Privacy policy

General information
This privacy policy has been translated from Polish (company is based in Bielsko Biała, Poland) to English by Google Translate.

Bielsko – Biała, dated May 25, 2018

PERSONAL DATA PROTECTION POLICY IN ŁUKASZ KUBIAK, BARTOSZ MOSKAŁA IMAGINATION S. C. WITH ITS REGISTERED OFFICE IN BIELSKO-BIAŁA

This document entitled „Personal data protection policy” is a personal data protection policy within the meaning of Regulation (EU) 2016/679 of the European Parliament of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (general regulation on data protection) (OJ L 119, p. 1).

definitions:

  1. Administrator – means any natural or legal person, public body, unit or other entity that independently or jointly with others sets the purposes and means of processing personal data, in this case the administrator is:
    1.1. Łukasz Kubiak, who has the identification number NIP: 9372421530, the address for delivery: ul. 1 May 15, 43-300 Bielsko – Biała,
    1.2. Bartosz Moskała, holder of an NIP identifier: 5471969542, delivery address: ul. 1 May 15, 43-300 Bielsko – Biała, partners of the civil partnership: Łukasz Kubiak, Bartosz Moskała IMAGINATION s. c. with headquarters in Bielsko – Biala, ul. 1 Maja 15, 43-300 Bielsko – Biała, with a NIP number: 5472119627, REGON: 241554619;
  2. Data – personal data, ie all information regarding an identified or identifiable natural person;
  3. Sensitive data – special data and criminal data;
  4. Special data – data listed in art. 9 par. 1 RODO, i.e. personal data revealing racial or ethnic origin, political views, religious or ideological beliefs, trade-union membership, genetic or biometric data to uniquely identify a natural person or data on health, sexuality or sexual orientation;
  5. Penalty data – data listed in art. 10 GDP, ie data on convictions and violations of law;
  6. Data of children – data of persons under 16 years of age;
  7. EEA – European Economic Area;
  8. IOD – Inspector of Personal Data Protection;
  9. Violation of Data Protection – means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to Data transmitted, stored or otherwise processed;
  10. Processing entity – an organization or person entrusted by the Administrator with the processing of personal data;
  11. Policy – this Policy for the protection of personal data, unless it is otherwise clear from the context;
  12. Profiling – any form of automated processing of personal data, which involves the use of personal data to assess some of the personal person’s personal factors, in particular to analyze or forecast aspects of the effects of the work of that individual, its economic situation, health, personal preferences, interests, credibility, behavior, location or movement;
  13. Data Processing – any operations performed on Data, such as collection, recording, storage, development, modification, sharing and deletion in a traditional form and in information systems;
  14. Pseudonymisation – means the processing of personal data in such a way that it can no longer be assigned to a specific data subject without the use of additional information, provided that such additional information is kept separately and is covered by technical and organizational measures that prevent them from being identified or identified an identifiable natural person;
  15. RODO – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (general regulation on data protection ) (OJ EU L 119, p. 1);
  16. Applicable Data Protection Regulations – means the GDP and any national legislation governing the processing of Data applicable to the Administrator, including any future national or European legislation replacing such legislation;
  17. Consignee – means any natural or legal person, public body, unit or other entity to whom personal data are disclosed, regardless of whether it is a third party. Public bodies which may receive personal data in the context of a specific proceeding under Union law or the law of a Member State shall not, however, be considered as recipients; the processing of these data by these public authorities must be in accordance with the data protection rules applicable to the purposes of the processing;
  18. Supervisory Authority – means an independent public authority set up by a Member State in accordance with Article 51 GROSS;
  19. Register – Register of Personal Data Processing.

General provisions

The Policy applies to all Data processed at the Administrator, regardless of the form of their processing (traditionally processed files, information systems) and whether data is or can be processed in data files.
The policy is stored in an electronic version and in a paper version at the Administrator’s office.
The policy is made available to persons authorized to process personal data at their request, as well as to persons to whom authorization to process personal data is to be granted, in order to get acquainted with its content.
Responsible for the implementation, maintenance and application of this Policy and for the supervision and monitoring of its compliance are the partners of a civil partnership: Łukasz Kubiak, Bartosz Moskała IMAGINATION s. C. With headquarters in Bielsko-Biała.

Data processing area
The area in which the data is processed includes office premises of the Administrator’s office at the following address: ul. 1 Maja 15, 43-300 Bielsko – Biała.
In addition, the area in which the Data is processed are all portable computers and other data carriers located outside the area indicated above, in particular located in the Administrator’s showrooms.

General rules regarding the processing of Data with the Administrator

Processing Data Administrator takes care of:
Legalism – Administrator takes care of privacy protection and processes data in accordance with the law;
Security – The Administrator ensures an appropriate level of Data Processing security while taking permanent action in accordance with art. 32 RHODE.
Rights of data subjects – the Administrator enables people whose data is processed to exercise their rights and implements these rights;
Accountability – the Administrator documents the ways of fulfilling his obligations to be able to show their compliance at any time.
The data must be:
processed in accordance with the law, fairly and transparently for the data subject („legality, integrity and transparency”);
collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with these purposes („purpose limitation”);
adequate, relevant and limited to what is necessary for the purposes for which they are processed („data minimization”);
correct and updated as necessary; all reasonable steps must be taken to ensure that Data that is incorrect in view of the purposes for which it was processed is immediately removed or corrected (’regularity’);
kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed; Data may be stored for a longer period, provided that they are processed only for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that appropriate technical and organizational measures required by the REDO are implemented to protect the rights and the freedom of data subjects (’storage restriction’);
processed in a manner that ensures adequate data security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures („integrity and confidentiality”).

Data Protection Organization

The Administrator identifies data resources processed in the company’s data category, categories of recipients and identification of the use of Data (Data inventory), including in particular in the scope of:
Sensitive data processing;
data processing of children;
profiling;
shared data administration;
cross-border processing;
transfer of Data to a third country.
The Administrator develops, maintains and maintains a Register of Data Processing Activities. The Registry is a tool for accounting for compliance with data protection in the company.
The Administrator verifies the legal grounds for data processing and registers them in the Register, including:
maintains a system for managing consents to data processing and communication by means of electronic communication, in particular electronic mail, and the use of telecommunications terminal equipment and automated calling systems for direct marketing purposes,
inventories data processing cases where processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject before concluding the contract;
inventories data processing cases, where processing is necessary to fulfill the legal obligation imposed on the administrator;
inventories data processing cases where processing is necessary to protect the vital interests of the data subject or another natural person;
inventories data processing cases, where processing is necessary to perform a task carried out in the public interest or in the exercise of public authority entrusted to the administrator
Inventory and justify the cases of data processing based on the Administrator’s legitimate interest.

In a situation where the company acts as a Processing Entity, the Administrator develops, maintains and maintains a Category Data Processing Registry for other administrators.
The administrator fulfills the information obligations towards the persons whose data he processes, and ensures the service of their rights, implementing the requests received in this regard, including in particular:
in the case of the data subject, the information obligation is performed in accordance with the source of obtaining the Data pursuant to art. 13 and 14 RODO;
The administrator verifies and ensures the possibility of effective execution of any type of request by itself and entities processing Data on its behalf;
The administrator provides appropriate procedures so that the requests of persons whose data relates to them are carried out on dates and in the manner required by the GDPR and properly documented;
The Administrator uses procedures to determine the need to notify people affected by an identified breach of Data protection and undertakes remedial actions.
Data protection in the design phase and default data protection:
The Administrator takes into account the protection of Data and privacy at every stage of their processing. When planning new processing activities, the Administrator analyzes their consequences for Data protection and takes into account data protection issues. To this end, the procedures for launching new projects and investments in the company take into account the need to assess the impact of the change on Data protection, ensuring privacy already at the design stage of change, investment or at the beginning of a new project;
The Administrator processes only the Data that is necessary to achieve each specific processing purpose. This obligation refers to the amount of personal data collected, the scope of their processing, the period of their storage and their availability. Therefore, the Administrator cares about giving the technical layer of the Administrator’s projects a form ensuring the collection of data to the extent necessary to provide the Administrator’s services.
The Administrator ensures an adequate level of data processing security in accordance with art. 32 RHODE.

Entrusting the processing of personal data

The Administrator may entrust the processing of Data to another entity only by means of a contract or other legal instrument, in accordance with the requirements indicated for such contracts or other legal instruments in art. 28 THE RHODE.
If the processing is to be performed on behalf of the Administrator, it only uses the services of such processors that provide sufficient guarantees to implement the appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the data subjects.
Before entrusting the processing of personal data, the Administrator, as far as possible, obtains information about the current practices of the processor regarding the protection of personal data.
The model contract for entrusting the processing of Data is attached as Appendix 1 to this Policy.

Transmission of data to third countries

The Administrator will not transfer or allow the transfer of Data outside the EEA (ie outside the EU, Norway, Liechtenstein, and Iceland) except in situations where:
this occurs at the request of the data subject;
The Administrator will take the necessary measures to ensure that the transfer complies with the applicable Data Protection Regulations. The measures in question may include, in particular, the transfer of the Recipient’s Data in a country which, in accordance with the decision of the European Commission, provides adequate protection of Data or Recipients in the United States that has certified compliance with the EU-US Privacy Shield program.

Data processed at the Administrator. Data Inventory

Personal data processed by the Administrator is collected in Data files.
The administrator does not undertake processing activities that could involve a serious probability of high risk for the rights and freedoms of persons. In the event of planning such action, the Administrator will perform the activities specified in art. 35 et seq. RODO.
The administrator identifies the cases in which he processes or can process sensitive data (special data and criminal data).
In the event of the identification of processing of specific data, the Administrator verifies the legal basis for the processing of sensitive data in accordance with art. 9 RODO and registers them in the Register.
If the cases of processing of criminal records are identified, the Administrator verifies the legal grounds for the processing of criminal records determined in accordance with art. 10 RODO and registers them in the Register with an indication of whether processing takes place under the supervision of public authorities or processing is permitted by Union law or the law of a Member State providing adequate safeguards for the rights and freedoms of data subjects.
The administrator identifies cases in which he is processing or can process unidentified data and maintains mechanisms facilitating the implementation of the rights of persons affected by unidentified data in accordance with art. 11 THE RHODE.
The administrator identifies cases in which profiling of processed data and maintains mechanisms that ensure compliance of this process with the law. If the cases of profiling and automated decision-making are identified, the Administrator implements appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, and at least ensures the right to obtain human intervention from the Administrator, express his own position and challenge this decision .
Administrator’s services are not directed to children under 16 years of age. The Administrator does not process Child Data.

Współadministrowanie

The administrator identifies cases of co-administering the Data and proceeds in this respect in accordance with art. 26 RHODE.
By joint arrangements, the joint controllers shall clearly define the appropriate scope of their responsibility to fulfill their obligations under the GDPR, in particular with regard to the exercise by the data subject of his rights, and their obligations with regard to the provision of information referred to in art. 13 and 14 of the GDP, unless their duties and scope are determined by Union law or the law of the Member State to which the joint controllers are subject.
Irrespective of the arrangements of the joint controllers, the data subject may exercise his rights resulting from the ROPE to each of the administrators, however, in the co-administrators’ agreements, the contact point for the data subjects should be indicated.

Register of Data Processing Activities

The register is a form of documenting the processing of Data, which makes it possible to implement the accountability principle.
The Administrator maintains a Registry in which he takes inventory and monitors the data processing.
This registry shall contain the following information:
first name and surname or name and contact details of the Administrator and any co-administrators, as well as, where applicable, a representative of the Administrator and the data protection officer;
processing purposes;
description of the categories of data subjects and categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or in international organizations;
where applicable, transfer of personal data to a third country or international organization, including the name of that third country or international organization, and in the case of transfers referred to in Article 49 par. Second paragraph of the RODO, documentation of relevant safeguards;
if possible, scheduled dates for deletion of individual categories of data;
if possible, a general description of the technical and organizational security measures referred to in Article 32 para. 1 RODO.
The Register template is attached as Appendix 2 to this Policy. The Register template also contains optional columns, in which the Administrator registers information in accordance with current needs due to the fact that the fuller content of the Register facilitates the management and compliance of data protection compliance.

Register of the Data Processing Activities

The Data Processing Data Entry Register is a form of documenting the category of data processing activities that allows the accountability principle to be implemented.
If the Administrator acts as a processor in relation to another Data administrator, he / she carries out the Data Processing Data Record, in which he / she reviews and monitors the manner in which he / she processes data on behalf of such another entity.
The following information shall be included in the Data Processing Activities Register:
the name and contact details of the processor or processors and any administrator on behalf of which the processor is acting and, where applicable, the representative of the controller or processor and the data protection officer;
the categories of processing carried out on behalf of each administrator;
where applicable, transfer of personal data to a third country or international organization, including the name of that third country or international organization, and in the case of transfers referred to in Article 49 par. Second paragraph of the RODO, documentation of relevant safeguards;
if possible, a general description of the technical and organizational security measures referred to in Article 32 para. 1 RODO.
The Register of the Data Processing Class is kept in electronic form. The template of the register is Annex No. 3 to this Policy.

 The basics of processing

The Administrator documents in the Register the legal grounds for data processing for individual processing activities.
Indicating the general legal basis of art. 6 par. 1 RODO (consent, contract conclusion condition, legal obligation, vital interests, public task, justified interest of the Administrator) The administrator specifies the basis in a clear way when it is needed.
In its activities, the Administrator uses systems and software that enable registration and verification of the expression of specific, conscious, voluntary and unambiguous consent of the data subject to the processing of its Data for a specific purpose, consent to communication by means of remote communication (email, telephone, sms, mms, etc.) and registration of refusal of consent, withdrawal of consent and similar activities aimed at the exercise of the rights of the data subject.

Support for the implementation of data subjects

The administrator ensures that the information provided to the persons whose data is processed is provided in a concise, clear, understandable and easily accessible form, clear and simple language.
The administrator facilitates the data subject to exercise his or her rights under Article 15-22 RODO through various activities, including:
placing information on the rights of data subjects on the Administrator’s website,
posting on the Administrator’s website information on the manner and dates of exercising the rights, including methods of contacting the Administrator or the Data Protection Inspector.
The administrator shall, without undue delay – and in any case within 1 (in words: one) month from receipt of the request – provide the data subject with information on actions taken in connection with the request. If necessary, this period may be extended by another 2 (in words: two) months due to the complex nature of the request or the number of requests. Within one month of receipt of the request, the Administrator shall inform the data subject about such extension, stating the reasons for the delay.
If the data subject has submitted his request electronically, if possible, the information is also transmitted electronically, unless the data subject requests a different form.
If the Administrator does not take action in relation to the request of the data subject, he shall immediately – no later than one month from the receipt of the request – inform the data subject of the reasons for failure to take action and the possibility of lodging a complaint to the supervisory authority and use the means of protection before the court.
Communication and actions taken to implement the rights of the data subject are free of charge. However, if the demands of the data subject are clearly unjustified or excessive, in particular due to their permanent nature, the Administrator may:
to charge a reasonable fee, determined taking into account the administrative costs of providing information, conducting communication or taking the required actions; or
refuse to take action in connection with the demand.
Refusal to take action due to obviously unjustified or excessive character must contain factual and legal justification and requires every time consultation with the IOD.
If the Administrator has reasonable doubts as to the identity of the natural person submitting the request, he may request additional information necessary to confirm the identity of the data subject. The administrator uses only adequate methods of identification and authentication of persons for the purpose of implementing their rights.
The administrator documents the handling of information obligations, notifications and requests of persons.

Information obligations towards Data subjects

The Administrator informs the person about the processing of his Data when obtaining Data from that person.
The Administrator informs the person about the processing of his Data when acquiring Data about that person indirectly from it.
The administrator determines the method of informing people about the processing of unidentified data, where it is possible in particular when using visual monitoring in a visible place, he places information on the coverage of the area by video monitoring.
The administrator informs the person about the purpose and planned change of the purpose of data processing.
The administrator informs the data subject about the following rights:
access to the Data and receipt of copies thereof;
correct (correct) Data;
Data removal – if, in the opinion of the data subject, there is no reason for the Administrator to process its Data;
limitation of data processing – if, in the opinion of the data subject, the Administrator has incorrect Data about it or processes it unjustifiably; or the person does not want the Administrator to delete them, because they are needed to establish, assert or defend claims, or for the time of the opposition against the processing of the Data submitted by such person;
object to the processing of Data in order to conduct direct marketing including profiling and the right to object to the processing of Data on the basis of the Administrator’s legitimate interest for purposes other than direct marketing, and when processing is necessary to perform a task carried out in the public interest or to be entrusted Administrator of public authority;
data transfer – the data subject has the right to obtain from the Administrator in a structured, commonly used machine-readable format his Data, which he provided to the Administrator based on a contract or consent, may also request the Administrator to send the Data directly to another entity;
lodging a complaint to the Supervisory Body – if the data subject believes that the Administrator processes its Data unlawfully, he may submit a complaint to the appropriate Supervisory Authority;
the right to withdraw consent to data processing – at any time, the data subject has the right to withdraw consent to the processing of these Data, which the Administrator processes based on his consent (withdrawal of consent will not affect the lawfulness of processing, which was made on the basis of consent before its withdrawal).
The Administrator provides, appropriate technical and organizational measures that will allow the withdrawal of consent to the processing of Data in a manner as easy as the way it is expressed.
The administrator informs about rectification, removal or limitation of data processing (unless it will require a disproportionately large effort or will be impossible).
The Administrator immediately notifies the data subject of a breach of data protection, if it may cause a high risk of violating the rights or freedoms of that person.

Data subjects requests

While implementing the rights of data subjects, the Administrator is also obliged to protect the rights and freedoms of third parties. In particular, if it is credible to know that making a request for the exercise of one person’s rights may adversely affect the rights and freedoms of others (eg rights related to protection of other people’s data, intellectual property rights, trade secrets), the Administrator may ask the person to clarify doubts or take other lawful steps, including refusal to comply with the request.
[Access] Upon request, persons regarding access to its data, the Administrator informs such person whether he processes its Data, and if so informs about the details of processing, in accordance with art. 15 RODO (that is, to the extent that corresponds to the information obligation when collecting data), and also gives the person access to data relating to him.
[Rectification] Administrator corrects incorrect Data on demand of the data subject. The Administrator informs about the rectification of each recipient to whom the Data has been disclosed, unless this proves impossible or will require a disproportionately large effort. The administrator informs the data subject about these recipients if the data subject requests it.
[Supplement] The administrator completes and updates the Data on demand of the data subject. However, the Administrator has the right to refuse to supplement the Data if the supplement would be inconsistent with the purposes of Data processing (eg Data is not needed by the Administrator).
[Delete] At the request of the data subject, the Administrator deletes Data when:
the consent for their processing has been withdrawn and there is no other legal basis for their processing,
they were processed unlawfully,
are no longer necessary for the purposes for which they were collected or processed for other purposes,
effective opposition to the processing of these Data has been lodged,
the necessity of their removal results from the legal obligation,
 the removal request applies to the child’s data collected on the basis of consent to provide information society services directly offered to the child.
If the data to be deleted have been made public by the Administrator, the Administrator will take reasonable steps, including technical measures, to inform other administrators processing the Data that the data subject requests that these administrators delete any links to these data, copies of these personal data or their replications.
When considering a data removal request, the Administrator verifies that there are no exceptions referred to in art. 17. sec. 3 RHODE. The obligation to delete the Data does not apply to the extent to which processing is necessary:
to exercise the right to freedom of expression and information;
to comply with a legal obligation requiring processing under Union law or the law of the Member State to which the Administrator belongs, or to perform a task carried out in the public interest or in the exercise of public authority entrusted to the Administrator;
for reasons of public interest in the field of public health (processing is necessary for preventive health or occupational medicine, for the assessment of the employee’s ability to work, medical diagnosis, provision of health care or social security, treatment or management of healthcare and social security systems or services on the basis of Union or Member State law or under contract with a health professional if they are processed by – or under the responsibility of a worker subject to professional secrecy under Union or Member State law or rules established by the competent national authorities or by another a person also subject to professional secrecy under Union or Member State law, or rules established by the competent national authorities.
for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as it is likely that the deletion of the Data will prevent or seriously hinder the achievement of the purposes of such processing;
to establish, investigate or defend claims.
The Administrator informs about the deletion of Data of each recipient to whom the Data has been disclosed, unless this is not possible or will require a disproportionately large effort. The administrator informs the data subject about these recipients if the data subject requests it.

Limitation of processing] Administrator limits data processing at the request of the data subject when:
that person disputes the correctness of the Data – for a period allowing the Administrator to check the correctness of such Data;
the processing is unlawful and the data subject opposes the removal of the Data, requesting instead to limit their use;
The Administrator no longer needs Data for processing, but it is needed by the data subject to establish, assert or defend claims;
the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for objection of the data subject.
If the processing has been limited, the Administrator stores the Data, but does not process them in other ways (does not use, not transfer), without the consent of the data subject, unless to establish, assert or defend claims, or to protect the rights of another natural person or legal, or for important reasons of public interest.
The Administrator informs about restricting the processing of the Data of each recipient to whom the Data has been disclosed, unless this proves impossible or will require a disproportionate effort. The administrator informs the data subject about these recipients if the data subject requests it.
Before revoking the processing limit, the administrator informs the data subject who requested the restriction.
[Data Transfer] At the request of the data subject, the Administrator issues in a structured, commonly used machine-readable format, or transfers to another entity, if possible, data about that person, which he provided to the Administrator, processed on the basis of the consent of that person or in order to conclude or perform an agreement concluded with it, in an automated manner in the Administrator’s IT systems.
[Opposition motivated by a special situation] If the data subject reports objection to the processing of his data for reasons related to his particular situation, and:
The data is processed by the Administrator based on the Administrator’s justified interest or based on the task entrusted to the Administrator in the public interest, the Administrator will take into account the objection and cease such processing unless there are important legal grounds on the part of the Administrator overriding interests and rights. and freedom of the opponent or grounds for establishing, investigating or defending claims;
The Administrator conducts scientific research, historical research or data processing for statistical purposes, the Administrator will take into account the objection and cease such processing, unless the processing is necessary to perform the task carried out in the public interest.
[Opposition to direct marketing] If the data subject reports objection to the processing of his Data by the Administrator for the purpose of direct marketing (including profiling if it takes place), the Administrator will take into account the objection and cease such processing.
[The right to obtain human intervention] In a situation in which the Administrator processes the Data in an automated manner, including in particular profiling people, and consequently takes decisions that cause legal effects or significantly affect the person, it provides the opportunity to appeal to the intervention and human decision, unless such an automatic decision:
it is necessary for the conclusion or performance of the contract between the appealing person and the Administrator;
it is explicitly permitted by Union law or national law;
it is based on explicit consent of the appealing person.

Minimalization

The Administrator cares for minimizing the processing of Data in terms of Data adequacy for purposes of processing, access to Data and storage time of Data.
The Administrator periodically reviews the amount of Data processed and the scope of their processing at least once a year.
The Administrator applies physical, legal and IT restrictions on access to Data.
The administrator updates the access rights for changes in the composition of staff and changes of positions, as well as changes in the processing entities.
The administrator periodically reviews established system users and updates them at least once a year.
The time of data storage is limited to the period of their usefulness for the purpose for which they were collected, not longer than until the Administrator’s claims or directed to the Administrator and after this period they are anonymized or removed from the Administrator’s IT systems, as well as from handheld files and major. Such data can be archived and be on system backups and information processed by the Administrator. Procedures for archiving and using archives, creating and using backup copies take into account data deletion requirements.

Data safety

The administrator provides a level of security corresponding to the risk of violating the rights and freedoms of natural persons by implementing appropriate technical and organizational measures, including:
carry out risk analyzes for data processing activities or categories thereof;
carry out impact assessments for data protection where the risk of violation of the rights and freedoms of the Data subjects is high;
adapts technical and organizational Data protection measures to the determined risk, including, among others, ensuring:
Pseudonymisation and encryption of personal data,
confidentiality, integrity, availability and robustness of IT systems and processing services;
the ability to quickly restore the accessibility and access to personal data in the event of a physical or technical incident;
regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure security of processing (Article 32 (1) of the GDPR);
apply procedures to identify, assess and report identified data breaches to the Supervisory Authority (incident management).
In terms of hiring, terminating or changing the terms of employment of employees or co-workers (persons undertaking activities for the benefit of the Data Administrator under other civil law contracts) (Administrator’s staff) to the Administrator, it is necessary to ensure that:
members of the Administrator’s staff were properly prepared to perform their duties;
each of the Data Processors was authorized in writing to be processed in accordance with the authorization to process personal data – the model of authorization is attached as Appendix 4 to this Policy;
each member of the Administrator’s staff undertook to keep the Data processed in confidence. The declaration and commitment of the person who processes personal data for secrecy is attached as Appendix 5 to this Policy.
The Administrator’s staff is obliged to:
data processing and protection in accordance with this Policy and the applicable Data Protection Regulations;
ensuring the protection of Data processed in the Administrator’s files, and in particular ensuring their security against making available to third parties and unauthorized persons, taking away, damaging and unjustified modification or destruction;
strict adherence to the scope of the authorization granted;
confidentiality, also after discontinuation of works, Data and all information regarding the functioning of systems used to process personal data in the Data Administrator collection;
immediate reporting of incidents related to data breach.
The Administrator maintains a register of authorizations and declarations, which constitutes Annex No. 6 to this Policy.

Designation of the Data Protection Inspector
In the case in which the Administrator designates an IOD, he designates it on the basis of professional qualifications, and in particular professional knowledge on the law and practices in the field of data protection and the ability to complete tasks.
The main tasks of the IOD are:
monitoring compliance with the applicable Data Protection Regulations and this Policy, in particular:
collecting information to identify processing processes,
analysis and verification of compliance of processing processes,
information, consulting and making recommendations for specific activities of the administrator or processor,
conducting awareness-raising activities, training of personnel involved in processing operations and related audits,
informing the Administrator and members of its authorities, employees and co-workers processing personal data, about the duties incumbent upon them under the applicable Data Protection Regulations and advising the above-mentioned entities in this matter;
Administrator support in assessing the impact on data protection and providing recommendations to the administrator or processor on the impact assessment for data protection in accordance with Art. 35 OF THE FEDERATION, concerning in particular:
whether an impact assessment on data protection should be carried out,
the methodology for conducting an impact assessment on data protection,
whether an internal impact assessment for data protection should be carried out or commissioned to an external entity,
safeguards (including technical and organizational measures) used to mitigate any threats to the rights and interests of data subjects,
correctness of the performed impact assessment for data protection and compliance of its results with data protection requirements (whether processing should continue or what safeguards should be applied),
cooperation with the Supervisory Authority and acting as a contact point for the Supervisory Body;
performing the function of a contact point for data subjects;
support for Data Protection Corruption and Reporting of Invasions.
The administrator will provide the IOD with the performance of duties in an independent manner.
The IOD will not occupy a position entailing the definition of the methods and purposes of the data processing, i.e. any managerial position (general director, operational director, financial director, medical director, department manager, marketing manager, HR manager, IT department manager and any lower management position, if it is involved in defining the purposes and means of data processing).