PRIVACY POLICY

PRIVACY POLICY
of the website www.elkor.net.pl
Version: 2.0 | Effective date: 21 May 2026

This Privacy Policy (hereinafter: the “Policy”) sets out the rules for processing personal data of Users of the website available at https://elkor.net.pl, the rules for the use of cookies and information about the rights available to Users.

The Policy fulfils the obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “GDPR”).

1. The controller of personal data of the Website Users is Leszek Korcz conducting sole trader business under the name Leszek Korcz PHU “ELKOR”, registered in the Central Register and Information on Economic Activity, with its registered office at ul. Lipowa 28, 63-005 Kleszczewo, VAT ID: 7860006690, statistical number: 632197861 (hereinafter: the “Controller”).
2. Contact with the Controller in all matters relating to the processing of personal data is possible:
   • by e-mail at: elkor@post.pl,
   • by telephone at: +48 61 8176 070,
   • in writing to the Controller’s registered address indicated in paragraph 1 above.
3. The Controller has not appointed a data protection officer. All requests, questions and applications related to the processing of personal data should be directed to the contact details indicated in paragraph 2.

For the purposes of this Policy, the following meanings of the terms used are adopted:

• ECL – the Act of 12 July 2024 – Electronic Communications Law;
• Website – the Controller’s website available at https://elkor.net.pl along with all its subpages, including subpages in language versions (Polish, English, German and Russian);
• User – a natural person visiting the Website or using its functionalities, including a job applicant, contractor, person representing a contractor and a person directing an inquiry to the Controller;
• Campaign – advertising and recruitment activities conducted by the Controller in the Meta Ads and Google Ads systems, including campaigns directed at the markets of Member States of the European Union;
• Cookies – IT data, in particular small text files, saved and stored on the User’s end device, used for visiting the website pages of the Website.

1. The Controller processes personal data of Users only to the extent necessary to achieve the purposes indicated below, on the legal bases defined in the GDPR and in special provisions of Polish law.
2. A summary of the purposes of processing, categories of data processed, legal bases and retention periods is presented in the table below.

   Purpose of processing	Scope of data	Legal basis	Retention period
   Recruitment of drivers and other personnel (recruitment forms at elkor.net.pl/praca in PL/EN/RU versions, Meta Lead Ads, WhatsApp, telephone contact)	first name, last name, e-mail address, phone number, CV and cover letter content, education, professional qualifications, employment history, declared country of residence, language skills	Art. 6(1)(c) GDPR; Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR (consent to participate in future recruitment processes)	until the end of the recruitment process, and in the case of consent to future recruitment – for 12 months from the date of consent
   Verification of residence and work legalisation status in Poland (question about holding a type D work visa or residence permit in the Meta Lead Ads form)	declared legalisation status (confirmation / non-confirmation of holding a type D visa or residence permit)	Art. 6(1)(b) GDPR (condition necessary to initiate recruitment activities); Art. 6(1)(c) GDPR	until the end of the recruitment process
   Handling the general contact form available at elkor.net.pl/kontakt and e-mail correspondence	first name and last name, e-mail address, phone number (if provided), content of the inquiry	Art. 6(1)(f) GDPR (legitimate interest of the Controller in responding to received inquiries and conducting ongoing business correspondence)	until a response is provided and the correspondence is concluded, and subsequently for the period necessary to establish, pursue or defend against claims (no longer than 3 years from the last contact)
   Conclusion and performance of transport, forwarding and other commercial contracts with contractors	identifying data of the contracting party (company name, VAT ID, statistical number, registered address), data of representatives and contact persons (first name, last name, position, business e-mail and phone), data necessary for the performance of the order	Art. 6(1)(b) GDPR (performance of a contract or taking steps prior to its conclusion); Art. 6(1)(f) GDPR (contact with persons representing the contractor)	for the duration of the contract and after its termination – until the expiry of limitation periods for claims (generally up to 6 years)
   Issuing and storing accounting documents (invoices, documents confirming the performance of a service)	identifying data (company name, first and last name, VAT ID, address), transaction data	Art. 6(1)(c) GDPR in conjunction with Art. 86 §1 of the Tax Ordinance Act, Art. 74(2) of the Accounting Act and Art. 112 of the VAT Act	for 5 years calculated from the end of the calendar year in which the tax payment deadline expired
   Website traffic analytics (Google Analytics 4, Microsoft Clarity)	anonymised IP address, cookie identifiers, device and browser data, website activity data (visited pages, time spent, clicks, session recordings)	Art. 6(1)(a) GDPR (consent expressed via the cookies banner)	until withdrawal of consent, no longer than for the validity period of individual cookies indicated in § 12
   Own marketing – advertising campaigns in Meta Ads and Google Ads systems, including remarketing and interest-based marketing directed, inter alia, at EU markets (Germany, France, other Member States)	marketing cookie identifiers, Meta and Google advertising identifiers, website activity data, approximate location, device data	Art. 6(1)(f) GDPR (legitimate interest of the Controller in promoting its own recruitment services and conducting marketing activities); Art. 6(1)(a) GDPR (consent expressed via the marketing cookies banner)	until withdrawal of consent or submission of an effective objection, no longer than for the validity period of individual cookies
   Ensuring the security and proper functioning of the website (server logs, necessary cookies)	IP address, server date and time, browser and operating system information, session identifier	Art. 6(1)(f) GDPR (legitimate interest of the Controller in ensuring the security and continuity of the website)	server logs – up to 12 months; session cookies – until the browser is closed
   Establishment, pursuit of and defence against claims	all personal data collected in connection with the pursuit of the above purposes, to the extent necessary to protect the legal interests of the Controller	Art. 6(1)(f) GDPR (legitimate interest of the Controller in defending against claims and pursuing its own claims)	until the expiry of limitation periods for claims under applicable law

3. The provision of personal data is voluntary; however, to the extent indicated as a condition for concluding a contract or participating in the recruitment process – it is necessary to achieve the indicated purpose. The consequence of not providing data is the inability to carry out the given process (e.g. participation in recruitment, conclusion of a contract, receipt of a response to an inquiry).
4. The Controller does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation. If such data is voluntarily provided by the User (e.g. in the content of a CV), the Controller deletes it immediately after obtaining it, unless it is necessary to assess the candidate’s ability to perform work in a given capacity or the User has given explicit consent to its processing under Art. 9(2)(a) GDPR.

The Controller conducts recruitment and advertising campaigns in the Meta Ads (Facebook, Instagram) and Google Ads systems, directed from the territory of the Republic of Poland to the markets of the Member States of the European Union, in particular to the territory of the Federal Republic of Germany and the French Republic, as well as other EU states. The campaigns are directed at natural persons seeking employment in the transport industry, holding a driver’s licence and a legalised residence and work status in Poland.

4.1. Recruitment forms on the language subpages of the Website

On the elkor.net.pl/praca subpages available in Polish, English and Russian language versions, the User may submit a recruitment application together with a CV. The Controller processes the data indicated by the candidate in the form and in the submitted CV for recruitment purposes, in accordance with the rules set out in § 3.

4.2. Meta Lead Ads forms

1. As part of advertising campaigns in the Meta Ads system, the Controller uses Meta Lead Ads forms, which enable potential candidates to leave their contact details directly from the Facebook and Instagram platforms, without the need to leave the social network.
2. The scope of data collected via Meta Lead Ads forms includes: first name, last name, e-mail address, phone number and a declaration regarding holding a Polish type D work visa or a Polish residence permit.
3. The question about the legalisation status of residence and work is dictated by the need for preliminary verification of the possibility of legally employing the candidate on the territory of Poland – it constitutes a necessary condition for the Controller to initiate recruitment activities and fulfils the obligations of an employer employing foreign nationals.
4. Data provided by candidates in Meta Lead Ads forms is available in the Meta advertising panel for up to 90 days from the moment of its collection, and is then downloaded by the Controller (directly or via an authorised data processor) and stored in a cloud-based spreadsheet until the end of the recruitment process.
5. In the scope of operations performed within Meta’s systems (including displaying advertisements, campaign optimisation, collecting statistical data), joint controllership of personal data within the meaning of Art. 26 GDPR exists between the Controller and Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland). The scope of joint controllers’ responsibilities and information on data processing by Meta are available at: https://www.facebook.com/legal/controller_addendum and in Meta’s privacy policy: https://www.facebook.com/privacy/policy.

4.3. WhatsApp channel and telephone contact

Some candidates contact the Controller directly via WhatsApp or by telephone, using the numbers provided in the content of advertisements and on the website. In this channel, the Controller processes data voluntarily provided by the candidate in the content of the correspondence, to the extent necessary to conduct a recruitment conversation and verify qualifications.

4.4. Legal status of data subjects residing outside Poland

Regardless of the candidate’s country of residence, all personal data obtained as part of the Campaign is processed by the Controller on the territory of Poland, in accordance with the GDPR and Polish national law. All rights arising from the GDPR are available to data subjects, including the right to lodge a complaint with a supervisory authority – the President of the Personal Data Protection Office (UODO), as well as with the competent supervisory authority of the state of habitual residence or the place of the alleged infringement.

1. The recipients of personal data processed by the Controller are exclusively entities to which entrusting the processing or disclosing of data is necessary to achieve the purposes indicated in § 3, namely:
   • providers of IT infrastructure, hosting and website software;
   • providers of analytical, marketing and advertising tools indicated in detail in § 12 of this Policy (incl. Google Ireland Limited, Meta Platforms Ireland Limited, Microsoft Ireland Operations Limited);
   • marketing agencies and advertising service providers conducting campaigns on behalf of the Controller – to the extent necessary for the activities entrusted to them;
   • accounting office and providers of bookkeeping and payroll services;
   • law firms, debt collection firms and external advisors – to the extent necessary for the advisory services provided;
   • authorised state authorities – in cases provided for by law.
2. Each data processor to whom the Controller entrusts the processing of personal data operates on the basis of a written data processing agreement concluded in accordance with Art. 28 GDPR, ensuring at least a standard of protection equivalent to the standard applied by the Controller.

1. In connection with the Controller’s use of analytical and advertising tools provided by entities headquartered in the United States of America, personal data of Users may be transferred to a third country within the meaning of Chapter V of the GDPR. This applies in particular to the following entities:
   • Google LLC, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
   • Meta Platforms, Inc., headquartered at 1 Hacker Way, Menlo Park, CA 94025, USA;
   • Microsoft Corporation, headquartered at One Microsoft Way, Redmond, WA 98052, USA.
2. The transfer of personal data to the United States is based on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 issued pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, finding that the United States ensures an adequate level of protection of personal data guaranteed within the framework of the EU–U.S. Data Privacy Framework (hereinafter: “DPF”).
3. All entities indicated above are active participants in the DPF; participation status may be verified at: https://www.dataprivacyframework.gov/list.
4. Independently of the DPF mechanism, the Controller also ensures data transfer on the basis of Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as a safeguarding mechanism. The Standard Contractual Clauses apply as a supplementary measure, in particular in the event that the adequacy decision ceases to apply.

1. In order to conduct marketing activities tailored to the preferences of recipients and to optimise advertising campaigns, the Controller may process personal data of Users in an automated manner, including through profiling. Profiling is carried out on the basis of data about the User’s activity on the website, demographic data and data transmitted by Meta and Google advertising tools.
2. Profiling carried out by the Controller does not produce legal effects concerning the User or similarly significantly affect the User within the meaning of Art. 22(1) GDPR. The Controller does not make decisions producing legal effects concerning Users in a solely automated manner.
3. The legal basis for profiling is Art. 6(1)(f) GDPR (legitimate interest of the Controller – conducting marketing tailored to the preferences of recipients) in conjunction with Art. 6(1)(a) GDPR (consent to marketing cookies expressed via the cookies banner).
4. The User has the right to object to the processing of their data for the purposes of direct marketing, including profiling, at any time and free of charge. The objection may be expressed by contacting the Controller or by withdrawing consent to marketing cookies via the consent management panel (§ 13).

1. Every person whose personal data is processed by the Controller is entitled to the following rights arising from the GDPR:
   • Right of access to data – the right to obtain from the Controller confirmation as to whether personal data concerning the person making the request is being processed, and if so – the right to obtain access to that data and the information indicated in Art. 15(1) GDPR, as well as the right to obtain the first copy of the data free of charge.
   • Right to rectification – the right to request immediate rectification of inaccurate data and completion of incomplete data.
   • Right to erasure (“right to be forgotten”) – the right to request immediate erasure of personal data, e.g. when the data is no longer necessary for the purposes for which it was collected, or consent has been withdrawn.
   • Right to restriction of processing – the right to request restriction of data processing in situations specified in the provision.
   • Right to data portability – the right to receive personal data in a structured, commonly used, machine-readable format and the right to request that such data be transmitted to another controller – where the processing is based on consent or a contract and is carried out in an automated manner.
   • Right to object – the right to object to the processing of data based on Art. 6(1)(f) GDPR, including to profiling. With regard to direct marketing, the objection is unconditional.
   • Right to withdraw consent – with regard to processing based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal.
   • Right to lodge a complaint with a supervisory authority – the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stanisława Moniuszki 1A, 00-014 Warsaw, www.uodo.gov.pl), and also, in the case of persons residing in another EU Member State, with the competent supervisory authority of the state of habitual residence or the place of the alleged infringement.
2. The exercise of the above rights is effected on the basis of a request directed to the Controller at the contact details indicated in § 1(2). The Controller responds without undue delay, no later than within one month of receipt of the request, with the possibility of extending this period by a further two months in cases of complexity of the request.

The Controller implements and maintains appropriate technical and organisational measures ensuring a level of security corresponding to the risk of infringement of the rights or freedoms of natural persons. The measures applied include in particular: encryption of data transmission (HTTPS/TLS protocol), access control to IT resources, regular backups, authorisation management policies, employee training in the field of personal data protection and periodic verification of the effectiveness of the implemented security measures.

1. The Website may contain links (hyperlinks) to websites operated by third parties, including the Controller’s social media accounts and partner platforms. After navigating to an external website, the User is subject to the privacy policy and terms of service applicable in that service.
2. The Controller is not responsible for the content, operation or rules for the processing of personal data applicable on the websites of third parties to which the Website links. The Controller has no influence on the manner of data processing by these entities.
3. Independent data controllers, which include in particular Meta Platforms Ireland Limited, Google Ireland Limited and Microsoft Ireland Operations Limited, independently determine the purposes and means of data processing within their services. The Controller recommends reading the privacy policies of these entities:
   • Meta – https://www.facebook.com/privacy/policy;
   • Google – https://policies.google.com/privacy;
   • Microsoft – https://privacy.microsoft.com/pl-pl/privacystatement.

1. The Website uses cookies and similar technologies (incl. local storage, tracking pixels) in order to ensure the proper functioning of the Website, conduct traffic analytics and carry out marketing activities.
2. Cookies constitute information stored on the User’s end device and read by the Website or by third-party systems (e.g. Google, Meta). Cookies do not independently identify the User; however, in combination with other data, they may constitute personal data.
3. Storing information on the User’s end device or accessing it is permissible on condition that the User has previously given consent – except in cases where it is necessary to provide a service requested by the User or to carry out a transmission.
4. Cookies used in the Website are divided into:
   • necessary – conditioning the proper functioning of the Website, installed without the need to obtain consent;
   • analytical – used to measure website traffic and analyse it (require consent);
   • marketing – used to present advertisements tailored to preferences and to measure their effectiveness (require consent);
   • functional – enabling additional functionalities, including embedded external elements, e.g. maps (require consent).
5. The User may at any time independently change the settings of their web browser with regard to the handling of cookies – block their saving, delete already saved files or receive notifications about their placement. Limiting the handling of cookies may affect some functionalities of the Website.

The table below contains a detailed list of tools used in the Website along with a description of their operation, cookie category and storage period.

1. Consents to cookies other than necessary are collected via the Consent Management Platform CookieYes tool provided by CookieYes Limited (Ireland). The consent banner is displayed during the first visit to the Website and after the expiry of the previously granted consent period.
2. The User may at any time:
   • accept all cookies;
   • reject all cookies other than necessary;
   • independently configure consent divided into individual cookie categories;
   • withdraw a previously given consent by clicking on the consent management icon visible in the Website.
3. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
4. The Website uses the Google Consent Mode v2.0 mechanism – a solution integrating the consent banner with Google tools (Google Analytics 4, Google Ads). Depending on the User’s decision expressed in the consent banner, Google tools operate in full measurement mode (upon giving consent) or in anonymised behaviour modelling mode (in the event of refusal or absence of consent), without the use of identifiers enabling identification of the User. This mechanism ensures respect for the User’s decision while maintaining the ability to conduct basic analytics based on aggregated data.
5. CookieYes stores information about the consent granted in order to demonstrate its granting; the consent record is stored for the period necessary to demonstrate accountability, for no less than 12 months.

1. The Controller reserves the right to make changes to the Policy in the event of a change in legislation, a change in the scope of activities conducted, the introduction of new tools or services, or for other significant reasons. The amended content of the Policy is published in the Website and takes effect from the date of its publication.
2. In matters not regulated by this Policy, the provisions of the GDPR, the Act of 10 May 2018 on the Protection of Personal Data, the Act of 12 July 2024 – Electronic Communications Law, the Act of 18 July 2002 on the Provision of Electronic Services and other generally applicable laws shall apply accordingly.
3. The Policy takes effect from 21 May 2026.