This Security Policy, hereinafter referred to as the Policy, has been prepared in order to demonstrate that personal data is processed and secured in accordance with the legal requirements on the principles of data processing and securing at the Registry, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "RODO").
1. Data Administrator - PB Technik sp. z o.o., ul. Zwoleńska 27, 04-761 Warszawa.
2. Personal data - all information regarding an identified or identifiable natural person.
3. IT system - a set of devices, programs, procedures for processing information and software tools used for data processing.
4. User - a person authorized by the Data Administrator to process personal data.
5. Data set - each orderly set of personal data, available according to specific criteria.
6. Data processing - any operations performed on Personal data, such as collection, recording, storage, development, modification, sharing and removal in a traditional form and in information systems.
7. User ID - a string of letters, digits or other characters uniquely identifying a person authorized to process personal data in the IT system (User), where personal data is processed in an IT system.
8. Password - a string of letters, digits or other characters, known only to the person authorized to work in the IT system (the User), where personal data is processed in an IT system.
9. Authentication - an action whose purpose is to verify the declared identity of the User.
1. The policy applies to all Personal Data processed in PB Technik Sp. z o.o., regardless of the form of their processing (traditionally processed, record collections, IT systems) and whether data is or can be processed in data sets.
2. The policy is stored in an electronic version and in a hard copy at the Data Administrator's office.
3. The policy is made available to persons authorized to process personal data at their request, as well as to persons to whom authorization to process personal data is to be granted, in order to get acquainted with its content.
4. For effective implementation of the Policy, the Data Administrator provides:
a) organizational solutions and protection measures appropriate to the technical hazards and categories of data,
b) control and supervision over the processing of personal data,
c) monitoring of the protection used.
5. The Data Administrator's monitoring of the protection includes, among others, Users' actions, violations of data access rules, ensuring file integrity and protection against external and internal attacks.
6. The Data Administrator ensures that the activities performed in connection with the processing and protection of personal data are consistent with this policy and the applicable law.
Personal data processed by the data administrator
1. Personal data processed by the Data Administrator is collected in data files.
2. The Data Administrator does not undertake processing activities that could involve a serious probability of high risk for the rights and freedoms of persons. In the case of planning such action, the Administrator will perform the activities specified in art. 35 et seq. RODO.
3. When planning new processing activities, the Data Administrator analyzes their consequences for the protection of personal data and takes data protection into account during the project phase.
4. The Data Administrator maintains a register of processing activities.
Responsibility of the safety management
2. All personal data in PB Technik Sp. z o.o. is processed in compliance with the rules of law:
a) in any case, there is at least one of the grounds for data processing provided for by law;
b) data is processed fairly and in a transparent way;
c) personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes;
d) personal data are processed only to the extent necessary to achieve the purpose of data processing;
e) personal data is correct and updated as necessary;
f) the data retention period is limited to the period in which the data is useful for the purposes for which it was collected, and after this period the data is anonymized or deleted;
g) in relation to the data subject, the information obligation is performed in accordance with art. 13 and 14 RODO;
h) data is protected against violations.
3. The Data Administrator does not provide data subjects with information in a situation where such data must be confidential in accordance with the duty of professional secrecy (Article 14 paragraph 5 point d of the RODO).
4. The following, in particular, are deemed a breach or an attempted breach of the principles of processing and protection of Personal Data:
a) breach of security of IT systems in which personal data are processed, if processed in such systems;
b) providing or enabling access to data to unauthorized persons or entities;
c) failure, even if inadvertent, to fulfil the obligation to secure the Personal Data;
d) failure to comply with the obligation to keep Personal Data and the methods of protecting it secret;
e) processing of Personal Data not in accordance with the assumed scope and purpose of their collection;
f) causing damage, loss, uncontrolled change or unauthorized copying of Personal Data;
g) violation of the rights of persons whose data are processed.
5. In the case of discovering the circumstances of violation of the rules of personal data protection, the User is obliged to take all necessary steps to limit the consequences of the infringement and to immediately notify the Data Administrator.
6. The duties of the Data Administrator in the field of hiring, terminating or changing the terms of employment of employees or co-workers (persons undertaking activities for the benefit of the Data Administrator under other civil law contracts) include ensuring that:
a) employees are properly prepared to perform their duties,
b) each person processing personal data has been authorized in writing to process it in accordance with the "Authorization for the processing of personal data",
c) each employee has undertaken to keep the personal data processed in the company secret. The "Statement and commitment of the person processing personal data for secrecy" is part of the "Authorization to process personal data".
7. Employees are required to:
a) strictly comply with the scope of the authorization granted;
b) process and protect personal data in accordance with the rules of law;
c) keep personal data and the methods of securing it confidential;
d) report incidents related to breaches of data security and malfunctioning of the system.
Area of personal data processing
The area in which personal data is processed at PB Technik Sp. z o.o. includes the company's office space located at ul. Zwoleńska 27, 04-761 Warszawa. Additionally, the area in which Personal Data is processed includes all portable computers and other data carriers located outside the area indicated above.
Definition of technical and organizational steps necessary to ensure confidentiality, integrity and accountability of the processed data
1. The Data Administrator ensures the application of technical and organizational solutions necessary to ensure confidentiality, integrity, accountability and continuity of the processed data.
2. Applied protection solutions (technical and organizational) should be adequate to the level of risk identified for particular systems, types of collections and categories of data. Protection solutions include:
a) Restricting access to rooms in which personal data are processed only to duly authorized persons. Other people may be in rooms used for data processing only in the company of an authorized person.
b) Locking the rooms forming the area of Personal Data Processing specified in point IV above during the absence of employees, in a way that prevents access to them by unauthorized persons.
c) Use of lockers and safes to secure documents.
d) Use of a shredder to effectively destroy documents containing personal data.
e) Protection of the local network against activities initiated from the outside using a firewall.
f) Backing up data on secure servers.
g) Protection of computer hardware used by the administrator against malware.
h) Securing access to the company's devices using access passwords.
i) Use of encryption for data transmission.
Violations of the rules of personal data protection
1. In case of a breach of personal data protection, the Data Administrator assesses whether the violation could have caused a risk of violating the rights or freedoms of individuals.
2. In any situation where the violation could have caused a risk of violation of the rights or freedoms of individuals, the Data Administrator reports the fact that the data protection rules have been violated without undue delay - if feasible, no later than within 72 hours after the violation. If the risk of violation of rights and freedoms is high, the Data Administrator also notifies the data subject about the incident.
Delegation of the processing of personal data
1. The Data Administrator may delegate the processing of personal data to another entity only by way of an agreement concluded in writing, in accordance with the requirements indicated for such agreements in art. 28 RODO.
2. Before delegating the processing of personal data, the Data Administrator, as far as possible, obtains information about the previous practices of the new entity regarding the protection of personal data.
Transmission of data to a third country
1. The Personal Data Administrator will not transfer personal data to a third country, except in situations where it occurs at the request of the data subject.