PRIVACY POLICY

This privacy policy concerns the Controller's processing (defined below) of personal data, which will be made available to the Controller by you as the other party to the agreement (hereinafter referred to as " Supplier") in connection with the negotiation, conclusion and performance of the agreement concluded with the Controller in connection with its business (hereinafter referred to as "Agreement", and the Supplier and the Controller as the " Parties").

Personal data pertain to individuals who are employees or associates of any of the Parties (or entities co-operating with any of the Parties), as well as of the Party itself (where that Party is a natural person). The Parties undertake to respect each other's obligations in relation to the protection of personal data.

The Supplier undertakes to provide Natural Persons (as defined below) with the following information.

1. PERSONAL DATA CONTROLLER

The Controller of personal data is GSSM Warsaw spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, al. Jana Pawła II 82, 00-175 Warsaw, holding NIP 5272635896 and REGON 142564741, entered into the Register of Entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under number KRS 0000364145, with the share capital of PLN 14,867,800.00 (hereinafter referred to as the "Controller").

Contact details of the Controller: GSSM Warsaw spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw - Centrum Handlowe Arkadia, al. Jana Pawła II 82, 00-175 Warsaw, e-mail address: recepcja.ARKADIA@urw.com. The Controller has not appointed a Data Protection Officer.

2. SCOPE OF PERSONAL DATA PROCESSING

In view of the need to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), the Controller hereby informs:

(i) the Supplier (if is a natural person);

(ii) natural persons who are employees (associates) of the Supplier and whose personal data has been provided to the Controller (by the Supplier or directly by such persons) in connection with the negotiation, conclusion or performance of the Agreement (the "Natural Persons").

about the rules of processing of their personal data and their rights.

The Controller processes personal data including: name, surname, company, position, telephone number, e-mail address, other information related to employment, if it is necessary for the performance of the Agreement, as well as other related data resulting from the Agreement (hereinafter referred to as the "Personal Data").

In order to ensure that only actual and current data are processed, the Controller may regularly update the data also from public sources (mainly the Central Registration and Information on Business, the National Court Register, the Supplier's website).

3. PURPOSE, SCOPE AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA

The Controller processes the Supplier's personal data in order to take actions aimed at concluding the Agreement with the Supplier and to perform the Agreement (Article 6(1)(b) of the GDPR). On the other hand, in the case of Natural Persons, the Controller processes the personal data of such persons in order to conclude the Agreement with the Supplier and to execute it, i.e. in the Controller's legitimate interest (Article 6(1)(f) of the GDPR). Additionally, the Controller processes the above-mentioned personal data due to the pursuit of other legitimate interests of the Controller as indicated below, in particular:

· to contact the Supplier or a Natural Person;

· where it is done for purposes related to the conduct of litigation, as well as proceedings before public authorities;

· for reporting within the Controller’s group (i.e. Unibail-Rodamco-Westfield);

· in order to optimise the terms of Controller's co-operation with third parties.

In other cases, the Controller may process personal data of the Supplier and the Natural Persons on the basis of previously granted consents, within the scope and for the purpose specified in the content of such consent.

To the extent that the Supplier's or the Natural Persons' personal data are obtained directly from them, providing personal data may be a condition of performance of the Agreement between the Controller and Supplier or is necessary for the attaining objectives resulting from the Controller's legitimate interests. The Supplier's or the Natural Person's failure to provide the required personal data may constitute an obstacle or impediment to the conclusion or performance of the Agreement.

The personal data of the Supplier and the Natural Persons will not be used for profiling or automated decision making.

4. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Personal data of the Supplier and Natural Persons may be disclosed to the following categories of recipients: (i) public authorities and entities performing public tasks or acting on behalf of public authorities within the scope of their statutory competence; (ii) entities co-operating with the Controller in the performance of the Agreement; (iii) entities of the Unibail-Rodamco-Westfield group, in particular: Unibail-Rodamco Polska spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, ul. Złota 59, 00-120 Warszawa, holding NIP 526262678510 and REGON 015337972, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000153593, with the share capital in the amount of PLN 3,066,047,000.00.

The Controller does not intend to transfer Personal Data outside the territory of the European Union, however, in justified cases, it may transfer personal data of the Supplier and the Natural Persons to entities located outside the European Economic Area (the "EEA"). In the event of such transfers outside the EEA, the Controller shall include model clauses adopted by the European Commission to ensure an adequate level of protection of personal data when accessing and processing data, or use other authorised methods of processing personal data outside the EEA, such as binding corporate rules or the EU-US Privacy Shield agreement.

The Controller has concluded appropriate agreements with the recipients mentioned above regulating the rules of personal data processing, ensuring the same level of protection of the processed Personal Data as provided under this privacy policy.

5. DATA SECURITY

We have adopted and follow necessary and appropriate technical and organisational measures, internal control measures and data security processes in accordance with best market practice, adequate to the potential risks for you as the data subject. At the same time, we take into account the state of technological development in order to protect your Personal Data against accidental loss, destruction, modification, unauthorized disclosure or access. These measures may include taking appropriate steps to ensure the liability of employees who have access to Personal Data, training of employees, making regular back-up copies, data recovery and accident management processes, software protection of the equipment in which Personal Data are stored, etc.

6. DURATION OF THE PROCESSING OF PERSONAL DATA

Personal data of the Supplier and the Natural Persons shall be processed for the period necessary for the performance of the Agreement, i.e. for the duration of its term, and thereafter for the period necessary to secure the possibility of asserting potential claims, i.e. not longer than 3 years, and to the extent required by law or to fulfil the Controller's legitimate interest.

7. RIGHTS OF THE DATA SUBJECTS

You have the right to demand that the Controller rectify inaccurate Personal Data or supplement incomplete Personal Data, the right to request processing restrictions, the right to object or lodge a complaint against the processing of Personal Data, the right to transfer Personal Data, the right to request access to Personal Data, the right to information about breaches of the protection of Personal Data, the right to request the removal of Personal Data and other rights granted under the applicable laws.

Data subjects can exercise their rights by contacting us by e-mail at the address: recepcja.ARKADIA@urw.com.

If you exercise your rights, we may ask you to provide additional personal data that you have already given to us. The provision of such data is necessary to verify that the request was actually made by a person authorised to do so. The Controller shall reply within one month from the date of receipt of the request but reserves the right to extend this period by an additional two months in particularly complex cases.

Your rights:

a) Rectification of Personal Data

Pursuant to applicable law, you have the right to obtain rectification of factually inaccurate or completion of incomplete Personal Data that have been provided to us.

The Controller takes appropriate measures to enable you to ensure that your Personal Data is up to date and that it is in accordance with the facts.

b) Deletion of personal data

You can request the deletion of your Personal Data at any time.

In case of receiving such a request from you, the Controller will immediately delete all of your Personal Data in its possession, unless there is a need for further storage of your Personal Data in order to perform contractual or statutory obligations or to ensure the protection of the Controller's legitimate interests to the extent indicated above.

c) Access to and portability of personal data

You have the right to receive information about whether or not your Personal Data are processed by the Controller and to what extent their processing takes place. At the same time, you have the right to request access to your Personal Data, which has been made available to the Controller by you, as well as other personal data concerning you.

If you request the transfer of your Personal Data processed in connection with the performance of the Agreement, you may request its transfer directly to a third party (another data controller) indicated in your request, provided that such request does not adversely affect the rights and freedoms of other persons and is technically feasible.

d) Right to object

Where your Personal Data is processed on the basis of a legitimate interest, you have the right at any time to object to such processing on grounds relating to your specific situation.

If, in such case, the Controller does not prove serious and legitimate grounds for processing, overriding your interests, rights or freedoms, or if the Controller does not prove that these data are necessary to determine, exercise or defend your rights, we will no longer process such data and delete them.

e) Restriction of processing

If you demand that the processing of your personal data be restricted, e.g. if the correctness or lawfulness of the processing of your personal data is questioned, the Controller will limit the processing of your personal data to the necessary minimum (storage), and will process them only to assert, exercise or defend the rights, or to ensure the protection of the rights of another natural person or legal entity, or for other reasons expressly provided for in the applicable legal regulations.

f) Complaints to the data protection authority

You have the right to lodge a complaint concerning the processing of Personal Data by the Controller with the President of the Personal Data Protection Office at the address: ul. Stawki 2, 00-193 Warszawa, or via electronic inbox available on the website: https://uodo.gov.pl/pl/p/kontakt.

This document may be reviewed or updated from time to time.

Last amended on 30 November 2018.