialist or directly the Administrator in all matters regarding the protection of Personal Data by providing contact details by providing an e-mail address or telephone number.
3. In view of the content of paragraph 1 above, in the absence of an obligation to appoint a DPO, the Administrator provides cooperation with a professional entity having the necessary knowledge and tools to provide advice on the protection of Personal Data in the scope of the Administrator’s enterprise.

§ 2

1. The administrator may, on his own initiative, provide for the appointment of the DPO, then the Administrator provides the publication of the contact details of the DPO and notifies the supervisory authority competent for the protection of personal data of his appointment, in accordance with the provisions of law in force on the date of appointment of the DPO.
2. If the Administrator has appointed a DPO in accordance with paragraph 1 of this paragraph, he ensures that he performs his tasks with due regard to the risks associated with Processing operations, taking into account the nature, scope, context and purposes of the Processing.

Chapter VIII
BASIS FOR THE PROCESSING OF PERSONAL DATA

§ 1

1. The Administrator ensures that, within his company, all operations on Personal Data are carried out in accordance with the following guidelines:
   
   a.) Personal data are processed in accordance with the law, fairly and transparently for the data subject;
   b.) Personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes;
   c.) Personal data is adequate, relevant and limited to what is necessary for the purposes for which they are Processed;
   d.) Personal data is correct and, if necessary, updated, and the Administrator takes all reasonable steps to ensure that Personal Data that is incorrect in the light of the purposes of their Processing are immediately removed or corrected;
   e.) Personal data are stored in a form that permits the identification of the person they relate to for no longer than is necessary for the purposes for which the data are processed, and they can be stored for a longer period, as long as they will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that appropriate technical and organizational measures are implemented required to protect the rights and freedoms of data subjects;
   f.) Personal Data are Processed in a manner ensuring adequate security of Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, by appropriate technical or organizational measures.

§ 2

1. The Administrator ensures that, within his company, the Processing of Personal Data takes place for specific purposes and in a specific scope, if:
   
   a.) the data subject has consented to the Processing of his Personal Data for one or more specific purposes;
   b.) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
   c.) Processing is necessary to fulfill the legal obligation incumbent on the Administrator;
   d.) Processing is necessary to protect the vital interests of the data subject or another natural person;
   e.) Processing is necessary to perform a task carried out in the public interest or in the exercise of public authority entrusted to the Administrator;
   f.) Processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of Personal Data, in particular, when the data subject is a child.

2. The administrator will ensure that, if he is not authorized to do so by an express legal provision within his company, there is no Processing of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the Processing of genetic data, biometric data for the purpose of unambiguous identifying an individual or data relating to that person’s health, sexuality or sexual orientation.
3. The Administrator ensures that the Personal Data processed by him are obtained in a manner consistent with generally applicable provisions of law, either directly from the data subject or in a manner other than from the data subject.

Chapter IX
RIGHTS OF PERSONS WHOSE PERSONAL DATA SUBJECT TO PROCESSING

§ 1

1. The administrator ensures that the acquisition of Personal Data is carried out in a consistent manner
   with generally applicable provisions of law, including in particular providing the data subject with all information required by the GDPR.
2. The administrator ensures that the person whose data is subject to Processing has the right to control Personal Data in accordance with the GDPR.
3. The person whose Personal Data is Processed at each stage of the Processing of their Personal Data is provided with a number of rights allowing them to gain access to Personal Data, verify the correctness of Personal Data Processing, correct them, as well as object to their Processing, request to limit the Processing, and transfer the Data personal.

Chapter X
TECHNICAL AND ORGANIZATIONAL MEASURES FOR PROTECTION OF PERSONAL DATA

§ 1

1. The administrator ensures that appropriate technical and organizational data protection measures are taken, in particular that the documents, both in electronic and paper version, containing Personal Data, are stored in properly secured buildings and rooms.
2. If, as part of the performance of the obligation specified in paragraph 1 of this paragraph above, the Administrator decides to place documentation containing Personal Data in locked buildings and rooms, the Administrator ensures that in particular:
   
   a.) in the scope of access to buildings and rooms where Personal Data is processed, control and verification measures have been taken,
   b.) the keys to the places where Personal Data are Processed were issued directly by the Administrator or another responsible person only to persons authorized to access these buildings and rooms
   c.) internal regulations in force in the Administrator’s enterprise – if the Administrator is the owner of the building, they obligated the person who was the holder of the keys to hand over the keys to the places where Personal Data is processed only to persons authorized to access these buildings and rooms,
   d.) internal regulations in force in the Administrator’s enterprise – if the Administrator is the owner of the building, they obligated the person responsible for issuing the keys to hand over the keys to the places where Personal Data is processed only to persons authorized to access these buildings and rooms,
   e.) the regulations applicable to the rented / leased / used buildings and premises – if the Administrator rents / leases / uses buildings or premises – obligated the person responsible for issuing the keys to hand over the keys to the places where Personal Data is processed only to authorized persons to access these buildings and rooms,
   f.) appropriate procedures have been introduced obliging the person who lost the keys to the place where Personal Data is Processed to immediately report this circumstance to the Administrator or a person designated by the Administrator.
3. The Administrator ensures that the detailed rules of access control to individual places where Personal Data are Processed are specified in internal procedures in force within the Administrator’s company.

§ 2

1. The Administrator ensures that the Administrator’s company has appropriate internal procedures in place that indicate the correct behavior when working with documentation containing Personal Data, in particular that:
   
   a.) when using multifunction devices to copy or scan documents containing Personal Data, documents containing Personal Data, if copied or scanned, as well as their copies were removed from the multifunction device immediately after their use,
   b.) in the event of sending documents containing Personal Data by means of electronic communication, special care is taken, in particular that the sent document is encrypted, if necessary,
   c.) the person authorized to Process Personal Data, after completing the Processing activities on documents containing Personal Data, secures documents and electronic media in specially designated places.
   d.) a person authorized to Process Personal Data, after completing the Processing operations, destroys useless paper documents containing Personal Data in a safe manner, in particular using a shredder.
2. The Administrator ensures that the Administrator’s company has appropriate internal procedures for the permanent destruction of documentation containing Personal Data, in particular, the Administrator may permanently destroy documents containing Personal Data through a professional entrepreneur dealing with the destruction of documents (after concluding an appropriate contract in accordance with the provisions of Chapter IV of this Of the Regulations).

§ 3

1. The Administrator ensures that every person authorized to Process data within the Administrator’s enterprise is aware of the applicable provisions on the protection of Personal Data.
2. The administrator, if necessary and indicated, trains persons authorized to Process Personal Data in the safe use of devices and programs related to the Processing and protection of Personal Data and securing the places where documents containing Personal Data are stored.
3. Detailed physical, technical and organizational measures for the protection of Personal Data have been included in the internal documents in force in the Administrator’s enterprise, in particular in the Personal Data Protection Security Policy and the IT System Management Instruction.

Chapter XI
PROCEDURE TO BE PROCEDURE IN CASE OF A BREACH OF PERSONAL DATA SECURITY

§ 1

1. The Administrator provides, as part of the Administrator’s enterprise, the development and implementation of a procedure to be followed in the event of a breach of the security of Personal Data, which regulates in particular:
   
   a.) reducing the occurrence of similar incidents in the future;
   b.) minimizing the consequences of the event;
   c.) explanation of the circumstances of the event;
   d.) securing evidence of the event.
2. The administrator ensures that the procedure for dealing with a breach of the security of Personal Data exhaustively and in accordance with applicable regulations regulates the correct operation at every stage, i.e. prevent, monitor, control and explain any threats to the breach of Personal Data.

§ 2

1. As part of his enterprise, the administrator treats as an event that is a breach of the protection of Personal Data every event, dependent and independent of human will, causing a threat to the security of Personal Data, in particular:
   
   a.) an event leading to the loss of integrity (completeness, credibility) of Personal Data;
   b.) an event that threatens the confidentiality of Personal Data;
   c.) an event that threatens the accountability of Personal Data.
2. The administrator ensures that all necessary steps and actions are taken in the field of Personal Data protection, if it has taken place:
   
   a.) breach of the internal policies, procedures or instructions regarding the protection of Personal Data in force in the scope of the Administrator’s enterprise,
   b.) breaches of the applicable provisions of law regarding the protection of Personal Data,
   c.) violations of the physical security applied by the Administrator.
3. Detailed rules of conduct in the event of a breach of Personal Data protection are regulated by the Administrator in internal documents, procedures and policies.

Chapter XII
RULES FOR SHARING PERSONAL DATA

§ 1

1. The Administrator provides Personal Data Processed as part of his enterprise only to persons or entities authorized to receive them, taking into account the legal provisions in force on the date of the Provision.
2. The Administrator ensures that the activity of Providing Personal Data does not violate the rights of persons to whom the Personal Data relates.

Chapter XIII
FINAL PROVISIONS

§1

1. These Personal Data Protection Regulations enter into force on 01/01/2022.