PERSONAL DATA SECURITY POLICY

Biernacki InteGREATing Spółka Komandytowo-Akcyjna

Ul. Słowackiego 20/15

60-823 Poznań

  1. The following definitions are used in this Security Policy

    1. Administrator - Biernacki InteGREATing Spółka Komandytowo-Akcyjna, acting as the controller of personal data within the meaning of the GDPR (the terms "Administrator" and "Controller" are used interchangeably in this Policy)

    2. Personal data - any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

    3. Confidentiality of data - protection of personal data against access by unauthorized persons

    4. Processing of personal data - any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

    5. GDPR (Polish: RODO) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

    6. Act - the Personal Data Protection Act of May 10, 2018

    7. IT system - a set of cooperating devices, programs, information-processing procedures and software tools used for data processing

    8. Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed

    9. Data subject's request - a request by a natural person to exercise their rights under the GDPR

    10. Data subject - the natural person to whom the personal data relate; also referred to in this Policy as the data owner

    11. Accountability - the ability of the Administrator to demonstrate compliance with the provisions on the protection of personal data, including the GDPR and the Act

    12. Policy - this document, the Personal Data Security Policy

  2. General rules regarding the security of personal data processed

    1. The purpose of the Security Policy is to establish and set out the rules that must be followed in order to ensure the protection, confidentiality and integrity of personal data.

    2. The purpose of the Security Policy is to aggregate and describe the technical and organizational safeguards used in the Administrator's structures to protect personal data.

    3. The Security Policy also documents the Administrator's accountability with regard to the application of the provisions on the protection of personal data and is the basis for implementing other procedures and safeguards.

    4. The legal basis for this Policy is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as well as the Personal Data Protection Act of May 10, 2018.

  3. Obligation to process data in accordance with the law

    1. The Administrator processes personal data only on the basis of one of the legal grounds for processing specified in Art. 6 GDPR (and, where special categories of personal data are concerned, one of the conditions specified in Art. 9 GDPR).

    2. The Administrator is obliged to identify and record the legal basis under the GDPR on which each processing operation is carried out.

    3. When collecting personal data directly from the data owner, the Administrator is obliged to inform the data owner at the time of collection (e.g. by presenting an appropriate information clause), in accordance with Art. 13 GDPR and the Privacy Policy.

    4. When personal data are obtained from third parties, the data owner must be informed about the circumstances of the processing promptly after the data are recorded, within the time limits and in the manner set out in Art. 14 GDPR.

    5. Where IT systems that collect personal data automatically are used, it must be ensured that the system itself provides the information referred to in points 3 and 4 above.

  4. Entrusting the processing of personal data

    1. If the Administrator uses the services of a third party that will process personal data on behalf of the Administrator (a processor), it must be ensured, before any personal data are transferred to that entity, that a Personal Data Processing Agreement has been concluded with it and that the entity has been verified in accordance with the Processor Selection Procedure.

  5. Fulfillment of data access requests

    1. If the data owner submits, orally or in writing (regardless of whether on paper or electronically), a request for access to or a copy of their data, data portability, erasure, rectification, restriction of processing or updating of their data, an objection to processing, or a withdrawal of consent, the request must be handled without undue delay and in any event within 30 days, in accordance with the Data Subject Request Handling Procedure.

    2. If the Administrator is able to demonstrate that it is not in a position to identify the data subject, it informs the data subject accordingly, if possible. Only in such a case may the Administrator refuse to act on a request of the data subject to exercise the rights under Art. 15-22 GDPR (Art. 12(2) GDPR), unless the data subject provides additional information enabling their identification.

  6. Complaints about the processing of personal data / applications

    1. A written complaint or request (regardless of the form of delivery or its title) sent by the data owner to the Administrator must be handled without undue delay and no later than 30 days from the date of receipt.

    2. A response to a complaint or request is given in writing (by registered mail) if the complainant provided an address for service; in the absence of such an address, it is given by the same channel through which the complaint or request was submitted, unless the applicant requested a different form.

  7. Rules for the processing of personal data by the Administrator

    1. Principle of lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a manner transparent to the data subject. Processing personal data without a legal basis is not allowed. Before processing a new category of personal data, or processing data for a new purpose, the legal basis for that processing must be determined.

    2. Principle of purpose limitation. Personal data must be processed only for a specific and clearly defined purpose, and the data owner must be informed of this purpose. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

    3. Principle of data minimisation. Only as much data as is adequate to achieve the purpose may be collected. Data may not be collected "in reserve" on the grounds that they may be "useful" in the future. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

    4. Principle of accuracy. All persons authorised to process data, and all processors, are responsible for the substantive accuracy of the data. Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

    5. Principle of storage limitation. Personal data may be processed only for as long as the purpose of processing exists or as required by law. Personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed.

    6. Principle of integrity and confidentiality. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

    7. Principle of restricted access. Access to personal data must always be restricted to authorised persons only. The restriction may be organisational (e.g. procedures), physical (e.g. locks) or IT-based (e.g. user accounts and passwords).

    8. Principle of double protection. Access to personal data must always be restricted by at least two access restrictions of any kind (e.g. a lockable door and a lockable cabinet).

    9. Clean desk principle. After finishing work, no documents or portable IT media containing personal data may be left on the desk. All such documents and media must be locked in cabinets.

    10. Principle of password secrecy and quality. Under no circumstances may an access password be disclosed to anyone. A password must be changed at least once every 90 days, unless the system requires an earlier change, and immediately if there is any suspicion that it has been disclosed. A password must be at least 8 characters long and contain an upper-case letter, a lower-case letter, a digit and a special character.

  8. Technical and organizational measures applied by the Administrator

    1. In order to strengthen supervision over the processing of personal data, organisational data protection measures have been introduced (listed in a separate security statement).

    2. Personal data processed in IT systems are protected by backup systems supervised by the Administrator and, where applicable, by the IT system supplier.

    3. Each IT system used by the Administrator ensures that operations on personal data can be attributed to the user who performed them. This applies both to the application layer and to the database layer of the system.

    4. When purchasing a new IT system, the Administrator ensures that the purchase specification includes a requirement that the supplier meet the requirements regarding the integrity, confidentiality and accountability of data entry and use in the system.

    5. Depending on the category, type, nature and purpose of the processing of personal data, adequate technical security measures are applied, including physical protection measures and IT infrastructure protection measures (described in a separate security statement).

  9. List of places where personal data are processed

    1. Currently, all personal data of the company's clients and associates are stored exclusively in electronic form, in the systems listed in section 10 below.

    2. Access to these systems is secured with two layers of encryption.

  10. List of IT software used for the processing of personal data

    1. Microsoft 365, Binteg.onmicrosoft.com

    2. iCloud by Apple Inc. - customer data and documentation

    3. Dropbox, Inc., San Francisco, California, USA - customer data and documentation
