Personal Data Protection

PRIVACY POLICY

Definitions:

1. Data Controller - a natural or legal person, public body, unit or other which independently or jointly with others sets the purposes and means of processing personal data;

2. Personal data – any information regarding an identified or identifiable natural person;

3. Filing system – any structured set of personal data which are accessible according to specific criteria;

4. Data processing – any operation which is performed on Personal Data, such as collection, recording, storage, adaptation, alteration, making available, or erasure in traditional form or in computer systems.

I. General Provisions

1. This Policy concerns the Personal Data processed at VINCI IMMOBILIER POLSKA SP. Z O.O., regardless of the processing form (traditionally processed data collections, computer systems) and whether or not data are or can be processed in filing systems.

2. We receive your Personal Data:

a) when you use the contact form made available on our website;

b) by electronic mail;

c) by phone when you contact VINCI IMMOBILIER POLSKA SP. Z O.O.;

d) when you enter into an agreement with the company;

e) when you agree to contact you for marketing purposes.

3. The Data Controller ensures that activities performed in connection with personal data processing and protecting are consistent with this policy and applicable laws.

I. Information on the processing of personal data

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free transfer of such data and repealing Directive 95/46/EC (hereinafter: “GDPR”).

Controller:

VINCI IMMOBILIER POLSKA SP. Z O.O. having its registered office in Warsaw, ul. Domaniewska 32, entered in the Register of Businesses of the National Court Register, under number KRS: 0000682823, at the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, NIP: 5213785217, REGON: 36755339300000;

II. The purposes of data processing, legal basis and the period of storage of personal data

1. In the case of a query submitted via the contact form on the website or by e-mail, the data will be processed for the purposes of:

a) Answering questions, processing and responding to applications. The legal basis for data processing is the legitimate interest of the Data Controller which is to provide reliable information for the persons contacting us and to refer the case to an appropriate department in our company (legal basis – Article 6 section 1 letter f of GDPR),

b) Documenting closed cases evidential purposes in connection with defence against possible claims. (legal basis Art. 6 section 1 letter f of GDPR),

The data will be stored for a period of 1 year and in some cases until the claims expire, i.e. for 6 years.

2. In connection with providing the data for the purpose of conclusion of a reservation or development contract, the data will be processed for the purposes of:

a) concluding and implementing a contract. (legal basis: Art. 6 section 1 letter b of GDPR),

b) keeping accounting and tax documentation (legal basis: Art. 6 section 1 letter c of GDPR),

c) resolving any disputes and pursuing claims under a signed contract and conducting investigations of fraud - which is the legitimate interest of the Administrator (legal basis of Art. 6 section 1 letter f of GDPR),

d) fulfilling legal obligations incumbent on the Data Controller, in particular those arising from the Act of 16 September 2011 on the protection of the rights of buyers of an apartment or a single-family house and the Act of 24 June 1994 on the ownership of premises (legal basis: Art. 6 section 1 letter c of GDPR)

e) performing activities arising from a performance guarantee for a development contract. The legal basis for data processing is a separate act, i.e. the Civil Code. The data will be processed for a period of 6 years.

f) providing data to loan advisors cooperating with us. The legal basis for data processing is the consent of the person.

g) providing contact details to designers and subcontractors to determine changes introduced by tenants at the finishing stage. The legal basis for data processing is the need to provide data to perform the contract with a buyer of the premises.

h) debt collection resulting from the signed contract. The legal basis is the legitimate interest of the Data Controller which is the pursuit of financial claims in connection with the contract. The data will be processed for the period of claim limitation and in the case of a pending court case until the end of the proceedings.

The data will be stored for a period resulting from legal provisions, in particular accounting regulations, and in addition to that until limitation of claims in connection with the signed contract. In the event of a possible dispute, personal data will be stored at least until the final conclusion of the proceedings related to this case.

3. Marketing purposes.

In connection with providing us with personal data, our legitimate interest is the ability to process data for direct marketing purposes. The data will be processed until sending us an objection.

If a person wishes to receive information about our investments and services by electronic means or on telephone, using telecommunications equipment and the so-called automatic call systems, we will send information about our offer, by e-mail or by phone in a conversation with our consultant, depending on the consent given. The legal basis for data processing is a voluntary consent expressed by checking an appropriate checkbox on the form or leaving us an e-mail address or phone number for this purpose.

In some cases it will be possible to leave contact details only for the purpose of receiving information on a specific construction project. In this case the form will specify precisely what the consent relates to.

In the event that you contact us by phone to obtain information about the offer we will save your phone number in the database for future information regarding the query. In this situation, we will ask you for your consent.

The data will be processed until the consent is withdrawn.

4. In connection with our cooperation with contractors and suppliers, we process the data of their representatives and employees appointed to cooperate, for the purposes of

a) negotiating and implementing the contract, which is the legal basis for data processing in the case of persons representing the entity. The data will be processed for the period resulting from relevant laws, in particular accounting laws and regulations.

b) negotiating contracts

c) collecting evidence in relation to claims, which is the legitimate interest of the Data Controller. The data will be processed until we are sent an objection.

5. Video monitoring of the office and construction site in order to ensure safety of persons and property on the premises, which is the legitimate interest of the Data Controller. The data will be processed for a period of 1 month, and in the event of ongoing legal proceedings, until the end of the proceedings.

III. Data recipients:

a) Employees and associates of the Data Controller authorized to process data.

b) Entities processing personal data at the request of the Controller and only on the basis of a data entrustment agreement, e.g. in the field of IT services, debt collection, consulting services, marketing services, real estate management and administration services.

c) In the event of conclusion of a development contract, the data will also be made available to the Office of Notary Public Bartosz Walenda, Dominik Piotrowski s.c. in order to prepare a contract.

d) Loan advisors in connection with loan agreements.

e) Banks operating housing trust accounts in connection with the operated account.

IV. Rules for collecting personal data

Providing data to the extent necessary to conclude a contract is voluntary, but a failure to do so shall result in the inability to conclude a contract. Providing data for marketing purposes is voluntary.

V. Rights related to the processing of personal data

The data subject may exercise the following rights in relation to the Data Controller:

a) the right to request access to personal data and obtain information on its processing, and in the event that it is incorrect, such a person has the right to request its rectification (in accordance with Art. 15 and 16 of GDPR),

b) the right to request the restriction of the processing of their data in situations and on the principles set out in Art. 18 of GDPR (a data subject may request the restriction of the processing of their personal data for the period of verification of its correctness or until their opposition to data processing is considered. This right also applies if, in the opinion of the data subject, the processing of his data is unlawful, but he subject does not want that data to be deleted immediately or if the data is needed longer than assumed in the adopted processing period due to the determination or support of claims),

c) the right to request the deletion of data in accordance with Art. 17 of GDPR ("the right to be forgotten"),

d) the right to transfer personal data in accordance with Art. 20 of GDPR, i.e. to receive from the Data Controller of Data Subject’s data in a structured, commonly used machine-readable format (by computer), as well as to request its transfer to another Data Controller; This right applies only to data provided to the Controller by a Data Subject, which is processed in connection with the contract execution and the data is in the electronic form,

e) the right to withdraw at any time the previously granted consent to the processing of their personal data, which, however, will not affect the lawfulness of the processing of personal data, which was based on this premise and took place before exercising the right to withdraw the consent,

f) the right to object at any time to the processing of their personal data for reasons related to their special situation, in the event that the data is processed by the Controller as part of the implementation of their legitimate interests (in accordance with Art. 21 section 1 of GDPR),

g) the right to object at any time to the processing of their personal data for direct marketing purposes (in accordance with Art. 21 section 2 of GDPR),

In order to exercise the above rights, please contact the Data Controller.

In addition, a person has the right to lodge a complaint regarding the processing of his/her personal data to the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw).

VI. Safety Management

1. All personal data are processed in accordance with the processing rules provided by law:

a) In each case, there is at least one ground for data processing provided for by legal regulations;

b) The data are processed in a reliable and transparent manner;

c) The personal data are collected for specific, explicit and legally justified purposes and are not further processed in a manner inconsistent with the said purposes;

d) The personal data are processed solely to the extent necessary to achieve the purpose of data processing;

e) The personal data are correct and updated if necessary;

f) The data are stored for such period as they are useful for the purpose for which they were collected, and thereafter they are anonymized or erased;

g) The information obligation is performed with respect to the data subject in accordance with Articles 13 and 14 of the GDPR, depending on the source from which the data is obtained.

2. The data are protected against potential breaches of their security.

3. VINCI IMMOBILIER POLSKA SP. Z O.O. has implemented technical and organisational measures appropriate to ensure, during the processing of Personal Data, a level of security appropriate to the risk of infringement of the rights or freedoms of natural persons with varying likelihood and severity.

4. VINCI IMMOBILIER POLSKA SP. Z O.O. has taken the necessary actions to ensure that its employees and collaborators guarantee that appropriate security measures are applied whenever they process the Personal Data for the Controller.

VII. Breach of Personal Data Protection Rules

1. In the case of a personal data breach, the Controller shall assess whether the breach is likely to result in a risk of infringement of the rights and freedoms of natural persons.

2. Whenever the breach is likely to result in a risk of infringement of the rights and freedoms of natural persons, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

3. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject.

4. In accordance with Article 33 (5) of the GDPR, the Controller shall document any personal data breaches.

VIII. Outsourcing Personal Data Processing

1. The Personal Data Controller may appoint another entity to process personal data solely based on a written contract, in accordance with the requirements set out in Article 28 of the GDPR.

2. Before outsourcing the processing of personal data, the Controller shall, as far as possible, obtain information about the processor’s practices to date regarding the protection of personal data.

IX. Cookies and Google Analytics

1. The website http://vipolska.pl uses cookies. Cookies are small text files sent by the web server and stored by the computer browser software. They are saved on the disk of the end user’s device to facilitate navigation and adapt the website to the user's preferences. Owing to cookies, your individual settings are saved and you can log into e.g. your e-mail account. Cookies may be blocked on or removed from the terminal device after configuration of the web browser settings. However, this may hamper the operation or disable some of the website functions. If the web browser settings do not block cookies, you are considered to have agreed to saving the same.

2. This website uses two types of Cookies:

a) session Cookies, which are permanently deleted upon the end of the session of the User's browser;

b) permanent Cookies, which remain saved on the User's device until deleted.

3. It is not possible to identify the User based on session or permanent Cookies. The Cookies mechanism does not allow downloading any personal data.

4. Files generated directly by the Website cannot be read by other websites. Third Party Cookies (i.e. Cookies installed by entities cooperating with VINCI IMMOBILIER POLSKA SP. Z O.O.) may be read by a third party server.

5. Users may change Cookie settings at any time on their own and specify their storage conditions by changing the web browser settings or by configuring the service. Users may also delete Cookies stored on their device at any time on their own, according to the instructions of the browser manufacturer.

6. The User may prevent Cookies from being saved on his/her device, according to the instructions of the browser manufacturer, but this may disable the Website functions in whole or in part.

7. Detailed information about the handling Cookies is available in the User’s browser settings.

8. The site may save http queries. Therefore, some information may be saved in the server log files, including the IP address of the query, User’s station name – identification is carried out by the http protocol if possible, date and system time of registration and arrival of the query, information about errors that occurred during the execution of the http transaction. Logs can be collected as data for proper administration of the Application. Only the persons authorised to administer the computer system shall have access to the data. Log files may be analysed in order to prepare statistics on Website traffic and errors. Summary of such information does not identify the User.

9. The Website http://vipolska.pl uses Google Analytics. You will find more information on using Google Analytics at http://www.google.com/analytics/learn/privacy.html. In order to give users of our Website more options to choose the method of using their data collected by Google Analytics, Google has developed a browser plug-in that blocks Google Analytics. The add-on communicates with the Google Analytics JavaScript (ga.js) protocol to provide information that data on Website visits should not be sent to Google Analytics. The Google Analytics blocker add-on does not block the transfer of data to the website itself or to other network analytics services.

X. Contact Details

You can contact us by:

- traditional mail to: Domaniewska 32, 02-672 Warszawa

- electronic mail to rodo@vinci-immobilier.com

Privacy policy enter into force on 7 January 2020