PRIVACY
POLICY

§ 1 PRIVACY POLICY

At Bahlsen, we respect the privacy rights of individuals who have entrusted us with their personal information, including our service users, contractors, and their employees. We assure you that your data is processed in compliance with national and EU laws, and that measures are in place to protect it.
In line with Article 13(1) and (2) of Regulation (EU) 2016/679 from the European Parliament and Council of 27 April 2016—concerning the protection of natural persons regarding personal data processing and its free movement, which also repeals Directive 95/46/EC (General Data Protection Regulation or ‘GDPR’)—we wish to inform you of the following:

Data controller

1. The entity responsible for deciding how personal data is processed is BAHLSEN POLSKA sp. z o.o. sp. komandytowa, located at ul. Piłsudskiego 1, 32-050 Skawina, Tax ID: 9441833751.
2. We have appointed a Data Protection Officer, who can be reached via email at daneosobowe@bahlsen.pl.

Data acquisition and the purpose of processing

1. Personal data collected through contact forms, phone calls, email correspondence, text messages, and meetings will be processed for the following purposes:
   1. Ongoing communication related to a contract or activities aimed at finalising and fulfilling a contract in line with the controller’s activities – Article 6(1)(b) and (f) of the GDPR,
   2. providing services, including fulfilling a contract and selling products – Article 6(1)(b) of the GDPR,
      delivering newsletters, subject to prior consent – Article 6(1)(a) of the GDPR,
   3. processing applications and managing requests – Article 6(1)(f) of the GDPR,
   4. conducting marketing campaigns to promote our services, in pursuit of our legitimate interest through conventional direct marketing and other advertising methods – Article 6(1)(a) of the GDPR,
   5. responding to inquiries and maintaining correspondence – Article 6(1)(f) of the GDPR,
   6. defending against claims and pursuing rights based on the legitimate interest of the Data Controller until the claim’s limitation period lapses – Article 6(1)(f) of the GDPR,
   7. managing human resources, which includes employees and collaborators, as well as organising recruitment processes – Article 6(1)(c) and (f) of the GDPR.
2. The Controller ensures that data is processed lawfully, collected for specific and legitimate purposes, and not subjected to further processing that is incompatible with those purposes. We collect only the data necessary and relevant for the purposes for which it is processed.
3. The Controller may delegate the processing of collected personal data of Users to another entity under a contractual agreement, in accordance with Article 28 of the GDPR.

Data recipients

1. We may share your personal data with third parties as part of promotions, competitions, contracts, or similar services that we offer in collaboration with our partners. You will receive additional information about this when you provide your personal data, or you can refer to the terms of use for more details.
2. Within the scope of our business operations, your personal data may be shared with the following categories of recipients: individuals conducting business activities that provide services to the Controller, entities that are legally authorised to receive such data, and providers of hosting and IT support, including external IT solution providers.

Sharing data with Bahlsen

1. It is essential to provide your data to Bahlsen to facilitate cooperation and fulfil the contract, as well as to meet any legal obligations. This is particularly relevant when using our services, purchasing products, or if you are interested in joining our team.
2. In other circumstances (particularly concerning data processing for marketing purposes), providing your data is entirely voluntary.

Security of personal data processed

1. Bahlsen is committed to safeguarding customers’ and users’ personal data from unauthorised access by implementing organisational and technical security measures that align with the risks associated with processing personal data, pursuant to Article 32 of the GDPR. All employees are required to adhere to our confidentiality, security, and privacy policies and procedures.

Retention Period for Personal Data

1. The Controller retains personal data for as long as necessary to achieve the purposes of processing, fulfil contractual obligations, and comply with legal requirements—ensuring it does not exceed the duration specified in the applicable laws and only for as long as needed to serve the legitimate interests of the Administrator. For instance:
   1. personal data related to complaints, requests, and claims will be processed for the contract’s duration, continuing until the warranty period ends or the complaint process is completed;
   2. data processed to defend against claims and pursue legitimate interests will be held until the expiration of any contractual claims, in line with legal regulations;
   3. accounting documents shall be retained for the period required by law, typically five years from the end of the year in which the event that prompted the creation of the document occurred;
   4. video recordings will be kept only for the purpose for which they were made, for a maximum of three months from the recording date, or until a legitimate objection is raised, unless they are needed as evidence in legal proceedings, in which case they will be stored until the proceedings are concluded;
   5. personnel data will be retained according to legal requirements for archiving employee records, such as personal files, for a period of ten years;
   6. after a recruitment process is completed, the data will be deleted promptly, or it will be stored if consent is given for participation in future recruitment until such consent is revoked;
   7. data linked to newsletters, marketing products and services offered will be stored until consent is withdrawn;
   8. data processed due to the Controller’s legitimate interests will be retained until those interests are fulfilled, unless the interests or fundamental rights of the individual outweigh these interests, at which point retention will continue only until an objection is raised;
   9. Other personal data will be processed until an objection to their processing is submitted.

Your rights regarding personal data processing by Bahlsen

1. Concerning the processing of your personal data, you have the right to:
   1. access the content of your data being processed (Article 15 of the GDPR),
   2. correct any inaccuracies in your data (Article 16 of the GDPR),
   3. request the deletion of your data (Article 17 of the GDPR),
   4. limit the processing of your data (Article 18 of the GDPR),
   5. transfer your processed data (Article 20 of the GDPR),
   6. object to the processing of your data (Article 21 of the GDPR),
   7. and file a complaint with the PUODO (Polish Data Protection Commissioner) regarding the processing of your personal data by the Controller (Article 77 of the GDPR).

Data transfer to third countries

1. The data controller does not plan to transfer personal data to any third countries or international organisations.
2. If any of our service providers or partners operate outside the European Economic Area (EEA), we will make sure to inform you about the potential implications in the offer’s description.

Automated processing of personal data

1. Personal data will not be subject to automated decision-making, including profiling, that could have legal consequences or significantly impact customers, suppliers, their employees or associates, as well as employees or associates or job applicants.

§ 2 USE OF COOKIES

1. In line with the ‘opt-in’ principle, when you access our website, you can choose to accept or decline not just the automatically set necessary cookies but also any additional cookies of your preference. Alongside your choice of cookies on the Bahlsen website, you can also adjust your browser settings to reflect your preferences, such as blocking third-party cookies or all cookies. Please be aware that blocking automatically set cookies may result in some website features becoming unavailable.
2. Our website utilises the following cookies:
   1. temporary cookies,
   2. persistent cookies,
   3. third-party cookies.
3.  Temporary cookies are automatically deleted when you close your browser. This especially applies to session cookies, which store a session ID that tracks requests made during your time on our website. This allows your computer to be recognised when you next visit our website. Session cookies are removed when you log out or shut down your browser.
4. Persistent cookies, on the other hand, are deleted after a predetermined period, which can vary depending on the file type. You can delete these cookies at any time in your browser’s security settings.
5. We collaborate with various external service providers who assist us in displaying relevant ads to you. These third-party service providers may also place cookies on your computer’s hard drive (third-party cookies). You’re free to delete these at any time using your browser’s security settings.
6. We employ cookies to recognise your subsequent visits to our website if you have an account. Otherwise, you would need to log in each time you visit.
7. Flash cookies are stored by the Flash plug-in rather than your browser. We also utilise HTML5 storage objects, which are saved directly on your device and are independent of your browser, with no automatic expiry date. If you wish to disable Flash cookies on your computer, you must install the corresponding add-on for your browser. You can also block the use of HTML5 storage objects by enabling private mode in your browser. Furthermore, we recommend manually deleting cookies and clearing your browsing history regularly.

§ 3 MATOMO ANALYTICS

1. Once you provide your consent, we utilise a cookie that enables us to analyse your behaviour while browsing the website. This helps us continuously improve our website’s quality, content, and user experience. We achieve this using the open-source software tool Matomo, offered by InnoCraft Ltd, located at 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769 (hereafter “Matomo”).
2. The legal basis for processing your personal data is your consent in line with Article 6(1)(a) of the GDPR.
3. With Matomo, no data is sent to external servers beyond our control. All data processing occurs solely on our website servers. We also use an add-on for Matomo that obfuscates your IP address, ensuring it cannot be personally linked to you. For additional details on terms of use and data protection, please visit matomo.org/privacy/.
4. If you agree to enable website analysis through Matomo, the following data will be collected and processed:
   1. your IP address (which is shortened by Matomo and cannot be personally identified)
   2. the website you visited
   3. the website that referred you to the visited page
   4. the subpages you accessed on the visited site
   5. time spent on the website
   6. the number of times you visited the website
5.  We delete the data as soon as it is no longer necessary for our analytical purposes, with a typical retention period of 30 days.
6. You can revoke your consent to future data collection at any time by adjusting your browser’s cookie settings. However, please bear in mind that this may limit your ability to use all website features fully.

§ 4 FRIENDLY CAPTCHA

1. Our website utilises the “Friendly Captcha” service, provided by Friendly Captcha GmbH, located at Am Anger 3-5, 82237 Wörthsee, Germany. This privacy-friendly protection solution effectively hinders automated programmes and scripts, known as “bots”, from exploiting our site.
2. Friendly Captcha serves to verify whether data entries on our website (e.g., in a contact form) originate from a human user or an automated programme (spam bot). To this end, Friendly Captcha analyses user behaviour across a range of characteristics. Importantly, it does not retain any user personal data; any data that could identify a user, such as IP addresses, is anonymised using one-way hashing.
3. The following data may be collected during this process:
   1. IP address
   2. Connection data
   3. Environmental data
   4. Interaction data
   5. Functional data
   6. More information on Friendly Captcha can be found here.
4.  The processing of this data is based on Article 6(1)(f) of the GDPR, as we have a legitimate interest in protecting our website from automated detection and spam abuse. Once the processing requirement has been met, the data will be deleted.
5. To ensure compliance with data protection regulations, we have established a data processing agreement with Friendly Captcha, which guarantees that the aforementioned data will be handled appropriately.

§ 5 SOCIAL MEDIA

1. Use of social media plug-ins
   1. We currently incorporate plugins from the following social media platforms: Facebook, Google+, Twitter, Instagram, and Pinterest. To prioritise your privacy, we use the “two-click method.” This means that when you visit our website, we do not automatically share any of your personal data with the plugin operators. You can recognise each plug-in operator by its respective logo or initial letters on the button. We offer you the opportunity to connect directly with the plugin operator by utilising the designated button. By clicking on the marked area, you consent to the use of cookies, and at that moment, the plugin operator receives information about your visit to our website. This leads to the transfer of the data specified in § 3 of this privacy policy. According to information from the respective plugin operators based in the EU, Facebook anonymises your IP address immediately upon retrieving it. Once you activate the plugin, your personal data is sent to the operator, which stores it (in the case of American operators, this will be in the USA). As these plugin operators primarily collect data through cookies, we suggest that you clear your cookies or adjust your cookie settings on the Bahlsen website before you click the grey box in your browser’s security settings. This action equates to not providing your consent.
   2. We have no control over the data collected and the processing mechanisms. Furthermore, we are not fully aware of the extent of this data collection, the reasons behind its use, or how long it is stored. We also lack information regarding when or how the plugin operators delete the collected data.
   3. The plugin operators retain the data collected about you to create user profiles for advertising, market research, and/or to tailor their websites according to your preferences. This analysis mainly serves to display advertisements that meet your needs and to inform other users of the social media platform about your activity on our site. You have the right to object to the creation of such a user profile, but to exercise this right, you will need to contact the relevant plugin operator. By providing these plugins, we enable social media and user interaction, ultimately helping us enhance our offerings and make them more appealing to you. In line with Article 6(1)(a) of the GDPR, the legal basis for utilising these plugins is your consent.
   4. Data transfer occurs regardless of whether you have an account with the plugin operator or whether you are logged in. If you are logged into your account with the plugin operator, the data we collect will be directly linked to your profile. For instance, if you click the activated button and share a link to a page, the plugin operator will save this information in your user account and share it publicly with your contacts. We recommend that you log out of your social media accounts regularly after use, especially before activating the button, to prevent the plugin operator from linking your data to your user profile.
   5. For further information about the purpose and scope of data collection and processing by the plugin operators, please refer to their privacy policies linked below. These documents also provide additional information on your rights and settings options to safeguard your privacy.
   6. Below are the contact details of the respective plugin operators along with links to their data protection policies:
      • Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: http://www.facebook.com/help/186325668085084 and http://www.facebook.com/about/privacy/your-info#everyoneinfo.
      • Facebook has complied with EU-US Privacy Shield regulations, https://www.privacyshield.gov/EU-US-Framework.
      • Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google has complied with the EU-US Privacy Shield regulations: https://www.privacyshield.gov/EU-US-Framework.
      • Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has complied with Privacy Shield regulations
      • UE-USA, https://www.privacyshield.gov/EU-US-Framework.
      • Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA; https://help.instagram.com/155833707900388
      • Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA; https://policy.pinterest.com/pl/privacy-policy