1. Controller - Arc Consulting Group sp. z o.o. sp. k., based in Kraków, 57 Królewska street, 30-081,
2. Personal Data – any information about an individual identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including image, recording of voice, contact details, location data, information included in correspondence, information collected via recording equipment or other similar technology.
3. GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.
4. Data Subject - any individual whose personal data is processed by the Controller, e.g. a person visiting Controller’s premises or sending a query to Controller by e-mail.

1. The Controller has appointed the Inspector of Data Protection: Monika Matyjek-Góra; contact with IOD is possible via e-mail address: dpo@arc-consulting.pl or to mailing address: Królewska street 57, 30-081 Kraków.

EMAIL AND POSTAL CORRESPONDANCE

1. In case of directing towards the Controller, by means of email post or traditional post, correspondence unrelated to the services provided towards the sender, other agreement concluded with him or another manner unrelated to any relation with the Controller, personal data contained in the correspondence are processed solely for the purpose of communication and termination of a matter to which such correspondence refers.
2. Legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the conduct of correspondence directed at him pursuant to his economic activity.

TELEPHONE CONTACT

1. In case of contacting the Administrator via telephone regarding matters related to the concluded agreement or the provided services, the Controller may demand indication of personal data only when it is deemed as necessary in order to handle a given matter to which the contact refers.
2. Legal basis is such case is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of the necessity to handle the submitted matter related to the economic activity conducted by him.

DATA COLLECTION IN CONNECTION WITH THE PROVISION OF SERVICES OR THE PERFORMANCE OF OTHER CONTRACTS

1. Where data is collected for purposes related to the performance of a specific contract, the Controller provides the data subject with detailed information regarding the processing of their personal data upon conclusion of the contract.

RECRUITMENT

1. As part of recruitment processes, the Controller process personal data included in application form and in all attached documents (e.g. in a CV or resume). Personal data are processed:
   1. to comply with legal obligations related to a recruitment process, including in particular the Labour Code – the legal grounds for processing is the legal duty of the Controller (Article 6(1)c) of GDPR in connection with the provisions of the Labour Code);
   2. to carry out the process of recruitment in the scope of data not required by the provisions of law nor by the Controller, as well as for the purposes of future recruitment processes – legal basis for the processing is consent (art. 6 sec. 1 letter a of GRDP);
   3. to establish, pursue or defend against claims – the legal grounds for data processing is a legitimate interest of the Controller (Article 6(1)f) of GDPR).

OTHER CASES OF DATA COLLECTION

1. In connection with its business activity, the Controller also collects personal data in other cases – e.g. during business meetings, at industry events or through exchange of business cards - for purposes related to initiating and maintaining business contacts. In such cases, the legal grounds for processing is a legitimate interest of the Controller (Article 6(1)f) of GDPR) which consists in developing a network of contacts in connection with its business.
2. Personal data collected in such cases are processed only for the purpose for which they were collected and the Controller ensures their adequate protection.

1. The Controller can disclose personal data to third parties, in particular suppliers responsible for the operation of IT systems and equipment, entities providing legal or accounting services, couriers, marketing agencies or recruitment agencies.
2. Controller reserves the right to disclose selected information about a data subject to competent authorities or third parties who request such information on appropriate legal basis and in accordance with applicable law.

1. The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. Data processing period can also arise from regulations, where processing is carried out based on such regulations:
   1. If processing is carried out based on a consent, data will be processed until such consent is withdrawn;
   2. Where data is processed based on a legitimate interest of the Controller – for example for security reasons - data is processed for a period of time making it possible to achieve such interest or to effectively object to data processing;
   3. The data processing period may be extended where processing is necessary to establish, pursue or defend against claims.
   4. If data is processed based on the need of such processing to enter into and perform a contract, such data will be processed until such contract is terminated. After the end of the processing period data is irreversibly deleted or anonymized.

1. Data subjects have rights to:
   1. right of access and right to information about the processing of personal data;
   2. right to obtain a copy of the data;
   3. the right to transfer data;
   4. the right to have inaccurate personal data rectified, or completed if it is incomplete;
   5. the right to erasure (to be forgotten);
   6. right to restrict processing;
   7. the right to object to the processing;
   8. the right to withdraw consent at any time. If data is processed based on a consent given, the data subject has the right to withdraw such consent at any time, which does not affect the lawfulness of processing carried out prior to the withdrawal of the consent;
   9. the right to complain to the Information Commissioner.
2. A request regarding the exercise of the rights of data subjects can be submitted to the Inspector of Data Protection indicated by Administrator.

1. Data processed by the Controller will not be transferred to recipients located in countries outside the European Economic Area.
2. Your data might be processed automatically and will not be profiled.
3. If the processing of personal data is carried out on the basis of the consent expressed by the data subject, submitting your personal data is voluntary
4. Providing personal data is mandatory if it is required by law or if it is required by agreement between the parties.

Cookies used by the Administrator are safe for the User's Device. In particular, it is not possible for viruses or other unwanted software or malware to enter Users' Devices in this way.

The administrator uses cookies to:

1. recognize the Website User's device and its location, and properly display the website, tailored to his individual needs;
2. optimization and increasing the efficiency of services provided by the Administrator, by creating anonymous statistics that help to understand how Website Users use Website pages using the Google Analytics service.

The User may independently and at any time change the settings for Cookies, specifying the conditions for their storage and access by Cookies to the User's Device. Changes to the settings referred to in the previous sentence can be made by the User using the web browser settings or by using the service configuration by clicking here.

The user may at any time delete cookies using the features available in the web browser he uses.

Restricting the use of cookies may affect some of the functionalities available on the Website.