Personal Data Protection Policy

1. Definitions

  • The Administrator – Samsic Polska Sp. z o. o., with its registered office at ul. Astrów 10, 40-045 Katowice.
  • Personal Data – information about a natural person who is identified or identifiable by one or several specific factors defining their physical, physiological, genetic, mental, economic, cultural or social identity, including appearance, voice recordings, contact data, location data, information from correspondence, and information collected through recording equipment or other similar technology.
  • Personal Data Protection Coordinator (KODO) – the person or persons designated by the Administrator to carry out Personal Data protection tasks in the Administrator’s organization in accordance with the law.
  • Supervisory authority – the President of the Personal Data Protection Office or, alternatively, the supervisory authority competent in matters of Personal Data designated by another Member State of the European Union.
  • Data subject – the natural person whose Personal Data are processed by the Administrator.
  • Policy – this Personal Data Protection Policy.
  • Employee – a natural person employed by the Administrator under an employment contract.
  • RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Associate (Coworker) – a natural person performing services for the Administrator under a civil law contract (e.g., a contract of mandate or a contract for specific work).


2. General principles

2.1 This Policy is the basic document regulating the principles of secure processing of Personal Data by the Administrator.

2.2 Implementation of the Policy aims to ensure that the Administrator’s data processing procedures comply with the RODO, regardless of the form (electronic or paper) in which the processing takes place.

2.3 In connection with its operations, the Administrator collects and processes Personal Data in accordance with applicable laws, including the RODO, and the processing principles provided therein, i.e.:

2.3.1 The Administrator ensures that the processing of Personal Data is lawful and based on one of the grounds specified in the RODO, i.e. in art. 6(1), art. 9(2) or art. 10 (legality principle).

2.3.2 The Administrator ensures the reliability and transparency of the processing of Personal Data; in particular, the Administrator always informs Data Subjects about the processing of their Personal Data at the time of collection, including the purpose and legal basis of the processing (reliability and transparency principle).

2.3.3 The Administrator ensures that Personal Data are collected only for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes (purpose limitation principle).

2.3.4 The Administrator ensures that it processes data only to the extent necessary to achieve the purpose for which the data were collected by the Administrator (minimization principle).

2.3.5 The Administrator ensures that the Personal Data it processes are correct and updated as necessary, and takes all reasonable measures to ensure that Personal Data that are inaccurate in light of the purposes of their processing are promptly deleted or rectified (regularity principle).

2.3.6 The Administrator ensures that Personal Data are processed only for the period necessary to achieve the purposes of the processing (time limitation principle).

2.3.7 The Administrator ensures the security of Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures (integrity and confidentiality principle).


2.4 The Administrator, through appropriate technical and organizational measures, ensures that it is able to demonstrate that the processing of Personal Data complies with the RODO and other regulations concerning Personal Data (accountability principle).

2.5 The Administrator ensures compliance with the Policy by all Employees and Associates of the Administrator.


3. Organization of the Personal Data protection system

3.1 Before granting access to process Personal Data, the Administrator familiarizes each Employee, Associate or other person processing Personal Data under its authorization with the Policy, including the procedures and rules regarding the protection of Personal Data in force in the Administrator’s organization.

3.2 Processing of Personal Data by Employees and Associates may be done only on the basis of the Administrator’s documented authorization. In addition, the Administrator requires authorized persons to maintain the confidentiality of Personal Data and information concerning the security of Personal Data, as well as to comply with the Policy, including procedures and rules regarding the protection of Personal Data in force in the Administrator’s organization.

3.3 The Administrator assigns a person or persons responsible for the area of Personal Data protection, entrusting them with the function of KODO, and provides adequate resources and funds necessary to perform the tasks assigned to them.

3.4 The KODO’s duties include, in particular:

3.4.1 informing and advising the Administrator and the Employees and Associates who process Personal Data about their obligations under the RODO and other EU or national legislation on the protection of Personal Data;

3.4.2 monitoring compliance by authorized persons with the RODO and other EU and national regulations on the protection of Personal Data, as well as with the internal policies and procedures implemented by the Administrator in this area;

3.4.3 taking actions to raise awareness of the protection of Personal Data, including training of personnel involved in processing operations, and conducting related audits;

3.4.4 providing, upon request, recommendations regarding the data protection impact assessment and monitoring its implementation pursuant to art. 35 RODO;

3.4.5 cooperating with the Supervisory Authority;

3.4.6 acting as a contact point for the Supervisory Authority on issues related to processing, including the prior consultation referred to in art. 36 RODO, and, where appropriate, consulting on any other matters.

3.5 KODO performs its tasks with due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

3.6 Employees and Associates who process Personal Data are obliged in particular to:

3.6.1 process Personal Data in accordance with their authorization and with due care;

3.6.2 if they observe an incident that may constitute a breach of Personal Data protection, immediately report it to their immediate supervisor and to the KODO in accordance with the rules described in a separate procedure;

3.6.3 participate in organized training courses on the protection of Personal Data;

3.6.4 keep confidential the Personal Data and the information on how they are secured, in accordance with the signed confidentiality clause.


4. Security of Personal Data

4.1 The Administrator implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of violating the rights or freedoms of natural persons, taking into account the varying likelihood and severity of that risk. In doing so, the Administrator takes into account the state of technical knowledge, the cost of implementation, and the nature, scope, context and purposes of the processing.

4.2 In evaluating whether the level of security is adequate, the Administrator takes into account, in particular, the risks associated with the processing, especially those resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to Personal Data transmitted, stored or otherwise processed.

4.3 In order to ensure the integrity and confidentiality of Personal Data, the Administrator grants access to Personal Data only to authorized persons and only to the extent necessary for the tasks they perform. The Administrator applies organizational and technical solutions to ensure that all operations on Personal Data are recorded and performed only by authorized persons.

4.4 The Administrator conducts an ongoing analysis of the risks associated with the processing of Personal Data and monitors the adequacy of the applied Personal Data security measures to the identified risks. If necessary, the Administrator implements additional measures to enhance the security of Personal Data.

4.5 Where a type of processing – in particular one using new technologies – is, by its nature, scope, context and purposes, likely to result in a high risk to the rights or freedoms of natural persons, the Administrator assesses the impact of the planned processing operations on the protection of Personal Data before the processing begins. If the impact assessment shows that the processing would cause a high risk unless the Administrator applied measures to minimize that risk, the Administrator consults the supervisory authority before starting the processing.

4.6 If the purposes for which the Administrator processes Personal Data do not require the Administrator to identify the Data Subject, the Administrator is not required to maintain, acquire or process additional information in order to identify the Data Subject solely to comply with the requirements of the RODO.


5. Breach of Personal Data protection

5.1 The Administrator ensures that breaches of Personal Data protection are reported to the Supervisory Authority unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons. To this end, the Administrator, in particular, requires all persons processing Personal Data to immediately report any breach of the protection of Personal Data they notice.

5.2 The Administrator ensures that it notifies Data Subjects of a Personal Data breach without undue delay if the breach is likely to result in a high risk to their rights or freedoms.

5.3 In each case, the Administrator investigates the violation that has occurred and implements appropriate organizational and technical corrective measures.

5.4 The Administrator documents all breaches of Personal Data protection, including the facts of the breach of Personal Data protection, the consequences of the breach, and the remedial actions taken.


6. Implementation of Data Subjects’ Rights

6.1 The Administrator ensures that it implements the rights of Data Subjects in accordance with the principles set by RODO, including:

6.1.1 right to information about data processing – the Administrator provides the person making the request with information about the processing of Personal Data, including, in particular, the purposes and legal grounds for the processing, the scope of the Personal Data held, the entities to which they are disclosed, and the planned date of deletion of the Personal Data;

6.1.2 right to receive a copy of the data – the Administrator provides the person making the request with a copy of the Personal Data that concern them;

6.1.3 right to rectify data – the Administrator removes, upon request, any inconsistencies or errors in the processed Personal Data and completes them if they are incomplete;

6.1.4 right to delete data – the Administrator, upon request, deletes or anonymizes Personal Data whose processing is no longer necessary to achieve any of the purposes for which they were collected;

6.1.5 right to restrict processing – the Administrator, upon request, stops performing operations on Personal Data, with the exception of operations to which the Data Subject has consented and of their storage, in accordance with the adopted retention rules or until the reasons for restricting the processing of the Personal Data cease to exist (e.g., the Supervisory Authority issues a decision authorizing further processing);

6.1.6 right to data portability – to the extent that Personal Data are processed by automated means in connection with a concluded contract or consent given, the Administrator, upon request, issues the Personal Data provided by the Data Subject in a machine-readable format;

6.1.7 right to object to processing for marketing purposes – the Data Subject may object at any time to the processing of Personal Data for marketing purposes, without having to state the reasons for such objection;

6.1.8 right to object to processing for other purposes – the Data Subject may at any time object, on grounds relating to their particular situation, to the processing of Personal Data carried out on the basis of the legitimate interests of the Administrator;

6.1.9 right to withdraw consent – if Personal Data are processed on the basis of consent given, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal.


7. Contacts with the Data Subject

7.1 The Administrator implements appropriate measures so that communications with the Data Subject are made in a concise, clear and easily accessible form, using clear and plain language.

7.2 The Administrator provides information to Data Subjects in writing or by other methods, including, where applicable, electronically. If the Data Subject so requests, the Administrator provides information orally, provided that it is possible to confirm the Data Subject’s identity by other methods.

7.3 The Administrator facilitates Data Subjects’ exercise of their rights under the RODO, including the rights provided for in art. 15–22 RODO.

7.4 The Administrator provides Data Subjects, without undue delay, with information on the actions taken in response to a request made on the basis of art. 15–22 RODO.


8. Sharing and entrusting Personal Data

8.1 The Administrator shares Personal Data with another administrator only if one of the conditions referred to in art. 6(1) or art. 9(2) RODO is met.

8.2 The Administrator entrusts the processing of Personal Data on the basis of a data processing entrustment agreement or other legal tool referred to in art. 28 RODO.

8.3 The Administrator entrusts the processing of Personal Data only after prior verification that the processor provides sufficient guarantees of implementing appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protects the rights of Data Subjects.

8.4 In addition, the Administrator takes all necessary measures to ensure that its subcontractors and other cooperating entities also provide guarantees of applying appropriate security measures whenever they process Personal Data at the request of the Administrator.


9. Transfer of Personal Data to third countries

9.1 The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data to a third country only when necessary and with an appropriate level of protection, mainly through:

9.1.2 cooperation with processors of Personal Data in countries for which the European Commission has issued a relevant decision determining that an adequate level of protection of Personal Data is ensured;

9.1.3 use of standard contractual clauses issued by the European Commission.

10. Ensuring continuity of compliance

10.1 The Administrator ensures that the organization’s operations are continuously maintained in compliance with the requirements for the protection of Personal Data provided for in the RODO, including by reviewing and optimizing the records and procedures implemented in the organization.

10.2 To this end, the Administrator, among other things, monitors changes in legislation, the guidelines of national and international data protection authorities and the case law of courts and tribunals, and takes into account best market practices.


11. Attachments

11.1 The Administrator maintains and applies the following records and procedures for the protection of Personal Data, which are an integral part of the Policy:

11.1.1 Record of processing activities.

11.1.2 Record of the exercise of Data Subjects’ rights.

11.1.3 Risk analysis.

11.1.4 Assessment of the impact of processing.

11.1.5 RODO violation notification procedure.

11.1.6 Record of data protection violations.


12. Final provisions

12.1 The Policy comes into force on 16.10.2023.