Personal Data Protection Policy

Based on Article. 24 of the Regulation 2016/679, the Personal Data Protection Policy is introduced on 01/09/2018.

Legal requirements:

Act of 10 May 2018 on the protection of personal data (Journal of Laws 018, item 1000). Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on personal data processing documentation and technical and organizational, which should be fulfilled by devices and IT systems used to process personal data (Journal of Laws of 2004, No. 100, item 1024 ).

1. List of basic abbreviations.

SHORTCUT	DESCRIPTION
u.o.d.o.	Act of May 10, 2018 on the protection of personal data (Journal of Laws 2018, no. item 1000)
GDPR	Regulation of the European Parliament on the Council EU 2016/679 on protection of natural persons with regard to the processing of personal data and in on the free movement of such data and repealing the Directive 95/46 / EC (general regulation on the protection of personal data)
start MSWIA	Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and the technical and organizational conditions they should meet devices and information systems used for data processing personal
UODO	Office for Personal Data Protection
ADO	Personal Data Administrator
IOD	Data Protection Officer
ASI	IT Systems Administrator
SI	IT System
SZBDO	Personal Data Security Management System
PODO	Personal Data Protection Policy
IZSI	Instructions for Managing IT Systems

2. List of basic definitions
Whenever this Security Policy refers to:
2.1. Personal Data Administrator – it means a body, organizational unit, entity or person that decides about the purposes and means of processing personal data;
2.2. Data Protection Inspector – it is understood as a natural person appointed by the Personal Data Administrator, referred to in art. 8 u.o.d.o .;
2.3. IT System Administrator – it means a person or an external entity appointed by the Personal Data Administrator, responsible for the operation of ICT systems and networks and for compliance with the principles and requirements of security of systems and ICT networks;
2.4. Authorized person – it is understood as a person authorized by the Personal Data Administrator to process personal data. The user may be an employee of the company, a person performing work on the basis of a mandate contract or other civil law contract, as well as a person who is volunteering, apprenticeship or internship.
2.5. Personal data – it means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity;
2.6. Collection of personal data – it is understood as any structured set of personal data, available according to specific criteria, regardless of whether the set is dispersed or functionally divided;
2.7. Processing of personal data – it means any operations performed on personal data, such as collecting, recording, storing, developing, changing, sharing and deleting, especially those performed in IT systems;
2.8. IT system – it is understood as a set of cooperating devices, programs, information processing procedures and software tools used for data processing;
2.9. Securing data in the IT system – this is understood as the implementation and operation of the technical and organizational measures used to ensure the protection of personal data against unauthorized processing;
2.10. Information security – it is understood as a set of principles that should be followed when designing and using systems and applications for information processing so that access to them is consistent with the assumptions in all circumstances;
2.11. Deleting data – it is understood as destroying personal data or modifying them in such a way that it will not allow the identification of the data subject;
2.12. Consent of the data subject – it is understood as a declaration of will, the content of which is consent to the processing of personal data of the person who makes the declaration. Consent may not be implied or implied from a declaration of will with a different content. The consent may be revoked at any time;
2.13. Recipients of data – it means anyone to whom personal data is disclosed, with the exception of:
– the data subject,
– a person authorized to process personal data,
– state bodies or local government bodies to which the data is made available in connection with the conducted proceedings;
2.14. Third country – means a country belonging to the European Economic Area;
2.15. Password – it is understood as a string of letters, numbers or other characters known only to the user authorized to work in the IT system;
2.16. User ID – it is understood as a string of letters, numbers or other characters that uniquely identifies the person authorized to process data in designated areas of the company’s IT system;
2.17. Data confidentiality – it is understood as a property that ensures that data is not made available to unauthorized persons or entities;
2.18. Data integrity – it is understood as a property that ensures that personal data has not been altered or destroyed in an unauthorized way;
2.19. Data accountability – it is understood as a property that ensures that the actions of a person or entity can be unambiguously assigned only to that person or entity;
2.20. IT system user – it is understood as a person authorized to process personal data in IT systems, who has been given a unique identifier and password;
2.21. Authentication – it is understood as the process of correct identification of the user of the IT system to the extent enabling the granting of appropriate permissions or privileges in the company’s IT system;
2.22. Incident – it is understood as a breach of the security of personal data due to confidentiality, availability and integrity;
2.23. Threat – it is understood as the potential possibility of an incident;
2.24. Corrective action – it is understood as an action carried out in order to eliminate the cause of an incident or other undesirable situation;
2.25. Preventive action – it is understood as an action that must be taken to eliminate the causes of a hazard or other potential undesirable situation.
3. Introduction.
The Personal Data Protection Policy defines the rules for the processing of personal data and the methods of their protection, as a set of rights, rules and recommendations regulating the method of their management, protection and distribution of data at Metal-Fach Technika Grzewcza Sp. z o.o. The policy contains information on the recognition of personal data processing processes and the introduced technical and organizational safeguards ensuring protection of the processed data
personal. This document complies with applicable law, in particular with the Act of May 10, 2018 on the protection of personal data and the GDPR. Based on the analysis of the risk of personal data loss, the level of risk was defined as basic.
4. Objectives of the Personal Data Protection Policy.
The purpose of the Personal Data Protection Policy is to define and implement the principles of security and protection of personal data processed in the company “Metal-Fach Technika Grzewcza Sp. z o.o.”, in particular:
4.1. ensuring compliance with legal requirements;
4.2. ensuring confidentiality, integrity and accountability of personal data processed in the company;
4.3. raising awareness of persons processing personal data;
4.4. involvement of people processing personal data of the company in their protection.
5. Data Protection Officer (DPO)
5.1. The Personal Data Administrator appoints the Data Protection Officer. The appointment takes place on the basis of a written appointment (the appointment form is provided in Annex Z1-PODO to this PODO).
5.2. The Personal Data Administrator may appoint deputy Data Protection Officers.
5.3. The Personal Data Administrator grants a power of attorney to the Data Protection Officer to grant authorizations to process personal data.
5.4. The role of the Data Protection Officer is to supervise compliance with the rules and applied technical and organizational measures ensuring the protection of personal data processed in the company “Metal-Fach Technika Grzewcza Sp. z o.o.”.
5.5. The tasks of the Data Protection Officer include:
(a) informing the controller, the processor and the employees who process personal data about their obligations and other Union or Member States’ data protection legislation and advising them on this matter;
b) monitoring compliance with the GDPR (Regulation 2016/679 of the European Parliament and of the Council), other EU or Member States’ data protection laws and the policies of the controller or processor in the field of personal data protection, including the division of duties, measures increasing
awareness, training of personnel involved in processing operations and related audits;
c) to provide, upon request, recommendations as to the data protection impact assessment and to monitor its performance pursuant to Art. 35 GDPR;
d) cooperating with the supervisory authority;
e) acting as a contact point for the supervisory authority in matters related to processing, including prior consultation referred to in Art. 36 GDPR and, where appropriate, consulting on any other matters.
Additionally, the DPO’s task is to keep a register of personal data processing activities, as well as a register of data entrustment agreements.
5.6. ADO may entrust the DPO with the performance of other duties that do not violate the proper performance of the tasks specified in points 4-5.
6. Persons authorized to process personal data.
6.1. The obligations of persons authorized to process personal data include:
– getting acquainted with the provisions of the law on the protection of personal data and the provisions of the Personal Data Protection Policy and Instructions for Managing IT Systems;
– compliance with the recommendations of the DPO;
– processing of personal data only to the extent individually determined by the Personal Data Administrator in a written authorization and only for the purpose of performing the imposed official duties;
– immediately informing the DPO of any irregularities regarding the security of personal data processed in the company;
– protection of personal data and the means used to process personal data against unauthorized access, disclosure, modification, destruction or distortion;
– use of the company’s IT systems in a manner consistent with the guidelines contained in the manuals for the devices included in the IT systems;
– indefinite confidentiality of personal data and ways of securing it;
– exercising special diligence during the processing of personal data in order to protect the interests of data subjects.
7. Basic principles of personal data protection.
7.1. All personal data in the company must be processed in accordance with applicable law.
7.2. In relation to persons whose personal data are processed, the information obligation resulting from the provisions of the Act on Personal Data shall be fulfilled.
7.3. The collected personal data should be processed for specified and lawful purposes and not subjected to further processing inconsistent with these purposes.
7.4. It should be ensured that the processing of personal data takes place in accordance with the principles of substantive correctness and adequately to the purposes for which they were collected.
7.5. Personal data in the company may be processed for no longer than it is necessary to achieve the purpose of their processing.
7.6. Confidentiality, integrity and accountability of personal data processed in the company must be ensured.
7.7. The processed personal data may not be made available without the consent of the data subjects, unless the data is made available to data subjects, persons authorized to process personal data, entities to whom data was provided on the basis of an entrustment agreement and state authorities or local government authorities in connection with the conducted
proceeding.
7.8. The processing of personal data in the company can take place both in IT systems and in the traditional form: files, indexes, books, lists and other record files.
7.9. With regard to personal data processed in systems other than IT, the existing regulations on professional secrecy, circulation and security of official documents still apply.
7.10. All persons whose data is processed have the right to protect their data, to control the processing of these data and to update and delete them, as well as to obtain all information about their rights.
8. Authorization to process personal data.
8.1. Only persons authorized to process personal data (the model authorization is attached as Annex Z2-PODO) issued by the Personal Data Administrator or
Data Protection Officer and submitted an appropriate statement regarding the proper implementation of the provisions of the (the template of the declaration is attached as Annex Z3-PODO).
8.2. On behalf of PDA, the DPO keeps a register of persons authorized to process personal data (the template of the register is Annex Z4-PODO).
9. Entrusting the processing of personal data.
9.1 The Personal Data Administrator may commission another entity to process personal data in order to perform a specific task.
9.2 In the event of entrusting the processing of personal data to an external entity, the contract for entrusting the processing of personal data primarily specifies the purpose and scope of personal data processing. The list of concluded entrustment agreements is kept by the DPO.
10. Sharing personal data.
Providing personal data in the company is allowed on the basis of one of the legal grounds specified in u.o.d.o. or on the basis of provisions of other laws. The DPO keeps records of sharing personal data with institutions and persons from outside the company (the template of the record is attached as Annex Z5-PODO).
11. Transferring personal data outside of Poland.
11.1. The Personal Data Administrator may transfer personal data to:
– countries of the European Economic Area;
– other countries (third countries).
11.2. The transfer of personal data within the EEA is treated as if it were processed in Poland.
11.3. In the case of transfer of personal data to a third country, one of the conditions must be met:
– the destination country guarantees the protection of personal data on its territory, at least as in force in the territory of the Republic of Poland;
– when the transfer of personal data results from an obligation imposed by law or the provisions of a ratified international agreement;
– consent of the Personal Data Protection Office (UODO) to provide personal data.
12. List of buildings, rooms or parts of rooms that make up the area in which personal data is processed.
The DPO is responsible for keeping and storing documentation containing a list of buildings, rooms or parts of rooms forming the area in which personal data are processed, both in paper and electronic form. The current list of personal data processing areas is included in Annex Z6-PODO.
13. List of personal data files with an indication of the programs used to process this data.
The DPO is responsible for keeping and storing documentation containing a list of all personal data files along with an indication of the programs used to process these data. The current list of personal data files is included in Annex Z7-PODO.
14. Description of the structure of personal data files.
The DPO is responsible for keeping and storing documentation containing a description of the structure of personal data files processed in the company. The current description of the structure of personal data files is included in Annex Z8-PODO.
15. Description of the data flow between each of them
systems.
The DPO is responsible for keeping and storing documentation containing a description of the data flow between individual systems.
The current description of the data flow method is included in Annex Z9-PODO.
16. Defining technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data.
The DPO is responsible for keeping and storing documentation containing certain technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data.
The current description of the applied technical and organizational measures is included in Annex Z10-PODO.
17. Penal and order regulations.
Penal and order regulations are regulated by:
– Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2018, item 1000) – Art. 102-108;
– the Act of 6 June 1997 Criminal Code (Journal of Laws of 1997, No. 88, item 553, as amended) – Art. 266;
– the Act of June 26, 1974, the Labor Code (Journal of Laws of 1998, No. 21, item 94, as amended) – Art. 52 and art. 108.
18. Final Provisions.
In matters not covered by this Personal Data Protection Policy, the provisions of the Act of 10 May 2018 on the protection of personal data (i.e. Journal of Laws of 2018, item 1000) and the implementing provisions to this Act shall apply.
The procedure to be followed in the event of a breach of personal data security is specified in the procedure, which is Annex 12 to the PODO, and such a fact is recorded in the incident and event register, which is Annex 11 to the PODO.
19. Attachments.
19.1. Z1-PODO – Appointment of the Data Protection Officer;
19.2. Z2-PODO – Authorization to process personal data;
19.3. Z3-PODO – Declaration regarding the proper implementation of the provisions of u.o.d.o .;
19.4. Z4-PODO – Records of persons authorized to process personal data;
19.5. Z5-PODO – Records of personal data sharing;
19.6. Z6-PODO – List of buildings, rooms or parts of rooms that make up the area in which personal data are processed;
19.7. Z7-PODO – List of personal data files with conviction of programs used to process this data;
19.8. Z8-PODO – Description of the structure of personal data files;
19.9. Z9-PODO – Description of the method of data flow between individual systems;
19.10. Z10-PODO – Description of applied technical and organizational measures;
19.11. Z11-PODO – Register of incidents and events.
19.12. Z12-PODO – Procedure to be followed in the event of a breach of Personal Data security.