sygnet
icon

Port Gdańsk

Privacy Policy

In performance of its obligation under Article 11 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws 2018, item 1000), Port of Gdańsk Authority S.A. reports that, acting pursuant to Article 37(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Port of Gdańsk Authority S.A. (the Controller) has appointed Mr Karol Cieniak as Data Protection Officer.

Data subjects may contact the Data Protection Officer in all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.

The Data Protection Officer can be contacted via email:
iod@portgdansk.pl or in writing: Zarząd Morskiego Portu Gdańsk S.A.,
ul. Zamknięta 18, 80-955 Gdańsk, Poland with the note ‘Inspektor Ochrony Danych’ or ‘IODO’.

The Data Protection Officer shall ensure full confidentiality of the communication in all matters raised by data subjects.

PGA S.A. Privacy Policy [in Polish, PDF, 542,8 KB, Adobe Reader]

Information on the processing of personal data within a video surveillance system

Port of Gdańsk Authority S.A. with its registered office in Gdańsk 80-955, ul. Zamknięta 18, registered by the District Court Gdańsk – Północ in Gdańsk, 7th Commercial Division of the National Court Register, under KRS no: 0000040398, NIP 583 24 61 866 (hereinafter referred to as “PGA”) is the Controller of the personal data of all persons who enter the area managed by PGA under its video surveillance system (hereinafter “Video Surveillance”);

Contacting the Controller

In matters concerning personal data, you can contact PGA directly, as your Controller – via letter to the address given above or via email: info@portgdansk.pl;

Contacting the Data Protection Officer

Data subjects may contact the Data Protection Officer appointed by PGA in all matters relating to the processing of their personal data and the exercise of their rights under the GDPR;

The Data Protection Officer can be contacted via email: iod@portgdansk.pl or in writing: Zarząd Morskiego Portu Gdańsk S.A., ul. Zamknięta 18, 80-955 Gdańsk, Poland with the note ‘Inspektor Ochrony Danych’ or ‘IODO’;

Scope of Video Surveillance

If land, buildings or individual rooms are covered by Video Surveillance operated by PGA, they are marked with security camera symbols and signs containing information about personal data processing;

Purpose of processing

Video Surveillance is used to ensure the security of the area managed by PGA, including general security, physical security, confidentiality of information and protection of property;

Legal basis

In relation to all persons entering the area managed by PGA who are not employees of PGA, the legal basis for the use of Video Surveillance is Article 6(1)(c) of the GDPR (processing is necessary for compliance with a legal obligation) in conjunction with Article (5a)(1) of the Act on the principles of state property management (PGA fulfils its obligations as a company carrying out a public service mission within the meaning of Article (2)(8)(a)(9) of that Act) and Article (6)(1)(e) GDPR (a task carried out in the public interest resulting from the abovementioned provision). In this sense, being covered by the relevant Video Surveillance System is a condition for access to the covered areas;

Data recipients

Access to video surveillance recordings is provided by delegated employees of Orlen Ochrona Sp. z o.o., representatives of PGA Security Department and selected persons from the PGA structure to the extent appropriate due to the nature of the recorded events. In particular cases where the recording may constitute evidence in a claim, access may also be granted to external law firms and insurance entities as well as other entities that can justify a legitimate interest in accessing the recording concerning the specified event;

Recordings storage period

Video surveillance recordings shall be overwritten after 30 days – provided that there has been no incident justifying securing the recordings during that time. Recordings from the marked area and the appropriate time period are preserved until the settlement of the case and the expiry of the longest limitation period for claims relevant to the incident;

Right to lodge a complaint with the supervisory authority

OData subjects have the right to lodge a complaint with the data protection supervisory authority if they believe that the processing of their personal data violates the provisions of the GDPR. Supervisory authority:
President of the Personal Data Protection Office based in Warsaw, at ul. Stawki 2; Tel. 22 531 03 00). However, if you have any questions or concerns about the processing of your personal data, please consider reaching out to the Personal Data Officer appointed by PGA S.A. first (iod@portgdansk.pl or in writing: Zarząd Morskiego Portu Gdańsk S.A., ul. Zamknięta 18, 80-955 Gdańsk, Poland with the note ‘Inspektor Ochrony Danych’ or ‘IODO’), as he will help you get the necessary information and will conduct an investigation, if necessary;

Other rights

Data subjects have the right to:

  • request access to their data and to receive a copy thereof. However, if a recording is requested to be released or made available – where the recording also includes images of other persons – the scope, manner and the very admissibility of making the recording available shall be assessed on a case-by-case basis;
  • correct (rectify) their personal data;
  • restrict the processing of their personal data;
  • object to the processing of certain data for a specific purpose;
  • have their personal data erased;

In some cases, PGA may not obliged to fulfil your request; however, we will notify you of the reasons for any refusal and the possibility to lodge a complaint or take legal action;

Entry passes

Clause under Article 13 of the GDPR – for persons representing applicants

Pursuant to Article 13 of the General Data Protection Regulation of 27 April 2016. (OJ L 119 04.05.2016), we inform you that:

  1. Your personal data controller is Port of Gdańsk Authority S.A. with its registered office in Gdańsk, Poland (80-955) at ul. Zamknięta 18;
    You can contact the Controller via email: info@portgdansk.pl or via letter to the address indicated above;
  2. To ensure the security of the processing of personal data and facilitating contact with regard to the exercise of data subjects’ rights, the Controller has appointed a Data Protection Officer;
    the Data Protection Officer may be contacted at iod@portgdansk.pl in all matters concerning the processing of personal data and the exercise of rights related to the processing of data.
  3. Your personal data will be processed for the purpose of issuing the requested pass, as well as for the subsequent verification of the correct operation of the pass system;
  4. The legal basis for the processing of personal data of the person representing the entity applying for a pass is Article 6(1)(c) of the GDPR – implementation of the obligation resulting from a legal provision, which consists in ensuring an access control system by establishing a pass system by the entity in charge of the port; The organisation method of the pass system results from the Ordinance of the Council of Ministers of 15 April 2011 on methods and measures for the protection of shipping and maritime ports, issued pursuant to Article 42 of the Act on the security of shipping and maritime ports;
    Ensuring the security of the system through the introduction of the pass system is at the same time a legitimate interest of the Controller within the meaning of Article 6(1)(f) of the GDPR – in particular as regards the provision of data which are not explicitly indicated in the generally applicable regulations but are necessary for identity verification, such as the PESEL number or other identifier enabling unambiguous confirmation of identity in the case of foreigners;
    The principles of issuing passes is described in detail in Passenger, Material and Vehicle Traffic in Port Areas of Port of Gdańsk Authority S.A. issued for the purpose of performing the obligations arising from the abovementioned applicable law;
  5. Your personal data will be kept for 2 years from the date of expiry of the last pass issued on the basis of your application;
  6. The data of persons representing entities requesting a pass will be forwarded to a merchant (person representing an entity entitled to accept the issuance of a specific pass) indicated on the request.
    For security reasons, employees of entities providing physical protection in port areas of Port of Gdańsk Authority S.A. have access to the data collected in connection with the operation of the pass system;
  7. You have the right to request a copy of your personal data, to transfer You have the right to object to the processing of your personal data; the objection is subject to the Controller’s approval based on your individual situation;
  8. You have the right to object to the processing of your personal data; the objection is subject to the Controller’s approval based on your individual situation;
  9. You have the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland);
  10.  The data we ask for in the pass request are absolutely necessary – without this information, a pass cannot be issued;

Issuing of passes

Clause under Article 14 of the GDPR – for persons whose data are provided by the applicant

Pursuant to Article 14 of the General Data Protection Regulation of 27 April 2016. (OJ L 119 04.05.2016), we inform you that:

  1. The controller of your data provided in relation to a pass request is Port of Gdańsk Authority S.A. with its registered office in Gdańsk, Poland (80-955) at ul. Zamknięta 18;
    You can contact the Controller via email: info@portgdansk.pl or via letter to the address indicated above;
  2. To ensure the security of the processing of personal data and to facilitate contact with regard to the exercise of data subjects’ rights,
    the Controller has appointed a Data Protection Officer; the Data Protection Officer may be contacted at iod@portgdansk.pl in all matters concerning the processing of personal data and the exercise of rights related to the processing of data.
  3. Your personal data is collected by the Controller, Port of Gdańsk Authority S.A., from the entity requesting a pass (e.g. the employer provides data of its employees to whom the passes are to be issued);
  4. Port of Gdańsk Authority S.A., as the Controller, obtains the following data of prospective pass holders:
    – full name;
    – nationality;
    – place of employment (for employees);
    – address of residence;
    – PESEL number or, where inapplicable, the series and number of the passport or other document proving identity;
    – photograph;
    – for vehicle passes – the make and registration number of the vehicle;
    – where the pass expires within the period indicated in Section 7 – circumstances of the expiry;
  5. Your personal data will be processed for the purpose of issuing the requested pass, as well as for the subsequent verification of the correct operation of the pass system;
  6. The legal basis for the processing of personal data of a prospective personal pass holder is Article 6(1)(c) of the GDPR – implementation of the obligation resulting from a legal provision, which consists in ensuring an access control system by establishing a pass system by the entity in charge of the port; The organisation method of the pass system results from the Regulation of the Council of Ministers of 15 April 2011 on methods and measures for the protection of shipping and maritime ports based on Article 42 of the Act on the security of shipping and maritime ports;
    Ensuring the security of the system through the introduction of the pass system is at the same time a legitimate interest of the Controller within the meaning of Article 6(1)(f) of the GDPR – in particular as regards the provision of data which are not explicitly indicated in the generally applicable regulations but are necessary for identity verification, such as the PESEL number or other identifier enabling unambiguous confirmation of identity in the case of foreigners;
    The principles of issuing passes is described in detail in Passenger, Material and Vehicle Traffic in Port Areas of Port of Gdańsk Authority S.A. issued for the purpose of performing the obligations arising from the abovementioned applicable law;
  7. Your personal data will be kept for a period of 2 years from the expiry date of your pass;
  8. The data of pass holders will be forwarded to a merchant (person representing an entity entitled to accept the issuance of a specific pass) indicated on the request. For security reasons, employees of entities providing physical protection in port areas of Port of Gdańsk Authority S.A. have access to the data collected in connection with the operation of the pass system;
  9. You have the right to request a copy of your personal data, to transfer the data, to restrict processing and to erase or rectify the personal data – the Controller is not obliged to comply with such requests at all times; the decision will be made on a case-by-case basis and all refusals will be justified;
  10. You have the right to object to the processing of your personal data; the objection is subject to the Controller’s approval based on your individual situation;
  11. You have the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (ul. Stawki 2,
    00-193 Warsaw, Poland);
  12. The data we ask for in the pass request are absolutely necessary – without this information, a pass cannot be issued;

Information clause on the processing of personal data in connection with the conclusion of agreements and the monitoring of network traffic

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, 04.05.2016, p. 1), hereinafter “GDPR”, we inform you that:

  1. The controller of personal data contained in any documents necessary for the conclusion and/or proper performance of agreements is Port of Gdańsk Authority S.A. with its registered office in Gdańsk, at ul. Zamknięta 18, 80-955 Gdańsk, Poland registered in the District Court Gdańsk-Północ in Gdańsk, 7th Commercial Division of the National Court Register under KRS number 0000040398, NIP (Tax ID) 583-246-18-66, share capital (fully paid up) of PLN 2,109,250.00, hereinafter referred to as ‘PGA’;
  2. PGA has appointed a Data Protection Officer who can be contacted in all matters relating to the processing of personal data at: iod@portgdansk.pl;
  3. In matters concerning personal data, you can contact PGA directly, as your Data Protection Officer, via letter to the address given in point 1 above or via email: info@portgdansk.pl;
  4. This processing shall be carried out for the purposes indicated in point 6 below and shall primarily involve the so-called ordinary personal data, as part of which we obtain basic information used for activities related to the handling of the conclusion of an agreement, the performance of its subject matter, as well as the archiving of the agreement itself and the information related to it (in particular with regard to the verification of authorisation and identity), such as: first name, surname, place of work, position held. In exceptional situations, the scope of this data may be wider, if this is necessary for the performance of the agreement (this kind of additional scope may arise, for example, from the need to include documents confirming the qualifications and experience of the person in question in the processing of personal data). In exceptional situations, the scope of this data may be broader if it is necessary for the proper performance of the agreement (such additional scope may arise, for example, from the need to include documents confirming qualifications or entitlements, if at a particular stage of the proceedings related to the conclusion of the agreement or its performance, the provision of such documents is necessary for its proper performance (including confirmation of qualifications), or basic business contact details, in the case of persons designated as contact persons in relation to the implementation of the agreement. Should you wish to receive more detailed information on the scope of personal data to be processed by PGA, please contact us using the data provided above in point 2 or 3;
  5. In the event that a counterparty of the PGA uses the IT infrastructure of the PGA, any data that is processed using this infrastructure may be processed by the PGA as part of the monitoring of network traffic. The PGA shall perform such monitoring within the framework of specialised software dedicated to privileged access management. This monitoring may include activities related to assigning and receiving access to PGA infrastructure and IT systems, analysis of network traffic, and monitoring and logging of activity in PGA information systems.
  6. If you do not provide your personal data directly, the source of acquisition of your personal data by PGA is the entity entering into a direct agreement with PGA;
  7. Personal data obtained in connection with concluded agreements will be processed on the basis of:

    – Article 6(1)(b) of the GDPR, with regard to data concerning natural persons directly concluding an agreement on their behalf, the legal basis for the processing of personal data in this case shall be the necessity to conclude and perform the agreement, in this case also the legal basis shall be Article 6(1)(f) of the GDPR after the termination of the agreement in terms of protection against possible claims, in connection with which they shall be archived for the period of limitation of possible, related claims;

    – Article 6(1)(c) of the GDPR, as fulfilment of a legal obligation to archive data for the purposes of fulfilling obligations under tax law and the Accounting Act;

    – Article 6(1)(f) of the GDPR, regarding acting as a person representing the entity with which the agreement has been concluded, i.e. in order to pursue the legitimate interest of the PGA in performing activities related to the concluded agreement, in particular contacting the representative of the counterparty and securing against possible claims.

    – Article 6(1)(f) of the GDPR, in connection with the monitoring of network traffic as described in point 5 above, in order to ensure the security of the infrastructure, resources and systems of the PGA in the event that the execution of a given agreement is related to the access to the infrastructure of the PGA, the processing of personal data may then include activities related to the allocation and acceptance of access to the infrastructure and systems of the PGA, network traffic analysis, monitoring and recording of activity in information systems;

    – if necessary (e.g. if the network traffic monitoring is related to the implementation within the HR and payroll system of the counterparty), PGA may process special category data, i.e. data concerning health – in such case the basis for the processing of your data is Article 9(1)(b) of the GDPR;

  8. Recipients of personal data may be entities conducting audits on behalf of PGA, the scope of which includes activities related to the agreement, and in case of disputes also external law firms, recipients of data may also be entities providing services related to ensuring the functioning of the IT system, entities providing accounting, advisory, tax, audit, consulting services, providing document destruction services, postal operators, couriers, banks and payment operators;
  9. The period of personal data processing for the purposes referred to in point 7 above shall correspond to the duration of the agreement, and the period of protection against possible claims related to the performance of the agreement (until the expiry of the period of limitation of claims under the provisions of the Civil Code);
  10. Every data subject has the right to request: to have a copy of the processed personal data concerning him/her, to have the data transferred, to have the processing restricted and to have the personal data erased or rectified – not in every situation will the data controller be obliged to comply with such requests, but each case will be considered individually and any refusal will be justified;
  11. Each data subject can object to the processing of his/her personal data (to the extent that his/her personal data is processed based on the legitimate interest referred to in Article 6(1)(f) of the GDPR) – however, the possibility for the controller to take it into account will be determined on a case-by-case basis;
  12. Every data subject has the right to lodge a complaint to the supervisory authority – the President of the Office for Personal Data Protection (ul. Stawki 2, 00-193 Warsaw).

 

Information Clause Implementing the Information Obligation for the Connecting Europe Facility (CEF)

The Minister of Funds and Regional Policy shall be the controller of personal data processed in the Connecting Europe Facility (CEF) in the transport sector – insofar as he acts as an implementing body of the Connecting Europe Facility in the transport sector and as a beneficiary.

Some of the institutions and entities involved in the implementation of operational programmes also act as processors, e.g. the Centre for EU Transport Projects – when they process personal data on behalf of other institutions which are personal data controllers.

  • Purpose of Data Processing

The Minister of Funds and Regional Policy shall process personal data in order to carry out the tasks assigned to the Implementing Authority of the Connecting Europe Facility in the transport sector to the extent necessary for this purpose.

The Minister of Funds and Regional Policy processes personal data specifically for:

  1. Performing duties of the body responsible for the implementation of the CEF in the transport sector with regard to applying for EU funds, implementing projects (including technical assistance projects), confirming the eligibility of expenditure, granting support for the implementation of projects, applying for payments to the European Commission, evaluation, monitoring, control, audit, reporting and information and promotional activities within the framework of the CEF in the transport sector,
  2. Providing an information obligation to make public information on entities receiving support from the CEF in the transport sector.
  3. Legal Basis for Processing

Data processing is carried out in accordance with the GDPR[1]. The legal basis for the processing is the necessity of fulfilling the obligations incumbent on the Minister of Funds and Regional Policy under European and national law (Article 6(1)(c) of the GDPR). These obligations arise, inter alia, from the provisions of the Public Finance Act of 27 August 2009 (Dz.U [Journal of Laws] of 2021, item 305, as amended) and the provisions of European law :

  1. Regulation (EU) No. 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No. 913/2010 and repealing Regulations (EC) No. 680/2007 and (EC) No. 67/2010 – with regard to CEF 2014 – 2020;
  2. Regulation (EU) No. 2021/1153 of the European Parliament and of the Council of 7 July 2021 establishing the Connecting Europe Facility and repealing Regulations (EU) No. 1316/2013 and (EU) No. 283/2014 – with regard to CEF 2021 – 2027;
  3. Regulation (EU) No. 1315/2013 of the European Parliament and of the Council of 11 December 2013 on Union guidelines for the development of the trans-European transport network and repealing Decision No. 661/2010/EU;
  4. Regulation (EU, Euratom) No. 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No. 1296/2013, (EU) No. 1301/2013, (EU) No. 1303/2013, (EU) No. 1304/2013, (EU) No. 1309/2013, (EU) No. 1316/2013, (EU) No. 223/2014 and (EU) No. 283/2014 and Decision No. 541/2014/EU and repealing Regulation (EU, Euratom) No. 966/2012 (OJ L 193, 18.07.2018, p. 1);
  5. Council Regulation (EC, Euratom) No. 2988/95 of 18 December 1995 on the protection of the European Communities financial interests.
  6. Types of Data Processed

The Minister of Funds and Regional Policy, in connection with the implementation of the Connecting Europe Facility, processes personal data of, among others:

  1. Applicants, beneficiaries and partners (and their staff) who apply for Community funds and implement projects (including technical assistance projects) under the CEF in the transport sector.
  2. Employees of the institutions involved in the preparation and handling of projects (including technical assistance projects) and in the implementation and delivery of the CEF in the transport sector.
  3. Persons whose data are processed in connection with the examination of the eligibility of measures in projects under the CEF in the transport sector, including in particular project staff, as well as participants in tender committees, tenderers and contractors, executing public procurement agreements.
  4. Participants of trainings, competitions, conferences and other events of informational or promotional character in the scope of implementing projects within the CEF in the transport sector.

Depending on the role assigned to individuals within the handling of European funds, the Minister may process different types of personal data. The most important types of personal data include: identification data, in particular: first name, surname, PESEL/NIP no., place of work, profession, education, function performed, series and no. of identity card, telephone number, e-mail, salaries.

Data shall be collected directly from data subjects or from institutions and bodies involved in the implementation of operational programmes, in particular applicants, beneficiaries and partners.

Where data is collected directly from data subjects, the provision of data is voluntary. Refusal to provide the data is tantamount to the impossibility of taking appropriate action, such as applying for European funds.

  • Data Retention Period

Personal data will be stored for a period of 5 years from the end of the year in which the final payment for the project is submitted (in accordance with the provisions of Article II(27)(2) of the Grant Agreement – project funding agreement concluded between the beneficiary and the European Commission/European Agency for Climate Change, Infrastructure and Environment CINEA). This period may be extended in certain cases, such as when European Union authorities inspect the Minister.

After the expiry of the aforementioned period, personal data will be subject to archiving in accordance with the provisions of the Act of July 14, 1983, on the national archival resource and archives.

  • Data Recipients

The Recipients of personal data are:

  1. entities entrusted by the Minister with the tasks of handling European funds, including in particular the Centre for EU Transport Projects, as well as beneficiaries,
  2. European Union (EU) institutions, bodies and agencies and other bodies entrusted by the EU with tasks relating to the processing of European funds,
  3. entities providing the Minister with services related to the operation and development of ICT systems and ensuring communication, in particular IT solutions providers and telecommunications operators.
  4. Data Subject Rights

Individuals whose data is processed in connection with the implementation of the Connecting Europe Facility have the following rights:

  1. the right to access and rectify personal data
    In exercising this right, the data subject may ask the Minister, among other things, whether the Minister is processing his or her personal data, what personal data the Minister is processing and where the Minister obtained the data from, the purpose of the processing and its legal basis, and how long the data will be processed.
    If the data being processed is found to be out of date, the data subject may request the Minister to update the data.
  2. the right to delete or restrict their processing – if the prerequisites set out in Articles 17 and 18 of the GDPR are met
    The request for deletion of personal data is carried out in particular when further processing of the data is no longer necessary to achieve the purpose of the Minister or the personal data has been processed unlawfully. The specific conditions for exercising this right are set out in Article 17 of the GDPR.
    Restricting the processing of personal data means that the Minister can only store personal data. The Minister may not transfer this data to other entities, modify or delete it.
    The restriction of the processing of personal data is temporary and continues until the Minister assesses whether the personal data is accurate, processed lawfully and necessary for the purpose of the processing.
  3.  the right to lodge a complaint to the President of the Personal Data Protection Office
  • Data is not subject to automated decision-making
  • Contact with the Data Protection Officer

The Minister of Funds and Regional Policy – with regard to personal data administered under the department of regional development – has its seat at: ul. Wspólna 2/4, 00-926 Warsaw, Poland.

Should any questions arise, the Data Protection Officer can be contacted:

  1. in person: ul. Wspólna 2/4, 00-926 Warsaw, Poland.
  2. via email: IOD@mfipr.gov.pl.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) of 27 April 2016 ( OJ L No.119, p.1 as amended)

 

Information notice for shareholders of Port of Gdańsk Authority S.A.

Pursuant to Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (OJ L 119/1 04.05.2016), hereinafter “GDPR”, we inform you that:

    1. Your personal data controller is Port of Gdańsk Authority S.A. with its registered office in Gdańsk Poland (80-955) at ul. Zamknięta 18, registered by the District Court Gdańsk – Północ in Gdańsk, 7th Commercial Division of the
      National Court Register, under KRS no: 0000040398, NIP 583 24 61 866, hereinafter “PGA S.A.”.
    2. Data subjects may contact the Data Protection Officer appointed by PGA S.A. in all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.
      The Data Protection Officer can be contacted via email: iod@portgdansk.pl or in writing: Zarząd Morskiego Portu Gdańsk S.A., ul. Zamknięta 18, 80-955 Gdańsk, Poland with the note
      ‘Inspektor Ochrony Danych’ or ‘IODO’.

      Information about the collected data

    3. Shareholders’ personal data are processed primarily on the basis of Article 6(1)(c) of the GDPR – for the purpose of fulfilling the obligations arising from the provisions of applicable law set out by the Commercial Companies Code, in particular Article 328[1-3] and Article 406 of the Commercial Companies Code (Journal of Laws of 2019, item 505, as amended).
    4. The register of shareholders referred to in Article 328[1] of the Commercial Companies Code is maintained in electronic form by a specialised, authorised entity, processing data on behalf of and upon the order of PGA S.A. pursuant to Article 28 of the Code of Commercial Companies. Shareholders’ personal data are also processed in the Register of Heirs programme, which is used by PGA S.A. to register the heirs to PGA S.A.’s shares in order to prepare share purchase agreements.
    5. The legal basis is also the implementation of the legitimate interest of PGA S.A. within the meaning of Article 6(1)(f) of the GDPR related to providing efficient tools to identify shareholders – in particular in the identity verification process when holding a general meeting online (copies or scans of documents are destroyed immediately after the identity of a shareholder or proxy has been confirmed, in accordance with the procedure described in the relevant regulations).
    6. The consent referred to in Section 9 of this information notice also serves as a legal basis within the meaning of Article 6(1)(a) of the GDPR.
    7. As a rule, the provision of personal data by a shareholder is mandatory and is a condition for the fulfilment of the obligation under Article 328[1] of the Commercial Companies Code consisting in entering the necessary data in the register of shareholders.

      Scope of data processing 

    8. PGA S.A. processes the following categories of shareholders’ personal data: full name, shareholder’s address or mailing address, quantity and numbers of registered shares, number of votes, and also, at the request of an entitled person,
      a record concerning the transfer of shares to another person together with the record date (data resulting from art. 328 [3] of the Commercial Companies Code) and additionally (to exclude the possibility of misidentification) the PESEL number or the number and series of an identity document. PGA S.A. also requires the shareholders’ bank account numbers to perform its monetary obligations.
    9. Shareholders can also agree to receiving communications from the company via telephone or e-mail, in particular for the purposes of keeping the register of shareholders, voluntarily and at their own discretion, by providing the relevant contact data in an appropriate form. Please note that the provision of these data is voluntary and that the consent given can always be withdrawn, although this does not affect the lawfulness of the processing before the withdrawal.

      Data recipients

    10. The recipients of your personal data will only include entities entitled to obtain personal data on the basis of separate provisions of law, authorised employees/partners of the Controller, entities providing services to PGA S.A. such as: postal operators/couriers, providers of legal services, accountants, providers of IT systems and services, entities running general meetings. You will be notified if such entities are to process data as separate controllers, and in other cases, the data may be made available or transferred only in accordance with Article 28 of the GDPR, i.e. upon the conclusion of a personal data processing agreement imposing data security and confidentiality obligations on the processor.
    11. Please be aware that your data disclosed in the register of shareholders are open to any other shareholder and to the company, pursuant to Article 328[5] of the Commercial Companies Code.
    12.  The Controller has concluded a personal data processing agreement within the meaning of Article 28 of the GDPR with Powszechna Kasa Oszczędności Bank Polski Spółka Akcyjna, Branch of the Brokerage Office in Warsaw, with its registered office in Warsaw, address: ul. Puławska 15, 02-515 Warsaw, Poland, registered in the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number 0000026438, on the provision of services connected with keeping the register of shareholders.
    13.  The entity in question is also entitled to perform monetary obligations towards shareholders on behalf and upon the order of PGA S.A.
    14.  Shareholders’ personal data will be kept for the duration of the company’s existence (historical data concerning the owners of shares).

Information on the rights of data subjects

  1. Data subjects have the right to lodge a complaint with the data protection supervisory authority if they believe that the processing of their personal data violates the provisions of the GDPR. Supervisory authority:
    President of the Personal Data Protection Office based in Warsaw, at
    ul. Stawki 2; Tel. 22 531 03 00). However, if you have any questions or concerns about the processing of your personal data, please
    consider reaching out to the Personal Data Officer appointed by PGA S.A. first (contact data provided in Section 2), as he will help you get the necessary information and will conduct an investigation, if necessary.
  2. Please note that the entity keeping the register of shareholders referred to in Section 12 is entitled to contact the shareholders (on behalf of and upon order of PGA S.A.), which shows that most of the current issues, such as data updates, should be communicated directly to that entity.
  3. Shareholders, as data subjects, have the right to:
    – access their data and receive a copy of the data;
    – correct (rectify) their personal data;
    – restrict the processing of their personal data;
    – object to the processing of certain data for a specific purpose;
    – have their personal data erased.
    In some cases PGA may not obliged to fulfil your request; however, we will notify you of the reasons behind any refusal and the possibility to lodge a complaint or take legal action;
  4.  If the Controller has reasonable doubt as to the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the data subject. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject so requests, information may be provided orally, on condition that the identity of the data subject is confirmed by other means.

    Please note that all updates of this information notice will be published on the website of Port of Gdańsk Authority S.A. at www.portgdansk.pl