General information

This document describes the rules regarding the security of personal data at MULTIBED MIESZKANIA SP. Z O.O.
The document describes the application of technical and organizational measures ensuring protection of processed personal data appropriate to the threats and categories of data protected.

In particular, it pays attention to securing data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the above-mentioned Regulation, and change, loss, damage or destruction.
The document indicates how to proceed in the event of a personal data security breach and is intended for persons employed and authorized to process this data.

The security policy was developed on the basis of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Definitions

The terms used in this document mean:

1) “Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

2) “personal data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

3) “processing” means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, distributing or otherwise making available, aligning or combining, restricting, deleting or destroying;

4) “restriction of processing” means the marking of stored personal data with the aim of limiting their future processing;

5) “data deletion” means the destruction of personal data or their modification in such a way that it will not allow determining the identity of the data subject;

6) ‘data confidentiality’ means the property ensuring that data are not made available to unauthorized entities;

7) “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, credibility, behavior, location or movements;

8) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

9) ‘dataset’ means an organized set of personal data accessible according to specific criteria, whether that set is centralized, decentralized or functionally or geographically dispersed;

10) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

11) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

12) ‘recipient’ means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a specific procedure in accordance with Union or Member State law shall not be considered as recipients; the processing of these data by these public authorities must comply with the data protection rules applicable to the purposes of the processing;

13) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the authority of the controller or processor, are permitted to process personal data;

14) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies his agreement to the processing of personal data relating to him;

15) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed;

16) ‘representative’ means a natural or legal person established in the Union who is designated in writing by the controller or processor pursuant to Article 27 to represent the controller or processor in their obligations under this Regulation;

17) ‘entrepreneur’ means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations engaged in a regular economic activity;

18) ‘supervisory authority’ means an independent public authority established by a Member State in accordance with Article 51;

19) ‘third country’ means a country not belonging to the European Economic Area;

20) “identifier” means a string of letters, digits or other characters uniquely identifying the person authorized to process personal data in the IT system;

21) “password” means a string of letters, digits or other characters known only to a person authorized to work in the IT System;

22) ‘authentication’ means an activity whose purpose is to verify the claimed identity of an entity;

23) ‘database management system’ means a software system containing mechanisms ensuring data consistency and security, efficient access to data, programming means for data processing, simultaneous access to data for many users, means for regulating access to data, and means for restoring the database content after a failure;

24) “IT system” means a set of interconnected elements: servers with operating systems, database management systems, databases, software (utility programs), end devices (computers, terminals, portable devices, printers) and devices used for communication between hardware elements of the system;

25) “data security in the IT system” means the implementation and operation of appropriate technical and organizational measures ensuring protection of data against unauthorized processing;

26) ‘technical and organizational measures’ means the technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of personal data processed;

27) “telecommunications network” means a telecommunications network within the meaning of Art. 2 point 23 of the Act of 21 July 2000 – Telecommunications Law (Journal of Laws No. 73, item 852, as amended);

28) “internet” means a public network within the meaning of Art. 2 point 22 of the Act of 21 July 2000 – Telecommunications Law;

29) ‘teletransmission’ means the transmission of information via a telecommunications network;

Data controller

The personal data administrator carries out tasks in the field of personal data protection, in particular:

1) implements appropriate technical and organizational measures to ensure that the processing of personal data is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are taken taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights and freedoms of natural persons with varying likelihood and severity. They are also reviewed and updated as necessary.

2) implements appropriate technical and organizational measures so that by default only the personal data that are necessary to achieve each specific purpose of processing are processed (amount of personal data collected, scope of their processing, period of their storage and their availability). In particular, these measures shall ensure that, by default, personal data are not made available to an indefinite number of natural persons without the intervention of an individual.

3) implements appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and to provide the processing with the necessary safeguards to comply with the requirements of this Regulation and to protect the rights of data subjects. These measures are taken into account when determining the methods of processing and during the processing itself, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of violating the rights and freedoms of natural persons with varying probability of occurrence and the severity of the threat resulting from processing.

4) Keeps records of persons authorized to process personal data;

5) Keeps records of concluded contracts for entrusting processing;

6) Maintains a register of breaches.

Technical and organizational measures

The data controller meets the requirements for the protection of personal data contained in the regulation.
Action taken:
1) Risk analysis and risk management plan prepared before the development of the security policy and updated periodically (at least once a year) for each of the resources involved in the company’s processes, in accordance with Annex No. 1.

2) Limiting access to personal data only to persons who have been trained and granted authorizations, as confirmed by the register of persons authorized to process in Annex 8.

3) Data processing outside the controller is permitted only by processing entities that meet the requirements of the regulation and with which appropriate contracts have been concluded, included in the register in Annex 10.

4) A personal data security policy has been developed and implemented

The following measures are used to ensure confidentiality, integrity and accountability of processed data:

Organizational measures

1) Allowing data to be processed only by persons holding an authorization granted by the data controller

2) A register is kept of persons authorized to process personal data

3) Training of persons employed in data processing in the field of:
· provisions regarding the protection of personal data
· IT systems security

4) Obligation of persons employed in the processing of personal data to keep it confidential by signing appropriate declarations

5) Arranging computer screens so that unauthorized persons cannot view their content, especially not opposite the entrance to the room

6) Leaving the workstation only after activating the screen saver or locking the workstation in another way

7) Not leaving documents, data carriers and equipment unattended in hotels and other public places and in cars

8) Deleting data from portable drives after use

9) Not writing down the password required for authentication in the system on paper or other media, and not leaving it in a visible place

10) Destroying all printouts containing personal data in a shredder before leaving the workplace, at the end of the working day

11) Not leaving unauthorized persons in the room where personal data is processed without the presence of a person authorized to process personal data

12) Hiding all files containing personal data in cabinets before leaving the workplace, after the end of the working day;

13) Placing apartment keys in the designated place after the end of the working day;

14) Destruction of physically damaged media before discarding them

15) Not reusing single-sided printed sheets to prepare draft documents if they contain protected data. It is recommended, however, to print drafts of letters and prepare documents double-sided;

16) Shredding printouts containing personal data after use. This activity should be performed every day before finishing work. If possible, such printouts should not be kept on the desk during the day or taken outside the data controller’s office.

Technical measures

1) SON IT system used to process personal data:

· records changes made to personal data files by the user
· regulates the scope of authorizations to process individual files for each employee
· requires authentication using an ID and password to log in and update data

2) The following are used on computers where personal data are processed:
· protection against unauthorized access (password required)
· automatic screensavers activated after a long period of user inactivity, requiring the user to re-enter the password
· automatic operating system update and security update installed and activated

Physical protective equipment

1) Specification of the office in Wrocław where the personal data collection is processed:
· secured with a standard door fitted with a new lock
· outside working hours, the room is locked
· 24-hour security supervision of the building, including entry to the property
· protected against the effects of fire by a fire protection system

2) The collection of personal data in paper form is stored in a regular cabinet in a closed room in the office and company headquarters

3) Backup/archive copies of personal data files in paper form are stored electronically in the Google cloud with password-controlled access.

4) Documents containing personal data are destroyed mechanically once they expire, using shredders, one of which is located in each office.

Risk analysis and treatment

1) The Administrator performs periodic (at least once a year) risk analysis for resources involved in data processing.

2) The likelihood and seriousness of the risk of violating the rights and freedoms of the data subject are determined by the controller by reference to the nature, scope, context and purposes of data processing. Risk is estimated based on an objective assessment in accordance with the Risk Analysis and Risk Management Plan sheet constituting Appendix 1.

3) As a result of the analysis, the controller determines whether data processing operations involve risk or high risk.

4) Based on the results of the risk analysis, the administrator makes decisions on how to deal with the risk and defines a risk management plan aimed at minimizing it.

Data protection impact assessment

1) Before starting processing, the Administrator assesses the effects of planned processing operations on the protection of personal data if a given type of processing, due to its nature, scope, context and purposes, is likely to result in a high risk of violating the rights and freedoms of natural persons. A single assessment may be carried out for similar data processing operations involving a similar high risk. Before performing the assessment, the controller verifies whether a given type of processing is included in the list of types of processing for which a data protection impact assessment is required, published by the supervisory authority.

2) The Administrator performs periodic (at least once a year) verification of the data protection impact assessment for processes in which previous verification has shown a high probability of a high violation of the rights and freedoms of natural persons. In addition, an impact assessment is performed when there is a significant change in the processing operation, e.g. when a new technology has been introduced, personal data are used for another purpose or the data controller has decided to start transferring these data to a third country.

Default protection of personal data

1) Before starting a new process and at the stage of designing a new product/service, the administrator carries out an impact assessment on the protection of personal data, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of violating the rights and freedoms of natural persons with varying likelihood of occurrence and severity of the risks arising from processing.

2) The Administrator implements appropriate technical and organizational measures so that only the personal data necessary to achieve each specific processing purpose are processed by default. This particularly applies to the amount of personal data collected, the scope of their processing, the period of their storage and their availability. In particular, these measures shall ensure that, by default, personal data are not made available to an indefinite number of natural persons without the intervention of an individual.

3) The Administrator periodically (at least once a year) conducts an assessment of the impact on personal data protection as well as a risk analysis and risk management plan for all processes and all products/services in the company.

Cooperation with processors

1) Processing by the processor takes place on the basis of an agreement entrusting the processing of personal data in accordance with Annex No. 9.

2) Processing entities carrying out processing on behalf of the controller must provide sufficient guarantees of implementing appropriate technical and organizational measures so that the processing meets the requirements of the Regulation and protects the rights of data subjects.

3) The data controller verifies the compliance of the processing entity with the Regulation before signing the contract and periodically, at least once per month.

Obtaining personal data

1) In the case of obtaining data directly from the data subject, the controller shall provide the information necessary to ensure fair and transparent processing in accordance with Annex 12, Part A.

2) In the case of obtaining personal data in a way other than from the data subject, the controller provides the information necessary to ensure fair and transparent processing in accordance with Annex 12, Part B.
The information is transferred:
a) within a reasonable period of time after obtaining personal data (no later than within a month),
b) at the latest at the first such communication with the data subject, if the personal data are to be used for communication with the data subject,
c) at the latest upon their first disclosure if it is planned to disclose personal data to another recipient.

3) In the case of processing personal data for a purpose other than the purpose for which the data was obtained, before further processing, the data subject shall be informed about this other purpose and provided with any other relevant information referred to in the Regulation.

Incident management

1) In the event of a breach of personal data protection, the administrator shall immediately secure the data, document the circumstances and verify whether the breach resulted in a risk of violating the rights and freedoms of natural persons.

2) If a breach of personal data protection may result in a risk of violating the rights and freedoms of natural persons, the controller shall, without undue delay and no later than 72 hours after discovering the breach, report it to the supervisory authority competent in accordance with Art. 55 of the regulation.

3) Where a breach of personal data protection may result in a high risk to the rights and freedoms of the natural persons who are data subjects, the controller shall notify the data subject of such breach without undue delay.

4) The Administrator documents all personal data protection breaches, including the circumstances of the personal data protection breach, its effects and the remedial actions taken.

5) After each personal data protection breach, the administrator verifies the threats and safeguards of the process in which the incident occurred and takes remedial actions to prevent or minimize the likelihood of its recurrence.

Exercise of the rights of data subjects

1) The administrator, in accordance with the regulation, immediately implements the rights of data subjects:
· the right to access data
· the right to rectify data
· the right to delete data (“right to be forgotten”)
· the right to restrict processing
· the right to transfer data
· the right to information about recipients to whom the administrator has disclosed personal data
· the right to object to the processing of their personal data
· the right not to be subject to decisions based solely on automated processing

2) The Administrator considers each notification of the data subject and considers it individually in accordance with the protocol in Annex 15.

3) The administrator refuses to exercise the rights of data subjects if the conditions described in the regulation do not occur. Each refusal must be justified on a legal basis under the regulation.

4) The Administrator informs each recipient to whom personal data has been disclosed about rectification or deletion of personal data or restriction of processing, unless it turns out to be impossible or requires a disproportionate effort.

Final Provisions

1) All persons authorized to process personal data are obliged to apply the provisions contained in this Security Policy.

2) In matters not regulated in this Security Policy, the provisions of the regulation shall apply.

3) This Personal Data Security Policy is valid from the date of its approval by the data administrator.