Information notice

Information notice on personal data processing by KGHM Polska Miedź S.A.  for a person reporting a violation at the KGHM Polska Miedź S.A. Group

Taking care of the interest, safety and comfort of our employees and associates, and with the aim of preventing and counteracting abuses, we have introduced internal mechanisms to report irregularities. If you have used the procedure provided for reporting irregularities - we may process your data provided in the report (hereinafter: „Report”), as well as your data obtained in connection with taking follow-up actions. Below we present detailed information regarding the processing of personal data by us.

  1. Personal data administrator and DPO

    The administrator of your personal data is KGHM Polska Miedź S.A. with its registered office in Lubin (hereinafter: „we”). You can contact us by post to the following address: M. Skłodowskiej-Curie 48, 59-301 Lubin, and the data protection officer appointed by us can be contacted in all matters regarding data processing by email: IOD@kghm.com. In order to improve contact, please indicate whether your inquiry/request concerns the Head Office or the Branch (and which one).

  2. Scope, purposes of personal data processing and legal basis for processing

    Your personal data will be processed for the purpose of registering and recognizing your notification of infringement, possibly contacting you in connection with the Reporting, and - if there are grounds for doing so - in order to counteract (prevent) the violation to which the Reporting relates. The processed data will include data that you will include in the Application or provide us at the stage of its recognition. It may also be data determined by KGHM as part of activities related to the Report, including data received from third parties (e.g. data provided by established witnesses or other persons). The data we process may include, for example, your identification data (e.g. name and surname), contact details (correspondence address, e-mail address), name of the employing entity, position, circumstances of the infringement, as well as communication metadata (e.g. date of contact ) and its content. The basis for the processing of your data in the above-mentioned the purposes are the legitimate interest of KGHM, in particular taking care of the legal and financial security of our company and the KGHM capital group, taking care of proper relations in the workplace, as well as relations with contractors and suppliers, preventing and counteracting abuses and striving to ensure comfortable working conditions and provision of services (Article 6(1)(f) of the GDPR).

    If the processing of your data is necessary to fulfill a legal obligation incumbent on KGHM, e.g. the obligation to notify specific authorities or if the Report concerns mobbing or discrimination behavior, which we are obliged to prevent (which results in particular from the provisions of the Labor Code) - Your personal data will be processed in connection with the performance of our obligations under the law, including internal company regulations such as the Work Regulations (Article 6(1)(c) of the GDPR). On the other hand, when the purposes of processing result from the legitimate interests of KGHM, such as the need to establish, pursue or defend claims, conduct analyzes and statistics of violations - the legal basis for processing is Art. 6 sec. 1 lit. f) GDPR.

    In the case of special categories of personal data (so-called „sensitive” personal data), the legal basis for their processing is art. 9 sec. 2 letter f) of the GDPR (necessity to establish, pursue or defend claims). If the processing of such data is necessary to fulfill a legal obligation imposed on KGHM in the field of labor law, social security and social protection - the legal basis is art. 9 sec. 2 lit. b) GDPR.

    In some situations, depending on the subject of the Report, the processing of your data may also be necessary due to an important public interest, which is adequate protection and prevention of disruptions in the current functioning of KGHM as a company important for the interests of the state and conducting activities within which violation of the rules safety may have a negative effect not only directly on the premises of KGHM, but also on the premises inhabited by local communities (e.g. as a result of a failure) - Art. 9 section 2 lit. g) GDPR.

  3. Data source

    We have received your data directly from you, and then they can be supplemented with additional circumstances also by other persons participating in the process related to the submission and handling of the Application.

    You provide your data voluntarily.

  4. The period of storage of your personal data

    We will process your personal data, in particular, for the period necessary to register and handle the Application and for the time necessary to document the activities performed (including the need to make documentation available to the relevant authorities), but not longer than for a period of 5 years after the end of the calendar year, in which the actions taken as a result of the Report were completed, in accordance with the applicable internal archiving standards.

    If, as a result of the Report or in connection with the findings made in the course of considering the Report, court proceedings are initiated or certain claims/obligations of KGHM are identified, or if KGHM finds it necessary to take corrective action (for example, implementing changes to the applicable procedures) - the data will be further processed in to the necessary extent - (respectively) until the completion of these court proceedings and their settlement, the limitation of claims or the completion of the implementation of corrective actions.

  5. Recipients of your personal data

    Your personal data is only accessed by:

    - our duly authorized employees or associates who are obliged to keep them secret and not to use them for purposes other than those for which we obtained your data;

    - entities with whom we cooperate in our current activities, such as ICT / IT service providers, providers of legal, financial, accounting and advisory services, postal operators / couriers, our subcontractors;

    - other companies from the KGHM capital group - if the Report or the circumstances disclosed in the course of its consideration are related to the activity conducted by a given company.

    Your personal data may be disclosed to entities authorized under the law (e.g. public authorities and legal protection authorities: offices, courts, the Prosecutor's Office or the Police). In this case, information is provided only if there is a proper legal basis for it.

  6. Your rights related to the processing of personal data

    We would like to remind you that the GDPR grants you the right to:

    - access to your data; rectification of your data; data deletion request; request restriction of processing;

    - raise an objection; in certain situations, you have the right to object to the processing of your data, e.g. for reasons related to your particular situation, you can object to the operations we perform when we base our processing on our legitimate interest.

    When, despite your objection, we come to the conclusion that there are important, legally justified grounds for processing, overriding your interests, rights and freedoms or grounds for establishing, pursuing or defending claims, we will continue to process your data covered by the objection to the necessary extent.

    - lodge a complaint with the supervisory body, which in Poland is the President of the Office for Personal Data Protection.

    A detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155. To exercise the above rights, please contact us or our data protection officer.

  7. Automated decision making

    As a result of the processing of your personal data, no decisions will be made in an automated manner (without human participation).

  8. Transfer of data outside the EEA

    Due to the fact that we or our contractors - e.g. providers of legal, tax or auditing services - use modern technologies, such as cloud services, your personal data may be transferred to countries outside the European Economic Area. In each such case, we apply appropriate safeguards, including, for example, standard data protection clauses adopted pursuant to a decision of the European Commission. You have the right to obtain a copy of the indicated safeguards regarding the transfer of personal data - to obtain them, contact us or our data protection officer.