Krilico Sp. z o.o., ul. Strzelecka 7B, 80-803 Gdańsk
NIP 5833475764, REGON 525084186
Development date: | 07.03.2023 |
Implementation date: | 19.04.2023 |
Document approved and implemented: | 19.04.2023 |
I. Purpose, scope and definitions used in the document
1. Policy Objective
1.1 The purpose of developing and implementing this security policy is to describe the technical and organizational measures applied by Krilico Sp. z o.o., ul. Strzelecka 7B, 80-803 Gdańsk (hereinafter referred to as the administrator) that ensure the protection of processed personal data, commensurate with the risk to the rights and freedoms of natural persons arising from the processing of personal data.
1.2 The Policy is intended to ensure that the administrator, Krilico Sp. z o.o., ul. Strzelecka 7B, 80-803 Gdańsk, properly performs its obligations. The Personal Data Security Policy has been developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.3 This document is implemented by publishing it and making it available to persons authorized to process personal data, as well as to other persons who have access to personal data processed by the administrator.
2. Scope and exceptions
2.1 The policy applies to all personal data processed by the administrator.
2.2 The provisions and requirements of this Policy can only be excluded if applicable law provides for such an exception.
3. Definitions
1. | Administrator | Krilico Sp. z o.o., ul. Strzelecka 7B, 80-803 Gdańsk, in relation to the data whose purposes and means of processing it determines; |
2. | Personal data | any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
3. | Special categories of personal data | data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, as well as data relating to criminal convictions and offences or related security measures; |
4. | President of the Office | the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), the Polish supervisory authority; |
5. | Integrity | the property that personal data have not been altered or destroyed in an unauthorized manner; |
6. | Personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed; |
7. | Authorized person | a person holding the administrator's authorization to process personal data; |
8. | Data subject (or data owner) | any natural person whose personal data are processed by the administrator, or on its behalf, in connection with its activities; |
9. | Confidentiality of data | the property that data are not made available or disclosed to unauthorized persons; |
10. | Employee | a person having access to personal data who is employed by the administrator under an employment relationship; |
11. | Third party | a natural or legal person, public authority, agency or body other than the data subject, the administrator, the processor and the persons who, under the direct authority of the administrator or the processor, are authorized to process personal data; |
12. | Processor | a legal person, natural person, organisational unit without legal personality or other entity that processes personal data on behalf of the administrator, on the administrator's instructions, under a contract entrusting the processing of personal data within the meaning of Article 28 GDPR; |
13. | Processing of personal data | any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
14. | Policy | this document, i.e. the Personal Data Security Policy; |
15. | Accountability | the property that enables the administrator to demonstrate compliance with the GDPR; |
16. | Regulation (GDPR) | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; |
17. | Pseudonymisation | the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; |
18. | Register of processing operations | a register maintained by the administrator containing at least the following data:
a) the name and contact details of the administrator and, where applicable, of any joint administrators, the administrator's representative and the data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed;
e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation of suitable safeguards;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1) GDPR; |
19. | Complaint | any letter (in paper or electronic form) submitted by the data subject (data owner) or by the President of the Office, the content of which raises a complaint or a request for clarification or information regarding the processing of personal data by the administrator; |
20. | IT system | a set of interacting devices, programs, information processing procedures and software tools used for data processing; |
21. | Act | the Act of 10 May 2018 on the Protection of Personal Data; |
22. | Authorization | one of the following:
- a written authorization to process personal data, granted in accordance with Article 29 GDPR to an employee, a contractor or an employee of the processor by a partner of the company,
- a contract entrusting the processing of personal data concluded in writing within the meaning of Article 28 GDPR; |
23. | Contractor | a person who has access to personal data and personally and directly performs tasks or services for the administrator; |
24. | Data protection | the implementation and operation of appropriate technical and organizational measures to protect data against unauthorized processing; |
25. | Consent of the data subject | any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; |
II. Responsibilities of Krilico Sp. z o.o., ul. Strzelecka 7B, 80-803 Gdańsk, as administrator
1. Obligation to comply with the legal grounds for processing personal data
1.1 Before deciding to create a new processing purpose, or to expand the scope of personal data collected for an existing purpose specified in the Register of Processing Operations (RCP), each employee and contractor must identify and apply the legal basis under the GDPR that legitimizes the processing of such data.
2. Information obligation with respect to the data subject in accordance with Article 13 and Article 14 of the GDPR
2.1 Each employee who collects (receives) personal data directly from the data owner is obliged, at the time of collection, to inform the data owner (for example, by providing the relevant information clause) in accordance with the information clauses prepared under Article 13 GDPR.
2.2 Where data are collected from third parties, and therefore not directly from the data owner, the data owner must be informed of the circumstances of the processing immediately after the data are recorded, in accordance with the information clauses prepared under Article 14 GDPR.
2.3 Where IT systems that automatically collect personal data are used, it must be ensured that the system provides the information specified in the paragraphs above.
2.4 Where third parties are used (for example, marketing or recruitment agencies), the contract with such an entity must ensure that, when collecting personal data, the entity fulfils the information obligation on behalf of the administrator in accordance with paragraphs 2.1 and 2.2 above.
3. Obligation to comply with the processing principles described in Article 5 of the GDPR
3.1 When processing personal data, particular attention must be paid to protecting the interests of data subjects, in particular by complying with the principles set out in Article 5 GDPR and in Chapter III of this Policy. This obligation applies to employees and contractors as well as to entities that process personal data on behalf of the administrator under contracts entrusting the processing of personal data, i.e. processors.
4. Obligation to conclude a contract entrusting the processing of personal data (Article 28 GDPR)
4.1 If the administrator decides to use the services of a third party and, as part of those services, that entity will process personal data on behalf of the administrator, it must be ensured that a contract entrusting the processing of personal data is concluded with that entity, in accordance with the rules set out in Chapter IV of this Policy, before any data are transferred to it.
5. Obligation to comply with the data subject's requests
5.1 If the data owner submits, orally or in writing (on paper or electronically), a request for access to, a copy of, transfer, deletion, correction, restriction or update of their data, the request must be fulfilled without undue delay, and in any event within 30 days, where it is justified.
5.2 In any case, fulfilment of a request referred to in the above clause is the responsibility of the administrator, who may designate an employee, contractor or other entity to assist in its execution.
5.3 In any case, the administrator facilitates the exercise of the rights that the data owner has under Articles 15-22 GDPR. If the administrator is unable to identify the data subject, it informs the data subject of this where possible and requests the additional information needed to confirm the data owner's identity.
5.4 When executing a request from the data owner, the administrator follows the procedure for handling requests from data subjects.
6. Data protection obligation
6.1 Each employee and contractor is obliged to comply with:
• the organizational rules (for example, policies, regulations, procedures) that apply in the administrator's organization, regardless of which internal document describes them, and
• the technical measures (for example, access passwords, encrypted flash drives, or encryption of computers and mobile devices). Bypassing security measures specified in internal documents or implemented by the IT provider may constitute a breach of personal data protection.
6.2 The data protection obligation also applies to processors. Specific requirements for the protection of personal data by the processor must be set out in the contract of assignment of personal data processing.
7. Obligation to inform about the new purpose of personal data processing
7.1 If an employee or contractor decides to start collecting personal data for a new purpose, they must inform the administrator of this fact, using a form of communication customarily used in the organization, before the collection begins.
7.2 Based on the information provided by the employee or contractor, the administrator decides whether the purpose must be recorded in the register of processing operations.
7.3 Employees and contractors are required to report directly to the administrator any changes to the processing operations described in the register before making those changes.
8. Transfer obligations to third countries
8.1 When deciding whether to choose a provider located outside the EEA or to transfer data to a third country, the administrator should carry out an additional analysis or consult external sources regarding the security of transferring such data.
9. Duties and responsibilities
9.1 Every employee and contractor, regardless of position or function, is obliged and responsible for:
• maintaining the confidentiality of personal data and of the means used to protect it,
• familiarizing themselves with and complying with the provisions of this Policy and the internal documents issued under it,
• confirming in writing that they have familiarized themselves with the personal data protection regulations and this Policy,
• complying with personal data protection law, in particular the Act,
• not sharing their access to IT systems,
• not granting or allowing access to personal data to unauthorized persons,
• reporting any incident or suspected breach of personal data protection or of this Policy in accordance with the applicable procedures.
9.2 Duties and responsibilities of managers
Each manager is responsible for:
• supervising whether subordinate employees apply the principles set out in this Policy,
• identifying information and training needs regarding personal data protection legislation,
• approving any changes to the purposes of personal data processing before they are introduced,
• controlling the designated purposes or scope of personal data processing against the register of processing operations,
• reviewing new IT solutions that involve transferring personal data to a third party,
• ensuring that the administrator concludes a contract entrusting the processing of personal data with any entity to which the administrator intends to entrust such processing.
9.3 Duties and responsibilities of the IT provider (if any)
Each employee of the IT provider assigned to work with the administrator is obliged and responsible for:
• controlling how effectively security measures (physical, logical and system-level) are implemented and maintained,
• controlling how effective the restrictions on access to data processing areas are,
• taking the GDPR and this Policy into account when developing and implementing new solutions related to information or physical security,
• at the administrator's request, preparing an opinion and information on the security measures used in the organization.
10. Rules for handling complaints about the processing of personal data
10.1 Complaints / requests made by the data owner
1) A written complaint or request (regardless of the form of delivery or its title) sent by the data owner to the administrator must be considered without undue delay and no later than 30 days from the date of receipt.
2) The response to the complaint or request must be provided in writing (by registered mail) if the applicant has provided a postal address and, in the absence of such an address, in the same way the complaint or request was submitted, unless the applicant has requested another form. Where the response is sent by email, a copy of the response must in any case be archived so that the administrator's records can be completed.
3) If the data owner requests a change or update of their personal data, this must be done without undue delay after receipt of the request.
4) If the data owner requests deletion of their data or cessation of its processing, and the data were collected solely on the basis of that person's consent, the personal data must be deleted without delay, or their processing for the purposes covered by the consent must cease.
5) Personal data processed on the basis of a concluded contract may continue to be processed for other purposes (for example, performance of the contract or tax obligations) after the data owner has withdrawn all consents, provided that such processing follows from the register of processing operations.
6) If the data owner requests access to their personal data or a copy of the data, the request must be answered without undue delay and within no more than 30 days.
7) The data owner may exercise the right to obtain, free of charge, a copy of the data processed under a contract or consent that the owner provided to the administrator. For each subsequent copy, the administrator may charge a reasonable administrative fee for preparing it.
10.2 Complaints received from the President of the Office
1) If the data owner files a complaint with the President of the Office and the authority forwards it to the administrator, it must be passed on immediately to the company's partner.
2) The time limit for responding to a complaint forwarded by the President of the Office is 7 days (unless the President of the Office sets a different one).
3) The response is prepared by an employee, contractor or one of the company's partners designated by the administrator, and the final response is sent to the President of the Office by the company's partner.
III. Rules for personal data processing by the administrator
1. The principle of lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Personal data may not be processed without a legal basis. Before processing a new category of personal data, or data for a new purpose, the legal basis for the processing must be identified.
2. Purpose limitation principle
Personal data may only be processed for a specific and clearly defined purpose, of which the data owner must be informed. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Data minimization principle
Only as much data as is needed to achieve the purpose may be collected. Data may not be collected "in reserve" because they might be "useful" in the future. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. The principle of accuracy
All authorized persons and processors are responsible for the accuracy of the data. Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. The principle of storage limitation
Personal data may only be processed for as long as the purpose of the processing exists or as required by law. Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which they are processed.
6. The principle of confidentiality and integrity
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7. The principle of familiarizing authorized persons with internal and external personal data protection legislation
Every person authorized to process personal data must be aware of the internal and external regulations in the field of personal data protection. Anyone lacking such knowledge may contact the company's partner directly. Each authorized person confirms in writing, by signing the corresponding statement, that they have familiarized themselves with the laws and regulations in the field of personal data protection.
8. The principle of restricted access
Access to personal data must always be restricted to authorized persons only. Access restrictions may be organizational (for example, personal supervision, entry procedures), physical (for example, locks and keys, contactless room access cards) or IT-based (for example, user names and passwords).
9. The principle of dual access
Access to personal data must always be restricted by applying at least two access restrictions of any of the above types.
10. The clean desk principle
After finishing work, no documents or freely accessible data carriers containing personal data may be left on the employee's or contractor's desk. All such documents and media must be locked in cabinets or other lockable storage.
11. The principle of safe destruction of documents and data carriers
Data deletion by destroying documents in paper or electronic form is carried out in accordance with the "secure data deletion procedure".
12. The principle of accountability
The actions of an authorized person or processor in relation to personal data, in particular in IT systems, must always be clearly attributable to exactly one person authorized to process personal data. This means that a given login to an IT system may be assigned to only one person. Two or more people are forbidden to share their logins. Actions recorded in the IT system under a specific user name will always be attributed to the person to whom that user name was assigned. In addition, in accordance with the obligations arising from the GDPR and this Policy, each authorized person must be able to demonstrate that they comply with the GDPR and this Policy.
13. The principle of secrecy and quality of access passwords
Under no circumstances may an access password be disclosed (not to a supervisor, not to the employer, not to any other person, not even to public officials). The password must be changed on the same day it is received from the system administrator. The password must be at least 8 characters long and include an uppercase letter, a lowercase letter, a digit and a special character.
IV. Rules for entrusting the processing of personal data to third parties
1. Use of processing agreements
Where a service contract is concluded that involves entrusting the processing of personal data to the service provider, a written contract entrusting the processing must be concluded in accordance with Article 28 of the GDPR.
2. Duties and responsibilities of processors
When drawing up a contract entrusting the processing of personal data, the following matters must be set out:
a) the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the administrator and the processor;
b) the processor processes personal data only on documented instructions from the administrator, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor informs the administrator of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
c) the processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
d) the processor takes all measures required pursuant to Article 32 of the GDPR;
e) the processor does not engage another processor without the prior specific or general written authorization of the administrator. In the case of general written authorization, the processor informs the administrator of any intended changes concerning the addition or replacement of other processors, thereby giving the administrator the opportunity to object to such changes;
f) where the processor engages another processor to carry out specific processing activities on behalf of the administrator, the same data protection obligations as set out in the contract or other legal act between the administrator and the processor are imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the administrator for the performance of that other processor's obligations;
g) the processor, taking into account the nature of the processing, assists the administrator by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the administrator's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
h) the processor assists the administrator in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the processor;
i) the processor, at the choice of the administrator, deletes or returns all the personal data to the administrator after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
j) the processor makes available to the administrator all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allows for and contributes to audits, including inspections, conducted by the administrator or another auditor mandated by the administrator.
3. Supervision of processors
The administrator is obliged to monitor, personally or through a designated employee, whether the processor complies with the requirements of the concluded contract entrusting the processing of personal data.
4. Audit of processors
Every contract entrusting the processing of personal data must contain a clause providing for the possibility of verifying (auditing) the compliance of the processing of the entrusted data with the contract and with applicable law. Such an audit may be carried out by a person authorized in writing by the administrator.
5. Verification of processors
Every processor must be verified in accordance with the vendor verification procedure before the processing agreement is signed.
V. Technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of the processed data
1. Organizational measures for personal data protection
In order to strengthen oversight of the processing of personal data, the organizational data protection measures described in this chapter have been introduced.
2. Internal training
Each person authorized to process personal data is required to complete at least one classroom or e-learning training course per year on personal data protection legislation.
3. Implementation of policies and procedures
The Personal Data Security Policy provides the basis for developing and implementing further personal data protection procedures, the proposed list of which is presented in paragraph 9.
4. Planning a backup of personal data sets
Personal data processed in IT systems are protected by backup systems controlled by the Management Board or the IT provider. These systems create backups according to a schedule set by the Management Board or the IT provider.
5. Minimum technical measures for personal data protection
The technical data protection measures described in this section apply to sets of personal data, although not every measure applies to every set. Depending on the category, type, nature and purpose of the processing, adequate security measures are applied to ensure that the processing complies with the requirements of the GDPR.
a. Physical security measures
1) Access to the premises where sets of personal data are processed is controlled by an access system with locked doors.
2) The premises where sets of personal data are processed are protected against the consequences of fire by a fire suppression system and/or a stand-alone fire extinguisher.
b. Measures securing the information and telecommunications infrastructure
1) Access to the operating system of a computer on which personal data are processed is protected by an authentication process using a user ID and password.
2) System mechanisms are used that enforce periodic password changes.
3) Cryptographic measures are applied to protect personal data transmitted over telecommunications networks.
4) Protection against malicious software such as worms, viruses, Trojan horses and rootkits is used.
5) A firewall is used to protect access to the computer network.
6. Security measures in the IT software used by the administrator
1) Measures have been implemented to define access rights to specified ranges of data.
2) Access to personal data requires authentication using a user ID and password.
3) Cryptographic means of personal data protection are used.
4) Screen savers are installed on workstations where personal data are processed.
5) A mechanism automatically locks access to the IT system used for processing personal data after a prolonged period of user inactivity.