In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") – the Institute of Environmental Protection - National Research Institute (hereinafter referred to as the "IOS-PIB"), acting as the administrator of personal data, provides the following information regarding the processing of personal data necessary for the administration of the polish part of the Union Registry (hereinafter referred to as the "Registry"), as mentioned in Article 3(17) of the Act of 12 June 2015 on greenhouse gases emissions trading system (Journal of Laws of 2020, items 136 and 284) (hereinafter referred to as the "ETS Law").
The administrator of the collected personal data (hereinafter referred to as the "data administrator") is the IOS-PIB, located at ul. Słowicza 32, 02-170 Warsaw, Poland, registered in the register of entrepreneurs kept by the District Court for the capital city of Warsaw, XII Economic Department of the National Court Register, under the KRS number 0000032034. The Director acts on behalf of the IOS-PIB. For correspondence related to the data administrator for the collection of data necessary for managing the Registry, the address is ul. Słowicza 32, 02-170 Warsaw, Poland.
The Data Protection Officer at the IOS-PIB can be contacted via e-mail: iodo@ios.edu.pl or via the correspondence address of the data administrator.
Personal data is processed based on Article 6(1)(c) or (e) of the GDPR, for the purpose of implementing by the IOS-PIB due diligence in identifying account holders or potential account holders in the Registry. The identification procedure for these entities is carried out within the task specified in Article 3(2)(2) of the Act of 17 July 2009 on the system for managing greenhouse gas emissions and other substances (Journal of Laws of 2020, item 1077), which involves managing the collection of accounts in the Registry.
The data is also processed for the following purposes:
Recipients of personal data are the European Commission and entities listed in Article 80(3) of Commission Delegated Regulation (EU) 2019/1122 of 12 March 2019 supplementing Directive 2003/87/EC of the European Parliament and of the Council as regards the functioning of the Union Registry (Official Journal of the European Union L 177/3 of 2 July 2019) (hereinafter referred to as the "Registry Regulation"). Subject to Article 79(2) and Article 80 of the Registry Regulation, the data administrator does not disclose information gathered in the Registry, including information about account holders, authorized representatives, or transactions conducted in the Union Registry. The data administrator provides information collected in the Registry within the scope specified in the legal provisions for the purpose of fulfilling the information obligations specified therein.
To verify the authenticity of documents and verify information submitted by legal entities and individuals applying for the opening of an account or updating data in the Union Registry, the data administrator may present obtained documents and information to national administrators mentioned in Article 3(2) of the Registry Regulation and public authorities in the country and abroad.
The data administrator processes personal data to the extent necessary to manage accounts in the Registry and provides it only upon request of the entities specified in Article 80(3) of the Registry Regulation. The data administrator may disclose personal data, in the scope of name and correspondence address, to entities providing postal or courier services.
Personal data come from the application form for entering data into the Union Registry and from documents attached to the application. The scope of collected and processed personal data includes personal data submitted based on the Registry Regulation. In the case of communication by the account holder or their authorized representatives with the IOS-PIB (e.g., via email, fax, telephone) for assistance or other matters, the data administrator will register related information, including responses provided by them. In particular, the data administrator, to ensure the security of the Union Registry, reserves the right to record telephone conversations and store their recordings.
Personal data will be stored for the period necessary to fulfil the legal obligations imposed on the data administrator, at least for a period of five years from the closure of the account in the Union Registry. Personal data is deleted from the Union Registry after five years from the closure of the account or after five years from the end of economic relations with a natural person, as mentioned in Article 3(13) of Directive (EU) 2015/849. For the purposes of investigations and prosecutions, detection and prosecution of crimes, tax administration, or law enforcement, audit, and financial supervision related to activities involving fraud, money laundering, terrorism financing, other serious crimes, or market abuses in which the account in the Union Registry could be used, or violations of EU or national regulations ensuring the functioning of the EU ETS system, the IOS-PIB may process personal data after the provision of services until the end of the period corresponding to the maximum statute of limitations for these crimes specified in national regulations.
In accordance with the provisions of Annex IV, paragraph 8, and Annex VIII, paragraph 5, of the Registry Regulation, and in order to minimize the processing of data based on Article 5(1)(c) of the GDPR, the Administrator anticipates the destruction of information from the criminal record and duplicates of identity documents after the opening of the account or the assignment of the person to the account.
The IOS-PIB makes every effort to ensure that the personal data it processes is accurate, up-to-date, and true, excluding processing for archival and historical data processing purposes, i.e., cases where the person is not an active user of the Registry.
An individual whose data is concerned has the right to access the content of their data, receive a copy of it, and have the right to correct the data (in case it is incorrect or incomplete), as well as in justified cases, request its deletion or restriction of processing (this right is limited under Article 17(3)(b), (d), and (e) of the GDPR). Submitting a request for the restriction of processing personal data by an authorized representative of the Union Registry may result in the obligation (on the part of the account holder) to promptly designate another person in place of the person requesting the restriction of processing their personal data.
An individual whose data is concerned has the right to lodge a complaint with the President of the Personal Data Protection Office if they believe that the processing of their personal data violates the provisions of the GDPR.
An individual whose data is concerned has the right to object, in accordance with Article 80(8) paragraph 3 of the Registry Regulation.
Within the processing of personal data by the IOS-PIB, there is no automated decision-making or profiling as referred to in Article 22(1) of the GDPR.
The provision of personal data results from Article 9(4) of the ETS Law. The consequence of not providing personal data will be the inability to access or the denial of access to the account in the Registry, and in exceptional cases, the refusal to open an account. The account holder is obliged to obtain authorization to provide and process personal data concerning the authorized representatives designated by them.
These confidentiality information rules may change in the event of changes in legal regulations specifying the requirements for providing information gathered in the Union Registry or regulations regarding the protection of personal data.
Publication date: 2024-05-13