SECURITY POLICY

PERSONAL DATA PROCESSING

Part I - Introduction

  1. This "Security Policy" is established under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (EU OJ L.2016.119), hereinafter referred to as the GDPR, with regard to the documentation of the personal data processing and the technological and organisational conditions which shall be met by devices and IT systems used for the personal data processing.
  2. Wherever this document refers to an organisational unit, it should be construed as: the undertaking of EBS Sp. z o.o. with its registered office at ul. Bronisława Czecha 59, 81-586 Warsaw.
  3. The undertaking of EBS Sp. z o.o. with its registered office at ul. Bronisława Czecha 59, 81-586 Warsaw shall be the Personal Data Controller.
  4. The Company Management Board shall apply appropriate measures with a view to ensuring the security of information in the Company.
  5. According to the GDPR, the Personal Data Controller shall implement the Security Policy aimed at observing the rules of personal data protection. The Company shall attend to systematic education of employees in the field of information security. Depending on the position held, employees may participate in training in the field of Personal Data protection, awareness of security problems and specific security aspects.
  6. Where the User uses the EBS Security computer software (application), the Controller shall collect data in the scope necessary to render the individual services within the range of services offered, together with information on the User's activity. The overall operation of the said software shall be the purpose of the personal data processing within the scope defined by the Security Policy.

Part II - Rules for personal data processing and protection

  1. The rules for the personal data processing in the IT system shall be specified in the Procedure for managing the IT system used to process personal data in the undertaking.
  2. Any person having access to the personal data processed in an organisational unit is required to read this document. Each employee shall be responsible for maintaining the confidentiality of the data to which they have been granted access.
  3. Denial of access shall be the default setting in the operational information systems. The Controller shall grant appropriate rights only when the need arises, and only to a person who has to perform work in such a system.
  4. The list of buildings, rooms or parts of rooms forming the area in which personal data are processed, referred to as the "processing area", required by the ordinance, shall be included in the Personal Data Protection System available at the registered office of the undertaking constituting an attachment hereto.
  5. Information security in the IT system shall be construed as ensuring:
    1. confidentiality of information (preventing access to data by third parties),
    2. integrity of information (preventing unauthorised changes in data),
    3. availability of information (providing access to data whenever requested by the user),
    4. accountability of operations performed on information (assuring that a full history of access to data is kept, along with information about who gained such access).
  6. The persons who process personal data in an organisational unit in any form must be authorised in writing to process data by the Personal Data Controller and sign a statement of keeping such data secret.
  7. Any person authorised to process personal data shall hold their own ID and password, allowing them to log into an IT system in which personal data are processed. The technical requirements that must be met by the password have been set out in the Information System Management Procedure available at the premises of the undertaking under the Personal Data Protection System.
  8. Where persons who do not hold authorisation must perform periodic, ad hoc servicing or other works, and they must be granted access to the processing area, they shall sign a declaration of secrecy.
  9. The outsourcing of personal data processing should take place solely under the contract for entrusting the processing of personal data.
  10. Making personal data available to an external entity may take place solely following positive verification of the statutory conditions for the admissibility of granting such access, which shall be construed in particular as a written application of the authorised entity.
  11. The authorised persons shall keep documents containing personal data stored in a paper-based form in the data processing area in cabinets, safes and lockers. If paper-based documents containing personal data must be shredded, their shredding shall be carried out by cutting in a shredder with an appropriate safety certificate.
  12. The supervision over the processing of personal data in the organisational unit shall be exercised by the appointed Personal Data Protection Officer designated by the Company Management Board in consultation with the Personal Data Controller.
  13. The employees of the undertaking shall keep a list of personal data files processed in the organisational unit and, when required by law, submit files for registration to the President of the Office for Personal Data Protection. As part of the supervision over data processing, the appointed Personal Data Protection Officer shall check in particular the objectives, scope of processing, processing time and methods of protecting personal data. The Personal Data Controller shall grant authorisation to personal data processing. The Personal Data Protection Officer shall examine risks pertinent to threats attributable to the processing of personal data in an organisational unit.
  14. Furthermore, the Personal Data Protection Officer shall keep the following lists:
    1. register of persons authorised to process personal data,
    2. list of rooms in which personal data are processed that constitute the processing area,
    3. list of entities and persons pursuing business tasks (employees and self-employed),
    4. list of entities entrusted with personal data for processing.
  15. Persons authorised to process data are required, in particular, to process them in accordance with the applicable provisions, including the Act and the Ordinance, not to disclose them, to prevent unauthorised access to them, and to protect them against damage.
  16. Where an application for granting access to personal data is received from a data subject, the person designated by the Personal Data Controller shall draft a response within 30 days.
  17. The Personal Data Protection Officer appointed in the undertaking shall carry out internal or external security audits from time to time, aimed at detecting possible failures in the implementation of security policy objectives.
  18. In the case of collecting personal data from a data subject, the Personal Data Controller (or a person designated by them) shall notify the subject of:
    1. the address of its registered office and its full name, and where the Personal Data Controller is a natural person – of their place of residence and first name and surname,
    2. the purpose of data collection, and in particular of the recipients or categories of recipients known to them during the provision of information or envisaged,
    3. the right to access their data and to rectify them,
    4. whether giving the data is voluntary or obligatory, and where there is such an obligation, the Controller shall provide the data subject with its legal basis.

Part III - Final provisions

  1. This document shall enter into force on 1 October 2018.
  2. In matters not covered hereunder, the provisions on the documentation of the personal data processing and technological and organisational conditions which shall be met by devices and IT systems used for the personal data processing shall apply.

Krzysztof Stalewski
Personal Data Controller