This document entitled “Policy for the protection of personal data security” (hereinafter referred to as the Policy) is intended to provide a map of the requirements, rules and regulations for the protection of personal data in Skalium Spółka z ograniczoną odpowiedzialnością Sp. K. with registered office in Bydgoszcz (hereinafter the Company). This Policy is a personal data protection policy within the meaning of the GDPR and has been developed on the basis of:
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of EU L 119, p. 1);
b) the Act of 10 May 2018 on the protection of personal data (Official Journal of 2018, item 1000).
The purpose of the Personal Data Processing Security Policy, hereinafter referred to as the “Security Policy”, is to obtain an optimal and lawful way of processing information containing personal data.
2. The Policy includes:
a) description of the data protection principles in force in the Company;
b) references to detailed attachments (model procedures or instructions regarding individual areas in the field of personal data protection requiring clarification in separate documents);
3. The Company’s Management Board is responsible for the implementation and maintenance of this Policy, and within the Management Board:
(i) the President of the Management Board, who has been entrusted with supervision over the area of personal data protection;
(ii) a person appointed by the Management Board to ensure compliance with the protection of personal data.
The following are responsible for supervision and monitoring of compliance with the Policy:
(iii) the Data Protection Officer.
The following are responsible for applying this Policy:
(v) the organizational unit responsible for the area of information security;
(vi) organizational units processing personal data;
(vii) all members of the Company’s staff.
The Company should also ensure compliance of the Company’s contracting parties with this Policy to the relevant extent when personal data are provided to them by the Company.
4. Abbreviations and definitions:
– Policy means this Policy for the protection of personal data, unless the context explicitly states otherwise.
– GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal EU L 119, p. 1).
– Data means personal data, unless the context clearly indicates otherwise.
– Sensitive data means special data and criminal data.
– Special data means the data listed in Art. 9(1) GDPR, i.e. personal data revealing racial or ethnic origin, political views, religion or beliefs, trade union membership, genetic or biometric data used to uniquely identify a natural person, or data on health, sexuality or sexual orientation.
– Criminal data means the data listed in Art. 10 GDPR, i.e. data on convictions and violations of the law.
– Children’s data means the data of persons under 16 years of age.
– Person means the data subject, unless the context clearly indicates otherwise.
– Processing entity means the organization or person entrusted with the processing of personal data by the Company (e.g. an external accounting firm).
– Profiling means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyse or forecast aspects of that person’s work performance, economic situation, health, personal preferences, interests, credibility, behaviour, location or movement.
– Data export means the transfer of data to a third country or an international organization.
– DPO or Officer means the Data Protection Officer.
– RPDPA or Register means the Register of Personal Data Processing Activities.
– Company means Skalium Spółka z ograniczoną odpowiedzialnością Sp. K. with registered seat in Bydgoszcz.
5. Protection of personal data in the Company – general principles
5.1. The pillars of personal data protection in the Company:
(1) Legality – the Company cares for the protection of privacy and processes data in accordance with the law.
(2) Security – The Company ensures an adequate level of data security by undertaking continuous activities in this area.
(3) Individuals’ Rights – the Company enables data subjects to exercise their rights and gives effect to these rights.
(4) Accountability – the Company documents how it fulfils its obligations in order to be able to demonstrate compliance at any time.
5.2. Principles of data protection
The Company processes personal data in accordance with the following principles:
(1) based on a legal basis and in accordance with the law (legalism);
(2) honestly and earnestly (reliability);
(3) in a transparent manner for the data subject (transparency);
(4) for specific purposes and not “just in case” (minimization);
(5) not more than necessary (adequacy);
(6) with care for the correctness of data (correctness);
(7) no longer than necessary (temporality);
(8) ensuring adequate data security (security).
5.3. The personal data protection system
The personal data protection system in the Company consists of the following elements:
1) Inventory of data.
The Company identifies personal data resources in the Company, data classes, relationships between data resources, identifies ways of using data (inventory), including:
a) cases of special data processing (sensitive data);
b) cases of processing data of persons whom the Company does not identify (unidentified data / UFOs);
The Company develops, conducts and maintains a Register of Personal Data Activities in the Company (Register) and a Register of Categories of Personal Data Processing Activities. The Register is a tool for settling compliance with data protection in the Company.
3) Legal basis.
The Company ensures, identifies and verifies the legal grounds for data processing and records them in the Register, including:
a) maintains the consent management system for data processing and remote communication,
b) maintains a catalogue and details the justification of cases when the Company processes data on the basis of the legitimate interest of the Company.
4) Handling of individual rights.
The Company fulfils its obligations to inform the persons whose data it processes and supports the exercise of their rights by fulfilling requests received in this respect, including:
a) Disclosure requirements. The Company provides persons with the required information when collecting data and in other situations, and organizes and documents the implementation of these obligations.
b) Ability to make requests. The Company verifies and ensures the possibility of effective execution of each type of request by itself and by its processing entities.
c) Handling requests. The Company provides adequate resources and procedures to ensure that persons’ requests are met within the deadlines and in the manner required by the GDPR, and are documented.
d) Notification of infringements. The Company applies procedures to determine the need to notify persons affected by an identified data breach.
The Company has principles and methods of minimization management (privacy by default), including:
a) principles of data adequacy management;
b) rules for rationing and managing access to data;
c) rules for managing the period of data storage and verification of further suitability.
The Company ensures an adequate level of data security, including:
a) performs risk analyses for data processing activities or categories thereof;
b) conducts data protection impact assessments where the risk of violating the persons’ rights and freedom is high;
c) adjusts data protection measures to the risks identified;
d) has an information security management system;
e) applies procedures to identify, evaluate and report an identified data protection breach to the Data Protection Authority – manages incidents.
The Company has rules for the selection of data processors for the Company, requirements as to the processing conditions (entrustment agreement), and rules for verifying the performance of entrustment agreements.
8) Data Export.
The Company has rules to verify that the Company does not transfer data to third countries (i.e. outside the EU, Norway, Liechtenstein, Iceland) or to international organizations, and to ensure lawful conditions for such transfers, if any.
9) Privacy by design.
The Company manages changes that affect privacy. For this purpose, the procedures for launching new projects and investments in the Company take into account the need to assess the impact of the change on data protection, ensuring privacy (including compliance of processing purposes, data security and minimization) already at the stage of designing the change or investment, or at the beginning of a new project.
6.1. Sensitive data
The Company identifies cases in which it processes or may process sensitive data (special data and criminal data) and maintains dedicated mechanisms to ensure the lawfulness of processing sensitive data. Where cases of processing sensitive data are identified, the Company proceeds in accordance with the principles adopted in this respect.
6.2. Unidentified data
The Company identifies cases in which it processes or may process unidentified data and maintains mechanisms to facilitate the exercise of the rights of persons to whom unidentified data relate.
The Company identifies cases in which it profiles the processed data and maintains mechanisms ensuring compliance of this process with the law. If profiling and automated decision making are identified, the Company will follow the adopted principles in this respect.
7. Register of Data Processing Activities
7.1. RDPA is a form of documenting data processing activities, acts as a data processing map and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based, i.e. the principle of accountability.
7.2. The Company maintains a Register of Data Processing Activities and a Register of Categories of Personal Data Processing Activities in which it catalogues and monitors the manner in which it uses personal data.
7.3. The register is one of the basic tools enabling the Company to settle most data protection obligations.
7.4. In the Register, for each data processing activity that the Company has recognized as separate for the purposes of the Register, the Company shall record at least:
(i) the name of the activity,
(ii) the purpose of processing,
(iii) description of the categories of persons,
(iv) description of the categories of data,
(v) the legal basis for processing, together with a specification of the category of legitimate interest of the Company, if the basis is a legitimate interest,
(vi) method of data collection,
(vii) description of the categories of data recipients (including processors),
(viii) information on transfers outside the EU / EEA,
(ix) a general description of the technical and organizational data protection measures.
7.5. The template of the Register is attached as Annex 1 to the Policy – “Template for the Register of Data Processing Activities”. The Register template also contains optional columns. In optional columns, the Company registers information as necessary and possible, taking into account that a fuller Register makes it easier to manage and settle data protection compliance.
8. Basics of processing
8.1. The Company documents in the Register the legal grounds for data processing for individual processing activities.
8.2. When indicating the general legal basis (consent, contract, legal obligation, vital interests, public task / public authority, legitimate purpose of the Company), the Company specifies the basis in a legible manner where needed, e.g. for consent by indicating its scope; where the basis is law, by indicating the specific provision and other documents, e.g. a contract or administrative agreement; for vital interests, by indicating the categories of events in which they will materialize; for a legitimate purpose, by indicating the specific purpose, e.g. own marketing or redress of claims.
8.3. The Company implements consent management methods enabling registration and verification of a person’s consent to the processing of specific data for a specific purpose, consent to distance communication (email, telephone, SMS, etc.) and registration of refusal of consent, withdrawal of consent and similar activities (objection, restriction etc.).
8.4. The head of an organizational unit of the Company is required to know the legal basis on which the unit he/she directs performs specific personal data processing activities. If the basis is the legitimate interest of the Company, the unit manager is required to know the specific interest of the Company in the processing.
9. Method of handling individual rights and information obligations
9.1. The Company cares about the readability and style of the information provided and of communication with the persons whose data it processes.
9.2. The Company makes it easier for individuals to exercise their rights through various activities, including: placing on the Company’s website information or references (links) to information about the rights of persons and how to exercise them in the Company, including identification requirements, methods of contacting the Company for this purpose, etc.
9.3. The Company ensures compliance with legal deadlines for fulfilling its obligations towards persons.
9.4. The Company introduces adequate methods of identification and authentication of persons for the purposes of exercising individual rights and information obligations.
9.5. In order to exercise the rights of an individual, the Company provides procedures and mechanisms to identify the data of specific persons processed by the Company, integrate these data, introduce changes to them and delete them in an integrated manner.
9.6. The Company documents handling of information obligations, notifications and requests of persons.
10. Duties to inform.
10.1. The Company defines lawful and effective ways of performing disclosure obligations.
10.2. The Company informs the person about the extension of the deadline to consider the person’s request for more than one month.
10.3. The Company informs the person about the processing of its data when obtaining data from that person.
10.4. The Company informs a person about the processing of his/her data when obtaining data about that person indirectly, i.e. not from that person.
10.5. The Company defines the manner of informing people about the processing of unidentified data wherever possible (e.g. a sign indicating the area covered by video monitoring).
10.6. The Company informs the person about the planned change in the purpose of data processing.
10.7. The Company informs the person before waiving the processing restrictions.
10.8. The Company informs data recipients about the rectification, deletion or limitation of data processing (unless it requires disproportionate effort or is impossible).
10.9. The Company informs the person about the right to object to data processing at the latest on the first contact with that person.
10.10. The Company, without undue delay, notifies the person of a breach of personal data protection if it may cause a high risk of violating rights or freedom of the person.
11. People’s requests
11.1. Third Party Rights.
When giving effect to the rights of data subjects, the Company introduces procedural guarantees to protect the rights and freedoms of third parties. In particular, if the Company receives reliable information that fulfilling a person’s request for a copy of the data or the right to transfer data may adversely affect the rights and freedoms of others (e.g. data protection rights of other persons, intellectual property rights, trade secrets, personal rights, etc.), the Company may ask the person to clarify doubts or take other legal steps, including refusing to satisfy the request.
11.2. Not processing.
The Company informs the person that it does not process data concerning the person if the person has made a request regarding his/her rights.
The Company informs the person, within one month of receiving the request, of the refusal to consider the request and of the rights of the person related thereto.
11.4. Access to the data.
At the request of a person regarding access to his/her data, the Company informs the person whether it processes his/her data and informs the person about the details of the processing, in accordance with art. 15 GDPR (the scope corresponds to the information obligation when collecting data), and also grants the person access to data concerning him/her. Access to the data may be made by issuing a copy of the data, with the proviso that the Company will not consider the copy of the data issued in the exercise of the right of access to data as the first free copy of the data for the purposes of fees for copies of the data.
11.5. Data copies.
Upon request, the Company issues a copy of the data concerning the person and notes the fact of issuing the first copy of the data. The Company introduces and maintains a price list of data copies, according to which it charges fees for subsequent copies of data. The price of a copy of the data is calculated based on the estimated unit cost of handling the request for a copy of the data.
11.6. Data correction.
The Company corrects incorrect data at the request of a person. The Company has the right to refuse rectification unless the person reasonably demonstrates the inaccuracy of the data he/she requests to be rectified. If the data is corrected, the Company informs the person about the recipients of the data, at the request of that person.
11.7. Data complement.
The Company complements and updates the data at the request of a person. The Company has the right to refuse to complement data if doing so would be inconsistent with the purposes of data processing (e.g. the Company does not have to process data that is unnecessary for the Company). The Company may rely on a statement by the person regarding the supplemented data, unless this is insufficient in the light of the procedures adopted by the Company (e.g. regarding the acquisition of such data) or the law, or there are grounds to consider the statement unreliable.
11.8. Data deletion.
At the request of a person, the Company erases data when:
(1) the data is not necessary for the purposes for which it was collected or processed for other purposes,
(2) consent to their processing has been withdrawn, and there is no other legal basis for processing,
(3) the person has effectively objected to the processing of this data,
(4) data was processed unlawfully,
(5) the need to remove results from a legal obligation,
(6) the request relates to a child’s data collected on the basis of consent for the provision of information society services offered directly to the child (e.g. the child’s profile on a social network, participation in a competition on the website).
The Company defines the manner of handling the right to delete data in such a way as to ensure the effective implementation of this right while respecting all data protection principles, including security, as well as verifying that none of the exceptions referred to in Art. 17(3) GDPR apply. If the data subject to deletion has been made public by the Company, the Company takes reasonable steps, including technical measures, to inform other controllers processing this personal data about the need to delete the data and access to it. In the event of deletion of data, the Company informs the person about the recipients of the data, at the request of that person.
11.9. Restriction of processing.
The Company limits the processing of data at the request of a person when:
a) a person questions the correctness of data – for a period that allows checking their correctness,
b) the processing is unlawful and the data subject opposes the deletion of personal data, demanding instead a restriction on their use,
c) The Company no longer needs personal data, but it is needed by the data subject to determine, pursue or defend claims,
d) the person has objected to the processing for reasons related to his/her particular situation – until it is determined whether the Company has legally justified grounds overriding the grounds for the objection.
During the restriction of processing, the Company stores the data but does not otherwise process them (does not use or transfer them) without the consent of the data subject, except to establish, assert or defend claims, to protect the rights of another natural or legal person, or for important reasons of public interest. The Company informs the person before lifting the processing restriction. If the processing of data is restricted, the Company informs the person about the recipients of the data, at the request of that person.
11.10. Data transfer.
At the request of a person, the Company issues in a structured, commonly used, machine-readable format, or transfers to another entity if possible, the data on that person which the person provided to the Company and which is processed on the basis of the person’s consent or for the purpose of concluding or performing a contract with the person, in the Company’s IT systems.
11.11. Opposition in a special situation.
If a person raises an objection motivated by his/her particular situation to the processing of his/her data, and the data is processed by the Company based on the legitimate interest of the Company or on a task entrusted to the Company in the public interest, the Company will take the objection into account, unless there are valid legally justified grounds for the processing on the part of the Company, overriding the interests, rights and freedoms of the person raising the objection, or grounds for establishing, pursuing or defending claims.
11.12. Objection to direct marketing.
If a person objects to the processing of his/her data by the Company for the purposes of direct marketing (including possibly profiling), the Company will accept the objection and stop such processing.
11.13. Right to human intervention in automatic processing.
If the Company processes data automatically, including in particular by profiling persons, and as a consequence makes decisions towards the person that produce legal effects or otherwise significantly affect the person, the Company provides the opportunity to appeal for human intervention and a decision on the part of the Company, unless such automated decision:
(i) is necessary for the conclusion or performance of a contract between the appellant and the Company;
(ii) is expressly permitted by law; or
(iii) is based on the explicit consent of the appellant.
The Company ensures minimization of data processing in terms of:
(i) the adequacy of the data for the purposes (amount of data and scope of processing),
(ii) access to data,
(iii) time of data storage.
12.1. Range minimization
The Company has verified the scope of the data obtained, the scope of their processing and the amount of data processed in terms of their adequacy for the purposes of processing as part of the implementation of the GDPR. The Company periodically reviews the amount of data processed and the scope of its processing, at least once a year. The Company verifies changes regarding the amount and scope of data processing as part of change management procedures (privacy by design).
12.2. Minimizing of access
The Company applies restrictions on access to personal data: legal (confidentiality obligations, scopes of authorizations), physical (access zones, closing rooms) and logical (restrictions on the rights to personal data processing systems and network resources in which personal data reside). The Company applies physical access control. The Company updates access rights when there are changes in the composition of staff and changes in the roles of persons, as well as changes in processing entities. The Company periodically reviews established system users and updates them at least once a year. Detailed rules for controlling physical and logical access are contained in the physical security and information security procedures of the Company.
12.3. Time minimization
The Company implements mechanisms for controlling the life cycle of personal data in the Company, including verification of the further usefulness of data in relation to the dates and control points indicated in the Register. Data whose period of usefulness has ended are removed from the Company’s production systems, as well as from auxiliary and main files. Such data may be archived and may remain in backup systems and in other information processed by the Company. The procedures for archiving and using archives, and for creating and using backups, take into account the requirements of data life cycle control, including data removal requirements.
The Company provides a degree of security corresponding to the risk of violation of the rights and freedoms of natural persons as a result of the processing of personal data by the Company.
13.1. Risk analysis and adequacy of security measures
The Company carries out and documents the analysis of the adequacy of personal data security measures.
For this purpose:
(1) The Company provides an appropriate level of knowledge about information security, cyber security and business continuity – internally or with the support of specialized entities.
(2) The Company categorizes the data and processing activities in terms of the risk they present.
(3) The Company carries out analyses of the risk of violation of the rights or freedoms of natural persons for data processing activities or categories thereof. The Company analyses possible situations and scenarios of personal data breach, taking into account the nature, scope, context and purposes of processing, and the risk of violation of the rights or freedoms of natural persons with different probabilities and severity of threat.
(4) The Company determines the possible organizational and technical security measures and assesses the cost of implementing them. In doing so, the Company assesses the usefulness of, and applies, such measures and approaches as:
(ii) personal data encryption,
(iii) other cyber security measures making up the ability to continuously ensure the confidentiality, integrity, availability and resilience of systems and processing services,
(iv) measures to ensure business continuity and prevent the effects of disasters, i.e. the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident.
13.2. Impact assessments for data protection
The Company assesses the effects of planned processing operations on the protection of personal data where, according to the risk analysis, the risk of violating the rights and freedoms of persons is high. The Company applies the impact assessment methodology adopted in the Company.
13.3. Security measures
The Company applies security measures established as part of risk analysis and adequacy of security measures and impact assessment for data protection. Personal data security measures are part of the information security measures and ensuring cyber security in the Company and are further described in the procedures adopted by the Company for these areas.
13.4. Reporting violations
The Company applies procedures to identify, evaluate and report an identified data breach to the Data Protection Authority within 72 hours of establishing the breach.
14. DATA PROCESSORS
The Company has rules for the selection and verification of data processors acting on behalf of the Company, designed to ensure that processors give sufficient guarantees of the implementation of appropriate organizational and technical measures to ensure security, the exercise of individual rights and the other data protection obligations incumbent on the Company. The Company has adopted minimum requirements for the contract for entrusting data processing, constituting Annex 2 to the Policy – “Model contract for entrusting data processing”. The Company holds processors accountable for the use of sub-processors, as well as for the other requirements arising from the rules for entrusting personal data.
15. DATA EXPORT
The Company registers in the Register data export cases, i.e. data transfers outside the European Economic Area (EEA in 2017 = European Union, Iceland, Liechtenstein and Norway). To avoid the situation of unauthorized data export, in particular in connection with the use of publicly available cloud services (shadow IT), the Company periodically verifies the users’ behaviour and, if possible, provides equivalent solutions compliant with the law.
16. PRIVACY BY DESIGN
The Company manages changes affecting privacy in such a way as to ensure adequate security of personal data and minimization of its processing. For this purpose, the Company’s principles of project and investment management refer to the principles of personal data security and minimization, requiring an assessment of the impact on privacy and data protection, and building security and minimization of data processing into the design from the beginning of the project or investment.
17. FINAL PROVISIONS
Each user, before being allowed to work with an IT system processing personal data or personal data files in a paper version, should be trained in the protection of personal data in electronic and paper files. The Personal Data Inspector is responsible for conducting the training. The person processing personal data makes a statement including a commitment to comply with the principles of personal data protection.