GDPR

Protection of personal data

In accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, we present information on the processing of personal data below.

Who is the Personal Data Administrator?

The administrator of your personal data is:

1. ResInvest Energy Polska sp. z o.o., Al. Jerozolimskie 63, 00-697 Warszawa,
2. ResInvest Energy Skawina S.A., ul. Piłsudskiego 10, 32-050 Skawina,
3. ResInvest Energy Chorzów S.A., ul. Marii Skłodowskiej-Curie 30, 41-503 Chorzów,
4. ResInvest Energy PE sp. z o.o., ul. Marii Skłodowskiej-Curie 30, 41-503 Chorzów.

Why do we need personal data?

Each time before starting the processing of personal data, the Administrator identifies the purpose, the legal basis for their processing and specifies the data retention period.

When we are bound by an agreement, we process personal data for the purpose of its conclusion and implementation, for at least 6 years from its termination, due to the requirements of tax law. We may also process your personal data due to legal requirements imposed on us by Polish or European law, e.g. when an accident at work occurs on the premises of one of our facilities. In such a situation, we will process the personal data of the participants in the accident, due to the legal requirements in the area of ​​health and safety, for the period indicated in these regulations. It also happens that we process your personal data in our legitimate interest, e.g. in order to ensure the safety of property and persons staying on the premises of the Company, in connection with the use of video monitoring.

Each time, we will make every effort to inform you about the purpose of personal data processing, the legal basis for this processing, the data retention period and all other information required by the GDPR, as part of the implementation of the information obligation.

Information clauses

1. Customer Contractor
2. Subcontractor
3. Persons reporting violations of law - Whistleblowers
4. Persons staying in the area covered by video monitoring

What matters does the Data Protection Officer deal with?

The Data Protection Officer (hereinafter referred to as the IOD) was appointed pursuant to Article 37 of the GDPR. The IOD, among other things, verifies the correctness of the processing of personal data. As part of its activities, it is also the contact point for all reports related to possible irregularities in their processing. Therefore, you can contact the IOD, for example, if you want to exercise one of the rights granted under the GDPR.

Your rights under the GDPR

Subject to the limitations set out in the GDPR and other legal requirements, you are entitled to:

• the right to request access to your personal data from the administrator, their rectification, deletion or restriction of processing or the right to object to the processing, as well as the right to transfer data,
• the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal,
• the right to lodge a complaint with the supervisory authority (www.uodo.gov.pl).

How will your application be processed?

The application may be submitted through the administrator's employees or directly to the IOD. We will deal with it immediately and respond within one month. If the verification of the possibility of fulfilling your request takes longer than one month, you will be informed of the extension of the response deadline in a separate letter. Such an extension is possible due to the complexity of the request or the number of submitted applications. If the application does not allow for your unambiguous identification or is unclear, the IOD will send you a request to supplement it within one month of receipt of the application. If the application is submitted electronically, further correspondence will also be conducted in this form, if possible. In other cases, you will be informed in writing, by registered letter with acknowledgment of receipt, about the method of considering the application. Consideration of the application is free of charge. However, if the request is clearly unjustified or frequently repeated, the Personal Data Administrator may:

• impose a reasonable fee, taking into account the reasonable administrative costs associated with processing the application, communication or carrying out the requested operations or
• refuse to process the application.

How to contact the Data Protection Officer?

Electronically to the address:

1. for ResInvest Energy Polska sp. z o.o.: iodo.polska@repolska.pl
2. for ResInvest Energy Skawina S.A.: iodo.skawina@repolska.pl
3. for ResInvest Energy Chorzów S.A.: iodo.chorzow@repolska.pl
4. for ResInvest Energy PE sp. z o.o.: iodo.pe@repolska.pl

or in writing to the above address of the ADO registered office, with the note: Inspektor Ochrony Danych [Data Protection Officer].

What are the rules for processing personal data?

In the interests of security, respect and adherence to your rights, personal data are:

• processed lawfully, fairly and transparently,
• collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
• adequate, relevant and limited to what is necessary for the purposes, i.e. data minimisation,
• correct and updated as needed,
• stored in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the data is processed,
• processed in a way that ensures appropriate security of personal data: protection against unauthorised or unlawful processing and accidental loss, destruction or damage using appropriate technical and organisational measures.

In addition, based on the risk assessment process, safeguards have been implemented that minimize the likelihood of a breach of personal data protection. The scope of the safeguards includes both the area of ​​personal security (e.g. training in personal data protection is carried out), physical security (e.g. documentation is stored in supervised rooms and additionally placed in locked cabinets) and IT security (e.g. encryption of computer hard drives is used).

Will we share your data?

As part of the processing activities, your personal data may be transferred to our trusted partners. The recipients of personal data may include:

• suppliers of IT systems and services with whom the administrator cooperates,
• companies providing security services for our facilities,
• external law firms,
• consulting companies,
• companies providing courier services,
• other authorized entities at their documented request.

Data transfer outside the European Economic Area and profiling

Your personal data will generally not be transferred outside the European Economic Area and will not be profiled. However, transfers outside the EEA may be carried out by, among others, Microsoft as a provider of the Microsoft 365 service as part of the use of global cloud services. Microsoft carries out transfers outside the EEA using security mechanisms based on standard contractual clauses in accordance with Article 46 paragraph 2 of the GDPR, as well as using, in accordance with Article 45 of the GDPR, a transfer mechanism based on a decision confirming the adequacy of protection for entities listed in the EU-US Data Privacy Framework, i.e. the principles of the data protection framework between the European Union and the United States, implemented by the decision of the European Commission of 10 July 2023 and issued by the US Department of Commerce (EU-U.S. DPF).

If you do not find answers to your questions in this information, please contact the Data Protection Supervisor via the e-mail address provided.