GDPR

The Personal Data Protection Policy – Security Policy is the basic document that defines how our Company follows personal data protection rules and shows the processes for this protection, in line with GDPR regulations.

PERSONAL DATA PROTECTION POLICY

1. This document titled “Personal Data Protection Policy” lists the requirements, rules, and regulations for protecting personal data in Astranate sp. z o.o. (hereafter called the Company).

This Policy is the personal data protection policy under the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on protecting natural persons regarding personal data processing and free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

The Policy describes the data protection rules in Astranate sp. z o.o., including procedures and instructions related to data protection. The Company’s partners, who act as Data Controllers (ADM), are responsible for implementing and maintaining this Policy. The Administrator and their designated persons are responsible for following the Policy. The Company ensures that its contractors comply with this Policy when the Company shares personal data with them.

2. Definitions used in this Policy and related documents mean:

* Policy means this Personal Data Protection Policy unless the context says otherwise.

* GDPR means Regulation (EU) 2016/679 of 27 April 2016 on personal data protection.

* Profiling means any automated processing of personal data to evaluate personal aspects of a person, such as work performance, economic situation, health, preferences, interests, behavior, location, or movement.

* Data Controller (ADM) means a person or organization that decides why and how personal data is processed; in this case, Astranate sp. z o.o.

* Personal data means any information about an identified or identifiable natural person.

* Data set means an organized collection of personal data.

* Data processing means any operation on personal data, like collecting, storing, organizing, using, sharing, deleting, or destroying.

* Restriction of processing means marking stored data to limit future processing.

* Consent means a clear, voluntary agreement by the person to allow processing of their personal data.

* Authorized person means someone given permission by the Controller to process data.

* User of the system means an authorized person who has access to IT systems processing personal data controlled by Astranate.

* Pseudonymization means processing data so it cannot be assigned to a person without extra information, which is kept separately and securely.

* Processor means a person or entity processing data on behalf of the Controller.

* Recipient means a person or entity receiving personal data.

* Personal data breach means unauthorized destruction, loss, modification, or access to personal data.

* Documentation means all records and procedures related to data processing, security, authorizations, registers, and contracts.

* Data export means sending data to a third country or international organization.

* DPO means Data Protection Officer.

* RCPD means Register of Data Processing Activities.

GENERAL DATA PROTECTION PRINCIPLES

1. The basic principles the Controller follows:

* Legality — processing data according to the law.

* Security — keeping data safe with constant efforts.

* Individual rights — allowing people to exercise their data rights.

* Accountability — documenting compliance.

2. Data protection rules:

The Controller processes data lawfully, fairly, transparently, for specific purposes, with minimal data needed, accurate data, only as long as necessary, and securely.

DATA PROTECTION SYSTEM

The Company’s data protection system includes:

1. Identifying personal data resources, data types, and how data is used.

2. Ensuring legal grounds for data processing and recording them, including managing consents and legal interests.

3. Providing information to data subjects and fulfilling their rights requests, documenting these activities.

4. Ensuring proper data security.

5. Selecting and verifying processors with contracts to protect data.

6. Managing changes affecting privacy, including privacy by design in new projects.

INFORMATION DUTIES

1. The Controller ensures clear communication with data subjects.

2. The Controller meets legal deadlines for information duties.

3. The Controller uses proper methods to identify people for data rights.

4. The Controller manages requests for access, correction, deletion, or restriction.

5. The Controller documents information, notifications, and requests.

6. The Controller informs people about delays, data processing, and changes.

7. The Controller notifies individuals about data breaches when necessary.

DATA SUBJECT REQUESTS

1. The Controller protects third parties’ rights when fulfilling data requests and may refuse requests that harm others.

2. The Controller informs the data subject if their data is not processed or if processing has stopped.

3. The Controller informs the data subject of any refusal, and of their rights, within one month.

4. The Controller provides access to personal data as per GDPR article 15.

5. The Controller issues data copies, charging fees for extra copies.

6. The Controller corrects inaccurate data on request, or refuses if unjustified.

7. The Controller updates data on request unless incompatible with processing.

8. The Controller deletes data when:

* Data is no longer needed.

* Consent is withdrawn and no other basis exists.

* Objection to processing is valid.

* Data was processed unlawfully.

* Legal obligation requires deletion.

* Data of children collected for information society services.

The Controller ensures effective deletion respecting data protection rules and informs data recipients when requested.

RESTRICTION OF PROCESSING

1. The Controller restricts processing on request when:

* Data accuracy is questioned.

* Processing is unlawful but deletion is opposed.

* The Controller no longer needs the data, but the data subject needs it for legal claims.

* Objection raised due to special situation until verified.

2. During restriction, data is stored but not processed without consent, except for claims or public interest.

3. The Controller informs the data subject when a restriction is lifted and, on request, about the recipients of the data.

4. The Controller provides data in a machine-readable format or transfers it when possible.

OBJECTION TO PROCESSING

1. The Controller respects objections when processing is based on legitimate interest or public task, unless overriding reasons exist.

2. Objections for scientific, historical, or statistical purposes are respected unless necessary for public interest.

3. Objections to direct marketing stop processing.

4. The Controller provides human intervention rights for automatic processing decisions.

DATA MINIMIZATION

The Controller minimizes:

a) Data scope — only data necessary for the purpose.

b) Access — limited by legal, physical, and logical controls.

c) Retention time — data kept only as long as needed and properly deleted or archived.

SECURITY

The Controller ensures security matching risks to rights and freedoms of data subjects by:

1. Risk analysis and evaluating security measures like pseudonymization, encryption, cybersecurity, and disaster recovery.

2. Reporting data breaches to authorities within 72 hours.

PROCESSORS

The Controller selects and checks processors to ensure they protect data properly.

PRIVACY BY DESIGN

The Controller manages privacy impact in projects and investments, ensuring data protection and minimization from the start.