This document has been machine translated. The original legally binding version is available in Polish.
Personal Data Protection Policy at Print Union Sp. z o.o. ("Print Union Limited")
The purpose of the Personal Data Protection Policy, hereinafter referred to as the Policy, is to establish and maintain the required protection of personal data in
accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the Act on Personal Data Protection
(Journal of Laws of 2018, item 1000) in connection with the processing of personal data at Print Union Sp. z o.o. ("Print Union Limited") with its registered office in
Białynin, Production Plant 96-100 Skierniewice, ul. Łowicka 127, e-mail: [email protected].
This Policy applies both to personal data processed in a traditional manner in books, records, lists, and other registration sets and to personal data processed in IT systems. It applies to existing and future sets of personal data. The procedures and principles specified in this document apply to all persons authorized to process personal data, whether employed or otherwise engaged, e.g. volunteers, interns, and trainees. The area of processing of personal data at Print Union Sp. z o.o. ("Print Union Limited") includes the buildings and/or premises located at 96-100 Skierniewice, ul. Łowicka 127.
Terms used in the Personal Data Protection Policy mean:
- Data Controller (DC) - Print Union Sp. z o.o. ("Print Union Limited"),
- IT systems administrator (ITSA) - a person responsible for managing the IT systems used for processing personal data,
- personal data - any information relating to an identified or identifiable natural person,
- processing of personal data - collecting, recording, storing, organizing, modifying, sharing, and erasing personal data, especially in IT systems,
- user - a person authorized to process personal data,
- IT system - a system (devices, tools, programs) in which personal data is processed,
- IT system security - the implementation of administrative, technical, and protective measures against unauthorized access, modification, destruction, or acquisition of personal data, as well as against their loss,
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
- Act on Personal Data Protection - Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000).
1. Principles of processing personal data
1.1. The Data Controller processes personal data:
- lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency"),
- for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation"),
- adequately, relevantly, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"),
- accurately and, where necessary, kept up to date ("accuracy"),
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation"),
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental
loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
1.2. In order to comply with these principles, the data controller processes data lawfully, on the grounds described in Article 6 of the GDPR. Personal data is collected adequately for the processing purposes and processed for a specified period. Towards the individuals whose data is processed, the data controller fulfills the information obligations specified in Article 13 of the GDPR or Article 14 of the GDPR (where the data is obtained other than from the data subject) and informs them of their rights, such as the right to:
- access to data,
- rectification of data,
- erasure of data (right to be forgotten),
- data portability,
- objection to processing,
- restriction of processing,
- lodging a complaint with the supervisory authority,
- objection to being subjected to automated decision-making.
The data controller ensures data protection when using the services of external entities by concluding appropriate entrustment agreements and by using processors that fulfill the obligations arising from the GDPR. In the event of a technical or physical incident, the data controller ensures the ability to quickly restore the availability of and access to personal data.
1.3. The data controller documents compliance with the information obligations by means of information clauses provided to the individuals whose data is processed. In the case of employees, the clauses are presented for signature and placed in the employees' personal files. For customers and contractors, they are provided at the time of concluding the contract and are also displayed in a visible place at the workplace.
2. Authorizations for data processing
The Data Controller ensures that access to personal data at Print Union Sp. z o.o. ("Print Union Limited") is granted only to persons authorized by the DC. Authorizations specify the operations to which users are entitled (i.e. creating, deleting, viewing, or transferring data), the systems in which they may perform them, and for how long. The Data Controller maintains a record of authorized persons. Authorizations for processing personal data may be granted at the request of the user's immediate supervisor.
3. Risk analysis
The Data Controller conducts a risk analysis in order to secure personal data adequately against the identified threats. The analysis is conducted in the event of a threat and periodically every 4 months. The analysis is carried out separately for each set of data, or jointly for several sets with a similar scope of data. If necessary, a data protection impact assessment is carried out in accordance with Article 35 of the GDPR.
4. List of security measures
Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the risk of violating the
rights or freedoms of natural persons with varying likelihood and severity of the risk, the data controller and the data processor implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk.
5. Recording data processing activities
The data controller keeps a register of processing activities. The register includes:
- Name and contact details of the administrator,
- Purposes of processing,
- Description of categories of individuals whose data is concerned, and categories of personal data,
- Categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organizations,
- Where applicable, information about the transfer of personal data to a third country or international organization, including the name of that third country or
organization, and in the case of transfers referred to in Article 49(1) second subparagraph of the GDPR, documentation of appropriate safeguards,
- If possible, planned deadlines for the deletion of specific categories of data,
- If possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the GDPR.
6. Appointment of Data Protection Officer
The Data Controller may, or where required is obliged to, appoint a Data Protection Officer. If a Data Protection Officer is appointed, their tasks include:
- Informing the administrator, data processor, and employees processing personal data about their obligations under the provisions of the GDPR and the Personal Data
Protection Act,
- Monitoring compliance with the GDPR, the Personal Data Protection Act, and the applicable Data Protection Policy in the organization, including division of
responsibilities, awareness-raising activities, training of staff involved in processing operations, and related audits,
- Providing recommendations on the assessment of data protection impact and monitoring its implementation in accordance with Article 35 of the GDPR,
- Cooperating with the supervisory authority, i.e., the President of the Office for Personal Data Protection,
- Acting as a point of contact for the supervisory authority on issues related to processing, including prior consultations, as appropriate,
- Conducting consultations on any other matters.
In the event of appointing a Data Protection Officer, their appointment must be reported to the President of the Office for Personal Data Protection within 14 days from
the date of appointment, indicating the first name, last name, email address, or phone number of the Data Protection Officer.
7. Incident Handling Procedure
The data controller implements a procedure for handling incidents involving breaches of personal data protection. The purpose of this procedure is to fulfill the obligation arising from Article 33 of the GDPR. The procedure defines what constitutes an incident threatening the security of personal data, how to respond to it, and how corrective actions are implemented. Every person authorized to process personal data is obliged to report a suspected or actual incident. Such reports should be made to the immediate superior or the Data Protection Officer.
Notifications are required for:
- inadequate protection of electronic equipment and software against leakage, theft, or loss of personal data, or sharing passwords with unauthorized persons,
- inadequate physical protection of premises, equipment, and documents,
- failure by employees to comply with the principles of personal data protection (e.g., failure to apply the clean desk/clear screen principle, failure to use password protection, failure to lock rooms, cabinets, or desks, keeping written-down passwords in drawers),
- traces on doors, windows, and cabinets indicating an attempted break-in,
- documentation containing personal data being destroyed without using a shredder,
- open doors to rooms, cabinets, where personal data is stored,
- presence of unauthorized persons in the unit,
- incorrect monitor settings or positioning allowing unauthorized persons to view personal data,
- removing personal data in paper and electronic form from the unit without the administrator's authorization,
- server failures, computer failures, hard drive failures, software failures,
- disclosure of personal data to unauthorized persons,
- telephone attempts to obtain personal data by deception,
- theft, loss of computers or CDs, hard drives, pen drives with personal data,
- emails urging the disclosure of an identifier or password,
- computer virus infection or other abnormal computer behavior,
- random events (building fire, water damage, power loss, loss of communication),
- intrusion into the IT system or premises,
- data/equipment theft,
- deliberate destruction of documents.
The IT systems administrator must also be notified. Additionally, the occurrence of the incident, its consequences, and the corrective and remedial actions taken must be documented. If the incident results in a violation of the rights or freedoms of natural persons, the data controller reports it to the President of the Office for Personal Data Protection within 72 hours and, where required, notifies the individuals affected by the incident.
8. Personal Data Protection Regulations and Internal Training
The data controller introduces Personal Data Protection Regulations at Print Union Ltd. in order to give individuals processing personal data full knowledge of the principles of personal data processing in the organization and the associated obligations. Persons who have read the Regulations are obliged to confirm their familiarity with this document and declare their compliance with its principles. Each person should be acquainted with the Regulations before commencing employment. The data controller also provides employees with training on the application of the personal data protection regulations, and attendance should be confirmed in writing.
9. Tasks of the Information System Administrator
The Information System Administrator carries out tasks related to the management and ongoing supervision of the data administrator's information system. In this regard:
- they manage the information system in which personal data is processed, holding administrator access credentials for all workstations and the server,
- they prevent unauthorized access to the information system in which personal data is processed,
- they assign each user an identifier and password for the information system and make any necessary modifications to permissions, as well as delete user accounts in
accordance with the rules specified in the management instruction for the information system used for processing personal data,
- they conduct position-specific training for the user in the use of computer equipment and network resources, familiarize them with the relevant documents in this
area,
- they oversee the operation of user authentication mechanisms and access control to personal data,
- in the event of a breach of the security of the information system, they inform the data administrator/data protection officer of the breach and cooperate with them
in removing the consequences of the breach,
- they maintain detailed documentation of security breaches of personal data processed in the information system,
- they supervise the repair, maintenance, and disposal of computer equipment on which personal data is stored, as well as the creation and storage of backups and periodic verification that the backups remain usable for data recovery in the event of a system failure,
- they take action to ensure a reliable power supply for computers and other equipment affecting the security of data processing, and ensure secure data exchange on the internal network and secure remote transmission.
10. Personal Data Processing Agreements
10.1. In the case of outsourcing the processing of personal data to external entities, the data administrator is obligated to conclude a data processing
agreement. A register of agreements for entrusting the processing of personal data is maintained within the organization.
10.2. The agreement specifies the categories of individuals whose data is concerned, as well as the responsibilities and rights of the data
administrator. Furthermore, it obligates the data processing entity to:
- process personal data only on documented instructions from the administrator - this also applies to the transfer of personal data to a third country or international
organization,
- ensure that individuals authorized to process personal data are bound by confidentiality or are subject to the appropriate statutory obligation of confidentiality,
- take all measures required under Article 32 of the GDPR,
- comply with the conditions for using the services of another data processor,
- assist the administrator in fulfilling the obligation to respond to requests from the data subject regarding the exercise of their rights defined in Chapter III of
the GDPR, through appropriate technical and organizational means,
- assist the administrator in fulfilling the obligations defined in Articles 32-36 of the GDPR,
- erase or return personal data to the administrator and delete all existing copies, unless Union law or the law of a Member State requires the retention of personal
data,
- provide the administrator with all necessary information to demonstrate compliance with the obligations defined in the provisions of the GDPR and enable the
administrator or an auditor authorized by the administrator to conduct audits, including inspections, and contribute to them.
11. Control Activities
Print Union Ltd. exercises supervision and control over the protection of personal data. Control activities are carried out once every quarter. A protocol of the control activities is prepared, providing a detailed description of the scope of the control and the actions taken, together with recommendations and corrective measures. The protocol is signed by the persons conducting the control activities.
12. Responsibility of Individuals Authorized to Process Data
Failure to comply with the Data Protection Policy implemented by the data administrator, the principles of which are defined in this document, and the violation of data
protection procedures by employees authorized to process personal data may be treated as a serious breach of employment duties.