
PRIVACY POLICY

If you have sent us your application, we would like to inform you that, due to the entry into force on 25 May 2018 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Personnel and Media Solutions s.c. (hereinafter Personnel and Media Solutions), with its registered office at ul. Młynarska 39 lok. 132, 05-500 Piaseczno, as the administrator of personal data, confirms the following information about the processing of your personal data.

Processed data may be made available to other entities operating in a business environment, related to or cooperating with Personnel and Media Solutions, for purposes related to the implementation of recruitment processes (in particular recruitment, contacting candidates, analysis of CV content, sending a professional profile to cooperating entities, etc.).

The data has been provided by you voluntarily and is kept until you expressly object to this processing by e-mail to: office@personnelandmedia.com.

SECURITY POLICY

This "Security Policy" governs the processing of personal data and was developed on the basis of the following legal acts:

    the Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws 1997 No. 78, item 483, as amended);

    REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

GLOSSARY OF TERMS

1) "personal data" means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) "processing" means an operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying;

3) "restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future;

4) "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

5) "pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person;

6) "dataset" means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

7) "administrator" means a natural or legal person, public authority, unit or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the administrator, or the specific criteria for its designation, may be provided for by Union law or the law of a Member State;

8) "processor" means a natural or legal person, public authority, unit or other entity that processes personal data on behalf of the controller;

9) "recipient" means a natural or legal person, public authority, unit or other entity to which personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular proceeding under Union law or the law of a Member State are not, however, regarded as recipients; the processing of those data by those public authorities must comply with the data protection rules applicable to the purposes of the processing;

10) "third party" means a natural or legal person, public authority, unit or entity other than the data subject, the administrator, the processor and the persons who, under the authority of the controller or processor, are authorized to process personal data;

11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed;

13) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which reveal unique information about the physiology or the health of that person;

14) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data;

15) "health data" means personal data relating to the physical or mental health of a natural person, including the use of health care services, which reveal information about his or her health status.

The above definitions are identical to the definitions contained in the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

GENERAL RULES FOR PROCESSING OF PERSONAL DATA

The principles governing the processing of personal data are set out in Chapter II, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the initial purposes ("purpose limitation");

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

(e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for a longer period provided that they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, and provided that appropriate technical and organizational measures are implemented to safeguard the rights and freedoms of the data subjects ("storage limitation");

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

The administrator is responsible for compliance with the above principles and must be able to demonstrate that compliance ("accountability").

POTENTIAL RISKS

Resources relevant to the activities of Personnel and Media Solutions s.c., in particular information and the equipment necessary for its storage and processing, are exposed to various threats, which are identified in the following risk areas:

1) breach of confidentiality - understood as making information and resources available to unauthorized persons, for example: disclosure of information to unauthorized persons, theft of a resource, loss of a resource;

2) breach of availability - understood as a significant reduction in the essential functional parameters of resources or a loss of data, for example: destruction of a resource or theft of a resource, resulting from force majeure or from unintentional, intentional or accidental action;

3) breach of integrity - understood as an unauthorized change in the content of information resulting from unintentional, intentional or accidental action;

4) breach of authenticity - understood as preventing the verification of information or of the data describing it;

5) breach of non-repudiation - understood as the denial, by one of the entities involved in a data exchange, of its participation in that exchange;

6) breach of accountability - understood as preventing the verification of the actions of persons involved in the processes of producing and processing information.

The purpose of the provisions contained in this "Security Policy" is to reduce the risk arising from these threats to an acceptable level, i.e. to minimize the possibility of a breach of the information resources of Personnel and Media Solutions s.c., to enable early detection of such a breach, to minimize the losses related to such a breach and to remove its consequences efficiently.

CATEGORIES OF PERSONAL DATA

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) applies to:

- personal data processed in a fully or partially automated manner;

- personal data forming part of a data set or to be part of a data set.

Among personal data, the following can be distinguished:

a. special categories of personal data;

b. personal data relating to criminal convictions and offences.

Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health and data concerning a person's sex life or sexual orientation. As a rule, the processing of the personal data listed above is prohibited.

Data belonging to special categories of personal data may be processed if one of the following conditions is met:

(a) the data subject has expressly consented to the processing of such personal data for one or more specific purposes;

(b) processing is necessary for the controller or data subject to fulfill his obligations and exercise specific rights in the field of labor law, social security and social protection, if this is permitted by Union or Member State law or by collective agreement under the law providing adequate safeguards for the fundamental rights and interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent;

(d) the processing is carried out in the course of legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, provided that the processing relates solely to the members or former members of that body;

(e) the processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the purpose of establishing, seeking or defending claims or in the administration of justice through the courts;

(g) processing is necessary for reasons related to major public interest, does not affect the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

(j) processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

Data belonging to special categories of personal data may be processed for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, if they are processed by, or under the responsibility of, an employee subject to the obligation of professional secrecy.

PROCESSING OF PERSONAL DATA AND CONFORMITY WITH LAW

Processing is lawful only in cases where at least one of the following conditions is met:

(a) the data subject has consented to the processing of his or her personal data for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the administrator is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the administrator.

The basis for the processing referred to in points (c) and (e) must be laid down:

- in Union law;

or

- in the law of the Member State to which the administrator belongs.

Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on Union law or the law of a Member State, and is not subject to the restriction referred to in Article 23(1) of the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), the administrator, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, takes into account, inter alia:

(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular the relationship between the data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data or personal data relating to criminal convictions and offences are processed;

(d) the possible consequences of the intended further processing for the data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Such cases are considered by the data controller and the data protection officer.

ADMINISTRATOR AND PROCESSING ENTITY

Administrator's responsibilities

The administrators of personal data in Personnel and Media Solutions s.c. are the partners of the civil law partnership.

In accordance with Article 24 of the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), it is the administrator's duty to take care of every aspect of personal data protection.

Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the administrator implements appropriate technical and organizational measures to ensure that processing is performed in accordance with the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and to be able to demonstrate this. The technical measures are described in the "Register of processing activities", which constitutes Annex 1 to this document. The organizational measures consist first of all of the introduction of the "Security policy for processing personal data in Personnel and Media Solutions s.c.".

These measures are reviewed and updated as necessary; the Administrator is responsible for this.

According to Article 25 of the said regulation, the administrator must take data protection into account at the design stage of the technical and organizational measures, such as pseudonymisation and data minimization, which are designed to implement the data protection principles effectively. As far as the IT system is concerned, these measures are described in the "Instruction for managing the IT system used to process personal data in Personnel and Media Solutions s.c.". The administrator implements appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

In particular, these measures ensure that, by default, personal data are not made accessible to an indefinite number of persons without the intervention of the individual concerned.

Responsibilities of the processor

A "processor" should be understood as a natural or legal person, public authority, unit or other entity that processes personal data on behalf of the administrator. If processing is to be carried out on behalf of the administrator, then, under Article 28 of the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), the controller may use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subjects.

The processor shall not engage another processor without the prior specific or general written authorization of the administrator.

Processing by a processor is governed by a contract or other legal act under Union law or the law of a Member State that is binding on the processor and the controller.

In accordance with this regulation, that contract or other legal act sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. The contract or other legal act stipulates, in particular, that the processor:

(a) processes the personal data only on documented instructions from the administrator, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union law or the law of the Member State to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy;

(c) takes all technical and organizational measures required to protect the data;

(d) respects the conditions for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests of the data subject;

(g) at the choice of the administrator, deletes or returns all the personal data to the administrator after the end of the provision of the processing services, and deletes all existing copies, unless Union law or the law of a Member State requires storage of the personal data;

(h) makes available to the administrator all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the administrator or by an auditor mandated by the administrator.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the administrator and the processor shall be imposed on that other processor by way of a contract or other legal act under Union law or the law of a Member State. Where that other processor fails to fulfill its data protection obligations, the initial processor remains fully liable to the controller for the performance of that other processor's obligations.

In Personnel and Media Solutions s.c. the rule is that, before personal data are entrusted to a given entity, an appropriate contract must be signed with it; a specimen of this contract is shown in Annex 2. The provisions of the contract should refer to Article 28 of the GDPR. An important aspect of entrusting data processing is the explicit indication of the scope of the operations performed on the entrusted personal data.

REGISTRATION OF PROCESSING ACTIVITIES

The administrator maintains a "Register of personal data processing activities" for which it is responsible. This register, which constitutes Annex 1, includes the following information:

(a) the name and contact details of the administrator;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;

(e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organizational security measures.

The processor also keeps a register of all categories of processing activities carried out on behalf of the administrator, containing the following information:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative and the data protection officer;

(b) the categories of processing carried out on behalf of each administrator;

(c) where applicable, transfers of personal data to a third country or an international organization;

(d) where possible, a general description of the technical and organizational security measures.

The processor makes the register available to the supervisory authority on request.

AUTHORIZATION FOR PROCESSING OF PERSONAL DATA

To process personal data

RIGHTS OF THE DATA SUBJECT

Transparent information, transparent communication, exercise of rights by the data subject

If the data subject so requests, the information shall be provided in writing or by other means, including, where appropriate, by electronic means. The information may be given orally, provided that the identity of the data subject is confirmed by other means. This task is carried out by the Administrator.

The administrator always facilitates the exercise of the data subject's rights and performs its duties towards that person, which in general means:

- the right of access
- the right to rectification
- the right to erasure ("the right to be forgotten")
- the right to restriction of processing
- the obligation to notify the rectification or erasure of personal data or the restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to automated individual decision-making, including profiling.

The administrator shall take appropriate measures to provide, in a concise, clear, easily understandable and easily accessible form, to the data subject any information regarding the methods of data processing, organizational arrangements and the rights he has with regard to the protection of personal data.

Processing that does not require identification

There may also be processing that does not require identification. In accordance with Article 11 of the GDPR, if the purposes for which the controller processes personal data do not require the identification of the data subject, the controller is not obliged to maintain, acquire or process additional information in order to identify the data subject.

The data subject:

(a) is entitled to obtain from the administrator confirmation as to whether personal data concerning him or her are being processed and, where that is the case, access to those data and a range of related information (Article 15);
(b) has the right to request the administrator to rectify, without undue delay, inaccurate personal data concerning him or her (Article 16);
(c) has the right to request the administrator to erase, without undue delay, personal data concerning him or her in the specified circumstances (Article 17);
(d) has the right to request the controller to restrict processing in the specified cases (Article 18);
(e) has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format;
(f) has the right, in the cases listed, to transmit those personal data to another administrator without hindrance from the controller to which the data were provided (Article 20).

In order to be released from these obligations, the administrator must be able to demonstrate that:

1) the purposes for which the personal data are processed do not require, or no longer require, the identification of the data subject;
2) it is not able to identify the data subject without additional activities aimed at identifying that person.

Such data no longer have the character of personal data.

The fact that the purposes for which the controller processes personal data do not require, or no longer require, the identification of the data subject does not exempt the controller from the obligation to give effect to the data subject's rights. The controller must still be able to demonstrate that it is not in a position to identify the data subject without additional activities aimed at identifying that person. Moreover, if the data subject provides the controller with the information needed to identify him or her, the data subject will be able to exercise his or her rights under those provisions.

At the same time, the administrator may not refuse to accept such additional information from the data subject when it is offered in order to facilitate the exercise of his or her rights.

In the case of processing that does not require identification, the administrator does not refuse to act on the request of a data subject who wishes to exercise his or her rights. The administrator provides the data subject with information on the action taken on the request without undue delay, and in any event within one month of receipt of the request. Where necessary, that period may be extended by two further months, taking into account the complexity of the request or the number of requests. Within one month of receipt of the request, the administrator informs the data subject of any such extension, together with the reasons for the delay. Where the data subject submits the request electronically, the information is, where possible, also provided electronically, unless the data subject requests a different form.

If the administrator does not take action on the request of the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the action requested; or

(b) refuse to act on the request.

The burden of demonstrating that the request is manifestly unfounded or excessive lies with the administrator. Where the administrator has reasonable doubts concerning the identity of the natural person making the request, it may request the additional information necessary to confirm the identity of the data subject.

CONDITIONS FOR EXPRESSION OF CONSENT TO PROCESSING

If the processing is done on the basis of consent, the administrator must be able to show that the data subject has consented to the processing of his personal data. If the data subject agrees in a written statement that also covers other matters, the request for consent must be presented in a way that clearly distinguishes them from the other issues, in a comprehensible and easily accessible form, clear and plain language. The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of the processing that was made on the basis of consent before its withdrawal. The data subject is informed of this before agreeing. Withdrawing consent must be as easy as expressing it.

What characterizes the conditions of consent?

voluntary - means that the data subject has, in fact, free choice about consent and may refuse or withdraw it at any time. The name of a voluntary consent is refused, from which the performance of the contract has been made conditional upon.

concreteness and separateness - the administrator can not take away general consent to the processing of personal data without specifying a specific purpose. The consent clause should specify the purpose of personal data processing and the scope of this data.

awareness - the person giving consent should at least know the identity of the administrator and the purposes of personal data processing intended by him. In accordance with the principle of transparency, information provided to the data subject should be formulated in a clear, clear and simple language. The availability of these contents is also important - the clauses should be visible and comprehensive.

unambiguity - there can be no doubt about the intention of the person consenting. Consent may take the form of a statement or a clear affirmative action. Consent must precede the start of processing and should therefore be obtained at the moment of data collection.

Every processing of personal data must rest on a specific legal basis. The consent of the data subject is a legal basis for:

- processing of ordinary data;
- processing of special-category data (so-called sensitive data);
- automated decision-making, including profiling;
- transferring data to a third country (i.e. a country outside the European Economic Area, EEA).

Clear consent is mandatory if the personal data administrator provides for profiling and / or data transfer outside of the EEA.

The processing of personal data may also take place on another legal basis provided for in the GDPR. Collecting consent is therefore not necessary if the processing is necessary to achieve one of the purposes indicated in the regulation. These are:

- data processing is necessary to exercise a right or fulfil an obligation arising from a legal provision;
- data processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
- data processing is necessary for the performance of tasks carried out in the public interest;
- data processing is necessary for the purposes of the legitimate interests pursued by the administrator or by recipients of the data, and the processing does not violate the rights and freedoms of the data subject;
- the processing concerns data that are necessary to assert rights before a court;
- data processing is necessary to perform the tasks of the administrator relating to the employment of employees and other persons, and the scope of the data processed is specified in legal provisions;
- data processing is carried out to protect health, to provide medical services or to treat patients by persons professionally involved in treatment, in providing other medical services or in managing the provision of medical services, and full guarantees for the protection of personal data are in place;
- the processing relates to data which has been made public by the person to whom the data relates;
- data processing is indispensable for conducting scientific research, including the preparation of a dissertation required to obtain a university or academic degree, and the publication of the research results does not make it possible to identify the persons whose data have been processed;

- data processing is carried out by a party in order to exercise rights and fulfil obligations arising from a decision issued in court or administrative proceedings.

INFORMATION OBLIGATION AND ACCESS TO INFORMATION

Data can be collected:

a. from the data subject;
b. from a source other than the data subject.

Obligation to inform when data are obtained from the data subject

If personal data are collected from the data subject, the administrator provides the following information at the time of collection:

a) its identity and contact details;
b) the purposes of the processing of personal data, and the legal basis for the processing;
c) where the processing is based on legitimate interests, the legitimate interests pursued by the administrator or by a third party;
d) the recipients or categories of recipients of the personal data, if any;

When obtaining personal data, the administrator also provides the data subject with the following further information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
b) the right to request from the administrator access to personal data concerning the data subject, their rectification, erasure or restriction of processing, the right to object to processing, and the right to data portability;
c) where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
d) the right to lodge a complaint with the supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the data, and the possible consequences of failing to provide them;
f) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

If the administrator intends to further process the personal data for a purpose other than that for which they were collected, it informs the data subject of that other purpose and provides all other relevant information before such further processing.

In this situation, the template from Annex 11 should be used.

 

Obligation to inform in the case of obtaining data not from the data subject

If personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) its identity and contact details;
(b) the purposes of the processing to which the personal data are to serve and the legal basis for the processing;
c) categories of personal data;
d) information about recipients of personal data or categories of recipients, if any;

In addition, the administrator provides the data subject with the following information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
b) the right to request from the administrator access to personal data concerning the data subject, their rectification, erasure or restriction of processing, the right to object to processing, and the right to data portability;
c) where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
d) the right to lodge a complaint with the supervisory authority;
e) the source of the personal data and, where applicable, whether they come from publicly accessible sources;
f) the existence of automated decision-making, including profiling.

The above information is provided by the administrator:

a) within a reasonable period of time after obtaining personal data - at the latest within a month - taking into account the specific circumstances of the processing of personal data;
b) if personal data are to be used to communicate with the data subject - at the latest at the first such communication with the data subject;
c) if it is planned to disclose personal data to another recipient - at the latest at their first disclosure.

If the controller plans to further process personal data for a purpose other than the purpose for which the data was obtained, he shall inform the data subject about that other purpose and provide him with all other relevant information prior to such further processing.

These rules do not apply when:

(a) the data subject already has that information;
b) it proves impossible to provide such information or would involve a disproportionate effort; in particular when processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
(c) the acquisition or disclosure is clearly regulated by Union law or by the law of the Member State to which the controller belongs, providing for adequate measures to protect the legitimate interests of the data subject;
(d) personal data must remain confidential in accordance with the obligation of professional secrecy laid down by Union law or under the law of a Member State, including a statutory obligation of secrecy.

In this situation, the template from Annex 12 should be used.

ACCESS TO INFORMATION

The data subject has the right to obtain from the administrator confirmation of whether personal data concerning him is being processed and, if so, he is entitled to access to them and the following information:

(a) processing purposes;
b) the categories of personal data concerned;
(c) information on the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular about recipients in third countries or international organizations;
d) as far as possible, the intended period of storage of personal data, and if this is not possible, criteria for determining this period;
e) information on the right to request the administrator to rectify, delete or limit the processing of personal data relating to the data subject and to object to such processing;
f) information on the right to submit a complaint to the supervisory body;
g) if personal data have not been collected from the data subject - all available information about their source;
h) information on automated decision making, including profiling.

If personal data are transferred to a third country or an international organization, the data subject has the right to be informed about the appropriate safeguards. The administrator provides the data subject with a copy of the personal data to be processed. For any further copies requested by the data subject, the administrator may charge a reasonable fee resulting from administrative costs. If the data subject asks for a copy electronically and if not indicated otherwise, the information is provided by electronic means.

Data subjects are informed about the processing of their data in a variety of ways. The information obligation is fulfilled by the individual organisational units and by employees at their workplaces. Information is provided via the website, the Public Information Bulletin, leaflets and notices.

RECTIFICATION AND ERASURE OF DATA, RIGHT TO RESTRICTION OF PROCESSING

The right to rectify data

The data subject has the right to require the administrator to rectify, without undue delay, inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

For this purpose, the person submits a request in any accepted form, clearly specifying the data to be rectified. The request is considered by: the personal data administrator, the data protection officer and the manager/head of the relevant organisational unit.

The right to "be forgotten", i.e. the right to delete data

The data subject has the right to request the administrator to delete his personal data immediately, and the administrator has the obligation to delete personal data without undue delay, if one of the following circumstances occurs:

(a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject is objecting to the processing and there are no overriding legitimate grounds for the processing;
d) personal data have been processed unlawfully;
(e) personal data must be removed in order to comply with a legal obligation under Union law or the law of the Member State to which the administrator falls;

For this purpose, the person submits a request for erasure of the data. The request is considered by: the personal data administrator, the data protection officer and the manager/head of the relevant organisational unit.

The right to limit processing

The data subject has the right to request the administrator to restrict processing in the following cases:

a) the data subject questions the correctness of personal data - for a period allowing the administrator to check the correctness of this data;
(b) the processing is unlawful and the data subject opposes the removal of personal data, requesting instead to limit their use;
(c) the controller no longer needs personal data for processing, but it is needed by the data subject to establish, assert or defend claims;
(d) the data subject has objected to the processing - pending determination of whether the legitimate grounds on the part of the controller take precedence over the grounds for objection of the data subject.

Where processing has been restricted, such personal data may, apart from storage, be processed only with the consent of the data subject, or to establish, assert or defend claims, or to protect the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.

For this purpose, the person submits a request to restrict the processing of the data. The request is considered by: the personal data administrator, the data protection officer and the manager/head of the relevant organisational unit.

OBLIGATION TO NOTIFY THE RECTIFICATION OR ERASURE OF PERSONAL DATA OR THE RESTRICTION OF PROCESSING

The administrator communicates any rectification or erasure of personal data, or restriction of processing, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The administrator informs the data subject about those recipients if the data subject requests it.

RIGHT TO TRANSFER DATA

The data subject has the right to receive, in a structured, commonly used machine-readable format, personal data about him that he provided to the administrator and has the right to forward this personal data to another administrator without any interference from the controller to whom this personal data was provided, if processing is carried out on the basis of consent or on the basis of a contract and the processing takes place in an automated manner.

This right shall not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the controller.

RIGHT TO OBJECT

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, including profiling based on those provisions. The administrator may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims.

At the latest on the occasion of the first communication with the data subject, it shall be clearly informed of the right to object and shall present it clearly and separately from any other information.

AUTOMATED DECISION MAKING IN INDIVIDUAL CASES, INCLUDING PROFILING

Automated decision-making is a process in which a decision is made without human involvement. Examples are the automatic rejection of an online credit application or e-recruiting practices without any human intervention. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Such processing includes "profiling", meaning any form of automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour.

TRANSMISSION OF PERSONAL DATA TO THIRD COUNTRIES

The general principle of transmission

The transfer of personal data that is processed or to be processed after transfer to a third country occurs only when the controller and the processor comply with certain conditions.

Personal data may be transferred to a third country where the Commission has decided that the third country ensures an adequate level of protection. Such a transfer does not require any specific authorisation.

Transmission subject to appropriate safeguards

The controller or processor may transfer personal data to a third country only if they provide adequate safeguards and provided that enforceable rights of data subjects and effective remedies are in place.

Appropriate safeguards may be provided by one of the following measures:

a) a legally binding and enforceable instrument between public authorities or bodies;
b) binding corporate rules;
c) standard data protection clauses;
d) an approved code of conduct;
e) an approved certification mechanism.

Subject to the authorization of the competent supervisory authority, appropriate safeguards may also be provided, in particular, by means of:

a) contractual clauses between the controller or the processor and the controller, processor or recipient of personal data in a third country or an international organization;
b) provisions of administrative arrangements between public authorities or entities that provide for enforceable and effective rights of data subjects.

SECURITY OF PROCESSING

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the administrator and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where applicable:

a) pseudonymisation and encryption of personal data;
b) the ability to continually ensure the confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to quickly restore the accessibility and access to personal data in the event of a physical or technical incident;
d) regularly testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

When assessing whether the level of security is appropriate, account shall be taken in particular of the risks involved in the processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

It should be remembered that anonymisation irreversibly prevents the identification of a person. All data that could enable identification is blackened out, producing a data set that cannot be linked to a specific natural person. Identifiers such as first names and surnames, addresses, dates of birth, PESEL numbers and NIP numbers are removed from the document. Properly anonymised documents are no longer subject to the rules on the processing of personal data and may be made available to applicants or made public without the consent of the data subjects.

The purpose of anonymisation is to ensure that the person can no longer be identified by any means reasonably likely to be used by the data controller or a third party. Anonymisation can be carried out immediately when documents are entered ("on entry") or, where necessary, on an existing set of personal data. A check is warranted before release, because indirect identifiers (for example a date of birth combined with a town and a job title) can still single out a person even after the direct identifiers have been removed.

Pseudonymisation, on the other hand, is a new tool for the protection of personal data that was not previously provided for in Polish law. Unlike anonymisation, it is a reversible process. It consists of replacing identifiers that are personal data with values that are not; for example, the first names and surnames of individuals are replaced by numbers. The most important aspect of pseudonymisation is that the mapping between the old identifiers and the new ones (the key or look-up table) is kept separately from the pseudonymised data and protected by technical and organisational measures. The personal data are secured, but can be recovered by anyone who knows the mapping. Pseudonymisation therefore does not produce an anonymous data set, although sensitive data are protected and the risk to the persons concerned is reduced. It should be remembered that documents remain subject to the rules on the processing of personal data after pseudonymisation, that is, a legal basis is still needed to process them.
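The following Python example is added here to make the distinction concrete; it is not part of this policy and not Personnel and Media Solutions' own tooling. It pseudonymises applicant records by replacing names, PESEL and NIP numbers with keyed HMAC tokens whose key and token table are held separately (reversible only by whoever holds them), anonymises by dropping those fields outright, and blackens PESEL numbers in free text using the PESEL check digit. The records, field names and the 32-byte key requirement are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Constructed sample records for this example: fictitious people, not real data.
# The field names are assumptions made for the illustration.
SAMPLE_RECORDS = [
    {"name": "Jan Kowalski", "pesel": "90010112349", "nip": "5251234567",
     "city": "Piaseczno", "score": 82},
    {"name": "Anna Nowak", "pesel": "85121512346", "nip": "1234563218",
     "city": "Warszawa", "score": 91},
]

# Direct identifiers named in the policy text (names, PESEL, NIP).
IDENTIFIER_FIELDS = ("name", "pesel", "nip")

# PESEL control digit: weighted sum of the first ten digits,
# control = (10 - sum mod 10) mod 10, compared with the eleventh digit.
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
PESEL_RE = re.compile(r"\b\d{11}\b")


def pesel_checksum_ok(pesel: str) -> bool:
    """True if `pesel` is eleven digits with a valid control digit."""
    if not re.fullmatch(r"\d{11}", pesel):
        return False
    total = sum(int(d) * w for d, w in zip(pesel[:10], PESEL_WEIGHTS))
    return (10 - total % 10) % 10 == int(pesel[10])


def redact_text(text: str) -> str:
    """Blacken PESEL-looking numbers in free text. Only numbers with a valid
    control digit are redacted, so unrelated eleven-digit values are left alone."""
    return PESEL_RE.sub(
        lambda m: "[PESEL]" if pesel_checksum_ok(m.group()) else m.group(), text
    )


def anonymise(record: dict) -> dict:
    """Irreversible: identifier fields are dropped and nothing is retained
    that would allow them to be restored."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


class Pseudonymiser:
    """Reversible: identifiers are replaced by keyed tokens.

    The secret key and the token->value table are the 'additional information'
    that must be stored separately from the pseudonymised data set: whoever
    holds them can re-identify, whoever does not cannot.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._table = {}  # token -> original value; keep apart from the data

    def _token(self, field: str, value: str) -> str:
        # HMAC rather than a plain hash: PESEL and NIP have a small, enumerable
        # value space, so an unkeyed SHA-256 could be reversed by brute force.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        return f"{field.upper()}-{mac.hexdigest()[:16]}"

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                token = self._token(field, str(out[field]))
                self._table[token] = out[field]
                out[field] = token
        return out

    def reidentify(self, record: dict) -> dict:
        """Restore originals for tokens in this instance's table; tokens
        minted under another key are left unchanged."""
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out and out[field] in self._table:
                out[field] = self._table[out[field]]
        return out


if __name__ == "__main__":
    import secrets

    p = Pseudonymiser(secrets.token_bytes(32))
    pseudonymised = [p.pseudonymise(r) for r in SAMPLE_RECORDS]
    print(pseudonymised)                           # tokens instead of names/PESEL/NIP
    print([anonymise(r) for r in SAMPLE_RECORDS])  # no identifiers at all
    print(redact_text("Applicant 90010112349 lives in Piaseczno"))
```

The same value always maps to the same token under the same key, so pseudonymised records can still be joined or deduplicated; a second `Pseudonymiser` with a different key cannot reverse them, which is the property the separate storage of the key and table is meant to protect.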

ORGANISATIONAL AND TECHNICAL MEASURES APPLIED TO ENSURE THE CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF PROCESSED PERSONAL DATA
Organizational measures for the protection of personal data

The personal data administrator is obliged to ensure control over what personal data, when and by whom were entered into the set and to whom they are transferred.

In order to create appropriate safeguards, which should directly affect the data processing processes, the following organizational measures are introduced:

- the processing of personal data may take place only as part of the performance of official tasks, and the scope of access rights follows from the scope of those tasks;
- only persons holding an appropriate authorisation may be allowed to process data;
- access to the buildings, rooms and devices used for processing personal data is restricted to authorised persons;
- personal data are processed only in buildings and rooms adapted for that purpose and secured by authorised persons;
- data sets (databases) in which personal data are processed are protected against unauthorised access and recorded in the "Register of processing activities";
- every employee must receive training in personal data protection; a newly hired employee must be trained in personal data protection before processing such data;
- every person authorised to process personal data confirms in writing that he or she is familiar with this documentation and understands all of the security principles.

Unauthorised persons may stay in the above-mentioned area only with the consent of the controller or in the presence of a person authorised to process personal data;

- rooms constituting a data processing area must be locked after the end of work;
- monitors of computers on which personal data are processed are positioned so as to prevent unauthorised viewing of the processed data;
- before leaving a room constituting a data processing area, the windows should be closed and, where possible, all documents and data carriers removed from the desk and placed in locked cabinets, drawers or desks.

It is unacceptable to leave computer access passwords where they can be seen by others.

Technical means for the protection of personal data

The technical measures used in Personnel and Media Solutions s.c. are divided into: physical protection measures, protection measures within system software tools and databases, and measures for hardware, IT and telecommunications infrastructure.

 

As a result, processed data sets are secured by:

a) physical protection measures, which means that:

- personal data collections are stored in rooms protected against free access;
- access to the building is controlled by a monitoring system;
- personal data sets in paper form are stored in lockable cabinets;
- the doors of rooms where personal data are processed are additionally secured by coded corridor doors that can be opened only with a card;
- archival collections of personal data are stored in a room called the "archive"; the key to this room is kept in a lockable cabinet to which only archive employees have access;
- backup copies are stored in places protected against unauthorised takeover, modification, damage or destruction, as specified in detail in the "Instruction for managing the IT system used to process personal data in the Poviat Starosty in Piaseczno";
- backup copies of personal data files on data carriers (external disks) are stored in a locked room to which only authorised persons have access;
- rooms in which personal data files are processed are protected against fire by a free-standing fire extinguisher and a fire-fighting system;
- documents containing personal data that are no longer needed are destroyed mechanically using document shredders, and a destruction report is drawn up afterwards.

b) hardware, IT and telecommunications infrastructure measures, which means that:

- personal data collections are processed using desktop computers;
- administrator-level access to the system in which personal data are processed is held only by the data protection officer, his deputy and the IT specialists, and this access is protected by authentication with a user ID and password;
- protection measures against malware such as worms, Trojan horses and rootkits are in use;
- a firewall, as part of the antivirus program, protects access to the computer network;
- the office e-mail is configured and protected against spam;
- access to active devices in the LAN (e.g. network switches, routers) is held only by the IT systems administrator (ASI);
- access to the LAN is limited to computers that have been approved for work in the network, which is supervised by the deputy data protection officer.

c) security measures within system software tools and databases, which means that:

- access to personal data files requires authentication with a personalised user ID and a unique password;
- a user ID whose access to personal data has been revoked cannot be assigned to another person;
- system measures are used to assign appropriate access rights to IT resources, including personal data sets, to individual users of the IT system;
- the deputy data protection officer periodically (monthly) makes copies of the personal data from all information systems used in the office, to protect against data loss caused by hardware failure;
- access passwords are changed at least once every 30 days;
- hard drives that are damaged or withdrawn from service must, before being handed over for disposal, be permanently wiped of recorded data, or the disk must be destroyed in a way that makes it impossible to recover data from it (overwriting does not reliably erase flash-based drives, for which the drive's secure-erase command or physical destruction is the safer choice).

 

SECURING PAPER AND ELECTRONIC DOCUMENTATION AGAINST LOSS, DESTRUCTION, ALTERATION, FALSIFICATION AND ACCESS BY UNAUTHORISED PERSONS

Documentation in electronic and paper form

Documentation containing personal data - due to the sensitivity of data - should be particularly protected at every stage of its use. The different types of documentation should be protected as follows:

a) documentation in electronic form

Access to the documentation, and to personal data in particular, is restricted to logged-in users of the office IT system holding appropriate authorisations. At the same time, the users responsible for edited or entered data can be identified.

The data are protected against destruction by devices physically protecting the system and by regular backup copies kept in a designated place.

Users are granted rights chosen so as to minimise the possibility of information leaking out and of its distortion or alteration. Data are entered into the computer program only after they have been authorised by persons entitled to do so.

b) documentation in paper form

The documentation is the property of the originator and must be protected against unauthorised access, disclosure, alteration or destruction from the moment it is created until it is destroyed after the archiving period has expired.

The documentation should be stored in rooms, cabinets or drawers secured with a working lock and, while in use, must not be left unattended by the persons authorised to use it.

Documentation is archived in a separate room (the archive). Access to the archive room is limited to persons authorised by the administrator.

After the archiving period has expired, the documentation is destroyed and a destruction report is drawn up.

    The data administrator decides on the access to the documentation, in particular the documentation containing personal data.


ATTENTION! it is forbidden to:

   - storing personal data in cabinets in corridors;
   - leaving unprotected rooms in which personal data are processed in the absence of persons authorized to process personal data;
   - leaving documents with personal data on the desk after finishing work, in an unsecured room.

Principles of deletion and utilization of computer hardware, consumables and data carriers

The main objective is to ensure safe disposal of computer hardware, operating elements of this equipment and data carriers. The procedure applies to the cancellation and utilization of computer hardware, its consumables and data carriers.

The procedure is as follows:

Before destruction, computer equipment and data carriers must be stripped of all readable information.

Data carriers should be destroyed in such a way that it becomes impossible to recover any data from them.

Equipment entered in the register of fixed assets is removed from that register and handed over to the recycling company on the basis of a waste transfer report.

Principles of supervision over the software installed on computers

    The Administrator supervises the software installed on the computers owned by the company.

PROTECTION OF BUILDINGS, FACILITIES AND ROOMS, AND THE ALARM SYSTEM

Protection of buildings

Alarm system maintenance services are provided by an external company. Under the contract concluded, the contractor has undertaken to respond in emergency mode and to carry out maintenance of the alarm system in order to keep the equipment and the alarm installation in constant working order.

Procedure during the working day and after work

Keys used to secure desks and cabinets must be clearly labelled.

During working hours, the keys remain under the supervision of the employees, who are fully responsible for their proper protection.

It is forbidden to leave keys in the room during a temporary absence.

    After finishing work, the keys used to secure the desks and cabinets must be kept in a safe place.

    After finishing work, all employees are required to:

- switching off and protecting electrical and electronic devices,
- switching off the lighting,
- securing and closing windows and doors,

    Backup keys for rooms where personal data are processed are issued only to authorized employees. Issuing backup keys to the rooms where personal data are processed may only take place in justified emergency situations, only with the consent of the personal data administrator.

PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH AND CONTROL ACTIVITIES

In the event of a personal data breach, the administrator shall, without undue delay and no later than 72 hours after becoming aware of it, notify the breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons.

The notification submitted to the supervisory authority after 72 hours shall include an explanation of the reasons for the delay.

After becoming aware of a personal data breach, the person or processor reports it to the administrator without undue delay. The notification must at least:

a) describe the nature of the personal data protection breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
b) include the name and contact details of the Administrator or of another contact point from which more information can be obtained;
c) describe the likely consequences of the personal data protection breach;
d) describe the measures taken or proposed by the controller to remedy the personal data protection breach.

The administrator documents every personal data protection breach, including the circumstances of the breach, its consequences and the remedial actions taken. Incidents and breaches are documented using the "Report on data protection breaches" (Annex No. 21) and the "Register of personal data protection breaches" (Annex No. 22).

Notifying the data subject of a personal data breach

1. If the personal data protection breach is likely to result in a high risk to the rights or freedoms of natural persons, the administrator shall notify the data subject of the breach without undue delay. The notification describes the nature of the personal data breach in clear and plain language.

Notification is required in the following cases:

a) the administrator has implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the breach, in particular measures such as encryption that prevent unauthorized persons from accessing the personal data;
b) the administrator has subsequently taken measures that ensure the high risk to the rights or freedoms of the data subject is no longer likely to materialize;
c) it would require a disproportionate effort.

In the case referred to in point c), a public communication shall be issued or a similar measure applied whereby the data subjects are informed in an equally effective manner.

If the controller has not yet notified the data subject of a personal data protection breach, the supervisory authority may require it to do so.


26. FINAL PROVISIONS

    Disciplinary proceedings are initiated against a person who, in the event of a personal data protection breach or a reasonable suspicion of such a breach, did not take the actions specified in this document, in particular did not notify the appropriate person in accordance with the assigned tasks, or did not document the case as required.

    The Data Protection Officer is obliged to keep records of the persons who have read this document and undertaken to apply the rules contained in it.

    Cases of unjustified failure to perform the obligations arising from this document may be regarded as a serious breach of employee duties,
    in particular by a person who, in the face of a breach of personal data protection or a reasonable presumption of such breach, did not notify the Administrator.

    A disciplinary penalty imposed on a person who fails to notify the Administrator does not rule out the possibility of the employer bringing a civil action against that person to recover the losses suffered.
