Personal Data Protection Policy

Pursuant to Article 24 of Regulation 2016/679, as of 1 September 2018, the Personal Data Protection Policy is introduced.

Legal requirements:

– Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000);
– Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and technical and organizational conditions that should be met by devices and IT systems used to process personal data (Journal of Laws of 2004, No. 100, item 1024).

I. List of basic abbreviations.

Abbreviation – Description
u.o.d.o. – Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000)
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Reg. MSWIA – Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and technical and organizational conditions that should be met by devices and IT systems used to process personal data
UODO – Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ADO – Administrator of Personal Data
IOD – Data Protection Inspector
ASI – IT Systems Administrator
SI – IT System
SZBDO – Personal Data Security Management System
PODO – Personal Data Protection Policy
IZSI – IT Systems Management Instruction

II. List of basic definitions.

Whenever this Security Policy refers to:
2.1. Personal Data Administrator – this means the body, organizational unit, entity or person deciding on the purposes and means of processing personal data;
2.2. Data Protection Inspector – this means the natural person designated by the Personal Data Administrator, referred to in art. 8 of the Personal Data Protection Act;
2.3. IT System Administrator – this means the person or external entity designated by the Personal Data Administrator, responsible for the operation of teleinformatic systems and networks and for compliance with the principles and requirements of the security of teleinformatic systems and networks;
2.4. Authorized person – this means the person authorized by the Personal Data Administrator to process personal data. The User may be an employee of the company, a person performing work on the basis of a contract of mandate or other civil law contract, as well as a person doing volunteer work, an internship or an apprenticeship.
2.5. Personal data – this means any information relating to an identified or identifiable natural person. An identifiable person is a person whose identity can be determined directly or indirectly, in particular by reference to an identification number or one or more specific factors determining their physical, mental, economic, cultural or social identity;
2.6. Personal data collection – this means any structured set of personal data, accessible according to specific criteria, regardless of whether this set is dispersed or functionally divided;
2.7. Personal data processing – this means any operations performed on personal data, such as collecting, recording, storing, developing, changing, making available and deleting, and especially those performed in IT systems;
2.8. IT system – this means a set of cooperating devices, programs, information processing procedures and software tools used for data processing;
2.9. Data protection in the IT system – this means the implementation and operation of the technical and organizational measures used to protect personal data against unauthorized processing;
2.10. Information security – this means a set of principles that should be followed when designing and using systems and applications used to process information so that access to them is consistent with the assumptions in all circumstances;
2.11. Data deletion – this means the destruction of personal data or their modification in such a way that it will not be possible to determine the identity of the person to whom the data relates;
2.12. Consent of the person to whom the data relates – this means a declaration of will, the content of which is the consent to the processing of personal data of the person submitting the declaration. Consent cannot be presumed or implied from a declaration of will with a different content. Consent may be revoked at any time;
2.13. Data recipients – this means anyone to whom personal data is made available, except for:
– the data subject,
– the person authorized to process personal data,
– state bodies or local government bodies to whom the data is made available in connection with the proceedings being conducted;
2.14. Third country – this means a country belonging to the European Economic Area;
2.15. Password – this means a sequence of letters, numbers or other characters, known only to the user authorized to work in the IT system;
2.16. User identifier – this means a sequence of letters, numbers or other characters that clearly identifies the person authorized to process data in designated areas of the company’s IT system;
2.17. Data confidentiality – this means a property that ensures that data is not made available to unauthorized persons or entities;
2.18. Data integrity – this is understood as a property ensuring that personal data has not been changed or destroyed in an unauthorized manner;
2.19. Data accountability – this is understood as a property ensuring that the actions of a person or entity can be attributed unambiguously only to that person or entity;
2.20. User of the IT system – this is understood as a person authorized to process personal data in IT systems, who has been assigned a unique identifier and password;
2.21. Authentication – this is understood as the process of correctly identifying the user of the IT system to the extent that appropriate authorizations or privileges can be granted in the company’s IT system;
2.22. Incident – this is understood as a breach of personal data security in terms of confidentiality, availability and integrity;
2.23. Threat – this is understood as the potential possibility of an incident;
2.24. Corrective action – this means an action taken to eliminate the cause of an incident or other undesirable situation;
2.25. Preventive action – this means an action that should be taken to eliminate the causes of a threat or other potential undesirable situation.

III. Introduction.

The Personal Data Protection Policy specifies the rules for the processing of personal data and the methods of securing them, as a set of rights, principles and recommendations regulating the method of managing, protecting and distributing data in the company METAL-FACH Technika Grzewcza Sp. z o.o. The policy contains information on the recognition of personal data processing processes and the introduced technical and organizational security measures ensuring the protection of processed personal data. This document complies with the applicable provisions of law, in particular with the Act of 10 May 2018 on the protection of personal data and the GDPR. Based on the conducted analysis of the risk of losing personal data, the level of risk was determined as basic.

IV. Goals of the Personal Data Protection Policy.

The purpose of the Personal Data Protection Policy is to define and implement the principles of security and protection of personal data processed in the company “METAL-FACH Technika Grzewcza Sp. z o.o.”, in particular:
4.1. ensuring compliance with legal requirements;
4.2. ensuring confidentiality, integrity and accountability of personal data processed in the company;
4.3. raising awareness of persons processing personal data;
4.4. involving persons processing the company’s personal data in their protection.

V. Data Protection Inspector (DPO)

5.1. The Personal Data Administrator appoints the Data Protection Inspector. The appointment is made on the basis of a written appointment (the appointment template is attached as Annex Z1-PODO to this PODO).
5.2. The Personal Data Administrator may appoint deputies of the Data Protection Inspector.
5.3. The Personal Data Administrator grants the Data Protection Inspector a power of attorney to grant authorization to process personal data.
5.4. The role of the Data Protection Inspector is to supervise compliance with the principles and applied technical and organizational measures ensuring the protection of processed personal data in the company “METAL-FACH Technika Grzewcza Sp. z o.o.”.
5.5. The tasks of the Data Protection Inspector include:
a) informing the administrator, the processor and employees who process personal data about the obligations incumbent on them under the GDPR and other provisions of the Union or Member States on data protection, and advising them on this matter;

b) monitoring compliance with the GDPR (Regulation 2016/679 of the European Parliament and of the Council), other EU or Member State data protection provisions and the policies of the controller or processor in the field of personal data protection, including the allocation of responsibilities, awareness-raising activities, training of staff involved in processing operations and related audits;

c) providing, upon request, recommendations on the data protection impact assessment and monitoring its implementation in accordance with Article 35 of the GDPR;

d) cooperating with the supervisory authority;

e) acting as a contact point for the supervisory authority on matters relating to processing, including the prior consultations referred to in Article 36 of the GDPR and, where appropriate, conducting consultations on any other matters.

In addition, the task of the DPO is to keep a register of personal data processing activities, as well as a register of data entrustment agreements.

5.6. The DPO may entrust the DPO with other duties that do not affect the proper performance of the tasks specified in points 4-5.

VI. Persons authorized to process personal data.

6.1. The duties of persons authorized to process personal data include:
– familiarizing themselves with the legal provisions on the protection of personal data and the provisions of the Personal Data Protection Policy and the Information Systems Management Instructions;
– following the recommendations of the Data Protection Officer;
– processing personal data only to the extent determined individually by the Data Protection Officer in a written authorization and only for the purpose of performing the imposed official duties;
– immediately informing the Data Protection Officer of any irregularities concerning the security of personal data processed in the company;
– protecting personal data and means used to process personal data against unauthorized access, disclosure, modification, destruction or distortion;
– using the company’s IT systems in a manner consistent with the instructions contained in the operating instructions for devices included in the IT systems;
– indefinitely maintaining the confidentiality of personal data and the methods of securing them;
– exercising special diligence during the performance of personal data processing operations in order to protect the interests of the data subjects.

VII. Basic principles of personal data protection.

7.1. All personal data in the company must be processed in accordance with applicable legal regulations.

7.2. In relation to persons whose personal data is processed, the information obligation arising from the provisions of the Personal Data Protection Act must be fulfilled.

7.3. Collected personal data must be processed for specified and lawful purposes and not subject to further processing incompatible with these purposes.

7.4. It must be ensured that the processing of personal data takes place in accordance with the principles of substantive correctness and adequately to the purposes for which they were collected.

7.5. Personal data in the company may be processed no longer than necessary to achieve the purpose of their processing.

7.6. The confidentiality, integrity and accountability of personal data processed in the company must be ensured.

7.7. Processed personal data may not be made available without the consent of the data subjects, unless such data is made available to the data subjects, persons authorized to process personal data, entities to which the data was transferred on the basis of an entrustment agreement and state bodies or local government bodies in connection with the proceedings conducted.

7.8. Personal data may be processed in the company both in IT systems and in traditional form: files, indexes, books, lists and other record collections.

7.9. In the scope of personal data processed in systems other than IT systems, the previous provisions on professional secrecy, circulation and protection of professional documents continue to apply.

7.10. All persons whose data is processed have the right to the protection of data concerning them, to control the processing of such data and to update, delete it as well as to obtain all information about their rights.

VIII. Authorization to process personal data.

8.1. Only persons who have authorization to process personal data (the authorization form is attached as appendix Z2-PODO) issued by the Personal Data Administrator or the Data Protection Inspector and have submitted an appropriate declaration regarding the proper implementation of the provisions of the Personal Data Protection Act (the declaration form is attached as appendix Z3-PODO) may be permitted to process personal data and to handle computer files containing such data.
8.2. The IOD, on behalf of the ADO, keeps a register of persons authorized to process personal data (the register form is attached as appendix Z4-PODO).

IX. Entrustment of personal data processing.

9.1 The Personal Data Administrator may commission another entity to process personal data in order to perform a specific task.
9.2 In the event that the processing of personal data is entrusted to an external entity, the personal data processing entrustment agreement shall primarily specify the purpose and scope of personal data processing. The list of concluded entrustment agreements shall be kept by the IOD.

X. Sharing of Personal Information.

Sharing personal data within the company is permitted on the basis of one of the legal bases specified in the Personal Data Protection Act or on the basis of the provisions of other acts. The IOD keeps records of sharing personal data with institutions and persons outside the company (a template of the records is attached as Annex Z5-PODO).

XI. Transfer of personal data outside Poland.

11.1. The Personal Data Administrator may transfer personal data to:
– countries of the European Economic Area;
– other countries (third countries).

11.2. Transfers of personal data within the EEA are treated as if they were processed in Poland.

11.3. In the case of transferring personal data to a third country, one of the following conditions must be met:
– the target country guarantees, on its territory, a level of personal data protection at least equivalent to that in force on the territory of the Republic of Poland;
– when the transfer of personal data results from an obligation imposed by law or the provisions of a ratified international agreement;
– the Personal Data Protection Office consents to the transfer of personal data.

XII. List of buildings, rooms or parts of rooms constituting the area in which personal data are processed.

The IOD is responsible for maintaining and storing documentation containing a list of buildings, rooms or parts of rooms that constitute the area in which personal data is processed, both in paper and electronic form. The current list of areas of personal data processing is included in Annex Z6-PODO.

XIII. List of personal data sets together with an indication of the programs used to process these data.

The IOD is responsible for maintaining and storing documentation containing a list of all personal data sets together with an indication of the programs used to process these data. The current list of personal data sets is included in Annex Z7-PODO.

XIV. Description of the structure of personal data sets.

The IOD is responsible for maintaining and storing documentation containing a description of the structure of personal data sets processed in the company. The current description of the structure of personal data sets is included in Annex Z8-PODO.

XV. Description of how data flows between individual systems.

The IOD is responsible for maintaining and storing documentation containing a description of the method of data flow between individual systems. The current description of the method of data flow is included in Annex Z9-PODO.

XVI. Defining the technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of the processed data.

The IOD is responsible for maintaining and storing documentation containing specific technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of the processed data. The current description of the technical and organizational measures used is included in Annex Z10-PODO.

XVII. Criminal and public order regulations.

Criminal and public order provisions are laid down in:
– Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000) – Articles 102-108;
– Act of 6 June 1997 – the Penal Code (Journal of Laws of 1997, No. 88, item 553, as amended) – Article 266;
– Act of 26 June 1974 – the Labor Code (Journal of Laws of 1998, No. 21, item 94, as amended) – Article 52 and Article 108.

XVIII. Final provisions.

In matters not regulated in this Personal Data Protection Policy, the provisions of the Act of 10 May 2018 on the protection of personal data (consolidated text: Journal of Laws of 2018, item 1000) and the implementing provisions of this Act shall apply. The procedure to be followed in the event of a breach of personal data security is specified in the procedure, constituting Annex No. 12 to the PODO, and such a fact is recorded in the register of incidents and events, constituting Annex No. 11 to the PODO.

XIX. Attachments.

19.1. Z1-PODO – Appointment to the position of Data Protection Inspector;
19.2. Z2-PODO – Authorization to process personal data;
19.3. Z3-PODO – Declaration regarding proper implementation of the provisions of the Personal Data Protection Act;
19.4. Z4-PODO – Register of persons authorized to process personal data;
19.5. Z5-PODO – Register of sharing personal data;
19.6. Z6-PODO – List of buildings, rooms or parts of rooms that form the area in which personal data are processed;
19.7. Z7-PODO – List of personal data sets together with a description of the programs used to process such data;
19.8. Z8-PODO – Description of the structure of personal data sets;
19.9. Z9-PODO – Description of the method of data flow between individual systems;
19.10. Z10-PODO – Description of technical and organizational measures used;
19.11. Z11-PODO – Register of incidents and events.
19.12. Z12-PODO – Procedure in the event of a breach of Personal Data security.
