Privacy policy

POLICY

PROTECTION OF PERSONAL DATA

for

World Drone Pilots Organization WDPO.org

(REGON: 381361040)

 

VER. 1.0

 

 

I. Table of contents

II. Introductory information

III. Data Protection Policy

IV. List of buildings and rooms for processing personal data

V. List of personal data files

VI. Definition of measures necessary to maintain the security of personal data

VII. Transmission of data to a third country

VIII. Final provisions

IX. List of changes in the document

 

II. Introductory information

A. Legal basis

 

The Personal Data Protection Policy (hereinafter referred to as the Policy) describes the organizational and technical activities undertaken by the World Drone Pilots Organization (hereinafter referred to as WDPO), with its headquarters in Gliwice, REGON: 381361040, represented by its President, Mr. Przemysław Tomków, whose goal is to achieve and maintain an acceptable level of security of the personal data being processed and to raise the awareness of those involved in its work regarding the protection of this data / information. The Policy is a data protection policy within the meaning of Art. 24(2) RODO.

For this purpose, the Administrator strives to implement an appropriate system for protecting personal data against internal and external threats.

The Policy is made available to all persons authorized to process personal data in WDPO and, on request, to all interested persons, in particular the natural persons to whom the data relate.

The basic legal acts that the Policy implements are:

1) Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000) - hereinafter referred to as UODO;

2) Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and the technical and organizational conditions which should be met by devices and IT systems used for the processing of personal data (Journal of Laws of 2004, No. 100, item 1024) - hereinafter referred to as the REGULATION.

 

As of 25 May 2018, the Policy implements the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the EU L 119 of 4 May 2016 - hereinafter referred to as RODO (the Polish abbreviation of the GDPR).

B. Definitions

a) Personal Data Administrator - World Drone Pilots Organization with registered office in Gliwice (44-100), ul. Stalmach 4/9, REGON: 381361040, represented by the President - Mr. Przemysław Tomków (hereinafter also referred to as "the Administrator").

b) Employee - a person performing work for the Administrator, regardless of the legal basis (employment contract, civil-law contract, volunteer agreement, appointment, nomination, etc.);

c) Authorized Person - any person holding a written authorization to process personal data issued by the Administrator;

d) System user - any person holding an authorization to process personal data issued by the Administrator who is registered in the IT system, has a unique identifier and password, and processes personal data in that system;

e) Personal data - any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly;

f) Special categories of personal data - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, as well as personal data relating to criminal convictions and offences or related security measures;

g) Data file - a structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

h) Data processing - an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

i) Deletion of data - destruction of personal data, or its modification in a way that no longer allows the identity of the data subject to be determined;

j) User identifier - a string of letters, digits or other characters uniquely identifying the person authorized to process personal data in the IT system;

k) Password - a string of letters, digits or other characters, known only to the person authorized to work in the IT system;

l) Authentication - an action aimed at verifying the declared identity of an entity;

m) Information security - preservation of the confidentiality, integrity, availability and accountability of information;

n) Confidentiality - the property that information is not made available or disclosed to unauthorized persons or entities;

o) Availability - the property of being accessible and usable on request by an authorized entity or authorized person;

p) Integrity - the property that ensures that personal data have not been altered or destroyed in an unauthorized manner;

q) Accountability - the property that ensures that the actions of an entity can be attributed unambiguously to that entity alone;

r) Breach of personal data protection - breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed;

s) IT system - a set of cooperating devices, programs, information processing procedures and software tools used to process data;

t) Securing data in the IT system - implementation and operation of appropriate technical and organizational measures ensuring data protection against unauthorized processing;

C. Defining responsibility

 

The Personal Data Administrator is the World Drone Pilots Organization with its registered office in Gliwice (44-100), ul. Stalmach 4/9, REGON: 381361040, represented by its President, Mr. Przemysław Tomków (hereinafter also referred to as "the Administrator"). The purpose of the Policy is to indicate the actions to be performed and to establish the rules and standards of conduct to be applied so that the Administrator's duties regarding the securing of personal data are properly performed.

The Policy applies to all of the Administrator's employees.

Personal data covered by the Policy, and the methods used to secure them, are subject to confidentiality without limitation in time.

III. Data Protection Policy

A. Basic principles of the Personal Data Protection Policy.

In order to ensure the protection of personal data processed by the Administrator, the following rules apply:

a) "least privilege" - access rights are granted only to the extent necessary to perform official duties,

b) "separation of duties" - tasks that are critical from the point of view of information security cannot be carried out by a single person,

c) "default deny" - the most restrictive settings are adopted as the standard and may be relaxed only in specific, justified situations.

The Policy implementation is carried out according to the following rules:

1) Each person involved in the processing of personal data holds a written authorization to process it, granted by the Administrator, and acts on the Administrator's instructions within the meaning of Art. 29 and Art. 32(4) RODO. The authorization is accompanied by the employee's declaration of confidentiality regarding the personal data and the methods of securing it, and by confirmation that the employee has read the Policy. The procedure for granting authorizations is described in section VI, B 1.

 

2) The administrator has implemented appropriate organizational and technical measures to properly secure personal data.

 

3) The Administrator ensures the ongoing confidentiality, integrity, availability and resilience of processing systems and services by applying the following principles:

a) the Administrator's IT system is protected against unauthorized access and against the loss, modification or destruction of data through the use of anti-virus software and password-protected access. The internal network is protected against unauthorized access from outside by a software firewall.

b) each employee of the Administrator has an individual identifier with which they use the resources and services provided. The mechanisms and procedures built into the IT system ensure the accountability of the users registered in it.

c) all employees of the Administrator are made familiar with the adopted Policy.

d) employees of the Administrator are obliged to report the occurrence of an information security incident.

 

4) In the event of a personal data breach, the notification submitted to the supervisory authority shall:

a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed by the Administrator to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

5) The administrator documents any breaches of the protection of personal data, including the circumstances of personal data breach, its consequences and the remedial actions taken.

 

6) The Administrator has not carried out a data protection impact assessment, because the nature, scope, context and purposes of the processing do not indicate that it is likely to result in a high risk to the rights or freedoms of natural persons.

7) Once a year, the Administrator tests, measures and evaluates the effectiveness of the technical and organizational measures ensuring the security of processing, in the form of an internal audit.

8) The Administrator has implemented measures ensuring the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, in the form of backups of the personal data processed in the IT system and of the programs and tools used to process it. Copies are created at least once a month on an external disk which, as required in section VI A 4, is kept in a different room from the processing system itself.

 

B. Implementation of the Personal Data Protection Policy.

 

The Administrator pays particular attention to those elements of management that have a significant impact on data security, understood as protection against accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. This applies not only to personal data stored in databases and in paper documentation, but also to data transmitted over computer networks.

In the latter case this concerns mainly the security of data during electronic transmission, which occurs when data are sent:

1) in e-mail messages: aggregated personal data other than contact data, or other data whose disclosure could adversely affect the data subject, must be sent in secured attachments and may not form the body of the message; contact data are understood as data (first name, last name, position, telephone number, e-mail address, place of work) used only to contact a given person,

2) from databases to users.

The principles of personal data protection should be treated in a comprehensive manner. While implementing the Policy, it is important to involve all persons involved in data processing. Knowledge of data security and awareness of its importance is particularly important.

All employees declare their commitment to protecting the personal data being processed, the purpose of which is to ensure the security of that data, and in particular to safeguard its:

a) confidentiality;

b) integrity;

c) availability;

d) accountability.

IV. List of buildings and rooms for processing personal data

 

Administrator processes personal data at its headquarters in Gliwice (44-100), ul. Stalmach 4/9.

Access to personal data processed in IT systems via a telecommunications network may be granted only to selected persons and only with the Administrator's consent.

V. A list of personal data files

 

The administrator processes personal data of natural persons in IT systems and in paper form. All personal data processed by the Administrator are processed in accordance with applicable law.

A detailed inventory of the personal data processed in paper and electronic form has been carried out.

VI. Definition of measures necessary to maintain the security of personal data

 

The administrator applies various technical and organizational measures ensuring protection of personal data being processed.

The organizational and technical measures applied are the outcome of risk management, including risk analysis and the selection of the treatment procedure.

A. Physical security.

 

A 1. Entrance control

The Administrator's office is secured by an intercom. Directly at the entrance there is a reception desk, which must be passed to reach the other rooms. The property has a burglar alarm.

Visitors to the Administrator may be granted access only for specific, approved purposes.

Photographic, video and audio recording equipment may not be used on the Administrator's premises without special permission granted by the Administrator.

A 2. Access to the rooms

Access to the Administrator's premises in which personal data are processed is limited to employees and other persons authorized by the Administrator. Persons authorized to be present in the personal data processing area may remain there only to the extent necessary to perform the activities described in their authorization.

Where an outsider is given access to a room, they may remain in it only in the presence of an authorized employee or with the Administrator's consent. On each such occasion an employee is appointed to supervise the outsider.

A 3. Isolated reception areas

The Administrator's employees do not receive guests in their offices at workstations. Doing so could lead to an accidental leak of information through a guest reading the contents of an open paper or electronic document or overhearing employees' conversations.

A 4. Information system equipment

The Administrator uses mobile devices: portable computers, external media, and smartphones. They are used with extreme caution outside the area of ​​data processing, in particular:

a) cryptographic security is used;

b) logins and passwords for the IT system are used;

c) it is forbidden to leave devices unattended;

d) it is prohibited to transfer devices to unauthorized persons;

e) the use of hotspot-type (public Wi-Fi) networks is prohibited;

f) data backups are made;

g) administrative passwords for active network devices, server systems, workstations and other devices requiring login are stored in a safe place;

h) data backups are kept in a different room from the information processing system itself.

B. General security measures.

 

B 1. Authorizations for the processing of personal data

Every employee who processes personal data must hold an authorization to process personal data. The authorization contains all legally required information and specifies the level of access to the Administrator's IT system.

No later than on the last day of cooperation, the authorization is revoked; this is recorded in the Register of authorized persons and noted on the authorization document.

Authorizations are stored in the place where the personnel and accounting documentation are stored.

B 2. The principle of a clean desk and a clean screen

Information left on desks may be damaged or destroyed, or disclosed through unauthorized access; therefore the following rules have been introduced:

1) paper documents and other information media should be stored in lockable cabinets and / or other secure places, especially outside the Administrator's operating hours,

2) all paper documents that are to be discarded must be destroyed using a shredder,

3) documents containing sensitive or critical information should be kept in lockable cabinets, and stamps in lockable drawers,

4) logged-in computers must not be left unattended,

5) monitors should be positioned so as to prevent unauthorized viewing of the information on the screen,

6) outside working hours, copying devices should be protected against unauthorized use,

7) printouts containing confidential / sensitive information should be removed from the printer immediately after printing.

C. Entrusting data processing.

 

The Administrator transfers personal data to other entities, thereby entrusting them with its processing. In such cases the Administrator:

1) records the entrustment of processing in the list of data files,

2) includes provisions on the entrustment of personal data processing in the relevant contracts.

Contractual provisions on the entrustment of processing must stipulate that the processor:

1) processes personal data only for the purpose and within the scope specified in the contract, and only on the documented instructions of the Administrator;

2) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3) takes, where necessary, all measures required to secure the personal data, in particular the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, and the regular testing, measuring and evaluating of the effectiveness of the technical and organizational measures ensuring the security of processing;

4) transfers the entrusted personal data to other entities for processing only after obtaining the explicit consent of the Administrator;

5) assists the Administrator, by appropriate technical and organizational measures, in fulfilling the obligation to respond to requests from data subjects exercising their rights;

6) assists the Administrator in fulfilling the obligations to notify personal data breaches and to carry out data protection impact assessments;

7) after completion of the services relating to processing, at the Administrator's choice, deletes or returns to the Administrator all personal data and deletes any existing copies, unless Union or Member State law requires the storage of the personal data;

8) makes available to the Administrator all information necessary to demonstrate compliance with the obligations laid down in Art. 28 RODO, and allows for and contributes to audits, including inspections, conducted by the Administrator or by an auditor mandated by the Administrator.

D. Handling of information

 

D 1. Control of access to information

Employees may not, without the Administrator's authorization, disclose:

• personal data or other confidential information,

• information about security, including information about the security of the IT system.

D 2. Forms of information exchange

Information exchanged by voice, by fax and visually is also protected. The following requirements are introduced to secure the information transmitted:

1) particular caution is to be exercised during telephone calls; in particular, the transfer of confidential information and personal data by telephone is prohibited,

2) confidential conversations are prohibited in public places (restaurants, public transport, etc.), open-plan offices and thin-walled rooms,

3) messages containing confidential content are not to be left on answering machines.

D 3. ICT security

Anti-virus software and other devices and programs controlling the flow of information between the public network and the Administrator's IT system are in use.

 

VII. Transmission of data to a third country

1) WDPO does not transfer Personal Data to a third country outside the territory of the European Union or the European Economic Area, except where this occurs at the request of the person to whom the Personal Data relate.

2) To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services, WDPO periodically reviews user behaviour and, where possible, provides solutions offering protection equivalent to that required by data protection law.

VIII. Final Provisions

1) The Policy takes effect on the day of its announcement.

2) In matters not covered by the Policy, the provisions of RODO and the generally applicable provisions of Polish and European law apply accordingly.

3) Any amendments or supplements to the Policy require written form, on pain of nullity.

4) Amendments or supplements to the Policy enter into force no earlier than 7 days after the date of their publication.

 

IX. List of changes in the document:

PERSONAL DATA PROTECTION POLICY

Date: Modification type: Responsible person:

25/05/2018 The creation of the document.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

VER. 1.0

 

 

I. Table of contents

 

I. Table of contents 1

II. Preliminary information 2

III. Data Protection Policy. 3

IV. List of buildings and rooms for processing personal data 5

V. List of personal data files 5

VI. Definition of measures necessary to maintain the security of personal data 5

VII. Transmission of data to a third country 8

VIII. Final provisions 8

IX. List of changes in the document: 8

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

II. Introductory information

A. Legal basis

 

Personal Data Protection Policy (hereinafter referred to as the Policy) describes organizational and technical activities undertaken by World Drone Pilots Organization (hereinafter referred to as WDPO) with headquarters in Gliwice, REGON: 381361040, represented by the President - Mr. Przemysław Tomków, whose goal is to achieve and maintain an acceptable level the security of personal data being processed and raising the level of awareness of those involved in its work in the protection of this data / information. The policy is a data protection policy within the meaning of art. 24 sec. 2 RHODE.

For the designated purpose, the Administrator strives to implement an appropriate system of personal data protection against internal and external threats.

The policy is made available to all persons authorized to process personal data in WDPO, as well as all interested persons, in particular the natural persons to whom the data relates - at their request.

The basic legal acts that the Policy implements are:

1) Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 100)

- hereinafter referred to as UODO;

2) Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and technical and organizational conditions which should be met by devices and IT systems used for the processing of personal data (Journal of Laws of 2004, No. 100 , item 1024) - hereinafter referred to as REGULATION.

 

As of 25 May 2018, the Policy implements the provisions of the Regulation of 27 April 2016 of the European Parliament and of the Council 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (general regulation on data protection) - Official Journal of the EU L 119 of 4 May 2016 - hereinafter referred to as the RODO.

B. Definitions

a) Personal Data Administrator - World Drone Pilots Organization with registered office in Gliwice (44-100), ul. Stalmach 4/9, REGON: 381361040, represented by the President - Mr. Przemysław Tomków (hereinafter also referred to as "the Administrator").

b) Employee - a person providing work to the Administrator, regardless of the legal title (employment contract, civil law, voluntary agreement, appointment, appointment, etc.).

c) Authorized Person - any person who has a written authorization to process personal data issued by the Administrator;

d) System user - any person authorized to process personal data issued by the Administrator, registered in the system / having a unique identifier and password / processing personal data;

e) Personal data - all information regarding an identified or identifiable natural person. An identifiable person is a person whose identity can be identified directly or indirectly;

f) Special categories of personal data - personal data revealing racial or ethnic origin, political views, religious or ideological beliefs, trade union membership and processing of genetic data, biometric data to uniquely identify a person or data on health, sexuality or sexual orientation persons as well as personal data concerning convictions and violations of law or related security measures;

g) Data file - an ordered set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed;

h) Data processing - an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated way, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or other types of sharing, matching or combining, limiting, deleting or destroying;

i) Deletion of data - destruction of personal data or modification thereof, which will not allow to determine the identity of the data subject;

j) User identifier - a string of letters, digits or other characters uniquely identifying the person authorized to proces

personal data in the IT system;

k) Password - a string of literal, digital or other characters, known only to the person authorized to work in the IT system;

l) Authentication - this action is aimed at verification of the entity's declared identity;

m) Information security - preservation of confidentiality, integrity, availability and accountability of information

n) Confidentiality - a property that information is not shared or disclosed to unauthorized persons and entities;

o) Availability - the property of being available and useful at the request of an authorized entity or authorized person;

p) Integrity - a property that ensures that personal information has not been altered or destroyed in an unauthorized manner;

q) Accountability - a property that ensures that the actions of the entity can be assigned only explicitly to this entity;

r) Breach of personal data protection - breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed;

s) IT system - a set of cooperating devices, programs, information processing procedures and software tools used to process data;

t) Securing data in the IT system - implementation and operation of appropriate technical and organizational measures ensuring data protection against unauthorized processing;

C. Defining responsibility

 

Personal Data Administrator - World Drone Pilots Organization with its registered office in Gliwice (44-100), ul. Stalmach 4/9, REGON: 381361040, represented by the President - Mr. Przemysław Tomków (hereinafter also referred to as "the Administrator"). The purpose of the Policy is to indicate the actions to be performed and to establish rules and rules of conduct that should be used to properly perform the duties of the Administrator in the scope of securing personal data.

The policy applies to all Administrator's employees.

Personal data covered by the Policy and methods of their security are covered by the unlimited secret in time.

III. Data Protection Policy

A. Basic principles of the Personal Data Protection Policy.

In order to ensure the protection of personal data processed by the Administrator, the following rules apply:

a) "minimum privileges" - assignment of access rights only to the extent necessary to perform official duties,

b) "separation of duties" - critical tasks from the point of view of information security can not be implemented by one person,

c) "alleged refusal" - to be accepted as the standard most restrictive settings that can be released only in certain situations.

The Policy implementation is carried out according to the following rules:

1) Each person involved in the processing of personal data has a written authorization to process them given by the Administrator acting as Administrator's order within the meaning of art. 29 RODO and 32 para. 4 RHODE. This authorization is connected with the employee's declaration of confidentiality of personal data, methods of securing them as well as familiarization with the content of the Policy - the procedure of granting authorizations is described in item VIII B.

.

 

2) The administrator has implemented appropriate organizational and technical measures to properly secure personal data.

 

3) The administrator shall ensure the ability to continually ensure the confidentiality, integrity, availability and resilience of processing systems and services by applying the following principles:

a) the Administrator's IT system is protected against unauthorized access, loss, modification or destruction of data through the use of anti-virus software and passwords. The internal network is protected against unauthorized access from outside by a software firewall.

b) each employee of the Administrator has an individual identifier through which he can use the resources and services provided. The mechanisms and procedures included in the IT system ensure the accountability of users registered in the system.

c) all employees of the Administrator are made aware of the adopted Policy.

d) employees of the Administrator are obliged to inform about the occurrence of an information safety incident.

 

4) In the event of a breach of the protection of personal data, submitting it to the supervisory authority should:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects, and the categories and approximate number of entries of personal data to which the infringement relates;

(b) include the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained;

c) describe the possible consequences of the nation the protection of personal data protection;

(d) describe the measures taken or proposed by the controller in order to remedy the breach of personal data protection, including, where appropriate, measures to minimize its potential adverse effects.

 

5) The administrator documents any breaches of the protection of personal data, including the circumstances of personal data breach, its consequences and the remedial actions taken.

 

6) The administrator has not carried out an assessment of the effects of processing on data protection, because the nature, scope, context and purposes of personal data processing do not indicate a high probability of high risk of violation of the rights or freedoms of natural persons.

 

7) The administrator once a year takes steps to test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of processing in the form of an internal audit.

 

8) The Administrator has implemented measures ensuring the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, in the form of backups of the personal data processed in the IT system and of the programs and tools used to process them. Copies are created at least once a month on an external disk.

 

B. Implementation of the Personal Data Protection Policy.

 

Particular attention is paid by the Administrator to those elements of management that have a significant impact on data security, understood as protection against accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. This applies not only to personal data stored in databases and paper documentation, but also to data transmitted over computer networks.

In the latter case, this mainly concerns the security of data during electronic transmission, i.e. when data is sent:

1) in e-mail messages: aggregate personal data other than contact data, or other data that may adversely affect the data subject, must be sent in secured attachments and may not constitute the body of the message; contact data is understood as data (first name, last name, position, telephone number, e-mail address, place of work) used only to contact a given person,

2) from databases to users.

The principles of personal data protection should be treated in a comprehensive manner. While implementing the Policy, it is important to involve all persons involved in data processing. Knowledge of data security and awareness of its importance is particularly important.

All employees declare their commitment to protecting the personal data being processed, the aim of which is to ensure the security of that data, and in particular its:

a) confidentiality;

b) integrity;

c) availability;

d) accountability.

IV. List of buildings and rooms for processing personal data

 

The Administrator processes personal data at its headquarters in Gliwice (44-100), ul. Stalmach 4/9.

Only selected persons, and only with the consent of the Administrator, may access personal data processed in IT systems via the telecommunications network.

V. A list of personal data files

 

The administrator processes personal data of natural persons in IT systems and in paper form. All personal data processed by the Administrator are processed in accordance with applicable law.

A detailed inventory of personal data processed in paper and electronic form was carried out.

VI. Definition of measures necessary to maintain the security of personal data

 

The administrator applies various technical and organizational measures ensuring protection of personal data being processed.

The organizational and technical measures applied are the result of risk management, including risk analysis and the selection of the way the risk is handled.

A. Physical security.

 

A 1. Entrance control

The Administrator's office is secured by an intercom. Directly at the entrance there is a reception desk, which must be passed to reach the other rooms. The property has a burglar alarm.

Visitors to the Administrator should be allowed access only for specific, approved purposes.

Without special permission granted by the Administrator, photographic, video and audio recording equipment may not be used on its premises.

A 2. Access to the rooms

Access to the Administrator's premises in which personal data processing takes place is limited to employees and other persons authorized by the Administrator. Persons authorized to be present in the personal data processing area may stay in it only to the extent necessary to perform the activities described in their authorization.

If outside persons are given access to a room, they may stay in it only in the presence of an authorized employee or with the consent of the Administrator. An employee is appointed each time to supervise the outside person.

A 3. Isolated reception areas

The Administrator's employees do not receive guests in their offices at workstations. Doing so could lead to an accidental leak of information through the reading of an open paper or electronic document or the overhearing of employees' conversations.

A 4. Information system equipment

The Administrator uses mobile devices: portable computers, external media and smartphones. Outside the data processing area they are used with extreme caution; in particular:

a) cryptographic security is used;

b) logins and passwords for the IT system are used;

c) it is forbidden to leave devices unattended;

d) it is prohibited to transfer devices to unauthorized persons;

e) the use of hotspot-type networks is prohibited;

f) data backups are made;

g) administrative passwords for access to active network devices, server systems, workstations and other devices requiring login are stored in a safe place;

h) data backups are kept in a different room from the information processing system itself.

B. General security measures.

 

B 1. Authorizations for the processing of personal data

Every employee who processes personal data must have authorization to process personal data. The authorization includes all required legal information and the level of access to the Administrator's IT system.

At the latest on the last day of cooperation, the authorization shall be revoked by recording this fact in the Register of authorized persons and making an appropriate note on the authorization document.

Authorizations are stored in the place where the personnel and accounting documentation are stored.

B 2. The principle of a clean desk and a clean screen

Information left on desks may be damaged or destroyed, or may be disclosed through unauthorized access; therefore the following rules have been introduced:

1) paper documents and other information media should be stored in lockable cabinets and / or other secure places, especially outside the operating hours of the Administrator,

2) all paper documents must be destroyed using a shredder,

3) documents containing sensitive or critical information should be locked in lockable cabinets, and stamps should be locked in lockable drawers,

4) do not leave logged-in computers unattended,

5) monitors should be set up to prevent unauthorized viewing of information on the screen,

6) outside of working hours, copying devices should be protected against unauthorized use,

7) confidential / sensitive information should be removed from the printer immediately after printing.

C. Entrusting data processing.

 

The Administrator transfers personal data to other entities, thereby entrusting them with the processing of personal data. In this case, the Administrator:

1) includes the entrustment of personal data processing in the list of data sets,

2) places provisions regarding the entrustment of personal data processing in the relevant contracts.

Contractual provisions relating to the entrustment of data processing must stipulate that the processor:

1) processes personal data only for the purpose and within the scope specified in the contract, and only on the documented instructions of the Administrator;

2) ensures that persons authorized to process personal data commit themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy;

3) where necessary, takes all measures required to secure personal data, in particular the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, and the regular testing, measuring and evaluation of the effectiveness of the technical and organizational measures ensuring the security of processing;

4) transfers the entrusted personal data to other entities for processing only after obtaining the explicit consent of the Administrator;

5) assists the Administrator, through appropriate technical and organizational measures, in fulfilling the obligation to respond to requests from data subjects exercising their rights;

6) assists the Administrator in fulfilling its obligations regarding the reporting of personal data breaches and the assessment of the impact of processing on personal data protection;

7) after completing the provision of services related to processing, and depending on the Administrator's decision, deletes or returns to the Administrator all personal data and deletes any existing copies thereof, unless Union or Member State law requires the storage of the personal data;

8) provides the Administrator with all information necessary to demonstrate compliance with the obligations set out in this Article, and allows for and contributes to audits, including inspections, conducted by the Administrator or by an auditor authorized by the Administrator.

D. Handling of information

 

D 1. Control of access to information

Employees may not, without the authorization of the Administrator, provide the following information:

• about personal data and other confidential information,

• about security, including information about the security of the IT system.

D 2. Forms of information exchange

Voice, fax and visual information are also protected. The following requirements are introduced to secure the information transmitted:

1) particular caution is exercised during telephone calls; in particular, the transfer of confidential information and personal data by telephone is prohibited,

2) confidential conversations are prohibited in public places (restaurants, public transport, etc.), publicly accessible offices and thin-walled rooms,

3) messages containing confidential content are not left on answering machines.

D 3. ICT security

Antivirus software and other devices and programs controlling the flow of information between the public network and the Administrator's IT system are used.

 

VII. Transmission of data to a third country

1) WDPO does not transfer Personal Data to a third country outside the territory of the European Union or the European Economic Area, except where the transfer takes place at the request of the person to whom the Personal Data relates.

2) To prevent unauthorized data export, in particular in connection with the use of publicly available cloud services, WDPO periodically reviews user behavior and, where possible, provides solutions that are equivalent in terms of data protection law.

VIII. Final Provisions

1) The policy takes effect on the day of announcement.

2) In matters not covered by the Policy, the provisions of the GDPR and generally binding provisions of Polish and European law apply accordingly.

3) Any changes or supplements to the Policy require for their effectiveness a written form under pain of nullity.

4) Changes or supplements to the Policy shall enter into force no earlier than 7 days from the date of their publication.

 

IX. List of changes in the document:

PERSONAL DATA PROTECTION POLICY

Date: 25/05/2018
Modification type: Creation of the document.
Responsible person: