Privacy policy

Privacy policy

PERSONAL DATA PROTECTION POLICY

ASBO Sp. z o.o.


PREAMBLE

The present Perso­nal Data Protec­tion Policy was drawn up with the aim of empha­si­sing the fact that perso­nal data at ASBO Sp. z o.o. (here­ina­fter refer­red to as the “Control­ler”) are proces­sed and protec­ted pursu­ant to legal provi­sions perta­ining to the proces­sing and protec­tion of data inclu­ding Regu­la­tion (EU) 2016/679 of the Euro­pean Parlia­ment and of the Coun­cil of 27 April 2016 on the protec­tion of natu­ral persons with regard to the proces­sing of perso­nal data and on the free move­ment of such data, and repe­aling Direc­tive 95/46/EC (here­ina­fter refer­red to as the “Regu­la­tion”).


I. GENERAL PROVISIONS

1. The Perso­nal Data Protec­tion Policy applies to all perso­nal data proces­sed at ASBO Sp. z o.o. regar­dless of the proces­sing form.

2. The Perso­nal Data Protec­tion Policy is kept in a paper and elec­tro­nic format at the Control­le­r’s address: Brze­ska 65, 08 – 110 Siedlce. 

3. The Perso­nal Data Protec­tion Policy shall be made availa­ble to persons autho­ri­sed to process perso­nal data upon their requ­est as well as persons who are to be autho­ri­sed to process perso­nal data in order to allow such persons to read it. 

4. In order to effec­ti­vely enforce the Perso­nal Data Protec­tion Policy, the Control­ler ensures: 

a) tech­ni­cal measu­res and orga­ni­sa­tio­nal solu­tions appro­priate for given thre­ats and cate­go­ries of data subject to protection;

b) control and super­vi­sion over proces­sing of perso­nal data;

c) moni­to­ring of the applied protec­tion measures. 

5. In parti­cu­lar, the Control­le­r’s moni­to­ring of applied protec­tion measu­res inclu­des: actions of persons autho­ri­sed by the Control­ler, breaches of data access rules, ensu­ring file inte­grity and protec­tion against exter­nal and inter­nal attacks. 

6. The Control­ler ensu­res that the tasks perfor­med in conjunc­tion with the proces­sing and protec­tion of perso­nal data are compliant with the present Perso­nal Data Protec­tion Policy and rele­vant provi­sions of law.


II. PERSONAL DATA PROCESSED BY THE CONTROLLER

1. Perso­nal data proces­sed by the Control­ler shall be collec­ted in filing systems. 

2. The Control­ler shall not engage in proces­sing which could entail a serious proba­bi­lity of a high risk occur­ring within the scope of the rights and freedoms of persons whom the data perta­ins to. 

3. For plan­ning new proces­sing acti­vi­ties, the Control­ler shall carry out an analy­sis of their conse­qu­en­ces for the protec­tion of perso­nal data and takes into acco­unt data protec­tion issues at the plan­ning stage thereof. 


III. DUTIES AND RESPONSIBILITY WITHIN THE SCOPE OF PROTECTION MANAGEMENT 

1. All indi­vi­du­als with access to perso­nal data subject to proces­sing by the Control­ler under­take to process that data in accor­dance with the regu­la­tions as in force at present and pursu­ant to the Perso­nal Data Protec­tion Policy as set forth by the Controller.

2. All perso­nal data proces­sed by the Control­ler are proces­sed in compliance with the prin­ci­ples as prescri­bed by the provi­sions of law, i.e.:

a) in each case there exists at least one basis as speci­fied by the provi­sions of law for the proces­sing of data;

b) perso­nal data are proces­sed fairly and in a trans­pa­rent manner, 

c) perso­nal data are collec­ted for speci­fied, expli­cit and legi­ti­mate purpo­ses and not further proces­sed in a manner that is incom­pa­ti­ble with those purposes;

d) perso­nal data shall be proces­sed only to the extent requ­ired in order to achieve the data proces­sing purpose;

e) perso­nal data are correct and upda­ted as required;

f) storage time is limi­ted to the period of data usabi­lity for purpo­ses which they have been collec­ted for; 

g) the infor­ma­tion obli­ga­tion in accor­dance with Artic­les 13 and 14 of the Regu­la­tion with respect of the data subject is performed;

h) perso­nal data are protec­ted against breaches to their protec­tion principles. 

3. In parti­cu­lar an infrin­ge­ment or an attemp­ted infrin­ge­ment of perso­nal data protec­tion and proces­sing shall be under­stood as: 

a) a breach to the secu­rity of IT systems within which perso­nal data are processed; 

b) provi­sion of faci­li­ta­ting the provi­sion of perso­nal data to non-autho­ri­sed persons or entities; 

c) neglec­ting the obli­ga­tion to ensure perso­nal data protection; 

d) failing to obse­rve the obli­ga­tion to keep perso­nal data and their protec­tion measu­res confidential; 

e) proces­sing of perso­nal data not in accor­dance with the assu­med proces­sing scope and purpo­ses for the collec­tion thereof; 

f) causing damage, loss, uncon­trol­led change or unau­tho­ri­sed copy­ing of perso­nal data; 

g) breach of the rights of data subjects. 

4. If a perso­nal data protec­tion breach is iden­ti­fied, a person autho­ri­sed by the Control­ler shall under­take all neces­sary steps to mini­mise the conse­qu­en­ces of the breach and to imme­dia­tely notify the Controller. 

5. The Control­le­r’s obli­ga­tions within the scope of employ­ing, termi­na­ting employ­ment or chan­ging employ­ment terms for employ­ees or contrac­tors (persons acting on behalf of the Control­ler on the basis of civil law agre­ements or coope­ra­tion agre­ements) entail ensu­ring that: 

a) employ­ees are suita­bly prepa­red to carry out their duties;

b) every employee proces­sing perso­nal data has writ­ten autho­ri­sa­tion for the proces­sing of perso­nal data and that they under­took to main­tain perso­nal data confi­den­tia­lity — sample autho­ri­sa­tion and decla­ra­tion consti­tute Appen­dix 1 and Appen­dix 2 to the present Perso­nal Data Protec­tion Policy respectively;

c) in the event of entru­sting perso­nal data proces­sing to third parties (on the basis of civil law agre­ements or coope­ra­tion agre­ements), an appro­priate agre­ement on entru­sting the proces­sing of perso­nal data is concluded.

6. The Control­le­r’s workers are obli­ged to: 

a) stric­tly obse­rve the scope of the gran­ted authorisation; 

b) process perso­nal data in accor­dance with the provisions; 

c) keep perso­nal data and their protec­tion measu­res confidential; 

d) report inci­dents asso­cia­ted with data protec­tion breaches and incor­rect func­tio­ning of the IT system.


IV. SITE FOR THE PROCESSING OF PERSONAL DATA 

1. The site where perso­nal data shall be proces­sed compri­ses office premi­ses loca­ted at the Control­le­r’s head office.

2. Addi­tio­nally the site where perso­nal data shall be proces­sed inclu­des all porta­ble compu­ters as well as other elec­tro­nic or tradi­tio­nal storage devi­ces loca­ted outside of the Control­le­r’s head office in conjunc­tion with the scope of the Control­le­r’s busi­ness activity. 


V. DEFINITION OF TECHNICAL AND ORGANISATIONAL MEASURES REQUIRED TO ENSURE CONFIDENTIALITY, INTEGRITY AND ACCOUNTABILITY FOR THE PROCESSED DATA 

1. The Control­ler provi­des tech­ni­cal and orga­ni­sa­tio­nal measu­res requ­ired to ensure confi­den­tia­lity, inte­grity, acco­un­ta­bi­lity and conti­gu­ity for the proces­sed perso­nal data 

2. The applied (tech­ni­cal and orga­ni­sa­tio­nal) protec­tion measu­res should be adequ­ate to the iden­ti­fied risk level for given systems, types of filing systems and data categories.

3. In parti­cu­lar the protec­tion measu­res include: 

a) access to premi­ses within which perso­nal data are proces­sed restric­ted to only persons who hold appro­priate autho­ri­sa­tions. Other persons may enter premi­ses used for data proces­sing only accom­pa­nies by an autho­ri­sed person;

b) locking premi­ses which consti­tute the perso­nal data proces­sing site as defi­ned in item IV of the present Perso­nal Data Protec­tion Policy under absence of employ­ees in a manner preven­ting third party access;

c) use of locka­ble cabi­nets and safes to protect documents; 

d) use of a shred­der to effec­ti­vely erase docu­ments conta­ining perso­nal data;

e) protec­tion of the local IT network against actions initia­ted from the outside;

f) making emer­gency data copies as required;

g) protec­tion of the compu­ter equip­ment used by the Control­ler against malware;

h) secu­ring access to compu­ter equip­ment used by the Control­ler using access passwords;

i) encryp­tion of perso­nal data during transmission.


VI. BREACHES OF PERSONAL DATA PROTECTION PRINCIPLES 

1. If a perso­nal data protec­tion breach is iden­ti­fied, the Control­ler asses­ses whether the breach in question may consti­tute a risk to the rights and freedoms of natu­ral persons. 

2. In every situ­ation where a perso­nal data protec­tion breach may consti­tute a risk to the rights and freedoms of natu­ral persons, the Control­ler reports the perso­nal data protec­tion breach to the super­vi­sory autho­rity – the Presi­dent of the Perso­nal Data Protec­tion Office – without undue delay – no later than within 72 hours of iden­ti­fy­ing the breach. 

3. If the risk to the rights and freedoms is high, the Control­ler also noti­fies the data subject of the incident.


VII. CONFERRING PERSONAL DATA PROCESSING 

The Control­ler may confer the proces­sing of perso­nal data to another entity solely pursu­ant to a writ­ten agre­ement conc­lu­ded in accor­dance with the requ­ire­ments speci­fied in Article 28 of the Regulation.


VIII. TRANSFERRING DATA TO A THIRD COUNTRY 

1.The Control­ler may trans­fer perso­nal data to a third coun­try, in situ­ations where this occurs at the requ­est of the data subject or is neces­sary in his busi­ness acti­vi­ties. The trans­fer of data in this respect is sporadic. 

2. The trans­fer of perso­nal data that is proces­sed or is to be proces­sed after the trans­fer to a third coun­try takes place when the Proces­sing entity meets the condi­tions define in the Regulation.

3. In the event of trans­fer­ring data to a third coun­try, the Control­ler shall apply adequ­ate secu­rity measu­res ensu­ring that the level of protec­tion of natu­ral persons guaran­teed in the Regu­la­tion is not viola­ted (Chap­ter V, Artic­les 44 — 49).


IX. FINAL PROVISIONS

1. For failing to obse­rve obli­ga­tions stem­ming from the present docu­ments, the Control­le­r’s employee shell be held respon­si­ble pursu­ant to the labour Code, perso­nal data protec­tion provi­sions as well as the Crimi­nal Code.

2. The follo­wing Appen­di­ces consti­tute an inte­gral part of the present Protec­tion Policy:

- Appen­dix No. 1 – Perso­nal data proces­sing authorisation;

- Appen­dix No. 2 – Declaration.