Privacy Protection Principles
for production and project execution carried out by The Farm Group S.A.
General information
This document defines the principles of privacy protection and personal data processing in connection with the production and execution of projects (including, but not limited to: film, advertising, creative, event, digital and multimedia projects) carried out by The Farm Group S.A., with its registered office in Poland (hereinafter referred to as the “Company”, “The Farm Group”).
The Company places particular emphasis on protecting privacy and personal data security, processing personal data in accordance with applicable laws, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
- the Personal Data Protection Act,
- other applicable national and European Union regulations.
Personal data controller
The controller of personal data is:
The Farm Group S.A.
Ligocka 60D, 44-105 Gliwice
NIP 6312631819 | KRS 0000383606 | REGON 241925607
Any matters related to personal data protection may be addressed via e-mail: support@thefarm51.com.
Scope of processed data
In the course of project execution, the Company may process the following categories of personal data:
- identification data (first and last name, image/likeness, artistic pseudonym),
- contact details (e-mail address, phone number),
- professional data (position, company name, professional experience),
- data contained in production materials (e.g. audio-visual recordings, photographs, casting materials),
- data included in correspondence and project documentation,
- other data necessary for the execution of a specific project.
The scope of processed data is always adequate, relevant and limited to what is necessary for the specific project.
Purposes of data processing
Personal data are processed in particular for the purpose of:
- performance of contracts and production projects,
- organization and execution of shooting schedules, production and post-production,
- communication with clients, partners, creators, actors, subcontractors and collaborators,
- conducting castings, rehearsals and recruitment for projects,
- financial and accounting settlements,
- archiving project documentation,
- securing claims and pursuing rights,
- fulfilling legal obligations incumbent on the Company,
- promotional and marketing activities (where separate consent has been granted).
Legal basis for processing
Personal data are processed on the basis of:
- Article 6(1)(a) GDPR – consent of the data subject,
- Article 6(1)(b) GDPR – performance of a contract or steps taken prior to entering into a contract,
- Article 6(1)(c) GDPR – compliance with a legal obligation of the controller,
- Article 6(1)(f) GDPR – legitimate interests of the controller.
Data recipients
Personal data may be disclosed only to entities cooperating with the Company, in particular:
- clients and project partners,
- subcontractors, production crews, creative agencies,
- IT, archiving and production support service providers,
- accounting, legal and audit service providers,
- public authorities – only to the extent required by applicable law.
All entities processing personal data act on the basis of data processing agreements or other legally permissible grounds.
Transfers of data outside the EU
Where necessary to transfer personal data outside the European Economic Area, the Company ensures the application of appropriate safeguards, including Standard Contractual Clauses in accordance with the GDPR.
Data retention period
Personal data are retained:
- for the duration of the project,
- after its completion – for the period required by law or necessary to secure claims,
- until consent is withdrawn – where processing is based on consent.
Rights of data subjects
Each data subject has the right to:
- access their personal data,
- rectify personal data,
- erasure (the right to be forgotten),
- restriction of processing,
- data portability,
- object to processing,
- withdraw consent at any time,
- lodge a complaint with the President of the Personal Data Protection Office (PUODO).
Data security
The Company applies appropriate technical and organizational measures to protect personal data, including IT system security, access control, internal procedures and staff training.
Image and production materials
The use of image/likeness, voice and other data recorded in production materials is based on contracts, consents and applicable regulations concerning copyright and personal rights.
Compliance with VRC Privacy Requirements (VRC.Privacy.1 – VRC.Privacy.4)
The Company declares compliance with the privacy requirements defined as VRC.Privacy.1 – VRC.Privacy.4, including in particular:
VRC.Privacy.1 – Transparency
Personal data are processed in a transparent manner. Data subjects are informed about the scope, purposes, legal basis and duration of data processing through this document, contractual clauses and information notices.
VRC.Privacy.2 – Data minimization and purpose limitation
The Company processes only such personal data that are necessary and proportionate for the execution of a given production or project. Data are not used for purposes incompatible with the original purpose of collection.
VRC.Privacy.3 – Security and confidentiality
Appropriate technical and organizational measures are applied to protect personal data against unauthorized access, disclosure, loss or alteration, including access control, secure storage, encryption where applicable, and confidentiality obligations imposed on personnel and collaborators.
VRC.Privacy.4 – Data subject rights and control
The Company ensures effective mechanisms enabling data subjects to exercise their rights, including access, rectification, erasure, restriction, objection and withdrawal of consent, in accordance with applicable data protection laws.
Changes to the document
The Company reserves the right to update these Privacy Protection Principles. The current version of the document shall be effective as of the date of its publication or disclosure.