Personal Data shall be processed by the Controller for purposes related to:

1. performance of the contract concluded with the Partner, including its administration, monitoring of proper execution, and settlement (legal basis: Article 6 clause 1 letter "b" of the GDPR),
2. evaluation of the Partner for the purpose of making decisions regarding further cooperation – which constitutes a legitimate interest of the Controller (legal basis: Article 6 clause 1 letter "f" of the GDPR),
3. maintaining accounting and financial records (legal basis: Article 6 clause 1 letter "c" of the GDPR),
4. handling potential disputes and pursuing claims related to business activities – which constitutes a legitimate interest of the Controller (legal basis: Article 6 clause 1 letter "f" of the GDPR),
5. realization of the provisions of the Anticorruption Policy of the Jeronimo Martins Group in order to prevent corruption in the Jeronimo Martins Group companies and also in order to establish, enforce and defend against claims (legal basis: Article 6 clause 1 letter "f" of the GDPR).

For the purposes listed in point 1, Data Controller may in principle process the following Categories of Personal Data:

1. Identification data:
   • in the case of a sole proprietor: name and surname, residential address, ID card series and number, business name, business address, NIP, REGON, and business registration number,
   • in the case of partners in a civil law partnership: name and surname, PESEL number, residential address of the partners, company name, registered office address, NIP, REGON,
2. Contact data: e.g. e-mail address, telephone number, fax number, correspondence address,
3. Banking data: bank account number and name of the bank,
4. potential information regarding personal or business relations with Data Controller's employees/associates (detailed information on which information are collected from our employees/associates in this respect can be received by contacting the following e-mail address: dpo.polska@jeronimo-martins.com).

Access to Personal Data may be granted to:
– other companies of the Jeronimo Martins Group;
- service providers providing serviced to Data Controller, including specifically: entities operating IT systems or providing IT tools, entities conducting postal and courier activities, entities conducting payment activities (banks, payment institutions), entities cooperating with Data Controller in handling accounting, tax, legal, advisory, and audit matters, document archiving and shredding companies, however solely to an extent required for proper provision of such services - access to Personal Data shall only be granted to persons whose access is justified in view of the tasks they perform and services they provide. All persons authorized to process Personal Data are obliged to keep the secrecy of data and to protect them against disclosure to unauthorized persons
- legal authorities receiving data in connection with enforcing or defending against claims by Data Controller or in connection with realization of legal obligations by Data Controller.

1. Personal Data shall be processed throughout the duration of the Agreement, and after its termination, until the expiration of any claims arising from the business activity,
2. In the event of a potential court dispute, the Partner's Personal Data shall be retained at least until the final conclusion of the proceedings in that matter.
3. for accounting data the retention period is set at 5 years according to the accounting provisions,
4. for realisation of the provisions of the Anticorruption Policy of the Jeronimo Martins Group Personal Data shall be stored no longer than for 5 years after the termination of the legal relationship with the person who has submitted the report to Data Controller. In case specific anticorruption provisions oblige Data Controller to store data then Data Controller shall store data for the period indicated in such provisions.

Provision of Personal Data by the Partner is a contractual requirement. When obtaining data from the Partner, the Controller informs them of the data that is necessary for the performance of the contract. Failure to provide this data will result in the inability to conclude the contract.

If we have not obtained Personal data directly from the Business Partner, the source of their acquisition is our employee/associate. Providing personal data by them is necessary for the proper verification of the report in accordance with the anti-corruption policies applicable in the Jeronimo Martins Group.

The data subject may exercise the following rights against Data Controller:

1. the right to demand access to his/her Personal Data and to be informed about their processing, and if the data are incorrect – the right to demand their rectification (pursuant to Articles 15 and 16 GDPR),
2. the right to demand restriction of data processing in situations and on terms stated in Article 18 GDPR (the Partner may demand restriction of processing of his/her data for a period enabling verification of their accuracy or until disposal of his/her objection to data processing. The right may also be exercised if the data subject considers the processing of his/her data to be illegal but does not wish such data erased immediately, or if the data are needed longer than the assumed processing period for the purposes of determination or defense of claims),
3. the right to demand erasure of his/her Personal Data pursuant to Article 17 GDPR ("right to be forgotten"),
4. the right to transfer Personal Data in accordance with Article 20 of the GDPR, i.e. the right to receive from the Controller his/her personal data in a structured, commonly used format suitable for machine reading (by a computer), as well as the right to request the transfer of such data to another data controller. This right applies only to the data provided to the Controller by the Partner, which are processed in connection with the performance of the agreement and are in electronic form.
5. the right to object at any time against the processing of his/her Personal Data for reasons related to the data subject's special situation (pursuant to Article 21 clause 1 GDPR).

In matters related to Personal Data processing and to the exercise of data subject's rights, Data Controller may be contacted (address: bok@biedronka.pl). Partner who has filed an application or demand relating to the processing of his/her Personal Data within the exercise of his hear rights may be requested to answer several questions permitting verification of such person's identity.

Besides, the data subject may lodge a complaint against the processing of his/her Personal Data; the complaint is lodged via Data Controller to President of the Personal Data Protection Office.

The Data Controller has appointed a Data Protection Officer who can be contacted via email: dpo.polska@jeronimo-martins.com. The Data Protection Officer can be contacted in all matters concerning the processing of personal data.