PERSONAL DATA PROCESSING AT XTPL S.A., WROCŁAW

The controller of your personal data

XTPL S.A. with its registered office in Wrocław (54-066 Wrocław, ul. Stabłowicka 147, 54-066 Wrocław, “XTPL“), a company entered in the business register of the National Court Register kept by the District Court for Wrocław-Fabryczna, VI Commercial Division of the National Court Register under KRS No. 0000619674: NIP: 9512394886, with a share capital of PLN 230,422.20 (fully paid up), which can be contacted at the address provided above, by email at rodo@xtpl.com or by phone on +48 717 072 204, is the controller of your personal data (“Personal Data“), i.e. decides on the purposes and methods of their processing (“Controller“).

This applies primarily to situations where, for example, you enter into a contract with XTPL (including a contract of employment), conduct business or engage in investor relations with XTPL, contact us for another reason, or use our newsletter service.

The context of Personal Data processing

Your Personal Data may be processed in a number of situations: (i) if you have provided your Personal Data to us personally through various communication channels (e.g. by submitting an inquiry/offer/application by e-mail or via the forms on our web pages); (ii) as part of our collaboration when signing or performing a contract; (iii) when we have obtained your Personal Data from other sources (e.g. from a company you work for and which is our business partner/client).

Processing related to business relations, commercial relations and contact

a. The scope of Personal Data processing
As a Controller, we process the Personal Data of our clients and business partners and their employees/collaborators, the Personal Data of other persons provided to us for the purpose of entering into contracts, including contracts for service provision, contracts of mandate (umowa zlecenia), employment contracts and non-disclosure agreements, under contracts signed, or persons contacting us by e.g. telephone, email or the forms available on our web pages.

In connection with these relationships, we may process the following Personal Data: identification data, contact details, job position and professional qualifications data and other Personal Data provided to us in connection with a relationship or contact.

If you are a party to a contract concluded with the Controller, for the purpose of executing and performing the contract we may process the following Personal Data in particular: first name(s) and surname(s), company name(s) (if a business activity is conducted), address of residence or place of business, PESEL (Personal ID Number) or NIP (Tax Identification Number), as appropriate, as well as the number and series of the identity document (passport or ID card).

We collect the above Personal Data directly from you as well as from other people, eg from your employers/clients.

b. The purpose and basis of processing
In connection with the above relationships, we process Personal Data for the following purposes:

  • to start a relationship/collaboration;
  • to enter into or perform a contract;
  • to settle contracts;
  • to reply to enquiries and requests as well as to pursue further correspondence/contact in this respect;
  • to pursue marketing activities and contact related to other information and services of the Controller;
  • to defend and/or make claims, if applicable;
  • to meet the Controller’s legal obligations (eg regarding public, tax and accounting companies and the processing of complaints).

The Controller processes Personal Data on the following basis:

  • the processing of Personal Data is necessary to perform a contract or to take steps before a contract is executed at the request of the data subject;
  • the Controller must meet its legal obligations;
  • the Controller’s legitimate interest in the form of: marketing of the Controller’s products and services; contact, including correspondence; and determination, making of and defense against potential claims.

In general, providing Personal Data is voluntary, but it may be necessary for entering into or performing a contract, for responding to a directed inquiry, or to conducting correspondence.

c. How long will Personal Data be processed?
The Personal Data collected for the purposes of entering into and performing a contract will be processed for the duration of the contract or until you object to the processing based on our legitimate interest, unless the law (eg archiving, tax or accounting law) obliges us to prolong the processing of the Personal Data, or we store it longer to defend ourselves against potential claims, for their period of limitation prescribed by law, depending on which period is longer.

Your Personal Data provided under a contact with XTPL S.A. will be processed until the communication with you is finally ended, and in the case of marketing activities, until you object against such processing, unless by analogy to the information given above, the law obliges us to continue processing the data or until the potential claims expire.

Processing of Personal Data in connection with recruitment

a. The scope of Personal Data processing
As a Controller, we process the Personal Data of people who seek employment, transferred through any recruitment channels available, in particular the Personal Data submitted in the application and collected in the recruitment process.

In connection with recruitment, we may process the following Personal Data (processing of some Personal Data may depend on your consent): identification data, contact details, educational data, skills and past employment data, professional qualifications data and other Personal Data provided to us in the recruitment process.

b. The purpose and basis of processing
In connection with recruitment, we process Personal Data for the following purposes:

  • to consider the candidacy and carry out the recruitment process and, if consent is granted, also for the purposes of future recruitment;
  • to defend ourselves against potential claims, and to make claims.

The Controller processes Personal Data on the following basis: your request; the provisions of applicable law, in particular the Labour Code and its implementing acts and, in the scope wider than that specified in these regulations and in relation to any future recruitment, your voluntary consent (which may be withdrawn at any time, which will not affect the legality of prior processing).

The Controller processes Personal Data related to the defense against potential claims on the basis of the Controller’s legitimate interest.

Providing Personal Data is voluntary but necessary to carry out the recruitment process and to start a potential relationship/collaboration.

c. How long will Personal Data be processed?
Personal Data is stored by the Controller for the duration of the recruitment process or, depending on your additional voluntary consent, for the duration of future recruitment or until the consent is withdrawn. The Personal Data will be deleted in any event after two years from their receipt, unless the law requires us to process it for a longer time or we store it for longer in the event of potential claims, for their period of limitation prescribed by law, in particular the Labor Code or Civil Code (the longer processing period applies in either case).

Processing of Personal Data in connection with newsletter subscription

a. The scope of Personal Data processing
If you want to receive our newsletter, we will ask you for your email address. Providing your email address is voluntary, but if you do not provide it, you will not be able to receive our newsletter.

The e-mail address provided by you may contain your Personal Data (eg if it includes your name and surname).

b. The purpose and basis of processing
We process your Personal Data for XTPL S.A.’s marketing purposes to email you information about our activities and products. We will also be able to inform you about our financial situation and issued securities. Of course, you can object to this and opt out of the newsletter (our legitimate interest is the legal basis for data processing in this case).

We will also process your data for purposes related to the potential of disputes in the course of the provision of the newsletter service (here, too, our legitimate interest is the legal basis for data processing).

c. How long will Personal Data be processed?
In principle, we will process your Personal Data until you opt out of the newsletter, ie primarily until you submit an objection, unless the law obliges us to process it for a longer period or we store it for a longer period in the case of potential claims, for a limitation period prescribed by law, in particular the Civil Code.

Processing of Personal Data in connection with investor relations

a. The scope of Personal Data processing
As a Controller, we process the Personal Data of potential and current investors, collected primarily in connection with the acquisition of our securities.

In relation to investor relations, we may process the following Personal Data: identification data, contact details, issue details and other Personal Data provided to us in connection with contact or a relationship/collaboration.

Your Personal Data may have been transferred to the Controller by an entity handling security subscriptions or the National Depositary of Securities (KDPW S.A.).

b. The purpose and basis of processing
We process Personal Data for the following purposes:

  • to perform contracts to purchase securities;
  • to exercise rights arising from securities;
  • to redeem or cancel securities;
  • for tax and accounting purposes;
  • to market XTPL S.A.’s products and services;
  • in relation to the potential of disputes.

The Controller processes Personal Data on the following basis:

  • the processing of Personal Data is necessary to perform a contract or to take steps before a contract is executed at the request of the data subject;
  • the Controller must meet its legal obligations;
  • the Controller’s legitimate interest in the form of: marketing of the Controller’s products and services; contact, including correspondence; and defense against potential claims.

In general, providing Personal Data is voluntary, but it may be necessary to enter into or perform a contract.

c. How long will Personal Data be processed?
Personal Data collected for the purposes of entering into and performing a contract will be processed for the duration of the contract or until you object to the processing based on our legitimate interest, unless the law (eg archiving, tax, accounting or securities law) obliges us to prolong the processing of the Personal Data, or we store it longer to defend ourselves against potential claims, for their period of limitation prescribed by law, depending on which period is longer.

Data processing in connection with access to confidential information

a. The scope of Personal Data processing
As a Controller, we process the Personal Data of persons who have access to confidential information referred to in Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (“MAR”).

To meet our obligations arising under MAR, we may process the following Personal Data: first names, surname (including family name), business phone number, company name and address, position and reasons for classifying a person as having access to confidential information, the date and time of including a person in the section of persons with access to confidential information, date of birth, national identification number, private telephone numbers, full address of residence.

b. The purpose and basis of processing
We process Personal Data in order to compile and maintain a list of persons with access to confidential information referred to in Article 18(1) of MAR

The Controller processes Personal Data to meet its legal obligations.

Providing Personal Data to the Controller is required by law.

c. How long will Personal Data be processed?
We store your Personal Data for a period of at least five years from the compiling or updating of a list of persons with access to confidential information, in accordance with the provisions of article 18(5) of MAR, unless the law (eg archiving legislation) obliges or authorises us to process the data for a longer period, or we store it for a longer period in case of potential claims for their period of limitation prescribed by law.

Processing of the data of persons discharging managerial responsibilities and persons closely associated with them

a. The scope of Personal Data processing
As a Controller, we process the Personal Data of persons discharging managerial responsibilities (PDMRs) and their closely associated persons (CAPs) in compliance with MAR.

To meet our obligations arising under MAR, we may process the following Personal Data: name and surname, role at XTPL S.A. (PDMR) or reasons for being qualified as a CAP; business telephone number (PDMR); e-mail address (PDMR); address (if provided); national identification number (if provided). or number in the relevant register.

b. The purpose and basis of processing
We process Personal Data in order to:

  • compile and maintain a list of persons discharging managerial responsibilities and their closely associated persons them referred to in Article 19(5) of MAR, and
  • notify persons discharging managerial responsibilities of their obligations under Article 19(5) of MAR.

The Controller processes Personal Data to meet its legal obligations.

Providing Personal Data to the Controller is required by law.

c. How long will Personal Data be processed?

We store your Personal Data for the period of the discharge of managerial duties, unless the law (eg archiving legislation) obliges or authorises us to process the data for a longer period, or we store it for a longer period in the case of potential claims, for the duration of their period of limitation prescribed by law.

Who is the recipient of Personal Data?

The Personal Data that we process may be passed on to entities that help us communicate with our business partners and clients (they support us in sending emails and, in the case of advertising activities, in running marketing campaigns), run our website, they provide support for and ensure operation of ICT tools and systems (eg data storage), as well as entities handling shipments, providing ongoing legal services, conducting audits, providing scanning and printing services, handling correspondence, document archiving and shredding, etc., banks (in the case of financial settlements) and entities working with the Controller in the area of sales services.

With regard to recruitment, we may also disclose your Personal Data to entities providing us with technical or organisational assistance with the recruitment, including communication with candidates, and which ensure proper operation of IT tools and systems.

In the case of investor relations, your Personal Data may also be transferred to KDPW S.A., the Warsaw Stock Exchange, the Polish Financial Supervision Authority, entities authorized to keep records for dematerialised bonds, in accordance with Article 8.2 of the Bonds Act of 15 January 2015 (Journal of Laws of 2015, item 238).

The Personal Data that we process in connection with access to confidential information may also be transferred, at their request, to competent authorities, in particular the Polish Financial Supervision Authority.

The transmission of Personal Data outside the European Economic Area (EEA)

By way of exception, we may transfer your Personal Data to our partners to process them outside the European Economic Area (EEA), but only insofar as this is necessary, eg in connection with our partners’ provision of services to us, especially IT services (e.g. data storage). Our partners can process data mostly in the United States (USA).

To ensure the security of your Personal Data, we use safeguards, such as standard contractual clauses approved by the European Commission. We also strive to ensure that our partners are included in the EU‒US Privacy Shield programme. You have the right to obtain copies of the safeguards we use, in particular by contacting us via email or otherwise in accordance with the contact details provided in section 1 above.

What rights do you have?

In any event, you have the right:

  1. to access your Personal Data (including, for example, to be informed of which Personal Data items are processed);
  2. to request Personal Data to be rectified or to limit the processing of Personal Data (e.g. if it is incorrect);
  3. to have Personal Data deleted (eg. if processed unlawfully);
  4. to have the Personal Data that you provided to the Controller, and which is processed in an automated manner, with the processing taking place based on consent or under a contract, transferred, e.g. to another Controller;
  5. to object to the processing of Personal Data which is based on the basis of necessity for purposes arising from the legitimate interests of the Controller, including, in particular, processing for marketing purposes;
  6. to lodge a complaint with the President of the Personal Data Protection Office).

If the processing of Personal Data takes place on the basis of consent, you have the right to withdraw your consent at any time without affecting the legality of the processing which took place on the basis of consent before its withdrawal.

If you have any questions about the processing of Personal Data by XTPL S.A., please contact XTPL’s personal data officer (Mr Michał Bednarek) on 71 707 22 04 or rodo@xtpl.com.