Privacy policy

SECURITY POLICY FOR THE PROCESSING OF PERSONAL DATA
at BizeA Limited Liability Company
based in Tomice, ul. European 4.

Introduction


Implementing the constitutional right of every person to the protection of his or her private life and the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and in order to apply technical and organizational measures ensuring protection of processed personal data appropriate to the threats and categories of data protected, in particular to protect data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the above Regulation, and change, loss, damage or destruction, the following set of procedures is introduced.


Chapter 1
General provisions


§ 1. Whenever the document mentions:
1) regulation – this means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation);
2) personal data – this means information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
3) data set – it means an ordered set of personal data available according to specific criteria, regardless of whether this set is centralized, decentralized or functionally or geographically dispersed;
4) data processing – it means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;
5) IT system – it means a set of cooperating devices, programs, information processing procedures and software tools used to process data;
6) securing data in the IT system – this means the implementation and operation of appropriate technical and organizational measures ensuring data protection against unauthorized processing;
7) data deletion – this means the destruction of personal data or their modification in such a way that it will not allow determining the identity of the data subject;
8) data controller – it means a natural or legal person, public authority, agency or other entity which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
9) consent of the data subject – means a freely given, specific, informed and unambiguous declaration of will by which the data subject, by means of a statement or a clear affirmative action, consents to the processing of personal data relating to him or her;
10) data recipients – it means a natural or legal person, public authority, agency or other entity to which personal data are disclosed, regardless of whether it is a third party. However, public authorities which may receive personal data in the framework of a specific procedure under Union or Member State law shall not be considered as recipients; the processing of these data by these public authorities must comply with the data protection rules applicable to the purposes of the processing;
11) third country – this means a country not belonging to the European Economic Area;
12) technical and organizational measures – this should be understood as technical and organizational measures necessary to ensure confidentiality, integrity and accountability of processed personal data;
13) limiting processing – this should be understood as the marking of stored personal data in order to limit their future processing;
14) profiling – this means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
15) pseudonymization – this means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
16) processor – this means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
17) personal data protection breach – this means a security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

Chapter 2
Data controller


§ 2. The data controller in particular:

  1. Taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of violation of the rights and freedoms of natural persons, it implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary.
  2. Keeps a register of processing activities. The following information is included in the register:
    • name and surname or name and contact details of the Data controller, as well as any joint controllers, and, where applicable, the representative of the Data Controller and the Data Protection Officer;
    • processing purposes,
    • description of the categories of data subjects and the categories of personal data,
    • categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations,
    • where applicable, transfer of personal data to a third country or international organization, including the name of that third country or international organization, and in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, documentation of appropriate safeguards,
    • if possible, planned dates for deleting individual categories of data,
    • if possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the Regulation.

Chapter 3
Technical and organizational measures


§ 3. In order to protect data, the data controller fulfills the requirements referred to in the regulation:

a) conducts a data protection impact assessment,
b) carries out a risk analysis in relation to the resources involved in individual processes,
c) allows only persons authorized by the data controller to process the data (Appendix No. 1),
d) concludes contracts for entrusting data processing in accordance with Annex 2,
e) has developed and implemented this security policy.

§ 4. To protect personal data, the following physical protection measures apply:

  • personal data files are stored in a room secured with an ordinary door (non-reinforced, non-fire-proof),
  • personal data files are stored in rooms located on the 1st and 2nd floors,
  • the building where the data controller is based is equipped with an anti-burglary alarm system,
  • access to the rooms where personal data files are processed is covered by an access control system; keys are issued at the reception only to authorized persons,
  • access to the building where the data controller is based is controlled by a monitoring system using industrial cameras,
  • the building where the data controller is based is supervised 24 hours a day by the security service,
  • personal data files in paper form are stored in a closed metal cabinet and in closed non-metal cabinets,
  • backup/archive copies of personal data files are stored in a closed, non-metal cabinet,
  • rooms where personal data files are processed are protected against the effects of fire using a fire protection system and/or a free-standing fire extinguisher,
  • documents containing personal data are destroyed mechanically using document shredders once they are no longer needed.


§ 5. In order to protect personal data, the following IT and telecommunications infrastructure hardware measures are used:

  • computers used to process personal data are connected to a local computer network,
  • UPS devices, a power generator and/or a separate power grid are used to protect the IT system used to process personal data against the effects of power failure,
  • access to the personal data set processed on a separate computer station or portable computer is protected against unauthorized access using a password,
  • access to the operating system of the computer where personal data is processed is secured by an authentication process using a user ID and password,
  • measures have been taken to prevent unauthorized copies of personal data processed using IT systems,
  • a system for registering access to the system/personal data collection is used,
  • cryptographic data protection measures are used for personal data transferred via teletransmission,
  • a disk array is used to protect personal data against the effects of disk memory failure,
  • protection measures have been taken against malicious software, such as worms, viruses, Trojan horses and rootkits,
  • a firewall system is used to protect access to the computer network,
  • an IDS/IPS system is used to protect access to the computer network.


§ 6. To protect personal data, the following protection measures are used within software tools and databases:

  • measures have been taken to determine access rights to the indicated scope of data within the processed personal data set,
  • access to data sets in the part processed in IT systems requires authentication using a user ID and password,
  • system measures are used to determine appropriate access rights to IT resources, including personal data files, for individual users of the IT system,
  • a mechanism is used to force periodic change of passwords for access to the personal data set,
  • screensavers are installed at workstations where personal data are processed,
  • a mechanism of automatic blocking of access to the IT system used to process personal data is used in the event of a long period of user inactivity (screen savers).

§ 7. The following organizational measures are used to protect personal data:
  • persons employed in data processing are familiar with the provisions on personal data protection,
  • persons employed in the processing of personal data were trained in the security of the IT system,
  • persons employed in the processing of personal data are obliged to keep them secret,
  • computer monitors on which personal data are processed are set in a way that prevents unauthorized persons from viewing the processed data,
  • backup copies of the personal data set are stored in a room other than the one where the server where personal data is processed on an ongoing basis is located,
  • the data controller has defined basic security principles applicable to all employees of the Company, namely:
    • the need-to-know principle - limiting access to data only to those necessary to perform duties in a given position,
    • principle of responsibility for resources - the processor is responsible for the data it processes and is obliged to comply with established security procedures in this respect,
    • closed room principle - not leaving other people alone in the room (in the absence of an authorized person), always locking the rooms when leaving them and not leaving keys in the locks,
    • clean desk rule - not leaving paper documents and data carriers unattended on the desk (CDs, DVDs, USB flash drives, etc.),
    • the principle of privacy of accounts in systems - each employee is obliged to work in ICT systems on accounts assigned to him, it is strictly prohibited to make accounts available to persons who have not been assigned to them,
    • the principle of confidentiality of passwords and access codes - maintaining confidentiality and not disclosing passwords and access codes to unauthorized persons, in particular this principle applies to personal passwords for access to IT systems and protected zones,
    • the principle of using business e-mail - each person authorized to process data in the performance of official duties uses only the company e-mail box, the use of private e-mail in the scope in question is prohibited,
    • clean screen rule - locking the computer before leaving the room, in case of a longer absence from the room, it is necessary to log out of the system,
    • clean desktop principle - the computer desktop should only contain icons of standard software and business applications as well as shortcuts to folders, provided that their names do not contain data, in particular personal data that may be disclosed in an uncontrolled manner (e.g. during a presentation),
    • the principle of clean printers/copiers - removing documents from printers immediately after they are printed, in particular this rule applies to documents left in printers located in another room,
    • clean bin principle - paper documents, with the exception of promotional materials, should be destroyed in shredders or by an external company,
    • the principle of legality of software - prohibition of installing software on your own, in particular storing content infringing copyrights and other illegal data on your computer,
    • principle of reporting security incidents - each data processor is obliged to report incidents related to information security, i.e. unauthorized disclosure, destruction or modification of information, in accordance with the procedure specified in Chapter 8,
    • principle of using the Company's resources - data in the possession of the data controller may only be processed using processing means approved for use in the Company, in particular it is prohibited to use private data processing means for this purpose,
    • the rule of not using names containing personal data to designate files, folders, etc.,
    • the principle of appropriate protection of the Company's hardware resources used as business equipment - portable computers, telephones, smartphones, tablets and other devices that people processing data in the Company use for business purposes should be adequately protected against access by unauthorized persons, at a minimum by a password required to activate the device.

Chapter 4
DPIA procedure
(Data Protection Impact Assessment)


§ 8. A data protection impact assessment (DPIA) is carried out for each process.
§ 9. DPIA is carried out whenever there is a significant change in the personal data processing process, e.g. change of service provider, change in the method of data processing, exchange of resources involved in the process.
§ 10. DPIA is carried out together with a risk analysis at least once a year in relation to processes which, as a result of the previous DPIA, showed a high risk to the rights and freedoms of data subjects.

Chapter 5
Risk analysis procedure and risk treatment plan


§ 11. The data controller conducts a risk analysis for the resources involved in the processes.
§ 12. Risk analysis is carried out at least once a year and constitutes the basis for updating the risk management method.
§ 13. Based on the results of the risk analysis, the data controller independently implements risk management methods.
§ 14. Each time, the data controller selects the method of dealing with risks and determines which risks will be considered first and in what order.

Chapter 6
Procedure for cooperation with external entities


§ 15. 1. Each use of the services of a processing entity is preceded by concluding an agreement to entrust the processing of personal data.
2. The data controller keeps a register of external entities entrusted with personal data for processing.
§ 16. Each time before concluding an agreement for entrusting the processing of personal data, the data controller verifies compliance with the regulation of all processing entities whose services it intends to use using the procedure of cooperation with external entities.

Chapter 7
Default data protection procedure
(taking data protection into account by design)


§ 17. Whenever a new product or service is created, the data controller takes into account the rights of data subjects at every key stage of its design and implementation. It implements appropriate technical and organizational measures to ensure that only the personal data necessary to achieve each specific processing purpose is processed by default (the amount of data collected, the scope and period of data processed and their availability).
§ 18. If the data controller intends to start processing personal data in a new process, it conducts a DPIA in relation to this process.

Chapter 8
Incident management procedure


§ 20. In each case of a personal data protection breach, the data controller verifies whether the breach resulted in a risk of violating the rights and freedoms of natural persons.
§ 21. If the data controller determines that the breach resulted in a risk of violating the rights and freedoms of natural persons, it shall immediately notify the supervisory authority, but no later than within 72 hours of identifying the breach, using the security incident management procedure.
§ 22. The data controller notifies data subjects in the event of violations resulting in a risk of violating their rights or freedoms, based on the template for notifying the data subject about the violation, unless it has applied measures to eliminate the likelihood of a high risk of such a violation occurring.
§ 23. The data controller documents violations and keeps a register of violations that result in violations of the rights and freedoms of natural persons.

Chapter 9
Procedure for realizing people's rights


§ 24. Each case of the data subject's wish to exercise the rights provided for in the regulation is considered individually by the data controller.
§ 25. The data controller shall immediately exercise the following rights of data subjects:

  • the right to access data,
  • the right to rectify data,
  • the right to delete data,
  • the right to transfer data,
  • the right to object to data processing,
  • the right not to be subject to decisions based solely on profiling.


§ 26. In the event of exercising the right to rectification, deletion and limitation of data processing, the data controller shall immediately inform the data recipients to whom he has made the data available, unless this is impossible or will require a disproportionate effort.
§ 27. The data controller refuses to exercise the rights of data subjects if such a possibility results from the provisions of the regulation, however, each refusal to exercise the rights of data subjects requires a justification specifying the legal basis arising from the regulation.

Chapter 10
Procedure for receiving consents and informing people


§ 28. 1. In each case of collecting data directly from the data subject, the data controller fulfills the information obligation towards the data subject.
2. In the case of collecting data from an employee, the information obligation template applies.
§ 29. In each case of obtaining data from sources other than the data subject, the data controller fulfills the information obligation towards the data subject immediately, but no later than at the first contact with the data subject.
§ 30. Consent clauses are used whenever consent is obtained from the data subject.

Chapter 11
Final Provisions


§ 31. All principles described in this document are followed by persons authorized to process personal data, with particular emphasis on the good of the data subjects.
§ 32. This document is valid from the date of its approval by the data controller.