CRIST S.A. is committed to informing you about the processing of your personal data collected through our website, www.crist.com.pl. This Privacy and Cookies Policy outlines the personal data we collect, use, and disclose.

Personal data encompasses any information pertaining to an identified or identifiable natural person, whose identity can be ascertained directly or indirectly based on such data. This may include names, contact details, identification data, online identifiers, or other characteristics unique to an individual.

This Privacy and Cookies Policy applies when you access our websites, utilize our solutions and other services, including event pages that reference this Policy or display a link to it. This Privacy Policy may be supplemented by additional privacy statements or terms provided to you. No identifying data is transferred to any third party for any purposes.

§ 1
Identifying Information

CRIST S.A., headquartered in Gdynia at Czechosłowacka Street 3, serves as the Data Controller for all personal data collected through our website. We are committed to safeguarding the personal information of our customers, users, employees, and other stakeholders.

To this end, we have implemented robust internal frameworks across the company, including procedures and minimum standards to ensure the security of your data. We take appropriate technical and organizational measures to guarantee the confidentiality and integrity of your personal data and how we process it. For inquiries related to your personal data, please refer to the "CONTACT" section for our contact details.

§ 2
Categories of Processed Data

The type of personal data we collect depends on your relationship with us. For purposes related to the aforementioned relationship, we may collect the following personal data from you:

• Personal details such as name, email address, postal address, and phone number
• Job-related information, such as job title and other employment or educational information

We obtain this data from direct interactions when you fill out the contact form on our website.

§ 3
Legal Basis for Data Processing

The personal data collected is used for the purpose for which you provided it; more broadly, it may only be used for legally defined purposes and other legitimate purposes. For example, if you use the contact form on our website, we will use the information you provided to respond to your inquiry.

Lawfulness of processing is one of the fundamental principles of processing your personal data – we process it based on the following legal grounds:

• Processing is necessary to perform a contract or take appropriate steps before entering into a contract;
• Processing is necessary for purposes related to our legitimate interests, such as improving the quality of our products and services;
• Processing is necessary to comply with a legal obligation to which we are subject or which is otherwise lawful under applicable data protection laws;
• Based on your consent.

§ 4
Purposes of Data Processing

Depending on the actions you take in relation to us, we may use your personal data for the following purposes:

• Conducting recruitment, including assessing job candidates. This type of processing is intended to take appropriate steps before entering into a contract or is based on your consent;
• Reporting ethics or anti-discrimination issues;
• Other business support purposes, such as order management, financial and tax management, risk and compliance management, and reporting to external entities. This type of processing is necessary to comply with a legal obligation to which we are subject or is otherwise lawful under applicable data protection laws or due to our legitimate interests.

§ 5
Data Sharing

To provide you with the best possible services and ensure the growth of our business, we may share certain information with internal recipients or selected third parties. There may also be a specific legal or statutory obligation that we believe in good faith requires us to disclose your personal data to external entities. We may share data with:

• Other units within the Crist group;
• Our service providers, e.g., for service management or hosting services and/or managing technological solutions supporting the services we provide or hosting such solutions;
• Organizations involved in business transfers, such as a buyer or legal successor in the event of a sale or any other commercial transaction related to our business or a part of it;
• Other entities, e.g., for the purposes of external audits, compliance, risk management, business development, and/or corporate governance issues;
• Government authorities as required by applicable laws.

Whenever we share personal data within the company or with third parties in other countries, we apply appropriate safeguards in accordance with applicable data protection laws, including EU standard contractual clauses. Entities are required to apply appropriate safeguards to ensure the protection of personal data and may only access personal data necessary to perform specific tasks.

Your personal data will be processed to the extent necessary to fulfill our obligations and for the period necessary to achieve the purposes for which the data was collected, in accordance with our data protection policy and applicable data protection laws. When your information is no longer needed, we will take all reasonable steps to remove it from our systems and records or to appropriately anonymize it to prevent identifying you.

§ 6
Your Rights

We will respect your rights under applicable laws. To the extent provided by your local data protection laws, including European data protection laws, you have the following rights:

• Right of Access: the right to obtain information about your personal data that we process.
• Right to Rectification: the right to request that we correct or supplement your data if it is incorrect or incomplete.
• Right to Erasure: the right to request that we delete your personal data to the extent permitted by law. In certain circumstances, fulfilling your request may be impossible, such as when processing is necessary to comply with a legal obligation or to perform a contract.
• Right to Data Portability: the right to request that we transfer your personal data directly to you. This applies to specific personal data processed automatically and based on your consent or a contract you have entered into with us. At your request and where technically feasible, we can transfer your personal data to a third party you choose.
• Right to Restrict Processing: the right to request that we restrict or cease processing your personal data for a specified or unlimited period. In certain circumstances, fulfilling your request may be impossible, such as when processing is necessary to comply with a legal obligation or when we can demonstrate another legitimate basis.
• Right to Object: the right to object to the processing of your personal data. The grounds for objection should relate to your specific situation and processing based on the condition of legitimate legal basis. In such cases, we will cease processing your personal data unless we demonstrate compelling reasons for continuing to process it.
• Withdrawal of Consent: the right to withdraw your consent to the processing of your personal data at any time; for example, after consenting to receive information about our services, you have the right to withdraw it at any time.

If you believe we are not responding to your inquiries (requests) or disagree with our data privacy practices, you may also file a complaint with your national data protection authority.

§ 7
Cookies Mechanism

Cookies and similar technologies (collectively "Cookies") are small text files or pixels that can be stored on your computer or mobile device. Cookies may be necessary to facilitate website browsing and make it more user-friendly.

In many cases, web browsing software (web browser) allows cookies to be placed on the end device by default. Website users can change their cookie settings at any time. These settings can be modified to block automatic handling of cookies in the web browser settings or to inform you each time they are sent to the user's device. Detailed information on the possibilities and ways of handling cookies is available in the user's software (web browser) settings.

The Cookies mechanism is not used to obtain any information about website users or to track their navigation. Cookies do not store any personal data or other information collected from users.

We may use cookies in one of the two categories presented below. The cookie banner on our website allows you to manage your preferences regarding non-mandatory cookie categories. Additionally, the banner provides a summary of all cookies used in these categories.

• Necessary Cookies – these mandatory cookies are needed to ensure the smooth operation of our websites.
• Functional Cookies – these cookies provide access to additional features on our websites.

§ 8
Links to Other Sites

Our websites may contain links to other sites whose privacy policies may differ from ours. We are not responsible for collecting, processing, or disclosing personal data collected through other websites.

Additionally, we are not responsible for the information or content posted on such sites. Links to other sites are provided solely for convenience. Your use of and browsing on such sites is subject to the terms specified in their policies. Please review the privacy policies posted on such other sites you may visit via our site.

If you believe we are not responding to your inquiries (requests) or disagree with our data privacy practices, you may also file a complaint with your national data protection authority. In response to your request, we may ask for proof of identity if appropriate, and information to help us better understand your request. If we do not comply with your request, we will provide the reason for our decision.

§ 9
Policy Changes

We may update this Privacy and Cookies Policy and any other specific privacy statement. When changes are made to this Privacy and Cookies Policy, we will add a new date to this Privacy Statement. This version is effective as of January 2021.