In accordance with Article 13 and Article 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as GDPR), in connection with the receipt of your personal data as a representative of our contractors/partners or their employee, we hereby inform you that:

1. The controller of your personal data is PHN PROPERTY MANAGEMENT Sp. z o.o. (formerly: PHN PROPERTY MANAGEMENT PHN K Spółka z ograniczoną odpowiedzialnością S.K.A. with its registered seat in Warsaw, at al. Jana Pawła II 12 lok. V/24,  registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Department under KRS number 0001053856, REGON: 147393971 NIP: 5252593551, (Hereinafter referred to as the "Controller").

2. The contact person for all matters related to the processing of personal data and the exercise of rights related to the processing of personal data by the Controller is the Data Protection Officer, who can be contacted via the following email address:  iod[@]regent-warsaw.com

3. The processing of your personal data in connection with the conclusion and performance of agreements between the Controller and Contractor is based on and carried out for the following purposes:

1. a. Article 6(1)(c) of the GDPR, which means that the processing is necessary for compliance with a legal obligation to which the Controller is subject, namely ensuring the Controller's compliance with applicable financial, accounting, and tax regulations, as well as fulfilling rights under the GDPR.
2. b. Article 6(1)(f) of the GDPR, which means that the processing is necessary for the purposes of the legitimate interests pursued by the Controller, including communicating regarding the performance of agreements concluded with the Contractor, sending offers to the Contractor, as well as establishing, pursuing, and/or defending any potential claims.

4. The Controller processes the following categories of your personal data: first name, last name, telephone number, email address, job position, and workplace.

5. You have the right to:

1. a. Access your personal data, including the right to request copies of the data.
2. b. Rectify inaccurate data and request the completion of incomplete data.
3. c. Erase your data ("right to be forgotten") if one of the following circumstances applies.
   1. i. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
   2. ii. The data subject (you) objects to the processing pursuant to Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR concerning direct marketing purposes.
   3. iii. The personal data has been unlawfully processed.
   4. iv. The erasure of personal data is necessary for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
4. d. Restriction of processing in the following cases:
5.  
   1. i. The data subject questions the accuracy of the personal data - for a period enabling the Controller to verify the accuracy of the data.
   2. ii.The processing is unlawful, but the data subject opposes the erasure of the personal data and requests restriction of their use instead.
   3. iii. The Controller no longer needs the personal data for processing purposes, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
   4. iv. The data subject has objected to processing pursuant to Article 21(1) of the GDPR (relating to processing based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or for the purposes of legitimate interests pursued by the Controller or a third party) - pending the verification of whether the legitimate grounds of the Controller override those of the data subject's objection.
6. e. Data portability, if:
   1. i. The processing is based on consent or a contract, and
   2. ii. The processing is carried out by automated means.
7. f. The right to object:
   1. i. At any time, when your personal data is processed for direct marketing purposes.
   2. ii. In case of a particular situation where your personal data is processed based on the legitimate interests pursued by the Controller, except where the Controller demonstrates compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

You can exercise your rights by, among other methods, sending a request to the Data Protection Officer at the address provided in point 2 above, as well as through written correspondence or in person at the Controller's headquarters.

6. You have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) located at ul. Stawki 2, 00-193 Warsaw if you believe that the processing of your personal data violates the provisions of the GDPR or other applicable data protection laws.

7. Your personal data may be disclosed to the following categories of recipients:

1. a. Persons authorized by the Controller, employees, and collaborators, as well as members of the Controller's bodies who need access to personal data to perform their duties.
2. b. Service providers, including those supplying the Controller with technical and organizational solutions enabling the management of the Controller's organization (in particular, providers of IT, postal, freight, legal, accounting, auditing, security, and data storage services) based on appropriate data processing agreements.

8. Your personal data will be stored as follows:

a. For the purpose of fulfilling the agreements mentioned in point 3 above - until the completion of the agreements concluded with the Contractor.

b. For the purpose of sending offers - for a period of 3 years from the termination of agreements concluded with the Contractor.

c. For the purpose of potential establishment, pursuit, and defense of claims - for the period specified in the applicable legal provisions regarding the statute of limitations for each type of claim.

d. For the purpose of fulfilling legal obligations - for the time required by the applicable laws or until the completion of those obligations, but not longer than the time within which the Controller may incur legal consequences for non- compliance with the obligation.

9. Providing your personal data is voluntary, but it is necessary for the execution of the agreement concluded with the Contractor. Failure to provide the required data will prevent us from maintaining contact with the Contractor.

10. Your personal data will not be transferred to third countries (outside the EEA) or international organizations.

11. Furthermore, we inform you that if the Controller does not obtain your personal data directly from you, the personal data has been obtained from the Contractor through public

registers or information available on the Contractor's website.

12. Your personal data is not subject to automated decision- making, including profiling.

Additionally, we kindly inform you that individuals whose data is being processed have the right to object to the processing of their data in cases where the processing is based on the legitimate interests pursued by the Controller - in the event of a particular situation, in accordance with Article 21 of the GDPR.