Privacy Policy

Privacy is very important to us. The protection of individuals in relation to the processing of personal data is one of the fundamental rights, and therefore we take actions to ensure the security of processed data through appropriate technical and organizational measures.

The purpose of this privacy policy is to provide information regarding the application of the EU legal regulation GDPR and the functioning of cookies. This privacy policy contains information on the processing of personal data that you may provide to us when visiting our website. On the website, you can find information about current events and ongoing projects, read announcements, view photo materials, learn about our products and services, find out about employment opportunities, or get the latest news. If we provide links to other websites on our website, we are not responsible for the privacy policies of those sites. When you enter the websites of external entities, we recommend familiarizing yourself with the privacy policy of those entities.

Personal data

Personal data is any information relating to an identified or identifiable natural person. As personal data we also understand individual information which, only when put together, can lead directly or indirectly to the identification of a specific natural person. Processing personal data means performing operations on personal data, by whatever means, in particular the collection, storage, recording, organisation, modification, consultation, use, disclosure, restriction, erasure or destruction of personal data.

Information about the Administrator

The Administrator of the personal data being processed is Huta Stalowa Wola S.A. with its registered office in Stalowa Wola at 8 Gen. Tadeusz Kasprzycki St., 37-450 Stalowa Wola. In matters related to the processing of personal data, you can contact the Administrator by sending an e-mail to rodo @ hsw pl or by directing traditional correspondence to the above address of the Administrator’s registered office.

Data processing by the Administrator

In connection with its activities, the Administrator collects and processes personal data. The processing of personal data is carried out in compliance with applicable laws, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

The Controller processes personal data transparently, particularly by informing about data processing at the time of collection, including the purpose and legal basis for processing, e.g., within the framework of the recruitment process or when concluding a contract. The Controller ensures that data is collected to the necessary extent for the indicated purpose and processed for the period necessary to achieve the purpose of processing.

When processing data, the Administrator ensures their security and confidentiality, as well as access to information about the processing to data subjects. In the event that, despite the security measures applied by the Administrator, a breach of personal data protection occurs, the Administrator shall inform the data subjects of such an event in accordance with the applicable legal provisions.

Data Recipients

In connection with the conduct of activities requiring processing, personal data may be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, entities providing legal services or couriers. Data may also be disclosed to entities related to the Administrator, including companies in its capital group. The Administrator reserves the right to disclose selected information concerning the data subject to the competent authorities or to third parties who make a request for such information on the basis of an appropriate legal basis and in accordance with the provisions of the applicable law.

Personal Data Processing Period

The period of data processing by the Controller depends on the purpose of the processing. The period of data processing may result directly from the law, in case of data processing on this basis. For data processed on the basis of the legitimate interest of the Controller (e.g. for security reasons), the data shall be processed for the period enabling the fulfilment of this interest or until an effective objection to the processing is raised. Where processing is based on consent, data are processed until the consent is withdrawn. When the basis for processing is the necessity to conclude and perform a contract, the data are processed until the contract is terminated. The processing period may be extended, among other things, when processing is necessary to establish or pursue claims or defend against claims, and after this period – only if and to the extent required by law. After the processing period expires, data will be deleted or anonymized.

Rights of Data Subjects

A data subject is any natural person whose personal data is processed by the Controller, e.g., a person visiting the Controller’s premises or making an inquiry via email. The Controller ensures that data subjects can exercise their rights in cases provided for by the GDPR.

Data subjects have the following rights:

  • Right to information about the processing of personal data – on this basis the Administrator informs the data subject about the processing of personal data, including, in particular, the purposes and legal basis of the processing, the scope of the data held, the entities to which the data are disclosed, and the planned date of deletion of the data;
  • Right to obtain a copy of the data – on this basis, the Controller provides the data subject with a copy of the processed data;
  • Right of rectification – on this basis, the Administrator is obliged to remove any inconsistencies or errors in connection with the processing of personal data and to complete the data if it is incomplete;
  • The right to erasure – on this basis the Administrator may be requested to erase data the processing of which is no longer necessary for the performance of any of the purposes for which it was collected;
  • The right to restrict processing – on this basis, the Controller is obliged to cease performing operations on personal data – with the exception of operations consented to by the data subject – and to store them, in accordance with the retention rules adopted or until the reasons for restricting the processing cease to exist (e.g. it may be a decision issued by a supervisory authority to allow further processing);
  • The right to data portability – on this basis – to the extent that the data are processed in connection with a contract concluded or consent given – the Administrator shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity – provided, however, that the technical capacity to do so exists both on the part of the Controller and that other entity;
  • Right to object to data processing – on this basis, the data subject can at any time object to the processing of their personal data by the Controller, which is carried out based on legitimate interest (e.g., for analytical or statistical purposes or due to property protection reasons). The objection in this respect should contain justification;
  • The right to withdraw consent – on this basis, the data subject has the right to withdraw the consent given to the Controller for the processing of his/her data, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of consent;
  • The right to complain – on this basis, a data subject may lodge a complaint with a supervisory authority if they consider that the processing of personal data breaches the provisions of the GDPR or other data protection legislation.

In order to exercise the above rights, please contact the Administrator using the contact channels provided in the Information about the Administrator section.

Purposes and Legal Basis of the Processing

E-mail and Traditional Correspondence

When contacting the Administrator via email or postal mail, the personal data contained in that correspondence is processed for the purpose of communication, including responding to the matter to which the correspondence relates. Legal basis for the processing – the legitimate interest of the Administrator (Article 6(1)(f) GDPR), which is to carry out the correspondence addressed to it in relation to its activities. The Administrator processes personal data relevant to the resolution of the matter, and the correspondence is stored in a manner ensuring the security of the personal data (and other information) contained therein and disclosed only to authorized persons.

Telephone Contact

When contacting the Administrator by telephone, on matters not related to the concluded contract or the services provided, the Administrator may request personal data only if it is necessary to handle the matter to which the contact relates. The legal basis in such a case is, as a rule, the legitimate interest of the Administrator (Article 6(1)(f) GDPR) consisting of the need to resolve the reported matter related to his/her business activity.

Video Monitoring and Access Control

In order to ensure the security of people and property, the Administrator uses video surveillance and controls access to the building and to the premises managed by it. Personal data, in the form of video surveillance recordings and data collected in the register of entrances and exits, are processed in order to ensure security and order in and around the premises and in the event of investigation or defence against claims. The basis for the processing of personal data is the Administrator’s legal obligation or legitimate interest (Article 6(1)(c) and (f) of the GDPR) to ensure the safety of the Administrator’s persons or property and to protect their rights.

Employee Recruitment

In the recruitment processes, the Administrator does not expect the transfer of personal data (e.g., in a CV or resume) beyond what is specified by labor law. Therefore, providing data beyond the scope that is prescribed by law is treated by the Administrator as a conscious and voluntary act of the data subject.

Personal data is processed:

  • In order to comply with legal obligations relating to the employment process, including primarily the Labour Code – the legal basis for the processing is a legal obligation incumbent on the Administrator (Article 6(1)(c) of the GDPR in relation to the provisions of the Labour Code);
  • To conduct the recruitment process in the scope of data not required by law, as well as for the purposes of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) GDPR);
  • To establish or pursue potential claims or defend against such claims, the legal basis for processing data is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Data Collection Related to Contracts

In the case of data collection for purposes related to the performance of a specific contract, the Controller provides the data subject with detailed information regarding the processing of their personal data at the time of concluding the contract.

Other Data Collection Cases

In connection with the Administrator’s activities, the Administrator may collect personal data in the framework of e.g. business meetings, industry events, through the exchange of business cards – for the purposes of initiating and maintaining business relations. The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) GDPR) consisting of creating a network of contacts in connection with the conducted activities. Personal data collected in the manner described above shall be processed only for the purpose for which it was collected and the Administrator shall ensure its protection.

Data security

The Administrator applies organizational and technical solutions to ensure an appropriate level of protection and security for the processed data, including granting access to personal data only to authorized individuals and only to the extent necessary for the tasks they perform, as well as recording the operations performed on personal data. The Administrator also takes necessary actions to ensure that cooperating entities provide guarantees of applying appropriate security measures whenever they process personal data on behalf and at the request of the Administrator. In the event of identifying new threats, the Administrator takes appropriate actions to enhance the security of the processed data.

Cookies

The Administrator uses cookies as part of the website. Cookies are small files sent by a website and stored in the user’s browser. Cookies are used to track website traffic and facilitate the proper functioning of the website. They help tailor the website to the requirements of visitors by remembering their preferences and behaviour on the site. The information contained in the file can be read by the server when you connect and use the site.

The use of cookies is regulated by the Telecommunications Act of 16 July 2004. In accordance with the law, the use of cookies requires the consent of those browsing our website. The consent is given by means of the software settings installed in the telecommunications end device used or the configuration of the service. Accordingly, you can withdraw your consent or modify its scope by changing the settings in your browser.
The purposes and rules for the use of cookies can be found in the Cookies Policy.

Profiling

The Administrator does not use personal data for the purpose of automated decision-making, including profiling, in such a way that such automated processing of personal data could result in any decision producing legal effects or in a similar manner significantly affecting the data subjects.

Transfer of Data Outside the EEA

The level of protection of personal data outside the European Economic Area (EEA) is not the same as that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:

  • cooperating with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
  • application of standard contractual clauses issued by the European Commission;
  • application of binding corporate rules approved by the relevant supervisory authority.

Changes to the Privacy Policy

This privacy policy is for information purposes only. In order to keep it up to date, we reserve the right to make changes at any time, in particular where such changes are required to adapt to new or changed functionalities and services of the website. With each change, a new version of the Privacy Policy will appear indicating the version and the date of issue.

Version 1.1.
Edition 2024-06-18