1. This document, entitled "Personal Data Protection Directive" (hereinafter "the Directive"), defines the requirements, principles and rules for the protection of personal data at CENTER ZOO, a limited liability company with its registered office at Kokotów 703, 32-002 Węgrzce Wielkie (hereinafter "the Company").
This Directive is a personal data protection policy within the meaning of the GDPR (Polish: RODO), i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119).
2. The Directive includes:
a) a description of the personal data protection rules in force in the Company,
b) references to supplementary annexes (reference procedures or instructions covering specific areas of personal data protection that require more detailed treatment).
3. Responsible for implementing and maintaining this Directive, in accordance with the rules of representation of the Company, are:
a) the member of the Management Board entrusted with supervision of the personal data protection area;
b) the person appointed by the Management Board to ensure compliance with personal data protection.
Responsible for supervising and monitoring compliance with this Directive are:
c) the Data Protection Officer, if one has been appointed in the Company;
d) the internal audit unit, if one operates in the Company.
4. Responsible for applying this Directive are:
a) the Company,
b) the organizational unit responsible for information security,
c) organizational units that process personal data on a large scale,
d) other organizational units,
e) all employees of the Company.
The Company should also ensure that the conduct of its contractors is consistent with this Directive to the extent that the Company provides them with personal data.
5. Abbreviations and definitions
• Directive means this Personal Data Protection Directive, unless the context indicates otherwise.
• RODO or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119).
• Data means personal data, unless the context indicates otherwise.
• Special category data means the data listed in Article 9(1) of the GDPR, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation.
• Criminal data means the data listed in Article 10 of the GDPR, i.e. data relating to criminal convictions and offences.
• Children's data means the data of persons under 16 years of age.
• Person means the person to whom the data relates (the data subject), unless the context indicates otherwise.
• Processor means an organization or person entrusted by the Company with the processing of personal data (e.g. an IT service provider, or an entity participating in the provision of the services offered by the Company).
• Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
• Data export means the transfer of data to a third country or to an international organization.
• IOD or Inspector means the Data Protection Officer (Inspektor Ochrony Danych).
• RCPD or Register means the register of personal data processing activities.
• The Company means CENTER ZOO with its registered office in Kokotów.
6. Protection of personal data in the Company, general rules:
a) Pillars of personal data protection in the Company:
• Lawfulness: the Company cares about the protection of privacy and processes data in accordance with the law.
• Security: the Company ensures an appropriate level of data security and continuously takes action in this area.
• Individual rights: the Company enables the persons whose data it processes to exercise their rights, and gives effect to those rights.
• Accountability: the Company documents how it fulfils its obligations so that it can demonstrate compliance at any time.
b) The Company processes personal data in accordance with the following principles:
• on the basis of a legal basis and in accordance with the law (lawfulness);
• fairly and honestly (fairness);
• transparently for the data subject (transparency);
• for specific purposes and not "in stock" (purpose limitation);
• no more than necessary (data minimization);
• with regard to the accuracy of the data (accuracy);
• no longer than necessary (storage limitation);
• ensuring adequate data security (security).
7. Personal data protection system:
The personal data protection system in the Company consists of the following elements:
a) Data inventory. The Company identifies its personal data resources, data classes, the relationships between data resources, and the methods of data use (inventory), including:
• cases in which special category data and criminal data are processed;
• cases of processing data of persons whom the Company does not identify (unidentified data);
• cases of processing children's data;
• cases of joint controllership of data.
b) Register. The Company develops, maintains and updates a register of personal data processing activities (the Register). The Register is a tool for accounting for data protection in the Company.
c) Legal bases. The Company identifies the legal bases for data processing, reviews them and records them in the Register, including:
• maintaining a system for managing consents to data processing and to remote communication,
• inventorying and specifying the justification for the cases in which the Company processes data on the basis of its legitimate interest.
d) Handling of individual rights. The Company fulfils its information obligations towards the persons whose data it processes and ensures that their rights are served by handling their requests, including:
• Information obligations. The Company provides entitled persons with the legally required information when collecting data and in other situations, and organizes and documents the fulfilment of these obligations.
• Ability to make requests. The Company verifies and ensures that every type of request can be effectively fulfilled by the Company itself and by its processors.
• Handling of requests. The Company ensures adequate resources and procedures so that requests from individuals are handled on time, in the manner required by the GDPR, and documented.
• Breach notification. The Company applies procedures for determining whether the persons affected by an identified data breach must be notified.
e) Minimization. The Company has principles and methods of managing minimization (privacy by default), including:
• principles of managing the adequacy of data;
• principles of regulating and managing access to data;
• principles of managing the retention period of data and verifying its further usefulness.
f) Security. The Company ensures an appropriate level of data security, including:
• carries out risk analyses for data processing activities or categories of such activities;
• carries out data protection impact assessments where the risk of violation of rights and freedoms is high;
• adapts data protection measures to the identified risk;
• has an information security management system;
• applies procedures for identifying, assessing and reporting identified data breaches to the data protection authority (incident management).
g) Processors. The Company has rules for selecting processors acting on behalf of the Company, requirements for the conditions of processing (data processing agreement), and rules for verifying the performance of data processing agreements.
h) Data export. The Company has rules for verifying that it does not transfer data to third countries (i.e. outside the EU, Norway, Liechtenstein and Iceland) or to international organizations, and for ensuring lawful conditions for such a transfer if it does take place.
i) Privacy by design. The Company manages changes that affect privacy. To this end, the procedures for launching new projects in the Company take into account the need to assess the impact of the change on data protection, to analyse risk, and to ensure data protection (including compliance with the purposes of processing, data security and minimization) already at the design stage of a change or at the start of a new project.
j) Cross-border processing. The Company has rules for verifying cross-border processing, and rules for determining the lead supervisory authority and the main establishment within the meaning of the GDPR.
8. SPECIFIC CASES OF DATA PROCESSING
a) Special category data and criminal data:
The Company does not process special category data or criminal data.
b) Unidentified data:
The Company identifies cases in which it processes or may process unidentified data, and maintains mechanisms enabling the exercise of the rights of the persons to whom unidentified data relates.
c) Profiling:
The Company identifies cases in which it carries out profiling of the data it processes, and maintains mechanisms ensuring that this process complies with the law. Having identified cases of profiling and automated decision-making, the Company follows the rules set out in this Directive for such cases.
d) Joint controllership:
The Company does not act as a joint controller of data.
9. REGISTER OF DATA PROCESSING ACTIVITIES
a) The RCPD is a form of documenting data processing activities, serves as a map of data processing, and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based: the principle of accountability.
b) The Company keeps the Register, in which it inventories and monitors the ways in which it uses personal data.
c) The Register is one of the basic tools with which the Company can fulfil most of its data protection obligations.
d) In the Register, for each data processing activity that the Company has decided to treat as separate for the purposes of the Register, the Company records at least:
• the name of the activity,
• the purpose of the processing,
• a description of the categories of persons,
• a description of the categories of data,
• the legal basis of the processing, including the category of the Company's legitimate interest where the processing is based on a legitimate interest,
• the method of data collection,
• a description of the categories of data recipients (including processors),
• information on transfers outside the EU/EEA,
• a general description of the technical and organizational data protection measures.
e) The template of the Register is Annex 1 to the Directive, "Template Register of Data Processing Activities". The Register template also contains optional columns. In the optional columns the Company records information as needed and as available, bearing in mind that a more complete Register facilitates the management of and compliance with data protection rules.
10. LEGAL BASES FOR PROCESSING
a) The Company documents in the Register the legal bases of data processing for the individual processing activities.
b) When indicating the general legal basis (consent, contract, legal obligation, vital interests, legitimate interest of the Company) in its documents, the Company specifies the basis precisely and legibly where necessary. For example: for consent, it indicates the scope of the consent; where the law is the basis, it indicates the specific provision and other documents, e.g. an agreement or an administrative decision; for vital interests, it indicates the categories of events in which they arise; for a legitimate interest, it indicates the specific purpose, e.g. own marketing or the pursuit of claims.
c) The Company applies consent management methods, including recording and verifying a person's consent to the processing of their specific data for a specific purpose, consent to remote communication (e-mail, telephone, SMS, etc.), and recording refusals of consent, withdrawals of consent and similar actions (objection, restriction, etc.).
d) The head of an organizational unit of the Company is required to know the legal bases on which the unit they manage carries out specific personal data processing activities. If the basis is the Company's legitimate interest, the head of the unit is required to know the specific interest of the Company served by the processing.
11. HANDLING OF INDIVIDUAL RIGHTS AND INFORMATION OBLIGATIONS
a) The Company pays attention to the legibility and style of the information it provides and of its communication with the persons whose data it processes.
b) The Company facilitates the exercise of rights by individuals through various measures, including: publishing on the Company's website information about the rights of individuals, how to exercise them in the Company (including identification requirements), and how to contact the Company for this purpose; an optional list of "additional" requests; etc.
c) The Company ensures compliance with the statutory deadlines for fulfilling its obligations towards individuals.
d) The Company applies appropriate methods of identifying and authenticating persons for the purpose of exercising individual rights and fulfilling information obligations.
e) In order to enable the exercise of individual rights, the Company provides procedures and mechanisms that make it possible to identify the data of specific persons processed by the Company, to integrate such data, and to modify and delete it.
f) The Company documents the handling of information obligations, notifications and requests of individuals.
12. INFORMATION OBLIGATIONS
a) The Company defines lawful and effective ways of fulfilling its information obligations.
b) The Company informs the person about any extension beyond one month of the deadline for considering that person's request.
c) The Company informs the person about the processing of their data when it collects data from that person.
d) The Company informs the person about the processing of their data when it collects data about that person indirectly.
e) The Company defines the method of informing persons about the processing of unidentified data, where this is possible (e.g. a notice in the area covered by CCTV).
f) The Company informs the person about a planned change of the purpose of the processing.
g) The Company informs the person before lifting a restriction on processing.
h) The Company informs the recipients of the data about the rectification, erasure or restriction of processing of the data (unless this would require a disproportionate effort or is impossible).
i) The Company informs the person about the right to object to the processing of their data at the latest at the time of the first contact with that person.
j) The Company informs the person without undue delay about a personal data breach if it is likely to result in a high risk to the rights or freedoms of that person.
13. HANDLING OF REQUESTS FROM INDIVIDUALS
a) Rights of third parties. In giving effect to the rights of data subjects, the Company provides procedural safeguards for the protection of the rights and freedoms of others. In particular, if the Company obtains reliable information that fulfilling a person's request for a copy of the data or for data portability may adversely affect the rights and freedoms of others (e.g. the privacy rights of others, intellectual property rights, trade secrets), the Company may ask the person to clarify the doubts or take other lawful steps, including refusing to fulfil the request.
b) No processing. The Company informs the person that it does not process any data relating to them if that person has made a request regarding their rights.
c) Refusal. The Company informs the person, within one month of receiving the request, of its refusal to consider the request and of the person's rights in connection with the refusal.
d) Access to data. At the request of a person for access to their data, the Company informs the person whether it processes their data and provides the details of the processing in accordance with Article 15 of the GDPR (the scope corresponds to the information obligation on collection of data), and also gives the person access to their data. Access may be provided by issuing a copy of the data, provided that a copy issued in exercise of the right of access is not treated by the Company as the first free copy for the purposes of fees for copies of data.
e) Copies of data. Upon request, the Company issues a copy of the person's data to them and records the fact that the first copy has been issued. The Company introduces and maintains a price list for copies of data, according to which it charges fees for subsequent copies. The price of a copy is calculated on the basis of the estimated unit cost of handling a request for a copy of data.
f) Rectification of data. The Company rectifies inaccurate data at the person's request. The Company has the right to refuse rectification unless the person has reasonably demonstrated the inaccuracy of the data whose rectification is requested. In the case of rectification, the Company informs the person, at that person's request, of the recipients of the data.
g) Completion of data. The Company completes and updates data at the person's request. The Company has the right to refuse to complete the data if the completion would be inconsistent with the purposes of the processing (e.g. the Company need not process data that it does not need). The Company may rely on the person's statement as to the data to be completed, unless that statement is insufficient in the light of the procedures applied by the Company (e.g. for obtaining such data) or the law, or there are grounds to consider the statement unreliable.
h) Erasure of data. At the request of a person, the Company erases data if:
• the data is not necessary for the purposes for which it was collected, nor is it processed for other lawful purposes;
• consent to its processing has been withdrawn and there is no other legal basis for the processing;
• the person has effectively objected to the processing of the data;
• the data has been processed unlawfully;
• the need for erasure arises from a legal obligation;
• the request concerns children's data collected on the basis of consent to the provision of information society services offered directly to the child (e.g. participation in a competition on a website).
The Company defines the handling of the right to erasure in a way that ensures the effective exercise of this right while respecting all data protection principles, including security, and verifies that none of the exceptions referred to in Article 17(3) of the GDPR applies. If the data being erased has been made public by the Company, the Company takes reasonable steps, including technical measures, to inform other controllers processing such personal data of the need to erase the data and any links to it. In the case of erasure, the Company informs the person, at that person's request, of the recipients of the data.
i) Restriction of processing. The Company restricts the processing of data at the request of a person if:
• the person contests the accuracy of the data, for a period enabling the Company to verify its accuracy;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
• the Company no longer needs the personal data, but the data subject needs it for the establishment, exercise or defence of claims;
• the person has objected to processing on grounds relating to their particular situation, pending verification of whether the Company has legitimate grounds that override the objection.
During the restriction of processing, the Company stores the data but does not otherwise process it (does not use it, does not transfer it) without the data subject's consent, except for the establishment, exercise or defence of claims, for the protection of the rights of another natural or legal person, or for important reasons of public interest. The Company informs the person before lifting the restriction of processing. In the case of restriction of processing, the Company informs the person, at that person's request, of the recipients of the data.
j) Data portability. At the request of a person, the Company issues, in a structured, commonly used, machine-readable format, or, where possible, transmits to another entity, the data relating to the person which the person provided to the Company, which is processed on the basis of the person's consent or for the conclusion or performance of a contract, and which is held in the Company's IT systems.
k) Objection on grounds of a particular situation. If a person raises a justified objection, relating to their particular situation, to the processing of their data, and the data is processed by the Company on the basis of the Company's legitimate interest or on the basis of a task in the public interest entrusted to the Company, the Company considers the objection, unless the Company has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the objecting person, or grounds for the establishment, exercise or defence of claims.
l) Objection in the case of scientific research, historical research or statistical purposes. If the Company carries out scientific research, historical research or processing for statistical purposes, the person may raise a justified objection to such processing on grounds relating to their particular situation. The Company considers such an objection unless the processing is necessary for the performance of a task carried out in the public interest.
m) Objection to direct marketing. If the person objects to the processing of their data by the Company for direct marketing purposes (including profiling), the Company considers the objection and ceases such processing.
n) Right to human intervention in automated processing. If the Company processes data automatically, in particular profiles persons, and as a result makes decisions that produce legal effects or similarly significantly affect a person, the Company ensures the possibility of appealing and obtaining human intervention and a decision on the Company's side, unless such an automated decision:
• is necessary for the conclusion or performance of a contract between the person concerned and the Company, or
• is expressly permitted by law, or
• is based on the explicit consent of the person.
14. MINIMIZATION
The Company attaches importance to the minimization of data processing with regard to:
• the adequacy of data for the purposes (the amount of data and the extent of processing),
• access to data,
• the data storage period.
a) Minimization of scope
The Company has verified the scope of the data collected, the extent of its processing and the amount of data processed for adequacy to the purposes of processing as part of the implementation of the GDPR. The Company periodically, at least once a year, reviews the amount of data processed and the extent of processing. The Company verifies changes in the scope and extent of data processing (privacy by design) as part of its change management procedures.
b) Minimization of access
The Company applies restrictions on access to personal data: legal (confidentiality obligations, scopes of authorization), physical (access zones, locking of premises) and logical (restrictions on permissions in systems processing personal data and on network resources containing personal data). The Company applies physical access control. The Company updates access rights upon changes in the composition of staff, changes in persons' roles, and changes of processors. The Company periodically, at least once a year, reviews the existing users of its systems and updates them. Detailed rules of physical and logical access control are set out in the Company's physical security and information security procedures.
c) Minimization of time
The Company implements mechanisms for controlling the life cycle of personal data in the Company, including verification of the further usefulness of data against the dates and checkpoints indicated in the Register. Data whose usefulness is limited in time is removed from the Company's production systems and from working and master files. Such data may be archived and may be present on system and information backups processed by the Company. The procedures for archiving and using archives, and for creating and using backup copies, take into account the requirements of data life cycle control, including data erasure requirements.
15. SECURITY
The Company ensures a level of security corresponding to the risk of violation of the rights and freedoms of individuals resulting from the Company's processing of personal data.
a) Risk analysis and adequacy of security measures
The Company carries out and documents an analysis of the adequacy of personal data security measures. To this end:
• The Company ensures competence in information security, cybersecurity and business continuity, either internally or with the support of specialized entities.
• The Company categorizes data and processing activities according to the risk they present.
• The Company determines the organizational and technical security measures that can be applied and assesses the cost of their implementation. In doing so, the Company determines the suitability of, and applies, measures and procedures such as:
• encryption of personal data,
• other cybersecurity measures ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
• measures to ensure business continuity and to prevent the consequences of disasters, i.e. the ability to promptly restore the availability of and access to personal data in the event of a physical or technical incident.
b) Data protection impact assessment. The Company assesses the impact of planned personal data processing operations on data protection where, according to the risk analysis, the risk of violation of the rights and freedoms of individuals is high. The Company applies the impact assessment methodology adopted in the Company.
c) Security measures. The Company applies the security measures determined in the risk analysis, the analysis of the adequacy of security measures, and the data protection impact assessments. Personal data security measures form part of the information security measures and ensure cybersecurity in the Company. They are described in more detail in the procedures adopted by the Company for these areas.
d) Breach notification. The Company applies procedures for identifying, assessing and reporting identified personal data breaches to the data protection authority within 72 hours of identifying the breach.
16. PROCESSORS
The Company has rules for the selection and verification of processors acting on behalf of the Company, so as to ensure that processors provide sufficient guarantees of implementing appropriate organizational and technical measures to ensure security, the exercise of individual rights, and the Company's other data protection obligations. The Company has adopted minimum requirements for data processing agreements in Annex 2 to the Directive, "Template Data Processing Agreement". The Company settles with its processors the use of sub-processors and the other requirements arising from the principles of entrusting personal data for processing.
17. DATA EXPORT
The Company does not export data outside the European Economic Area (EEA, as of 2017: the European Union, Iceland, Liechtenstein and Norway).
18. PRIVACY BY DESIGN
The Company manages changes that affect privacy so as to ensure adequate security of personal data and minimization of its processing. To this end, the Company's project implementation rules refer to the principles of personal data security and minimization, which require an assessment of the impact on privacy and data protection, and the integration and design of security and minimization of data processing from the very beginning of a project or investment.
19. FINAL PROVISIONS