Personal data protection policy at Print Union Sp. z o.o.
The purpose of the Personal Data Protection Policy, hereinafter referred to as the Policy, is to introduce and maintain, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the Act on the Protection of Personal Data (Journal of Laws of 2018, item 1000), proper protection of personal data in connection with the processing of personal data at Print Union Sp. z o.o. with headquarters in Białynin, production plant 96-100 Skierniewice, ul. Łowicka 127, e-mail: firstname.lastname@example.org
This Policy applies both to personal data processed in a traditional way in books, records, lists and other files, and to personal data processed in IT systems. It applies to existing and future personal data collections. The procedures and rules set out in this document apply to all persons authorized to process personal data, both employees and others, e.g. volunteers, apprentices and trainees. The personal data processing area at Print Union Sp. z o.o. comprises the buildings and/or premises located at 96-100 Skierniewice, ul. Łowicka 127.
The terms used in the Personal Data Protection Policy mean:
Personal Data Administrator (PDA) Print Union Sp. z o.o.
Information Systems Administrator (ISA) - a person obliged to manage IT systems used to process personal data,
Personal data - any information relating to an identified or identifiable natural person,
Processing of personal data - collecting, recording, storing, processing, modifying, sharing and deleting personal data, especially in IT systems,
User - a person authorized to process personal data,
IT system - a system (devices, tools, programs) in which personal data are processed,
Security of the IT system - the implementation of administrative and technical measures that protect personal data against modification, destruction, unauthorized access, disclosure or acquisition, as well as against their loss,
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC,
Act on the Protection of Personal Data - the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000).
Principles of personal data processing
1.1. The Administrator processes personal data:
• in accordance with the law, fairly and transparently for the data subject ("lawfulness, fairness and transparency"),
• collecting them for specific, explicit and legitimate purposes and not further processing them in a manner inconsistent with these purposes ("purpose limitation"),
• adequately, appropriately and limited to what is necessary for the purposes for which they are processed ("data minimization"),
• correctly and, where necessary, updating the collected data ("accuracy"),
• storing them in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed ("storage limitation"),
• in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures ("integrity and confidentiality").
1.2. In order to implement these principles, the data administrator processes the data lawfully, on the basis of the grounds described in Art. 6 GDPR. It collects personal data adequately to the purposes of processing and processes them for a specified period of time. It fulfils the information obligations set out in Art. 13 GDPR or Art. 14 GDPR (when the data are collected in a way other than from the data subject) and informs data subjects of their rights, such as the right to:
• access the data,
• rectification of data,
• erasure of data (the right to be forgotten),
• data portability,
• object to processing,
• restriction of processing,
• lodge a complaint with the supervisory authority,
• object to being profiled.
The data administrator ensures data protection when using the services of external entities in the form of concluding appropriate entrustment agreements and using the services of processing entities performing obligations under the GDPR. In the event of a technical or physical incident, the data administrator ensures the ability to quickly restore the availability and access to personal data.
1.3. Confirmation of compliance with the information obligations by the data administrator are information clauses provided to the persons whose data is processed. In the case of employees, the clauses to be signed are presented to them and included in the employees' personal files.
In the case of clients and contractors, they are communicated to them at the time of concluding the contract, they are also displayed in a visible place at work.
The data administrator ensures that only persons who have been granted authorization by the PDA have access to personal data at Print Union Sp. z o.o. The authorizations define which operations the users are entitled to perform, i.e. creating, deleting, viewing and transferring data, in which systems and for how long. The data administrator keeps a record of authorized persons. Authorizations to process personal data may be granted at the request of the immediate superior of the system user.
The data administrator conducts a risk analysis in order to secure personal data adequately to the identified threats. The analysis is carried out in the event of a threat and periodically every 4 months. The analysis is carried out separately for each data set, or jointly for several sets with a similar scope of data. Where necessary, a data protection impact assessment under Art. 35 GDPR is carried out.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights or freedoms of natural persons, the administrator and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
The data administrator keeps a register of processing activities. This register includes:
a) the name, surname and contact details of the administrator,
b) the purposes of processing,
c) a description of the categories of data subjects and the categories of personal data,
d) the categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations,
e) where applicable, information on the transfer of personal data to a third country or international organization, including the name of that third country or international organization, and in the case of transfers referred to in Art. 49 sec. 1, second paragraph of the GDPR, documentation of appropriate security measures,
f) if possible, the planned dates of deletion of individual data categories,
g) where possible, a general description of the technical and organizational security measures referred to in Art. 32 sec. 1 GDPR.
The Personal Data Administrator may be / is required to appoint a data protection officer. If a data protection officer is appointed, his tasks include:
• informing the administrator, the processor and the employees who process personal data about their obligations under the provisions of the GDPR and the Personal Data Protection Act,
• monitoring compliance with the provisions of the GDPR and the Personal Data Protection Act and with the Data Protection Policy in force in the unit, including the division of duties, awareness-raising activities, training of personnel participating in processing operations and related audits,
• providing, upon request, recommendations as to the data protection impact assessment and monitoring its implementation in accordance with Art. 35 GDPR,
• cooperation with the supervisory authority, i.e. the President of the Personal Data Protection Office,
• acting as the contact point for the supervisory authority on issues relating to processing, including prior consultation, and consulting, where appropriate, on any other matter.
If a data protection officer is appointed, the appointment should be notified to the President of the Personal Data Protection Office within 14 days from the date of appointment, indicating the name, surname, e-mail address or telephone number of the officer.
The data administrator introduces a procedure for dealing with personal data breach incidents. The purpose of this procedure is to fulfil the obligation under Art. 33 GDPR. The procedure defines how incidents threatening the security of personal data are identified, how they are responded to, and how corrective actions are introduced. Each person authorized to process personal data is obliged to report the possibility of an incident or its occurrence. Such a report should be made to the immediate superior or to the data protection officer.
The following require notification:
• improper protection of electronic equipment and software against leakage, theft and loss of personal data, or disclosure of passwords to third parties,
• inadequate physical protection of premises, devices and documents,
• non-compliance with the rules of personal data protection by employees (e.g. non-compliance with the clean desk / clean screen principle, password protection, keeping rooms, wardrobes and desks closed, or sticking notes with passwords in drawers),
• traces on doors, windows and wardrobes indicating an attempted break-in,
• documentation containing personal data destroyed without the use of a shredder,
• open doors to rooms or cabinets where personal data are stored,
• the presence of outsiders in the unit,
• incorrect positioning of monitors allowing third parties to view personal data,
• taking personal data in paper or electronic form outside the unit without the authorization of the data administrator,
• failures of the server, computers, hard drives or software,
• disclosure of personal data to unauthorized persons,
• telephone attempts to obtain personal data,
• theft or loss of computers, CDs, hard drives or pen-drives containing personal data,
• e-mails urging the recipient to disclose their ID or password,
• infection of computers with a virus or other erroneous behaviour of computers,
• random events (facility fire, flooding, loss of power, loss of communication),
• breaking into the IT system or the premises,
• data or hardware theft,
• deliberate destruction of documents.
The IT administrator should also be notified. In addition, the occurrence of the incident, its effects and the corrective and remedial measures taken should be documented. If the incident results in a risk to the rights or freedoms of natural persons, the data administrator reports it to the President of the Personal Data Protection Office within 72 hours and, if required, notifies the affected persons of this fact.
The data administrator introduces in Print Union Sp. z o.o. personal data protection regulations in order to provide persons processing personal data with a full range of knowledge about the principles of personal data processing in the unit and the related obligations. Persons familiar with the Regulations are obliged to confirm that they have read this document and declare compliance with its rules. Before employment, each person should read the Regulations. The data administrator also provides training for employees in the application of provisions on the protection of personal data, and the presence of employees must be confirmed in writing.
The IT system administrator performs tasks in the field of management and ongoing supervision of the data administrator's IT system. Therefore, the IT system administrator:
• manages the IT system in which personal data are processed, using the password to access all workstations and the server from the administrator's position,
• prevents unauthorized access to the IT system in which personal data are processed,
• assigns each user an ID and password to the IT system, makes any necessary modifications to the rights, and removes user accounts in accordance with the rules set out in the instructions for managing the IT system used to process personal data,
• conducts on-site training of users in the use of computer equipment and network resources, and familiarizes them with the applicable documents,
• supervises the operation of user authentication mechanisms and the control of access to personal data,
• in the event of a breach of the security of the IT system, informs the data administrator / data protection officer about the breach and cooperates with them in removing its effects,
• keeps detailed documentation of breaches of the security of personal data processed in the IT system,
• supervises the performance of repairs, maintenance and disposal of computer devices on which personal data are stored, the making of backups, their storage and periodic checking of their continued suitability for data recovery in the event of an IT system failure,
• takes measures to ensure the reliability of the power supply to computers and other devices that affect the security of data processing, and to ensure safe data exchange in the internal network and secure teletransmission.
10.1. In the case of outsourcing the processing of personal data to external entities, the data administrator is obliged to conclude a processing agreement. The unit keeps a register of contracts for entrusting the processing of personal data.
Supervision and control over the protection of personal data is exercised by Print Union Sp. z o.o. Control activities are carried out once a quarter. A protocol is prepared from the control activities, containing a detailed description of the scope of the control and the activities performed, as well as recommendations and corrective actions. The protocol is signed by the persons performing the inspection activities.
Failure to comply with the Personal Data Protection Policy maintained by the data administrator, the assumptions of which are set out in this document, and violation of data protection procedures by employees authorized to process personal data may be treated as a serious breach of employee duties.