Data Transfer to Third Countries

In accordance with Article 13(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation 2016/679 or GDPR), the obligation of the Data Controller is – when applicable – to provide information regarding:

1. The intention to transfer personal data to a third country or international organization,
2. The confirmation or lack thereof by the Commission of an adequate level of protection or, in the case of transfer mentioned in Article 46, Article 47, or Article 49(1), second paragraph of the GDPR, a mention of appropriate or suitable safeguards and information on ways to obtain copies of safeguards or their availability.

In connection with the above, Studio DR Ltd. based in Wisła, at Malinka Street 65D/2 (43-460), Poland, also referred to as „Data Controller,” hereby informs that during the provision of services and delivery of content, there is a probability of transferring collected personal data (including metadata) of users, contractors, or donors to third countries within the meaning of the GDPR. A detailed list of entities to which data may be made available, along with the purpose of processing and information regarding their security measures:

1. Entity: Salesforce.com, Inc. (USA)
   Processing purpose: Maintenance (technical) of user databases of content and services provided by the Controller and its contractors.Security measures, ways to obtain copies of safeguards, or their availability:

• Data Processing Addendum: Salesforce Data Processing Addendum
• EU-U.S. Data Privacy Framework approved by the European Commission on July 10, 2023: EU-U.S. Data Transfers
• Salesforce, Inc.’s entry into the Privacy Shield framework can be viewed at: Salesforce Privacy Shield
• Binding Corporate Rules: Salesforce Processor BCR

1. Entity: Google LLC (USA)
   Processing purposes:

• Analyzing website traffic (user behavior) and effectiveness of marketing campaigns (Google Analytics).
• Using the login mechanism for services with a user account created in the service.Security measures, ways to obtain copies of safeguards, or their availability:
  • EU-U.S. Privacy Shield. Mechanism approved by the European Commission on July 10, 2023: EU-U.S. Data Transfers
  • Google LLC’s entry into the Privacy Shield mechanism can be checked at: Google Privacy Shield
  • Description of safeguards and GDPR compliance, including the use of standard contractual clauses: Google GDPR Compliance
  • Data security for Google Ads service: Google Ads Processor Terms

1. Entity: Meta Platforms Inc. (formerly: Facebook) (USA)
   Processing purpose: Using the login mechanism for services with a user account created in the Facebook service.Security measures, ways to obtain copies of safeguards, or their availability:

• EU-U.S. Privacy Shield. Mechanism approved by the European Commission on July 10, 2023: EU-U.S. Data Transfers
• Meta Platforms, Inc.’s entry into the Privacy Shield mechanism can be checked at: Meta Platforms Privacy Shield
• Data security officer’s information on secure data transfer: Meta Platforms Data Transfer