ASBO Sp. z o.o.
The present Personal Data Protection Policy was drawn up with the aim of emphasising the fact that personal data at ASBO Sp. z o.o. (hereinafter referred to as the “Controller”) are processed and protected pursuant to legal provisions pertaining to the processing and protection of data including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”).
1. The Personal Data Protection Policy applies to all personal data processed at ASBO Sp. z o.o. regardless of the processing form.
2. The Personal Data Protection Policy is kept in a paper and electronic format at the Controller’s address: 3 Maja 34, 08 – 110 Siedlce.
3. The Personal Data Protection Policy shall be made available to persons authorised to process personal data upon their request as well as persons who are to be authorised to process personal data in order to allow such persons to read it.
4. In order to effectively enforce the Personal Data Protection Policy, the Controller ensures:
a) technical measures and organisational solutions appropriate for given threats and categories of data subject to protection;
b) control and supervision over processing of personal data;
c) monitoring of the applied protection measures.
5. In particular, the Controller’s monitoring of applied protection measures includes: actions of persons authorised by the Controller, breaches of data access rules, ensuring file integrity and protection against external and internal attacks.
6. The Controller ensures that the tasks performed in conjunction with the processing and protection of personal data are compliant with the present Personal Data Protection Policy and relevant provisions of law.
1. Personal data processed by the Controller shall be collected in filing systems.
2. The Controller shall not engage in processing which could entail a serious probability of a high risk to the rights and freedoms of the persons to whom the data pertain.
3. When planning new processing activities, the Controller shall carry out an analysis of their consequences for the protection of personal data and take data protection issues into account at the planning stage thereof.
1. All individuals with access to personal data subject to processing by the Controller undertake to process that data in accordance with the regulations as in force at present and pursuant to the Personal Data Protection Policy as set forth by the Controller.
2. All personal data processed by the Controller are processed in compliance with the principles as prescribed by the provisions of law, i.e.:
a) in each case there exists at least one basis as specified by the provisions of law for the processing of data;
b) personal data are processed fairly and in a transparent manner;
c) personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
d) personal data shall be processed only to the extent required in order to achieve the data processing purpose;
e) personal data are correct and updated as required;
f) storage time is limited to the period of data usability for purposes which they have been collected for;
g) the information obligation in accordance with Articles 13 and 14 of the Regulation with respect of the data subject is performed;
h) personal data are protected against breaches to their protection principles.
3. In particular an infringement or an attempted infringement of personal data protection and processing shall be understood as:
a) a breach to the security of IT systems within which personal data are processed;
b) provision of, or facilitating the provision of, personal data to non-authorised persons or entities;
c) neglecting the obligation to ensure personal data protection;
d) failing to observe the obligation to keep personal data and their protection measures confidential;
e) processing of personal data not in accordance with the assumed processing scope and purposes for the collection thereof;
f) causing damage, loss, uncontrolled change or unauthorised copying of personal data;
g) breach of the rights of data subjects.
4. If a personal data protection breach is identified, a person authorised by the Controller shall undertake all necessary steps to minimise the consequences of the breach and to immediately notify the Controller.
5. The Controller’s obligations within the scope of employing, terminating employment or changing employment terms for employees or contractors (persons acting on behalf of the Controller on the basis of civil law agreements or cooperation agreements) entail ensuring that:
a) employees are suitably prepared to carry out their duties;
b) every employee processing personal data has written authorisation for the processing of personal data and that they undertook to maintain personal data confidentiality — sample authorisation and declaration constitute Appendix 1 and Appendix 2 to the present Personal Data Protection Policy respectively;
c) in the event of entrusting personal data processing to third parties (on the basis of civil law agreements or cooperation agreements), an appropriate agreement on entrusting the processing of personal data is concluded.
6. The Controller’s workers are obliged to:
a) strictly observe the scope of the granted authorisation;
b) process personal data in accordance with the provisions;
c) keep personal data and their protection measures confidential;
d) report incidents associated with data protection breaches and incorrect functioning of the IT system.
1. The site where personal data shall be processed comprises office premises located at the Controller’s head office.
2. Additionally the site where personal data shall be processed includes all portable computers as well as other electronic or traditional storage devices located outside of the Controller’s head office in conjunction with the scope of the Controller’s business activity.
1. The Controller provides the technical and organisational measures required to ensure confidentiality, integrity, accountability and continuity for the processed personal data.
2. The applied (technical and organisational) protection measures should be adequate to the identified risk level for given systems, types of filing systems and data categories.
3. In particular the protection measures include:
a) access to premises within which personal data are processed is restricted to persons who hold appropriate authorisations. Other persons may enter premises used for data processing only when accompanied by an authorised person;
b) locking premises which constitute the personal data processing site as defined in item IV of the present Personal Data Protection Policy, in the absence of employees, in a manner preventing third-party access;
c) use of lockable cabinets and safes to protect documents;
d) use of a shredder to effectively erase documents containing personal data;
e) protection of the local IT network against actions initiated from the outside;
f) making emergency data copies as required;
g) protection of the computer equipment used by the Controller against malware;
h) securing access to computer equipment used by the Controller using access passwords;
i) encryption of personal data during transmission.
1. If a personal data protection breach is identified, the Controller assesses whether the breach in question may constitute a risk to the rights and freedoms of natural persons.
2. In every situation where a personal data protection breach may constitute a risk to the rights and freedoms of natural persons, the Controller reports the personal data protection breach to the supervisory authority (the President of the Personal Data Protection Office) without undue delay and no later than 72 hours after identifying the breach.
3. If the risk to the rights and freedoms is high, the Controller also notifies the data subject of the incident.
The Controller may confer the processing of personal data to another entity solely pursuant to a written agreement concluded in accordance with the requirements specified in Article 28 of the Regulation.
1. The Controller may transfer personal data to a third country in situations where this occurs at the request of the data subject or is necessary for its business activities. The transfer of data in this respect is sporadic.
2. The transfer of personal data that is processed, or is to be processed after the transfer, to a third country takes place only when the processing entity meets the conditions defined in the Regulation.
3. In the event of transferring data to a third country, the Controller shall apply adequate security measures ensuring that the level of protection of natural persons guaranteed in the Regulation is not violated (Chapter V, Articles 44 — 49).
1. For failing to observe obligations stemming from the present document, the Controller’s employee shall be held responsible pursuant to the Labour Code, personal data protection provisions as well as the Criminal Code.
2. The following Appendices constitute an integral part of the present Protection Policy:
- Appendix No. 1 – Personal data processing authorisation;