PRIVACY POLICY (GDPR)

Last updated: 08.03.2026

1. Introduction

1.1. RAZMIK KHACHATRIAN LEX AGENCY (hereinafter — the “Company”, “we”, the “Data Controller”), registered in Poland under NIP 8971947077 and REGON 540489158, with its address at 53-633, Poland, Wroclaw, Dluga Street 57c, and email address mail@razmikkhachatrian.com, acts as the operator (controller) of the website https://razmikkhachatrian.com/ (the “Website”) and gives high priority to the protection of personal data of clients, partners, contractors, job applicants, representatives of legal entities and Website visitors.

1.2. This Privacy Policy (the “Policy”) defines what personal data may be collected, from which sources such data is obtained, on what legal grounds and for what purposes it is processed, how long it is stored, to whom it may be transferred, what security measures are applied, and what rights belong to data subjects.

1.3. The Company seeks to comply with applicable data protection laws to the extent they apply to the relevant relationships, including, among other things, the laws of the European Union, including the General Data Protection Regulation (GDPR), Polish data protection rules (RODO), as well as other applicable legal acts in relevant jurisdictions, where their application is determined by the nature of the service, the territory where the service is provided, the composition of the parties, or other legally significant circumstances.

2. Data Controller and Contact Information

2.1. The controller of your personal data is RAZMIK KHACHATRIAN LEX AGENCY (NIP: 8971947077, REGON: 540489158).

2.2. If you have any questions related to this Policy, the processing of personal data, the exercise of your rights, or the submission of requests, notices and communications, you may contact us using the following details:

Email: mail@razmikkhachatrian.com

Phone: +48 572 288 621

Address: 53-633, Poland, Wroclaw, Dluga Street 57c

3. Data Protection Officer (DPO)

3.1. In cases where this is required by applicable law or by the internal organisation of data processing activities, the Company may appoint a responsible person or use a dedicated contact point for issues related to personal data protection.

3.2. For matters related to personal data protection, you may use the following contact details:

Email: mail@razmikkhachatrian.com

Phone: +48 572 288 621

4. Categories of Personal Data That May Be Processed

Depending on the nature of the interaction, the type of request, the scope of the service, the applicable law and the information actually provided, we may process the following categories of personal data:

4.1. Identification and contact data: first name, last name, patronymic (if applicable), date of birth, citizenship, contact phone number, email address, postal address, identity document details, and other identifiers necessary for the provision of services or compliance with legal obligations.

4.2. Social, professional and related information: information about place of work, position, education, family status, family composition, residence status, migration status, business role, as well as other information if required for the provision of a specific service or if you provide it voluntarily.

4.3. Interaction data: history of requests, correspondence, content of enquiries, information about ordered or discussed services, dates and times of contacts, files and documents sent through the Website, email, messengers or other communication channels.

4.4. Photo, video and documentary materials: images, videos, copies of documents, powers of attorney, identity confirmations, payment documents and other materials that you send voluntarily or that are necessary to verify a request, identify a person, perform a contract or comply with legal requirements.

4.5. Technical data: IP address, browser and device data, cookies, information about Website visits, referrer URL, technical logs, information about actions performed on the Website, approximate geographic data, system metadata and other technical information generated during the use of the Website.

4.6. Special categories of data: health data, biometric data, religious or philosophical beliefs, data concerning origin and other sensitive information — solely in cases where such data is voluntarily provided by you, is objectively necessary for the provision of the relevant service, or where its processing is expressly permitted or required by applicable law.

5. Sources of Personal Data and Purposes of Processing

5.1. Sources of data

directly from you — when filling out forms on the Website, corresponding with us, making calls, sending documents and requests;

from publicly available sources — where necessary to verify information, perform obligations or protect legitimate interests;

from your representatives, partners, contractors, intermediaries, employers or other third parties — where an appropriate legal basis exists;

from technical systems and logs generated during the use of the Website.

5.2. Purposes of data processing

reviewing requests, applications and enquiries;

preparing offers, documents, replies, legal and organisational materials;

providing legal, consulting, business consulting, IT and related services;

identifying the client, representative or contractor;

performing a contract and taking pre-contractual steps;

maintaining correspondence and supporting the project;

issuing invoices, recording payments, and providing accounting and tax support;

complying with legal requirements, interacting with government authorities and fulfilling mandatory procedures;

ensuring the security of the Website, preventing fraud, abuse and unauthorised access;

improving the quality, structure, functionality and user experience of the Website;

internal audit, risk management, and protection of the Company’s rights and legitimate interests.

6. Legal Bases for Processing Personal Data

We process personal data on one or more legal bases provided by applicable law, including:

6.1. Consent of the data subject — where processing is carried out on the basis of your freely given, specific, informed and unambiguous consent.

6.2. Necessity for the performance of a contract or for taking steps prior to entering into a contract — where processing is objectively necessary to provide a service, review a request, prepare an offer or fulfil assumed obligations.

6.3. Compliance with a legal obligation — where processing is required to comply with tax, accounting, migration, procedural, corporate, compliance and other legal requirements.

6.4. Protection of vital interests — in exceptional cases, where processing is necessary to protect the life or health of the data subject or another person.

6.5. Legitimate interests of the Company or third parties — where such processing is necessary to protect rights, ensure security, prevent abuse, carry out internal administration, conduct business activities, and does not disproportionately infringe your fundamental rights and freedoms.

7. Retention Periods for Personal Data

7.1. Personal data is stored no longer than necessary to achieve the purposes of processing, perform a contract, comply with legal obligations, resolve disputes, protect the rights of the Company or fulfil requirements arising from applicable law.

7.2. Approximate retention periods may include:

identification and basic client data — up to 5 years after the end of cooperation, unless a different period is required by law;

interaction, correspondence and request data — up to 3 years, unless longer retention is required to protect rights or fulfil obligations;

technical data and logs — usually up to 12 months, unless a different period is required by security concerns or law;

documents and materials related to specific cases — for the period necessary to perform the service, provide follow-up support, reporting, protect rights and fulfil archiving obligations;

special categories of data — only for the period strictly necessary for the relevant purpose and where an appropriate legal basis exists.

7.3. After the applicable retention period expires, data is deleted, anonymised, archived or destroyed in a secure manner, unless further retention is required by law, court proceedings, tax obligations, protection of the Company’s rights or other lawful grounds.

8. Transfer of Personal Data to Third Parties

8.1. Depending on the nature of the service and the purpose of processing, personal data may be transferred to the following categories of recipients, subject to compliance with the law and the principle of necessity:

IT providers, hosting providers, cloud services, data storage and technical support services;

payment providers, accounting and tax services;

lawyers, attorneys, consultants, notaries, translators, compliance specialists and other professional partners, where necessary to provide the service;

government authorities, courts, administrative institutions, banks and other authorised entities — where transfer is required by law, by a competent authority’s request or for the protection of rights;

contractors and partners involved in the performance of a specific service or project.

8.2. Data transfers are carried out on the basis of a contract, data processing arrangement, legal obligation, legitimate interest or another lawful mechanism, and are accompanied by measures aimed at ensuring an adequate level of data protection.

9. International Data Transfers

9.1. Your personal data may be processed or stored both in Poland and in other countries, where this is necessary for the provision of the service, operation of the Website, use of international infrastructure, interaction with partners or technical hosting of data.

9.2. If data is transferred outside the European Economic Area (EEA) or to other jurisdictions with a different data protection regime, the Company seeks to use appropriate legal safeguards, including Standard Contractual Clauses (SCC), contractual guarantees, organisational measures and other lawful instruments provided by applicable law.

9.3. International transfers are carried out only to the extent objectively necessary for the relevant processing purpose.

10. Security of Personal Data

10.1. The Company takes reasonable technical, organisational and physical measures to protect personal data against unauthorised access, alteration, disclosure, loss, destruction and other unlawful use.

10.2. Such measures may include:

Technical measures:

encryption of data during transmission and, where applicable, during storage;

use of network protection, logging, antivirus and anti-spam systems;

restriction of access to data based on roles and the need-to-know principle;

multi-factor authentication where appropriate;

software updates, patch management and vulnerability control.

Organisational measures:

internal rules for access to information and allocation of authority;

staff training on confidentiality and security matters;

contractual confidentiality obligations for employees and contractors;

internal control, audit and regular risk assessment.

Physical measures:

restriction of access to premises, devices and data carriers;

protection of paper and electronic archives against unauthorised access.

11. Notification of Security Breaches

11.1. If an incident involving the security of personal data occurs, the Company acts with due regard to the nature of the incident, applicable law, the level of risk and the scope of potential consequences.

11.2. Where legally required, the Company may:

notify the competent supervisory authority within the prescribed time frame;

notify affected data subjects if the incident poses a high risk to their rights and freedoms;

take measures to contain, investigate and remedy the consequences of the incident;

review internal procedures and strengthen safeguards to prevent recurrence of similar incidents.

12. Joint Processing and Data Processors

12.1. Where data processing is carried out jointly with other controllers or with the involvement of processors, the Company may enter into appropriate agreements governing the subject matter of processing, purposes, allocation of roles, security measures and obligations of the parties.

12.2. Such third parties are required to comply with confidentiality and security requirements to the extent provided by law and contract.

13. Legal Bases for Processing Special Categories of Data

13.1. Special categories of personal data are processed only in exceptional cases and where an appropriate legal basis exists, including:

explicit consent of the data subject;

necessity for the establishment, exercise or defence of legal claims;

necessity to protect vital interests;

performance of obligations and exercise of rights in areas permitted by law;

other grounds expressly provided by applicable law.

14. Rights of the Data Subject

Depending on the applicable law and the circumstances of processing, you may have the following rights:

14.1. Right of Access — the right to obtain confirmation that personal data is being processed, a copy of such data and information about the conditions of processing.

14.2. Right to Rectification — the right to require the correction of inaccurate data or the completion of incomplete data.

14.3. Right to Erasure — the right to request deletion of data in cases provided by law.

14.4. Right to Restrict Processing — the right to request temporary restriction of processing where lawful grounds exist.

14.5. Right to Object — the right to object to processing based on legitimate interests, as well as to direct marketing if such marketing is used.

14.6. Right to Data Portability — the right to receive certain data in a structured, commonly used, machine-readable format and, where possible, to request its transfer to another controller.

14.7. Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

14.8. Right to Lodge a Complaint — the right to lodge a complaint with the competent supervisory authority if you believe that your rights have been violated.

15. Procedure for Exercising the Right to Data Portability

15.1. To exercise the right to data portability, you may send a request to mail@razmikkhachatrian.com, stating your identification details, the scope of data to be transferred and, where necessary, information about the recipient.

15.2. The Company reviews the request within a reasonable period provided by applicable law and, if the right to data portability actually applies to the specific processing, provides the data in the appropriate format or issues a reasoned response.

16. Procedure for Restricting Data Processing

16.1. If you wish to request restriction of data processing, send a request to mail@razmikkhachatrian.com stating the reasons, circumstances and, where necessary, supporting documents.

16.2. After reviewing the request, the Company will notify you of its decision and, where grounds exist, will restrict processing to the extent required by law.

17. Loss, Theft or Compromise of Data

17.1. In the event of loss, theft, compromise or any other incident affecting personal data, the Company takes measures to establish the circumstances, contain the incident, minimise consequences and restore security.

17.2. Where necessary, the Company may:

conduct an internal investigation;

take technical and organisational measures to prevent recurrence of the incident;

notify affected persons and competent authorities, where required by law;

provide recommendations to reduce possible risks for the data subject.

18. Storage of Logs and Metadata

18.1. The Company may store log files and technical metadata generated during visits to and use of the Website for the purposes of:

ensuring the security of the Website and network infrastructure;

detecting and preventing abuse, attacks and technical failures;

administration, diagnostics and improvement of the Website’s quality.

18.2. The retention period for such data generally does not exceed 12 months, unless longer retention is required for reasons of security, law or protection of rights.

19. Anonymisation and Pseudonymisation

19.1. Where necessary, the Company may use anonymisation, aggregation and pseudonymisation methods to reduce the risks of identifying a data subject.

19.2. Anonymisation means processing data in such a way that identification of a specific individual becomes impossible or practically impossible using reasonable means.

19.3. Pseudonymisation means replacing direct identifiers with codes, designations or other conditional identifiers, which reduces risks while preserving the possibility of lawful processing.

20. Audit and Risk Assessment

20.1. To maintain an appropriate level of data protection, the Company may conduct internal reviews, process audits, risk assessments, vulnerability analysis, review access procedures and take other internal control measures.

20.2. Such measures may include both technical and organisational assessment, including analysis of legislative changes, staff training and updates to internal policies.

21. Review and Update of the Privacy Policy

21.1. The Company reserves the right to periodically review, supplement and update this Policy.

21.2. In the event of material changes, the new version is published on the Website. In appropriate cases, additional methods of notification may be used where required by law or considered appropriate.

21.3. The current version of the Policy is available at: https://razmikkhachatrian.com/5-privacy-policy-gdpr-final-en.html.

22. Consequences of Refusal or Withdrawal of Consent

22.1. If the processing of certain data is based on your consent, you have the right not to provide such consent or to withdraw it in the future.

22.2. In such a case, certain functions of the Website, some methods of communication, marketing communications or certain services may be restricted or unavailable to the extent that their performance is impossible without the relevant processing.

22.3. After withdrawal of consent, the Company ceases processing based specifically on that consent, unless further processing is required on another lawful basis.

23. Processing of Children’s Data

23.1. The Website and the Company’s services are not intended for persons under 18 years of age, unless this directly follows from the nature of a specific service and a legal basis.

23.2. The Company does not knowingly seek to collect children’s personal data without an appropriate legal basis. If you become aware that such data has been provided to us by mistake or without the necessary grounds, please immediately notify us at mail@razmikkhachatrian.com.

24. Contact Details for Personal Data Requests

For all questions related to the processing of personal data, the exercise of data subject rights, submission of requests, objections, notices and complaints, you may use the following contacts:

Name: RAZMIK KHACHATRIAN LEX AGENCY

NIP: 8971947077

REGON: 540489158

Email: mail@razmikkhachatrian.com

Phone: +48 572 288 621

Postal address: 53-633, Poland, Wroclaw, Dluga Street 57c

25. Use of Cookies

25.1. What cookies are. Cookies are small text files stored on your device when you use the Website and allow the Website to recognise the device, remember settings, ensure the technical functioning of the Website, analyse user behaviour and, where applicable, support certain marketing functions.

25.2. Categories of cookies used may include:

strictly necessary cookies — for the basic operation and security of the Website;

session cookies — active during the current browser session only;

persistent cookies — stored on the device for a specific period of time;

analytical cookies — to assess traffic and improve the Website structure;

functional cookies — to store user preferences;

advertising or targeting cookies — if such tools are used.

25.3. Purposes of using cookies may include:

ensuring the proper and secure operation of the Website;

saving user settings;

analysing traffic and improving user experience;

improving ease of navigation and effectiveness of certain functions.

25.4. More detailed information about cookies, their retention periods and management mechanisms may be contained in a separate Cookie Policy.

26. Final Provisions

26.1. All matters not expressly regulated by this Policy are governed by the applicable law of the country where the Data Controller is located, as well as other mandatory rules applicable to the relevant legal relationship.

26.2. A new version of this Policy enters into force from the moment it is published on the Website, unless otherwise expressly stated in the new version itself.

27. Entry into Force

27.1. This Policy is effective from the moment it is published on the Website at https://razmikkhachatrian.com/5-privacy-policy-gdpr-final-en.html and remains in force until replaced by a new version or revoked.

27.2. Last update of this Policy: 08.03.2026.

28. How to Contact Us Regarding the Processing of Personal Data

28.1. If you have any questions, suggestions or comments, or if you intend to exercise one or more rights related to the processing of personal data, please contact us using the following details:

Organisation name: RAZMIK KHACHATRIAN LEX AGENCY

NIP: 8971947077

REGON: 540489158

Email: mail@razmikkhachatrian.com

Phone: +48 572 288 621

Postal address: 53-633, Poland, Wroclaw, Dluga Street 57c

28.2.

By using the Website, you confirm that you have reviewed with this Privacy Policy to the extent applicable. In cases where consent is required for specific processing, such consent is provided separately or by taking the relevant action, if permitted by law.