Personal Data Security Policy

Binding at the limited partnership Syneo.pl with its registered office in Bydgoszcz at 246/1006 Fordońska Street, entered into the Register of Entrepreneurs kept by the District Court in Bydgoszcz, XIII Commercial Division of the National Court Register, under number 0000671620, NIP 5542948235, represented by its General Partner Syneo.pl Spółka z o.o., represented by the President of the Management Board, Karol Chęciński.
§ 1 Purpose and subject matter of the personal data security policy
1. The purpose of the Personal Data Security Policy introduced at Syneo.pl sp. z o.o. sp. k. in Bydgoszcz is to define the principles of processing, protecting and sharing the personal data collected and processed in the enterprise run by the company, hereinafter referred to as Syneo.pl, as well as active supervision of the processing of personal data in accordance with applicable law;
2. The personal data security policy at Syneo.pl applies to all persons performing any tasks for and on behalf of Syneo.pl, regardless of the legal basis for performing these tasks and the position held at Syneo.pl, as well as in other entities cooperating with Syneo.pl.
§ 3 Legal basis for the personal data security policy
This Policy has been developed on the basis of:
1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR; referred to in this Policy as RODO);
2) the Act of 15 July 1987 on the Commissioner for Citizens' Rights (Journal of Laws of 2018, item 650);
3) the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2018, items 138 and 723);
4) Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and the technical and organizational conditions which should be met by devices and IT systems used to process personal data (Journal of Laws 2004 No. 100, item 1024), issued on the basis of art. 39a of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2002 No. 101, item 926 and No. 153, item 1271; of 2004 No. 25, item 219 and No. 33, item 285).
§ 5 Tasks of the Personal Data Administrator
I. Tasks of the personal data administrator:
1. The data controller is obliged to apply technical and organizational measures ensuring the protection of the personal data being processed, appropriate to the threats and the categories of data protected; in particular, it should protect data against access by unauthorized persons, processing in violation of the Act, and change, loss, damage or destruction.
2. The data controller is obliged to ensure that personal data are:
1) processed lawfully, fairly and transparently for the data subject;
2) collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with those purposes;
3) adequate, relevant and limited to what is necessary for the purposes for which they are processed;
4) correct and, if necessary, updated, so all reasonable measures must be taken
II. Tasks of the IOD
1. The IOD appointed by Syneo.pl is responsible for the security of the IT system in which personal data are processed;
2. The duties of the IOD include:
1) performing the tasks defined in RODO, in particular in the provisions of art. 39 par. 1 RODO;
2) supervision of compliance with the Personal Data Security Policy and with all documents and legal provisions on which the Policy is based, as well as management of the IT system used to process personal data;
3) supervision and control of the IT systems used to process personal data and of the persons employed in them;
4) supervision over the proper security of the equipment and rooms in which personal data are processed;
5) supervision of the software used at Syneo.pl and its legality;
6) counteracting access of unauthorized persons to the system in which personal data are processed;
7) taking appropriate measures to ensure proper data protection and ongoing updating of security systems;
8) examining possible breaches of the personal data security system;
9) reporting violations found to the competent authority in accordance with art. 33 RODO;
10) making decisions on installing new devices and software used to process personal data;
11) supervision over the repair, maintenance and disposal of computer devices containing personal data;
12) defining access passwords;
13) updating anti-virus and other software aimed at achieving the objectives of the Policy;
14) making backup copies, storing them and periodically checking them for their further usefulness, where they need to be created;
15) carrying out, or ensuring the delivery of, internal training in the field of personal data protection and the technical and organizational measures for processing data in information systems;
16) preparing reports on breaches of the security of the IT system and of the system for storing and securing personal data collected and recorded in a form other than electronic;
17) ensuring the protection and security of the personal data contained in the Syneo.pl IT system and in traditional data sets, with particular emphasis on the data of individuals;
18) immediately notifying the Data Administrator, or a person authorized by him or her, of any breach of the provisions of the Act on the Protection of Personal Data;
19) undertaking, in accordance with the Policy, appropriate actions in the event of detecting unauthorized access to the database or a breach of the security of the data contained in the IT system and of personal data collected and recorded in a form other than electronic;
20) ensuring the physical security of the IT system and of the system for storing and securing personal data collected and recorded in a form other than electronic;
21) ensuring the safety of all devices operating in the Syneo.pl system;
22) ensuring that the information systems and databases containing personal data are accessed only by authorized persons;
3. The IOD keeps a record of the persons authorized to process personal data, which includes:
a) name and surname of the authorized person;
b) the date of the authorization;
c) the date when the authorization ceased;
d) work station of the authorized person;
e) signature of the authorized person, confirming that all documents regulating the security of personal data processing at Syneo.pl have been read;
III. Tasks of employees, co-workers and entities cooperating with Syneo.pl:
1. All employees, associates and entities cooperating with Syneo.pl (hereinafter collectively referred to as "employees") are required to comply with the provisions of this Policy and any other documents implementing the objectives of the Policy;
2. Before being allowed to work on the processing of personal data, each employee is obliged to read the provisions on the protection of personal data, including this Policy. Familiarization is confirmed by a personally signed statement. The statement should be included in the employee's files or in the documents relating to another basis for the provision of services at Syneo.pl;
3. Employees are obliged to care for the security of the data entrusted to them for processing, archiving or storage, in accordance with the Security Policy in force at the facility, including, but not limited to:
1) protecting data against unauthorized access,
2) protecting data against accidental destruction, loss or modification,
3) protecting all media containing personal data, in particular magnetic and optical media, semiconductor memory devices and all types of printouts and documents, against unauthorized access and accidental destruction,
4) keeping secrets, their frequency and technological details confidential, also after termination of employment at Syneo.pl;
4. Employees are prohibited from:
1) disclosing data, including personal data contained in the supported systems,
2) copying databases or parts thereof without express authorization,
3) processing data in a manner different from that resulting from applicable law;
5. Employees are obliged to assist the IOD and to implement its recommendations when carrying out tasks related to the protection of personal data;
6. Cases of unjustified failure to fulfil obligations under this Policy may be treated as a serious breach of employee duties or grossly improper performance of an obligation, in particular by a person who did not notify the IOD of the infringement.
§ 6 Scope of application
1. This Policy applies to the processing of all personal data processed by Syneo.pl in all kinds of files, indexes, books, lists and other records, as well as in the IT systems at Syneo.pl's disposal;
2. A list of the buildings, rooms or parts of rooms forming the area in which personal data are processed is an attachment to the Policy;
3. A list of personal data files, together with an indication of the computer programs used for data processing, constitutes an attachment to the Policy;
4. The record of persons authorized to process personal data is attached to the Policy;
5. Regardless of the rights and obligations set out in this Policy, the processing of personal data contained in the documentation and databases maintained at Syneo.pl takes place within the scope and according to the principles defined in generally applicable regulations, in particular in the provisions specifying:
a) the basis for the processing of personal data;
b) the scope of the personal data collected and processed;
c) the form of processing personal data;
d) the basis and scope of sharing the personal data held by Syneo.pl, and the entities authorized to access these personal data;
e) the period of processing and storage of these personal data.
6. Personal data processed in IT systems are stored on servers located at the headquarters of Syneo.pl in the building at ul. Fordońska 246/1006;
7. In relation to personal data of employees, associates and other entities cooperating with Syneo.pl, as well as other data at Syneo.pl's disposal, processing may be conducted on the basis of a separate contract for entrusting the processing of personal data, using specialized software at the disposal of the entity processing the entrusted data which, on the order of Syneo.pl, provides accounting and bookkeeping services. The above does not preclude entrusting data to other entities on the basis of a separate entrustment agreement.
§ 7 Breach of the Personal Data Security Policy
1. For the purposes of this Policy, Syneo.pl determines that events that violate or threaten the security of personal data are divided into:
a) external threats, in particular fire, flood or loss of power supply, which may lead to loss of data integrity, destruction of or damage to the technical infrastructure of the system, and disruption of its operation;
b) internal threats, in particular errors of employees or the IOD, hardware failures and software errors, which may lead to data destruction, disrupt the continuity of the system's operation, or compromise the confidentiality or integrity of data;
c) intentional threats, which may consist of unauthorized access to the system from inside, unauthorized transmission of data, deterioration of the quality of hardware and software, and direct threats to the material components of the system.
2. Cases classified as a breach, or reasonable suspicion of a breach, of personal data protection, including the security of the IT system in which personal data are processed, are in particular:
a) random situations and the unforeseen impact of external factors on system resources, in particular fire, flooding of premises or construction disaster;
b) gross violation of work discipline in the field of compliance with information security procedures, including those for personal data, in particular working on personal data for private purposes, not locking the room in which a computer or a device or piece of equipment for storing personal data is located, incorrect logout or failure to log out of the system;
c) improper environmental parameters in which computer equipment works, in particular excessive humidity or temperature, or shocks or vibrations from industrial devices;
d) failure of hardware, software or a device or item of equipment for storing personal data, in particular personal documentation, which clearly indicates intentional action towards a breach of security or data protection, as well as improper operation of the website;
e) the quality of the data in the system or another deviation from the expected state indicating system disturbances or other extraordinary and undesirable modification in the system;
f) a breach or attempted breach of the integrity of the system or of a database in this system;
g) an attempt to modify, or the modification of, data or a change in the data structure without appropriate authorization or contrary to the law;
h) unacceptable manipulation of personal data in the system;
i) disclosing to unauthorized persons personal data, processing procedures or other elements of the security system;
j) deviations from the assumed work rhythm indicating a failure or a failure to protect personal data, including work at a computer or in the network by a person who is not formally authorized to operate it, or a signal about persistent unauthorized login attempts;
k) the existence of unauthorized data access accounts;
3. Irregularities in the protection of the places and devices used to store personal data on paper media, printouts or other external electronic media of such data shall also be considered a breach of data protection.
§ 8 Methods of protecting personal data
1. The basic method of securing data processed in the IT system, and access to them, at Syneo.pl is the system of defining logins and passwords for persons authorized to process personal data. These are software (logical) protections built into the operated systems that prevent access to the system by unauthorized persons;
2. The basic method of securing data processed in written form, i.e. on paper data carriers, including personal documentation, is to restrict access to them by physical security measures (limiting access to the rooms, cabinets or other office furniture in which these documents are stored) and by organizational measures (granting, verifying and controlling access to these data by authorized employees);
3. Logging in to the IT system requires a login and password. Each authorized employee independently sets and changes his or her system password; passwords can also be changed by the direct supervisor and the managing person;
4. The IOD has access to all logins and passwords used by all employees;
5. System passwords should be changed at least every 90 days;
6. On every computer operating in the system that has access to the Internet, an antivirus program is installed that is adequate to the degree of threat and the significance of the protected data;
7. Printouts containing personal data should be kept in a place that prevents unauthorized access.
§ 9 Personal data protection procedure
1. Before commencing work, the user is obliged to check whether the condition of the devices, both the computer and the room and devices for storing data on paper media, indicates a breach or attempted breach of personal data protection;
2. Users may leave only after logging out of the system. They are also obliged to log out of the system when leaving the workstation temporarily; a deviation from this rule is possible only in justified circumstances;
3. If use of personal data by unauthorized persons, or a breach of the security of access to the system, is detected, anyone who has found the above violation should notify the IOD immediately.
§ 10 Backup procedure
1. Personal data processed in the IT system are secured by backing up the data sets and the programs used for data processing;
2. Every employee or the IOD is responsible for making backup copies that make it possible to restore the system to working order. They are stored on the server and on external media. Syneo.pl stores the external media outside the data processing area referred to in the annex containing the list of buildings and rooms;
3. Backup copies on magnetic media are erased immediately after their usefulness has ceased, in such a way that their content cannot be restored.
§ 11 Control of personal data protection
1. As part of monitoring and controlling the system, the following activities should be carried out above all:
a) periodically checking backups for recoverability;
b) checking the records of magnetic and optical media;
c) checking the frequency of password changes;
d) ongoing control of data protection procedures;
2. The IOD carries out inspections and evaluates the security of personal data;
3. Moreover, not less than once every six months, the IOD analyzes the threats to the personal data collected by Syneo.pl. The conclusions from the analysis are included in a report prepared by the IOD.
§ 12 Rules for dealing with devices handed over to third parties
1. Devices, discs or other electronic data carriers containing personal data that are intended for:
a) disposal shall first be cleared of such data and, if this is not possible, shall be damaged in a way that makes reading them impossible;
b) transfer to a person not authorized to process the data shall first be cleared of the data in a way that prevents their recovery;
c) repair shall first be cleared of the data in a way that prevents their recovery, or shall be repaired under the supervision of a person authorized by the Administrator, or the confidentiality of the data shall be guaranteed in another way;
2. Printouts containing personal data are, after use, destroyed in a way that makes it impossible to read the data on them.
§ 13 Responsibilities in the event of a detected policy violation
1. Any person performing any tasks for or on behalf of Syneo.pl who finds or suspects a breach of the security of personal data protection is obliged to inform the IOD and the Data Administrator about this immediately;
2. The obligation referred to in para. 1 also applies when the state of a device, the content of a personal data file, the disclosed working methods, the way a program works or the quality of network communication with respect to electronic data sets may indicate a breach of the security of these data;
3. A person performing any task in the processing of personal data who has obtained information about, or has found, a breach of the security of a personal database in an IT system or of a data set processed on paper media is obliged to immediately notify the IOD and, in his absence, the Data Administrator;
4. The IOD should in the first instance:
a) determine all circumstances connected with the incident, in particular the exact time at which information about the breach of personal data protection was obtained and the time of independent detection of this fact;
b) immediately generate and print (if system resources allow it) all possible documents and reports that can help in determining the circumstances of the event, date and sign them, identify the type of incident and, in particular, determine the scale of the violation and the method by which the unauthorized person accessed the personal data;
c) immediately take further appropriate steps to stop or limit the unauthorized person's access to data, minimize damage and secure the traces of the interference, in particular by:
I) physically disconnecting devices and network segments that could allow the unauthorized person access to the database, in particular via external access;
II) temporarily limiting the access of some persons to personal data processed on paper media, including personal documentation, verifying the rights to process such personal data, and checking and verifying the established rules for the circulation of documents containing personal data;
III) changing the password of the account through which illegal access was obtained, in order to avoid a second break-in attempt;
6. After eliminating the immediate threat, the IOD should carry out a preliminary analysis of the state of the IT system in order to confirm or exclude a personal data breach;
7. To this end, the IOD should check in particular:
a) the condition of the devices used to process personal data;
b) the content of the personal data file;
c) the way the program works;
d) the quality of communication in the network;
e) the possible presence of computer viruses;
8. After carrying out the above activities, the IOD should conduct a detailed analysis of the state of the IT system, including identification of:
a) the type of event;
b) the method by which the unauthorized person accessed the data;
c) the scale of the damage;
9. After normal operation of the personal data processing system has been restored, if the database or a traditional file has been damaged, it must be restored from available sources, including the latest backup, with all precautions to avoid the unauthorized person gaining access to it again;
10. After restoring the proper state of the personal database, a detailed analysis of the reason for the breach of personal data protection should be carried out and steps should be taken to eliminate similar events in the future. If the reason was:
a) an error by a person performing any tasks in the processing of personal data in an IT system, training of the persons involved in data processing should be carried out;
b) activation of a virus, its source should be determined and antivirus protection installed, or the status of the existing safeguards checked;
c) negligence on the part of a person carrying out any tasks in the processing of personal data, appropriate consequences should be drawn;
d) a break-in in order to obtain a personal database, a detailed analysis of the security measures implemented should be undertaken to ensure effective protection of personal data;
e) the bad condition of a device, including devices for storing data recorded on paper carriers, or the way a program works, inspection and servicing activities should be carried out immediately;
11. The IOD is obliged to prepare a detailed report on the causes and course of, and conclusions from, the incident;
12. The IOD shall immediately provide this report to the Data Administrator and, in the event of his absence, to the person authorized by the Administrator;
13. In the event of a breach of personal data protection, the IOD shall, without undue delay and, where possible, within no more than 72 hours after the breach has been found, report it to the supervisory authority competent in accordance with art. 55 RODO, unless it is unlikely that the breach would result in a risk to the rights or freedoms of natural persons. A notification submitted to the supervisory authority after 72 hours shall be accompanied by an explanation of the reasons for the delay, in accordance with art. 33 RODO;
14. The notification referred to in § 13 item 13 should contain:
a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned;
b) the name and contact details of the IOD, or another contact point from which more information can be obtained;
c) a description of the likely consequences of the personal data breach;
d) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
§ 14 Documenting the implementation of the Policy objectives
1. The register of personal data processing activities referred to in art. 30 para. 1 RODO constitutes an attachment to the Policy;
2. The register referred to in § 14 para. 1 is kept in writing and in electronic form;
3. The register of all categories of processing activities performed by employees on behalf of the Data Administrator, referred to in art. 30 para. 2 RODO, constitutes an attachment to the Policy;
4. The register referred to in § 14 para. 3 is kept in writing and in electronic form;
5. The record of violations or suspected violations of the security of personal data processing referred to in art. 33 para. 5 RODO constitutes an attachment to the Policy.