Privacy policy
Personal Data Protection Policy in the company:
Podlaskie Zakłady Zbożowe S.A.,
ul. Elewatorska 14, 15-959 Białystok,
NIP: 542-26-62-269, KRS: 0000038920
INTRODUCTION
The Personal Data Protection Policy is a document describing the personal data protection principles applied by the Administrator to meet the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (RODO).
The Policy is one of the organizational measures to demonstrate that the processing of personal data is carried out in accordance with the above Regulation.
1. Data inventory, legal compliance, authorizations
1.1 Data inventory
1. Personal data requiring protection are listed in Annex 01a List of personal data sets.
2. The list includes collections with an identified potential risk of violating the rights or freedoms of individuals.
3. Each collection shall be described in such a way as to make it possible to conduct a risk analysis;
4. The description of the collections shall include such information as:
a. the name of the collection;
b. description of the purposes of processing;
c. the nature, scope and context of the processing and the personal data documented;
d. recipients;
e. a functional description of the processing operations;
f. assets used to process personal data (information, programs, operating systems, IT infrastructure, other infrastructure, employees and associates, outsourcing);
g. information on the need to enter the collection in the register of processing operations;
h. information on the need to conduct an impact assessment for the collection.
1.2 Compliance with the law
1.2.1 The Administrator shall ensure that:
1. the data are lawfully processed (based on Articles 6 and 9);
2. personal data are adequate in relation to the purposes of processing;
3. personal data are processed for a specific period of time (data retention);
4. the so-called “information obligation” (Articles 12, 13, and 14) has been carried out with respect to the persons whose data are processed by the controller, together with the indication of their rights (e.g., the right of access to data, portability, rectification, erasure, restriction of processing, objection);
5. data protection is ensured in the case of entrustment of data processing in the form of entrustment agreements with processors (Article 28).
1.2.2 Confirmation of the lawfulness of the personal data processed in the collections can be found in Appendix 01a List of Personal Data Collections.
1.2.3 For information clauses, see Appendix 01b Information Clauses.
1.3 Authorizations
1. The controller is responsible for granting and cancelling authorizations to process data in paper files and information systems.
2. Each authorized person must process data only on the instructions of the administrator or based on a provision of law.
3. Authorizations for collections are granted at the request of the persons’ superiors. Authorizations specify the scope of operations on data, e.g., creation, deletion, inspection, transfer – see Appendix 01d Authorization to process personal data.
4. Authorizations may be given in the form of orders, e.g., authorization to conduct inspections, audits, perform official activities, documented order of the administrator in the form of an entrustment agreement.
5. The administrator shall keep records of authorized persons to control the proper access to data of authorized persons. The records are ancillary and are not required by the provisions of the RODO. See Appendix 01c Records of authorized persons.
2. Risk analysis / Impact assessment procedure
1. The procedure describes how to conduct a risk analysis to secure personal data adequately to the identified risks.
2. It is assumed that the risk analysis is carried out for a set of personal data or a group of sets characterized by similarity of purposes and means of processing.
3. If an impact assessment is required (Art. 35), the following is required:
a. a systematic description of the planned processing operations and purposes of processing – included in Annex 01a List of personal data sets;
b. an assessment of whether the processing operations are necessary and proportionate to the purposes – contained in Annex 01a List of Personal Data Sets;
c. a risk assessment – contained in Annex 02a Risk Analysis Procedure;
d. measures planned to address the risk, presented in the form of a risk handling plan – see Appendix 02a Risk Analysis Procedure.
3. Instruction for dealing with incidents
The procedure defines a catalog of vulnerabilities and incidents that threaten the security of personal data and describes how to respond to them. Its purpose is to minimize the consequences of security incidents and reduce the risk of threats and incidents occurring in the future.
1. Each person authorized to process personal data is required to notify his or her immediate supervisor (or, if appointed, the Data Protection Officer) of the discovery of a vulnerability or the occurrence of an incident.
2. Typical personal data security vulnerabilities include:
a. inadequate physical security of premises, equipment, and documents;
b. inadequate security of IT equipment and software against leakage, theft and loss of personal data;
c. employees’ failure to follow data protection rules (e.g., failure to follow the clean desk/screen rule, password protection, failure to lock rooms, cabinets, desks).
3. Typical personal data security incidents include:
a. external random events (facility/room fire, water flooding, loss of power, loss of communications);
b. internal random incidents (failures of servers, computers, hard disks, software, mistakes by IT specialists or users, loss of data);
c. intentional incidents (intrusion into the IT system or premises, theft of data/equipment, leakage of information, disclosure of data to unauthorized persons, deliberate destruction of documents/data, viruses, and other malware).
4. In the event of an incident, the Administrator (or, if appointed, the DPO) shall conduct an investigation during which it:
a. determines the scope and causes of the incident and its possible consequences;
b. initiates possible disciplinary action;
c. acts to restore the organization’s operations after the incident;
d. recommends preventive (precautionary) actions to eliminate similar incidents in the future or reduce losses when they occur.
5. The Administrator shall document all personal data protection violations, including the circumstances of the violation, its consequences and the remedial actions taken – see Appendix 03 Incident Registration Form.
6. It is prohibited to cause incidents knowingly or unintentionally by persons authorized to process data.
7. In the event of a breach of personal data protection resulting in a risk of violation of the rights or freedoms of individuals, the controller shall, without undue delay – if possible, no later than 72 hours after the discovery of the breach – report it to the supervisory authority.
Regulations for the Protection of Personal Data
The Regulations are intended to provide persons processing personal data with knowledge of the rules for secure processing. See Appendix 04 Regulations for the Protection of Personal Data. After becoming familiar with the Personal Data Protection Rules, individuals are required to confirm their knowledge of these rules and declare their application, see Appendix 04a Confidentiality Statement.
4. Training
1. Each person shall be trained and familiarized with the provisions of the RODO before being allowed to work with personal data.
2. Training shall be the responsibility of the Administrator.
3. In the case of internal training on the principles of personal data protection, it is advisable to document the completion of this training with Appendix 05a RODO Training Plan.
4. Training materials for trainees have been developed in the form of Appendix 05b RODO Internal Training.
5. After training on the principles of personal data protection, participants are required to confirm their knowledge of these principles and declare their application, see Appendix 04a Confidentiality Statement.
5. Register of processing activities
1. If it is necessary for the Administrator to maintain a register of processing activities, it shall complete Annex 06a Register of Activities Maintained by the Administrator.
2. If it is necessary for the Processor to maintain a register of processing activities, it shall complete Annex 06b Register of Activities Maintained by the Processor.
6. Audits
Pursuant to Article 32 of the RODO, the Administrator shall regularly test, measure, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
For this purpose, the Administrator shall follow an audit procedure – see Appendix 07 Audit Procedure.
7. Procedure for restoring availability of and access to personal data in the event of a physical or technical incident (BCP)
According to Article 32 of the RODO, the Administrator should ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident. The Administrator has developed restoration procedures as described in Appendix 04 Business Continuity Plan.
8. List of safeguards
1. The Administrator shall maintain a list of safeguards it uses to protect personal data, see Appendix Security List.
2. The list shall indicate the procedural safeguards used and the safeguards as technical measures.
3. The list shall be updated after each risk analysis.