Privacy Policy
SECURITY POLICY FOR PROCESSING PERSONAL DATA AND MANAGEMENT INSTRUCTIONS FOR INFORMATION SYSTEMS PROCESSING PERSONAL DATA AT PROGRESSIVE Ltd.
INTRODUCTION
Implementing the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the national laws of the Republic of Poland, this document introduces a set of rules and established practices that regulate the management, protection and distribution of sensitive information in order to ensure the protection of personal data.
Chapter 1
General provisions
Whenever the document refers to:
- "personal data" - means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
- "Processing" shall mean an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying;
- "Restriction of processing" is to be understood as the marking of stored personal data in order to limit its future processing;
- "Profiling" shall mean any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyze or forecast aspects of that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
- "Pseudonymization" is to be understood as the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is covered by technical and organizational measures that prevent its attribution to an identified or identifiable natural person;
- "Dataset" means an organized set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed;
- "Processor" shall mean a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
- "Administrator" or "Personal Data Administrator (ADO)" - refers to PROGRESSIVE Sp. z o.o., headquartered in Wrocław at 5 Sosnowiecka Street.
- "Administrator for Personal Data Security (ABDO)" - shall mean the person designated by the Administrator's Board of Directors to coordinate all matters relating to the protection of personal data.
- "Recipient" shall be understood to mean a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific proceeding in accordance with Union or Member State law are not considered recipients.
- "Third party" shall mean a natural or legal person, public authority, entity or body other than the data subject, controller, processor or persons who, under the authority of the controller or processor, may process personal data;
- "Consent of the data subject" shall be understood as a voluntary, specific, informed and unambiguous indication of will by which the data subject, in the form of a statement or a clear affirmative action, consents to the processing of personal data concerning him or her;
- "Personal data breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed;
- "Biometric data" shall mean personal data that result from special technical processing, relating to physical, physiological or behavioral characteristics of a natural person and enable or confirm the unique identification of that person, such as facial image or dactyloscopic data;
- "Health data" shall mean personal data about an individual's physical or mental health - including the use of health care services - revealing information about the individual's health status;
- "Processing area" shall mean buildings, premises or parts of premises in which personal data are processed.
- "Personal data set" means an organized set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.
- "description of the structure of the collection" means a description of personal data sets indicating the content of individual information fields and the relationship between them.
- "description of data flow" shall be understood as a description of the flow of personal data between collections.
- "Technical and organizational measures" shall mean the technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of the processed data.
- "Security procedures" shall be understood as procedures aimed at securing the processed personal data.
Chapter 2
Principles regarding the processing of personal data
Personal data shall be:
- processed lawfully, fairly and transparently to the data subject ("lawfulness, fairness and transparency");
- collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research or for statistical purposes shall not be considered incompatible with the original purposes ("purpose limitation");
- adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization");
- accurate and, where necessary, kept up to date; all reasonable measures shall be taken to ensure that personal data that is inaccurate in light of the purposes of its processing is promptly deleted or corrected ("correctness");
- kept in a form that allows identification of the data subject for no longer than necessary for the purposes for which the data are processed; personal data may be kept for longer periods as long as they are processed exclusively for archival purposes in the public interest, for scientific or historical research, or for statistical purposes, provided that appropriate technical and organizational measures required by law are implemented to protect the rights and freedoms of data subjects ("storage limitation");
- processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures ("integrity and confidentiality").
- Any person processing personal data under the authority of the Controller shall be responsible (to the extent of the personal data processed by him or her) for compliance with the above principles and must be able to demonstrate such compliance ("accountability").
Chapter 3
Basis for data processing
- The Administrator will only process personal data if at least one of the following conditions is met:
- the data subject has consented to the processing of his or her personal data for one or more specified purposes;
- processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract;
- processing is necessary for the fulfillment of a legal obligation incumbent on the controller - if such an obligation arises under European Union or national law;
- processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party (where such an interest derives from European Union law or national law), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person, or data concerning the health, sexuality or sexual orientation of that person, is permitted only if:
- the data subject has expressly consented to the processing of such personal data for one or more specific purposes;
- processing is necessary for the fulfillment of obligations and the exercise of specific rights by the controller or the data subject in the field of labor law, social security and social protection;
- the processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
- the processing concerns personal data obviously made public by the data subject;
- processing is necessary for the purposes of preventive health or occupational medicine, assessment of an employee's fitness for work, medical diagnosis, provision of health care or social security, treatment or management of health care or social security systems and services.
Chapter 4
Change in the purpose of processing
If the processing for a purpose other than the purpose for which the personal data were collected is not based on the data subject's consent or on European Union or national law, the controller, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data were originally collected, takes into account, among other things:
- any relationship between the purposes for which the personal data was collected and the purposes of the intended further processing;
- the context in which the personal data were collected, in particular the relationship between the data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 of the RODO, or personal data relating to criminal convictions and violations of law in accordance with Article 10 of the RODO;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymization.
Chapter 5
Dealing with data subjects
- The controller shall take appropriate measures to provide the data subject with all information required by law in a concise, transparent, comprehensible and easily accessible form, in clear and simple language, and to conduct all communications with him/her required by law on processing.
- Information shall be provided in writing or by other means, including, where appropriate, electronically.
- Information for the administrator's employees will be provided electronically (using the company's e-mail box). At the request of an employee, information will be provided in writing.
- If the data subject so requests, the information may be provided verbally, as long as there is no doubt about his or her identity.
- The controller shall, without undue delay - and in any case within one month of receipt of the request - provide the data subject with information on the actions taken in connection with the request made by him/her. If necessary, this deadline may be extended for another two months due to the complexity of the request or the number of requests.
- Within one month of receipt of the request, the controller shall inform the data subject of such extension, stating the reasons for the delay.
- If the data subject has transmitted his request electronically, as far as possible the information shall also be transmitted electronically, unless the data subject requests another form.
- If the controller fails to act on the data subject's request, it shall promptly - no later than one month after receipt of the request - inform the data subject of the reasons for the failure to act and of the possibility of lodging a complaint with the supervisory authority and pursuing legal remedies before a court. In such a situation, the legal counsel of the controller should be contacted in each case.
- Communications and information provided to the data subject are free of charge.
Chapter 6
Information provided to the data subject
- In the case of collection of personal data from a data subject, such person shall - during data acquisition - be provided with the information specified in Appendix No. 6.1.
- In the case of obtaining personal data by means other than from the data subject, the data subject shall be provided with the information specified in Appendix No. 6.2. This information should be provided:
- within a reasonable period of time after obtaining the personal data, and within a month at the latest, having regard to the specific circumstances of the processing;
- if the personal data are to be used for communication with the data subject, at the latest at the first such communication with the data subject; or
- if it is planned to disclose the personal data to another recipient, no later than the first such disclosure.
- If it is planned to further process personal data for a purpose other than the purpose for which the personal data was collected, the data subject must be informed of the new purpose before such further processing.
Chapter 7
Access to data
- The data subject is entitled to obtain confirmation from the controller as to whether or not personal data relating to him or her is being processed, and if this is the case, he or she is entitled to obtain access to it and the following information regarding it:
- processing purposes;
- categories of relevant personal data;
- information about recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- the planned period of storage of personal data, and when this is not possible, the criteria for determining this period;
- information about the right to request from the controller rectification, erasure or restriction of the processing of personal data concerning him or her, and to object to such processing;
- information about the right to file a complaint with the supervisory authority;
- if the personal data was not collected from the data subject - any available information about its source.
- If personal data is transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards related to the transfer.
- At the request of the data subject, the controller shall provide him/her with a copy of the personal data being processed. If the data subject requests a copy by electronic means, and unless he or she indicates otherwise, the information shall be provided by common electronic means.
Chapter 8
Correction of data
The data subject has the right to request from the controller the immediate rectification of personal data concerning him/her that is inaccurate and, taking into account the purposes of the processing, the completion of incomplete personal data.
Chapter 9
Data deletion
- The data subject has the right to demand from the controller the immediate erasure of personal data concerning him/her, and the controller is obliged to erase the personal data without undue delay if:
- personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject has withdrawn consent for processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- If a controller has made personal data public, and is required by applicable law to delete such personal data, the controller shall, taking into account available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers processing such personal data that the data subject requests that such controllers delete any links to such data, copies of such personal data, or replications thereof.
Chapter 10
Limitation of processing
The data subject has the right to request the controller to restrict processing in the following cases:
- the data subject questions the accuracy of the personal data - for a period that allows the controller to verify the accuracy of the data;
- processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead a restriction on its use;
- the controller no longer needs the personal data for the purposes of processing, but they are needed by the data subject to establish, assert or defend claims;
- the data subject has objected to the processing - until it is determined whether the legitimate grounds on the part of the controller override the grounds of the data subject's objection.
Chapter 11
Objection to processing
- The data subject has the right to object at any time to the processing of personal data concerning him/her.
- If personal data is processed for direct marketing or recruitment purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, to the extent that the processing is related to such direct marketing or recruitment.
- If the data subject objects to processing for direct marketing or recruitment purposes, the personal data may no longer be processed for such purposes.
- At the latest on the occasion of the first communication with the data subject, he or she shall be clearly informed of the right to object to the processing.
Chapter 12
Administrator
- The controller, in order to adequately protect personal data and ensure that the processing is carried out in accordance with the law, may:
- Appoint a Personal Data Security Administrator.
- Appoint an Information System Administrator.
- In particular, the administrator should:
- Identify and implement appropriate technical and organizational measures (e.g., pseudonymization, data minimization) so that processing is carried out in accordance with the law. These measures should take into account the nature, scope, context and purposes of the processing, as well as the risk of violation of the rights or freedoms of individuals, of varying likelihood and severity.
- Provide the ability to demonstrate that data is processed in accordance with applicable laws ("accountability").
- Review and update the implemented measures; reviews should take place at least once a year and after any change in the law on personal data protection - these reviews should involve the heads of personal data processing units (e.g. HR), the person responsible for the operation of the IT infrastructure and, if necessary, the Administrator's legal services.
- Enforce the Security Policy for the processing of personal data and the Management Manual for the information system that processes personal data.
- Issue and cancel authorizations to process personal data to persons who are to process such data.
- Keep records of persons authorized to process personal data.
- Keep records of personal data sets with a description of the software used to process them, how data flows between systems, and a description of the security measures used.
- Maintain a description of the structure of the datasets with a description of the information fields and links between them. (Annex No. 12.6)
- Keep records of statements of consent for processing of personal data of data subjects. (Annex No. 12.7)
- Keep a register of personal data processing activities.
- Draw up Regulations for the Protection of Personal Data. (Appendix No. 12.9)
Chapter 13
Technical and organizational measures
- The following organizational safeguards are in place to protect personal data and ensure its processing in accordance with the law:
- A Security Policy for the Processing of Personal Data and a Management Instruction for the Information System Processing Personal Data have been developed and implemented.
- Only persons who need access to personal data in order to perform their job duties ("need to know") and who at the same time hold valid authorizations to process personal data are allowed to process it.
- Records are kept of persons authorized to process personal data.
- Authorized persons have been trained in data protection and information system security.
- Persons with authorizations have made a statement on the confidentiality of the personal data processed.
- Personal data is processed under conditions that protect it from unauthorized access.
- The presence of unauthorized persons in the processing area is possible only in the presence of authorized persons and under conditions that ensure the security of personal data.
- The following physical safeguards are used to protect personal data:
- Paper personal data is stored in lockable furniture.
- Document and media shredders are available in the processing area.
- The following hardware safeguards of the IT and telecommunications infrastructure are used to protect personal data:
- The server or computers on which the processed personal data reside are protected by a UPS.
- Access to the computers on which personal data is stored is by providing a login and password or access card.
- Remote access to personal data via the Internet is provided over an encrypted SSL VPN (OpenVPN) connection and requires a login and password.
- An antivirus system and firewall are used on computers that hold personal data.
Chapter 14
Procedures to ensure security of personal data
- Procedure for granting authority to process personal data:
- Authorization to process personal data is granted by the Administrator.
- Before granting authorization to process personal data, a person is trained in data protection and familiarized with the security rules of the information system.
- A person authorized to process personal data shall sign a statement of confidentiality of personal data to which he has access.
- Methods and measures to secure access to personal data:
- Passwords for access to personal data must not be common names.
- The authorized person undertakes to keep the password for access to personal data confidential and to change it immediately in case of disclosure.
- It is forbidden to store the password openly or to transfer it to others.
- The password is changed semi-automatically or manually every 30 days by authorized persons.
- The password consists of at least 8 characters, including upper- and lower-case letters and digits or special characters.
- The procedure for starting, suspending and terminating work that requires the processing of personal data:
- The authorized person logs into the system or computer program using a login and password.
- The authorized person is required to inform the Information System Administrator of unauthorized attempts to log into the system or program if the system or program monitors such occurrences.
- The authorized person is obliged to prevent unauthorized persons from seeing the personal data displayed on the monitor screen or in the paper version.
- A person authorized to process personal data is required, when temporarily leaving the workplace, to run a password-protected screen saver or log out of the system and remove printouts with personal data from the desk.
- At the end of work, the authorized person is required to log off or turn off the computer and remove from the desk any media containing personal data as well as secure the room against break-in, flooding, fire or other risk of unauthorized disclosure or destruction of documents or media containing personal data.
- Backup procedure:
- Depending on the volume and growth of personal data, backups are made no more often than once every 1 day and no less often than once every 1 month.
- Electronic backups of personal data may be stored on an external data storage medium secured in accordance with organizational safeguards.
- The person making the backups is obliged to mark them and check the consistency of the data and the possibility of restoration.
- Backups shall be kept for no less than 1 year and no more than 6 years.
- After the storage period expires, the backups are permanently destroyed or anonymized.
- Procedure for storing personal data carriers in paper and electronic form. Personal data carriers such as:
- laptop/computer,
- mobile phone/smartphone,
- flash drive/memory card,
- external hard drive,
- CD/DVD/BR,
- paper printouts
are stored in a way that prevents unauthorized access to them and protects them from accidental damage.
- Authorized persons are required to permanently destroy/dispose of personal data after the purpose of processing ceases.
- It is forbidden to take personal data outside the processing area without the consent of the Personal Data Security Administrator or the Administrator, and if such consent is obtained and it is necessary to process data outside the Administrator's premises, authorized persons shall be required to ensure at least the same security conditions for personal data processing as apply at the Administrator's premises.
- Personal data sent electronically outside the processing area must be password protected.
- It is forbidden to transfer data carriers containing personal data to external entities without the consent of the Administrator.
Chapter 15
Register of activities
(effective upon compliance with the requirements set forth in Article 30 of RODO)
- A register of data processing activities shall be kept, specifying in particular:
- Purpose of data processing.
- Description of categories of data subjects and categories of personal data.
- Categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries.
- Details of the transfer of personal data to a third country, including the name of the third country and the entity to which the data was transferred and documentation of the relevant safeguards.
- Planned deadlines for deletion of particular categories of data - if it is possible to determine these deadlines.
- The register will be kept in written form, including electronic form.
Chapter 16
Cases of data protection violations
- In the situation of a suspected or identified case of a personal data breach, any person subject to this procedure shall immediately inform the Personal Data Security Administrator.
- If possible, the report should state:
- the nature of the breach, including, if possible, an indication of the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
- the possible consequences of the data protection breach;
- the available measures that can remedy the data protection breach or minimize its negative effects.
- The Personal Data Security Administrator shall document all data protection breaches, including the circumstances of the breach, its consequences, and the remedial actions taken.
- The Personal Data Security Administrator, after reviewing the notification, may decide whether it is necessary to notify the Inspector General for Personal Data Protection or other competent supervisory authority of the breach, as well as the data subjects.
Chapter 17
Control procedures and employee training
- Audits of compliance with applicable data protection rules are conducted at least once a year.
- A written report is drawn up from each audit, which forms the basis for updating the procedures and this document.
- Once a year, employee update training on data protection is conducted.
- Each employee is trained individually before receiving authorization.
- Any repair or maintenance of computer equipment containing personal data or of the premises constituting the processing area may be carried out only under the supervision of authorized persons.
Chapter 18
Final provisions
- All procedures and rules described in this document shall be followed by persons authorized to process personal data, with particular regard to the welfare of data subjects.
- This Policy applies to the processing of personal data by fully or partially automated means and to the processing by non-automated means of personal data that are part of a data set or intended to be part of a data set.
- Entrusting the processing of personal data to an external entity may be done only by means of a written agreement, provided that the entity meets at least the same security conditions for the processing of personal data as the Administrator.