Privacy policy

PRIVACY POLICY OF THE ARTTIME GROUP WEBSITE

This Privacy Policy of the ARTTIME Group sets out the rules for the processing and protection of personal data of Users visiting the Website: https:// art-time.pl and using the services offered through it. It also constitutes the fulfillment of the information obligation arising from Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ EU L119 of May 4, 2016, p. 1).

Hereinafter referred to as: “Policy.”

§ 1
Co-administrators and contact point

1. The co-administrators of the Website: https://art-time.pl within the meaning of Article 26(1) of the GDPR are the following entities belonging to the ARTTIME Group:
   • ARTTIME HR sp. z o.o., with its registered office in Warsaw at Aleje Jerozolimskie 180, building A, postal code 02-486 Warsaw, entered in the National Register of Entrepreneurs under KRS number: 0000868432, REGON: 387531536, NIP: 8351614401, hereinafter also referred to as: “ARTTIME HR”;
   • EPS sp. z o.o., with its registered office in Włocławek at ul. Duninowska 9, 87-800 Włocławek, entered in the National Register of Entrepreneurs under KRS number: 0001126515, REGON: 529658030, NIP: 7011222937, hereinafter also referred to as: “EPS”;
   • EPS OUSTOURCING sp. z o.o., with its registered office in Łódź at ul. Łąkowa 7a, 90-562 Łódź, entered in the National Register of Entrepreneurs under KRS number: 0001001620, REGON: 523702964, NIP: 5252931947, hereinafter also referred to as: “EPSO”;

-hereinafter also referred to as: “Administrator” or collectively as: “Administrators”.

1. The co-administrators have established a joint contact point which you can contact regarding the protection of your personal data at the following e-mail address: rodo@art-time.pl or in writing by sending correspondence to the co-administrators address: EPS sp. z o.o., ul. Duninowska 9, 87-800 Włocławek.
2. The purpose and method of processing personal data by the co-administrators referred to in Article 26(1) of the GDPR results from the Agreement concluded by the co-administrators. In accordance with Article 26(2) of the GDPR, we hereby inform you that the Agreement between the co-administrators stipulates that the common purpose of processing is:
   • Maintaining and administering the ARTTIME Group website: art.-time.pl
   • Communicating via contact forms posted on the website: art-time.pl
   • Maintaining the ARTTIME Group’s social media profiles and marketing campaigns, including direct marketing.
   • Maintaining a joint database of candidates for employment/cooperation.
   • Ensuring that the transfer and storage of personal data in our IT systems is protected by adequate technical and organizational measures.
   • Ensuring that if a data subject withdraws their consent to the further processing of their personal data, the further processing of that personal data (including joint processing) will not take place.
3. Each Party to the Agreement separately processes personal data as a administrator in the course of its activities, including the personal data of customers, job applicants, contractors, subcontractors, suppliers, business partners, and other entities with which it cooperates.
4. Joint administration applies to all personal data processing operations performed by each of the Joint Administrators in connection with the administration of such data, and includes in particular: collecting, recording, organizing, structuring, storing, adapting, modifying, downloading, viewing, using, transferring, disseminating or otherwise making available, matching, combining, restricting, deleting, or destroying.
5. If the processing is to be carried out on behalf of the co-administrators, it shall only use the services of processors who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and protects the rights of data subjects.
6. Co-administrators shall comply with the obligation to conclude agreements referred to in Article 28(3) of the GDPR (personal data processing agreement) wherever the conditions for the existence of a administrator-processor relationship are met.
7. Each co-administrator shall keep a record of the personal data processing activities for which it is responsible.
8. Personal data is processed by the co-administrators primarily for the purpose of performing or concluding a contract, exchanging correspondence and maintaining contact by electronic means or telephone, creating a database of job candidates, conducting marketing campaigns using social media and direct marketing, and ensuring the security of Users and Customers.

§ 2
Definitions

1. For the purposes of this Policy, the following meanings of terms have been adopted:
   • Administrator – means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
   • Personal data: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
   • Recipient of personal data: a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the context of a specific procedure in accordance with European Union law or Member State law are not considered recipients. The processing of personal data by these public authorities must comply with the data protection provisions applicable to the purposes of the processing.
   • Cookies – are small text files (IT data) that a website (the Website) saves on the User’s computer or mobile device when the User browses it.
   • Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing, or destroying;
   • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
   • Website/Site/Internet Page – the website operated by the co-administrators at: https://art-time.pl
   • User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
   • Co-administrator – a administrator who, together with another administrator, determines the purposes and means of processing personal data (Article 26(1) of the GDPR).

§ 3
Scope of data collected

1. The catalog of personal data collected through the Website is based on the principle of processing minimization. The data obtained is adequate, relevant, and limited to the purposes for which it is processed.
2. Personal data may be freely (voluntarily) provided by the User using the contact forms available on the Website: first name, last name, e-mail address, telephone number, position/company, tax identification number, city, or automatically collected when using the Website, in connection with the use of cookies and other similar technological tools.
3. The data that may be collected when using the Website includes:
   • information entered in the form fields: first name, last name, email address, phone number, position/company, tax identification number, city;
   • information generated when using the Website, including information about the User’s visits;
   • information contained in any correspondence sent via the Website, including metadata;
   • any other personal data provided voluntarily and explicitly.
4. Information collected automatically from the Website may include IP addresses or domain names used by Users, URI (Uniform Resource Identifier) addresses, request times, methods used to send requests to the server, the size of the file received in response, a numerical code indicating the status of the server’s response, geographical location, browser and operating system type and version, visit parameters, including its length, access path details, and other parameters relating to the operating system of the device and/or the User’s IT environment.
5. In connection with the forms used, the Administrator automatically collects data in the form of: IP address and User’s browser signature. The above personal data is necessary in connection with the security measures used on the Website.
6. Users using the contact form are asked to enter only those personal data that contribute to the performance of the Website’s tasks that the User wishes to use. The User may voluntarily offer the Administrator other Personal Data, which will be processed by the Administrator in accordance with the purpose of the contact established by the User on the basis of Article 6(1)(b) or (f) of the GDPR – personal data will be processed for the duration of the contact and the handling of the matter.
7. If the User voluntarily decides to provide Personal Data other than that collected automatically, or data required by the contact form or newsletter subscription form, in particular by providing documents, copies/scans of documents, CVs, they do so voluntarily and grant the Administrator consent to process them for the purposes of conducting the recruitment process on the terms described in this Policy.
8. Please note that we may ask the User to provide additional information (for example, preferred work location or expected earnings). Based on such information, we may, within the scope of our legitimate interest, analyze job applications using specific, lawful criteria that are relevant to the position in question, such as expected salary or work location. For this purpose, we may use tools that facilitate the analysis of such information, including automatic selection of job applications (e.g., SalesForce, Sales Manago). However, we emphasize that we do not use these tools and additional information for the purpose of automatic processing of personal data, profiling, or automated decision-making.

§ 4
Purpose of Personal Data Processing

Personal data is processed in order to enable the use of the Website’s functionality, i.e. for the purpose of:

• contact and handling of email correspondence;
• conducting the recruitment process, including collecting, evaluating, and presenting offers and applications obtained through the Website;
• creating an internal database of job candidates (after obtaining the User’s consent via the consent form posted on the Website);
• enabling the use of services available on the Website;
• concluding contracts via the Website and the proper performance of concluded contracts;
• sending the subscribed newsletter to the email address provided by the User;
• analyzing data and maintaining statistics (Google Analytics, Google Search Console), marketing, retargeting, and remarketing activities (including Google Ads campaigns);
• sending non-marketing commercial information;
• presenting commercial information by electronic means;
• presenting commercial information by telephone;
• efficient functioning of the Website and administration of the Website;
• accounting and financial reporting;
• defense, establishment or pursuit of claims;

ensuring the security of the Website, preventing fraud, and disclosing abuse.

1. Automatically collected data may be used to analyze User behavior, obtain statistical and demographic data, and tailor the content of the Website and marketing communications to individual preferences.
2. You may withdraw your consent at any time, which will not affect the lawfulness of the processing that was carried out on the basis of your consent prior to its withdrawal; however, refusal to give consent or its withdrawal will result in the Administrator being unable to process your data for the purposes indicated in the consent. Consent may be withdrawn as follows: by sending a letter to the Administrator’s address indicated in point III above; or by sending an e-mail to: rodo@art-time.pl
3. Data processing is carried out in accordance with applicable regulations and only to the extent necessary to achieve the above-mentioned purposes.

§ 5
Legal basis for the processing of Personal Data

1. The legal basis for the processing of Personal Data is:
   • the consent of the data subject to the processing of their personal data (Article 6(1)(a) of the GDPR);
   • necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR);
   • necessity for compliance with a legal obligation to which the administrator is subject (Article 6(1)(c) of the GDPR);
   • necessity for the protection of the vital interests of the data subject (Article 6(1)(d) of the GDPR);
   • necessity for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR).
2. The administrator complies with applicable data protection regulations and takes appropriate security measures to protect the User’s data against unauthorized access, loss, alteration, or disclosure.
3. In matters related to Data Processing for the purpose of establishing contact, i.e., responding to questions submitted by the User via the contact form or providing information about the offer, the legal basis for Processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the need to resolve the reported matter related to its business activity.
4. If the Data provided by the User proves necessary to establish a legal relationship between the User and the Administrator, or is transferred for the purpose of using the service offered by the Administrator, it will be processed in accordance with Article 6(1)(b) of the GDPR. In particular, personal data entered into the contact form, such as name and surname, e-mail address, telephone number, position/company, tax identification number, and city, may be processed for the purpose of recruitment processes offered by the Website. This data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
5. In the case of data that the Administrator obtains and processes in order to perform obligations arising from legal provisions related to the employment process, including in particular the Labor Code (i.e., of February 14, 2025, Journal of Laws of 2025, item 277), the Act on the Employment of Temporary Workers (i.e. of February 21, 2025, Journal of Laws of 2025, item 236) – the legal basis for processing is the legal obligation incumbent on the Administrator (Article 6(1)(c) of the GDPR in conjunction with labor law provisions).
6. Personal data provided by the User to the Administrator for the purpose of conducting the recruitment process in the scope of data not required by law or by the Administrator, as well as for the purposes of future recruitment processes, are processed on the legal basis of consent (Article 6(1)(a) of the GDPR).
7. The processing of data for the purposes of the Administrator’s legitimate interests related to the operation of the Website, including for analytical and statistical purposes, is carried out on the basis of the Administrator’s legitimate interest (in accordance with Article 6(1)(f) of the GDPR).
8. Data processing for the purpose of establishing, pursuing or defending claims, preventing fraud, managing business activities, including risk management, is carried out on the legal basis of the Administrator’s legitimate interest (in accordance with Article 6(1)(f) of the GDPR).
9. Data processing for accounting and financial reporting purposes, including the fulfillment of tax and accounting obligations, is carried out on the legal basis of the necessity to fulfill the legal obligation incumbent on the administrator (in accordance with Article 6(1)(c) of the GDPR).
10. The Administrator also processes your personal data on the basis of Article 6(1)(f) of the GDPR, i.e. with regard to data whose processing is necessary for the purposes of the legitimate interests pursued by a third party, i.e. entities cooperating with the Administrator within the ARTTIME Group.
11. The processing of personal data for marketing purposes, including through newsletter subscriptions and the adaptation of services to the needs of Users, is based on the legitimate interest of the Administrator (in accordance with Article 6(1)(f) of the GDPR). The processing of personal data for marketing purposes, including direct marketing, may also be carried out on the basis of the User’s consent (in accordance with Article 6(1)(a) of the GDPR) granted, inter alia, through consent forms posted on the Website.
12. In terms of running social media accounts, the administrator process the Personal Data of Users visiting the ARTTIME Group’s profiles on social media (including Facebook, YouTube, LinkedIn, and TikTok). This data is processed solely in connection with the operation of the profile, including for the purpose of informing Users about the activities of the administrator and promoting various types of events, services, and products. The legal basis for the processing of Personal Data by the administrator for this purpose is their legitimate interest (Article 6(1)(f) of the GDPR), consisting in promoting their own brand.

§ 6
Voluntary provision of Personal Data

1. Providing the Personal Data required in the contact form fields is voluntary, but necessary to use the contact form functionality. Failure to provide personal data will result in the inability to send data via the form and the inability to use the services offered by the Website. Providing Personal Data in the form is necessary to achieve one or more of the purposes of Personal Data processing defined above.
2. Providing Personal Data for marketing purposes is voluntary and at the discretion of the data subject, and its processing by the Administrator depends on obtaining their consent, unless it is data processed on the basis of a legitimate interest. The consent of the data subject means a voluntary, specific, informed, and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. The processing of data for other purposes, such as tailoring the content of our websites to the User’s needs, detecting bots and abuse in our services, conducting statistical analyses, and improving our services, is necessary to ensure the high quality of the services offered by the Website.
4. The user may withdraw their consent at any time without affecting the lawfulness of the processing that was carried out on the basis of consent before its withdrawal.

§ 7
Period of Personal Data Processing

1. Personal data will be stored for the duration of the legal basis for its processing, unless longer storage is required by applicable law, for example, if it is necessary to use it in processes related to the operation of the Website.
2. Personal data collected via contact forms will be processed for the period necessary to respond to the user and for a period of 6 years after the response has been provided, in order to protect the rights of the Administrator.
3. Personal data provided via contact forms for the purpose of establishing a legal relationship will be processed for the duration of the legal relationship, but not earlier than until the Administrator’s legitimate interest ceases to exist.
4. Personal data provided via contact forms:
   • for recruitment purposes are generally processed for the duration of the recruitment process and then for the time necessary to defend against possible claims (which usually does not exceed 12 months) – if the User has agreed to participate in only one specific process.
   • if the User has consented to participate in various current and future recruitment processes, the User’s personal data is stored until the consent is withdrawn, but no longer than is justified for the purpose of recruitment and to defend against possible claims (which usually does not exceed 36 months).
   • In the event of establishing a legal relationship, personal data will be processed until the end of the legitimate interest of the Administrator.
5. Personal data processed for the purpose of fulfilling tax and accounting obligations, social security obligations, or any other legal obligations will be stored for the period necessary to fulfill the statutory obligation incumbent on the personal data administrator.
6. Personal data processed for the purpose of defending, pursuing, or establishing claims will be processed for the period specified in the law as the limitation period for claims.
7. Personal data processed on the basis of the User’s consent will be processed until the consent is withdrawn. Personal data processed for the purposes of pursuing the legitimate interests of the Administrator or a third party will be processed until the User’s objection is taken into account.
8. At the end of the processing period, personal data will be deleted or anonymized.

§ 8
User Rights

1. The user has the following rights:
   • the right to access personal data in accordance with Article 15 of the GDPR;
   • the right to request the rectification of personal data in accordance with Article 16 of the GDPR;
   • the right to withdraw consent to the processing of personal data;
   • the right to request the erasure of personal data in accordance with Article 17 of the GDPR;
   • the right to request restriction of processing of personal data in accordance with Article 18 of the GDPR;
   • the right to object to the processing of personal data in accordance with Article 21 of the GDPR;
   • the right to transfer personal data in accordance with Article 20 of the GDPR;
   • the right to lodge a complaint with a supervisory authority in accordance with Article 77 of the GDPR.
2. The User has the right to obtain confirmation from the Administrator as to whether Personal Data concerning him/her is being processed, and if so, he/she is entitled to access it and to obtain information concerning the purposes of processing, the categories of Personal Data being processed, information about the Recipients of the data or categories of Recipients to whom the Personal Data has been or will be disclosed, the planned period of storage of personal data, the right to request rectification, erasure, or restriction of processing of personal data and to object to such processing, the right to lodge a complaint with a supervisory authority, as well as the source of personal data—if the personal data has not been collected from the data subject. The right to information also includes obtaining information about automated decision-making, including profiling, together with relevant information about the rules for making such decisions, as well as the significance and anticipated consequences of such processing for the data subject. The user has the right to obtain a copy of the personal data being processed.
3. The administrator is obliged to supplement incomplete personal data and to remove inconsistencies or errors in the personal data being processed. The user has the right to request the rectification of data in the event of disclosure of inaccuracies or incompleteness.
4. To the extent that User data is processed on the basis of consent, the user has the right to withdraw consent to data processing at any time.
5. The User has the right to delete personal data, the “right to be forgotten,” with regard to Data that is no longer necessary for the purposes for which it was collected by the Administrator. The User also has the right to be forgotten if consent to the processing of data is withdrawn, the User objects to the processing of their Data, or the data is processed unlawfully. The above list of cases also includes situations where the data should be deleted in order to comply with a legal obligation or where the data has been collected in connection with the provision of information society services.
6. The administrator indicates that in certain cases specified by law, a request for data deletion cannot be fulfilled, i.e., among others, in a situation where data processing is necessary to establish, investigate or defend claims, exercise the right to freedom of expression and information, comply with a legal obligation requiring processing under Union law or the law of the Member State to which the administrator is subject, or perform a task carried out in the public interest or in the exercise of official authority vested in the administrator .
7. The User may also request the restriction of the processing of personal data (except for their storage) in situations where:
   • The User questions the accuracy of the personal data – for the period during which the Administrator verifies its accuracy;
   • the processing is unlawful, the User objects to the erasure of the personal data, requesting instead that its use be restricted;
   • the administrator no longer needs the Data, but it is needed by the User to whom the data relates to establish, pursue, or defend their claims;
   • the User has objected to the processing of their Data – until it is determined whether the legitimate grounds on the part of the administrator override the grounds for objection of the data subject.
8. If the processing of Personal Data has been restricted in accordance with the paragraph above, such data may continue to be processed with the consent of the data subject, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person. Important reasons of public interest of the European Union or a Member State are also grounds for further processing. The administrator is entitled to store such data regardless of the consent of the data subject.
9. The user also has the right to object to the processing of their Personal Data – for reasons related to their particular situation – when the processing of personal data is based on a legitimate interest, or on the basis of necessity to perform a task carried out in the public interest or in the exercise of public authority entrusted to the administrator, including profiling. The administrator may no longer process such Personal Data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10. If Personal Data is processed for direct marketing purposes, the User has the right to object at any time to the processing of Personal Data concerning him or her for such marketing, including profiling, to the extent that the processing is related to such direct marketing. The administrator shall immediately cease processing Personal Data for such purposes.
11. The User has the right to transfer data when the processing of personal data is based on their consent or a contract concluded with them, and when the processing is carried out automatically. The User is entitled to receive, in a structured, commonly used, machine-readable format (e.g., Excel), the personal data concerning him/her that he/she has provided to the Administrator. The User has the right to send this data to another Administrator. The Administrator will fulfill the User’s request provided that such transfer is technically possible.
12. The User may exercise their rights at any time, with the proviso that the selection of specific rights referred to above may depend on the legal basis and purpose of the processing of Personal Data.
13. The Administrator reserves the right to verify the identity of the person exercising the rights referred to in this paragraph by requesting additional data from the User for authentication purposes.
14. In order to exercise the rights referred to in this paragraph, please send an email to: rodo@art-time.pl or write to the Co-Administrator’s address: EPS sp. z o.o., ul. Duninowska 9, 87-800 Włocławek.
15. If, in the User’s opinion, the processing of Personal Data violates the provisions of the GDPR or other provisions regarding the protection of personal data, the User may lodge a complaint with the supervisory authority in accordance with the procedure specified in the provisions of the GDPR. In the Republic of Poland, the supervisory authority is the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

§ 9
Data recipients

1. The Administrator uses the services provided by external suppliers who process the User’s Personal Data on behalf of the Administrator, in particular: hosting service providers, IT system and service providers, e-mail service providers, accountants, auditors, shipping services, marketing or legal services, as well as administration, maintenance, and management of the Website, CRM service providers: Sales Manager, Sales Force. The Administrator may disclose the User’s Personal Data to its employees, members of management, representatives, suppliers, or subcontractors, if necessary for the purposes specified in this privacy policy. The Administrator transfers User data to suppliers only for the purpose of effective performance of their services.
2. In the case of the recruitment process, including the transfer of information about job offers, the Administrator may disclose the User’s personal data to target customers (employers, users) in accordance with their requirements, within the scope of services provided by the ARTTIME Group.
3. The recipients of the User’s personal data are also entities cooperating with the Administrator within the ARTTIME Group, if it is necessary for the purposes specified in this Policy. Entities within the ARTTIME Group comply with the provisions of the GDPR regarding agreements on the conditions for the use of personal data processing agreements and the principles of joint administration of personal data, by concluding relevant agreements and contracts in this regard.’
4. The Administrator may disclose the User’s Personal Data to public authorities, e.g. tax authorities, social security institutions, as well as pension funds, banks, and insurers to the extent related to the services provided, including recruitment and temporary work.
5. The collected Personal Data may be stored and processed in any country where the Administrator operates. Personal Data is generally processed in Poland, a member state of the European Union, or in a signatory to the European Economic Area (EEA) Agreement.
6. If no EU Commission decision on the adequate level of data protection is available for a specific country, the Administrator enters into an agreement in accordance with EU data protection guidelines that ensure adequate protection and guarantee the rights and freedoms of the User.
7. The information collected by the Website may be transferred to the following countries that do not have data protection regulations equivalent to those in force in the European Economic Area: e.g., Ukraine, the United States of America, Russia, Japan, China, and India.
8. The Administrator may share the User’s personal data with IT system and service providers, including social media advertising partners such as: Facebook/Meta, Instagram, LinkedIn, Google Analytics, Google Ads, Google Maps, Google Search Console, LinkedIn Ads, i.e.:
   • Meta Platforms Ireland Limited – formerly Facebook Ireland Limited LTD, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, DO2X525, Ireland
   • LinkedIn Ireland Unlimited Company, Legal Dept. Wilton Place, Dublin 2, Ireland
   • Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland
   • Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
9. The administrator uses the Sales Force system (Sales Cloud, Marketing Cloud, CRM) for the purpose of managing the recruitment process and the candidate database. This tool allows for: central storage and handling of candidate data, communication support (email, notifications), data analysis (e.g., preliminary matching of candidates), error reduction/prevention, and process improvement. The data may be shared with related entities within the group and service providers for system operation and communication purposes. In the case of data transfers outside the EEA, appropriate safeguards (e.g., Standard Contractual Clauses) are used.
10. The administrator may use the Sales Manago platform to: send notifications about new job offers, conduct marketing activities related to recruitment, and improve communication with candidates. The legal basis for data processing in Sales Manago is the candidate’s consent (Article 6(1)(a) of the GDPR). The data is processed only to the extent covered by the consent and for the period necessary to achieve the purpose, and then deleted or anonymized.
11. The data may be disclosed to entities providing services to the Administrator (e.g., IT providers, communication system operators) only on the basis of data processing agreements.
12. The administrator does not make recruitment decisions based on automated profiling. However, marketing profiling may be used to match job offers to the candidate’s interests and preferences – always on the basis of their consent.
13. The Administrator cooperates with entities based in the EEA. However, due to the use of international entities’ services, the User’s personal data may be transferred outside the EEA or to a country where restrictions on the international transfer of personal data apply. In such a situation, the Administrator will require an adequate level of data protection and the application of compliance mechanisms provided for in the GDPR, including standard contractual clauses specified by the European Commission. More information on this subject can be found here: https://eur-lex.europa.eu/legal-content/PL/TXT/HTML/?uri=CELEX:32021D0915&from=PL
14. If the User voluntarily consents to being contacted via instant messaging services (WhatsApp, Viber, Messenger, Signal, Telegram), the Administrator processes the data for the purpose of presenting job offers and conducting recruitment communication. The recipients of personal data may be communication service providers and social media operators, including: Meta Platforms Ireland Ltd. (WhatsApp, Messenger), Viber Media S.? r.l., Telegram Messenger Inc., and Signal Messenger, LLC. The use of instant messaging services implies the User’s acceptance of the terms and conditions and privacy policies of individual providers. The User has the right to withdraw their consent to contact via instant messaging at any time, which does not affect the lawfulness of processing prior to withdrawal.

§ 10
Personal Data Security

1. The Administrator processes the entrusted Personal Data in accordance with applicable law, in particular, makes efforts to maximize the security of data processing. In order to achieve the above, the Administrator applies the technical and organizational measures required by law, i.e.:
   • uses data encryption,
   • monitors IT systems,
   • implements, tests, and updates security procedures,
   • applies measures to ensure the ability to continuously ensure the integrity, confidentiality, availability, and resilience of processing systems and services,
   • ensures the ability to immediately restore the availability of personal data in the event of a technical or physical incident.
2. The Administrator will inform the User of any incident of violation or suspected violation of their Personal Data.
3. Any incidents affecting the security of information or data transmission should be reported to the Administrator at the following e-mail address: rodo@art-time.pl.
4. The Administrator informs that any transmission of information via the Internet is subject to potential risk, and ensuring the complete and absolute security of data shared on the network is not possible with current technological standards.

§ 11
Cookies

The website uses cookies. Detailed information on the management of cookies and similar technologies on the Website is available in the Cookie Policy published at https://art-time.pl/polityka-cookies/.

§ 12
Changes to the Privacy Policy and period of validity

1. This Privacy Policy is effective as of August 19, 2025.
2. The co-administrators reserve the right to change this Privacy Policy at any time.
3. Changes to the Privacy Policy come into effect upon their publication on the Website.