PRIVACY POLICY OF ORUGA GROUP SP. Z O.O.

Definitions:
Personal Data: information about an identified or identifiable natural person;
Data Subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data Protection Officer: an entity appointed on the basis of professional qualifications, and in particular professional knowledge on law and practice in the area of data protection, as well as skills related to performance of tasks referred to in Art. 39 for the purpose of ensuring fulfilment of personal data protection provisions;

Consent: of a data subject means a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her;

Breach of Personal Data Protection: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Supervisory Authority: an independent public authority established by a member state in line with Art. 51 of the GDPR.

With respect to issues not defined above, definitions from Art. 4 of the GDPR shall be applicable.

I. Data Controller

The Data Controller of your personal data is Oruga Group Sp. z o.o. with its’ registered office in Warsaw at ul. Smulikowskiego 1/3, 00-389 Warsaw, National Court Register No. (KRS): 0000409643, VAT Reg. No. (NIP): 5213626803, State Statistical No. (REGON): 145988281, hereinafter referred to as the Data Controller or the Company.

Contacting the Data Controller shall be possible via:

  • - e-mail: info@orugagroup.com;
  • - contact form: http://orugagroup.com/pl/kontakt,
  • - post, in writing at the address specified below: 

ul. Smulikowskiego 1/2 suite 1, 00-389 Warsaw, Poland.

II. Data Protection Officer

II.I. With respect to issues related to personal data protection, it is possible to contact a Data Protection Officer designated by the Data Controller (hereinafter referred to as the DPO):
- via e-mail: info@orugagroup.com,
- via post, at the following address: 
ul. Smulikowskiego 1/3 suite 202.
II.II. The Data Controller has appointed a Data Protection Officer; at the present moment, the Data Protection Officer is Ms. Olga Swiridiuk. The DPO provides answers to any questions pertaining to the personal data processed by the Data Controller.

III. Manner, Purpose and Bases of Personal Data Processing

1. Personal data processed by the Data Controller are collected, stored, edited, archived in paper documents, as well as IT systems and on electronic information media.
2. This document introduces regulations with respect to the principles of processing organisation and refers to paper and electronic information.
3. The Data Controller shall observe confidentiality with respect to data processing.
4. The Data Controller declares that entities performing functions as part of its’ structure, which remain in the relation of sub-contracting, cooperation, persons performing commissioned work or bound by other civil law agreements and labour agreements became liable for observing relevant confidentiality of data provided to them. The Data Controller declares that it is liable for violation of the confidentiality principle with respect to the data processed by such entities.
5. The Data Controller makes the processed personal data available to supervision entities and authorities authorised to process such data exclusively on the basis of legal provisions or upon explicit request of a Data Subject.
6. The Data Controller shall make the personal data available for the purpose of performing Services which are the subject of the agreement exclusively in a scope that is necessary for the purposes of a service that was ordered. Definition of Services is contained in the next chapter. 
7. The Data Controller also processes personal data for the needs of:

- conducting the current recruitment process - the legal basis for processing is the consent for the processing of personal data for this purpose;

- conducting future recruitment processes - the legal basis for processing is the consent for the processing of personal data for this purpose.

Provision of personal data is voluntary, yet necessary for implementing the purposes defined above. If consent was given for participation in the current recruitment process, personal data of the data subject shall be stored for a maximum for 14 days from the date of its’ completion. If consent was given for participation in future recruitment processes, such data shall be stored for 5 years from the moment of sending of application or the moment of withdrawing the consent.
8. The Data Controller declares that it has implemented relevant operational and technical measures to secure the processed data:
- in reference to data contained in paper documents - such documents are stored in a properly secured archive which may be accessed exclusively by authorised persons;
- in reference to data in electronic format - data are stored on electronic information media equipped with proper securities; data are also stored in an electronic data set (the so-called cloud), properly secured by a relevant security system, which may be accessed exclusively by authorised persons.
9. Issues not regulated in this document shall be governed by the provisions of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, act of 29 August 1997 on the protection of personal data and relevant provisions of the EU member states with respect to the personal data protection.

III.I. In order to provide Services in line with the profile of operation, the Company processes the collected personal data - for different purposes, yet always in compliance with the law. 

Service: in line with the tab on the website http://orugagroup.com/pl/uslugi activity encompassing business and legal servicing, including:

  • sale of shelf companies in Poland;
  • registration of companies;
  • sale of business;
  • licences and permits;
  • temporary stay;
  • commercial properties;
  • property management;
  • investments in Poland;
  • sale of shelf companies;
  • registration of companies abroad;
  • virtual office in Warsaw;
  • administrative support in Poland.

Oruga Group Sp. z o.o. also provides legal and business consulting services.

III.II. Purposes of Personal Data Processing

1. For the purpose of estimating a Service and providing a Service, personal data is processed by the Data Controller in a relevant scope (depending on the volume of provided identification information):

  • first name and surname;
  • marital status;
  • citizenship;
  • country of origin;
  • native language;
  • identification data from valid documents;
  • education;
  • age;
  • sex;
  • e-mail address:
  • address of residence/ address of registered office;
  • VAT Reg. No. (NIP)/ PESEL No.;
  • numbers from foreign commercial/ tax registers;
  • date of filing the order.

The legal basis for such processing of data is Art. 6.1.b) of the GDPR, which allows for the processing of personal data if such processing is necessary for the performance a contract or in order to take steps prior to entering into a contract; Provision of surname shall be understood as approval for the processing of such data, which has its’ basis in Art. 6.1.a) of the GDRP, which allows for the processing of such data on the basis of a freely given consent.

2. For the purpose of examining a complaint, the Data Controller processes such personal data as:
•    first name and surname (if it was provided);
•    e-mail address;
•    potentially address or residence - if funds are returned;
•    potentially bank account number - if funds are returned.

The legal basis for such processing of data is Art. 6.1.b) of the GDPR, which allows for the processing of personal data if such processing is necessary for the performance a contract or in order to take steps prior to entering into a contract; provision of surname shall be understood as approval for the processing of such data, which has its’ basis in Art. 6.1.a) of the GDRP, which allows for the processing of such data on the basis of a freely given consent.

3. For the purpose of sending e-mail notifications and marketing information (“Newsletter”), the Data Controller processes such personal data as:
•    e-mail address;
•    first name and surname (if it is provided);
The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest (in this case, the Company’s interest is informing the client about activities related to the processing of the ordered service).
4. For the purpose of telephone contact with respect to issues related to the performance of a Service or estimation of a Service, the Data Controller processes such personal data as:
•    telephone number;
•    first name and surname (if it is provided).
The legal basis for such processing is Art. 6.1.a) of the GDPR, which allows for the processing of personal data on the basis of a freely given consent. Provision of telephone number is optional and depends exclusively on a freely given consent.

5. For the purpose of issuing an invoice and fulfilling other obligations resulting from the tax law provisions, the Data Controller processes such personal data as:

  • first name and surname;
  • company;
  • address of residence or address of registered office;
  • VAT Reg. No. (NIP);
  • document number;
  • parents’ names;
  • date of birth;
  • foreign identification numbers.

The legal basis for such processing of data is Art. 6.1.c) of the GDPR, which allows for the processing of personal data if such processing is necessary for the Data Controller's compliance with legal obligations.

6. For the purpose of archiving the unpaid requests, the Data Controller processes such personal data as:
first name and surname;
e-mail address.
The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest.

7. For the purpose of setting up records and registers related to the GDPR, including a record of clients who filed objections in line with the GDPR, the Company processes such personal data as:
first name and surname;
document number;
e-mail address.
The legal basis for such processing of data is Art. 6.1.c) of the GDPR, which allows for the processing of personal data if such processing is necessary for the Data Controller's compliance with legal obligations and Art. 6.1.f) of the GDPR, which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest.

8. For the purpose of determining, seeking or defending against claims, the Data Controller processes such personal data as:
first name and surname (if surname was provided) or, potentially, company name;
address of residence (if it was provided);
PESEL No. or VAT Reg. No. (NIP) (if it was provided);
e-mail address.
The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest (in this case, the Company’s interest is holding the personal data that allow for determining, seeking or defending against claims, including from clients and third parties).

9. For archival and evidence purposes, the Data Controller processes personal data within a scope in which they were provided for the purpose of estimation or performance of a Service, which may be used to determine facts with legal significance, in particular:

  • first name and surname;
  • marital status;
  • citizenship;
  • country of origin;
  • native language;
  • identification data from valid documents;
  • education;
  • age;
  • sex;
  • e-mail address:
  • address of residence/ address of registered office;
  • VAT Reg. No. (NIP)/ PESEL No.;
  • numbers from foreign commercial/ tax registers.

The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest.

10. For analytical purposes, i.e. testing and analysing the activity on the Data Controller’s website, the Data Controller processes such data as:

  • date and time of website visit;
  • type of operating system;
  • approximate location;
  • type of Internet browser used to view the website;
  • time spent on the website;
  • visited sub-pages;
  • sub-pages where the contact form was completed.

The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest.


11. For the purpose of administering the website, the Data Controller processes such personal data as:

  • IP address;
  • server date and time;
  • information about Internet browser;
  • information about operating system.

Such data is saved automatically in the so-called server logs during every use of the website that belongs to the Company. The legal basis for such processing of data is Art. 6.1.f) of the GDPR which allows for the processing of personal data if, in this manner, the Data Controller pursues its’ legitimate interest.

IV. Cookies
On its’ website, the Company uses cookies, i.e. small text files saved on the computer, telephone, tablet or another device of the user. They may be read by the Data Controller’s system, as well as by systems that belong to other entities. Turning off or restricting the use of cookies may cause serious difficulties with using the website.  The consent for the use of cookies may be withdrawn every time.

V. Right to Withdraw Consent
1. If the processing of personal data takes place on the basis of a consent, such consent may be withdrawn any time.
2. Withdrawing the consent may take place, in particular, via;

  • e-mail sent to the Data Controller or the DPO;
  • declaration on consent withdrawal sent via post.

3. If the processing of personal data took place on the basis of a consent, its’ withdrawal does not render the processing of personal data until such withdrawal illegitimate. Until the consent was withdrawn, processing was legitimate, and its’ withdrawal does not influence the legitimacy of hitherto processing.

VI. Requirement to Provide Personal Data
Provision of personal data is voluntary. However, on account of Services offered by the Company, in some cases provision of specific personal data is necessary for efficient provision of offered Services.

VII. Automated Decision Making and Profiling
The Company does not perform automated decision making, also on the basis of profiling. The content of the inquiry which is sent via the contact form is not subject to evaluation via an IT system. The proposed price of a Service is, in no case, the result of evaluation performed by any IT system.

VIII. Recipients of Personal Data
1. The Data Controller transfers personal data within the necessary and minimum scope that is needed for business servicing of its’ clients. In relation to the above, if necessary, the data are transferred in particular to lawyers who provide services, companies servicing payments, accounting company, insurance company, banks and translators whose services are used by the Data Controller. The consent may be withdrawn at any time, yet the Data Controller does not guarantee provision of the Service that was ordered.
2. The Data Controller transfers the personal data to the indicated entities based on relevant legal provisions or decision of a competent body.

IX. Transfer of Personal Data to Third Countries
1. The Company uses services offered by such entities as Facebook, Microsoft and Google, which have their seats outside of the European Union and thus, in the light of the GDPR provisions, they are treated as third countries.
2. Personal data are transferred by the Data Controller outside of the European Economic Area only within a scope that is minimum and necessary to perform the Service that was ordered or other legitimate purposes of personal data processing. Withdrawal of consent does not allow for keeping the guarantee of performance of a Service that was ordered.
3. The Data Controller shall, upon every request of a Data Subject, immediately provide additional explanations with respect to the personal data processing.
4. A Data Subject has a right to receive copies of personal data transferred to a third country.

X. Period of Personal Data Processing
1. In line with binding legal provisions, personal data are processed only for the time necessary to accomplish the stipulated purpose for which the data was processed.
2. After the lapse of the time referred to in the preceding section, the data shall be permanently deleted or destroyed.
3. Periods referred to in the first section amount to: 
term of the Agreement: in reference to personal data processed for the purpose of concluding and executing the Agreement;
3 years or 10 years + 1 year: in reference to personal data processed to determine, seek or defend against claims (the length of the period depends on whether both parties are entrepreneurs or not);
6 months: in reference to personal data which were collected during estimation of a service and, at the same time, the agreement was not concluded immediately;
5 years: in reference to personal data related to the fulfilment of tax law obligations;
until the consent is withdrawn or the purpose of processing was accomplished, however not longer than 5 years: in reference to personal data processed on the basis of a consent;
until the moment of efficient filing of an objection or accomplishment of the purpose of processing, however not longer than 5 years: in reference to personal data processed on the basis of a legitimate interest of the Data Controller or for marketing purposes;
until the data become outdated or become useless, however not longer than for 3 years: in reference to personal data processed primarily for analytical purposes, use of cookies and website administration.
4. Annual periods are calculated from the end of the year when processing of personal data commenced to streamline the process of removal or destruction of personal data. Separate calculation of the deadline for every concluded agreement would be related to significant organisational and technical difficulties, as well as significant financial expenses, thus establishing one date for removal or destruction of personal data allows for more efficient management of this process. The Data Controller, upon a justified request of a Data Subject, shall refrain from the periods stipulated above.
5. The additional year related to the processing of personal data collected for the purpose of agreement performance results from the possibility of filing potential claims.

XI. Rights of Data Subjects
1. The Data Subject has a right to:
access his/ her/ its’ personal data;
rectify the personal data;
delete personal data;
restrict the processing of personal data;
object against the processing of personal data;
transfer personal data.
2. The above-listed rights are not absolute; thus, in certain cases the Data Controller may refuse to comply with them in line with the law. 
4. The Data Controller may refuse the right to object against personal data processing on the basis of a legitimate interest of the Data Controller, which means that:
there are legitimate bases for processing, which are overriding in comparison to the interests, rights and freedoms of Data Subjects, or;
there are bases for determining, seeking or defending against claims.
5. A Data Subject may file an objection against processing of his/ her data for marketing purposes at any moment. 

XII. Right to File Complaint
A Data Subject may file a complaint to the President of the Personal Data Protection Office if the Data Subject believes that his/ her data are processed in breach of binding legal provisions.

XIII. Final Provisions
1. Issues not regulated by this Privacy Policy shall be governed by the provisions on personal data protection.
2. The Data Controller shall provide information about any changes pertaining to this Privacy Policy via e-mail, as well as via relevant publication on the website that it manages.
3. This Privacy Policy enters into force on 25 May 2018.