Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, we inform you that:

The controller of your personal data is BIZON INT Sp. z o.o., with its registered office at: Tomice, ul. Europejska 4, 05-532 Baniocha k. Warszawy.

Based on the analyses carried out, the Data Controller is not obliged to appoint a data protection officer. The Controller processes ordinary personal data in the following categories and for the following purposes:

    • If you are an EMPLOYEE of BIZON INT Sp. z o.o., ordinary personal data are collected for the purpose of handling the employment process of BIZON INT Sp. z o.o. employees, employee matters, and archiving of employment documents.
    • If you are an EMPLOYEE OF A CONTRACTOR of BIZON INT Sp. z o.o., ordinary personal data are collected for the purpose of the quotation process, concluding contracts and orders, and performing service contracts (so-called services).
    • If you are a CONSUMER, ordinary personal data of consumers (natural persons) are collected for the purpose of fulfilling orders placed by natural persons.

    1. Personal data will be stored for a period that depends on the legal provisions applicable to the type of service provided.
    2. Your personal data will not be transferred to a third country or an international organization.
    3. Your personal data are not and will not be made available to other recipients, except where such an obligation arises from generally applicable law or where you have given your consent.
    4. You have the right to access your data and the right to rectification, erasure and restriction of processing, the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (where processing is based on consent). Requests may be submitted by post to: BIZON INT Sp. z o.o., Tomice, ul. Europejska 4, 05-532 Baniocha k. Warszawy, or by e-mail to: daneosobowebizon@bizea.com.pl
    5. You have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) if you consider that the processing of your personal data infringes the General Data Protection Regulation of 27 April 2016 (GDPR).
    6. Your data will not be subject to automated decision-making.
    7. Your data will not be subject to profiling.
    8. Further information, together with the Security Policy for Personal Data Processing, is available on our website and at the Company's registered office.


SECURITY POLICY FOR
PERSONAL DATA PROCESSING
in
BIZON INT Sp. z o.o., with its registered office at: Tomice, ul. Europejska 4, 05-532 Baniocha k. Warszawy


Introduction

In implementation of the constitutional right of every person to the protection of private life and of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and in order to apply technical and organizational measures that ensure protection of the processed personal data appropriate to the risks and to the categories of data protected, in particular to protect data against unauthorized access, removal by an unauthorized person, processing in violation of the Regulation, and alteration, loss, damage or destruction, the following set of procedures is introduced.

Section 1
General provisions

§ 1. Whenever referred to in the document:
1) regulation - means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
2) personal data - shall mean information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
3) data filing system - shall mean a structured set of personal data accessible in accordance with specified criteria, regardless of whether this set is centralized, decentralized or dispersed functionally or geographically;
4) data processing - shall mean an operation or a set of operations which are performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, ordering, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
5) computer system - shall mean a set of cooperating devices, programs, information processing procedures and software tools applied for the purpose of data processing;
6) securing data in the computer system - shall mean the implementation and operation of appropriate technical and organizational measures to protect data against unauthorized processing;
7) erasure of data - shall mean the destruction of personal data or its modification in such a way that it is impossible to identify the data subject;
8) data controller - shall mean the natural or legal person, public authority, entity or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the data controller may also be designated by Union law or Member State law, or the specific criteria for its designation may be laid down;
9) consent of the data subject - means a freely given, specific, informed and unambiguous declaration of will by which the data subject, by means of a statement or a clear affirmative action, consents to the processing of personal data relating to him/her;
10) recipients of the data - means any natural or legal person, public authority, body or other entity to whom the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular proceeding in accordance with Union law or Member State law are not regarded as recipients; the processing of those data by those public authorities must comply with the data protection rules applicable to the purposes of the processing;
11) third country - shall mean a country not belonging to the European Economic Area;
12) technical and organizational means - shall mean technical and organizational means necessary to ensure confidentiality, integrity and accountability of the processed personal data;
13) limitation of processing - shall mean the marking of stored personal data in order to limit their future processing;
14) profiling - means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of an individual, in particular, to analyze or forecast aspects relating to that individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
15) pseudonymization - means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is covered by technical and organizational measures which make it impossible to attribute it to an identified or identifiable natural person;
16) processor - shall mean a natural or legal person, public authority, entity or any other body, which processes personal data on behalf of the data controller;
17) personal data protection breach - means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed.

Section 2
Data Controller

§ 2. The Data Controller in particular:

    1. Taking into account the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, of varying likelihood and severity, implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated where necessary.
    2. Keeps a record of processing activities. The record contains the following information:
        • the name and contact details of the Data Controller and any joint controllers, as well as, where applicable, the Data Controller's representative and the DPO,
        • the purposes of processing,
        • a description of the categories of data subjects and categories of personal data,
        • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations,
        • where applicable, transfers of personal data to a third country or international organization, including the name of that third country or international organization and, in the case of transfers referred to in Article 49(1), second subparagraph, of the Regulation, the documentation of appropriate safeguards,
        • where possible, the envisaged time limits for erasure of each category of data,
        • where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the Regulation.

Section 3
Technical and organizational measures

§ 3. In order to protect the data, the controller complies with the requirements of the Regulation, in particular:

a) conducts data protection impact assessments,
b) performs risk analysis of the resources involved in each process,
c) allows only persons authorized by the data controller to process the data (Annex 1),
d) enters into data processing agreements in accordance with Annex 2,
e) has developed and implemented this security policy.

§ 4. The following physical protection measures are applied to personal data:

    • personal data sets are stored in rooms located on the first and second floor, secured with ordinary doors (not reinforced, not fireproof),
    • the building in which the data controller is located is equipped with a burglar alarm system,
    • access to the rooms where personal data sets are processed is covered by an access control system: keys are issued at the reception desk only to authorized persons,
    • access to the building where the controller is located is monitored by a CCTV camera system,
    • the building in which the data controller is located is supervised by a security service around the clock,
    • paper personal data sets are stored in a locked metal cabinet and in locked non-metal cabinets,
    • backup/archival copies of personal data sets are stored in a locked non-metal cabinet,
    • premises where personal data sets are processed are protected against the effects of fire by a fire protection system and/or a free-standing fire extinguisher,
    • documents containing personal data are mechanically destroyed in document shredders when no longer needed.

§ 5. The following hardware measures of the IT and telecommunications infrastructure are used to protect personal data:

    • computers used to process personal data are connected to a local computer network,
    • a UPS, a power generator and/or a dedicated power grid protect the information system used to process personal data from power failures,
    • access to personal data sets processed on a stand-alone workstation or portable computer is protected against unauthorized start-up by a password,
    • access to the operating system of a computer on which personal data are processed is secured by authentication with a user ID and password,
    • measures are in place to prevent unauthorized copying of personal data processed in IT systems,
    • a system for logging access to the IT system/personal data sets has been implemented,
    • cryptographic protection is applied to personal data transmitted over telecommunications links,
    • a disk array protects personal data against the effects of disk storage failure,
    • measures are in place to protect against malware such as worms, viruses, Trojan horses and rootkits,
    • a firewall protects access to the computer network,
    • an IDS/IPS protects access to the computer network.

§ 6. The following protective measures within software tools and databases are used to protect personal data:

    • measures have been applied to define access rights to a specified range of data within the processed personal data set,
    • access to data sets, in the part processed in IT systems, requires authentication with a user ID and password,
    • system measures have been applied to define appropriate access rights to IT resources, including personal data sets, for individual users of the IT system,
    • a mechanism enforcing periodic change of passwords used to access personal data sets is in place,
    • screen savers are installed on workstations where personal data are processed, automatically locking access to the IT system after a period of user inactivity.

§ 7. The following organizational measures are used to protect personal data:

    • persons employed to process the data have been made familiar with the data protection regulations,
    • persons employed to process personal data have been trained in IT system security,
    • persons employed to process personal data are obliged to keep them confidential,
    • computer monitors on which personal data are processed are positioned so that outsiders cannot see the processed data,
    • backups of personal data sets are stored in a room other than the one housing the server on which the personal data are processed on an ongoing basis,
    • the data controller has defined basic security rules that apply to all employees of the Company, namely:
        • need-to-know principle - access to data is limited to what is necessary to perform the duties of the position,
        • principle of resource accountability - those processing data are responsible for the data they process and are required to follow the established security procedures in this regard,
        • closed-room principle - outsiders are not left alone in a room (in the absence of an authorized person); rooms are locked when left and keys are not left in locks,
        • clean desk rule - paper documents and data carriers (CDs, DVDs, USB flash drives, etc.) are not left unattended on the desk,
        • principle of individual accounts in systems - each employee is obliged to work in ICT systems on the accounts assigned to him/her; sharing accounts with persons to whom they have not been assigned is strictly prohibited,
        • principle of confidentiality of passwords and access codes - passwords and access codes are kept confidential and not disclosed to unauthorized persons; this applies in particular to personal passwords for access to IT systems and protected areas,
        • principle of using official e-mail - each person authorized to process data uses only the official e-mail account in the performance of official duties; using private e-mail for this purpose is prohibited,
        • clean screen rule - the computer is locked before the room is left; in case of a longer absence from the room, logging out of the system is required,
        • clean desktop rule - only icons of standard software and business applications, and shortcuts to folders, are placed on the computer desktop, provided that their names contain no data, in particular no personal data, that could be disclosed in an uncontrolled manner (e.g. during a presentation),
        • clean printer/copier rule - documents are removed from printers as soon as they are printed; this applies in particular to documents printed on a printer in another room,
        • clean bin rule - paper documents, except promotional materials, are destroyed in shredders or by an outside company,
        • software legality principle - installing software on one's own is prohibited; in particular, storing on the computer content that infringes copyright or other illegal data is prohibited,
        • security incident reporting principle - each person processing data is obliged to report information security incidents, i.e. unauthorized disclosure, destruction or modification of information, in accordance with the procedure specified in Section 8,
        • principle of using the Company's resources - data held by the data controller may be processed only on processing equipment approved for use in the Company; in particular, using private data processing equipment for this purpose is prohibited,
        • principle of not using names containing personal data when creating files, folders, etc.,
        • principle of adequate protection of the Company's hardware used as business equipment - laptops, phones, smartphones, tablets and other devices used by the Company's data processors for business purposes are adequately protected against unauthorized access and, at a minimum, protected with a password required to unlock the device.


Section 4
DPIA procedure
(Data Protection Impact Assessment)

§ 8. A data protection impact assessment (DPIA) is carried out for each process.
§ 9. A DPIA is conducted whenever there is a significant change in the processing of personal data, e.g. a change of service provider, a change of processing method, or replacement of the resources involved in the process.
§ 10. For processes that a previous DPIA found to present a high risk to the rights and freedoms of data subjects, the DPIA is repeated, together with a risk analysis, at least once a year.


Section 5
Risk analysis procedure and risk handling plan

§ 11. The data controller performs risk analysis of the resources involved in the processes.
§ 12. A risk analysis is conducted at least once a year and provides the basis for updating the way risks are handled.
§ 13. Based on the results of the risk analysis, the data controller implements the chosen risk treatment measures itself.
§ 14. Each time, the data controller chooses how to handle the risks and determines which risks will be addressed and in what order.

Section 6
Procedure of cooperation with external entities

§ 15. 1. Each use of a processor's services is preceded by the conclusion of a data processing agreement.
2. The data controller keeps a register of external entities entrusted with the processing of personal data.
§ 16. Each time before concluding a data processing agreement, the data controller verifies the compliance with the Regulation of every processor whose services it intends to use, following the procedure of cooperation with external entities.

Section 7
Procedure for data protection by default
(taking data protection into account at the design stage)

§ 17. Whenever a new product or service is created, the data controller takes into account the rights of data subjects at every key stage of its design and implementation. It implements appropriate technical and organizational measures so that, by default, only the personal data necessary for each specific purpose of processing are processed (the amount of data collected, the scope and period of processing, and their accessibility).
§ 18. When the data controller intends to start processing personal data in a new process, it carries out a DPIA for that process.

Section 8
Incident management procedure

§ 20. In every case of a personal data breach, the data controller verifies whether the breach resulted in a risk to the rights or freedoms of natural persons.
§ 21. Where the data controller finds that the breach resulted in a risk to the rights or freedoms of natural persons, it notifies the supervisory authority without undue delay, and no later than 72 hours after identifying the breach, following the security incident management procedure.
§ 22. The data controller notifies the data subjects concerned of breaches that result in a risk to their rights or freedoms, using the template notification of a data subject about a breach, unless it has applied measures that eliminate the likelihood of the high risk of such a breach materializing.
§ 23. The data controller documents breaches and keeps a register of breaches that result in an infringement of the rights and freedoms of natural persons.

Section 9
Procedure for exercising the rights of persons

§ 24. Each notification by a data subject of his or her wish to exercise the rights provided for in the Regulation is examined by the data controller individually.
§ 25. The data controller promptly gives effect to the following rights of data subjects:

    • right of access to the data,
    • right to rectification of data,
    • right to erasure of data,
    • the right to data portability,
    • right to object to the processing of data,
    • right not to be subject to a decision based solely on profiling.

§ 26. Where the rights of rectification, erasure or restriction of processing are exercised, the data controller immediately informs the recipients to whom it has disclosed the data in question, unless this proves impossible or involves disproportionate effort.
§ 27. The data controller may refuse to give effect to a data subject's rights only where the provisions of the Regulation so permit; any such refusal requires a statement of reasons citing the legal basis under the Regulation.

Section 10
Procedure for collecting consents and informing persons

§ 28. 1. Whenever data are collected directly from the data subject, the data controller fulfills the information obligation towards the data subject.
2. If data are collected from an employee, the template information notice applies.
§ 29. Whenever data are collected from sources other than the data subject, the data controller fulfills the information obligation towards the data subject without undue delay, and no later than at the first contact with the data subject.
§ 30. Whenever consent is obtained from a data subject, the standard consent clauses are used.

Section 11
Final Provisions

§ 31. All principles described in this document are to be observed by persons authorized to process personal data, with particular regard to the interests of data subjects.
§ 32. This document is effective as of the date it is approved by the data controller.
