Welcome to the MER Scandinavia website.

Please, read the following documents:

• GENERAL INFORMATION CLAUSE

• COLLECTIVE INFORMATION OBLIGATION

• PRIVACY POLICY

• INFORMATION OBLIGATION – REGISTRATION AND SECTION MY ACCOUNT

GENERAL INFORMATION CLAUSE

We would like to inform you that our websites use technologies such as cookies to collect and process personal data in order to personalize the content and analyse the traffic on the websites and on the Internet. Please, read the information below. Be informed that, if you do not agree to the processing of your data as described, you should leave the website.

In connection with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (referred to as the GDPR), valid since 25 May 2018, we inform you on what basis we will process your personal data collected through this website.

Type of data:

Personal data is, according to the GDPR, information about an identified or identifiable natural person. If you use our website, such data is e.g. your e-mail address, IP address. This clause applies to personal data collected in the context of your use of the website and applications constituting the property of CPD, including cookies.

Controller of Personal Data:

The controller of your personal data, i.e. the entity which decides on the manner and purpose of personal data processing is MER Scandinavia, Noordlaan 3, 1861 GM Bergen, Netherlands, info@merscandinavia.com, www.merscandinavia.com, +31617502180

The basis for collecting your personal data:

The processing of your personal data requires legal grounds. Article 6(1) of the GDPR provides for several types of such grounds for data processing and the following premises of lawfulness are provided for the use of the website:

1. The data subject has consented to the processing of his/her personal data for one or more specified purposes.

2. The processing is necessary for the purposes resulting from legitimate interests pursued by the Controller

Within the scope of our services, your data shall only be processed if we or another data processor has one of the legal grounds permitted by the GDPR and only for the purpose adapted to the respective grounds. Your data will be processed for as long as there are grounds for processing: where processing is based on your consent, until the consent is revoked, limited or otherwise restricted; where the data is necessary for the execution of a contract, for the duration of the contract; and where the grounds for processing is the legitimate interest of the controller, for as long as such legitimate interest exists.

Transfer of your personal data:

In accordance with the applicable law, we may transfer your data to entities processing it on behalf of the Personal Data Controller. Examples of contractors include companies cooperating with the Controller, subcontractors of our services and entities entitled to obtain data under the applicable law, e.g. courts, public prosecutor’s office etc., based on the relevant legal grounds.

Cookies:

Our websites and applications use technologies such as cookies, local storage and similar technologies to collect and process personal and usage data in order to analyse traffic to our websites. Cookies are IT data recorded in files and stored on your terminal device (i.e. computer, tablet, smartphone, etc.), which your browser sends to the server each time you access a website from that device, while you are visiting different websites on the Internet. Using our website means that we process your cookies.

Your rights:

In accordance with GDPR, you have the following rights to data and the processing of data by us and by entities with which we have entered into entrustment agreements.

If you have given your consent to data processing, you can withdraw your consent at any time.

You shall also have the right to request access to your personal data, to rectify, delete or restrict the processing of your data, the right to transfer your data, to object to the data being processed and the right to lodge a complaint with the supervisory authority – the POPDR. You shall also have the above rights in case of proper data processing by the controller.

 COLLECTIVE INFORMATION OBLIGATION

1. The Controller of your personal data is MER Scandinavia, Noordlaan 3, 1861 GM Bergen, Netherlands, info@merscandinavia.com, www.merscandinavia.com, +31617502180

2. Your data will be processed for the following purposes:

a) If you send us a question via the contact tab – the basis for data processing is Article 6(1) (f) of the GDPR, where the legitimate interest of the controller is to respond to the question and to maintain business contacts, including the promotion of our services.

b) Direct marketing – in case of granting your consent. Based on your explicit consent, we send: commercial information as well as advertisements for our services.

However, the transmission of commercial information by electronic means in accordance with the Act on the provision of services by electronic means of 18 July 2002 will take place on the basis of a separate consent if you provide us with your e-mail address.

However, the use of telecommunications terminal equipment and automatic calling systems for direct marketing purposes pursuant to the Act of 16 July 2004, the Telecommunication Law shall be based on your consent if you provide us with your telephone number.

c) Subscribing to the newsletter – the basis for the processing is art. 6.1.a of the GDPR – that is, your consent.

d) Publication of an opinion – the basis for data processing is Article 6(1)(f) of the GDPR – where a legitimate interest is the evaluation of services provided by the Controller.

e) Registration as a practitioner – the basis for the processing of personal data is Article 6(1)(b) of the GDPR. If you provide us with your photo, we need your consent; if it is granted, we will process your image data on the basis of Article 6(1)(a) of the GDPR.

f) Creating an account – the basis for processing personal data is Article 6(1)(b) of the GDPR.

g) Booking activities – we may process your personal data in order to register your booking and attendance at activities pursuant to Art. 6(1)(b) of GDPR.

h) Registration of sales of products and services purchased by the customer – the basis for the processing of personal data is Article 6(1)(b) of GDPR.

i) The fulfillment of obligations arising from legal regulations, including tax or accounting regulations – the basis for the processing of personal data is Article 6(1)(c) of the GDPR

j) The basis for processing of personal data is Article 6(1)(f) of the GDPR – where the legitimate interest of the controller is to improve its services, and in the case of processing for archiving purposes – to defend against possible claims.

4. The recipients of your personal data shall only be entities entitled to obtain personal data or entities participating in cooperation with us as well as subcontractors, e.g. providing IT support services to the Company, legal entities, marketing agencies.

5. We shall use your personal data until the completion of the purposes specified above and thereafter for the period and to the extent required by generally applicable law. Your personal data processed on the basis of your consent will be stored until it is revoked. Users shall have the right to revoke their consent at any time without affecting the lawfulness of Processing that was carried out on the basis of their consent prior to revoking it.

   6. You shall have the right to demand from the Controller access to your personal data, the right to rectify, delete or limit the processing, the right to object to the processing and the right to transfer the data.

7. You shall have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection.

8. Providing the data is voluntary, but necessary to achieve the aforementioned purposes.

9. Your data will not be processed automatically and will not be transferred to a third country.

 PRIVACY POLICY

I. General Information

The controller of your personal data is MER Scandinavia, Noordlaan 3, 1861 GM Bergen, Netherlands, info@merscandinavia.com, www.merscandinavia.com, +31617502180

This Policy may be amended and updated to reflect changes in the Controller’s Personal Data Processing practices or changes in generally applicable law. We encourage you to read this Policy carefully and check this page regularly to verify any changes that the Controller may make in accordance with this Policy.

II. Processing of Users’ Personal Data

Collection of Personal Data:

The Controller may collect Users’ Personal Data, such as: name, surname, and contact details, including e-mail address. The Controller may collect Users’ Personal Data, in particular in the following cases:

• providing Personal Data by Users (e.g. contact by e-mail, telephone, form or any other means).

• obtaining Personal Data from third parties (e.g. contractors, financial intermediaries, law enforcement agencies, including administrative bodies or courts, etc.).

• obtaining or asking Users to provide Personal Data of Users, during Users’ visits to the Controller’s websites or using any functions or resources available on or via the Website. When Users visit the Website, the User’s devices and browsers may automatically provide certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connection to the Site and other technical information regarding communication), some of which may constitute Personal Data.

• During a visit to the Website, no Personal Data of Users will be stored by the Controller without the prior, express consent of the Users. However, temporary storage of log files and cookies facilitates the use of our Website. For this reason, Users are asked to agree to this on our Website. Granting the aforementioned consent is optional and does not affect the possibility of using the Website. In some cases, the use of our Website may be restricted to a certain extent without such consent.

Legal grounds for the Processing of Personal Data: When Processing Users’ Personal Data for the purposes as set out in this Policy, the Controller shall refer to one or more of the following legal grounds, as appropriate:

• Processing takes place on the basis of the User’s prior voluntary, specific, informed and unambiguous consent to the Processing;

• Processing is necessary for execution of the agreement that the User has entered into or intends to enter into with the Controller;

• Processing is necessary to fulfill the legal obligation imposed on the Controller;

• Processing is necessary to protect the vital interests of any natural person;

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the Controller;

• Processing is necessary to manage, conduct and promote the Controller’s activities and does not prejudice the interests or fundamental rights and freedoms of the User.

In connection with User’s use of the Service, the Controller collects data to the extent necessary to provide particular offered services, as well as information about User’s activity in the Service. Below are described detailed rules and purposes of processing of Personal Data collected during the use of the Service by the User.

Your data will be processed for the following purposes:

a) If you send us a question via the contact tab – the basis for data processing is Article 6(1)(f) of the GDPR, where the legitimate interest of the controller is to respond to the question and to maintain business contacts, including the promotion of our services.

b) Direct marketing – in case of granting your consent. Based on your explicit consent, we send: commercial information as well as advertisements for our services.

However, the transmission of commercial information by electronic means in accordance with the Act on the provision of services by electronic means of 18 July 2002 will take place on the basis of a separate consent if you provide us with your e-mail address.

However, the use of telecommunications terminal equipment and automatic calling systems for direct marketing purposes pursuant to the Act of 16 July 2004, the Telecommunication Law shall be based on your consent if you provide us with your telephone number.

c) Subscribing to the newsletter – the basis for the processing is art. 6.1.a of the GDPR – that is, your consent.

d) Publication of an opinion – the basis for data processing is Article 6(1)(f) of the GDPR – where a legitimate interest is the evaluation of services provided by the Controller.

e) Registration as a practitioner – the basis for the processing of personal data is Article 6(1)(b) of the GDPR. If you provide us with your photo, we need your consent; if it is granted, we will process your image data on the basis of Article 6(1)(a) of the GDPR.

f) Creating an account – the basis for processing personal data is Article 6(1)(b) of the GDPR.

g) Booking activities – we may process your personal data in order to register your booking and attendance at activities pursuant to Art. 6(1)(b) of GDPR.

h) Registration of sales of products and services purchased by the customer – the basis for the processing of personal data is Article 6(1)(b) of GDPR.

i) The fulfillment of obligations arising from legal regulations, including tax or accounting regulations – the basis for the processing of personal data is Article 6(1)(c) of the GDPR

j) Use of the service

• Personal data of all persons using the Service (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the Controller:

 • in order to provide services by electronic means within the scope of the content collected on the Website made available to Users – then the legal basis for the processing is the necessity of the processing for the performance of the agreement (Article 6(1)(b) of the GDPR);

• for analytical and statistical purposes – then the legal basis for processing is the legally justified interest of the Controller (Article 6(1)(f) of the GDPR), consisting in conducting analyses of Users’ activity and their preferences in order to improve the functionality and services provided;

• in order to possibly establish and pursue claims or defend against claims – the legal basis for the processing is the Controller’s legally justified interest (Article 6(1)(f) of the GDPR), consisting in the protection of his rights;

k) Collection of data in the framework of business contacts

• In connection with the conducted activity, the Controller collects personal data also in other cases – e.g. during business meetings or by exchanging business cards – for the purposes related to initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to form networks in connection with its activities. Personal data collected in such cases are processed only for the purpose for which they were collected, and the Controller ensures their adequate protection.

Providing the data is voluntary, but necessary to achieve the aforementioned purposes.

III. Sharing Personal Data with third parties

The Controller may share Users’ Personal Data:

• with administrative or judicial authorities, at their request, in order to inform about an actual or suspected violation of the applicable law;

• with persons carrying out audits, lawyers, contractors performing service activities, taking into account the obligation of confidentiality resulting from the contract or imposed on these entities by law;

• Third parties processing the entrusted data on behalf of the Controller, regardless of their registered office, in accordance with the requirements of this point III below;

• Any entity competent for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal measures, including the safeguarding and prevention of threats to public security;

Notwithstanding the above, the Website may use plugins or content presented by third parties. If Users choose to use them, their Personal Data may be shared with third parties or social networking platforms. The Controller hereby recommends that you review the privacy policy of the third party before using its plugins or content.

If we engage a third party to process Users’ Personal Data in accordance with an entrustment agreement entered into with such entity, the Processor shall be obliged to: (i) Process only the Personal Data as instructed in advance by the Controller in writing; and (ii) take all measures to protect the confidentiality and security of the Personal Data and ensure compliance with all other requirements of generally applicable law.

 IV. International transfer of Personal Data

At present, the Controller does not transfer and does not intend to transfer any Users’ Personal Data to third countries which are not members of the European Union or to international organizations. If necessary, this Policy shall be amended and the transfer of your Personal Data may take place only in accordance with the standard contractual arrangements that Controller implements before the transfer of such Personal Data takes place. In such a case, Users shall be entitled to request a copy of the standard contractual provisions applied by the Controller, using the contact details indicated in Section XII below.

V. Data protection

The Controller shall inform that it has implemented appropriate technical and organisational protection measures to protect Personal Data, in particular including safeguards against accidental or unlawful destruction, loss, alteration, unauthorized publication, unauthorized access and other unlawful and unauthorized forms of Processing, in accordance with applicable law.

The Controller shall not be liable for the actions or omissions of the Users. Users are responsible for ensuring that all Personal Data is sent to the Controller in a secure manner.

VI. Accuracy of data

The Controller shall take all appropriate measures to ensure that:

• The Users’ Personal Data that the Controller processes are accurate and, where necessary, up to date; and

• All Users’ Personal Data which are processed by the Controller and which are incorrect (having regard to the purpose for which they are being processed) shall be deleted or corrected without undue delay.

The Controller, at any time, may ask Users about the accuracy of the Processed Personal Data.

VII. Data scope minimization

The Controller takes all appropriate measures to ensure that the scope of the Users’ Personal Data that it processes is limited to Personal Data that are adequately required for the purposes set out in this Policy.

VIII. Storage of Data

The criteria determining the duration of the period in which the Controller stores Users’ Personal Data are as follows: the Controller keeps a copy of Users’ Personal Data in a form that allows for its identification only as long as is necessary to achieve the purposes set out in this Policy, unless the provisions of generally applicable law require a longer retention period for Personal Data. In particular, the Controller may retain Users’ Personal Data for the entire period necessary to establish, use or defend claims.

IX. Users’ rights

In accordance with the provisions of the General Data Protection Regulation, with respect to the Users’ Personal Data which are Processed by the Controller, the Users shall have the following rights:

• the right of access to personal data;

• the right to correct personal data;

• the right to delete personal data;

• the right to limit the processing of personal data;

• the right to transfer personal data;

• the right to object to the processing of personal data;

• the right not to be subject to a decision involving automated processing.

If the Processing of Personal Data is carried out on the basis of the consent granted by the Users, the Users have the right to withdraw their consent at any time without affecting the lawfulness of the Processing carried out on the basis of their consent before its withdrawal.

In the case of incorrect Processing of Personal Data, Users shall have the right to lodge a complaint to the state supervisory body for data protection, i.e. to the President of the Office for Personal Data Protection.

The above does not affect the rights of the Users resulting from the acts or other provisions of generally applicable law.

In order to exercise one or more rights or inquire about those rights or any other provisions of this Policy or about the Processing of Users’ Personal Data, please contact us using the contact details indicated in point XII below.

X. Cookie files (cookies)

A cookie file is a small file placed in the User’s device during a visit on the website (also on our Website). It records information about your device, browser, and in some cases, also about your preferences and typical actions that you perform while browsing the Website. The Controller may Process Users’ Personal Data through the Cookie technology.

XI. Contact details

In case of any questions, doubts or comments concerning the information contained in this Policy or other issues related to the Processing of Users’ Personal Data by the Controller, including for the purpose of exercising the rights referred to in point IX of this Policy, please contact:

The Controller of your personal data MER Scandinavia, Noordlaan 3, 1861 GM Bergen, Netherlands, info@merscandinavia.com, www.merscandinavia.com, +31617502180

 XII. Definitions

• Controller means the entity that decides how and for what purposes Personal Data is processed. The controller shall be responsible for the compliance of the processing with applicable data protection law.

• Personal Data means any information about an identified or identifiable natural person. Examples of the Personal Data that the Controller may process are listed in section II above.

• To process, Processing or Processed means any activity relating to Personal Data whether or not performed by automatic means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, making available by transmission, dissemination or otherwise making available, organizing or combining, limiting, deleting or destroying.

• Processor means any person or entity that processes Personal Data on behalf of the Controller (other than an employee of the Controller).

 INFORMATION OBLIGATION – REGISTRATION AND SECTION MY ACCOUNT

1. MER Scandinavia, Noordlaan 3, 1861 GM Bergen, Netherlands, info@merscandinavia.com, www.merscandinavia.com, +31617502180

2. Your data will be processed for the purpose of registration for the workshop. As you can provide us with your special categories of personal data, we need your express consent.

3. The legal grounds for the processing are Article 9(2)(a) of the GDPR – explicit consent. Therefore, the legal grounds for the processing of your personal data for these purposes are also Article 6(1)(a) of the GDPR (the data subject has consented to the processing of his personal data for one or more specific purposes).

4. The recipients of your personal data shall only be entities entitled to obtain personal data or entities participating in cooperation with us as well as subcontractors, e.g. providing IT support services to the Company, legal entities, marketing agencies.

5. We shall use your personal data until the completion of the purposes specified above and thereafter for the period and to the extent required by generally applicable law. Your personal data processed on the basis of your consent will be stored until it is revoked. Users shall have the right to revoke their consent at any time without affecting the lawfulness of Processing that was carried out on the basis of their consent prior to revoking it.

6. You shall have the right to demand from the Controller access to your personal data, the right to correct, delete or limit the processing, the right to object to the processing and the right to transfer the data.

7. You shall have the right to raise a complaint to a supervisory authority i.e. the President of the Personal Data Protection Office.

8. Providing the data is voluntary, but necessary to achieve the aforementioned purposes.

9. Your data will not be processed automatically and will not be transferred to a third country.