1. Personal data can be accessed only by authorized employees and subcontractors of the trading and service company ARIES, run by Mariusz Barański (hereinafter called the “PARK”). All employees will exercise due diligence in personal data protection and have been appropriately trained by external experts.
2. Mr Mariusz Barański is the Administrator of and gives authorization for accessing personal data.
3. Personal data will be processed according to the law, especially with regard to the Regulation of the European Parliament and Council 2016/679 of 27 April 2016 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data and repeal of directive 95/46/EC (the General Data Protection Directive) (hereinafter called “GDPR”).
4. Personal data is processed in accordance with retention periods defined by the PARK on the basis of legal obligations as in Art. 5 section 1 e) GDPR.
5. The PARK will not maintain a data-processing register for GDPR compliance (according to Art. 30 section 5 of the GDPR Processing Activities Register), as it employs under 250 people.
6. The PARK will not appoint a Data Protection Inspector, as the size of the company and the scope of data processing do not require it and the company’s financial, technical and legal abilities make it difficult.
7. Personal Data will be processed only for specific purposes:
a. marketing
b. processing of contracts with employees and subcontractors
c. acquiring consent for the services rendered by the PARK, as required by law
8. The extent of data processing is limited to the scope required by law or by the marketing activity of the Ministry of Public Security, according to Art. 5 section 1 a), b) and c) GDPR.
9. Personal data in paper form will be processed only in cases required by law.
10. Data in paper form will be destroyed after the retention period defined in the PARK’s information clause.
11. Digital data will be safely deleted after the retention period defined in the PARK’s information clause.
12. All incidents of personal data violation will be reported by the Administrator to the regulatory authority, as required by Art. 33 GDPR. Should the violation of data induce a high risk of infringement of legal rights or personal freedoms, the Administrator will inform the data subject without undue delay (Art. 34 GDPR).
13. Collection of personal data will ensue only after prior information has been given to the data subject (Art. 12 and Art. 13 GDPR). Whenever possible, data will not be obtained from any other party except the data subject. Personal data of individuals under the age of 18 – in accordance with Art. 8 GDPR – will be obtained based on the assent of the person holding parental custody over or caring for the individual in question.
14. Consent to data processing is obtained only for marketing purposes.
15. Each and every individual whose data has been obtained by the PARK has the right to:
a. access their personal information (Art. 15 GDPR)
b. correct their personal information (Art. 16 GDPR)
c. “be forgotten” (Art. 17 GDPR)
d. restriction of data processing (Art. 18 GDPR)
e. data portability (Art. 20 GDPR)
f. object (Art. 21 GDPR)
16. According to Art. 19 GDPR the Administrator will inform each receiver of personal information about any correction or erasure of the data, unless impossible or disproportionately demanding. The Administrator will make these receivers known to the data subject upon his/her demand.
17. The Administrator uses cloud services from a trusted provider: Google. Due to the business profile and financial assets, the Administrator is unable to build, run and maintain IT systems ensuring safe processing of personal information unaided.