Privacy Policy

Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. attach great importance to the transparency of operation and value the basic right of every person to privacy. Guaranteeing the confidentiality and protection of your data is important to us, which is why we strive to ensure that the adopted data processing rules comply with the provisions of applicable law, as well as with respect for fundamental rights and freedoms, and ensure their confidentiality and proper security.

The purpose of this Privacy Policy, hereinafter referred to as the “Policy,” is to inform you about issues related to the processing of personal data and privacy protection in connection with the use of our service. In the content of the Policy, we provide you with information on how your personal data will be processed and in what manner and for what purposes this data will be used. A person who visits the service and actively uses it thereby accepts the terms specified in this document.

Information about the Data Controller

The Controller of your personal data within the meaning of Article 4, section 7 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”) is:

  • Xelto Sp. z o.o., ul. Winogrady 18, 61-663 Poznań, NIP: 972-12-43-826, REGON: 302415061, KRS: 0000472643;
  • Xelto Digital Sp. z o.o., ul. Kurniki 9, 31-156 Kraków, NIP: 6762580430, REGON: 386040730, KRS 0000841003;
  • Xelto Digital Czechia s.r.o., Rybná 716/24, 110 00 Prague, DIČ CZ10964452.

The specific Controller depends on which company’s services you use.

In the case of the recruitment process and marketing activities, we are the Controllers of your personal data, performing co-administration of your personal data. Within the framework of the concluded written co-administration agreement, we have agreed on the scope of our responsibility regarding the fulfillment of obligations arising from the GDPR, in particular that:

  • We, as Controllers, are responsible for fulfilling the information obligation towards you.
  • The company Xelto Sp. z o.o. as Co-Administrator is responsible for enabling the exercise of your rights. Notwithstanding the above, you may also exercise your rights against each of the Co-Administrators. In such a case, we will forward your request to the Co-Administrator who will implement your request.

Contact with the Controller is possible via the correspondence data indicated above and the following contact details:

  • Xelto Sp. z o.o.: phone number: +48 608 92 00 33; email address: office@xelto.com.
  • Xelto Digital Sp. z o.o.: phone number: +48 503 639 324; email address: sales_rpa@xelto.com.
  • Xelto Digital Czechia s.r.o.: phone number: +420 737 261 457; email address: xd_czechia@xelto.com.

Voluntariness of Providing Personal Data

The provision of personal data by you is voluntary but necessary for the achievement of the Controller’s purposes.

Data Subject Rights

You have the following rights related to the processing of your personal data:

  1. The right to request access to the content of your personal data;
  2. The right to request rectification of your personal data, if you consider the data to be incorrect or incomplete;
  3. The right to request erasure of your personal data, when:
    • Your data are no longer necessary for the purposes for which they were collected,
    • You withdraw consent for data processing, and the Controller does not have another legal basis for their further processing,
    • You object to the processing of personal data and there are no overriding legitimate grounds for their further processing on the part of the Controller,
    • You object to the processing of personal data for direct marketing purposes,
    • Your personal data have been processed unlawfully,
    • Your personal data must be erased in order to comply with a legal obligation,
    • Your personal data have been collected in relation to the offer of information society services to a child.
  4. The right to erasure does not apply to data processed based on applicable law or data processed for the purpose of establishing, defending, or pursuing possible claims.
  5. The right to request restriction of processing of your personal data, when:
    • You consider the personal data to be inaccurate,
    • Your personal data is processed unlawfully, but you do not want it to be erased by the Controller,
    • The Controller no longer needs your personal data, but they are needed by you for establishing or defending against claims,
    • You object to the processing of personal data;
  6. The right to object to the processing of personal data, when the processing is based on the legitimate interest of the Controller, and the objection is justified by your particular situation;
  7. The right to withdraw consent to the processing of your personal data, where the withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal;
  8. The right to data portability, when the data is processed based on consent or a contract;
  9. The right to lodge a complaint with the supervisory authority dealing with personal data protection, i.e.:
    • The President of the Personal Data Protection Office (PUODO), when you consider that the processing of personal data violates the provisions of the GDPR. Detailed information is available at: https://uodo.gov.pl/pl/83/155.

To exercise the above-mentioned rights, please contact the Controller: Xelto Sp. z o.o.; Xelto Digital Sp. z o.o.; Xelto Digital Czechia s.r.o. via the contact details indicated above.

Transfer of Data to a Third Country

Personal data – as a rule – will not be transferred to a third country or international organization. However, in some situations, personal data may be transferred to countries outside the European Economic Area. This will happen only when the conditions specified in Chapter V of the GDPR are met. In the case of transferring personal data to countries outside the European Economic Area, the Administrator will take care of all formalities related to the proper security of personal data, including, among others: the application of standard contractual clauses adopted by the Commission (EU).

Profiling

The User’s personal data may also be processed in an automated manner, including in the form of profiling. The consequence of profiling will be the assignment of a profile to a given User for the needs of carrying out analyses or predicting User preferences, their behaviour, attitudes, and tailoring information transmitted to the User via the Portals.

Purposes, Legal Bases, and Period of Processing

PROCESSING OF PERSONAL DATA OF JOB CANDIDATES (RECRUITMENT)

PURPOSE AND LEGAL BASIS:

  1. Art. 6 sec. 1 lit. b GDPR – right to request data necessary to take steps before concluding a contract in the scope indicated in Art. 22(1) of the Labour Code Act.
  2. Art. 6 sec. 1 lit. c GDPR – in connection with Art. 22(1) of the Labour Code Act.
  3. Art. 6 sec. 1 lit. a GDPR – consent of the job candidate for the processing of personal data exceeding the catalogue indicated in Art. 22(1) of the Labour Code Act and in case of expressing consent for the processing of personal data for future recruitment processes.
  4. Art. 6 sec. 1 lit. f GDPR – establishing, pursuing, and securing possible claims and defending against these claims related to recruitment processes.
  5. Art. 9 sec. 2 lit. a GDPR – in case the job candidate indicates special categories of personal data.

OBLIGATION TO PROVIDE DATA:

Providing personal data is voluntary. However, failure to provide the information indicated in Art. 22(1) of the Labour Code Act will result in the received application documents not being considered by the Co-Administrators.

STORAGE PERIOD:

Data will be stored for the period necessary to conduct the recruitment process – maximum 3 months, counting from the date of its completion.
In the case of expressing appropriate consent for the purpose of conducting future recruitment processes, personal data will be stored for a maximum period of 12 months.

RECIPIENTS OF DATA:

The recipients of personal data may include:

  1. Entities cooperating with the Co-Administrators under data processing entrustment agreements, ensuring adequate technical and organizational measures;
  2. Group Pracuj.pl;
  3. Entities to whom the Co-Administrators are obliged to transfer data under applicable law.

PROCESSING OF PERSONAL DATA OF CONTRACTORS

PURPOSE AND LEGAL BASIS:

Personal data will be processed for the purpose of:

  1. Art. 6 sec. 1 lit. b GDPR – actions aimed at concluding a contract – in the case of a potential Client being a natural person conducting business activity or a partner in a civil law partnership, being a potential Party to the contract.
  2. Art. 6 sec. 1 lit. b GDPR – conclusion and execution of the subject of the contract, on which cooperation is based – in the case of a Contractor being a natural person conducting business activity or a partner in a civil law partnership, being a Party to the contract.
  3. Art. 6 sec. 1 lit. f GDPR – defense or pursuit of mutual claims.
  4. Art. 6 sec. 1 lit. f GDPR – contact for the purpose of accepting and executing orders.
  5. Art. 6 sec. 1 lit. f GDPR – execution of the subject of the contract – familiarization with instructions for solutions.
  6. Art. 6 sec. 1 lit. f GDPR – contact with natural persons whose data were provided by Contractors for the purpose of executing the subject of the contract, including, among others, persons authorized to represent the Contractor, employees/co-workers of the Contractor.
  7. Art. 6 sec. 1 lit. c GDPR – fulfillment of obligations incumbent on the Administrator resulting from tax and accounting law provisions.

OBLIGATION TO PROVIDE DATA:

The provision of personal data is voluntary, but necessary for drawing up an offer, executing the contract, and financial settlements. Failure to provide data is associated with the impossibility of achieving the Administrator’s purposes.

SOURCE OF DATA:

If the data Administrator has not obtained the data directly from the data subject, the personal data in the scope of, among others: name(s) and surname, electronic mail address, telephone number, position/function, place of employment could have been obtained by the data Administrator from the contract on the basis of which the data Administrator processes the data or were provided by the Contractor.

STORAGE PERIOD:

Personal data will be stored for the period necessary to achieve the purpose, i.e.:

  1. personal data will be stored for the duration of the contract;
  2. personal data contained in the contract will be processed for the period resulting from applicable law, including tax and financial reporting regulations – 5 years – counting from the beginning of the year following the financial year in which operations, transactions and proceedings were finally completed, repaid, settled or expired: Art. 86 of the Act of August 29, 1997, Tax Ordinance; Art. 74 sec. 2 of the Act of September 29, 1994, on Accounting;
  3. personal data may be processed for securing or defending against possible claims for the period required by applicable law;
  4. in the case of potential Contractors – personal data is stored for the period necessary to achieve the processing purpose, no longer than 3 years – Civil Code Act.

RECIPIENTS OF DATA:

The recipients of personal data may be:

  1. entities cooperating with the Data Administrator under concluded personal data processing entrustment agreements and ensuring the application of adequate technical and organizational measures ensuring data protection by the aforementioned entities;
  2. law firms cooperating with the Administrator;
  3. banks – for the purpose of financial settlements;
  4. entities to whom the Administrator is obliged to transfer data under applicable law.

PROCESSING OF PERSONAL DATA OF PERSONS SUBJECT TO MARKETING ACTIVITIES

PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS:

  1. Art. 6 sec. 1 lit. f GDPR – sending marketing information about products, services, promotions, and events, as well as satisfaction surveys regarding provided services to the electronic communication channels indicated by you in connection with consent expressed under Art. 398 sec. 1 of the Act of July 12, 2004, Electronic Communication Law.
  2. Art. 6 sec. 1 lit. f GDPR – defense or pursuit of mutual claims.

OBLIGATION TO PROVIDE DATA:

The provision of personal data is voluntary, but necessary for the realization of the processing purpose by the Co-Administrators.

STORAGE PERIOD:

Personal data will be processed until the expressed consent is withdrawn, a successful objection to processing is raised, or the period of claims limitation expires.

RECIPIENTS OF DATA:

The recipients of personal data may be:

  1. entities cooperating with the Data Administrator under concluded personal data processing entrustment agreements and ensuring the application of adequate technical and organizational measures ensuring data protection by the aforementioned entities;
  2. entities to whom the Administrator is obliged to transfer data under applicable law.

COOKIES AND EXTERNAL TOOLS

TYPES OF COOKIES:

The Administrator uses two types of Cookies:

  1. Session Cookies: are stored on the User’s Device and remain there until the end of the given browser session. The recorded information is then permanently erased from the Device’s memory. The Session Cookies mechanism does not allow the retrieval of any personal data or any confidential information from the User’s Device;
  2. Persistent Cookies: are stored on the User’s Device and remain there until they are deleted. Ending the given browser session or switching off the Device does not result in their removal from the User’s Device. The Persistent Cookies mechanism does not allow the retrieval of any personal data or any confidential information from the User’s Device.

ANALYTICAL AND EXTERNAL TOOLS:

  1. The Administrator uses various systems for monitoring User activity on the network offered by third parties, such as Google Analytics, i.e., web analysis, a service offered by Google Inc. Google Analytics uses “cookies,” which are text files placed on the User’s computer and enabling the analysis of how the Portals are used.
  2. The Administrator also uses standard web server log files to count visitors to the Portal and to evaluate its technical capabilities. The Administrator uses this information to determine how many people visit the Portal, to arrange the Portal in the most User-friendly way, and to make it simpler and more friendly to operate.
  3. The information generated by “cookies” about the User’s use of the Portals (including their IP address) is transferred, inter alia, to the Google Inc. server located in the USA and stored in accordance with Google’s privacy policy (available at: http://www.google.com/intl/pl/privacy/privacy-policy.html). Google uses this information to evaluate the use of the Portals, create reports for website operators regarding activity on the site, and to provide other services related to the use of the Portals and the Internet.
  4. Links (e.g., in the form of third-party logos) may be placed in the Service, which, if activated, redirect the User to an external website. The fact that such links are used cannot be equated with the existence of a link between the Administrator and the entity to which the external website belongs. The Administrator is in no case responsible for the consequences of such redirects, nor does it have influence on the content contained on such websites. The Administrator is not responsible for the content of the privacy and security policies applicable on these websites, nor for the “cookies” used during their browsing.

PROCESSING OF PERSONAL DATA FOR CONTACT PURPOSES (CONTACT FORM)

PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS:

Personal data will be processed for the purpose of:

  1. providing an answer to a question directed via the contact form, and thus for the purpose of realizing our legitimate interest in the form of communication with service users, as well as for the purpose of securing possible claims related to answering the question – that is, on the basis of Art. 6 sec. 1 lit. f) GDPR;
  2. establishing, pursuing, and securing possible claims and defending against these claims – on the basis of Art. 6 sec. 1 lit. f) GDPR.

OBLIGATION TO PROVIDE DATA:

The provision of personal data by you is voluntary, but necessary to provide an answer to the inquiry submitted by you via the contact form.

STORAGE PERIOD:

Personal data will be stored for the period necessary to answer the inquiry submitted via the contact form. Personal data may also, to an adequate extent, be left and processed for securing possible claims until their statute of limitations – for the period required by law.

RECIPIENTS OF DATA:

The recipients of personal data may be:

  1. entities cooperating with the Data Administrator under concluded personal data processing entrustment agreements and ensuring the application of adequate technical and organizational measures ensuring data protection by the aforementioned entities;
  2. entities to whom the Administrator is obliged to transfer data under applicable law.

Personal Data Protection Measures

The Administrator applies technical and organizational measures ensuring the protection of processed personal data appropriate to the risks and categories of data covered by protection, and in particular secures data against their disclosure to unauthorized persons, unauthorized taking by an unauthorized person, processing in violation of applicable regulations, and change, loss, damage, or destruction. When processing your personal data, we apply connection encryption using an SSL certificate.

Final Provisions

Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. reserve the right to change this Policy at any time without the need to inform Users about it. Introduced changes to this Policy will always be published on the Administrators’ website. Introduced changes enter into force on the date of publication of the Policy. In the event of any questions or suggestions regarding the information presented in the Service, as well as questions regarding personal data protection, please contact Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. We will try to clarify any doubts.