EXCO A2A Polska Sp. z o.o.’s Privacy Policy
ABOUT PRIVACY POLICY
This privacy policy (“Privacy Policy”) determines the rules for the processing of personal data by EXCO A2A Polska Sp. z o.o. with its registered office in Warsaw (02-585), at: al. Niepodległości 106 (postal address: ul. Rotmistrza Witolda Pileckiego 67, p. II, 02-781 Warszawa); “the Controller” or “the Company”), pursuant to the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; “GDPR”), as well as describes the types of cookies used on the Controller's website at the following address: www.exco.pl (“Website”).
In each section of the Privacy Policy you will find the following information (after clicking on each of the titles below you will be directed to the appropriate section):
- Contact details of the Controller and the Data Protection Officer (DPO)
- Processing of data of persons contacting the Company (by e-mail, telephone, contact form)
- Processing of Clients’ data
- Processing of Contractors’ data
- Processing of Representatives’ data (persons representing Clients or Contractors)
- Processing of Candidates’ data
- Processing of data of persons visiting Company profiles in social media
- Processing of data of persons sending requests concerning the exercise of rights deriving from the GDPR
- Automated decision-making
- Recipients of the data
- Data subjects’ rights
- Cookies
- Changes in Privacy Policy
Contact details of the Controller and the Data Protection Officer (DPO)
EXCO A2A POLSKA Sp. z o.o. with its registered office in Warsaw is the Controller of personal data. It may be contacted by mail at the following address: ul. Rotmistrza Witolda Pileckiego 67 p. II, 02-781 Warszawa or by an e-mail sent to: war@exco.pl. The Controller appointed a Data Protection Officer who can be contacted in writing at the following e-mail address: iod@exco.pl or to the Controller's address for correspondence indicated above, with a note “IOD” (“DPO”).Processing of data of persons contacting the Company (by e-mail, telephone, contact form)
The Controller processes personal data of persons contacting the Company for the following purposes and with the following legal bases:- enabling contact with the Controller and communication with the data subject in connection with a message sent electronically or transmitted by telephone (response to a forwarded enquiry), contacting the addressees, documenting the arrangements made with clients, contractors, other persons, receiving letters, applications and requests in electronic form–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to establish business relations, communicate with persons contacting the Controller and answer their questions);
- establishing, exercising or defending legal claims–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to establish, exercise and defend legal claims);
- providing marketing information, including information on events or other activities concerning the Controller–on the basis of a consent, i.e. Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.
Processing of Clients’ data
The Controller processes personal data of Clients (i.e. natural persons carrying out economic activity) for the following purposes and with the following legal bases:- taking steps at the request of the Clients prior to entering into a contract, i.e. sending an offer concerning services provided by the Company–pursuant to Article 6(1)(b) of the GDPR;
- concluding a contract between the Company and the Client and implementing it–pursuant to Article 6(1)(b) of the GDPR;
- making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Company is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
- establishing, exercising or defending legal claims between the Client and the Company, which constitutes the legitimate interest of the Company–pursuant to Article 6(1)(f) of the GDPR;
- marketing its own products or services on paper (traditional mail)–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (the legitimate interest of the Controller is to send marketing materials concerning the Controller's own products or services);
- where consent has been given–providing marketing information by e-mail or telephone, including information on events or other activities concerning the Controller–pursuant to Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.
Processing of Contractors’ data
The Controller processes personal data of Contractors (i.e. natural persons carrying out economic activity) for the following purposes and with the following legal bases:- establishing or maintaining business relations with the Contractor, which constitutes the legitimate interest of the Company–pursuant to Article 6(1)(f) of the GDPR;
- concluding a contract between the Controller and the Contractor and implementing it–pursuant to Article 6(1)(b) of the GDPR; i.e. processing is necessary for the performance of the contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the contract;
- making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Controller is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
- establishing, exercising or defending legal claims between the Contractor and the Controller, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
- providing marketing information, including information on events or other activities concerning the Controller–on the basis of a consent, i.e. Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.
Processing of Representatives’ data (persons representing Clients or Contractors)
Personal data of the Representatives comes from the following sources:- personal data of persons representing clients or contractors is made available to the Controller by the client or contractor whom the person represents, or is provided to the Controller directly by the person representing them;
- personal data of employees and associates of clients or contractors is made available to the Controller by the client or contractor who is the entity employing such a person, or is provided directly by the client or contractor's employee or associate.
- persons representing clients or contractors–identification data (e.g. name, surname, name of the entity which the person represents, name of the position/function), data concerning the authorisation granted (e.g. date of the authorisation granted, type and scope of the authorisation granted);
- employees and associates of clients or contractors–identification data (e.g. name, surname, name of the entity employing a given person, name of the position/function, scope of matters dealt with by the person), contact details (e.g. company telephone number, e-mail).
- establishing or maintaining business relations with the client or the contractor, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
- taking steps at the request of the clients prior to entering into a contract, i.e. sending an offer concerning services provided by the Company, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR;
- concluding a contract between the client or contractor and the Controller and executing it, and in particular verifying the authority of the person concluding the contract with the Controller on behalf of the client or contractor and contacting the persons indicated as contact persons in connection with the execution of the contract–pursuant to Article 6(1)(f) of the GDPR, i.e. on the basis of the legitimate interest pursued by the Controller and the client or contractor, which is to enable the Controller and the client or contractor to perform the contract efficiently on a current basis and to enable the Controller to verify the authority of the person concluding the contract with the Controller on behalf of the client or contractor;
- establishing, exercising or defending legal claims between the client or the contractor and the Controller–pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller (it is the Controller's legitimate interest to establish, exercise or defend legal claims).
- making tax settlements and keeping accounting records–pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Company is subject and which result from the generally applicable provisions of law, including tax law and accounting regulations;
- where consent has been given–providing marketing information, including information on events or other activities concerning the Controller–pursuant to Article 6(1)(a) of the GDPR and pursuant to Article 10 of the Act on Provision of Electronic Services or Article 172 of the Telecommunications Act.
Processing of Candidates’ data
The Controller processes personal data in order to assess the qualifications and skills needed to work in the position for which the candidate applies, to select a suitable candidate to work in the Company and possibly to select a suitable candidate in future recruitment processes, on the following legal bases:- if the employment is to take place on the basis of an employment contract–Article 6(1)(c) of the GDPR–within the scope of personal data indicated in Article 22(1) § 1 of the Polish Labour Code (name or names, surname, date of birth, contact details, education, professional qualifications, career history)–the processing of personal data is necessary to fulfil the legal obligation to which the Company is subject;
- if the employment is to take place on the basis of a civil law contract–Article 6(1)(b) of the GDPR–with regard to data necessary for the assessment of the candidate's competence and qualifications (name, surname, date of birth, contact details, education, professional qualifications, career history), since the processing of this data is necessary to take action at the request of the data subject before concluding the contract;
- with regard to the personal data additionally provided by the candidate in the application pack (regardless of the legal form of future employment)–Article 6(1)(a) of the GDPR, i.e. consent (given by a prominent statement or just by sending the application if there are no specific categories of data in the file);
- as a general rule, the Company requests not to include specific categories of data in the application pack, i.e., for example, data relating to health, including disabilities; however, if, on one’s own initiative, one includes this information in their application pack, the legal basis for processing this information will be Article 9(2)(b) of the GDPR in connection with the provisions of the Act on Social and Vocational Rehabilitation and Employment of Disabled–processing is necessary for the fulfillment of duties and exercise of special rights by the Company or by the data subject in the field of labour law, social security and social protection (if the employment is to take place on the basis of an employment contract) or Article 9(2)(a) of the GDPR (the candidate's prominent consent–if the employment is to take place on the basis of a civil law contract);
- with regard to personal data collected during the recruitment interview and the results of possible job tests (regardless of the legal form of future employment)–Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in verifying the qualifications and skills of the candidates in order to select a suitable person for the post for which the recruitment is being carried out;
- Article 6(1)(a) of the GDPR and Article 9(2)(a) of the GDPR, i.e. the candidate's voluntary consent to have their personal data processed for the purposes of future recruitment processes, for all the personal data contained in the application pack sent by the candidate (regardless of the legal form of future employment).
Processing of data of persons visiting Company profiles in social media
The Controller obtains personal data in connection with natural persons subscribing to the Company's fanpages or channels in social media (by clicking on the “Like”, “Watch”, “Subscribe” icon, etc.), with the publication of their comments under any of the comments posted on the fanpage or channel, as well as in connection with the sending of messages to the Controller via a social networking site (in the case of Facebook, using the Messenger application). By running fanpages or channels on social networking sites, the Controller processes the following personal data:- user IDs (usually containing name and surname);
- basic identification data to the extent published by the natural person on their own profile on a given social networking site;
- other data to the extent published by the natural person on their own social media profile (e.g. achievements, interests, skills, etc.);
- a profile photo (it makes it possible, in some cases, for the Controller to see the image of the person visiting the profile in social media);
- other photos (which may also present an image) posted by the natural person voluntarily under the Controller's posts;
- the content of the comments and the content of the conversation conducted with the natural person through a given social networking service;
- anonymous statistical data on visitors to the Company's social media profile; in the case of Facebook, this is accessible via the “Facebook Insights” function provided by Facebook in accordance with the unchanged terms and conditions of use of Facebook, collected by means of cookies, each of which contains a unique user code that can be linked to the connection data of users registered on Facebook, which is downloaded and processed when the fanpage is opened.
- maintaining the Company's profile in social media, under the terms and conditions set out by these social networking sites and informing by means of this profile about the Company's activities, services, promoting various events organised by the Controller, sharing knowledge, as well as building and maintaining the community connected with the Controller and communicating by means of the available functionalities of social networking sites (comments, chat, messages, including registrations to events), which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of GDPR;
- conducting analyses of the functioning, popularity and use of the Company's profiles in social media, which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of the GDPR;
- taking action with a view to concluding a contract due to a person's interest in the Company's services–pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary to take action prior to the conclusion of the contract, upon request of the data subject;
- establishing, exercising or defending legal claims, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR.
Processing of data of persons sending requests concerning the exercise of rights deriving from the GDPR
The Controller obtains personal data in connection with natural persons subscribing to the Company's fanpages or channels in social media (by clicking on the “Like”, “Watch”, “Subscribe” icon, etc.), with the publication of their comments under any of the comments posted on the fanpage or channel, as well as in connection with the sending of messages to the Controller via a social networking site (in the case of Facebook, using the Messenger application). By running fanpages or channels on social networking sites, the Controller processes the following personal data:- user IDs (usually containing name and surname);
- basic identification data to the extent published by the natural person on their own profile on a given social networking site;
- other data to the extent published by the natural person on their own social media profile (e.g. achievements, interests, skills, etc.);
- a profile photo (it makes it possible, in some cases, for the Controller to see the image of the person visiting the profile in social media);
- other photos (which may also present an image) posted by the natural person voluntarily under the Controller's posts;
- the content of the comments and the content of the conversation conducted with the natural person through a given social networking service;
- anonymous statistical data on visitors to the Company's social media profile; in the case of Facebook, this is accessible via the “Facebook Insights” function provided by Facebook in accordance with the unchanged terms and conditions of use of Facebook, collected by means of cookies, each of which contains a unique user code that can be linked to the connection data of users registered on Facebook, which is downloaded and processed when the fanpage is opened.
- maintaining the Company's profile in social media, under the terms and conditions set out by these social networking sites and informing by means of this profile about the Company's activities, services, promoting various events organised by the Controller, sharing knowledge, as well as building and maintaining the community connected with the Controller and communicating by means of the available functionalities of social networking sites (comments, chat, messages, including registrations to events), which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of GDPR;
- conducting analyses of the functioning, popularity and use of the Company's profiles in social media, which constitutes the legitimate interest of the Controller in accordance with Article 6(1)(f) of the GDPR;
- taking action with a view to concluding a contract due to a person's interest in the Company's services–pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary to take action prior to the conclusion of the contract, upon request of the data subject;
- establishing, exercising or defending legal claims, which constitutes the legitimate interest of the Controller–pursuant to Article 6(1)(f) of the GDPR.
Automated decision-making
With regard to data subjects, the Controller shall not take decisions based solely on automated processing of personal data, including profiling.Recipients of the data
The recipients of personal data are:- entities authorised to process personal data under the law;
- entities which, on the basis of relevant personal data processing agreements, process personal data on behalf of the Controller, entities providing the Controller with legal, marketing, IT, HR, translation, consulting services, entities providing recruitment services, training companies, entities providing the Company with personal data protection support;
- courier and postal services providers;
- persons visiting the Company's profiles on social media;
- owners of social networking sites, in particular Facebook, LinkedIn, YouTube, Twitter, under unchanged rules on the processing of personal data, as defined by these entities (these entities are also controllers of personal data of users visiting the Company's profiles on social networking sites).
Data subjects’ rights
In connection with the processing of personal data by the Controller, the data subjects have the following rights:- the right to access the content of their data, including a copy of their personal data;
- the right to rectification of (to correct) personal data or to have incomplete personal data completed;
- the right to erasure and to restriction of processing;
- the right to data portability, where processing is carried out by automated means based on the data subjects’ consent or in the performance of a contract;
- the right to object to the processing of personal data, when the legal basis for such processing is Article 6(1)(f) of the GDPR (i.e. the legitimate interest of the Controller);
- the right to withdraw their consent at any time, with effect for the future, where the legal basis for the processing is Article 6(1)(a) of the GDPR.
Cookies
The Company's website uses cookies. These are IT data, in particular text files, which are stored in the end device of the Website user and are intended to use the Website. Cookies usually contain the name of the website from which they originate, the time they were stored on the end device and a unique number. We use cookies for the following purposes:- adjusting the content of the Website to the User's preferences and optimising the use of the Website; in particular, these files allow the User's device to be recognised and the Website to be displayed accordingly, tailored to their individual needs;
- producing statistics that provide a basis for analysing how users use the Website.
- session cookie, i.e. temporary files which are stored in the User's end device until the User leaves the website or turns off the Internet browser;
- persistent cookie, i.e. files which are stored in the User’s end device for the time specified in the parameters of cookie files or until their deletion by the User.
- “necessary” cookies are used to enable you to use the services available on the Website;
- security cookies are used, for example, to detect authentication fraud within the Website;
- “performance” cookies are used specifically for gathering data on how visitors use the Website;
- “functional” cookies are used to enable “remembering” the settings selected by the User and personalising the User's interface, e.g. in terms of the selected language or region from which the User comes from, font size, look of the Website, etc.
Changes in Privacy Policy
This Privacy Policy may be amended if at least one of the important reasons indicated in the following directory occurs:- amendment to the provisions of the applicable law which regulates the Company's business;
- the need to adjust the content of the Privacy Policy to the applicable laws or the need to make editorial changes to the Privacy Policy;
- change in the way in which the Website is run or maintained, which will be caused by objective and independent reasons of a technological or technical nature;
- change of the terms and conditions of use of the Website, which does not exacerbate the situation of persons using the Website compared to the previous terms and conditions;
- the need to update the information indicated in the Privacy Policy in areas other than indicated above.