XELTO DIGITAL Sp. z o.o.
Kurniki 9, 31-156 Kraków, Poland, entered into the Register of Entrepreneurs of the National Court Register (KRS) kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register, under the number: 0000841003, NIP: 6762580430, REGON: 386040730, share capital PLN 50,000.00, Website: https://xeltodigital.com/ (hereinafter referred to as the “Website”)

(hereinafter referred to as the “Company”)

As part of its business, it manages and processes personal data of the entities listed below. These Personal Data Processing Principles (hereinafter referred to as the “Policy”) explain to data subjects the circumstances of the processing of their personal data and the rights they have in relation to such processing.

1. DATA SUBJECTS, PURPOSES, SCOPE, DURATION AND LEGAL BASIS FOR PROCESSING

  1. CLIENTS – ENTREPRENEURS (SELF-EMPLOYED)

As a controller, the Company processes personal data of clients – entrepreneurs (self-employed) for the purposes, on the legal grounds and for the periods indicated below:

  • Purpose: To negotiate the conclusion of a contract for the provision of services, the conclusion of such a contract and the performance of such a contract.
    Scope of data: Name and surname / company name, registered office, data on entry in the public register, telephone number, e-mail address, bank account number, signature.
    Legal basis: The need to process personal data for the performance of a contract to which the data subject is a party or to implement measures taken at the request of the data subject prior to entering into a contract.
    Period: For the period necessary to negotiate the conclusion of the contract and the performance of the contract.
  • Purpose: Accounting and tax purposes and fulfillment of archiving obligations.
    Data scope: Name and surname / company name, registered office, data on entry in the public register, bank account number, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Period: For a mandatory period of 10 years, unless longer periods are provided for by law.
  • Purpose: Execution of any claims of the Company (storage of data necessary as evidence in court proceedings).
    Scope of data: Name and surname / company name, identification number, registered office, data on entry in the public register, signature.
    Legal basis: Legitimate interest.
    Term: During the term of the contract and after its termination until the expiry of the limitation periods.
  • Purpose: To send unsolicited commercial communications.
    Scope of data: Name, surname, email address.
    Legal basis: Legitimate interest (direct marketing).
    Duration: During the period of cooperation with the client, after the end of cooperation – for a period of 3 years.
  • Purpose: Sending commercial communications for marketing and advertising purposes.
    Scope of data: Name, surname and email address.
    Legal basis:
    Period: For as long as reasonably necessary until consent is withdrawn.

  2. CONTACT PERSONS OF CUSTOMERS – LEGAL ENTITIES: A MEMBER OF THE STATUTORY BODY OR ANOTHER PERSON AUTHORIZED TO NEGOTIATE THE CONCLUSION AND TERMS OF THE CONTRACT FOR THE PROVISION OF SERVICES OR TO CHANGE THE TERMS OF THE CONTRACT AND TO COMMUNICATE REGARDING THE PERFORMANCE OF THE CONTRACT ON THE PART OF THE CLIENT

As a processor, the Company processes personal data of a member of the statutory body or other person authorized to negotiate the conclusion and terms of the contract or change the terms of the contract and to communicate regarding the performance of the contract on the client’s side for the purposes, to the extent and according to the legal bases and in the periods indicated below:

  • Purpose: Negotiations on the conclusion, terms or amendment of the terms of the Service Agreement and communication regarding the performance of the Agreement, communication regarding the provision of other services of the Company.
    Scope of data: Name, surname, email address, telephone number, signature.
    Legal basis: Service contract concluded with the customer.
    Period: For the period necessary to negotiate the conclusion, terms or amendment of the terms of the contract and for the period of communication regarding the performance of the contract.
  • Purpose: Execution of any claims of the Company (storage of data necessary as evidence in court proceedings).
    Data scope: Name, surname, signature.
    Legal basis: Legitimate interest.
    Term: During the term of the contract and after its termination until the expiry of the limitation periods.

As the controller of personal data for the above-mentioned data subjects, the Company processes personal data for the purposes, to the extent, according to the legal grounds and for the periods indicated below:

  • Purpose: To send unsolicited commercial communications.
    Scope of data: Name, surname, email address.
    Legal basis: Legitimate interest (direct marketing).
    Period: For the duration of the cooperation with the customer who is a legal entity and after the termination of the cooperation for a period of 3 years or until the data subject ceases to represent the customer.
  • Purpose: Sending commercial communications for marketing and advertising purposes.
    Scope of data: Name, surname and email address.
    Legal basis:
    Period: For as long as reasonably necessary until consent is withdrawn.

  3. DATA SUBJECTS WHOSE PERSONAL DATA ARE STORED IN THE CLIENT’S IT SYSTEMS

As a processor, the Company processes personal data of third parties contained in the IT systems of the Company’s clients for the purposes, to the extent, according to the legal grounds and in the periods indicated below:

  • Purpose: Provision of services by the Company to clients on the basis of a contract for the provision of services.
    Scope of data: To the extent specified by the customer, usually name, surname, bank account, email address, date of birth, identification number, VAT number, billing address.
    Legal basis: The need to process personal data for the purpose of performing a contract for the provision of services to which the customer is a party.
    Term: For the duration of the Service Agreement.

  4. CONTACT PERSONS OF POTENTIAL CUSTOMERS

As the controller, the Company processes personal data of contact persons of potential customers of the Company for the purposes, on the legal grounds and for the periods indicated below:

  • Purpose: Contact with a person for the purpose of establishing cooperation and presenting the Company’s service offer, concluding a contract for the provision of services.
    Data scope: Name, surname, email address or telephone number.
    Legal basis: Legitimate interest (acquiring new customers).
    Period: For the period necessary to present the Company’s services and establish business cooperation, at the latest until the acceptance or rejection of the Company’s offer.

If the Company does not obtain the above personal data directly from the data subject, the source of personal data obtained by the Company is:

    • the prospective client’s website or other publicly accessible website, or
    • a publicly accessible profile of the data subject on the social network LinkedIn.

  5. JOBSEEKERS

As the controller, the Company processes personal data of job candidates for the purposes, on the legal grounds and for the periods indicated below:

  • Purpose: To carry out the procedure of selecting an employee for the position.
    Scope of data: Data provided in the CV, usually name, surname, position, date of birth, address of residence, email address, telephone number, education, previous place of employment.
    Legal basis: The need to process personal data for the performance of a contract to which the data subject is a party or to implement measures taken at the request of the data subject prior to entering into a contract.
    Duration: For the duration of the selection procedure.

  6. EMPLOYEES – EMPLOYMENT CONTRACT

  • Purpose: To negotiate the conclusion of an employment contract, conclude such a contract and perform such a contract.
    Scope of data: Name, surname, position, birth number, date of birth, address of residence, telephone number, email address, signature, education, health information (mandatory medical examinations), bank account number.
    Legal basis: The need to process personal data for the performance of a contract to which the data subject is a party or to implement measures taken at the request of the data subject prior to entering into a contract.
    Period: For the period necessary to negotiate the conclusion of the contract and the performance of the contract.
  • Purpose: Accounting, payroll and tax purposes as well as fulfillment of archiving obligations.
    Scope of data: Name, surname, birth number, date of birth, address of residence, marital status (information on the number of children you have, information about your spouse), name and code of the company providing health insurance, number of the insured person, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Period: For a mandatory period of maximum 30 years, unless otherwise required by law.
  • Purpose: Execution of any claims of the Company (storage of data necessary as evidence in court proceedings).
    Scope of data: Name, surname, birth number, date of birth, address of residence, signature.
    Legal basis: Legitimate interest.
    Term: During the term of the contract and after its termination until the expiry of the limitation periods.
  • Purpose: To present the Company on the Website.
    Data scope: Name, surname, position, profile.
    Legal basis:
    Period: For the duration of the employment relationship or until consent is withdrawn.

  7. EMPLOYEES – CONTRACTS FOR THE PERFORMANCE OF WORK OUTSIDE THE EMPLOYMENT RELATIONSHIP

  • Purpose: To negotiate the conclusion of an out-of-employment contract (hereinafter referred to as the “Agreement”), to conclude such an Agreement and to implement such an Agreement.
    Scope of data: Name, surname, position, birth number, date of birth, address of residence, telephone number, email address, signature, bank account number.
    Legal basis: The need to process personal data for the performance of a contract to which the data subject is a party or to implement measures taken at the request of the data subject prior to entering into a contract.
    Period: For the period necessary to negotiate the conclusion of the contract and the performance of the contract.
  • Purpose: Accounting, payroll and tax purposes as well as fulfillment of archiving obligations.
    Scope of data: Name, surname, birth number, date of birth, address of residence, marital status (information on the number of children you have, information about your spouse), name and code of the company providing health insurance, number of the insured person, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Period: For a maximum period of 10 years, unless otherwise required by law.
  • Purpose: Execution of any claims of the Company (storage of data necessary as evidence in court proceedings).
    Scope of data: Name, surname, birth number, date of birth, address, signature.
    Legal basis: Legitimate interest.
    Term: During the term of the contract and after its termination until the expiry of the limitation periods.
  • Purpose: To present the Company on the Website.
    Data scope: Name, surname, position, profile.
    Legal basis:
    Period: For the duration of the employment relationship or until consent is withdrawn.

  8. SUPPLIERS (SELF-EMPLOYED)

As a controller, the Company processes personal data of suppliers (self-employed) for the purposes, on the legal grounds and for the periods indicated below:

  • Purpose: To negotiate the conclusion of a contract with the supplier, the conclusion of such a contract and the performance of such a contract.
    Scope of data: Name and surname / company name, registered office, information on entry in the public register, telephone number, e-mail address, bank account number, signature.
    Legal basis: The need to process personal data for the performance of a contract to which the data subject is a party or to implement measures taken at the request of the data subject prior to entering into a contract.
    Period: For the period necessary to negotiate the conclusion of the contract and the performance of the contract.
  • Purpose: Accounting and tax purposes and fulfillment of archiving obligations.
    Data scope: Name and surname / company name, registered office, bank account number, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Period: For a mandatory period of 10 years, unless longer periods are provided for by law.
  • Purpose: Execution of any claims of the Company (storage of data necessary as evidence in court proceedings).
    Scope of data: Name and surname / company name, identification number, registered office, signature.
    Legal basis: Legitimate interest.
    Term: During the term of the contract and after its termination until the expiry of the limitation periods.
  • Purpose: To present the Company and its partners on the Website.
    Data scope: Name, surname, relationship with the company, photos.
    Legal basis:
    Period: For the duration of cooperation with the Company or until the consent is withdrawn.

  9. WEBSITE VISITORS

As a controller, the Company processes cookies related to visitors to the Website.

Cookies are text files containing small pieces of information that are downloaded to your mobile device, computer or other device when you visit the Website. With each subsequent visit to the Website, cookies are sent back to the original Website or another website that recognises cookies. By using cookies, the Website simply stores information about visits to the Website.

The Website uses different categories of cookies for different purposes. Necessary cookies are necessary to maintain the basic functionality of the Website. Therefore, in order for the Website to fulfill its basic function, the Company cannot do without such cookies. Necessary cookies may be processed by the Company without the consent of the person visiting the Website. All other cookies may be processed by the Company only with the consent of the Website visitor, which the Website visitor may withdraw (reject) at any time in the cookie settings. However, withdrawing consent or not giving it may affect your browsing experience.

  10. PERSON WHO CONTACTS THE COMPANY

As the controller, the Company processes personal data of persons who contact the Company via e-mail, telephone or form on the Website, for the purposes, to the extent, according to the legal grounds and in the periods indicated below:

  • Purpose: To answer the questions of the people asking them.
    Scope of data: Name, surname, e-mail address, telephone number or company name, identification number, registered office, position.
    Legal basis: Legitimate interest in replying.
    Period: For the time strictly necessary to answer the question and for further communication.
  • Purpose: To arrange a meeting with a representative of the Company through the calendar on the Website.
    Scope of data: Name, surname, e-mail address, telephone number, position.
    Legal basis: Legitimate interest in arranging a meeting.
    Period: For the time strictly necessary to organize the meeting and for further communication.
  • Purpose: Sending commercial communications for marketing and advertising purposes.
    Scope of data: Name, surname and e-mail address, telephone number or company name, identification number, registered office, position.
    Legal basis:
    Period: For as long as reasonably necessary until consent is withdrawn.

  11. MANAGING DIRECTOR AND PARTNER OF THE COMPANY

The Company processes personal data of directors and associates of the Company for the purposes, on the legal grounds and for the periods indicated below:

  • Purpose: Administration of the enterprise.
    Scope of data: Name and surname, date of birth or birth number, place of residence and permanent residence, email address, telephone number, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Duration: For as long as necessary.
  • Purpose: Accounting and tax purposes, fulfillment of archiving obligations.
    Scope of data: Name and surname, date of birth or birth number, place of residence and permanent residence, bank account number, signature.
    Legal basis: Necessity of processing to comply with legal obligations imposed on the Company by law.
    Period: For the strictly necessary period of 10 years, unless longer periods are provided for by law.
  • Purpose: To present the Company on the Website.
    Scope of data: Name, surname, position, photo.
    Legal basis:
    Period: During the term of office of the Managing Director of the Company or until the consent is withdrawn.

2. VOLUNTARY SHARING OF DATA

The data subject provides the Company with his/her personal data voluntarily. Failure to provide personal data may affect the Company’s ability to conclude a contract or perform its obligations towards the data subject, based on the necessary knowledge of information about the data subject, including personal data.

3. RECIPIENTS AND PROCESSORS OF PERSONAL DATA

Entities processing personal data:

  • Accounting services
  • Storage, e-mail server, calendar, teleconferencing
  • Marketing services
  • IT service providers, sales representatives: Xelto Digital Sp. z o.o.
  • Processing of cookies

The recipients of personal data may be competent state administration authorities (tax office, social insurance institution, etc.).

It should be noted, however, that because the providers of certain services change over time, it is not possible to identify all current and future processors of personal data. Therefore, the above list of processors may change over time.

The Company does not transfer personal data to any international organization.

4. METHOD OF PERSONAL DATA PROCESSING

The Company and, where applicable, processors process personal data manually (in electronic form) and electronically by automated means.

When processing personal data, no automated decision-making processes, including profiling, are used.

5. SECURITY OF PERSONAL DATA

In order to secure personal data, the Company makes every effort to protect it from misuse. As part of its business, the Company will do everything in its power to prevent security incidents from occurring and will always use only proven technical solutions.

However, there is always some risk that there will be a leak, misuse or loss of personal data. If, despite the Company’s best efforts, a security incident occurs and poses a serious risk to the rights and freedoms of the data subject, the Company will immediately inform the data subject by means of the email address provided and by publishing such information on the Website, taking into account all necessary details.

6. RIGHTS OF DATA SUBJECTS

The data subject has the following rights:

a) Right of access to personal data

The data subject has the right to obtain confirmation from the Company as to whether or not personal data concerning him or her is being processed and, if so, the right to access such personal data and the following information:

    1. the purposes of the processing of personal data;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
    4. the envisaged period during which the personal data will be processed or, if this cannot be determined, the criteria used to determine such period;
    5. the existence of the right to request the Company to rectify or delete personal data of the data subject, to restrict their processing or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. any available information on the source of the personal data, if it has not been obtained from the data subject.

The data subject has the right to request from the Company a copy of the processed personal data, provided that this does not adversely affect the rights and freedoms of other persons. For additional copies issued at the request of the data subject, the Company may charge a reasonable fee based on administrative costs. Where the data subject submits the request in electronic form, the information will be made available in commonly used electronic form, unless the data subject requests otherwise.

b) Right to rectification

The data subject has the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.

c) Right to erasure (right to be forgotten)

The data subject has the right to request the Company to erase personal data relating to the data subject without undue delay, and the Company is obliged to erase the personal data without undue delay if any of the following reasons apply:

    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on the basis of which the personal data were processed and there is no other legal ground for the processing;
    • the data subject raises reasonable objections to the processing of personal data;
    • the personal data have been unlawfully processed;
    • the personal data must be deleted in order to comply with a legal obligation set out in the regulations of the European Union and Poland;
    • the personal data were collected in connection with the offer of information society services on the basis of the consent given by the child.

d) Right to restriction of processing

The data subject has the right to request the Company to restrict processing in any of the following cases:

    • the data subject denies the accuracy of the personal data – for the period needed by the Company to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject refuses to erase the personal data and requests the restriction of their use instead;
    • the Company no longer needs the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise or defence of legal claims.

e) Right to transfer personal data

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Company in a structured, commonly used and machine-readable format and the right to transfer such data to another controller without the Company withholding such transfer where:

    1. the processing is based on consent to the processing of personal data or it concerns the processing of personal data for the purpose of concluding and performing a contract with the data subject; and at the same time
    2. the processing is carried out by automated means.

When exercising the right to data portability, the data subject has the right to request the Company to transfer personal data directly to another controller, if technically feasible. The right to transfer personal data must not adversely affect the rights and freedoms of others.

f) Right to object

The data subject has the right to object to the processing of personal data. If the data subject objects to processing for direct marketing or profiling purposes, the personal data will no longer be processed for those purposes.

The objection will be assessed and then the Company will inform the data subject whether the objection has been accepted and the Company will no longer process the data or whether the objection was not justified and the processing will continue to take place. Until the objection is resolved, the processing will be limited.

g) The right not to be subject to automated decisions, including profiling

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling (i.e. any form of automated processing of personal data consisting of their use for the assessment of certain personal aspects concerning the data subject) which produces legal effects for him or her or affects him or her substantially in a similar way. This right does not apply if automated decisions are necessary for the conclusion or performance of a contract between the data subject and the Company or are based on the explicit consent of the data subject; in such cases, however, the data subject has the right to human intervention in the automated decisions of the Company, the right to express his or her own opinion and the right to contest automated decisions.

h) Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint regarding the processing of his personal data by the Company to the supervisory authority.

7. FINAL PROVISIONS

The Company has not appointed a personal data protection officer.

The Company has the right to unilaterally change these rules for the protection and processing of personal data.

This Privacy and Processing Policy enters into force on [11.08.2023].