1. Definitions

1. Administrator: AUTO.DIA2.PL POLAND Sp. z o.o., with its registered office in Warsaw, Modlińska 6A/222, 03-216 Warsaw, entered in the National Court Register kept by the District Court for the capital city of Warsaw, XIV Economic Division of the National Court Register, under KRS number 0001107109, NIP 5243007559.
2. Personal Data: Information relating to an identified or identifiable natural person, in particular a person who can be identified by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recordings, contact data, location data, information contained in correspondence, and information collected by recording equipment or similar technology.
3. Supervisory Authority: The President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) or the supervisory authority competent for Personal Data designated by another EU member state.
4. Data Subject: A natural person whose Personal Data is processed by the Administrator.
5. Policy: This Data Protection Policy.
6. Employee: A natural person employed by the Administrator under an employment contract.
7. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
8. Associate: A natural person providing services to the Administrator under a civil law contract (e.g., a mandate contract or a contract for specific work).

2. General Principles

2.1. This Policy is the fundamental document regulating the principles of Personal Data processing by the Administrator.
2.2. The implementation of the Policy aims to ensure compliance with the GDPR in all Personal Data processing carried out by the Administrator, regardless of the form (electronic or paper) in which the processing occurs.
2.3. In connection with its operations, the Administrator collects and processes Personal Data in accordance with applicable law, including the GDPR and the processing principles set out therein, namely:
2.3.1. The Administrator ensures that the processing of Personal Data is lawful and rests on one of the legal bases specified in the GDPR, i.e., Article 6(1), Article 9(2) or Article 10 (principle of lawfulness).
2.3.2. The Administrator ensures fairness and transparency in the processing of Personal Data, in particular by always informing Data Subjects about the processing of their Personal Data at the time of collection, including the purpose and legal basis of the processing (principle of fairness and transparency).
2.3.3. The Administrator ensures that Personal Data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes (principle of purpose limitation).
2.3.4. The Administrator ensures that Personal Data is processed only to the extent necessary to achieve the purpose for which it was collected (principle of data minimization).
2.3.5. The Administrator ensures that the Personal Data it processes is accurate and, where necessary, kept up to date, and takes every reasonable step to ensure that inaccurate Personal Data is erased or rectified without delay (principle of accuracy).
2.3.6. The Administrator ensures that Personal Data is processed only for as long as is necessary to achieve the purposes of the processing (principle of storage limitation).
2.3.7. The Administrator ensures the security of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical and organizational measures (principle of integrity and confidentiality).
2.4. The Administrator ensures compliance with the Policy by all of its Employees and Associates.

3. Organization of the Personal Data Protection System

3.1. Before granting access to Personal Data, the Administrator familiarizes each Employee, Associate or other person processing Personal Data on its behalf with the Policy, including the procedures and principles of Personal Data protection in force in the Administrator's organization.
3.2. Employees and Associates may process Personal Data only on the basis of a documented authorization issued by the Administrator. The Administrator further requires authorized persons to keep Personal Data, and information about how it is secured, confidential, and to comply with the Policy, including the procedures and principles of Personal Data protection in force in the Administrator's organization.
3.3. The Administrator designates a person responsible for the area of Personal Data protection and provides the measures and resources necessary to perform the assigned tasks.
3.4. The tasks of the person designated under point 3.3 include, in particular:
3.4.1. Informing the Administrator and the Employees and Associates who process Personal Data of their obligations under the GDPR and other European or national data protection law, and advising them in this regard.
3.4.2. Monitoring compliance with the GDPR and other European and national data protection law by authorized persons, and with the internal policies and procedures implemented by the Administrator in this area.
3.4.3. Raising awareness of Personal Data protection, including training for staff involved in processing operations, and conducting related audits.
3.4.4. Providing advice, where requested, on Data Protection Impact Assessments and monitoring their performance in accordance with Article 35 of the GDPR.
3.4.5. Cooperating with the Supervisory Authority.
3.4.6. Acting as the contact point for the Supervisory Authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and, where appropriate, consulting it on any other matter.
3.5. Employees and Associates processing Personal Data are obliged to:
3.5.1. Process Personal Data in accordance with the authorization granted and with due diligence.
3.5.2. Immediately report any event that may constitute a Personal Data breach.
3.5.3. Participate in the Personal Data protection training organized by the Administrator.
3.5.4. Keep Personal Data, and information about how it is secured, confidential in accordance with the confidentiality clause they have signed.

4. Personal Data Security

4.1. The Administrator implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the rights or freedoms of natural persons, taking into account that this risk varies in likelihood and severity. In doing so, the Administrator takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
4.2. In assessing whether the level of security is appropriate, the Administrator considers in particular the risks presented by the processing, especially those arising from the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed.
4.3. To ensure the integrity and confidentiality of Personal Data, the Administrator grants access to Personal Data only to authorized persons and only to the extent necessary for their tasks. The Administrator applies organizational and technical measures to ensure that all operations on Personal Data are logged and are performed only by authorized persons.
4.4. The Administrator conducts ongoing risk analysis of its Personal Data processing and monitors whether the security measures applied remain adequate to the threats identified. Where necessary, the Administrator implements additional measures to strengthen the security of Personal Data.
4.5. Where a type of processing, in particular one using new technologies, is likely, by reason of its nature, scope, context and purposes, to result in a high risk to the rights or freedoms of natural persons, the Administrator assesses the impact of the planned processing operations on the protection of Personal Data before the processing begins. If the assessment indicates that the processing would result in a high risk in the absence of measures taken by the Administrator to mitigate that risk, the Administrator consults the Supervisory Authority before the processing begins.
4.6. If the purposes for which the Administrator processes Personal Data do not require the identification of the Data Subject, the Administrator is not obliged to maintain, acquire or process additional information in order to identify the Data Subject for the sole purpose of complying with the GDPR.

5. Personal Data Breaches

5.1. The Administrator reports Personal Data breaches to the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons.
5.2. The Administrator notifies Data Subjects of a Personal Data breach without undue delay where the breach is likely to result in a high risk to their rights or freedoms.
5.3. In every case, the Administrator investigates the breach and implements appropriate organizational and technical corrective measures.
5.4. The Administrator documents all Personal Data breaches, including the circumstances of the breach, its effects and the remedial actions taken.

6. Exercising Data Subject Rights

6.1. The Administrator ensures that Data Subject rights are exercised in accordance with the GDPR, including:
6.1.1. The right to information about data processing. The Administrator provides the requesting person with information about the processing of their Personal Data, including the purposes and legal basis of the processing, the scope of Personal Data held, the recipients to whom it is disclosed, and the envisaged date of erasure of the Personal Data.
6.1.2. The right to obtain a copy of data. The Administrator provides the requesting person with a copy of the Personal Data concerning them.
6.1.3. The right to rectification of data. Upon request, the Administrator corrects any inaccuracies or errors in the Personal Data it processes and completes the data if it is incomplete.
6.1.4. The right to erasure of data. Upon request, the Administrator erases or anonymizes Personal Data where its processing is no longer necessary for any of the purposes for which it was collected.
6.1.5. The right to restriction of processing. Upon request, the Administrator ceases operations on the Personal Data, other than operations to which the Data Subject has consented, and stores the data in accordance with the adopted retention policies or until the grounds for restricting the processing cease to exist (e.g., a decision of the Supervisory Authority permitting further processing is issued).
6.1.6. The right to data portability. To the extent that Personal Data is processed by automated means on the basis of a contract or consent, the Administrator, upon request, provides the Personal Data supplied by the Data Subject in a structured, commonly used, machine-readable format.
6.1.7. The right to object to processing for marketing purposes. The Data Subject may object at any time to the processing of their Personal Data for marketing purposes, without having to justify the objection.
6.1.8. The right to object to processing for other purposes. The Data Subject may object at any time, on grounds relating to their particular situation, to processing of their Personal Data that is based on the legitimate interests of the Administrator.
6.1.9. The right to withdraw consent. Where Personal Data is processed on the basis of consent, the Data Subject has the right to withdraw that consent at any time; withdrawal does not affect the lawfulness of processing carried out before it.

7. Contacts with the Data Subject

7.1. The Administrator implements appropriate measures to ensure that communication with Data Subjects is concise, transparent, intelligible and easily accessible, using clear and plain language.
7.2. The Administrator provides information to Data Subjects in writing or by other means, including electronic means where appropriate. Where the Data Subject so requests, the information may be provided orally, provided that the identity of the Data Subject is verified by other means.
7.3. The Administrator facilitates the exercise of the rights granted to Data Subjects under the GDPR, including the rights provided for in Articles 15 to 22 of the GDPR.
7.4. The Administrator informs Data Subjects without undue delay of the action taken on a request made under Articles 15 to 22 of the GDPR.

8. Sharing and Entrusting the Processing of Personal Data

8.1. The Administrator shares Personal Data with another data controller only where one of the conditions referred to in Article 6(1) or Article 9(2) of the GDPR is met.
8.2. Where the Administrator entrusts the processing of Personal Data to a processor, it does so on the basis of a data processing agreement or another legal instrument referred to in Article 28 of the GDPR.
8.3. Before entrusting the processing of Personal Data, the Administrator verifies that the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of Data Subjects. The Administrator also takes all necessary measures to ensure that its subcontractors and other cooperating entities guarantee appropriate security measures whenever they process Personal Data on the Administrator's behalf.

9. Transfer of Personal Data to a Third Country

9.1. The level of Personal Data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data to a third country only where necessary and only with an appropriate level of protection, primarily by:
9.1.1. Cooperating with entities processing Personal Data in countries covered by an adequacy decision of the European Commission.
9.1.2. Using the standard contractual clauses adopted by the European Commission.

10. Ensuring Continuous Compliance

10.1. The Administrator ensures the ongoing compliance of the organization's activities with the Personal Data protection requirements set out in the GDPR, including by verifying and improving the records and procedures implemented in the organization.
10.2. To this end, the Administrator, among other things, monitors changes in the law, the guidelines of national and international data protection authorities, and the rulings of courts and tribunals, and takes account of best market practice.

11. Final Provisions

11.1. This Policy enters into force on 05.06.2024.