SECURITY POLICY
OF PERSONAL DATA PROCESSING AND
INSTRUCTION FOR MANAGEMENT OF THE COMPUTER SYSTEM THAT PROCESSES PERSONAL DATA
at PROGRESSIVE Sp. z o.o.
INTRODUCTION
Implementing the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the national laws of the Republic of Poland, a set of rules and practical experience is introduced to regulate the management, protection and distribution of sensitive information allowing to ensure the protection of personal data.
Chapter 1
General provisions
Whenever the document refers to:
- "personal data" - shall mean information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
- "processing" shall mean an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, restricting, erasing or destroying;
- "restriction of processing" shall be understood as the marking of stored personal data for the purpose of limiting its future processing;
- "profiling" shall be understood as, any form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyze or predict aspects relating to that individual's performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements; and
- "pseudonymization" shall mean the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is covered by technical and organizational measures preventing its attribution to an identified or identifiable natural person;
- "data filing system" shall mean an ordered set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed;
- "processor" shall mean a natural or legal person, public authority, entity or other entity that processes personal data on behalf of the controller;
- "Controller" or "Personal Data Administrator (ADO)" - shall mean PROGRESSIVE Sp . z o.o. , headquartered in Wrocław at 5 Sosnowiecka Street.
- "Administrator of Personal Data Security (ABDO)". - shall mean the person designated by the Administrator's Board of Directors to coordinate all matters relating to personal data protection.
- "Recipient" is to be understood as a natural or legal person, public authority, entity or other entity to whom personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific proceeding in accordance with the laws of the Union or a Member State are not considered recipients.
- "Third party" is to be understood as a natural or legal person, public authority, entity or body other than the data subject, controller, processor or persons who, under the authority of the controller or processor, may process personal data;
- "consent of the data subject" shall mean a voluntary, specific, informed and unambiguous demonstration of will by which the data subject, in the form of a statement or explicit affirmative action, consents to the processing of personal data concerning him/her;
- "personal data breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed;
- "biometric data" shall be understood as personal data that results from special technical processing, relating to the physical, physiological or behavioral characteristics of a natural person and enables or confirms the unique identification of that person, such as facial image or dactyloscopic data;
- "health data" shall be understood as personal data about the physical or mental health of an individual - including the use of health care services - revealing information about the individual's health status;
- "processing area" shall be understood as buildings, premises or parts of premises in which personal data are processed.
- "personal data filing system" shall be understood as a structured set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.
- "description of the structure of collections" should be understood as a description of personal data sets indicating the content of individual information fields and the links between them.
- "description of data flow" should be understood as a description of the flow of personal data between sets.
- "technical and organizational measures" should be understood as technical and organizational measures necessary to ensure confidentiality, integrity and accountability of processed data.
- "security procedures" shall mean procedures aimed at securing the processed personal data.
Chapter 2
Principles concerning the processing of personal data:
- Any person processing personal data under the authority of the Administrator shall be responsible (to the extent covering the personal data processed by him/her) for compliance with the above principles and must be able to demonstrate compliance ("accountability").
- Processed lawfully, fairly and transparently for the data subject ("lawfulness, fairness and transparency");
- collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research or for statistical purposes is not considered incompatible with the original purposes ("purpose limitation"); c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization");
- correct and updated as necessary; all reasonable steps must be taken to ensure that personal data that are inaccurate in light of the purposes for which they are processed are promptly deleted or rectified ("accuracy");
- kept in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods as long as they will be processed exclusively for archival purposes in the public interest, for scientific or historical research or for statistical purposes, provided that appropriate technical and organizational measures required by law are implemented to protect the rights and freedoms of data subjects ("retention limitation");
- processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures ("integrity and confidentiality").
Chapter 3
Basis for data processing
- The Administrator will process personal data only if at least one of the following conditions is met:
- the data subject has consented to the processing of his/her personal data for one or more specified purposes;
- processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation incumbent on the controller - if such an obligation arises under European Union law or national law;
- processing is necessary to protect the vital interests of the data subject or another natural person;
- processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party (where such an obligation arises under European Union law or national law), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person, or data concerning the health, sexuality or sexual orientation of that person, is permitted only when:
- the data subject has explicitly consented to the processing of such personal data for one or more specific purposes;
- the processing is necessary for the fulfillment of obligations and the exercise of specific rights by the controller or the data subject in the fields of labor law, social security and social protection;
- the processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
- the processing relates to personal data obviously made public by the data subject;
- the processing is necessary for the purposes of preventive health or occupational medicine, assessment of an employee's fitness for work, medical diagnosis, provision of health care or social security, treatment or management of health care or social security systems and services.
Chapter 4
Change of purpose of processing
If processing for a purpose other than the purpose for which the personal data were collected is not based on the consent of the data subject or on European Union or national law, the controller-to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected-shall take into account, among other things:
- any relationship between the purposes for which the personal data were collected and the purposes of the intended further processing;
- the context in which the personal data were collected, in particular the relationship between the data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 of the RODO, or personal data relating to criminal convictions and violations of law in accordance with Article 10 of the RODO;
- the possible consequences of the intended further processing for data subjects;
- (e)the existence of appropriate safeguards, including encryption or pseudonymization, if any.
Chapter 5
Dealing with data subjects
- The controller shall take appropriate measures to provide the data subject with all information required by law in a concise, transparent, comprehensible and easily accessible form, in clear and simple language, and to conduct all communications with him/her required by law on processing.
- Information shall be provided in writing or by other means, including electronically where appropriate.
- Information for the administrator's employees will be provided electronically (using the company's e-mail box). Upon request by an employee, information will be provided in writing.
- If the data subject so requests, the information may be provided orally, as long as there is no doubt as to the identity of the data subject.
- The controller shall, without undue delay - and in any case within one month of receipt of the request - provide the data subject with information on the actions taken in connection with his request. If necessary, this deadline may be extended for another two months due to the complexity of the request or the number of requests.
- Within one month of receipt of the request, the controller shall inform the data subject of such extension, stating the reasons for the delay.
- If the data subject has transmitted his request electronically, the information shall also be transmitted electronically, if possible, unless the data subject requests another form.
- If the controller does not act on the data subject's request, the controller shall promptly - no later than one month after receipt of the request - inform the data subject of the reasons for the failure to act and of the possibility of lodging a complaint with the supervisory authority and pursuing legal remedies before the courts. In such a situation, the legal counsel of the controller should be contacted in each case.
- Communications and information provided to the data subject are free of charge.
Chapter 6
Information provided to the data subject
- In the case of collection of personal data from a data subject, such data subject shall - during data acquisition - be provided with the information specified in Appendix No. 6.1.
- In the case of obtaining personal data by means other than from the data subject, such person shall be provided with the information specified in Exhibit No. 6.2.
This information must be provided:
- within a reasonable time after the acquisition of personal data - within one month at the latest - taking into account the specific circumstances of the processing of personal data;
- if the personal data are to be used for communication with the data subject - at the latest at the first such communication with the data subject; or
- if it is planned to disclose personal data to another recipient - at the first disclosure at the latest.
- If it is planned to further process personal data for a purpose other than the purpose for which the personal data were collected, the data subject must be informed of the new purpose before such further processing.
Chapter 7
Access to data
- The data subject is entitled to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed, and if this is the case, he or she is entitled to obtain access to the data and the following information regarding:
- the purposes of the processing;
- the categories of personal data involved;
- information about the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- the intended period of storage of the personal data and, where this is not possible, the criteria for determining this period;
- information about the right to request from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her, and to object to such processing;
- information about the right to lodge a complaint with a supervisory authority;
- if the personal data was not collected from the data subject - any available information about its source.
- If personal data is transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards related to the transfer.
- At the request of the data subject, the controller will provide him or her with a copy of the personal data being processed. If the data subject requests a copy by electronic means, and unless he or she indicates otherwise, the information shall be provided by common electronic means.
Chapter 8
Rectification of data
The data subject shall have the right to request from the controller the immediate rectification of personal data concerning him/her that is inaccurate and, taking into account the purposes of the processing, the completion of incomplete personal data.
Chapter 9
Deletion of data
- The data subject has the right to demand from the controller the immediate erasure of personal data concerning him/her, and the controller is obliged to erase the personal data without undue delay if:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject has withdrawn consent for processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- If the controller has made the personal data public, and is required by the applicable regulations to delete the personal data, the controller shall, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform the controllers processing the personal data that the data subject requests that the controllers delete any links to the data, copies of the personal data, or replications of the personal data.
Chapter 10
Restriction of processing
The data subject shall have the right to request the controller to restrict processing in the following cases:
- the data subject disputes the accuracy of the personal data - for a period of time that allows the controller to verify the accuracy of the data;
- the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead a restriction on its use;
- the controller no longer needs the personal data for the purposes of the processing, but they are needed by the data subject to establish, assert or defend claims;
- the data subject has objected to the processing - until it is determined whether the legitimate grounds on the part of the controller override the grounds of the data subject's objection.
Chapter 11
Objection to processing
- The data subject has the right to object to the processing of personal data concerning him or her at any time.
- If personal data are processed for direct marketing or recruitment purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, to the extent that the processing is related to such direct marketing or recruitment.
- If the data subject raises an objection to processing for direct marketing or recruitment purposes, the personal data may no longer be processed for such purposes.
- At the latest on the occasion of the first communication with the data subject, the data subject shall be clearly informed of the right, to object to the processing.
Chapter 12
Administrator
(1) The Administrator, in order to adequately protect personal data and ensure that processing is carried out in accordance with the law, may:
- Appoint a Personal Data Security Administrator.
- Appoint an Information System Administrator.
(2) In particular, the Administrator shall:
- Determine and implement appropriate technical and organizational measures (e.g., pseudonymization, data minimization) to ensure that processing takes place in accordance with the law. These measures should take into account the nature, scope, context and purposes of the processing, as well as the risk of violation of the rights or freedoms of natural persons of varying probability and severity.
- Ensure that it can be demonstrated that data is processed in accordance with applicable laws ("accountability").
- Review and update the implemented measures; reviews should take place at least once a year and after any change in the law on personal data protection - these reviews should involve the heads of personal data processing units (e.g., HR), the person responsible for the operation of the IT infrastructure and, if necessary, the Administrator's legal services.
- Enforce the Personal Data Processing Security Policy and the Management Instruction for the IT system processing personal data.
- Issue and cancel authorizations to process personal data to persons who are to process such data.
- Keep records of persons authorized to process personal data.
- Keep records of personal data sets along with a description of the software used to process them, the way data flows between systems and a description of the security measures used.
- Maintain a description of the structure of data sets with a description of the information fields and links between them. (Annex No. 12.6)
- Keep records of statements of consent for the processing of personal data of data subjects. (Annex No. 12.7)
- Keep a register of personal data processing activities
- Draw up Regulations for the Protection of Personal Data. (Annex No. 12.9)
Chapter 13
Technical and organizational measures
- The following organizational safeguards are in place to protect personal data and ensure its processing in accordance with the law:
- A Security Policy for the Processing of Personal Data and a Management Instruction for the Computer System Processing Personal Data have been developed and implemented.
- Only persons who have the necessary access to the data ("need to know") in order to perform their duties and at the same time have valid authorizations to process personal data are allowed to process the data.
- Records are kept of persons with authorizations to process personal data.
- Persons holding authorizations have been trained in personal data protection and IT system security.
- Persons with authorizations have made a statement on the confidentiality of the personal data processed.
- The processing of personal data is in conditions that protect personal data from access by unauthorized persons.
- The presence of unauthorized persons in the processing area is possible only in the presence of authorized persons and in conditions that ensure the security of personal data.
- The following physical safeguards are used to protect personal data:
- Paper personal data is stored in lockable furniture.
- Document and data media shredders are available in the processing area.
- In order to protect personal data, the following hardware safeguards are applied to the IT and telecommunications infrastructure:
- A UPS is applied to the server or computers on which personal data is processed.
- Access to computers on which personal data is stored is made by providing a login and password or access card.
- Remote access via the Internet to personal data is through an encrypted SSL VPN - Open VPN connection and requires a login and password.
- An anti-virus and firewall system is used on computers where personal data is stored.
Chapter 14
Procedures to ensure the security of personal data
- Procedure for granting authorization to process personal data:
- Authorizations to process personal data are granted by the Administrator.
- Before granting authorization to process personal data, a person shall be trained in the protection of personal data and familiarized with the security rules of the information system.
- A person authorized to process personal data shall sign a statement of confidentiality of the personal data to which he/she has access.
- Methods and measures for securing access to personal data:
- Passwords for access to personal data must not be commonly known proper names.
- The authorized person undertakes to keep the password for access to personal data confidential and to change it immediately in case of disclosure.
- It is forbidden to store the password openly or to transfer it to others.
- The password is changed semi-automatically or manually every 30 days by authorized persons.
- The password shall consist of at least 8 characters, including upper and lower case letters and numbers or special characters.
- Procedure for starting, suspending and terminating work that requires processing of personal data:
- The authorized person logs into the system or computer program using a login and password.
- The authorized person is obliged to inform the Information System Administrator of unauthorized attempts to log into the system or program if the system or program monitors such phenomena.
- The authorized person is obliged to prevent unauthorized persons from viewing the personal data displayed on the monitor screen or in the paper version.
- A person authorized to process personal data is obliged, when temporarily leaving the workplace, to run a password-protected screen saver or log out of the system and remove printouts with personal data from the desk.
- After finishing work, the authorized person is required to log off or turn off the computer and remove any media containing personal data from the desk as well as secure the room against break-in, flooding, fire or other risk of unauthorized disclosure or destruction of documents or media containing personal data.
- Backup procedure:
- Depending on the size of the increase in quantity and capacity of personal data, backups shall be made at intervals no more frequent than 1 day and no less frequent than 1 month.
- Electronic backups of personal data may be stored on an external data storage medium secured in accordance with organizational safeguards.
- The person making the backups is obliged to mark them and check the consistency of the data and the possibility of restoration.
- Backups shall be stored for no less than 1 year and no more than 6 years.
- After the expiration of the storage period, the backups shall be permanently destroyed or anonymized.
- Procedure for storage of personal data media in paper and electronic versions. Personal data media such as:
- Laptop/Computer
- Mobile phone/Smartphone
- Flash drive/memory card
- External hard drive
- CD/DVD/BR
- Paper printout
shall be stored in a manner that prevents access by unauthorized persons as well as protects them from accidental damage.
- Authorized persons are required to permanently destroy/dispose of personal data after the purpose of processing ceases.
- It is forbidden to take personal data outside the processing area without the consent of the Personal Data Security Administrator or the Administrator, and if such consent is obtained and it is necessary to process the data outside the Administrator's premises, authorized persons shall be obliged to ensure at least the same security conditions for personal data processing as apply at the Administrator's premises.
- Personal data sent electronically outside the processing area must be password protected.
- It is prohibited to transfer data carriers containing personal data to external entities without the consent of the Administrator.
Chapter 15
Register of activities
(effective upon compliance with the requirements set forth in Article 30 of the RODO)
- A register of data processing activities shall be maintained, specifying in particular:
- Purpose of data processing.
- Description of categories of data subjects and categories of personal data.
- Categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries.
- Details of the transfer of personal data to a third country, including the name of the third country and the entity to which the data were transferred and documentation of the relevant safeguards.
- Planned deletion dates for each category of data - if it is possible to determine these dates.
- The register will be kept in written form, including electronic form.
Chapter 16
Cases of data protection violations
- In the situation of a suspected or identified case of data protection violation, each person subject to this procedure is obliged to immediately notify the Data Security Administrator.
- If possible, the notification should specify:
- the nature of the breach, including, if possible, an indication of the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
- describe the possible consequences of the personal data breach;
- available measures that may remedy the personal data protection breach or minimize the negative consequences of the breach.
- The Personal Data Security Administrator shall document any personal data breach, including the circumstances of the personal data breach, its consequences, and the remedial measures taken.
- The Personal Data Security Administrator, after reviewing the notification, may decide whether it is necessary to notify the Inspector General for Personal Data Protection or other relevant supervisory authority of the breach, as well as the data subjects.
Chapter 17
Inspection procedures and employee training
- At least once a year, inspections of compliance with the applicable rules on personal data protection shall be carried out.
- A protocol is drawn up from the inspections, which is the basis for updating the procedures and this document.
- Once a year, an update training of employees on personal data protection is conducted.
- Each employee is trained individually before receiving authorization.
- Any repair or maintenance of computer equipment containing personal data or of the premises constituting the processing area may be carried out only under the supervision of authorized persons.
Chapter 18
Final provisions
- All procedures and rules described in this document shall be observed by persons authorized to process personal data, with particular regard to the welfare of data subjects.
- This policy applies to the processing of personal data in a fully or partially automated manner and to the processing in a non-automated manner of personal data that are part of a data set or intended to be part of a data set.
- Entrusting the processing of personal data to an external entity may only be done by means of a written agreement, provided that the entity meets at least the same security conditions for the processing of personal data as the Administrator.