Privacy Policy
1. Purpose
This Policy aims to establish the general principles for handling personal data by Pegasus Advertising Poland Sp. z o.o., with its registered office in Warsaw (04-030), at Al. Waszyngtona 33/61, hereinafter referred to as the Company, in compliance with the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.
2. Scope of Application
2.1. This Policy applies to the processing of personal data in a fully or partially automated manner and to the processing of personal data in a non-automated manner where such data form part of a filing system or are intended to form part of a filing system.
2.2. This Policy applies to all personal data processing activities conducted by the Company, regardless of whether it acts as a data controller or a data processor.
2.3. This Policy must be followed whenever Company employees process personal data, without prejudice to specific procedures applicable in particular cases.
3. Limitations
3.1. This Policy does not constitute a complete compilation of all provisions of Regulation (EU) 2016/679 that may apply to the Company. Rather, it serves as a practical guide to the most important obligations arising from the Regulation.
4. General Provisions
4.1. All terms used in this Policy have the meaning assigned to them in Regulation (EU) 2016/679, in particular:
a) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
b) “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
c) “controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
d) “processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
4.2. The person responsible for ensuring compliance with this Policy is the Data Controller.
5. Rules for Processing Personal Data by the Company
5.1. When processing personal data as a controller, the Company:
a) has a legal basis for processing personal data as set out in Article 6 or Article 9 of Regulation (EU) 2016/679;
b) can demonstrate that it meets the legal basis referred to in point (a);
c) provides data subjects with all the information specified in Article 13 of GDPR when collecting data directly from them;
d) provides data subjects with all the information specified in Article 14 of GDPR within 30 days of obtaining personal data from a source other than the data subject, unless the data are to be used for communication or disclosed to another recipient, in which case the deadline for providing the information may be adjusted accordingly;
e) ensures that data processing purposes are clearly defined and that data collection is limited to what is necessary to achieve those purposes;
f) reports any personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it; if the breach poses a high risk to individuals’ rights or freedoms, the Company also notifies the affected individuals;
g) conducts Data Protection Impact Assessments (DPIA) as required under Article 35 of GDPR;
h) consults the supervisory authority before processing if a DPIA indicates high risk to individuals’ rights or freedoms without sufficient mitigation measures.
5.2. When acting as a data processor, the Company has a data processing agreement with the data controller that meets the requirements of Article 28 of GDPR, and adheres strictly to its provisions.
5.3. The Company implements appropriate technical and organisational measures to ensure the security of personal data, considering the state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as risks to individuals’ rights and freedoms.
5.4. Every employee with access to personal data has written authorisation specifying the scope of authorised processing activities.
5.5. The Company maintains a record of processing activities in accordance with Article 30(5) of GDPR.
5.6. The transfer of personal data to third countries outside the European Economic Area (EEA) occurs only where an adequate level of data protection is ensured as per Article 46, 47, or 49 of GDPR.
5.7. The Company adheres to the principles of:
- Legality – ensuring a lawful basis for processing;
- Fairness – ensuring compliance with legal requirements at every stage;
- Purpose limitation – processing data only for specified, explicit, and legitimate purposes;
- Data minimisation – processing only the necessary amount of data;
- Storage limitation – retaining data only as long as necessary;
- Accuracy – ensuring data accuracy and updating as required;
- Transparency – ensuring clarity in processing operations;
- Confidentiality and integrity – preventing unauthorised access or disclosure.
6. Employee Obligations Regarding Data Processing
6.1. All employees must familiarise themselves with this Policy.
6.2. Employees processing personal data must have written authorisation specifying the scope of data processing activities.
6.3. Employees using Company-provided IT equipment must have individual login credentials and must not share their passwords.
6.4. Employees are prohibited from using personal devices for processing Company data unless explicitly authorised.
6.5. Paper-based personal data must be stored securely and locked away when unattended.
7. Final Provisions
7.1. Employees are reminded of their obligations under this Policy annually.
7.2. This Policy is subject to regular review, at least once every two years, to ensure it remains aligned with the Company’s operations and regulatory requirements.