EXCO A2A Polska Sp. z o.o.’s Privacy Policy
 
ABOUT PRIVACY POLICY
This privacy policy (“Privacy Policy”) determines the rules for the processing of personal data by EXCO A2A Polska Sp. z o.o. with its registered office in Warsaw (02-585), at: al. Niepodległości 106 (postal address: ul. Rotmistrza Witolda Pileckiego 67, p. II, 02-781 Warszawa); “the Controller” or “the Company”), pursuant to the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; “GDPR”), as well as describes the types of cookies used on the Controller's website at the following address: www.exco.pl (“Website”).

In each section of the Privacy Policy you will find the following information (after clicking on each of the titles below you will be directed to the appropriate section):

• Contact details of the Controller and the Data Protection Officer (DPO)
• Processing of data of persons contacting the Company (by e-mail, telephone, contact form)
• Processing of Clients’ data
• Processing of Contractors’ data
• Processing of Representatives’ data (persons representing Clients or Contractors)
• Processing of Candidates’ data
• Processing of data of persons visiting Company profiles in social media
• Processing of data of persons sending requests concerning the exercise of rights deriving from the GDPR
• Automated decision-making
• Recipients of the data
• Data subjects’ rights
• Cookies
• Changes in Privacy Policy

Contact details of the Controller and the Data Protection Officer (DPO)

EXCO A2A POLSKA Sp. z o.o. with its registered office in Warsaw is the Controller of personal data. It may be contacted by mail at the following address: ul. Rotmistrza Witolda Pileckiego 67 p. II, 02-781 Warszawa or by an e-mail sent to: war@exco.pl.
The Controller appointed a Data Protection Officer who can be contacted in writing at the following e-mail address: iod@exco.pl or to the Controller's address for correspondence indicated above, with a note “IOD” (“DPO”).

Processing of data of persons contacting the Company (by e-mail, telephone, contact form)

The Controller processes personal data of persons contacting the Company for the following purposes and with the following legal bases:

1. enabling contact with the Controller and communication with the data subject in connection with a message sent electronically or transmitted by telephone (response to a forwarded enquiry), contacting the addressees, documenting the arrangements made with clients, contractors, other persons, receiving letters, applications and requests in electronic form–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to establish business relations, communicate with persons contacting the Controller and answer their questions);
2. establishing, exercising or defending legal claims–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to establish, exercise and defend legal claims);
3. providing marketing information, including information on events or other activities concerning the Controller–on the basis of a consent, i.e. Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.

The provision of personal data is voluntary, but necessary for the above purposes.
Personal data processed pursuant to Article 6(1)(f) of the GDPR shall be stored until the legitimate interest of the Controller is realised or until the effective objection to the processing of personal data is raised, whichever occurs first. Personal data processed on the basis of consent shall be processed until it is withdrawn, without prejudice to the lawfulness of the processing which took place on the basis of consent before its withdrawal.

Processing of Clients’ data

The Controller processes personal data of Clients (i.e. natural persons carrying out economic activity) for the following purposes and with the following legal bases:

1. taking steps at the request of the Clients prior to entering into a contract, i.e. sending an offer concerning services provided by the Company–pursuant to Article 6(1)(b) of the GDPR;
2. concluding a contract between the Company and the Client and implementing it–pursuant to Article 6(1)(b) of the GDPR;
3. making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Company is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
4. establishing, exercising or defending legal claims between the Client and the Company, which constitutes the legitimate interest of the Company–pursuant to Article 6(1)(f) of the GDPR;
5. marketing its own products or services on paper (traditional mail)–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to send marketing materials concerning the Controller's own products or services);
6. where consent has been given–providing marketing information by e-mail or telephone, including information on events or other activities concerning the Controller–pursuant to Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.

The provision of data necessary to issue an invoice and to pay for the services provided by the Company is obligatory and results from tax and accounting regulations. The provision of other personal data by the Client is voluntary, but necessary to meet the objectives laid down above. In the case of concluding a contract with a Client, personal data is processed for the duration of the contract, and then the Company shall store it until the expiry of the limitation period for claims related to the contract or until the expiry of the obligation to store data resulting from legal regulations (e.g. tax law and accounting regulations). In the case of consent to marketing communications, personal data for these purposes is processed until the withdrawal of consent.

Processing of Contractors’ data

The Controller processes personal data of Contractors (i.e. natural persons carrying out economic activity) for the following purposes and with the following legal bases:

1. establishing or maintaining business relations with the Contractor, which constitutes the legitimate interest of the Company–pursuant to Article 6(1)(f) of the GDPR;
2. concluding a contract between the Controller and the Contractor and implementing it–pursuant to Article 6(1)(b) of the GDPR; i.e. processing is necessary for the performance of the contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the contract;
3. making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Controller is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
4. establishing, exercising or defending legal claims between the Contractor and the Controller, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
5. providing marketing information, including information on events or other activities concerning the Controller–on the basis of a consent, i.e. Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.

The provision of data necessary to issue an invoice and to pay for the services provided by the Company is obligatory and results from tax and accounting regulations. The provision of other personal data by the Contractor is voluntary, but necessary to meet the objectives laid down above. In the case of concluding a contract with a Contractor, personal data is processed for the duration of the contract, and then the Company shall store it until the expiry of the limitation period for claims related to the contract or until the expiry of the obligation to store data resulting from legal regulations (e.g. tax law and accounting regulations). Personal data processed pursuant to Article 6(1)(f) of the GDPR shall be stored until the legitimate interest of the Controller is realised or until the effective objection to the processing of personal data is raised, whichever occurs first. In the case of consent to marketing communications, personal data for these purposes is processed until the withdrawal of consent.

Processing of Representatives’ data (persons representing Clients or Contractors)

Personal data of the Representatives comes from the following sources:

1. personal data of persons representing clients or contractors is made available to the Controller by the client or contractor whom the person represents, or is provided to the Controller directly by the person representing them;
2. personal data of employees and associates of clients or contractors is made available to the Controller by the client or contractor who is the entity employing such a person, or is provided directly by the client or contractor's employee or associate.

The Controller processes the following categories of personal data of the Representatives:

1. persons representing clients or contractors–identification data (e.g. name, surname, name of the entity which the person represents, name of the position/function), data concerning the authorisation granted (e.g. date of the authorisation granted, type and scope of the authorisation granted);
2. employees and associates of clients or contractors–identification data (e.g. name, surname, name of the entity employing a given person, name of the position/function, scope of matters dealt with by the person), contact details (e.g. company telephone number, e-mail).

The Controller processes personal data of the Representatives for the following purposes and with the following legal bases:

1. establishing or maintaining business relations with the client or the contractor, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
2. taking steps at the request of the clients prior to entering into a contract, i.e. sending an offer concerning services provided by the Company, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
3. concluding a contract between the client or contractor and the Controller and executing it, and in particular verifying the authority of the person concluding the contract with the Controller on behalf of the client or contractor and contacting the persons indicated as contact persons in connection with the execution of the contract–pursuant to Article 6(1)(f) of the GDPR, i.e. on the basis of the legitimate interest pursued by the Controller and the client or contractor, which is to enable the Controller and the client or contractor to perform the contract efficiently on a current basis and to enable the Controller to verify the authority of the person concluding the contract with the Controller on behalf of the client or contractor;
4. establishing, exercising or defending legal claims between the client or the contractor and the Controller–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (it is the Controller's legitimate interest to establish, exercise or defend legal claims).
5. making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Company is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
6. where consent has been given–providing marketing information, including information on events or other activities concerning the Controller–pursuant to Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.

Personal data of the Representatives shall be processed for the period necessary to fulfil the purposes indicated above. In case of conclusion of a contract between the client or contractor and the Company, personal data of the Representatives shall be processed for the period necessary to perform the contract. After that, the Company shall store it until any other claims related to the above-mentioned contract are time-barred or until the expiry of the obligation to store data resulting from legal regulations (e.g. tax law and accounting regulations). In the case of consent to marketing communications, personal data for these purposes is processed until the withdrawal of consent.

Processing of Candidates’ data

The Controller processes personal data in order to assess the qualifications and skills needed to work in the position for which the candidate applies, to select a suitable candidate to work in the Company and possibly to select a suitable candidate in future recruitment processes, on the following legal bases:

1. if the employment is to take place on the basis of an employment contract–Article 6(1)(c) of the GDPR–within the scope of personal data indicated in Article 22(1) § 1 of the Polish Labour Code (name or names, surname, date of birth, contact details, education, professional qualifications, career history)–the processing of personal data is necessary to fulfil the legal obligation to which the Company is subject;
2. if the employment is to take place on the basis of a civil law contract–Article 6(1)(b) of the GDPR–with regard to data necessary for the assessment of the candidate's competence and qualifications (name, surname, date of birth, contact details, education, professional qualifications, career history), since the processing of this data is necessary to take action at the request of the data subject before concluding the contract;
3. with regard to the personal data additionally provided by the candidate in the application pack (regardless of the legal form of future employment)–Article 6(1)(a) of the GDPR, i.e. consent (given by a prominent statement or just by sending the application if there are no specific categories of data in the file);
4. as a general rule, the Company requests not to include specific categories of data in the application pack, i.e., for example, data relating to health, including disabilities; however, if, on one’s own initiative, one includes this information in their application pack, the legal basis for processing this information will be Article 9(2)(b) of the GDPR in connection with the provisions of the Act on Social and Vocational Rehabilitation and Employment of Disabled–processing is necessary for the fulfillment of duties and exercise of special rights by the Company or by the data subject in the field of labour law, social security and social protection (if the employment is to take place on the basis of an employment contract) or Article 9(2)(a) of the GDPR (the candidate's prominent consent–if the employment is to take place on the basis of a civil law contract);
5. with regard to personal data collected during the recruitment interview and the results of possible job tests (regardless of the legal form of future employment)–Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in verifying the qualifications and skills of the candidates in order to select a suitable person for the post for which the recruitment is being carried out;
6. Article 6(1)(a) of the GDPR and Article 9(2)(a) of the GDPR, i.e. the candidate's voluntary consent to have their personal data processed for the purposes of future recruitment processes, for all the personal data contained in the application pack sent by the candidate (regardless of the legal form of future employment).

The provision of the following data: name, surname, date of birth, contact details, education, professional qualifications, career history, is necessary in order to participate in the current recruitment process and possibly future recruitments. The consequence of failure to provide this data is that it is impossible to consider a given application in the recruitment process. The provision of other personal data is voluntary.
Personal data will be processed until the end of the current recruitment process, i.e. for a maximum period of 6 months or until the candidate withdraws their consent to the processing of personal data. In case of granting additional, separate consent to the processing of personal data for the purposes of future recruitment, personal data will be processed for a period of 18 months or until the candidate's consent to the processing of personal data is withdrawn.

Processing of data of persons visiting Company profiles in social media

The Controller obtains personal data in connection with natural persons subscribing to the Company's fanpages or channels in social media (by clicking on the “Like”, “Watch”, “Subscribe” icon, etc.), with the publication of their comments under any of the comments posted on the fanpage or channel, as well as in connection with the sending of messages to the Controller via a social networking site (in the case of Facebook, using the Messenger application). By running fanpages or channels on social networking sites, the Controller processes the following personal data:

1. user IDs (usually containing name and surname);
2. basic identification data to the extent published by the natural person on their own profile on a given social networking site;
3. other data to the extent published by the natural person on their own social media profile (e.g. achievements, interests, skills, etc.);
4. a profile photo (it makes it possible, in some cases, for the Controller to see the image of the person visiting the profile in social media);
5. other photos (which may also present an image) posted by the natural person voluntarily under the Controller's posts;
6. the content of the comments and the content of the conversation conducted with the natural person through a given social networking service;
7. anonymous statistical data on visitors to the Company's social media profile; in the case of Facebook, this is accessible via the “Facebook Insights” function provided by Facebook in accordance with the unchanged terms and conditions of use of Facebook, collected by means of cookies, each of which contains a unique user code that can be linked to the connection data of users registered on Facebook, which is downloaded and processed when the fanpage is opened.

The Controller processes personal data for the following purposes and with the following legal bases:

1. maintaining the Company's profile in social media, under the terms and conditions set out by these social networking sites and informing by means of this profile about the Company's activities, services, promoting various events organised by the Controller, sharing knowledge, as well as building and maintaining the community connected with the Controller and communicating by means of the available functionalities of social networking sites (comments, chat, messages, including registrations to events), which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of GDPR;
2. conducting analyses of the functioning, popularity and use of the Company's profiles in social media, which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of the GDPR;
3. taking action with a view to concluding a contract due to a person's interest in the Company's services–pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary to take action prior to the conclusion of the contract, upon request of the data subject;
4. establishing, exercising or defending legal claims, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR.

The provision of personal data is voluntary. Information on users that is contained in private messages sent through social media will be stored for as long as the questions sent are answered or until the cooperation is terminated or the user's profile on the social networking site is deleted.
In the case of information possessed by the Controller as part of the comments shared by the users, it will be available on the Controller's profile until the author removes it.
Personal data collected by a given social networking service, i.e. the history of posts, activity history and messages sent, are subject to retention under the terms of the regulations of the given social networking site.
Data processed on the basis of the legitimate interest of the Controller shall be processed until the effective objection is raised or this interest is realised (e.g. until the expiry of the limitation period for claims).
Statistics on visitors to social media profiles, e.g. in relation to Facebook–accessible via the “Facebook Insights” function–will be processed for as long as the data is available on the social network concerned in accordance with its terms of use.

Processing of data of persons sending requests concerning the exercise of rights deriving from the GDPR

The Controller obtains personal data in connection with natural persons subscribing to the Company's fanpages or channels in social media (by clicking on the “Like”, “Watch”, “Subscribe” icon, etc.), with the publication of their comments under any of the comments posted on the fanpage or channel, as well as in connection with the sending of messages to the Controller via a social networking site (in the case of Facebook, using the Messenger application).
By running fanpages or channels on social networking sites, the Controller processes the following personal data:

1. user IDs (usually containing name and surname);
2. basic identification data to the extent published by the natural person on their own profile on a given social networking site;
3. other data to the extent published by the natural person on their own social media profile (e.g. achievements, interests, skills, etc.);
4. a profile photo (it makes it possible, in some cases, for the Controller to see the image of the person visiting the profile in social media);
5. other photos (which may also present an image) posted by the natural person voluntarily under the Controller's posts;
6. the content of the comments and the content of the conversation conducted with the natural person through a given social networking service;
7. anonymous statistical data on visitors to the Company's social media profile; in the case of Facebook, this is accessible via the “Facebook Insights” function provided by Facebook in accordance with the unchanged terms and conditions of use of Facebook, collected by means of cookies, each of which contains a unique user code that can be linked to the connection data of users registered on Facebook, which is downloaded and processed when the fanpage is opened.

The Controller processes personal data for the following purposes and with the following legal bases:

1. maintaining the Company's profile in social media, under the terms and conditions set out by these social networking sites and informing by means of this profile about the Company's activities, services, promoting various events organised by the Controller, sharing knowledge, as well as building and maintaining the community connected with the Controller and communicating by means of the available functionalities of social networking sites (comments, chat, messages, including registrations to events), which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of GDPR;
2. conducting analyses of the functioning, popularity and use of the Company's profiles in social media, which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of the GDPR;
3. taking action with a view to concluding a contract due to a person's interest in the Company's services–pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary to take action prior to the conclusion of the contract, upon request of the data subject;
4. establishing, exercising or defending legal claims, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR.

The provision of personal data is voluntary.
Information on users that is contained in private messages sent through social media will be stored for as long as the questions sent are answered or until the cooperation is terminated or the user's profile on the social networking site is deleted.
In the case of information possessed by the Controller as part of the comments shared by the users, it will be available on the Controller's profile until the author removes it.
Personal data collected by a given social networking service, i.e. the history of posts, activity history and messages sent, are subject to retention under the terms of the regulations of the given social networking site.
Data processed on the basis of the legitimate interest of the Controller shall be processed until the effective objection is raised or this interest is realised (e.g. until the expiry of the limitation period for claims).
Statistics on visitors to social media profiles, e.g. in relation to Facebook–accessible via the “Facebook Insights” function–will be processed for as long as the data is available on the social network concerned in accordance with its terms of use.

Automated decision-making

With regard to data subjects, the Controller shall not take decisions based solely on automated processing of personal data, including profiling.

Recipients of the data

The recipients of personal data are:

1. entities authorised to process personal data under the law;
2. entities which, on the basis of relevant personal data processing agreements, process personal data on behalf of the Controller, entities providing the Controller with legal, marketing, IT, HR, translation, consulting services, entities providing recruitment services, training companies, entities providing the Company with personal data protection support;
3. courier and postal services providers;
4. persons visiting the Company's profiles on social media;
5. owners of social networking sites, in particular Facebook, LinkedIn, YouTube, Twitter, under unchanged rules on the processing of personal data, as defined by these entities (these entities are also controllers of personal data of users visiting the Company's profiles on social networking sites).

In connection with visiting the Controller's profiles in social media, personal data may be transferred by the owners of these sites to countries outside the European Economic Area. These entities are obliged to guarantee compliance with the high standards of personal data protection that apply in the European Union.

Data subjects’ rights

In connection with the processing of personal data by the Controller, the data subjects have the following rights:

1. the right to access the content of their data, including a copy of their personal data;
2. the right to rectification of (to correct) personal data or to have incomplete personal data completed;
3. the right to erasure and to restriction of processing;
4. the right to data portability, where processing is carried out by automated means based on the data subjects’ consent or in the performance of a contract;
5. the right to object to the processing of personal data, when the legal basis for such processing is Article 6(1)(f) of the GDPR (i.e. the legitimate interest of the Controller);
6. the right to withdraw their consent at any time, with effect for the future, where the legal basis for the processing is Article 6(1)(a) of the GDPR.

You may exercise the above rights by submitting a written statement to the Controller's address: EXCO A2A POLSKA Sp. z o.o., ul. Rotmistrza Witolda Pileckiego 67 p. II, 02-781 Warszawa or by sending an e-mail to: iod@exco.pl.
Data subjects also have the right to lodge a complaint with the data protection supervisory authority, i.e. the Head of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), at: ul. Stawki 2, 00-193 Warszawa (detailed information on how to lodge a complaint can be found at the following website: https://uodo.gov.pl/pl/83/155), if you believe that the processing of your personal data by the Controller violates the GDPR.

Cookies

The Company's website uses cookies. These are IT data, in particular text files, which are stored in the end device of the Website user and are intended to use the Website. Cookies usually contain the name of the website from which they originate, the time they were stored on the end device and a unique number.
We use cookies for the following purposes:

1. adjusting the content of the Website to the User's preferences and optimising the use of the Website; in particular, these files allow the User's device to be recognised and the Website to be displayed accordingly, tailored to their individual needs;
2. producing statistics that provide a basis for analysing how users use the Website.

We use two types of cookies within the Website:

1. session cookie, i.e. temporary files which are stored in the User's end device until the User leaves the website or turns off the Internet browser;
2. persistent cookie, i.e. files which are stored in the User’s end device for the time specified in the parameters of cookie files or until their deletion by the User.

Cookies on the Website include the following types of cookies:

1. “necessary” cookies are used to enable you to use the services available on the Website;
2. security cookies are used, for example, to detect authentication fraud within the Website;
3. “performance” cookies are used specifically for gathering data on how visitors use the Website;
4. “functional” cookies are used to enable “remembering” the settings selected by the User and personalising the User's interface, e.g. in terms of the selected language or region from which the User comes from, font size, look of the Website, etc.

Personal data collected through the use of cookies may only be collected for the purpose of performing specific functions for the user, as indicated above. Such data is encrypted in such a way as to prevent unauthorised access. The data is processed on the basis of Article 6(1)(f) of the GDPR, i.e. the Controller's legitimate interest in ensuring the proper functioning of the Website and adapting it to the User's preferences.
We use Google Analytics, to which we pass on information collected by means of cookies (statistical information).    To learn more about processing of such information, please visit: https://policies.google.com/privacy
Web browsers very often allow cookies to be stored in the user's end device by default. You can change your cookie settings at any time in the settings of the browser you are using. For more detailed information about the possibilities and ways of managing cookies, please check the settings of your Internet browser.
However, changing the settings for the use of cookies at the level of the browser by which you browse the Website may affect some of the functionalities available on the Website and make it difficult or impossible to use some of them.

Changes in Privacy Policy

This Privacy Policy may be amended if at least one of the important reasons indicated in the following directory occurs:

1. amendment to the provisions of the applicable law which regulates the Company's business;
2. the need to adjust the content of the Privacy Policy to the applicable laws or the need to make editorial changes to the Privacy Policy;
3. change in the way in which the Website is run or maintained, which will be caused by objective and independent reasons of a technological or technical nature;
4. change of the terms and conditions of use of the Website, which does not exacerbate the situation of persons using the Website compared to the previous terms and conditions;
5. the need to update the information indicated in the Privacy Policy in areas other than indicated above.