The Data Controller for Passengers' data is InnoBaltica Sp. z o.o.

Access to Passenger data is defined in the Information Clause for Passengers (available at: https://innobaltica.pl/innobaltica/dla-pasazerow/) in the section regarding data recipients, which states:

Recipients of your personal data are entities authorized to receive such data under the law. These also include the following ticket issuers:

• Zarząd Transportu Miejskiego w Gdańsku (ZTM Gdańsk);

• Zarząd Komunikacji Miejskiej w Gdyni (ZKM Gdynia);

• Zarząd Infrastruktury Miejskiej w Słupsku (ZIM Słupsk);

• Miejski Zakład Komunikacji spółka z o.o. w Chojnicach (MZK Chojnice);

• Zakład Komunikacji Miejskiej w Lęborku Spółka z o.o. (ZKM Lębork);

• Miejski Zakład Komunikacji Wejherowo Sp. z o.o. (MZK Wejherowo);

• Przewozy Autobusowe Gryf sp. z o.o. sp. k.;

• PKS Gdynia S.A.;

• POLREGIO S.A.;

• PKP Szybka Kolej Miejska w Trójmieście Sp. z o.o. (PKP SKM).

Personal data will be shared primarily with the Controller's employees, in accordance with their authorizations and permissions, to ensure the proper management of data processing operations, within the necessary time and scope.

The Controller’s employees have been trained in applicable personal data protection laws as well as the Controller’s internal data protection policies. They are also bound by a confidentiality agreement regarding all personal data and security measures.

Personal data may also be disclosed to persons authorized by the Controller, IT service providers, postal or courier operators, the card manufacturer, other entities providing services under the designated transport agreement, and entities providing services to the Controller.

Obligations under the GDPR will be fulfilled promptly, professionally, and in accordance with applicable law.