Personal Data Protection Policy
at the company
Przedsiębiorstwo Wielobranżowe “AUTOS”
Spółka z ograniczoną odpowiedzialnością
as of 25.05.2018.
Prepared by Beata Lisiak
The rules, activities, competences and responsibilities described in this Personal Data Protection Policy, hereinafter referred to as the Policy, apply to the Data Controller’s employees and associates.
Procedures and documents related to the Policy shall be verified and adjusted to ensure adequate data protection. Documentation reviews shall take place no less than once a year.
The Policy sets out the technical and organizational measures used by the Data Controller to ensure data protection, and the procedure to be followed when a breach of data security in the IT system or in paper documentation is discovered or suspected.
● The Policy defines the principles of processing and protecting personal data controlled by Przedsiębiorstwo Wielobranżowe Autos Sp. z o.o. (hereinafter referred to as “PW Autos”) to ensure that the processing complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ EU L 119, p. 1), and with the provisions of mandatory Polish law regarding the processing of personal data, i.e. the Act of 10 May 2018 on the protection of personal data (). The Policy is a set of, and the basis for, the implemented requirements, procedures and principles of personal data protection. The Policy includes:
● a description of the data protection rules in force at PW Autos;
● a set of procedures, instructions and detailed regulations regarding the processing of personal data at PW Autos in the individual areas of personal data protection, constituting annexes hereto.
For the effective implementation of the Policy, taking into account the scope, context and purposes of processing as well as the risk to the rights or freedoms of natural persons, of varying likelihood and severity, PW Autos provides:
1. implementation of appropriate technical and organizational measures to ensure that personal data processing complies with the legal requirements and that the personal data being processed are adequately protected;
2. constant monitoring of the compliance of personal data processing with the legal requirements, and continuous review and updating of the measures applied;
3. control and supervision over the processing of personal data.
1. Whenever the Policy refers to:
1) Data Controller—it means a natural or legal person, public body, unit or other entity that, alone or jointly with others, determines the purposes and means of personal data processing, i.e. Przedsiębiorstwo Wielobranżowe “AUTOS” spółka z ograniczoną odpowiedzialnością, represented by the President of the Management Board, based in Solec Kujawski, KRS 0000021284;
2) Data Protection Officer, hereinafter referred to as DPO or Officer—it means a person designated to supervise compliance with the provisions on the protection of personal data.
The appointment of the DPO is described in Annex 1 hereto.
3) IT System Administrator—it means a person responsible for the proper functioning and maintenance of the equipment and software, and for the technical and organizational service of the ICT system.
The appointment of the IT System Administrator (ISA) is described in Annex 2 hereto.
4) data file—means every structured set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized, or dispersed functionally or geographically;
5) data processing—means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying;
6) IT system—means a set of cooperating devices, programs, information processing procedures and software tools used for data processing;
7) data security—means maintaining the confidentiality, integrity and availability of information; other properties may also be taken into account, such as authenticity, accountability, non-repudiation and reliability.
The technical and organizational measures necessary to ensure confidentiality, integrity and accountability in personal data processing are set out in Annex 8 hereto.
8) data removal—means deleting personal data from IT systems, destroying personal data carriers, or modifying the data so that the identity of the data subject can no longer be determined;
9) Employees—means both persons employed under an employment relationship and natural persons cooperating on the basis of a civil law contract;
10) GDPR—means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1);
11) premises—means the buildings and rooms designated by the Data Controller, constituting the area in which personal data and other legally protected information are processed;
12) Risk management—the process of identifying, controlling and minimizing or eliminating security risks that may affect IT systems, while maintaining an acceptable level of cost;
13) Incident—a single event or a series of undesirable or unexpected events related to data protection that creates a significant probability of disrupting operations and may compromise data security;
14) Data Protection file—the set of documents, instructions and regulations that make up the personal data protection policy, collected and supervised by the Officer.
1. The Controller ensures that personal data are:
● processed lawfully, fairly and transparently in relation to the data subject;
● collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
● adequate, relevant and limited to what is necessary for the purposes for which they are processed;
● accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are immediately erased or rectified (“accuracy”);
● stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed;
● processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
2. Persons whose personal data the Data Controller processes have been informed of the processing and of their rights (e.g. the right to access, transfer, rectify and delete the data, to restrict processing, to object, and to withdraw consent).
3. Where data processing is entrusted to another party, data protection is ensured by means of data processing agreements with processors.
4. Confirmation of the lawfulness of the personal data processed in the data files is attached as Annex 3.
5. Disclosure and consent clauses can be found in Annex 9.
1. The Record Log lists the categories of personal data processing activities at PW Autos. By means of the Record Log, PW Autos documents the processing of personal data, inventories it, and monitors how personal data are used.
2. Through the Record Log, in particular by indicating the general protection measures for the personal data covered by each separate processing activity, the Company also seeks to demonstrate that personal data processing complies with the legal requirements.
3. For each processing activity, the Record Log contains:
● name of the activity;
● description of the category of data subjects;
● the purpose of processing;
● the legal basis of the processing;
● description of the categories of personal data recipients;
● categories of recipients to whom the personal data have been or will be disclosed;
● name of the Co-Controller;
● name of the Processor;
● transfers to a third country or international organization (name of the country and entity);
● in the case of a transfer referred to in Article 49(1), second subparagraph, documentation of appropriate safeguards;
● planned date of deletion of individual categories of data (where possible);
● a general description of the technical and organizational measures of personal data protection.
4. Whenever a category of personal data processing activities is updated or extended, the Company shall immediately update the Record Log so that it reflects the actual state and scope of personal data processing operations at PW Autos.
5. The provisions of paragraph 4 do not rule out including additional information in the Record Log that improves its accuracy or legibility, facilitates managing compliance of personal data protection with the legal requirements, or supports implementation of the accountability principle.
6. In the Record Log, PW Autos documents the legal grounds for data processing for particular processing activities by indicating the general legal basis for such processing, such as consent, contract, legal obligation or legitimate interest.
1. The processing of personal data is consistent with the following principles:
● Legality—PW Autos cares about the protection of privacy and processes personal data in accordance with the requirements of law;
● Security—PW Autos ensures an adequate level of security of personal data by constantly taking action in this regard;
● Rights of Individuals—PW Autos enables persons whose personal data are processed to exercise their rights and pursues these rights;
● Accountability—PW Autos ensures proper documentation of how the obligations regarding the protection of personal data are fulfilled.
1. Responsibility for the protection of personal data lies with the PW Autos Board and the employees. They are in particular responsible for following the rules hereof, reporting incidents and implementing DPO recommendations.
3. Responsibility for supervising compliance with the provisions of the Policy lies with the DPO. The DPO's duties and their allocation are described in Annex 1 hereto.
4. Responsibility for observing the rules of personal data protection and for keeping the data secret lies with the authorized users.
5. The template confidentiality statements constitute Annex 05A and Annex 05B hereto.
The Terms and Conditions, which can be found in Annex 4, are intended to provide those who process personal data with knowledge of safe processing principles.
Having become familiar with the principles of personal data protection, employees are obliged to confirm their knowledge of those principles and to declare that they apply them, using the statement in Annex 05A.
1. Before being allowed to work with personal data, every person must undergo training and become familiar with the GDPR.
2. The DPO is responsible for conducting the training.
3. In the case of internal training on the principles of personal data protection, it is advisable to document the training by means of signatures on an attendance list.
4. Training materials from the conducted training sessions can be found in the catalog.
Pursuant to Article 32 of the GDPR, the Controller regularly tests, measures and evaluates the effectiveness of the technical and organizational measures for ensuring the security of processing.
The purpose of internal audits is to assess whether the personal data protection system has been effectively implemented and operates in line with the GDPR requirements. Audits are conducted objectively and impartially, and auditors do not audit their own work.
1. The Controller is responsible for planning and conducting internal audits annually.
2. The auditor develops the audit program, taking into account the importance of the processing and of the audited areas as well as the results of previous audits. The program defines the audit criteria, purpose, scope and, where applicable, methods.
3. The Controller appoints an auditor to conduct the audit.
4. The auditor is obliged to prepare for the audit by studying the description of the area to be audited, the procedures in use and the results of previous audits.
5. The auditor performs audit activities aimed at obtaining objective evidence confirming the correctness of the tasks, procedures, policies, safeguards and objectives, and their compliance with the GDPR requirements.
6. Where shortcomings are found that affect the effectiveness of the data protection system under the GDPR, the auditor records them as shortcomings or observations.
7. The auditor documents the audit result and forwards it to the Controller.
8. In the case of serious shortcomings, the Controller reviews and analyzes the audit result and decides whether to initiate corrective actions.
10. LIST OF SECURITY MEASURES
1. The Controller maintains a list of the security measures it uses to protect personal data; see Annex 8. The list indicates the applicable procedural safeguards and technical security measures.
2. The list is updated after each risk analysis.
11. AGREEMENTS AND CONTRACTS WITH OUTSIDE PARTIES
In the case of contracts with outside companies that affect the functioning of key elements of the personal data protection system, it is recommended to conclude a data processing agreement specifying the following elements:
1.object of processing,
2.duration of processing,
3.nature and purpose of the processing,
4.type of personal data,
5.category of data subjects,
6.Controller’s rights and responsibilities,
7.responsibilities of the Processor.
Furthermore, the contract or other legal instrument shall provide, in particular, that the Processor:
1) processes the personal data only on the Controller's documented instructions;
2) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy;
3) implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the rights or freedoms of individuals (such measures may include, for instance, pseudonymization and encryption of personal data; ensuring the confidentiality, integrity, availability and resilience of processing systems and services; restoring data availability after a physical or technical incident; and regular testing and assessment of the effectiveness of those measures);
4) assists the Controller in fulfilling the obligation to respond to data subjects' requests to exercise their rights set out in Chapter III of the Regulation (i.e. the rights to information, rectification and objection);
5) assists the Controller in securing the data, reporting breaches to the supervisory body, and notifying data subjects of personal data breaches;
6) after the completion of the services, at the Controller's choice, deletes or returns all personal data and deletes all existing copies thereof;
7) allows and contributes to audits.
The template data processing agreement is kept in the catalog.
1. Every employee is obliged to comply with the provisions of this Policy and the provisions of other parts of the information protection documentation as well as the security instructions received from the DPO and the IT System Administrator (ISA) in the performance of their duties.
2. The DPO oversees compliance with the principles and regulations on the protection of personal data.
3. Each employee is obliged to participate in organized training sessions in the field of personal data protection.
4. Each employee is required to take immediate action to prevent incidents or to minimize their effects, as far as their capabilities and competences allow, if necessary by notifying their superiors or the Officer. If necessary, the Data Controller decides whether to report the incident to the Police.
1. Only authorized persons may be allowed to process the data.
2. The scope of authorization, scope of rights and the granting of employee access to IT systems in accordance with the employee's scope of responsibilities are determined by the direct superior.
3. On behalf of the Data Controller, authorizations to process data may be granted by a person having powers in this respect granted by the Data Controller. The template of the authorization to process data is attached as Annex 6 hereto.
4. An IT employee sets up an account for the authorized user in the system, with an adequate level of rights, based on a request from the user's direct superior submitted in the service desk system.
5. Access management is based on the principles of accountability and non-repudiation. In the case of IT systems, the following requirements apply:
1) unambiguous identification of the employee, i.e. each user works in IT systems only through their individual account; no anonymous or shared accounts are used, except where for technical reasons there is no other possibility;
2) authentication of the employee when using the IT system.
1. A breach or attempted breach of the principles of processing and protecting personal data includes, in particular but not exclusively:
a) a security breach of IT systems in which personal data are processed;
b) sharing personal data with unauthorized persons;
c) processing personal data contrary to the assumed scope and purpose of their processing;
d) unauthorized or accidental damage, loss, destruction or alteration of personal data.
2. In the event of a personal data breach, the employee who discovers it is obliged to notify the DPO immediately.
3. Having conducted the investigation and assessed whether notification of the supervisory body is warranted, in terms of the likelihood that the breach results in a risk to the rights or freedoms of individuals, the DPO either refrains from notification or prepares a proper notification and submits it to the President of the Personal Data Protection Office.
4. No more than 72 hours may elapse between detection of the breach and the notification.
5. Notifying the data subject of the breach is not required if:
a) appropriate technical and organizational protection measures have been implemented and applied to the personal data affected by the breach, rendering the data unintelligible to any unauthorized person;
b) the Company has subsequently taken measures that eliminate the high risk to the data subject's rights or freedoms; or
c) it would require a disproportionate effort; in that case a public communication or a similar measure is used to inform the data subjects in an equally effective manner.
6. Irrespective of the obligations indicated herein, the DPO documents all personal data breaches, including the circumstances of the breach, its consequences and the remedial actions taken. The template personal data breach record is attached as Annex 7.
1. The Policy is stored in paper and electronic form at the Company's registered office.
2. The Policy (without annexes) is shared with:
● interested parties, particularly natural persons who are data subjects, by posting it on the PW Autos website and in paper form at the Company's registered office.
3. In matters not covered herein, the provisions of the GDPR and the generally applicable provisions of Polish and European law shall apply accordingly.