SECURITY POLICY FOR PERSONAL DATA PROCESSING

in

BIZON INT Sp. z o.o.

with registered office in Tomice, ul. European 4.

Introduction

In order to give effect to the constitutional right of every person to the protection of private life and to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and in order to apply technical and organizational measures that ensure a level of protection of the processed personal data appropriate to the risks and to the categories of data protected, in particular protection of the data against unauthorized access, removal by an unauthorized person, processing in breach of the aforementioned Regulation, and alteration, loss, damage or destruction, the following set of procedures is introduced.

Section 1

General provisions

§ 1. Whenever the following terms are used in this document, they shall mean:

1) Regulation - means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

2) personal data - shall mean information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

3) data filing system - shall mean a structured set of personal data accessible in accordance with specified criteria, regardless of whether this set is centralized, decentralized or dispersed functionally or geographically;

4) data processing - shall mean an operation or a set of operations which are performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, ordering, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

5) computer system - shall mean a set of cooperating devices, programs, information processing procedures and software tools applied for the purpose of data processing;

6) securing data in the computer system - shall mean the implementation and operation of appropriate technical and organizational measures to protect data against unauthorized processing;

7) erasure of data - shall mean the destruction of personal data or its modification in such a way that it is impossible to identify the data subject;

8) data controller - shall mean the natural or legal person, public authority, entity or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the data controller may also be designated by Union law or Member State law, or the specific criteria for its designation may be laid down;

9) consent of the data subject - means a freely given, specific, informed and unambiguous declaration of will by which the data subject, by means of a statement or a clear affirmative action, consents to the processing of personal data relating to him/her;

10) recipient of the data - means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not; however, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients, and the processing of those data by those public authorities shall comply with the data protection rules applicable to the purposes of the processing;

11) third country - shall mean a country not belonging to the European Economic Area;

12) technical and organizational means - shall mean technical and organizational means necessary to ensure confidentiality, integrity and accountability of the processed personal data;

13) restriction of processing - shall mean the marking of stored personal data with the aim of limiting their processing in the future;

14) profiling - means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of an individual, in particular, to analyze or forecast aspects relating to that individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;

15) pseudonymization - means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is covered by technical and organizational measures which make it impossible to attribute it to an identified or identifiable natural person;

16) processor - shall mean a natural or legal person, public authority, entity or any other body, which processes personal data on behalf of the data controller;

17) personal data protection breach - means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed.

 

Section 2

Data Controller

§ 2. The Data Controller in particular:

1. Taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation. These measures are reviewed and updated as necessary.

2. Maintains a register of processing activities. The register shall contain the following information:

  • the name and contact details of the Data Controller and of any joint controllers and, where applicable, of the Data Controller's representative and of the data protection officer (DPO),
  • the purposes of the processing,
  • a description of the categories of data subjects and of the categories of personal data,
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations,
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, the documentation of suitable safeguards,
  • where possible, the envisaged time limits for erasure of the different categories of data,
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the Regulation.

Section 3

Technical and organizational measures

§ 3. In order to protect the data and to meet the requirements of the Regulation, the data controller:

a) conducts data protection impact assessments,

b) performs a risk analysis of the resources involved in each process,

c) allows only persons it has authorized to process the data (Annex 1),

d) enters into data processing entrustment agreements in accordance with Annex 2,

e) has developed and implemented this security policy.

§ 4. The following physical protection measures are in place to protect personal information:

  • personal data sets are stored in rooms located on the first and second floors and secured with regular doors (not reinforced, not fireproof),
  • the building in which the data controller is located is equipped with a burglar alarm system,
  • access to the rooms where personal data sets are processed is covered by an access control system: keys are issued at the reception only to authorized persons,
  • access to the building where the data controller is located is monitored by a CCTV camera system,
  • the building in which the data controller is located is supervised by a security service around the clock,
  • paper personal data sets are stored in a locked metal cabinet and in locked non-metal cabinets,
  • backup and archival copies of personal data sets are stored in a locked non-metal cabinet,
  • premises where personal data sets are processed are protected against fire by a fire protection system and/or a free-standing fire extinguisher,
  • documents containing personal data are destroyed mechanically in document shredders when no longer needed.

§ 5. The following IT and telecommunications infrastructure hardware measures are used to protect personal data:

  • computers used to process personal data are connected to a local computer network,
  • UPS units, a power generator and/or a dedicated power grid are used to protect the information system used to process personal data against power failures,
  • access to a personal data set processed on a separate workstation or portable computer is protected against unauthorized start-up with a password,
  • access to the operating system of a computer on which personal data are processed is secured by an authentication process using a user ID and password,
  • measures are in place to prevent unauthorized copying of personal data processed in IT systems,
  • a system for logging access to the IT system and to the personal data sets is in place,
  • cryptographic protection measures are applied to personal data transmitted over networks,
  • a disk array is used to protect personal data against the effects of disk storage failure,
  • measures are in place to protect against malware such as worms, viruses, Trojan horses and rootkits,
  • a firewall is used to protect access to the computer network,
  • an IDS/IPS is used to protect access to the computer network.

§ 6. The following safeguards within software tools and databases are in place to protect personal information:

  • measures have been applied to define access rights to the specified range of data within the processed personal data sets,
  • access to the parts of the data sets processed in IT systems requires authentication with a user ID and password,
  • system measures have been applied to define appropriate access rights to IT resources, including personal data sets, for individual users of the IT system,
  • a mechanism is used to force a periodic change of the passwords used to access personal data sets,
  • screen savers are installed on workstations where personal data are processed,
  • a mechanism that automatically blocks access to the IT system used to process personal data after prolonged user inactivity (screen lock) is in place.

§ 7. The following organizational measures are in place to protect personal data:

  • persons employed to process the data have been made familiar with the data protection regulations,
  • persons employed to process personal data have been trained in IT system security,
  • persons employed to process personal data are obliged to keep the data confidential,
  • computer monitors on which personal data are processed are positioned so that outsiders cannot see the processed data,
  • backups of the personal data sets are stored in a room other than the one housing the server on which the personal data are processed on an ongoing basis,
  • the data controller has defined basic security rules that apply to all employees of the Company, namely:
    • need-to-know principle - access to data is limited to what is necessary to perform the duties of the position,
    • principle of accountability for resources - persons processing data are responsible for the data they process and are required to follow the established security procedures in this regard,
    • closed room principle - outsiders are not left alone in a room (in the absence of an authorized person), rooms are locked when left and keys are not left in locks,
    • clean desk rule - paper documents and data carriers (CDs, DVDs, USB flash drives, etc.) are not left unattended on the desk,
    • principle of personal accounts - each employee is obliged to work in ICT systems only on the accounts assigned to him/her; sharing accounts with persons to whom they have not been assigned is strictly forbidden,
    • principle of confidentiality of passwords and access codes - passwords and access codes are kept confidential and are not disclosed to unauthorized persons; this applies in particular to personal passwords for access to IT systems and protected areas,
    • principle of using official e-mail - each person authorized to process data uses only the official e-mail account in the performance of official duties; the use of private e-mail for this purpose is prohibited,
    • clean screen rule - the computer is locked each time the employee leaves the room; in case of prolonged absence from the room, the employee logs out of the system,
    • clean desktop rule - only icons of standard software and business applications may be placed on the computer desktop, as well as shortcuts to folders, provided that their names contain no data, in particular personal data, that could be disclosed in an uncontrolled manner (e.g. during a presentation),
    • clean printer/copier rule - documents are removed from printers as soon as they are printed; this applies in particular to documents left in printers located in another room,
    • clean bin rule - paper documents, except for promotional materials, are destroyed in shredders or by an external company,
    • principle of software legality - installing software on one's own is prohibited, as is, in particular, storing on the computer content that infringes copyright or other illegal data,
    • principle of security incident reporting - each person processing data is obliged to report information security incidents, i.e. unauthorized disclosure, destruction or modification of information, in accordance with the procedure specified in Section 8,
    • principle of using the Company's resources - data held by the data controller may be processed only with the means of processing approved for use in the Company; in particular, the use of private means of data processing for this purpose is prohibited,
    • principle of not using names containing personal data when creating files, folders, etc.,
    • principle of adequate protection of the Company's hardware used as business equipment - laptops, phones, smartphones, tablets and other devices used for business purposes by persons processing data on behalf of the Company must be adequately protected against unauthorized access, and at a minimum must require a password to unlock the device.

 

Section 4 

DPIA procedure

(Data Protection Impact Assessment)

§ 8. A Data Protection Impact Assessment (DPIA) shall be conducted for each process.

§ 9. The DPIA is repeated whenever there is a significant change in the processing of personal data, e.g. a change of service provider, a change in the method of processing, or the replacement of resources involved in the process.

§ 10. The DPIA shall be carried out together with a risk analysis at least once a year for processes that, as a result of a previous DPIA, have shown a high risk to the rights and freedoms of data subjects.

 

Section 5

Risk analysis procedure and risk handling plan 

§ 11. The data controller performs risk analysis for the resources involved in the processes.

§ 12. A risk analysis is conducted at least once a year and provides a basis for updating the way risks are handled.

§ 13. Based on the results of the risk analysis, the data controller shall itself select and implement the risk treatment measures.

§ 14. On each occasion the data controller decides how each risk is to be treated and determines which risks are to be addressed and in what order of priority.

 

Section 6

Procedure for cooperation with external entities

§ 15. 1. Each use of the services of a processor is preceded by the conclusion of a data processing entrustment agreement.

2. The data controller shall keep a register of external entities entrusted with the processing of personal data.

§ 16. Before entering into any data processing entrustment agreement, the data controller shall verify, under its procedure for cooperation with external entities, that every processor it intends to use complies with the Regulation.

 

Section 7

Procedure for data protection by design and by default

(taking data protection into account at the design stage) 

§ 17. Whenever a new product or service is developed, the data controller shall take the rights of data subjects into account at every key stage of its design and implementation. It shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed; this applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

§ 18. When a data controller intends to start processing personal data in a new process, it shall carry out a DPIA in relation to that process.

 

Section 8

Incident management procedure 

§ 20. In each case of a personal data breach, the data controller assesses whether the breach is likely to result in a risk to the rights or freedoms of natural persons.

§ 21. If the data controller determines that the breach is likely to result in a risk to the rights or freedoms of natural persons, it shall notify the supervisory authority immediately, and no later than 72 hours after identifying the breach, following the security incident management procedure.

§ 22. The data controller shall notify data subjects of breaches concerning them that are likely to result in a high risk to their rights or freedoms, using the model breach notification to the data subject, unless the data controller has taken measures as a result of which the high risk is no longer likely to materialize.

§ 23. The data controller shall document personal data breaches and keep a register of breaches that have affected the rights and freedoms of natural persons.

Section 9

Procedure for exercising the rights of persons 

§ 24. Each case of notification by a data subject of his or her wish to exercise the rights provided for in the Regulation shall be examined by the data controller individually.

§ 25. The data controller shall give effect without undue delay to the following rights of data subjects:

  • the right of access to the data,
  • the right to rectification of the data,
  • the right to erasure of the data,
  • the right to restriction of processing,
  • the right to data portability,
  • the right to object to the processing of the data,
  • the right not to be subject to a decision based solely on automated processing, including profiling.

§ 26. Where data are rectified or erased or their processing is restricted, the data controller shall without undue delay inform each recipient to whom the data in question have been disclosed, unless this proves impossible or involves disproportionate effort.

§ 27. The data controller may refuse to give effect to a data subject's request where the provisions of the Regulation so permit; every refusal shall be accompanied by a statement of reasons citing the legal basis in the Regulation.

Section 10

Procedure for collecting consents and informing persons

§ 28. 1. Whenever data are collected directly from a data subject, the data controller shall fulfil the information obligation towards the data subject.

2. If data are collected from an employee, the model information notice for employees is used.

§ 29. Whenever data are collected from sources other than the data subject, the data controller shall fulfil the information obligation towards the data subject without delay, and no later than at the first contact with the data subject.

§ 30. Whenever consent is collected from a data subject, the model consent clauses are used.

 

Section 11

Final Provisions

§ 31. All principles described in this document shall be observed by persons authorized to process personal data, with particular regard to the interests of data subjects.

§ 32. This document is effective as of the date it is approved by the data controller.
