Privacy Policy

Personal Data Protection Policy
at Spółka Inżynierów SIM Sp. z o.o. [SIM Engineering Company]

On the basis of art. 32 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in order to apply technical and organizational measures ensuring that the protection of personal data being processed is adequate to threats and categories of the data subject to protection, in particular the protection of data against disclosure to unauthorized persons, acquiring by unauthorized persons, processing in violation of the aforementioned regulation, as well as modification, loss, damage or destruction and, under the statutory competencies, to ensure the implementation of the objectives and tasks for which Spółka Inżynierów SIM Sp. z o.o.   this Protection Policy for Personal Data Processing is introduced in Spółka Inżynierów SIM Sp. z o.o.

§ 1
Preliminary Provisions

The Policy defines the rules of processing and protecting personal data in Spółka Inżynierów SIM Sp. z o.o. [SIM Engineering Company]. This is to ensure that the processing of data complies with the requirements of the GDPR and the provisions of the mandatory Polish law regarding the processing of personal data. The Policy constitutes a set of rules and a basis for the requirements, procedures and regulations regarding the protection of personal data implemented in Spółka Inżynierów SIM Sp. z o.o. [SIM Engineering Company].

The Policy includes:

Description of data protection rules applicable in Spółka Inżynierów SIM, Sp. z o.o.;

Set of procedures, instructions and detailed regulations regarding the processing of personal data in Spółka Inżynierów SIM, Sp. z o.o. regarding individual areas in the field of personal data protection;

The Policy applies to all employees and associates of Spółka Inżynierów SIM, Sp. z o.o.  The following units are responsible for compliance with and maintaining the provisions of the Policy:

Management Board;

Organizational units of Spółka Inżynierów SIM, Sp. z o.o. in which personal data are processed;

Employees.

For the purposes of effective implementation of the Policy, taking into account the scope, context and purposes of data processing as well as the risk of violating the rights or freedoms of individuals with various probabilities and severity of the threat, Spółka Inżynierów SIM, Sp. z o.o.  shall ensure:

Implementation of appropriate technical and organizational measures aimed at ensuring compliance of personal data processing with the legal requirements and the necessary protection of personal data being processed;

Ongoing monitoring of the compliance of personal data processing with legal requirements, and subjecting data protection measures to continuous review and updating processes;

Control and supervision over the processing of personal data.

Supervision over the compliance with the provisions of the Policy shall be ensured by the Management Board. The supervision referred to in the preceding sentence is intended in particular, but not exclusively, to ensure that the activities related to the processing of personal data in Spółka Inżynierów SIM, Sp. z o.o.  follow the requirements of law and the provisions of the Policy.

Spółka Inżynierów SIM Sp. z o.o. shall ensure compliance of the contractors’ conduct, including in particular entities processing data, with the provisions of the Policy in all appropriate circumstances in cases where personal data are forwarded to these entities for processing, including storage.

The Policy shall be stored and made available in paper and electronic form at the headquarters of Spółka Inżynierów SIM Sp. z o.o., ul. Stefczyka 34, 20-151 Lublin.

§ 2
Glossary

Whenever the following definitions or phrases are used in this Policy, they shall bear the following meanings:

Policy – the present Policy, including any Annexes thereto;

Data Controller – Spółka Inżynierów SIM Sp. z o.o. with its registered office at ul. Stefczyka 34, 20-151 Lublin (also referred to as Spółka Inżynierów SIM [SIM Engineering Company]);

Personal Data – information regarding an identified or identifiable natural person, such as: first and last name, ID number, location data, Internet ID, one or more specific factors determining the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person, referred to in art. 4 item 1 of the GDPR;

GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (EU Official Journal L 119, p. 1);

Authorized Person – person authorized by the Data Controller to process personal data in a given area;

Processing – operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as: collecting, recording, organizing, collating, storing, adapting or modifying, downloading, browsing, using, disclosure by transmission, dissemination or otherwise making available, matching or combining, limiting, deleting or destroying, as referred to in art. 4 item 2 of the GDPR;

Data Set – every ordered set of personal data, available in accordance with specific criteria;

Processing Entity – natural or legal person, public body, unit or other entity that processes personal data on behalf of Spółka Inżynierów SIM Sp. z o.o.  with its registered office at ul. Stefczyka 34, 20-151 Lublin.

Authentication – action aimed at verifying the User’s declared identity;

Employees – both the persons employed in Spółka Inżynierów SIM, Sp. z o.o.  based on an employment relationship and natural persons working in cooperation with the Company under a civil law contract;

System – system of personal data protection in Spółka Inżynierów SIM, Sp. z o.o., referred to in § 5 of the Policy;

Sensitive data – personal data referred to in art. 9 of the GDPR.

§ 3
Basis for the protection of Personal Data in Spółka Inżynierów SIM Sp. z o.o.

Spółka Inżynierów SIM Sp. z o.o. shall ensure the application of technical and organizational measures necessary to ensure confidentiality, integrity, accountability and continuity of the data being processed.

Authorized persons and all other persons to whom personal data processed in Spółka Inżynierów SIM [SIM Engineering Company] are made available are obliged to process personal data in compliance with the provisions of law and those of the Policy, as well as other internal legal acts or procedures related to the processing of personal data.

When employing employees and during their course of employment, Spółka Inżynierów SIM [SIM Engineering Company] shall ensure that:

Before the commencement of the performance of their official duties, employees will be provided with all necessary information regarding the principles of processing and protection of personal data in Spółka Inżynierów SIM [SIM Engineering Company].

Each employee will be authorized in writing to process personal data to the necessary extent and will be obliged to maintain the confidentiality and integrity of personal data, in accordance with the model constituting Annex 1 to the Policy; the template for the registration of persons authorized to process personal data is attached as Annex 2 to this Policy.

Each employee of Spółka Inżynierów SIM [SIM Engineering Company] shall be obliged to:

Strictly comply with the scope of the authorization;

Comply with the law and the provisions of the Policy in the field of data processing;

Maintain the secrecy of personal data;

Maintain the secrecy of the manner of maintaining the confidentiality and integrity of personal data;

Promptly report to the Data Controller any incidents related to the breach of security of personal data.

Spółka Inżynierów SIM [SIM Engineering Company] shall ensure that personal data are:

Processed in accordance with the law, reliably and in a manner transparent for the data subject;

Collected for specific, explicit and legitimate purposes, and shall not be further processed in any manner inconsistent with these purposes;

Adequate, relevant and limited to the scope necessary for the purposes for which the data are processed;

Correct and updated as necessary; all reasonable steps must be taken to ensure that any personal data deemed to be incorrect in the context of the purposes for which they are processed, are immediately removed or corrected;

Stored in a form permitting the identification of the data subject for a period no longer than that necessary for the purposes for which the data is processed;

Processed in a manner ensuring adequate security of personal data; this also applies to protection against unauthorized or unlawful processing and accidental loss, destruction or damage, executed by means of appropriate technical or organizational measures.

While ensuring that personal data will be processed according to the principles set out in sec. 1, Spółka Inżynierów SIM [SIM Engineering Company] bases the processing of data on the following factors:

Legality – Spółka Inżynierów SIM [SIM Engineering Company] cares for the protection of privacy, and will process personal data in accordance with the requirements of law;

Security – Spółka Inżynierów SIM [SIM Engineering Company] shall ensure an adequate level of personal data security by continuously undertaking actions in this area;

Rights of the individual – Spółka Inżynierów SIM [SIM Engineering Company] shall enable data subjects to exercise their rights, and shall exercise these rights;

Accountability – Spółka Inżynierów SIM [SIM Engineering Company] will ensure proper documentation regarding the manner of fulfilling its obligations in the field of personal data protection.

Spółka Inżynierów SIM [SIM Engineering Company] shall not provide data subjects with information in a situation where such data have to be kept confidential in compliance with the obligation to maintain professional secrecy.

§ 5
Personal Data Protection System

In addition, Spółka Inżynierów SIM [SIM Engineering Company] shall ensure the compliance of the processing of personal data with legal requirements by introducing the following organizational and technical security system:

Restricting access to rooms in which personal data are processed to authorized persons only and ensuring that other people are granted access to rooms used for the processing of personal data solely in the company of an authorized person;

Closing the rooms in which personal data are processed for the time of absence of employees in a way preventing third parties from access to these rooms;

Ensuring security of the area referred to in sec. 1 (b) of the Policy against random factors such as fire, flood or burglary;

Using lockers, drawers or other technical means preventing unauthorized persons from access to personal data stored there;

Ensuring effective removal or destruction of documents containing personal data in a manner preventing their subsequent reproduction;

Ensuring hardware and IT security, which includes:

Protection of the local network against external initiations;

Ensuring that the software used is up to date;

Protection against malware of the computer hardware used in Spółka Inżynierów SIM [SIM Engineering Company];

Ensuring constant, frequent back-ups of data stored on computers, server in the local network of Spółka Inżynierów SIM [SIM Engineering Company];

Limiting access to computer hardware, server and the local area network by applying the rules of Authentication;

Monitoring changes in the processes relating to the processing of personal data in Spółka Inżynierów SIM [SIM Engineering Company] and the ongoing management of changes affecting the protection of personal data in Spółka Inżynierów SIM.

§ 6
Execution of responsibilities towards data subjects

Spółka Inżynierów SIM [SIM Engineering Company] shall implement methods of managing the consents allowing for the registration and verification of the person’s consent to process their specific data for a specific purpose, consent to remote communication (e-mail, phone, text messages, etc.), as well as registration of refusal to give consent, withdrawal of consent and similar activities such as objecting to the processing or a restriction thereof.

Spółka Inżynierów SIM [SIM Engineering Company] shall ensure the legibility and appropriate style of information provided, as well as communication with persons whose personal data are being processed.

Spółka Inżynierów SIM [SIM Engineering Company] shall publish on its website and keep at its headquarters a copy of the Privacy Policy of Spółka Inżynierów SIM which fulfills the obligations arising from art. 13 of the GDPR. The Privacy Policy contains i.a. the following information:

Information about who the Data Controller is;

Information about the rights of the Data Subjects;

Information about the scope of personal data being processed for specific purposes;

Methods of contacting Spółka Inżynierów SIM [SIM Engineering Company] in matters regarding personal data.

In order to exercise the rights of Data Subjects, Spółka Inżynierów SIM [SIM Engineering Company] will provide procedures and mechanisms aimed to identify the data of specific persons processed by Spółka Inżynierów SIM, make changes to these data and delete them in an appropriate manner.

Notwithstanding the provisions of sec. 4 above, Spółka Inżynierów SIM [SIM Engineering Company] shall determine a method of providing information about the processing of unidentified data in places where it will be possible (e.g. a sign indicating that the area has been covered by video surveillance).

At the request of a person regarding access to their data, Spółka Inżynierów SIM [SIM Engineering Company] shall inform the person whether it processes their data and inform the person of the details of data processing in accordance with art. 15 of the GDPR and will provide the person access to the relevant data. Access to the data can, among others, be provided by issuing a copy of the data.

Spółka Inżynierów SIM [SIM Engineering Company] shall issue to the Data Subject a copy of their data and record the fact that the first copy of data was issued to that person.

At the request of the Data Subject, Spółka Inżynierów SIM [SIM Engineering Company] will correct any incorrect data. Spółka Inżynierów SIM [SIM Engineering Company] has the right to refuse to correct the data, unless the person demonstrates, in a reasonable manner, the irregularities of the data whose correction they have requested. At the request of a person, if the data has been rectified, the Company will inform the person about the recipients of the data.

At the request of the Data Subject, Spółka Inżynierów SIM [SIM Engineering Company] shall complete and update the data. Should the completion of data be incompatible with the purposes of data processing, the Company has the right to refuse to complete/update the data. Spółka Inżynierów SIM [SIM Engineering Company] may rely on the Data Subject’s statement regarding the data to be corrected, unless this is insufficient in the light of the procedures adopted by Spółka Inżynierów SIM or the provisions of law or should there be grounds to consider the statement to be unreliable.

Spółka Inżynierów SIM [SIM Engineering Company] shall delete the data under the following circumstances:

The data are no longer needed for the purposes for which they were collected, nor are they being processed for other purposes;

The consent to their processing has been withdrawn, and there are no other legal grounds for processing,

The Data Subject has lodged a valid objection against the processing of such data;

Data processing was unlawful,

There is a need to delete the data, resulting from a legal obligation,

The request relates to the data of a child, collected based on a consent to provide information society services offered directly to the child.

When deleting personal data, Spółka Inżynierów SIM [SIM Engineering Company] shall take into account ensuring effective execution of this right, while respecting all rules regarding the protection of data, including security, as well as a verification whether the exceptions referred to in art. 17 sec. 3 of the GDPR do not apply.

In the event that the data to be deleted are made public by Spółka Inżynierów SIM [SIM Engineering Company], Spółka Inżynierów SIM will take all reasonable steps, including technical measures, to inform other administrators processing these personal data about the need to delete the data and to prevent access to them. At the request of a person, if the data has been deleted, Spółka Inżynierów SIM [SIM Engineering Company] will inform the person about the recipients of the data.

Spółka Inżynierów SIM [SIM Engineering Company] shall limit the processing of data at the request of the Data Subject under the following circumstances:

The Data Subject questions the correctness of the data – for a period of time necessary to verify their correctness,

The processing of data is unlawful, and the Data Subject is against the removal of personal data, requesting instead to limit their use,

Spółka Inżynierów SIM [SIM Engineering Company] no longer needs the personal data, but they are needed by the Data Subject to establish, investigate or defend claims,

The Data Subject objected to the processing of data for reasons related to their specific situation – for a period of time necessary to establish whether the Company has any legitimate grounds prevailing over the grounds of the objection.

When the processing of data is limited, Spółka Inżynierów SIM [SIM Engineering Company] stores the data but does not process it (use or transfer it) without the consent of the Data Subject, unless it is necessary to establish, investigate or defend claims, or to protect the rights of another natural or legal person, or as a result of important public interest considerations. Before revoking the limitation of data processing, the Company will inform the Data Subject. At the request of a person, if the processing of data has been limited, the Company will inform the person about the recipients of the data.

At the request of the Data Subject, Spółka Inżynierów SIM [SIM Engineering Company] will publish in a structured, commonly used machine-readable format or, if possible, provide another entity with data relative to the Data Subject they have provided to the Spółka Inżynierów SIM, processed on the basis of the Data Subject’s consent or processed in order to enter into or perform a contract concluded with that person, in the company’s IT systems.

In the event where the Data Subject reports a justified objection to the processing of their data motivated by their specific situation, referred to in art. 21 of the GDPR, and the data are processed by Spółka Inżynierów SIM [SIM Engineering Company] based on the legitimate interest of Spółka Inżynierów SIM or on the task entrusted to Spółka Inżynierów SIM in the public interest, Spółka Inżynierów SIM undertakes to take into account these objections, unless Spółka Inżynierów SIM has important, legally justified grounds for data processing, overriding the interests, rights and freedoms of the opponent, or grounds for establishing, investigating or defending claims.

If the Data Subject objects to the processing of their data by Spółka Inżynierów SIM [SIM Engineering Company] for direct marketing purposes, Spółka Inżynierów SIM will take into account the objection and cease to process the data in this manner.

§ 7
Minimization of Data

Spółka Inżynierów SIM implements procedures to execute the principle of minimizing the processed personal data in terms of:

Adequacy of personal data for processing purposes; the procedures include limiting the amount of the processed personal data and the scope of their processing for a given purpose;

Limiting access to personal data to authorized persons, for whom the use of personal data in a specific scope is necessary to properly perform their duties;

Limiting the time of storing personal data to a period for which it is necessary due to the implementation of the purpose of the processing or obligations imposed on Spółka Inżynierów SIM [SIM Engineering Company].

Spółka Inżynierów SIM [SIM Engineering Company] reviews the amount of data processed and the scope of its processing at least once a year.

Spółka Inżynierów SIM [SIM Engineering Company] limits access to personal data by implementing the following procedures:

Commitment of employees and co-workers to confidentiality, including personal data;

Verification of the circle of internal recipients of personal data by providing individual employees with specific authorizations regarding the processing of personal data;

Implementation of IT measures for the protection of personal data by limiting access to systems, software and network resources used in the processing of personal data;

Implementation of physical technical measures of personal data protection.

Spółka Inżynierów SIM [SIM Engineering Company] updates access rights in the event of changes in the staff, changes regarding the roles of staff members and changes of processing entities. Spółka Inżynierów SIM [SIM Engineering Company] periodically reviews the established users of the system and performs updates at least once a year.

Data whose scope of use is limited in time are removed from the systems of Spółka Inżynierów SIM [SIM Engineering Company], as well as from main and handy files. Such data may be archived and located on backup copies of systems and information processed by Spółka Inżynierów SIM [SIM Engineering Company].

§ 7
Security of Personal Data

Taking into account current technical knowledge and implementation costs, as well as the nature, scope, context and purposes of data processing and the risk of violating the rights or freedoms of individuals with various probabilities and severity of the threat, Spółka Inżynierów SIM [SIM Engineering Company] shall implement technical and organizational measures ensuring a proper level of personal data protection, corresponding to the risk of violation of the rights and freedoms of individuals as a result of the processing of personal data by Spółka Inżynierów SIM.

Spółka Inżynierów SIM [SIM Engineering Company] implements measures to ensure the continuity of its activity and preventing the consequences of disasters, i.e. the ability to quickly restore the accessibility of personal data and access to these data in the event of a physical or technical incident.

§ 8
Breach of Personal Data Protection

Breach or attempted breach of the principles of processing and protection of personal data includes, in particular, but not exclusively:

Breach of security of information systems in which personal data are processed;

Disclosure of personal data to unauthorized persons;

Processing of personal data that differs from the intended scope and purpose of their processing;

Unauthorized or accidental damage, loss, destruction or change of personal data.

Spółka Inżynierów SIM [SIM Engineering Company] shall notify the Data Subject about the breach of personal data protection, provided that it may cause a high risk of violating the rights or freedoms of that person, and promptly notify a supervisory body without undue delay, but no later than within 72 hours of identification of the breach.

Spółka Inżynierów SIM [SIM Engineering Company] shall document any breaches resulting in a violation of the rights and freedoms of natural persons. The template for reporting a suspected breach of personal data constitutes Annex 3 to this document. The template of the record of infringements constitutes Annex 4.

In the event where the risk of violating the rights and freedoms of the Data Subject is elevated:

Spółka Inżynierów SIM [SIM Engineering Company] will implement appropriate technical and organizational security measures applicable to the personal data subject to breach, preventing them from being accessed by unauthorized persons; Spółka Inżynierów SIM [SIM Engineering Company] shall then apply the necessary measures to eliminate the likelihood of a high risk of violating the rights or freedoms of the Data Subject, unless the effort involved would be disproportionate. In such a case, a public message shall be issued, or a similar measure shall be applied in order to provide information to the Data Subject in an equally effective manner.

§ 9
Entrusting the Processing

Spółka Inżynierów SIM [SIM Engineering Company] may entrust the processing of personal data to a processing entity only by way of written contract, in accordance with the requirements specified in art. 28 sec. 3 of the GDPR. Spółka Inżynierów SIM [SIM Engineering Company] uses only the services provided by processing entities that provide a sufficient guarantee that it will implement appropriate technical and organizational measures in order to ensure that the processing of data meets the requirements set out in this regulation and protects the rights of the Data Subjects.

§ 12
Transfer of Data to a Third Country

Spółka Inżynierów SIM [SIM Engineering Company] shall not transfer personal data to any third country located outside the territory of the European Union or the European Economic Area, except when it would occur at the request of the Data Subject.

In order to avoid unauthorized data export, in particular in connection with the use of publicly available cloud services, Spółka Inżynierów SIM [SIM Engineering Company] periodically reviews user behavior and, where possible, provides equivalent solutions in accordance with data protection law.

§ 13
Final Provisions

The Policy comes into effect on the day of its announcement.

In matters not covered by the Policy, the provisions of the GDPR and generally binding provisions of Polish and European law apply accordingly.

Any changes or supplements to the Policy require for their effectiveness a written form under pain of nullity. Changes or supplements to the Policy shall come into effect not earlier than within 7 days from the date of their announcement.

Annex 1 to the Personal Data Protection Policy of Spółka Inżynierów SIM, Sp. z o.o. [SIM Engineering Company] 

Lublin, ……………… 2019

Authorization to process personal data/stay in the area where personal data is processed*

On the basis of art. 29 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU Official Journal L 119, p. 1) and under my statutory powers, I hereby authorize Mr./Mrs.*:

…………………………………………………………………………………………………

(first and last name)

………………………………………………………………………………………………….

(job title/organizational unit)

to process personal data within the scope of their professional duties.

At the same time, you are obliged to process personal data in accordance with the obtained authorization and the provisions of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the Act of 10 May 2018 on the protection of personal data, as well as the Personal Data Protection Policy of Spółka Inżynierów SIM, Sp. z o.o. [SIM Engineering Company], ul.  Stefczyka 34, 20-151 Lublin.

I hereby oblige you to maintain the confidentiality and secrecy of personal data and methods of their protection, also after termination of employment.

At the same time, you are hereby authorized to create/possess/modify for the needs of your professional duties statements, registers and records containing personal data in the system:

…………………………………………………………………………………..………

You are also obliged to maintain full data protection using technical and organizational measures employed in Spółka Inżynierów SIM, Sp. z o.o., ul.  Stefczyka 34, 20-151 Lublin.

                The authorization is valid from …………… to ……………….

                                                                                                              ……………………………………

                                                                                              (Signature of the Personal Data Controller)

Date of expiration/cancellation* of the authorization: ……………… **

* Delete where not applicable.

** Date of termination of employment/date of termination of a civil law contract.

Annex 3 to the Personal Data Protection Policy of Spółka Inżynierów SIM, Sp. z o.o.

Report of a suspected breach of personal data in Spółka Inżynierów SIM [SIM Engineering Company]

1             First and last name of the person submitting the report

2             Contact phone:

3             Time, date and place of the incident:

4             Description of the incident:

5             Categories of Data Subjects:

1

2

3

4

6             Approximate number of persons affected by the breach:

7             Name of the entity that may have obtained access to data in an unauthorized way:

8             Comments of the reporting person:

9             Date and signature of the person reporting the breach:

10            Date and signature of the Data Protection Coordinator: