§ 1
1. The Controller, aware of threats to the safety of processed personal data, declares to take all possible actions that are necessary to prevent, among others, threats such as:
- random situations or unforeseen impacts of external factors on the resources of the Controller's IT System, such as fire, flooding of premises, construction disasters, robbery, theft, burglary;
- inappropriate parameters of the environment, which disrupt the operation of computer devices (excessive humidity or very high temperatures, the influence of electromagnetic fields, and others);
- hardware or software failures that clearly indicate intentional breaches of data protection, and also the improper operation of service procedures, including allowing equipment containing personal Data to be repaired outside the Controller's office;
- breaches of data protection by unauthorized Processing;
- the disclosure to unauthorized persons of data protection rules that are applied by the Controller;
- the deliberate or accidental scattering of data on the Internet by bypassing the protection of the Controller's IT System, or by using errors in the Controller's IT System;
- cyber attacks;
- breaches of the rules set out in documentation concerning the protection of personal data by persons who are authorized to process personal data; the breaches are related to non-compliance with data protection rules, including in particular:
  - termination of work or leaving the workplace in a manner that is non-compliant with the procedures;
  - breaches of data security by their unauthorized Processing;
  - disclosure of data protection rules applied by the Controller to unauthorized persons;
  - disclosure of data processed by the Controller to unauthorized persons, including inadvertent disclosure of data to third parties present on the Controller's premises without adequate supervision;
  - failure to make backups in accordance with the procedures adopted by the Controller;
  - Processing of personal data contrary to the purpose specified by the Controller, including for private purposes;
  - introduction of changes to the Controller's IT System and the installation of any software without the consent of the Controller.
§ 2 Definitions
Whenever a given term is capitalized in the Policy, it has the meaning specified below:
- Controller - it is understood as Marta Wróbel, President of the Management Board of the company under the name FOLKSTAR sp. z o.o., determining the purposes and methods of personal data processing;
- Data Anonymization - this shall mean such a transformation of personal data that it is then impossible to assign individual, personal or material information to a specific or identifiable natural person, and this process is irreversible;
- Staff Member - this shall mean a person employed by the Controller on the basis of an employment relationship, civil law contracts (e.g. contracts for a specific task or contract of mandate), an entrepreneur performing activities personally and individually (including under cooperation contracts), an apprentice, an intern, a person referred to work under contracts with temporary employment agencies performing work related to the Processing of personal data at the Controller.
- Personal Data - this shall mean information about an identified or identifiable natural person ("person who is the data subject"). An identifiable person is a person who can be directly or indirectly identified, in particular on the basis of an Identifier such as a first name and surname, identification number, location data, internet identifier, or one or more specific factors that determine the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
- Special categories of personal Data - this shall mean Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed in order to uniquely identify a natural person, or data concerning the health, sexuality or sexual orientation of a person;
- Conviction and violation Data - this shall mean data on convictions and violations of the law, or other related security measures;
- Ordinary personal Data - this shall mean personal Data that is not the personal Data of Special categories, or Data concerning convictions and violations of law;
- Password - this shall mean a sequence of letters, numbers or other characters that are known only by the User;
- Identifier - this shall mean a sequence of letters, numbers, or other characters that uniquely identify the person who is authorized to process personal data in the IT System;
- Integrity and confidentiality of data - this shall mean a property that ensures adequate protection of personal data by appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, as well as destruction or damage;
- Commission - this shall mean the European Commission;
- Recipient of Data - this shall mean a natural or legal person, public authority, unit, or other entity to which personal Data is disclosed, including the processor, with the exception of public authorities which may receive personal Data as part of a specific proceeding in accordance with EU law or Polish law;
- Limitation of processing - this shall mean the marking of stored personal data in order to limit their future processing;
- Supervisory authority - this shall mean the President of the Personal Data Protection Office;
- International organization - this shall mean an organization and its subordinate bodies operating under public international law, or another body that was established by or on the basis of an agreement between two or more countries;
- Person authorized to process personal data - this shall mean a member of staff who has been authorized by the Controller to process personal data at the Controller;
- Third country - this shall mean any country not belonging to the European Economic Area (hereinafter: EEA);
- Entrusting the processing of personal data - this shall mean an order for the processing of personal data by the processor to the benefit of the Controller on the basis of an appropriate provision in the contract, which ensures the security of personal data in accordance with the provisions of the Regulation, or on the basis of a separate written contract for entrusting the processing of personal data concluded in accordance with Art. 28, sec. 3 of the Regulation;
- Processor - this shall mean a natural or legal person, public authority, unit, or other entity that processes personal Data on behalf of the Controller;
- Data Processing - this shall mean an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, sorting, storing, adapting or modifying, downloading, viewing, using, disclosing through sending, distributing or otherwise providing, adjusting or combining, limiting, or deleting or destroying;
- Accountability - this shall mean a feature that enables compliance with the provisions of the Regulation to be demonstrated;
- Regulation - this shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR (EU Official Journal L 119, p. 1);
- Entrepreneur - this shall mean Marta Wróbel, President of the Management Board of the company under the name FOLKSTAR sp. z o.o.;
- Controller's IT System - this shall mean computer hardware, software, Data used in a set of cooperating devices, programs, principles of information processing, and software tools that are used to process Customer data;
- Disclosure of personal data - this shall mean sending, disseminating, or other ways of providing personal data;
- Data deletion - this shall mean destroying personal data or modifying them in such a way that will not allow the Data subject to be identified;
- Authentication - this shall mean an activity that aims to verify the declared identity of a natural person or entity;
- User - this shall mean a member of staff who is authorized in writing to process personal data;
- Protection of the IT System - this shall mean the implementation of appropriate administrative, technical and physical measures to secure technical and IT resources, and to protect against modification, destruction, unauthorized access and disclosure or acquisition of personal data, as well as their loss;
- Collection of personal data - this shall mean the collecting of data from the data subject or from other sources;
- Consent of the data subject - this shall mean a voluntary, specific, conscious and unambiguous demonstration of the data subject's will in the form of a declaration or a clear affirmative action that allows for the processing of personal data;
§ 3
- The Entrepreneur is responsible for the implementation and maintenance of this Policy.
- The Entrepreneur is responsible for the supervision and monitoring of this Policy.
- The Entrepreneur is responsible for applying this Policy.
§ 4 Principles of personal data processing
1. The protection of personal data in the Company is based on the following pillars:
a. Legality - The Entrepreneur cares for the protection of privacy and processes data in accordance with the law;
b. Security - The Entrepreneur ensures an appropriate level of data security by constantly taking actions regarding this matter;
c. Individual rights - The Entrepreneur enables persons whose data are processed to exercise their rights, and gives effect to these rights;
d. Accountability - The Entrepreneur documents the way of fulfilling obligations in order to be able to demonstrate compliance at any time.
2. The Entrepreneur processes personal data based on the following principles:
a. Pursuant to the legal basis and in accordance with the law (legalism);
b. Reliably and honestly (reliability);
c. In a transparent manner for the data subject (transparency);
d. For specific purposes and not "just in case" (minimization);
e. No more than necessary (adequacy);
f. With care for the correctness of data (correctness);
g. Not longer than needed (timeliness);
h. Ensuring adequate data security (security).
3. The personal data protection system in the Company consists of the following elements:
a. Data inventory. The Entrepreneur identifies personal data resources at the Entrepreneur, data classes, relationships between data resources, and ways of using data (inventory).
b. Register. The Entrepreneur develops, runs and maintains a Register of Processing Personal Data Activities in the Company (Register). The Register is a tool for verifying the compliance with data protection at the Entrepreneur.
c. Legal basis. The Entrepreneur provides, identifies, and verifies the legal grounds for the processing of personal data and registers them in the Register:
- Maintains both the system of managing consent for data processing and remote communication;
- Inventories and specifies the justification of cases when the Entrepreneur processes data on the basis of the Entrepreneur's legitimate interest.
d. Handling the rights of individuals. The Entrepreneur fulfils obligations regarding information for persons whose data are processed and will ensure the handling of their rights while fulfilling any requests received in this regard, including:
- Information obligations. The Entrepreneur provides legally required information when collecting data and in other situations, and organizes and ensures the documentation of fulfilling these obligations;
- Ability to execute requests. The Entrepreneur verifies and ensures the possibility of effective execution of each type of request by herself and her processors;
- Processing of requests. The Entrepreneur ensures appropriate resources and procedures so that the requests of persons are documented and executed on time and in the manner required by GDPR;
- Notification of violations. The Entrepreneur uses procedures to determine the need to notify persons affected by the identified breach of data protection.
e. Minimization. The Entrepreneur has principles and methods of minimization management (privacy by default), including:
- Principles of data adequacy management;
- Principles of rationing and managing access to data;
- Principles of managing the data storage period and the verification of its further suitability.
f. Security. The Entrepreneur ensures an appropriate level of data security, including:
- Performing a risk analysis for the proceedings related to the processing of data or its categories;
- Carrying out data protection impact assessments where the risk of violating the rights and freedoms of individuals is high;
- Adapting data protection measures to the identified risks;
- Having a system of managing the security of information;
- Applying procedures that allow for the identification, assessment and notification of the identified data breaches to the Data Protection Authority - managing incidents.
g. Processor. The Entrepreneur has rules for selecting processors that process data on behalf of the Entrepreneur, requirements concerning the conditions of processing (processing agreements), and rules for verifying the performance of processing agreements.
h. Data Export. The Entrepreneur possesses the rules for verifying that the Entrepreneur does not transfer data to third countries or to international organizations, and also for ensuring legal conditions for such transfer if applicable.
i. Privacy by design. The Entrepreneur manages changes affecting privacy. For this purpose, at the stage of designing a change or investment, or at the beginning of a new project, there are procedures for launching new projects and investments in the Company, which take into account risk analysis, the ensuring of privacy, and the need to assess the impact of the change on data protection (including compliance with processing purposes, data protection and minimization).
j. Cross-border processing. The Entrepreneur possesses the rules for verification when there are cases of cross-border processing, as well as the rules for determining the leading supervisory authority and the main organizational unit within the meaning of GDPR.
§ 5 Inventory
- The Entrepreneur identifies cases in which special categories of data or criminal data are processed or may be processed, and maintains dedicated mechanisms to ensure the lawfulness of processing such data. In the case of identifying cases of processing data of special categories or criminal data, the Entrepreneur acts in accordance with the principles adopted in this regard.
- The Entrepreneur identifies cases in which unidentified data is processed or may be processed, and maintains mechanisms that facilitate the exercise of the rights of data subjects of whom unidentified data concerns.
- The Entrepreneur identifies cases in which the processed personal data is profiled, and maintains mechanisms that ensure the compliance of this process with the law. In the case of identifying cases of profiling and automated decision-making, the Entrepreneur acts in accordance with the adopted rules in this regard.
- The Entrepreneur identifies cases of co-administration of personal data and acts in accordance with the rules adopted in this regard.
§ 6 Register of personal data processing activities
- The Register of Personal Data Processing Activities is a form of documenting personal data processing activities; it serves as a data processing map and is one of the key elements that implement the fundamental principle of accountability.
- The Entrepreneur keeps the Register of Personal Data Processing Activities in which the way of using personal data is inventoried and monitored.
- The Register is one of the basic tools that enable the Company to settle the majority of personal data protection obligations.
- In the Register of Personal Data Processing Activities, for each data processing activity that the Entrepreneur recognizes as separate for the purposes of this Register, the Entrepreneur records at least:
a. the name of the activity;
b. the purpose of the processing;
c. the description of the category of persons;
d. the description of the data categories;
e. the legal basis for the processing;
f. the method of data collection;
g. the description of the category of data recipients;
h. the information about the transfer of data outside the EU/EEA;
i. the general description of the technical and organizational data protection measures.
§ 7 Legal basis for processing
- The Entrepreneur documents the legal basis for data processing for individual processing activities in the Register of Personal Data Processing Activities.
- When indicating the general legal basis (consent, contract, legal obligation, vital interests, public interest/public authority, legitimate interest of the Entrepreneur) in the documents, the Entrepreneur also defines the basis precisely and legibly where needed: for consent, its scope; where processing is based on law, the specific provision and other documents (e.g. contract, agreement); for vital interests, the categories of events in which they materialise; for a legitimate interest, the specific purpose (e.g. the Entrepreneur's own marketing, pursuing claims).
- The Entrepreneur implements consent management methods that enable the registration and verification of a person's consent to the processing of specific data for a specific purpose, and also consent for remote communication (e-mail, telephone, SMS, etc.). These methods also enable the registration of refusal of consent, withdrawal of consent, and other similar activities (objection, restriction, etc.).
- The manager of an organizational unit of the Entrepreneur is obliged to know the legal basis on which the unit under the manager's control carries out specific activities of personal data processing. If the grounds are the legitimate interest of the Entrepreneur, the manager is obliged to know the specific Entrepreneur's interest that is being executed using processing.
§ 8 Handling individual rights and information obligations
- The Entrepreneur cares about the legibility and style of the provided information and communication with people whose data are processed.
- The Entrepreneur takes care to meet the legal deadlines for fulfilling obligations towards persons.
- The Entrepreneur introduces adequate methods of identification and authentication of persons for the purposes of exercising individual rights and information obligations.
- In order to exercise the rights of individuals, the Entrepreneur provides procedures and mechanisms to identify the data of specific persons that are processed by the Entrepreneur, integrates this data, introduces changes to it, and deletes it in an integrated manner.
- The Entrepreneur documents the handling of information obligations, notifications and claims of persons.
§ 9 Information obligations
- The Entrepreneur determines, in accordance with the law, the methods of performing information obligations.
- The Entrepreneur informs the person when the deadline for considering that person's claim is extended beyond one month.
- The Entrepreneur informs the person about the processing of their data when collecting data from that person.
- The Entrepreneur informs the person about the processing of their data when obtaining data about this person, but not directly from that person.
- The Entrepreneur determines the method of informing people about the processing of unidentified data where it is possible (e.g. a notice board about the area being covered by video surveillance).
- The Entrepreneur informs about the planned changes of the purpose of data processing.
- The Entrepreneur informs the person before withdrawing the limitation of processing.
- The Entrepreneur informs the data recipients about the rectification, deletion or limitation of data processing (unless it will require a disproportionate effort or will be impossible).
- The Entrepreneur informs the person about the right to object to the processing of data at the latest at the first contact with that person.
- The Entrepreneur, without undue delay, notifies the person about the breach of personal data protection if it may result in a serious breach of the rights or freedoms of that person.
§ 10 Claims
1. Third Party Rights. When implementing the rights of data subjects, the Entrepreneur introduces procedural guarantees for the protection of the rights and freedoms of third parties. In particular, in the event of obtaining reliable information that the execution of a person's request for a copy of data, or the right to transfer data, may adversely affect the rights and freedoms of other persons, the Entrepreneur may ask the person to clarify doubts or take other steps permitted by law, including the refusal to satisfy the claim.
2. Non-processing. The Entrepreneur informs the person that data concerning that person are not processed if such a person has made a request regarding their rights.
3. Refusal. The Entrepreneur informs the person within one month of receiving the request about the refusal to execute the request and about the rights of the person related to it.
4. Access to data. At the request of the person concerning the access to their data, the Entrepreneur informs whether she processes their data, informs the person about the details of processing in accordance with Art. 15 of GDPR, and grants the person access to data concerning that person. Access to data may be provided by issuing a copy of the data, with the proviso that the Entrepreneur will not consider a copy of the data issued in the exercise of the right to access the data as the first free copy of the data for the purposes of fees for data copies.
5. Copies of data. Upon request, the Entrepreneur issues a copy of the data concerning the person and notes the fact that the first copy of the data was issued. The Entrepreneur introduces and maintains a price list for copies of data, according to which the Entrepreneur charges a fee for subsequent copies.
6. Data rectification. The Entrepreneur corrects incorrect data at the request of the person. The Entrepreneur has the right to refuse to rectify the data, unless the person reasonably proves that the data is incorrect. In the event of rectification of data, the Entrepreneur informs the recipients of the data at the request of that person.
7. Updating data. The Entrepreneur completes and updates data at the request of the person. The Entrepreneur has the right to refuse to update data if that updating is inconsistent with the purposes of processing. The Entrepreneur may rely on the person's declaration regarding incomplete data, unless it is insufficient with regards to the procedures adopted by the Entrepreneur, the law, or if there are grounds for considering this declaration as unreliable.
8. Deleting data. At the request of the person, the Entrepreneur deletes data when:
a. data is not necessary for the purposes for which it was collected, or data is not processed for other lawful purposes;
b. consent to their processing has been withdrawn, and there is no other legal basis for processing;
c. the person has lodged an effective objection to the processing of this data;
d. the need to remove it results from a legal obligation;
e. the request concerns a child's data collected on the basis of consent in order to provide information society services offered directly to the child.
9. The Entrepreneur determines the method of handling the right to delete data in such a way as to ensure the effective implementation of this right while respecting all the data protection principles, including those regarding security; the Entrepreneur verifies that there are no exceptions referring to Art. 17, sec. 3 of GDPR.
10. If the data to be deleted has been made public by the Entrepreneur, the Entrepreneur shall take reasonable steps, including technical measures, to inform other controllers who process this data about the need to delete the data and the access to it.
11. In the event of deleting data, the Entrepreneur shall inform about the recipients of the data at the request of that person.
12. Limitation of processing. The Entrepreneur limits data processing at the request of the person when:
a. the person questions the correctness of the data - for a period that allows their correctness to be verified;
b. the processing is unlawful, and the data subject opposes the deletion of personal data and instead requests the limitation of their use;
c. the Entrepreneur no longer needs personal data, but they are needed by the data subject to assert, investigate or defend claims;
d. the person has objected to the processing due to reasons related to a special situation - until it is determined whether the Entrepreneur has legally justified grounds that override the grounds for objection.
13. During the limitation of data processing, the Entrepreneur stores data, but does not process them without the consent of the data subject, unless in order to ascertain, investigate or defend against claims or to protect the rights of another natural or legal person, or for important reasons of public interest.
14. The Entrepreneur informs the person before repealing the processing restriction.
15. In the event of limitation of data processing, the Entrepreneur informs the person about the recipients of the data at the request of that person.
16. Moving data. At the request of the person, the Entrepreneur issues data in a structured, commonly used machine-readable format or transfers it to another entity if possible; the data concerns that person, was provided to the Company, is contained in the Entrepreneur's IT System, and processed on the basis of that person's consent or for the purpose of concluding or performing a contract with that person.
17. Objection in a special situation. If the person raises an objection motivated by their particular situation to the processing of their personal data, and the data are processed by the Entrepreneur on the basis of the Entrepreneur's legitimate interest or a task entrusted to the Entrepreneur in the public interest, the Entrepreneur will take into account the objection unless there are valid legally justified grounds for the Entrepreneur's processing of data that override the interests, rights and freedoms of the person objecting, or there are grounds for ascertaining, investigating and defending against claims.
18. Objection to direct marketing. If the person objects to the processing of their data by the Entrepreneur for direct marketing purposes, the Entrepreneur will take into account the objection and cease such processing.
19. Right to human intervention in the event of automated processing. If the Entrepreneur processes data automatically, including in particular the profiling of persons, and as a consequence makes decisions with respect to such persons that have legal effects or otherwise significantly affect the person, the Entrepreneur provides the possibility of requesting the intervention and decision of a human acting on behalf of the Entrepreneur, unless such an automatic decision:
a. is necessary for the conclusion or performance of a contract between the person appealing and the Entrepreneur;
b. is directly permitted by law;
c. is based on the clear consent of the person appealing.
§ 11 Minimization
- The Entrepreneur cares about minimizing data processing in terms of:
a. the adequacy of data for certain purposes;
b. access to data;
c. the time of storing data.
- The Entrepreneur verified the scope of the obtained data, the scope of their processing and the amount of data processed with regards to adequacy for processing purposes as part of the implementation of GDPR.
- The Entrepreneur shall periodically review, at least once a year, the amount of processed data and the scope of processing.
- The Entrepreneur verifies changes to the amount and scope of data processing as part of procedures regarding the management of changes (privacy by design).
- The Entrepreneur applies restrictions on access to personal data: legal (confidentiality obligations, scope of authorizations), physical (access zones, closing rooms) and logical (restrictions on authorizations to systems processing personal data and network resources in which personal data reside).
- The Entrepreneur applies physical access control.
- The Entrepreneur updates access authorizations in the event of changes in staff, changes in the roles of people, and changes in the processing of entities.
- The Entrepreneur periodically reviews the users set up in the systems and updates them at least once a year.
- The Entrepreneur implements the mechanisms of controlling the personal data lifecycle at the Entrepreneur, including the verification of further suitability of the data in relation to the dates and control points indicated in the register of personal data processing activities.
- Data, the scope of suitability of which has been limited over time, is removed from the Entrepreneur's production systems, as well as from reference and main files. Such data may be archived and stored on backup copies of systems and information processed by the Entrepreneur. Procedures for archiving and using archives, as well as for creating and using backups, take into account the requirements of data lifecycle control, including the requirements of data deletion.
§ 12 Security
- The Entrepreneur ensures a level of security corresponding to the risk of violating the rights and freedoms of natural persons as a result of the processing of personal data by the Entrepreneur.
- The Entrepreneur carries out and documents analyses of the adequacy of personal data security measures. For this purpose:
a. the Entrepreneur provides adequate knowledge concerning security of information, cyber security and business continuity - internally, or with the support of specialized entities;
b. the Entrepreneur categorizes data and processing activities with regards to the risks they present;
c. the Entrepreneur carries out an analysis of the risk of violating the rights or freedoms of natural persons with regards to the activities related to the processing of data or their categories. The Entrepreneur analyses possible situations and scenarios of personal data breaches, taking into account the nature, scope, context, and purposes of processing, and also the risk of violating the rights or freedoms of natural persons with a different probability of the occurrence of this risk and its different severity;
d. the Entrepreneur determines the possible organizational and technical security measures and assesses the cost of their implementation. The Entrepreneur determines the suitability of such measures and applies the following:
i. cyber security measures, involving the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
ii. measures to ensure business continuity and to prevent the effects of disasters, i.e. the ability to quickly restore the availability of personal data and access to it in the event of a physical or technical incident.
- The Entrepreneur assesses the effects of the planned processing operations for the protection of personal data where, according to risk analysis, the risk of violating rights and freedoms is high.
- The Entrepreneur uses the methodology of impact assessment adopted at the Entrepreneur.
- The Entrepreneur applies security measures established within the analysis of the risk and adequacy of security measures and the assessments of the impact of data protection.
- Personal data security measures constitute an element of information security measures and the ensuring of cyber security in the Company, and are described in more detail in the procedures adopted by the Entrepreneur regarding these areas.
- The Entrepreneur applies procedures that allow for the identification, assessment and notification of the identified data breach to the Data Protection Office within 72 hours from the determination of the breach.
§ 13 Processor
- The Entrepreneur has principles for the selection and verification of people who process data on behalf of the Entrepreneur, which are developed to ensure that the processors provide sufficient guarantees to implement appropriate organizational and technical measures to ensure security, the exercising of the rights of individuals, and also to ensure other obligations regarding data protection that are imposed on the Entrepreneur.
- The Entrepreneur verifies the processors with regards to the use of sub-processors, as well as other requirements resulting from the Rules of entrusting personal data.
§ 14 Data export
- The Entrepreneur registers cases of data export, i.e. transfers of data outside the EEA, in the Register of Personal Data Processing Activities.
- In order to avoid the situation of unauthorized data export, in particular in connection with the use of publicly available cloud services (shadow IT), the Entrepreneur periodically verifies the behaviour of users and, if possible, provides equivalent solutions in accordance with data protection law.
§ 15 Privacy by design
- The Entrepreneur manages changes that affect privacy in such a way as to ensure adequate security of personal data and the minimizing of their processing.
- For this purpose, the rules of conducting projects and investments by the Entrepreneur refer to the rules of personal data security and minimization; they require an assessment of the impact on privacy and data protection, as well as require the taking into account and designing of security and the minimizing of data processing from the beginning of a project or investment.