PRIVACY POLICY AND COOKIE POLICY OF XOOG.PL

I. OVERVIEW

This Privacy Policy outlines the general principles for the processing and protection of personal data that we apply in connection with our business activities and the website www.xoog.pl (the “Website”).

XOOG Holding sp. z o.o. respects the privacy rights of Users of the www.xoog.pl website. We are committed to protecting Users’ personal data and implementing appropriate organisational and technical measures to prevent unauthorised access by third parties. Our efforts are aimed at ensuring a level of security required under applicable laws, including:

1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”);

2. Personal Data Protection Act of 10 May 2018 (uniform text, Journal of Laws of 2019, item 1781, the “Act”);

3. Act of 18 July 2002 on Providing Electronic Services (uniform text, Journal of Laws of 2020, item 344);

4. Telecommunications Law of 16 July 2004 (uniform text, Journal of Laws of 2024, item 34).

In the interest of transparency and the protection of the informational autonomy of data subjects, and in accordance with Article 13(1) and (2) of the GDPR, we provide the following overview of the personal data processing practices within our organisation.

II. DATA CONTROLLER

The administrator of the website with the domain www.xoog.pl (the “Website”) and the controller of personal data of:

  1. recipients of our services,
  2. our partners, whatever the scope of cooperation,
  3. individuals who contact us using the contact details provided on the Website,
  4. individuals who contact us using the contact forms available on the Website,
  5. individuals who apply for a job with us through our recruitment processes, as well as individuals who submit their CVs when there is no ongoing recruitment,
  6. subscribers to our newsletter

is XOOG Holding sp. z o.o. with registered office in Warsaw, ul. Wróbla 24/1, 02-736 Warszawa, recorded in the register of entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, XIII Commercial Division of the National Court Register with KRS no.: 0000956193, NIP (taxpayer ID no.): 1070008585 (“XOOG” or the “Controller”).

The Controller has not appointed a Data Protection Officer (DPO). Duties related to the processing and protection of personal data at XOOG are fulfilled by a designated employee with the necessary expertise and qualifications. For any inquiries regarding data processing, you can contact them at the following email address: rodo@xoog.pl.

III. PURPOSE AND LEGAL BASIS OF PROCESSING, AND STORAGE PERIOD

Purpose and legal basis of the processing of personal data or legitimate interest of the controller

Data storage period

Individuals and entities that use our services and collaborate with us

Article 6(1)(b) of the GDPR, i.e. taking steps at the request of the data subject with the aim of entering into a contract for services included in our offering, and performing obligations
arising from the concluded contract

Until the fulfilment of the contract

Article 6(1)(c) of the GDPR,
i.e. compliance with our legal obligation to store source documents according to tax and accounting regulations

5 years from the end of the calendar year in which a tax liability arose

Article 6(1)(f) of the GDPR,
i.e. our legitimate interest in communicating with our clients, including organisations and natural persons represented by entities authorised to act on their behalf in order to conclude and perform contracts for services included in our offering

Until the fulfilment of the contract or resolution of the inquiry received

Individuals who contact us using the contact details provided on the Website or through the contact form

Article 6(1)(f) of the GDPR,
i.e. our legitimate interest in communicating with individuals interested in our offering or establishing a business relationship with us, including responding to inquiries and taking necessary actions
as requested by the individual

Until the resolution of the inquiry received

Individuals who submit their CVs or apply for open positions as part of an ongoing recruitment process

Article 6(1)(a) of the GDPR,
i.e. 1) consent for data processing regarding data beyond the scope of labour laws (applicable only to job candidates)

2) consent for data processing for the purposes of any future recruitment process

Until the recruitment process is concluded. If individuals have consented to data processing for future recruitment or submitted their CVs without an active recruitment process – for up to 12 months from the recruitment conclusion or CV submission

Article 6(1)(b) of the GDPR,
i.e. taking steps at the request of the candidate prior to entering into a contract

Article 6(1)(c) of the GDPR,
i.e. ensuring compliance with legal obligations under labour laws, to which we are subject as the controller (applicable only to job candidates)

Website users, contact persons

Article 6(1)(f) of the GDPR,
i.e. our legitimate interest in conducting communications, including marketing, informational, and sales activities

Until an objection is raised or the inquiry is resolved

Article 6(1)(f) of the GDPR,
i.e. our legitimate interest in pursuing civil claims, including seeking redress for damage and losses, and defending against potential claims

Until the civil claims become statute barred

Subscribers to our newsletter

Article 6(1)(a) of the GDPR,
i.e. consent to receive marketing and informational materials, including details about our business, products, and services, via means of electronic communication

Until the consent is withdrawn

Article 6(1)(f) of the GDPR,
i.e. our legitimate interest in conducting communications, including marketing, informational, and sales activities

Until an objection is raised or the subscription is cancelled

IV. RECIPIENTS OF PERSONAL DATA

We share the personal data you provide with the following recipients:

a. Our employees and associates who require access to data to perform their duties. Each individual involved in data processing requires appropriate authorisation;

b. Other members of our group, including:

  • XOOG Development sp. z o.o. with registered office in Warsaw (KRS: 0000888212),
  • XOOG Operator sp. z o.o. with registered office in Warsaw (KRS: 0000932208),
  • XOOG Energy sp. z o.o. with registered office in Warsaw (KRS: 0000916189),
  • Renewables Construction sp. z o.o. with registered office in Warsaw (KRS: 0000956598);

c. Data processors with whom we cooperate on a regular basis and whose services support our operations, including:

  • IT service providers, including providers of IT resource management and maintenance services, especially email services and website maintenance;
  • providers of legal services;
  • providers of web tools that we use to manage our newsletter, collect and analyse Website traffic and performance data (e.g. Google Analytics, GetResponse).Podane nam dane osobowe udostępniamy następującym grupom odbiorców:

V. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

As a rule, we do not transfer your personal data to third countries, i.e. outside the European Economic Area (EEA). However, some online tools we use have servers in the United States. Your data may be transferred outside the European Economic Area when you subscribe to our newsletter service or consent to web analytics tools used for collecting and analysing traffic data for our website. In such cases, we ensure appropriate safeguards to protect your personal data, as specified in the GDPR, in compliance with the EU laws, including the use of standard contractual clauses.

VI. RIGHTS OF DATA SUBJECTS

You have the following rights regarding the processing of your personal data:

Right

Legal basis of processing

consent
(Article 6(1)(a) of the GDPR)

conclusion and performance of a contract
(Article 6(1)(b) of the GDPR)

compliance with a legal obligation

(Article 6(1)(c) of the GDPR)

controller’s legitimate interest

(Article 6(1)(f) of the GDPR)

right to withdraw consent

YES

NO

NO

NO

right of access to your personal data

YES

YES

YES

YES

right to rectification, erasure or restriction of processing


YES

YES

YES

YES

right to data portability

YES

YES

NO

NO

right to object to processing


NO

NO

NO

YES

You may withdraw your consent at any time. The withdrawal will not affect the lawfulness of processing carried out before withdrawal.

To exercise your rights, please contact us using the details provided in Section I. DATA CONTROLLER.

Additionally, if you believe your data has been processed unlawfully, you have the right to lodge a complaint with President of the Personal Data Protection Office.

VII. CONSEQUENCES OF FAILURE TO PROVIDE DATA

Legal basis of processing

Consequences of failure to provide data

consent
(Article 6(1)(a) of the GDPR)

The provision of personal data is voluntary,
however, it is necessary to achieve the purposes of processing.
Failure to provide data will prevent the achievement of these purposes.

conclusion and performance of a contract

(Article 6(1)(b) of the GDPR)

The provision of personal data is voluntary,
however, it is necessary to conclude a contract.
Failure to provide data will prevent the conclusion of the contract.

compliance with a legal obligation

(Article 6(1)(c) of the GDPR)

The processing of personal data is a legal requirement,
and data storage is required
under tax and accounting regulations

controller’s legitimate interest
(Article 6(1)(f) of the GDPR)

The provision of personal data for communication, marketing, and recruitment is voluntary,
however, it is necessary to achieve the purposes of processing.


VIII. COOKIE POLICY

Cookies are small text files stored on your end device (computer, tablet, smartphone) that save settings and other information from visited websites. The website sends cookies to your browser, where they are stored and later retrieved during subsequent visits on the website.

Our Website may contain external links that allow Users to access other websites directly. Additionally, cookies from third-party providers such as Facebook, X, and Google+ may be stored on your device to enable you to use Website functionalities integrated with these websites. Each provider sets its own cookie policies as part of its privacy policies. Consequently, we do not control the privacy or cookie policies of such providers. For security reasons, we recommend that Users review the privacy and cookie policies of any external websites before using their resources, if available. If no such policies are available, Users are advised to contact the website administrators for more information.

Use of cookies on the Website

In accordance with Article 173 of the Telecommunications Law of 16 July 2004, the Website uses cookies—IT data, primarily text files stored on the user’s end device. These cookies typically contain the name of the website they originate from, the duration of storage on the end device, and a unique identifier.

Cookies are used for:

  1. facilitating the User’s navigation and use of the Website;
  2. recognising the User when reconnecting from the same device;
  3. creating statistics to understand how Users interact with the Website, helping to improve its structure and content;
  4. adapting the content of Website pages to individual User preferences and optimising the browsing experience based on individual User needs;

The Website uses the following types of cookies:

  • Session cookies – stored on the User’s end device until they log out, leave the website, or close their web browser;
  • Permanent cookies – stored on the User’s end device for a period specified in the cookie settings or until manually deleted by the User;
  • Performance cookies – they collect information on how Users interact with the Website pages;
  • Essential cookies – they enable the use of essential services available on the Website;
  • Functional cookies – they remember User-selected settings and personalise the User’s interface;
  • First-party cookies – set by the Website;
  • Third-party cookies – set by external websites other than the Website.

The information is not linked to the Website User’s personal data and is not used to identify the User. The range of information collected automatically depends on the User’s browser settings. The User should review their browser settings to see what information is automatically shared or to adjust these settings. We recommend consulting the Help section of the browser you are using for further guidance.

You can change the settings for storing or saving cookies by changing the settings of your browser, e.g.:

  • Microsoft Edge
  • Firefox
  • Chrome
  • Opera
  • Safari

Web browsing software (i.e. a web browser) typically allows cookies to be stored on the User’s end device by default. However, Users of the Website can modify these settings. Browsers also allow for the deletion of cookies and provide the option to automatically block them. For detailed instructions, you should refer to the Help section or documentation of your web browser.

If you do not wish to receive cookies, you can adjust your browser settings. However, disabling essential cookies required for authentication, security, or maintaining User preferences may hinder or, in some cases, prevent the use of the Website.