Personal data is processed in accordance with national and European laws, particularly the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR").

The data controller is obligated to ensure the security, confidentiality, availability, integrity, and accountability of the personal data processing activities.

The Privacy Policy for the website www.mgmpharma.pl ("Privacy Policy") outlines the principles regarding the processing of personal data and the collection, processing, and use of information about Users. The definitions used in this Privacy Policy have the following meanings:

• GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• Personal Data Controller (PDC) - means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• 1. DATA CONTROLLER. In accordance with the provisions of Article 13(1) and (2) of the GDPR, we inform you that: A. The Data Controller of the personal data of the Purchaser is MGM Pharma limited liability company sp.j. with its registered office at: 90-554 Łódź, ul. Łąkowa 19, conducting business activities based on the entry in the register of entrepreneurs kept by the District Court for Łódź-Śródmieście in Łódź, XX Commercial Division of the National Court Register under the number KRS 0000899472, NIP 727-279-38-11. B. The Data Controller has not appointed a Data Protection Officer. C. For matters related to personal data protection, you can contact the Data Controller: by phone at: 608307061, by email at: mgmpharma@mgmpharma.pl, or in writing, by sending correspondence to ul. Aleksandrowska 42, 95-070 Rąbień.
• 2. PURCHASER. A. The Purchaser is, in particular, a Public Entity, a legal person, an organizational unit without legal personality, and any other entity that is an entrepreneur within the meaning of Article 4(1) of the Act of 6 March 2018 on Entrepreneurs' Law (Journal of Laws 2024.236 as amended on 2024.02.21).
• 3. DATA ACQUISITION AND PURPOSE OF PROCESSING PERSONAL DATA. A. To fulfill the Sales Agreement, the Purchaser entrusts the Seller with personal data of the Purchaser's employees and associates for processing. The purpose of entrusting personal data processing directly results from and is limited exclusively to the tasks arising from the Sales Agreement. B. To pursue the legitimate interests of the Data Controller (Article 6(1)(f) of the GDPR), which involves marketing its own products and services, and in the case of explicit consent – also the products and services of companies cooperating with the Data Controller (Article 6(1)(a) of the GDPR), using the following forms of communication: • Newsletter (sending information bulletin), • Voice calls (telephone marketing), • Sending commercial information (emails), • Sending commercial information (SMS), • Sending promotional materials by traditional mail, • Providing personalized content and advertisements. C. For the purposes indicated in the consent to process personal data - if such consents were given (Article 6(1)(a) of the GDPR). D. To comply with legal obligations (Article 6(1)(c) of the GDPR). E. Also in connection with the pursuit of other legitimate interests of the data controller, particularly to establish email contact with the User (Article 6(1)(f) of the GDPR). F. For statistical purposes, related to improving work efficiency, quality of services provided, and tailoring them to recipients. G. To execute the contract with the Purchaser or take actions before concluding the contract at the request of the Purchaser (Article 6(1)(b) of the GDPR - if you are a Contractor; Article 6(1)(f) of the GDPR - if you are acting on behalf of or for the benefit of the Contractor). H. For accounting, bookkeeping, and financial reporting (Article 6(1)(c) and (f) of the GDPR). I. To establish, assert, and defend claims. J. For statistical purposes, related to improving work efficiency, quality of services provided, and tailoring them to recipients. K. To manage correspondence and ensure the circulation and archiving of documents, which constitutes the legitimate interest of the data controller (Article 6(1)(f) of the GDPR). L. To consider complaints (Article 6(1)(f) of the GDPR). M. Data that is not necessary from the perspective of the above legal bases is processed based on consent, if such consent was given (Article 6(1)(a) or Article 9(2)(a) of the GDPR). N. The Data Controller does not process special categories of personal data. If the description of the circumstances underlying a complaint or other event indicated by the Purchaser contains special category data, it will be processed solely for the purpose of establishing, asserting, and defending claims (Article 9(2)(f) of the GDPR), and beyond that purpose, based on consent, which constitutes an explicit action by the Purchaser: providing it voluntarily for the purpose of complaint consideration (Article 9(2)(a) of the GDPR).
• 4. CATEGORIES OF PERSONAL DATA PROCESSING. A. The Purchaser entrusts the Seller with personal data of the following categories of persons and to the following extent: personal data of employees and associates who represent the Purchaser and coordinate the execution of the Agreement, i.e.: name and surname, email address, phone number, ID card number. Similarly, the Seller, as the data controller of the employees' personal data, entrusts the Purchaser with personal data of employees and associates who represent the Seller and coordinate the execution of the Sales Agreement, i.e.: name and surname, email address, phone number.
• 5. DATA STORAGE PERIOD. A. Generally, data will be processed for the duration of the contract with the Purchaser. Data will also be stored for the period required by law, particularly accounting regulations, and if justified - until the expiration of claims arising from the contract with the Purchaser, depending on which period is longer. B. Personal data will be stored for 1 year after the warranty period or the resolution of a complaint, and in case of processing to establish, assert, or defend claims - until their expiration or final conclusion of proceedings, including enforcement proceedings. C. The storage period of data constituting the content of correspondence depends on the purpose of processing the data to which the correspondence pertains. D. Provided personal data will be stored until consent is withdrawn or an objection is raised. Withdrawal of consent or objection can occur in any manner, i.e., in such a way that it is clearly stated that the Purchaser or a person acting on their behalf does not wish to remain in contact with the Seller and receive information about their activities. After withdrawal of consent or objection, personal data may be stored for the purpose of demonstrating the proper fulfillment of legal obligations resting on the Data Controller and related claims - until the expiration of claims, depending on which period is longer.
• 6. DATA RECIPIENTS. According to the provisions of the GDPR, the personal data of the Purchaser or persons acting on their behalf may be transferred by the Data Controller to data processors if necessary to achieve the processing purposes, particularly: A. Entities providing services or delivering IT solutions. B. Subcontractors and suppliers of the organization. C. Notaries and law firms. D. Entities providing advisory and audit services. E. Entities conducting marketing activities. F. Entities archiving and destroying documents. G. Entities providing courier and postal services. H. Banks, insurance companies, and other financial and payment institutions. I. Public authorities, receiving data in connection with the fulfillment of the administrator's legal obligations.
• 7. RIGHTS OF DATA SUBJECTS. The User has (in situations specified by the GDPR): A. The right to access data, including the right to obtain a copy of the processed personal data, provided this does not violate professional secrecy. B. The right to request correction or completion. C. The right to erasure of personal data ("right to be forgotten"). D. The right to restrict the processing of personal data. E. The obligation to notify about rectification or erasure of personal data or restriction of processing unless this proves impossible or involves disproportionate effort. F. To the extent that the processing of personal data is based on consent given under the GDPR, the Purchaser has the right to withdraw such consent; the withdrawal of consent does not affect the processing that was carried out before its withdrawal. G. The right to data portability. H. The right not to be subject to an automated decision, including profiling. I. The right to lodge a complaint with the Data Protection Authority if the User considers that the processing of their personal data violates the GDPR. Providing personal data by the Purchaser is voluntary but necessary for the conclusion and execution of the contract with the Seller. Failure to provide personal data necessary for contract execution will prevent the contract from being concluded and executed. Providing personal data for marketing purposes is voluntary and not necessary for the conclusion of a contract with the Seller.