The following Safety Policy (hereinafter referred to as the Policy) has been drawn up in order to demonstrate that personal data is processed and safeguarded by Enercomtel sp. z o.o., ul. Pokrzywno 4A, 61-315 Poznań, Poland, VAT no. PL7822588595 (hereinafter referred to as Enercomtel) in accordance with the regulations on the processing and securing of data that apply to the aforementioned entrepreneur, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation, GDPR).
- Controller: Enercomtel sp. z o.o.
- Personal Data – any information that relates to an identified or identifiable natural person
- IT system – a set of cooperating devices, programs, data processing procedures and programming tools used for data processing
- User – person authorized by the Controller to process personal data
- Filing system – any structured set of personal data which are accessible according to specific criteria
- Data processing – any operation performed on personal data, such as collection, recording, organization, adaptation or alteration, disclosure or erasure, whether in traditional paper form or with the use of IT systems
- User ID – a sequence of letters, numbers or other symbols by which a person authorized to process personal data (User) is identified in the IT system, where personal data is processed in that system
- Password – a sequence of letters, numbers or other symbols known only to the person authorized to work in the IT system (User), where personal data is processed in that system
- Authentication – any action taken to verify the declared identity of an individual (User).
- This Policy includes all personal data processing, regardless of the form of their processing (traditional records, IT systems) and of whether or not the data is or may be processed in filing systems.
- This Policy is kept in a digital form and in a paper form in the Controller’s main office.
- This Policy is made available to persons authorized to process personal data upon their request, and to persons to whom such authorization is to be granted, so that they can acquaint themselves with its content.
- In order to implement this Policy, the Controller ensures:
- technical and organizational measures appropriate to the risks and to the categories of the safeguarded data,
- control and supervision over personal data processing,
- monitoring of the applied security measures.
- Monitoring of the applied security measures by the Controller includes, among others: Users’ operations, breaches of the rules of data access, maintaining the integrity of files, and protection against external and internal attacks.
Personal data processed by the Controller
- Personal data processed by the Controller are stored in a filing system.
- Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall not commence it before proceeding as specified in art. 35 et seq. GDPR.
- Whenever a new processing operation is planned, the Controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing, while the operations are being designed.
Obligations and responsibilities in safety management
- All persons are obliged to process personal data pursuant to the applicable regulations and the Safety Policy created by the Controller, IT Systems’ Management Manual, as well as other internal documents and procedures related to personal data processing.
- All personal data are processed in Enercomtel in accordance with the rules of personal data processing established by the law:
- In all cases, there is at least one legal basis for the processing specified in the applicable regulations.
- All data are processed lawfully, fairly and in a transparent manner.
- Personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data are processed in a scope that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data are accurate and, where necessary, kept up to date.
- Personal data are not stored for longer than is necessary for the purposes for which they are processed and are thereafter anonymized or erased.
- Where personal data relating to a data subject are collected, the data subject shall be informed of this in accordance with art. 13 and 14 GDPR.
- The obligation to inform the data subject does not apply where the personal data must remain confidential subject to an obligation of professional secrecy (art. 14(5) GDPR).
- A breach, or an attempt to breach, the rules of processing and protecting personal data is deemed to occur in particular where:
- the security of an IT system in which personal data are processed is breached;
- any personal data are disclosed, or made available for disclosure, to unauthorized persons or parties;
- the obligation to safeguard personal data is not fulfilled, even if unintentionally;
- the obligation to keep personal data, and the measures used to safeguard them, secret is not fulfilled;
- any personal data are processed outside the scope and purpose for which they were collected.
- In the event of any personal data breach, the User is obliged to undertake all necessary measures in order to limit the impact of the breach and to notify the Controller without undue delay.
- The responsibilities of the Controller with respect to the employment, termination of employment or change of employment terms of employees and partners (persons acting on behalf of the Controller under other civil-law contracts) include:
- appropriate preparation of employees to perform their tasks; every employee who processes personal data is authorized to do so in writing under “The authorization to process personal data”, a sample of which constitutes Enclosure 2 to this Policy.
- All employees are obliged to:
- act strictly within the scope of the authorization granted to them;
- process and safeguard personal data in accordance with regulations;
- observe secrecy with regard to personal data and measures of their safeguarding.
Data processing area
- The area in which Enercomtel processes personal data comprises the offices located on the Enercomtel premises.
- An additional area in which personal data are processed comprises portable computers and data carriers used outside the aforementioned premises.
Defining the technical and organizational measures indispensable to ensure the confidentiality, integrity and accountability of the data processed
- The Controller shall implement appropriate technical and organizational measures to ensure the confidentiality, integrity, accountability and continuity of data processing.
- Protecting measures implemented (technical and organizational) shall be appropriate to the assessed risks for particular systems, filing types and categories. These measures include:
- Limiting access to premises in which personal data are processed only to authorized persons. Any other person may stay in the said premises only in the company of an authorized person.
- Locking the premises that constitute the data processing areas specified herein whenever employees are absent, in a way that prevents third parties from accessing them.
- Using lockable cabinets and safes to safeguard documents.
- Using a shredder to effectively destroy documents containing personal data.
- A firewall on the local network, protecting against external threats.
- Maintaining backup copies of data on an external drive.
- Protecting the computer devices used by the Controller against malware (malicious software).
- Securing access to Enercomtel’s devices with individual passwords.
Personal data protection breach
- In the case of a personal data breach, the Controller shall assess whether the breach is likely to result in a risk to the rights and freedoms of natural persons.
- In the case when a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. A sample of such notification constitutes Enclosure 4 to this Policy.
Outsourcing of personal data processing
- The Controller may entrust another party (a Processor) with processing activities only under a written agreement that meets the requirements specified in art. 28 GDPR.
- Prior to entrusting another party with personal data processing, the Controller shall, where feasible, obtain information on that party’s track record in safeguarding personal data.
Transfers of personal data to third countries
- The Controller shall not transfer any personal data to third countries, except where the data subject requests such a transfer.
- Failure to fulfil obligations specified herein shall incur liability of an employee pursuant to the Labor Code, the provisions on the protection of personal data and Criminal Code in relation to the personal data to which professional secrecy applies.
- The following Enclosures constitute an integral part of this Policy:
- Enclosure 1 – Record of processing activities
- Enclosure 2 – Sample authorization to process personal data
- Enclosure 3 – Sample declaration and commitment of the person processing personal data to observe secrecy
- Enclosure 4 – Sample notification on the personal data breach to the supervisory authority
Should you request to get acquainted with the aforementioned Enclosures, risk assessment results and internal procedures, do not hesitate to contact us: firstname.lastname@example.org