Privacy Policy

  • Table of contents
    1. Introduction
    2. Glossary of terms
    3. Information about the Administrator
    4. Co-administration
    5. Legal basis for processing
    6. Rights of data subjects
    7. Safety of using the site
    8. Cookies
    9. Final provisions.

Introduction
With a view to ensuring the highest standards of security of personal data processing, CBRE sp. z o. o.  would like to inform you that this privacy policy meets the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as the standards contained in national legislation.

    The information presented in the Policy will allow you to learn in detail about the principles of personal data processing as part of your contact with CBRE sp. z o.o.

    Glossary of terms

    Administrator – the Personal Data Administrator, the entity deciding on the purposes and means of personal data processing. The administrator of personal data is CBRE sp. z o. o.

    Personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly.

    EEA – European Economic Area, free trade area and common market, including the European Union and the European Free Trade Association (EFTA) countries, except for Switzerland. This is the area where the free flow of personal data takes place.

    Data Recipient – means a natural or legal person, an organizational unit without legal personality (the so-called defective legal person), a public authority, a unit or another entity to which personal data is disclosed, regardless of whether it is a “third party”.

    Third countries – countries that are not part of the EEA.

    Cookies – are small pieces of information, called cookies, sent by the website we visit and saved on the end device (computer, laptop, smartphone) we use when browsing websites.

    President of the Office – the President of the Office for Personal Data Protection, a supervisory authority within the meaning of the GDPR, which supervises compliance with the law on the protection of personal data in Poland.

    Profiling – means any form of automated processing of personal data, which consists in the use of personal data allowing to evaluate the personal factors of a natural person, in particular the analysis or forecasting of aspects concerning the performance of that natural person’s work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of the data subject – provided that such action produces legal effects vis-à-vis that person or similarly significantly affects that person.

    SSL protocol – is a network protocol used for secure Internet connections, adopted as an encryption standard on websites. An SSL certificate ensures the confidentiality of data transmission sent over the Internet.

    Processing – means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Policy – privacy policy of CBRE sp. z o. o.

    GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

    APESE – the Act on the Provision of Electronic Services of 18 July 2002 (Journal of Laws No. 144, item 1204 as amended).

    PT – Telecommunications Law Act of 16 July 2004 (Journal of Laws No. No. 171, item 1800 as amended

    User – means a person using the website and social profiles of the Administrator.

    Information about the Administrator

    The administrator of your personal data is CBRE sp. z o. o. with its registered office in Warsaw, Rondo Daszyńskiego 1, 00-843 Warsaw, registered in the District Court for the capital city of Warsaw, XII Commercial Division of the National Court Register under KRS number 0000020238, with a share capital of PLN 714,840.00, NIP number 527-23-03-786 (hereinafter referred to as the “Administrator”).  The Administrator can be contacted at the correspondence address or by e-mail: PolandDPO@cbre.com

    Co-administration

    Please be advised that in the scope of personal data processed in connection with the operation of the CBRE profile on Facebook – the administrator of your personal data processed on this portal is both CBRE sp. z o. o. and Meta Platforms Ireland Ltd, thus both entities are joint controllers. For information about CBRE’s processing of personal information and your rights against CBRE, please see this privacy policy. With regard to your own profiles on Facebook, research on your behavior on this portal, exercise of your rights to which you are entitled, etc. please direct to Facebook. Please be advised that by liking, i.e. clicking the “like” button, you agree to the processing of your personal data. More information on joint control and methods of processing personal data, in particular by Facebook, can be found in the terms and conditions and policies on Facebook’s website.

    Legal basis for processing

    Purpose of processingLegal basisData recipientsProcessing time
    Replying to the sent message by e-mail, messenger available on the Administrator’s website, chat – Facebook profile, Linkedin profile and telephone contact.  Article 6(1)(f), i.e. the legitimate interest of the Controller consisting in handling correspondence and telephone conversationsIT service providers; Internet providers; Hosting providers; Microsoft Ltd. Meta Platforms Ireland Ltd. Benhauer sp. z o.o.  For the period necessary to deal with the issue to which the message relates.
    Presentation of the offer (in the case of persons submitting an inquiry on their behalf, i.e. B2C)Article 6(1)(b) of the GDPR, i.e. processing is necessary to take steps prior to entering into a contract.IT service providers; Internet providers; Hosting providers;  Until an objection is filed.
    Presentation of the offer (in the case of persons submitting an inquiry on behalf of the entity for which they provide services, i.e. B2B)Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the controller consisting in offering and establishing business cooperation.IT service providers; Internet providers; Hosting providers; Callpage sp. z o.o.  Until an objection is filed.
    Marketing – text messages and telephone contactArticle 6(1)(f) of the GDPR, i.e. a legitimate interest in carrying out own marketing activities in connection with obtaining consent in accordance with the PT and the APES.IT service providers; Internet providers; Hosting providers; Callpage sp. z o.o.Until an objection is raised or the consent expressed on the basis of the PT and the APES.
    Marketing – newsletterArticle 6(1)(f) of the GDPR, i.e. a legitimate interest in carrying out own marketing activities in connection with obtaining consent in accordance with the PT and the APES.IT service providers; Internet providers; Hosting providers; Salesforce Inc. Benhauer sp. z o.o.  Until an objection is raised or the consent expressed on the basis of the PT and the APES.
    Marketing – running company profiles on social media platforms (Facebook, Instagram, LinkedIn)Article 6(1)(f), i.e.  the legitimate interest of the Administrator consisting in acquiring and retaining a customer by publishing advertising postsIT service providers; Internet providers; Hosting providers; Meta Platforms Ireland Ltd. Microsoft Ltd.  Until an objection is filed.
    Marketing – running landing pagesArticle 6(1)(f) of the GDPR, i.e. a legitimate interest in carrying out your own marketing activities.IT service providers; Internet providers; Hosting providers; Google Ltd. Hotjar Ltd. Microsoft Ltd. Salesforce Inc. ASARI Sp. z o.o. Benhauer sp. z o.o. Callpage sp. z o.o. Usercentrics GmbHUntil an objection is filed.
    Complaints (defence and redress)art. 6 ust. 1 lit. f RODO legitimate interest in establishing, investigating or defending against claims.IT service providers; Hosting providers;  Until the limitation period for claims arising from the provisions of civil law expires.
    Striving to conclude and perform a contract (contractors)art. 6 ust. 1 lit. b RODO taking the necessary steps to conclude a contract with customers.IT service providers; Internet providers; Hosting providers; Law firms and legal advisors;  For the duration of the agreement, its termination and until the deadline for filing potential claims has expired
    Performance of the contract (contractor’s employees). art. 6 ust. 1 lit. f RODO legitimate interest of the Administrator consisting in coordination of activities with the contractor.IT service providers; Internet providers; Hosting providers; Law firms and legal advisors;For the duration of the agreement, its termination and until the deadline for filing potential claims has expired
    Acceptance and consideration of a request under the GDPRArticle 6(1)(c), i.e. the obligation under the GDPR to provide the data subject with information on the actions taken in relation to the requestIT service providers; Internet providers; Hosting Providers- Law firms and legal advisors;Until the statute of limitations for claims expires.
    Keeping statistics and profiling (of the Administrator’s website)Article 6(1)(f), i.e.  the legitimate interest of the Administrator consisting in the collection and use of statistics in order to improve the scope and quality of the services offered.IT service providers; Internet providers; Hosting providers, Google Ltd. Hotjar Ltd. Usercentrics GmbH  Until an objection is filed.

    Rights of data subjects

    Every person whose data is processed has a number of rights under the GDPR. 

    The right to request access to your personal data.

    Each person is entitled to obtain confirmation from the controller as to whether personal data concerning them is being processed, and if this is the case, they are entitled to access them and a number of information.

    We will provide the first copy of the personal data subject to processing to the individual upon request. For any further copies requested by the data subject, we may charge a reasonable fee based on administrative costs. If you request a copy electronically and unless you indicate otherwise, we will provide you with the information in a commonly used electronic form.

    Right to rectification

    You have the right to request that we rectify inaccurate personal data about you without undue delay. You also have the right to request that incomplete personal data be completed, including by providing an additional statement.

    Right to request deletion

    You have the right to request that we delete your data without undue delay, and we are obliged to delete it without undue delay, if one of the following circumstances applies:

    • Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
    • You have withdrawn the consent on which the processing is based and there is no other legal basis for further processing;
    • you have objected to the processing and there are no overriding legitimate grounds for the processing;
    • your personal data has been unlawfully processed;
    • Your personal data must be erased for compliance with a legal obligation under Union law or the law of a Member State to which the controller is subject;
    • Your personal data has been collected in connection with the provision of information society services.

    In accordance with the GDPR, your data, despite the submitted request and the fulfillment of the above conditions, may not be deleted if their processing is necessary:

    • to exercise the right to freedom of expression and information;
    • to comply with a legal obligation under Union or Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • public interest in the field of public health;
    • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the law, to erasure, is likely to render impossible or seriously impede the fulfilment of the purposes of such processing;
    • to establish, pursue or defend legal claims.

    Right to request restriction of processing

    You have the right to request the controller to restrict processing in the following cases:

    • you question the accuracy of the personal data – for a period enabling the controller to verify the accuracy of the data;
    • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims;
    • You object to the processing – until it is determined whether the legitimate grounds on the part of the controller override the grounds for the objection of the data subject.

    Right to object

    You have the right to object, on grounds relating to your particular situation, at any time to processing based on the legitimate interest of the controller or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; including profiling on the basis of those provisions.

    If you object, we are no longer permitted to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    Right to data portability

    You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit such personal data to another controller without hindrance from us if:

    • processing is based on consent or on a contract, and
    • The processing is carried out by automated means.

    The possibility of exercising the right to transfer data and sending them by the administrator directly to another administrator will be implemented if it is technically possible.

    In accordance with the GDPR, the exercise of your rights must not adversely affect the rights and freedoms of others.

    Right to withdraw consent

    If your data is processed on the basis of consent, you have the right to withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

    In the event of withdrawal of consent, we have the right to continue processing the data if it is necessary:

    • to exercise the right to freedom of expression and information;
    • to comply with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • public interest in the field of public health;
    • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the law, to erasure, is likely to render impossible or seriously impede the fulfilment of the purposes of such processing;
    • to establish, pursue or defend legal claims.

    Right to lodge a complaint

    You have the right to lodge a complaint with the President of the Office for Personal Data Protection. As indicated by the President of the Personal Data Protection Office, since the President of the Office is the authority controlling the correct application of the provisions on the protection of personal data by the controller, the complainant should first turn to the controller in order to exercise his rights.

    A direct link to the website of the Office for Personal Data Protection to file a complaint; https://uodo.gov.pl/pl/p/skargi

    Information on data processing outside the EEA

    Your personal data may be processed outside the EEA in certain cases. In the case of CBRE sp. z o. o., this type of data may be transferred to the USA in connection with your activity on our social media profiles on Facebook and Linkedin, which service providers we have indicated in point 5 of this Policy. In addition, in connection with the use of Microsoft 365 services for electronic communication, data may also be transferred to the provider’s servers in the USA via CBRE, Inc.

    In each case, the transfer is legally based on the Data Privacy Framework and, in certain cases, on the basis of Standard Contractual Clauses. Each provider ensures an appropriate level of security for such a transfer. More information on this below:

    Google Ltd. – https://support.google.com/adspolicy/answer/10042247?hl=pl

    Facebook Ltd. – https://www.facebook.com/legal/EU_data_transfer_addendum

    Microsoft Ltd. – https://www.microsoft.com/pl-pl/trust-center/privacy/gdpr-faqs

    Safety of using the site

    We would like to inform you that CBRE sp. z o. o. uses adequate technical and organizational measures to ensure the maximum level of protection for persons using the company’s website and providing their personal data using the contact form.

    In order to guarantee the highest level of security of using the websites, they are secured with an SSL code.

    The Website may contain appropriate links to other websites, in particular in the scope of payment for our services (websites) or other means of communication (radio, television, press, spatial advertising, etc.). Therefore, the Administrator, apart from the websites administered by him, is not responsible for the privacy rules that will be in force on these websites or in such media.

    The Administrator is also not responsible for any damage resulting or likely to result in connection with the use of such websites or media.

    Cookies

    When using our website, cookies are processed.

    We use cookies for the following purposes:

    – maintain and correct operation of the website services

    – keep statistics of users visiting the website

    The data collected by the cookie by Google Analytics (including your IP address) is transmitted to and stored by Google on servers in the United States. If the Websites anonymize IP addresses, the User’s IP address will be truncated by Google within the territory of a member state of the European Union or another country of the European Economic Area before this address is transmitted to the United States. Only in exceptional cases will your full IP address be transmitted to Google servers in the United States and truncated locally. Google will use this information for the purpose of evaluating your use of the Services, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google will not associate your IP address with any other data held by Google.

    Like many other services, Google Analytics and Facebook use their own cookies to analyze Users’ activities. These files are used to store information, e.g. the time of the start of the current visit and whether the User has been to the website before, from which website they came to our website, what screen resolution their device is, what information they were interested in on our website, etc. By using this website, you consent to the processing of your data by Google in the manner and for the purposes set out above.

    Please be advised that implementing the restrictions on the use of technologies set out above may adversely affect the functioning of the website. In order to obtain detailed information about the Google Analytics solution used, please click on the link below:

    https://support.google.com/analytics/answer/6004245

    The legal basis for data transfers outside the EEA is the EC decision on the Data Privacy Framework, and in certain situations these are standard contractual clauses.

    You can configure your browser in such a way that you are informed about the use of cookies and have the ability to decide whether to accept or reject them in certain cases or completely. If you do not accept the use of certain cookies, the functionality of our website may not be displayed correctly.

    Below are instructions for configuration in each browser.

    Internet Explore

    Microsoft Edge

    Mozilla Firefox

    Chrome

    Opera

    Safari

    Final provisions

    Using the Administrator’s website and providing your personal data in the forms is completely voluntary. In some cases, the provision of data may be necessary for the implementation of a specific purpose.

    CBRE sp. z o. o.  reserves the right to amend the Policy at any time due to the scope of services offered and to adapt the amended law. In any case, where possible, we will try to inform you of the update of the Policy before it is implemented. 

    Privacy Policy was last updated on 21/05/2025.