Investor Relations

Big Cheese Studio

Privacy Policy

Out of concern for the comfort and safety of individuals who entrust us with their personal data, we have prepared information for you regarding the processing of your personal data by us. As we aim to maintain transparency in the information provided to you, below we present all information regarding the processing of your personal data.

BIG CHEESE STUDIO S.A. processes your personal data according to the highest standards, ensuring appropriate organizational and technical measures based on the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Journal of Laws of the European Union L No. 119, hereinafter referred to as “GDPR”.

Thank you for your trust.

What is personal data?

In the understanding of applicable regulations, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one whose identity can be determined directly or indirectly, in particular by reference to an identification number or one or more specific factors characterizing their physical, physiological, mental, economic, cultural, or social traits.

Who is the controller of your personal data?

We are the Controller of your personal data – BIG CHEESE STUDIO S.A. with its registered office in Łódź, ul. Wólczańska 143, 90-525 Łódź, KRS 0000867639, NIP 5213795368, REGON 368343870.

The Controller determines the purposes and methods of personal data processing in various business processes. The Data Controller is responsible for the lawful processing of personal data.

How can you contact us?

For all matters related to the protection of personal data, you can contact us in the following ways:

  • Via email: contact@bigcheesestudio.com (entering “BCS S.A. personal data” in the subject line);
  • By letter: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź, with the note “RODO” (GDPR).

What is the purpose of the privacy policy?

We attach great importance to the protection of your privacy and your personal data. In this privacy policy, we explain how we use your personal data. You will also find information about your rights related to the processing of your personal data and how you can exercise these rights.

Where can you exercise your rights?

Through this website, we explain how you can exercise your rights resulting from applicable regulations.

How do we protect your personal data?

The Controller continuously conducts analyses to ensure that personal data is processed securely – primarily ensuring that only authorized persons have access to the data and only to the extent necessary for their tasks. We make every effort to ensure that all actions carried out on personal data are performed only by authorized persons.

What personal data can we process?

To best carry out our services, we may process your personal data necessary for a given business process, including, for example: name and surname, telephone number, or email address. Depending on the purpose for which we process your personal data, the scope is adequately adjusted to the action being performed.

What data do we collect in connection with using the service?

In connection with your use of our service, we collect data to the extent necessary for providing individual offered services. We may also process data that does not contain your contact information but can be used to identify a specific device with which you access the service. We may obtain, for example: IP addresses and internet identifiers, as well as your data from cookies, if you have consented to them. The data obtained this way is used to enable identification of your session, customize displayed content, and for statistical purposes. More details can be found in the Cookie Policy.

For what purpose, on what basis, and for how long do we process your personal data?

We process your personal data for the following purposes, among others:

Processing Purpose

Legal Basis for Processing

Data Retention Period

Using the website (www)

– For the provision of services by electronic means (Art. 6(1)(b) GDPR); – For analytical and statistical purposes, where the legitimate interest is conducting analyses of your activity and examining your preferences to improve functionality and services provided (Art. 6(1)(f) GDPR); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– Until actions related to concluding an agreement; – Until the realization of the Controller’s legitimate interest; – Until the expiry of the statute of limitations for potential claims.

Marketing activities

– For the marketing of the Controller’s own services, where the legitimate interest is directing marketing content of own services (Art. 6(1)(f) GDPR).

– Until the realization of the Controller’s legitimate interest; – Until an objection is filed.

Assertion of claims or defense against claims

– For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– Until the expiry of the statute of limitations for potential claims.

Document archiving

– For compliance with legal obligations incumbent on the Controller (Art. 6(1)(c) GDPR); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– For periods required by law, e.g., for tax purposes, we will process for 5 years from the end of the year in which the tax obligation arose; – Until the expiry of the statute of limitations for potential claims.

Statistical analysis

– Conducting analyses and statistics, where the legitimate interest is improving the quality of services provided (Art. 6(1)(f) GDPR); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– Until the expiration of any processing purpose accompanied by statistical analysis; – Until the expiry of the statute of limitations for potential claims.

Recruitment

– For the purpose of conducting the recruitment process (Art. 6(1)(c) GDPR in connection with Art. 22¹ of the Labor Code); – For taking steps prior to entering into a contract (Art. 6(1)(b) GDPR); – For data not required by law, the legal basis for processing is your consent (Art. 6(1)(a) GDPR); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR); – Accordingly, in the scope of processing special categories of data, Art. 6(1)(c) GDPR in connection with Art. 9(2)(b) GDPR and Art. 10 GDPR, and Art. 6(1)(a) GDPR in connection with Art. 9(1)(a) GDPR.

– Until the expiry of the statute of limitations for potential claims; – Until the end of the recruitment process, unless the candidate has consented to the processing of their data in future recruitment processes – this period will increase to 12 months.

Communication with Proxies

– For the purpose of performing actions covered by the scope of the power of attorney, where the legitimate interest is the performance of activities related to the Controller’s business (Art. 6(1)(f)); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– Until the expiry of the statute of limitations for potential claims.

Handling incoming inquiries/requests

– For the purpose of responding to the inquiry, where the legitimate interest is providing an answer to the inquiry (Art. 6(1)(f) GDPR).

– Until the inquiry is answered; – Until the expiry of the statute of limitations for potential claims.

Collecting data within business contacts

– For the purpose of conducting business contacts, where the legitimate interest is initiating and maintaining business contacts, creating a network of contacts in connection with the conducted activity (Art. 6(1)(f) GDPR).

– Until an objection is raised.

Managing social media profiles

– For the purpose of managing social media profiles, where the legitimate interest is promoting the brand, products and services, building and maintaining the community related to the Controller, and for communication, customer satisfaction surveys, or determining the quality of our products and services (Art. 6(1)(f) GDPR); – For the potential establishment and assertion of claims or defense against claims, where the legitimate interest is the protection of our rights (Art. 6(1)(f) GDPR).

– Until the expiry of the statute of limitations for potential claims.

Processing data of shareholders and other persons related to the status of a public company

– For compliance with legal obligations incumbent on the Controller in the scope of processing data of shareholders, close persons, persons performing managerial functions at the Controller, resulting from legal tasks and obligations in connection with the status of a public company/issuer (Art. 6(1)(c) GDPR).

– Up to 5 years from the preparation or update of the list of close persons, persons performing managerial functions at the Controller; – In the case of shareholders, up to 12 months from the date of obtaining information that the person ceased to be a shareholder of the Controller.

 

Who may be the recipient of your personal data?

Big Cheese Studio informs you in detail about the recipients of your data in its information clauses provided to you. The scope of transferred data is always limited to what is necessary for the specific action or to fulfill a legal obligation.

Within the internal organization, access to personal data is restricted to authorized employees and collaborators of the Controller. In connection with service provision, the recipients of your personal data may be external entities, including, among others, providers responsible for IT system services or other entities such as legal firms or other entities, information about which is provided in dedicated information clauses.

Based on specific regulations, recipients of your personal data may also be public authorities who may request the Controller to provide them with selected data as part of a specific procedure conducted by that authority in accordance with Union law or Member State law.

In the case of portals and pages allowing for feedback about Big Cheese Studio, conducted on social media or other publicly available services, other users of those services may be the recipients of the data.

Will your data be transferred outside the European Economic Area (EEA)?

Due to the fact that we use the services of external tool and service providers, your personal data may be transferred to third countries, i.e., countries outside the European Economic Area. We ensure that in such a case, the data transfer will be based on an appropriate legal basis that allows for the transfer of personal data to a third country. The Controller always informs about the intention to transfer Personal Data outside the EEA at the stage of their collection.

How is your data processed within the service?

Within this Service, Big Cheese Studio processes information regarding the user’s interaction with this Service and the content and services contained therein, in order to improve the service and adapt it to the user’s needs. The information mentioned above is not associated with specific individuals using this Service and is not used by the Company to identify the user. Therefore, the Company does not identify a specific user of this Service by linking this information with their other data, placed, for example, in a contact form. The service performs the above functions by installing “cookies,” in accordance with the Cookie Policy of this Service.

How will your data be processed in connection with our initiatives?

Big Cheese Studio reserves the right to conduct initiatives and organize events, including competitions. Information about the processing of your data related to their implementation will be provided in the content of separate documents, including separate regulations.

Do you have to provide your data?

The provision of data is necessary, for example, for concluding contracts and fulfilling legal obligations. Your personal data may be provided to Big Cheese Studio by the entity with which Big Cheese Studio has a contract. In the remaining scope, the provision of data is voluntary.

What are your rights related to personal data processing?

Every natural person whose data is processed by Big Cheese Studio has the rights resulting from applicable regulations, i.e., the possibility to submit a request for:

  • access to their personal data,
  • erasure of their personal data,
  • rectification of their personal data,
  • objection to the processing of their personal data,
  • restriction of the processing of their personal data,
  • data portability.

Do we process your personal data in an automated manner?

We do not process personal data in a fully automated manner (including in the form of profiling). The decision to deliver specific information is ultimately made by an employee of the Controller.

How to file a complaint with us?

We are always very grateful for all your suggestions and comments, including those concerning the processing of personal data, which allow us to improve the quality of services provided. If you wish to submit them, as well as formulate a potential complaint regarding the processing of personal data, please send detailed information regarding the matter:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź, with the note “RODO” (GDPR).

All messages received by us will be subjected to a detailed analysis. Natural persons have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office – Prezes Urzędu Ochrony Danych Osobowych). Detailed information in this regard can be obtained on the Office’s website: www.uodo.gov.pl.

Selected information clauses

Below we present information clauses containing selected information regarding the processing of personal data, dependent on which processing process you participate in.

Information clause concerning the purchase of a product or services

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L No. 119, page 1) (hereinafter referred to as “GDPR”), we inform that:

Data controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź, with the note “RODO” (GDPR).

Purpose and legal basis for data processing

Your personal data may be processed for the following purposes:

  • Taking steps aimed at concluding an agreement regarding products or services purchased from the Controller – in each case based on your request for the preparation of such an agreement (Art. 6(1)(b) GDPR).
  • Implementation of the agreement regarding products or services purchased from the Controller – in each case if it is concluded – based on the performance of the agreement (Art. 6(1)(b) GDPR).
  • Fulfillment of legal obligations incumbent on the Controller (Art. 6(1)(c) GDPR).
  • Customer satisfaction survey and determining the quality of service and product, which is the Controller’s legally justified interest (Art. 6(1)(f) GDPR).
  • Potential establishment, assertion, or defense against claims, which is the Controller’s legally justified interest (Art. 6(1)(f) GDPR).
  • Direct marketing of products and services, which is the Controller’s legally justified interest (Art. 6(1)(f) GDPR).

Source of data origin and voluntary nature of data provision

Your data comes directly from you. Its processing is voluntary, but at the same time is a condition for the preparation and subsequent conclusion of agreements regarding products or services purchased from the Controller. The consequence of not providing this data will be the inability to prepare and conclude the aforementioned agreements.

Data storage period

Your personal data will be processed for the period necessary to achieve the indicated processing purposes:

  • In the scope of actions aimed at concluding an agreement – for the period necessary to take such actions.
  • In the scope of agreement implementation – for the period necessary to implement the agreement.
  • In the scope of fulfilling legal obligations incumbent on the Controller – for the period necessary for the Controller to fulfill these obligations.
  • In the scope of customer satisfaction survey and determining the quality of service and product – for a period not longer than the statute of limitations for claims.
  • In the scope of establishment, assertion, or defense against claims – for the statute of limitations period for such claims provided for by law.
  • In the scope of direct marketing – until an objection is raised.

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, marketing, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations. The recipients of your personal data may also be entities necessary for the conclusion and implementation of the agreement, particularly banks, notaries, and housing communities.

Your rights

In connection with the processing of personal data, you have the rights to: access your personal data, its rectification, erasure, restriction of its processing, and the right to data portability. If the processing of your personal data is based on a legally justified interest, you have the right to object to the processing for reasons related to your particular situation. You also have the right to object to the processing of personal data for the purpose of direct marketing. To the extent you have granted consent to the processing of personal data, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. You have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office).

Transfer of data outside the European Economic Area

Due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the European Economic Area, but exclusively based on an appropriate legal basis. Detailed information on the legal basis for such a transfer is available from the Controller.

Information clause concerning communication with proxies

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L No. 119, page 1) (hereinafter referred to as “GDPR”), we inform that:

Data controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź, with the note “RODO” (GDPR).

Purpose and legal basis for data processing

Your personal data will be processed for the purpose of:

  • Implementation of actions covered by the scope of the power of attorney, which is the Controller’s legally justified interest (Art. 6(1)(f) GDPR).
  • Potential establishment, assertion, or defense against claims, which is the Controller’s legally justified interest (Art. 6(1)(f) GDPR).

Source of data origin

The data may have been obtained directly from you or the principal on whose behalf you execute the power of attorney.

Voluntary nature of data provision

The provision of personal data is voluntary, but at the same time is a condition for the implementation of actions covered by the scope of the power of attorney. The consequence of not providing this data will be the inability to implement these actions.

Data storage period

Your personal data will be processed for the period of the statute of limitations for claims provided for by law.

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations. The recipients of your personal data may also be entities necessary for the conclusion and implementation of the agreement, particularly banks, notaries, and housing communities.

Your rights

In connection with the processing of personal data, you have the rights to: access your personal data, its rectification, erasure, restriction of its processing, and the right to data portability. If the processing of your personal data is based on a legally justified interest, you have the right to object to the processing for reasons related to your particular situation. You have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office).

Transfer of data outside the European Economic Area

Due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the European Economic Area, but exclusively based on an appropriate legal basis. Detailed information on the legal basis for such a transfer is available from the Controller.

Information clause concerning agreements with contractors

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L No. 119, page 1) (hereinafter referred to as GDPR), we inform that:

Scope and definitions of the information clause

The Clause concerns the processing of data of potential and current Contractors and Persons acting on behalf of Contractors. The definitions used in the clause mean:

  • Contractor – a natural person conducting business activity or a legal person or other organizational unit with whom the Controller establishes business cooperation.
  • Persons acting on behalf of Contractors – a natural person who contacts the Controller or persons acting on its behalf in order to establish or implement business cooperation, including concluding an agreement, in particular, these may be employees and collaborators of the Contractor or other persons designated by the Contractor.

Data Controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź, with the note “RODO” (GDPR).

Purpose and legal basis for data processing

Categories of Persons

Processing Purposes

Legal Basis and Data Processing Time

Rights Granted under GDPR

 
 

Potential Contractors and Contractors (natural persons conducting business activity)

* Establishing business cooperation; * Conclusion and implementation of agreements; * Defense and assertion of potential claims; * Presenting an offer of goods and services; * Answering questions asked; * Fulfillment of a legal obligation (agreement settlement).

* Communication conducted in connection with taking steps prior to concluding the Agreement, including presenting offers at the request of a potential Contractor, and implementation of the concluded Agreement (Art. 6(1)(b) GDPR). * Controller’s legally justified interest, which is enabling defense and assertion of claims (Art. 6(1)(f) GDPR). * Controller’s legally justified interest, which is the possibility of establishing business relations and answering questions of potential Contractors, if they do not concern potential or ongoing cooperation (Art. 6(1)(f) GDPR). * Legal obligation resulting from tax law, the Accounting Act, and tax laws (Art. 6(1)(c) GDPR). Data Processing Time: * Potential Contractors: Until cooperation is established and the Agreement is concluded (from this moment, data is processed as Contractor data). If cooperation is not established, personal data is immediately deleted, unless their processing will be justified in defense against claims, in which case – until the statute of limitations for those claims. * Contractors: Until the fulfillment of the legal obligation resulting from the implementation of the Agreement or until the statute of limitations/satisfaction of any claims arising from it (whichever is longer).

* Right of access to their personal data. * Right to request rectification of personal data. * Right to request erasure of personal data. * Right to request restriction of personal data processing. * Right to request data portability. * Right to object to the processing of personal data for reasons related to your particular situation when personal data is processed based on the Controller’s legally justified interest. * Right to lodge a complaint with the supervisory authority (President of the Personal Data Protection Office).

 

Persons acting on behalf of Contractors (personnel and representatives – members of the management board, proxies)

* Establishing business cooperation with the Contractor on whose behalf that person acts; * Presenting a business cooperation offer; * Enabling the conclusion and implementation of the Agreement with the entity on whose behalf that person acts; * Defense and assertion of potential claims; * Answering questions asked; * Fulfillment of a legal obligation (agreement settlement).

* Controller’s legally justified interest, which is the proper fulfillment of business obligations and contact with persons acting on behalf of Contractors in matters related thereto (Art. 6(1)(f) GDPR). * Controller’s legally justified interest, which is the possibility of establishing business relations and answering questions of potential or current Contractors (Art. 6(1)(f) GDPR). * Controller’s legally justified interest, which is enabling defense and assertion of claims (Art. 6(1)(f) GDPR). * Legal obligation resulting from tax law, the Accounting Act, and tax laws (Art. 6(1)(c) GDPR). Data Processing Time: * Until the fulfillment of the legal obligation resulting from the implementation of the Agreement or until the statute of limitations/satisfaction of any claims arising from it (whichever is longer).

* Right of access to their personal data. * Right to request rectification of personal data. * Right to request erasure of personal data. * Right to request restriction of personal data processing. * Right to object to the processing of personal data for reasons related to your particular situation when personal data is processed based on the Controller’s legally justified interest. * Right to lodge a complaint with the supervisory authority (President of the Personal Data Protection Office).

 

Source of data origin and categories of processed data

The Controller obtains data of persons acting on behalf of the Contractor (identification, professional, and other data indicated in the content of the concluded Agreement or in connection with its implementation) through the Contractor, as well as directly from the persons themselves. The Controller obtains personal data of the potential Contractor and the Contractor directly from them. The Controller may also obtain data of Contractors and their representatives from publicly available sources such as the National Court Register (KRS), the Central Register and Information on Economic Activity (CEIDG), or the white list of taxpayers in order to attempt to establish cooperation or verify the Contractor’s registration data. The scope of data obtained is consistent with the scope of information publicly available in these registers.

Voluntary nature of data provision

The provision of your data is necessary for the conclusion and implementation of the Agreement and the fulfillment of legal obligations resulting from it. Failure to provide it will make it impossible to conclude or execute the Agreement.

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations. The recipients of your personal data may also be entities necessary for the conclusion and implementation of the agreement, particularly banks, notaries, and housing communities.

Your rights

In connection with the processing of personal data, you have the following rights: the right to access your personal data, its rectification, erasure, restriction of its processing, and the right to data portability. If the processing of your personal data is based on a legally justified interest, you have the right to object to the processing for reasons related to your particular situation. You have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office).

Data transfer outside the European Economic Area

Due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the European Economic Area (EEA), but exclusively based on an appropriate legal basis.

Detailed information on the legal basis for such a transfer is available from the Controller.

Information clause concerning data processing during the handling of incoming inquiries

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation) (OJ EU L No. 119, p. 1) (hereinafter “GDPR”), we inform that:

Data controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź with the note “RODO” (GDPR).

Scope of the information clause

This Information Clause concerns incoming inquiries and requests to the Controller, including the exercise of rights resulting from the GDPR.

Purpose and legal basis for data processing

Your personal data is processed for the purpose of:

  • Arranging a meeting with a representative of the Controller, which is the Controller’s legitimate interest (Art. 6(1)(f) GDPR).
  • Implementing your inquiry/request, which is the Controller’s legitimate interest (Art. 6(1)(f) GDPR).
  • Potential establishment, assertion, or defense against claims, which is the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

Source of data origin and voluntary nature of data provision

Your personal data has been obtained from you. The provision of personal data is voluntary, but at the same time is a condition for the performance of activities covered by the scope of the inquiry. The consequence of not providing this data will be the inability to perform these activities.

Data storage period

Your personal data will be stored until the statute of limitations for claims provided for by law.

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations. The recipients of your personal data may also be entities necessary for the conclusion and implementation of the agreement, particularly banks, notaries, and housing communities.

Your rights

In connection with the processing of personal data, you have the rights to: access your personal data, its rectification, erasure, restriction of its processing, and the right to data portability. If the processing of your personal data is based on a legally justified interest, you have the right to object to the processing for reasons related to your particular situation. You have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office).

Data transfer outside the European Economic Area

Due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the European Economic Area (EEA), but exclusively based on an appropriate legal basis.

Detailed information on the legal basis for such a transfer is available from the Controller.

Information clause concerning data processing in connection with investor relations

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation) (OJ EU L No. 119, p. 1) (hereinafter “GDPR”), we inform that:

Data controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź with the note “RODO” (GDPR).

Purpose and legal basis for data processing

Your personal data is processed for the purpose of:

  • Fulfilling legal tasks and obligations resulting from the status of a public company/issuer, including in particular maintaining lists of persons closely associated and persons performing managerial functions at the Controller, and persons with access to confidential information (Art. 6(1)(c) GDPR in connection with the Market Abuse Regulation, MAR). Your personal data must be included on such a list.
  • Preparing a list of persons entitled to participate in the General Meeting of the Controller (“GM”), enabling participation in it, and verifying the entitlement to participate in person or to represent an entitled person, including a shareholder, at the GM (Art. 6(1)(c) GDPR in connection with the Code of Commercial Companies), if you are a shareholder of the Controller or your personal data must be on such a list.
  • Enabling the identification of its shareholders, ensuring direct communication with them, and facilitating the exercise of shareholder rights and involvement in the Controller’s affairs.
  • Potential establishment, assertion, or defense against claims, e.g., in connection with contesting a GM resolution, which constitutes the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

Source of data origin

  • If you are a shareholder of the Controller, your personal data comes from the National Depository for Securities S.A. (“KDPW S.A.”) system or directly from you.
  • If you are a proxy of a shareholder, your data comes from the power of attorney received by the Controller and the presented or transferred copy of the identity document.
  • If you are a closely associated person, your personal data comes from the person performing a managerial function at the Controller.

Voluntary nature of data provision

  • If you are a shareholder of the Controller, the provision of your personal data is mandatory for participation in the GM, for preparing and transferring the list of persons entitled to participate in the GM, and for verifying the right to participate in the GM.
  • If you are a person performing a managerial function at the Controller, the provision of your data and the data of closely associated persons is mandatory to meet the legal requirements incumbent on the Controller.

Data storage period

Your personal data will be processed for the duration of the legal obligation to store it for the purpose of achieving the goals, in particular:

  • For the purpose of fulfilling legal tasks and obligations resulting from the status of a public company/issuer: 5 years from the preparation or update of the list.
  • For the purpose of preparing the list of persons entitled to participate in the GM and verifying the entitlement to participate: 10 years from the date the Controller receives the list of persons entitled to participate in the GM or 10 years from the date the Controller receives the power of attorney.
  • For the purpose of enabling the identification of its shareholders, ensuring direct communication, and facilitating the exercise of shareholder rights: up to 12 months from the date of obtaining information that the person ceased to be a shareholder of the Controller.
  • Until the statute of limitations for claims in accordance with the law.

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations.

  • If you are a shareholder of the Controller, the recipients of personal data may be other shareholders (due to their right to review and receive a copy of the list of shareholders) and the Polish Financial Supervision Authority (KNF).

Your rights

In connection with the processing of personal data, you have the rights to: access your personal data, its rectification, erasure, restriction of its processing, and the right to data portability. If the processing of your personal data is based on a legally justified interest, you have the right to object to the processing for reasons related to your particular situation. You have the right to lodge a complaint with the supervisory authority dealing with personal data protection (the President of the Personal Data Protection Office).

Data transfer outside the European Economic Area

Your personal data, as a rule, is not transferred outside the EEA. However, if you are a shareholder of the Controller, personal data may be sent outside the EEA based on Art. 407 § 1.1 of the Code of Commercial Companies (KSH), which allows a shareholder to request the list of shareholders to be sent to an address indicated by them. Similarly, if you are a bondholder, data may be sent outside the EEA based on Art. 56 of the Bonds Act. Furthermore, due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the EEA, but exclusively based on an appropriate legal basis.

Detailed information on the legal basis for such a transfer is available from the Controller.

Information clause concerning data processing during recruitment

Pursuant to Art. 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation) (OJ EU L No. 119, p. 1) (hereinafter “GDPR”), we inform that:

Data controller

The Controller of your personal data is BIG CHEESE STUDIO S.A. with its registered office in Łódź at ul. Wólczańska 143, 90-525 Łódź. You can contact the Controller regarding all matters related to personal data protection:

  • Via email to the address: contact@bigcheesestudio.com, entering “BCS S.A. personal data” in the subject line;
  • By letter to the address: BIG CHEESE STUDIO S.A. ul. Wólczańska 143, 90-525 Łódź with the note “RODO” (GDPR).

Scope of personal data

The Controller requires the candidate to provide only the personal data indicated in the applicable legal regulations. In the recruitment process, the Controller may process your personal data (identification, contact, education, employment history, and all other data provided by you, including voluntarily in recruitment documents).

Source of data origin and voluntary nature of data provision

Your personal data was obtained directly from you or through a recruitment agency.

  • If you are applying for employment based on an employment contract, the provision of personal data requested by the Controller is a statutory requirement resulting from Art. 22¹ of the Labor Code. Failure to provide this data will result in the impossibility of considering your application. The provision of personal data not required by law is voluntary.
  • If you are applying for cooperation based on a civil law contract, the provision of personal data requested by the Controller is voluntary, but it is a requirement of the Controller for the purpose of conducting recruitment. Failure to provide this data will result in the impossibility of considering your application.

Purpose and legal basis for data processing

Your personal data is processed for the purpose of:

  • Taking steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR).
  • Conducting the recruitment process for the position you are applying for:
    • Employment Contract: Legal obligation (Art. 6(1)(c) GDPR re: Labor Code) and necessity for pre-contractual steps (Art. 6(1)(b) GDPR). For data not required by law—your consent (Art. 6(1)(a) GDPR).
    • Civil Law Contract: Necessity for pre-contractual steps (Art. 6(1)(b) GDPR). For optional data—your consent (Art. 6(1)(a) GDPR).
  • Conducting future recruitment processes—based on your consent (Art. 6(1)(a) GDPR).
  • Potential establishment, assertion, or defense against claims—the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

Data recipients

The recipients of your personal data are entities to whom the Controller commissions the performance of activities that involve the necessity of personal data processing, particularly in the scope of email service, hosting, IT, administrative support, legal or advisory services. Recipients of your personal data may also be entities or authorities authorized to receive your data – only in justified cases and based on universally applicable legal regulations.

Data storage period

Your personal data will be processed until the end of the current recruitment process. For processing based on consent for future recruitment processes, your personal data will not be processed for longer than 1 year from the date consent was given. Data processed for the Controller’s legitimate interests may be stored until the statute of limitations for claims.

Your rights

You have the rights to: access, rectification, erasure, restriction of processing, and data portability. If processing is based on a legitimate interest, you have the right to object to the processing. To the extent you have granted consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before its withdrawal. You have the right to lodge a complaint with the supervisory authority.

Consent to participate in future recruitments

Providing personal data exceeding the scope required by the Controller means you consent to the processing of this additional personal data for the ongoing recruitment process. You have the right to withdraw consent at any time. If you consent to the processing of personal data for future recruitment processes, please include the following clause in your application documents:

I consent to the processing of personal data contained in the application documents by BIG CHEESE STUDIO S.A. with its registered office in Łódź for the purposes of future recruitment processes. I have been informed that I have the right to withdraw consent to the processing of my personal data at any time. Withdrawal of consent to the processing of personal data does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

The expression of the above consent is entirely voluntary and remains without prejudice to the recruitment process conducted by the Controller.

Data transfer outside the European Economic Area

Due to the Controller’s use of tools provided by external providers, some of your personal data may be transferred to countries outside the European Economic Area (EEA), but exclusively based on an appropriate legal basis.

Detailed information on the legal basis for such a transfer is available from the Controller.

Security incident notification (January 24, 2025)

Dear Sir or Madam,

On behalf of Big Cheese Studio S.A. with its registered office in Łódź (hereinafter: the “Controller” or “Company”), we inform you that on January 24, 2025, we identified a security breach of confidentiality in our IT system that could result in unauthorized third-party access to the personal data of users who used the contact form located on the Company’s portal: https://bigcheesestudio.com/kontakt/.

This potentially concerned: email addresses, first names, last names, or other data that you included using the above form.

We sincerely apologize for this situation.

Out of concern for the security of your personal data and in accordance with internal procedures, the Company took appropriate steps to clarify the incident, determined its causes, and immediately after detecting the incident, took the necessary actions to minimize its potential effects. At the same time, we assure you that the Administrator has restored the proper functioning of the processes and immediately changed access data, thus preventing further third-party access to your data.

Fulfilling the requirements resulting from Art. 34 of the GDPR, we inform you about the details of the breach, its potential consequences for you, possible ways to counteract the negative effects of the breach, and present the actions we have taken in connection with this event.

Potential consequences and risks

The security breach identified in our IT system could lead to unauthorized third-party access to your personal data. Furthermore, in the Company’s assessment, this situation constituted an unintended incident resulting in a personal data breach, the possible consequences of which (also indicated as examples in decisions issued by the President of the Personal Data Protection Office) may include:

  • Obtaining access to the personal data and restricting your control over this personal data.
  • Attempted identity theft or forgery.
  • Attempted fraud to obtain broader information and force the provision of additional data to perform unauthorized transactions.

Given the risk that the data may have been visible to an unauthorized person, we inform you about the potential consequences of the breach for your data:

  • Conducting phishing attempts by impersonating the Company or other entities to obtain additional information or financial resources from you.
  • Using your data to send unwanted messages, marketing content, or unsolicited commercial information.

Actions taken by the controller

After detecting the security incident, we took a number of actions (measures applied to minimize the effects of the breach), including:

  • Changed access privileges, which eliminated the possibility of further access to the data by unauthorized persons.
  • Conducted a security audit to prevent similar incidents in the future.
  • Reported the breach to the President of the Personal Data Protection Office (UODO) and CSIRT NASK, and notified the prosecutor’s office about the possibility of a crime being committed. The Administrator also instructed its employees on the need for increased vigilance.

Recommended preventive actions

To prevent potential negative consequences of the personal data breach and minimize the risk of your data being used, we recommend exercising special caution, especially regarding emails that appear to come from the Company or are allegedly sent on behalf of the Company’s personnel or other entities, and taking the following preventive actions:

  • Check the sender of the email message.
  • Carefully read the content of received messages and report suspicious messages as spam.
  • Exercise special vigilance if you are asked by phone to verify your identity or actions in which you did not participate.
  • Exercise due diligence in your actions and double-check personal data in ongoing correspondence.
  • Do not open links or attached files in messages from unknown/suspicious senders.
  • Report every suspicious website, email, and SMS to the Polish CSIRT NASK via the form on the website https://incydent.cert.pl or by sending suspicious SMS messages to the Polish number 8080.
  • Be cautious about received SMS and emails. We recommend checking the URL of the pages you may be redirected to, making sure it is the official website of the given entity.

We also recommend caution if messages contain requests for:

  • Suspicious content and incorrect Polish characters.
  • Making payments or transferring any financial funds.
  • Providing additional personal data.
  • Using a link placed in the email content.
  • Downloading a file from an attachment.

If you have any questions or need additional information, please contact us at the email address rodo@bigcheesestudio.pl.

We assure you that we are making every effort to prevent similar situations in the future.

Apologizing for any inconvenience, we extend our best regards.