Skip to content
Home Page / GDPR
Share
Share

GDPR policy

DEFINITIONS

Cotroller / PEJ – Polskie Elektrownie Jądrowe sp. z o.o., with its registered office in Warsaw, Al. Jerozolimskie 132/136, 02-305 Warsaw, entered in the Register of Entrepreneurs of the National Court Register (KRS) kept by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number: 0000347416, Tax Identification Number (NIP):
701-021-82-99.

Personal data – all information about an identified or identifiable natural person by one or more specific factors that determine the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, including the image, voice recording, contact data, location data, information contained in correspondence, information collected with a recording device or other similar technology.

Policy the GDPR Policy.

GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Data subject each natural person whose personal data is processed by the Controller, (e.g., our customers, persons using our services, visiting our premises, people who correspond with us).

DATA PROCESSING BY THE CONTROLLER

In connection with its business activities, it collects and processes Personal Data in accordance with the relevant regulations, including in particular the GDPR, and the data processing rules provided therein.

We ensure transparency in data processing, in particular, we always inform about the processing of data at the time of collection, including the purpose and legal basis for processing. We make sure that data is collected only to the extent necessary for the purpose indicated, and processed only for the necessary period of time.

When we process data, we ensure its security, confidentiality and access to information about the processing for data subjects.  In the event that, despite the security measures in place, there is a breach of personal data protection (e.g., data “leakage” or loss), we inform data subjects of such an event in a manner consistent with the regulations.

CONTACT WITH THE CONTROLLER

You can contact us by e-mail at sekretariat@pej.pl, at other e-mail addresses indicated in the Contact tab, or in writing to Polskie Elektrownie Jądrowe sp. z o. o., Al. Jerozolimskie 132/136, 02-305 Warsaw. We have appointed Natalia Domagała as the Data Protection Officer who can be contacted via e-mail at iod@pej.pl on any matter concerning personal data processing.

SECURITY OF PERSONAL DATA

To ensure the integrity and confidentiality of data, we have implemented procedures to allow access to personal data only to authorized persons and only to the extent necessary for the tasks they perform.

We use organizational and technical solutions to ensure that all operations on personal data are recorded and performed by authorized persons only.

Furthermore, we take all necessary measures to ensure that our subcontractors and other cooperating entities provide guarantees to apply appropriate security measures whenever they process Personal Data on our behalf.

We conduct an ongoing risk analysis and monitor the adequacy of the data safeguards in place to address the risks identified. If necessary, we implement additional measures to enhance data security.

PURPOSES AND LEGAL BASIS OF DATA PROCESSING BY THE CONTROLLER

E-mail and traditional correspondence

If you send correspondence to us by e-mail or traditional mail, the personal data contained in such correspondence is processed solely for the purpose of communication and handling of the matter to which the correspondence related, or related matters.

The legal basis for processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of the GDPR) consisting of the necessity to manage correspondence addressed in connection with the conducted activity.

We process only the personal data needed for the matter which the correspondence refers to. All correspondence is stored in a manner which ensures the security of the personal data and other information contained therein, and is disclosed only to authorized persons.

Telephone contact

In the event of telephone contact, we may request personal data only if it is necessary to process the case. In this case, the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of the necessity to handle a reported business-related matter.

Phone calls may also be recorded (which we inform about at the beginning of the call) – in order to handle the matter and process the inquiry directed to us at the highest level.

CCTV and access control

In order to ensure the security of people and property, the Controller uses CCTV monitoring and controls access to the premises and grounds managed by the Controller (key and card monitoring). The data collected in this way is not used for any other purpose.

Personal data in the form of monitoring recordings and data collected in the entry and exit register are processed for the purpose of ensuring security and order on the premises and possibly for the purpose of defending or pursuing claims. The legal basis of data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).

Recruitment

Within the recruitment processes, we acquire data provided to us, e.g. in a resume or CV, only to the extent specified in the provisions of labor law. Therefore, information should not be provided in a larger extent. In the event that the submitted applications contain such additional data, this information will not be used or taken into account in the recruitment process or for any other purposes.

Personal data is processed for the following purposes:

  • to fulfil obligations resulting from legal provisions, related to the process of employment, in particular the Labor Code – under Article 6 (1)(c) of the GDPR in relation to the provisions of the Labor Code;
  • to carry out the recruitment process in the scope of data not required by legal provisions, as well as for the purposes of future recruitment – under Article 6(1)(a) of the GDPR;
  • to establish or pursue possible claims or defend against such claims – under Article 6(1)(f) of the GDPR.

Employment

PEJ processes personal data of persons employed under a contract of employment to perform the contract concluded with them, under the labor law provisions. In particular , the processing includes activities related to the establishment and termination of employment, ongoing personnel management, working time recording, calculation and payment of remuneration, initial and periodic examinations, managing sick leaves, management of occupational health and safety, execution of tasks related to the operation of the Company Social Benefit Fund, as well as archiving of employee documentation.

Personal data of persons cooperating with PEJ on the basis of a different contract (B2B cooperation agreement, contract for specific work, contract of mandate, postgraduate internship, student internship, etc.), are processed in order to perform the contract concluded with them. Data is processed to the extent necessary for the performance of this contract. In particular , the processing includes activities related to the conclusion and termination of contracts, the ongoing management of personnel, and the calculation and payment of remuneration. 

Regardless of the legal form of employment, PEJ processes personal data in order to comply with its public liabilities under labor, tax, accounting and social security laws. This applies in particular to processing for the calculation and payment of advance income tax, social security contributions, as well as health and sickness insurance contributions. Other purposes for which data may be processed include organizing business trips and training, in connection with career development tasks, managing payment cards, mobile phones and other equipment provided to employees, analyzing and evaluating the effectiveness of tasks performed, managing benefits such as the medical package, sports card, company car and group insurance, and in connection with other internal administrative objectives of PEJ. The processing of personal data for these purposes is carried out on the basis of the Controller’s legitimate interest in ensuring IT security, conducting HR policies and managing benefits, respectively.

In specific situations, data may be processed by PEJ for the purpose of documenting accidents at work, based on the provisions of labor laws; for the purpose of pursuing claims or protecting against claims, based on the Company’s legitimate interest in protecting the Company’s rights.

Collection of data in connection with the provision of services or performance of other contracts

If we collect data for the performance of a specific contract, we shall provide the data subject with detailed information regarding the processing of his/her personal data, at the latest at the time of entering into the contract. The data of a party to the contract that is a natural person is processed by PEJ to perform the contract to which the data subject is a party (Article 6(1)(b) of the GDPR).

Processing of personal data of Management Board members, commercial proxies, attorneys, or personnel of contractors cooperating with the Controller

In relation to the conclusion of contracts in the course of its business, the Controller obtains from the contractors the data of board members, proxies or attorneys, persons involved in the performance of such contracts (e.g., persons authorized to contact, persons performing specified work, etc.). The scope of the data provided is in any case limited to the extent necessary to confirm one’s authority to represent and perform the contract, and usually does not include information other than name and business contact information.

Such personal data is processed for the purpose of pursuing the legitimate interests of the Controller and its contractor (Article 6(1)(f) of the GDPR), which is to enable the proper and effective performance of the contract. Such data may be disclosed to third parties involved in the contract.

The data is processed for the period necessary to pursue the above interests and to fulfill regulatory obligations.

Handling of whistleblower reports in accordance with the provisions of the Act on the protection of whistleblowers

When a whistleblower report is submitted to the Controller under the Whistleblower Protection Act, if the report is not submitted anonymously, PEJ will process the whistleblower’s personal data in order to handle such a report and to prevent the reported violation. The legal basis for data processing:

  • with regard to common data (e.g., name, surname, phone number), Article 6(1)(c) of the GDPR (necessity of processing to fulfill an obligation under a legal provision),
  • for special categories of data (e.g., data regarding health, sexuality, political opinions, trade union membership) Article 9(2)(g) GDPR (the processing is necessary for reasons of important public interest, on the basis of Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject).

Establishment, exercise, and defense of claims

In relation to its activity with regard to situations where the Controller’s economic interests are threatened, PEJ has the right to process personal data of a person whose actions threaten the Controller’s economic interests for the purpose of establishing and exercising its claims or defending against claims of other persons who make claims against PEJ – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR); the legitimate interest consists in the Controller’s pursuit and protection of its rights.

Data collection in other cases

In connection with the activity conducted, we also collect personal data, for example, during business meetings for the purpose of establishing and maintaining business contacts. In this case, the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of networking in connection with its business activity.

Personal data collected in this way is processed only for the purpose for which it was collected, with adequate protection.

Information about the personal data processed within our websites can be found in a separate document: Privacy Policy of the www.pej.pl Website.

  1. DATA RECIPIENTS

In connection with conducting activities that require personal data processing, they may be disclosed to external entities, including those operating information systems and equipment, legal service providers, couriers, marketing or recruitment agencies.

Any disclosure or transfer of personal data to competent authorities or third parties that make a request for such information may occur only on an appropriate legal basis and in accordance with the provisions of applicable law.

TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

The level of protection of Personal Data outside the European Economic Area (EEA) differs from the level provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary, and with an adequate degree of protection, primarily by:

  • cooperation with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued;
  • use of standard contractual clauses issued by the European Commission;
  • application of binding corporate rules approved by the relevant supervising authority;

The Controller always informs about the intention to transfer personal data outside the EEA at the stage of data collection.

The period of data processing depends on the processing purpose, and may also result from law provisions if they are the basis for processing. In the case of data processing based on the legitimate interest of the Controller, the data is to be processed for a period of time that allows for its pursuit or until an effective objection to the data processing is reported. If processing is based on consent, the data is processed till its withdrawal. Where the basis for processing is necessary for the conclusion and performance of the contract, the data will be processed until the contract is terminated.

The period of data processing may be extended if the processing is necessary for the establishment, exercise or defense of possible claims, and thereafter only in the case and to the extent required by law. At the end of the processing period, the data are irreversibly deleted or anonymized.

RIGHTS RELATED TO PERSONAL DATA PROCESSING

Rights of data subjects

Rights of data subjects are the following:

  • Right to information about the processing of personal data – we provide the person making such a request with information about the data processing, including, first and foremost, with the purposes and legal grounds for processing, the scope of the data held, the entities to which it is disclosed and the planned date for its deletion;
  • Right to obtain a copy of the data – we provide a copy of the data processed concerning the person making the request;
  • Right to rectification – at the request of the data subject, we will delete any inconsistencies or errors in the personal data processed and supplement the data if it is incomplete;
  • Right to erasure – you can request the erasure of data whose processing is no longer necessary to pursue any of the objectives for which it was collected;
  • Right to restriction of processing – if you make such a request, we will stop performing operations on personal data and storing it until the reasons for restriction of processing cease to exist (e.g., a decision is issued by a supervisory entity authorizing further processing);
  • Right to data portability – to the extent that the data is processed by automated means or in connection with a contract or given consent, we will issue the data provided by the data subject in a machine-readable format.
     You can also request that this data be sent to another entity – provided, however, that there are technical capabilities on both our side and the other entity’s side to do so;
  • Right to object to data processing for direct marketing purposes – you can object at any time to the processing of your personal data for direct marketing purposes, without having to justify such objection;
  • Right to object to other purposes of data processing – the data subject may object at any time to the processing of personal data for reasons related to his/her particular situation – as long as we process his/her data on the basis of a legitimate interest of the Controller (i.e. on the basis of Article 6(1)(f) of the GDPR, e.g. for analytical or statistical purposes or for property protection reasons). Objections in this regard should include a justification;
  • Right to withdraw consent – if the data is processed on the basis of the consent given, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing performed prior to the withdrawal.
  • Right to complain – if the processing of personal data is deemed to violate the provisions of the GDPR or other data protection laws, the data subject may file a complaint with the President of the Personal Data Protection Office.

Raising demands and requests regarding the implementation of rights

The request/demand can be submitted:

  • in writing, to the address: Polskie Elektrownie Jądrowe sp. z o.o., Al. Jerozolimskie 132/136, 02-305 Warsaw (marked “IOD”)
  • by e-mail to: iod@pej.pl

In order to improve service, we kindly ask you, if possible, to indicate precisely what the request/demand is about, such as:

  • what right you want to exercise (e.g., the right to receive a copy of your data, the right to erasure, etc.);
  • what processing the demand concerns (e.g., use of a specific service, activity on a specific website, receipt of a newsletter, etc.);
  • what processing purposes the demand refers to (e.g., marketing purposes, analytical purposes, etc.).

If we are unable to determine the content of the demand or identify the person submitting the request based on the notification made, we will ask for additional information. Responses to applications should be given within a month after their receipt. If it is necessary to extend this deadline, we will inform you of the reasons for the extension.

The response shall be provided in writing, unless the demand/request was submitted by e-mail or a response in electronic form was requested. If there is any doubt as to the identity of the person making the request via e-mail, we reserve the right to verify the identity.

Rules for charging

The processing of submitted requests is free of chargeFees may be charged only in the case of:

  • a request to release a second and each subsequent copy of data (the first copy of data is free of charge); in this case, we may demand a fee of PLN 20 (in words: twenty złotys). The above fee includes the costs associated with the request implementation.
  • submission by the same person of excessive (e.g., extremely frequent) or clearly unreasonable requests; in such a case, we may require payment of a fee of PLN 20 (in words: twenty zlotys). The above fee includes the costs associated with taking the requested action.

If the decision to impose the fee is questioned, the data subject may file a complaint with the President of the Personal Data Protection Office.

CHANGES TO THE POLICY OF PERSONAL DATA PROCESSING

The policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted on 03.03.2025

Contact
Social media
About us
The Project
For suppliers
Press center
  • © 2025 Polskie Elektrownie Jądrowe sp. z o.o.
  • All rights reserved
Skip to content