We have prepared this privacy policy in relation to our information obligations under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (The General Data Protection Regulation) (hereinafter: “GDPR”).
You are requested to read the contents of this privacy policy carefully.
The controller of your personal data is XTB Institutional with its registered office in Warsaw, Prosta 67, 00-838 Warsaw.
You can contact XTB Institutional: 1) by e-mail: support.inst@xtb.com, 2) by phone: (+48 22 273 99 90), 3) by mail: Prosta 67, 00-838 Warsaw.
We obtain your personal data directly from you. Depending on the specific situation, we may also collect them from entities to which you have given your consent to provide such data (e.g. entities co-organizing educational events with us) or from persons representing you on the basis of a power of attorney.
From the sources indicated above we may obtain data such as: personal data identifying you, contact data, socio-demographic data (i.e. employment, level of education), data used in settlements with the tax authorities (competent tax office and tax identification number in the case of self-employed persons), bank account number.
If you are an entrepreneur, we obtain some of your data from other public sources, i.e. from the National Court Register, the Central Register and Information on Business Activity, Central Register of Beneficial Owners or similar sources in other countries as well as from private entities and business intelligence agencies which collect and make available information on entrepreneurs. Acquisition of the aforementioned data is necessary, in particular, in order to conclude a contract and fulfill legal obligations related to e.g. prevention of money laundering.
In exceptional cases, we may obtain information about you from whistleblowers.
We obtain personal data on the people who represent you or act on your behalf from the same sources as your data as well as from you.
Clients
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Taking action before entering into an agreement and taking action to perform the concluded agreement | At your request, XTB Institutional takes action before entering into an agreement for provision of brokerage services. XTB Institutional undertakes actions in order to perform the agreement. | The processing is necessary for the performance of an agreement to which you are a party or to take action at your request prior to entering into an agreement (Article 6(1)(b) of the GDPR). | If you hold an investment account with XTB Institutional, your personal data will be stored for the term of the agreement. In addition, after the termination of the agreement, XTB Institutional will process your data for the period of limitation of claims to which XTB Institutional is entitled or against XTB Institutional provided for by law. |
| Taking action on the receipt of a complaint, claim, appeal or other request. | XOH’s consideration of the complaints, claims, appeals or other requests submitted by you. | The processing of personal data is necessary for the fulfillment of legal obligations incumbent on XOH, resulting for example from the Act on Consumer Rights or the Act on Complaints Handling by Financial Market Operators and Financial Ombudsman (Article 6(1)(c) GDPR). The processing of personal data is necessary to take action to perform the agreement if you are our client and the premise of fulfilling the legal obligation does not apply (Article 6(1)(b) GDPR). | In this case, the storage period for your personal data will be the time necessary to handle the complaint, claim or other request in accordance with the agreement or the law. We stipulate that this period may be extended by the period of limitation of claims under the law. |
| To comply with obligations under anti-money laundering and counterterrorist financing legislation, including profiling. | Registration of transactions by XOH, as well as assessment by XOH of the level of risk of money laundering and terrorism financing and applying financial security measures (e.g. verifying client and beneficial owner identity) in order to prevent money laundering and terrorism financing, as well as archiving related to the above. | The processing of personal data is necessary to fulfill the legal obligation of XOH (Article 6(1)(c) GDPR). | We retain: (a) copies of documents and information obtained as a result of financial security measures; (b) evidence of transactions and records of transactions, including original documents or copies of documents necessary to identify the transactions for 5 years from the date of termination of the business relationship with you or where occasional transactions were carried out. We retain: the results of risk assessments and business relationship analyses for 5 years from the date they were conducted. |
| Fulfillment of obligations under other laws, e.g. on taxes, accounting. | Fulfilment by XOH of obligations resulting from other provisions of law, such as: fulfilling obligations relating to collecting certain information and verifying clients (e.g. statements relating to FATCA, CRS, EMIR, MIFIR), preparing reports on transactions concluded and providing them to relevant financial institutions and supervisory authorities. | The processing of personal data is necessary to fulfil the legal obligation of XOH (Article 6(1)(c) GDPR). | The period for which we store your personal data results from individual regulations. For example, in accordance with the tax ordinance, we are obliged to store your tax records for a period of 5 years counting from the end of the calendar year in which the deadline for tax payment expired. |
| Determining and pursuing claims or defending against claims. | Taking actions related to establishing and pursuing claims by XOH or taking actions to defend against claims directed against XOH. | Processing of personal data is necessary in order to fulfil the legally legitimate interest of XOH, consisting in the possibility of determining or pursuing claims, as well as defending against claims addressed to XOH (legal basis: Article 6(1)(f) GDPR in connection with Article 9(2)(f) GDPR). | The statute of limitations for claims to which XOH is entitled or against XOH is stipulated by law. For example, pursuant to the Polish Civil Code, the statutes of limitations for claims are: – 6 years from performance of the agreement – for consumer claims; – 10 years from the execution of the agreement – for consumer claims established by a final decision of a court or authority, arising and not time-barred before 9 July 2018 (except for accounting documents) and until the final conclusion of the case and for the period necessary due to accounting regulations or audit obligations. |
| Contacting you for purposes related to permitted marketing activities, through available communication channels, in particular by e-mail, SMS and telephone. | XOH undertakes activities aimed at promotion of products and services and marketing communication via communication channels to which you have consented. | The legal basis for processing the client’s personal data is the legally justified interest of XOH (Article 6(1)(f) GDPR), consisting in the possibility of promoting (direct marketing) XOH’s products and services. | The period of existence of XOH’s legitimate interest, unless you object to the processing of your data for marketing purposes. |
| Maintaining contact, scheduling meetings and providing answers to any questions sent. | Taking actions to maintain contact with client and respond to any questions provided. | The processing of personal data is necessary in order to pursue a legitimate interest of XOH consisting of taking actions to maintain contact with client and respond to any questions provided (Article 6(1)(f) GDPR). | Personal data may be processed until questions are answered or claims have expired. |
| Research and improvement of service quality | Carrying out analytical activities aimed at verifying and improving the quality of services | The processing of personal data is necessary in order to implement the legitimate interest of XOH consisting in verifying and improving the quality of services (Article 6(1)(f) of the GDPR). | Personal data may be processed until you object. |
Prospects
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Contacting you for purposes related to permitted marketing activities, through available communication channels, in particular by e-mail, SMS and telephone. | XOH undertakes activities aimed at promotion of products and services and marketing communication via communication channels to which you have consented. | The legal basis for the processing of personal data in the case of a potential customer is consent to the processing of personal data (Article 6(1)(a) GDPR). | Until you withdraw your consent or the data controller considers that the data are no longer adequate or relevant. |
| Taking action on setting up a demonstration account. | XOH undertakes actions aimed at promotion of products as well as marketing communication via communication channels to which you have consented. | The legal basis for the processing of personal data in the case of a potential customer is consent to the processing of personal data (Article 6(1)(a) GDPR). | Until you withdraw your consent or the data controller considers that the data are no longer adequate or relevant. |
| Taking action on the receipt of a complaint, grievance, appeal or other request. | Consideration by XOH of complaints, claims, appeals or other requests submitted by you. | The processing of personal data is necessary in order to pursue a legitimate interest of XOH consisting in considering and providing you with an answer to a complaint, claim, appeal or other request (Article 6(1)(f) GDPR). In some cases, the basis for processing such data may be the fulfilment of the legal obligation resulting e.g. from the Act on Consumer Rights or the Act on Complaints Handling by Financial Market Operators and Financial Ombudsman (Article 6(1)(c) GDPR). | In this case, the storage period for your personal data will be the time necessary to handle the complaint, claim or other request in accordance with the agreement or the law. We stipulate that this period may be extended by the period of limitation of claims under the law. |
| Maintaining contact, scheduling meetings and providing answers to any questions sent. | Taking actions to maintain contact with client and respond to any questions provided. | The processing of personal data is necessary in order to pursue a legitimate interest of XOH consisting of taking actions to maintain contact with client and respond to any questions provided (Article 6(1)(f) GDPR). | Personal data may be processed until questions are answered or claims have expired. |
| Determining and pursuing claims or defending against claims. | Taking actions related to establishing and pursuing claims by XOH or taking actions to defend against claims directed against XOH. | Processing of personal data is necessary in order to fulfil the legally legitimate interest of XOH, consisting in the possibility of determining or pursuing claims, as well as defending against claims addressed to XOH (legal basis: Article 6(1)(f) GDPR). | Period of limitation of claims to which XOH is entitled or against XOH provided for by the law. |
| Fulfillment of obligations arising from the regulations on conducting brokerage activities. | XOH’s fulfilment of obligations resulting from the regulations on conducting brokerage activities, such as e.g.: recording telephone conversations and e-mail correspondence and the related archiving. | The processing of personal data is necessary to fulfill the legal obligation of XOH (Article 6(1)(c) GDPR). | The period for which your personal data is stored results from individual regulations. For example, pursuant to the Act on Trading in Financial Instruments, the period for which we store your data drawn up, transmitted or received in connection with the provision of brokerage services is 5 years, counting from the first day of the year following the year in which the documents or information carriers were compiled or received. |
Contractors and Representatives
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Verifying the correctness of the authorization to act on behalf of the contractor and contacting in matters relating to the execution of the contract. | Taking actions by XOH aimed at verifying the correctness of the authorization to act on behalf of the contractor, including verification of the above data in public registers and contacting in matters related to the execution of the contract. | The legal basis for the processing of personal data is: – in the case of company owners – performance of the contract (Article 6(1)(b) of the GDPR) – in the case of representatives and persons contacting the company – the legitimate interest of XOH (Article 6(1)(f) of the GDPR). | Duration of the concluded contract or until the negotiations are completed. |
| Fulfillment of obligations arising from other legal provisions, e.g. tax and accounting. | Fulfillment by XOH of obligations arising from other legal provisions, such as: fulfilling obligations in the scope of collecting specific information and verifying clients (e.g. statements related to FATCA, CRS, EMIR, MIFIR), creating reports regarding concluded contracts and transactions and forwarding them to the appropriate financial institutions and supervisory authorities. | The processing of personal data is necessary to fulfill the legal obligation imposed on XOH (Article 6(1)(c) of the GDPR). | The storage period of your personal data depends on individual data regulations. For example, according to the tax ordinance, we are obliged to store your tax documentation for a period of 5 years from the end of the calendar year in which the tax payment deadline expired. |
| Establishing and pursuing claims or defending against claims. | Taking actions related to the establishment and pursuit of claims by XOH or taking actions to defend against claims against XOH. | The processing of personal data is necessary to implement the legitimate interest of XOH, consisting in the possibility of establishing or pursuing claims, as well as defending against claims against XOH (legal basis: Article 6(1)(f) of the GDPR). | The limitation period for claims due to XOH or against XOH is provided for by law. |
Users of Website and Application
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Ensuring the correct provision of services via the website/application. | The use of cookies to ensure the proper operation of the website and application as well as to enable the provision of online services in accordance with the regulations. | Processing is necessary to perform a contract to which you are a party or to take action at your request before concluding a contract (Article 6(1)(b) of the GDPR). | Until cookies are deleted from the device. Detailed information about retention can be found in the cookie policy. |
| Analytical | The use of cookies allows us to measure the number of visits and collect information about traffic sources, so that we can improve the performance of our website and application. They also help us understand which pages and features are most popular or how visitors navigate them. | The processing of personal data is necessary for XOH’s legally justified interest, consisting in improving the quality of the services provided (legal basis: Article 6(1)(f) of the GDPR). | Until the goal is achieved, you express your objection or delete cookies from your device. |
| Advertising. | We may use advertisements that appear on other websites to promote certain services, articles or events. | The legal basis for the processing of personal data in this case is consent to the processing of personal data (Article 6(1)(a) GDPR). | Until the goal is achieved, you express your objection or delete cookies from your device. |
Beneficial Owners
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Fulfillment of obligations arising from the provisions on counteracting money laundering and terrorism financing regarding the identification of the beneficial owner. | Taking steps to determine the beneficial owner of the Client. | The processing of personal data is necessary to fulfill the legal obligation imposed on XOH (Article 6(1)(c) of the GDPR). | A period of 5 years from the date of termination of business relations with the Client or in which occasional transactions were carried out. |
Reporters / Whistleblowers
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Serving people reporting violations of the law and conducting an analysis. | Handling all signals regarding violations of the law to the extent necessary to perform a task carried out in the public interest. | Processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR in connection with Article 9(2)(g) GDPR). | The documentation may be stored for a period of 5 years, counting from the first day of the year following the year in which the documents or information media were prepared or received. |
Persons Whom the Report Concerns
| Purpose of personal data processing | Description | Legal basis for personal data processing | Personal data storage period |
| Serving people reporting violations of the law and conducting an analysis. | Handling all signals regarding violations of the law to the extent necessary to perform a task carried out in the public interest. | Processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR in connection with Article 9(2)(g) GDPR). | The documentation may be stored for a period of 5 years, counting from the first day of the year following the year in which the documents or information media were prepared or received. |
Cooperating entities
We may provide your personal data to cooperating entities, i.e. companies which XTB Institutional owns or controls, which are under common control with XTB Institutional, or which remain in constant cooperation with XTB Institutional (these include, in particular, banks, investment firms, auditors, companies providing other financial services, IT companies, consultancies or courier companies), only to the extent necessary to perform such cooperation.
Personal data processors
We transfer your personal data to entities providing services and processing your data on behalf of XTB Institutional, i.e. providers of IT services and solutions in the following categories: an IT tool of CRM (customer relationship management) class, an IT tool for video verification of customer identity and verification of customer documents, tools for sending e-mails and a tool for managing and recording phone calls. The entities to which we provide data are not the controllers of your data; in each of the above cases, XTB Institutional remains the data controller. The data is processed by the above-mentioned providers on the basis of a data processing agreement with XTB Institutional and only in accordance with its instructions.
Location
Provision of services by XTB Institutional may require (depending on the scope of activities performed by XTB Institutional) that personal data be transferred to entities providing services to XTB Institutional in other countries, including countries outside the European Economic Area. In the case of transfer to countries which do not ensure an adequate level of personal data protection, XTB Institutional applies safeguards in the form of one of the legal instruments provided for in the GDPR such as, among others, decisions of the European Commission on the determination of an adequate level of protection in one of the third countries, standard contractual clauses approved by the European Commission or the supervisory authority in one of the Member States, approved codes of conduct in a given industry or binding corporate rules.
The data subject shall have the opportunity to obtain a copy of his/her data.
State authorities
If XTB Institutional is requested to provide access to your personal data by authorized state authorities, in particular by law enforcement authorities, enforcement agencies, tax control authorities, courts, public authority appointed to protect personal data, XTB Institutional will provide access to your personal data if such access is required by law.
The right to object to the use of your personal data
In accordance with Article 21 of the GDPR, you have the right to object at any time – on the grounds relating to your particular situation – to the use of your personal data, if we process your personal data on the basis of our legitimate interests, such as in connection with the marketing of products and services. If your personal data is processed for marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing, including profiling. If you object to the data processing for marketing purposes, we will not be able to process your personal data for such purposes.
The right to restrict data processing
In accordance with Article 18 of the GDPR, you may request that we restrict the processing of your personal data in a situation where:
– you question the accuracy of your personal data (in which case we will restrict the use of your personal data for the time needed to verify the accuracy of your personal data),
– the processing of your data is unlawful and you request restriction of use instead of erasure,
– your personal data is no longer necessary for the purposes for which it was collected, but is needed to establish, assert or defend a claim, and if
– you have objected to the use of your data (in which case we will restrict the data processing for the time needed to consider whether the protection of your interests, rights and freedoms outweighs the interests we pursue in processing your personal data).
The right to access, rectification and erasure of personal data
Article 15 of the GDPR states that you have the right to obtain confirmation from us as to whether your personal data is being processed. If this is the case, you have the right to access your personal data, to obtain information about, among other things, the purposes of the processing, the categories of personal data processed, the intended period of data storage or the criteria for determining this period, your rights under the GDPR, your right to lodge a complaint with a supervisory authority, any available information about the source of the data if it was not collected from you, automated decision-making, including profiling as referred to in Art. 22(1) and (4) of the GDPR, and – at least in these cases – with regard to relevant information about the rules of such decision-making, as well as about the significance and anticipated consequences of such data processing for you. In addition, you have the right to be informed on the appropriate safeguards referred to in Article 46 of the GDPR related to the transfer of data if they are transferred to a third country or an international organization. In addition, you have the right to receive a copy of any personal data of yours we hold and to inform us of any inaccuracies you notice. For any subsequent copies you request, we may charge a reasonable fee based on administrative costs. We point out that the right to obtain copies of data must not adversely affect the rights and freedoms of others. If your personal data has changed or you want XOH to correct your personal data held by it, notify us immediately. The right to rectify personal data is provided for in Article 16 of the GDPR and applies only to personal data that is incorrect. As directed, we will amend, correct or delete your personal data from our database, except, however, to the extent that we are required to retain it by regulation or law in order to provide services to you or maintain relevant business records.
The right to data portability
In accordance with Article 20 of the GDPR, you have the right to receive in a structured, commonly used machine-readable format the personal data concerning you that you have provided to us, where the processing is based on consent or on an agreement and the processing is carried out by automated means. You also have the right to request that the personal data be sent by the controller directly to another controller, insofar as this is technically possible.
The right to lodge a complaint to the supervisory authority
You have the right to lodge a complaint to the supervisory authority if you believe that the processing of your personal data by XOH violates the provisions of the GDPR. This right results from Article 77 of GDPR. Under Polish law the appropriate authority is the President of the Office for Personal Data Protection.
The right to revoke consent
Where the basis for the processing of your personal data is your consent, you have the right to withdraw your consent at any time without affecting the legality of the processing performed on the basis of your consent before its withdrawal.
If you make a request to us to exercise any of the rights listed above, we will either comply with the request or refuse to comply with it immediately. On the other hand, we will inform you of the action taken on your request under Articles 15-22 of the GDPR within the maximum time of one month of your request. In the event that we cannot comply with your request within one month due to the complexity of the request or the number of requests received, we will comply with your request within the next two months. We will inform you in advance of the intended extension and state the reason for the delay.
The provision of personal data by you for the purpose of entering into and performing an agreement for brokerage services is a legal requirement or it is necessary for the purpose of entering into and performing an agreement for services. If you refuse to provide personal data that is necessary to enter into an agreement or that is necessary for us to perform our statutory obligations, we will not be able to enter into an agreement, continue the agreement or execute some of your requests related to the agreement.
If you provide personally identifiable information in your complaint, claim or request, it is necessary for us to process it and respond to you.
If you do not provide us with personal information, we will not be able to enter into and perform an agreement for brokerage services or respond to you.
Profiling for the purposes of complying with anti-money laundering and counter-terrorist financing obligations.
We are required under anti-money laundering and counter-terrorist financing regulations to assess the level of risk of money laundering and terrorism financing and to apply security measures to prevent money laundering and terrorism financing. As a result, we process your data to make an appropriate assessment of the level of risk and apply the required security measures.
In making the assessment, we take into account your data from the documents that you have provided to us when entering into an agreement or ordering a transaction. The risk assessment is made on the basis of established criteria, such as, but not limited to, economic, geographic, subject matter and behavioral criteria.
As a result, we automatically assign you to a risk group. If it is a risk group that we do not accept, an automatic block may be triggered, and we will not enter into a relationship with you.
In connection with automated decision-making regarding the determination of a target group resulting in the opportunity to take advantage of a specific offer or not, you have the right to challenge that decision, to express your own position, or to obtain human intervention (i.e., analysis of the data and human decision-making).
Target group profiling
We are required by product management regulations to analyze the financial instruments we offer for their suitability and appropriateness for customers belonging to target groups. This analysis is intended to ensure that the financial instruments we offer, as well as our distribution strategy, are in line with the needs, characteristics or objectives of the group of purchasers (the so-called target group). For this purpose, we examine, among other things, your risk tolerance and financial situation.
Accordingly, we assign you to a specific target group on the basis of the information we obtain from you and using the solutions we have implemented.
In connection with automated decision-making regarding the determination of the target group resulting in the opportunity to take advantage of a certain offer or not, you have the right to contest this decision, to express your position or to obtain human intervention (i.e. analysis of data and decision-making by a human being).