The Personal Data Protection Policy – Security Policy is a fundamental document that defines how our Company complies with the principles of personal data protection and outlines the processes related to this protection, thus ensuring compliance with the GDPR.
PERSONAL DATA PROTECTION POLICY
1. This document titled “Personal Data Protection Policy” constitutes a compilation of requirements, principles, and regulations regarding the protection of personal data within Astranate sp. z o.o. (Limited Company) (hereinafter referred to as the Company).
This Policy serves as a personal data protection policy under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119, p. 1) – hereinafter referred to as the GDPR.
The Policy encompasses a description of the data protection principles applicable within Astranate sp. z o.o. (Limited Company) as well as templates of procedures and instructions related to specific areas within the scope of personal data protection. The partners of Astranate sp. z o.o., who act as the Data Controller (ADM), are responsible for implementing and maintaining this Policy. The application of this Policy falls under the responsibility of the Data Controller and individuals appointed by them. The Company ensures that the actions of the Company’s contractors comply with this Policy to an appropriate extent when personal data is shared with them by the Company.
2. The terms and concepts used in this Policy and documentation are defined as follows:
“Policy” refers to this Personal Data Protection Policy, unless stated otherwise explicitly in context.
“GDPR” stands for the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119, p. 1).
“Profiling” means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Data Controller” (ADM) is defined as an individual or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In this documentation, the processing of personal data by the Data Controller refers to Astranate sp. z o.o.
“Personal Data” refers to any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Data Set” means an organized set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized, or functionally or geographically dispersed.
“Processing of Data” includes any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Data Processing Restriction” means marking stored personal data to limit their processing in the future.
“Consent of the Data Subject” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data concerning them.
“Authorized Person” refers to an individual who has received authorization from the data controller to process data. Authorization is a statement issued by the data controller indicating the name of the person who is entitled to process data within the scope specified in the statement.
“System User” is understood as an authorized person who has access to computer systems processing personal data, for which Astranate sp. z o.o. (Limited Company) acts as the data controller.
“Pseudonymization” refers to the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Data Processor” refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data is disclosed, whether a third party or not.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Documentation of Personal Data Processing” includes the policy on the security of personal data processing, instructions for managing the IT system, authorization for personal data processing, declaration of compliance with personal data protection and established procedures, a record of authorized personnel for data processing, data processing outsourcing agreements, a record of recipients of personal data, a record of data sets, a record of media and computer programs, a record of data processing entities, a register of data processing activities, a register of requests for data disclosure, information clauses for data subjects, objections to data processing by data processors, a list of legal grounds for data processing, and a procedure for assessing the impact on personal data protection and a risk management procedure.
“Data Export” refers to the transfer of data to a third country or an international organization.
“DPO” stands for Data Protection Officer.
“RCPD” stands for Register of Personal Data Processing Activities.
GENERAL PRINCIPLES OF PERSONAL DATA PROTECTION
1. The fundamental principles of personal data protection applied by the Data Controller are as follows:
— Legality – The Company ensures the protection of privacy and processes data in accordance with the law.
— Security – The Company maintains an adequate level of data security by taking ongoing actions in this regard.
— Rights of the Individual – The Company enables individuals whose data is processed to exercise their rights, and ensures the realization of these rights.
— Accountability – The Company documents how it fulfills its obligations to be able to demonstrate compliance at any time.
2. Principles of Data Protection
The Data Controller processes personal data based on legal grounds and in accordance with the law (legality); fairly and honestly (fairness); transparently for the data subject (transparency); for specific purposes and not “just in case” (minimization); no more than necessary (adequacy); with care for the correctness of the data (accuracy); not longer than necessary (timeliness); while ensuring appropriate data security (security).
DATA PROTECTION SYSTEM
The Data Protection System of the Data Controller consists of the following activities and elements:
1. The Data Controller identifies personal data resources, data classes, relationships between data resources, and identifies how the data is used.
2. The Data Controller ensures, identifies, and verifies the legal bases for data processing, and records them in the Register, including:
a) Maintaining a consent management system for data processing and remote communication,
b) Inventorying and specifying justifications for cases where the Data Controller processes data based on a legitimate interest.
3. The Data Controller fulfills informational obligations towards individuals whose data is processed and ensures support for their rights by fulfilling requests received in this regard, including:
a) The Data Controller provides individuals with legally required information when collecting data and in other situations, and organizes and ensures documentation of the fulfillment of these obligations (information clauses and records).
b) The Data Controller verifies and ensures the effective execution of each type of request by itself and its processors (information clauses).
c) The Data Controller ensures the appropriate resources and procedures for fulfilling individuals’ requests within the deadlines and in the manner required by the GDPR, and documents these processes.
d) The Company implements procedures to determine the necessity of notifying data subjects of identified data protection breaches (record of personal data breaches).
4. The Data Controller ensures an adequate level of data security, including:
5. The Data Controller has policies for selecting data processors on behalf of the Data Controller and requirements for the conditions of data processing (data processing agreement), and verification of compliance with data processing agreements.
6. The Data Controller manages changes that impact privacy. To this end, procedures for initiating new projects and investments consider the necessity of assessing the impact of the change on data protection, ensuring privacy (including compliance with processing purposes, data security, and minimization) already in the design phase of the change, investment, or at the beginning of a new project.
1. The Data Controller ensures clarity and style in the information and communication provided to individuals whose data is processed.
2. The Data Controller adheres to legal deadlines for fulfilling obligations towards individuals.
3. The Data Controller implements adequate methods of identifying and authenticating individuals for fulfilling individuals’ rights and information obligations.
4. To fulfill individuals’ rights, the Data Controller provides procedures and mechanisms to identify the data of specific individuals processed by the Company, integrate this data, modify it, and delete it in an integrated manner.
5. The Data Controller documents the handling of information obligations, notifications, and requests from individuals.
6. The Data Controller defines lawful and effective ways to fulfill information obligations.
7. The Data Controller informs an individual of an extension of the one-month deadline for considering their request.
8. The Data Controller informs an individual about the processing of their data when obtaining data from that individual.
9. The Data Controller informs an individual about the processing of their data when obtaining data about that individual indirectly from them.
10. The Data Controller specifies the method of informing individuals about the processing of unidentified data, where possible.
11. The Data Controller informs an individual about a planned change in the purpose of data processing.
12. The Data Controller informs an individual before lifting a restriction on processing.
13. The Data Controller informs data recipients of corrections, deletions, or limitations of data processing (unless this would require disproportionately large effort or be impossible).
14. The Data Controller informs an individual of the right to object to data processing at the latest during the first contact with that individual.
15. The Data Controller promptly notifies an individual of a breach of personal data protection if it may result in a high risk to the rights or freedoms of that individual.
DATA SUBJECT REQUESTS
1. When exercising the rights of individuals whose data is processed, the Data Controller introduces procedural guarantees for the protection of the rights and freedoms of third parties. In particular, in the event of receiving credible information that fulfilling a data subject’s request for a copy of data or the right to data portability may adversely affect the rights and freedoms of other individuals (e.g., rights related to the protection of other individuals’ data, intellectual property rights, trade secrets, personal interests, etc.), the Data Controller may contact the individual to clarify doubts or take other legally permissible steps, including refusing to comply with the request.
2. The Data Controller informs an individual that it does not process or has ceased processing their data if the individual has made a request concerning their rights.
3. Within one month of receiving a request, the Data Controller informs the individual of the refusal to process the request and the rights associated with that decision.
4. Upon an individual’s request for access to their data, the Data Controller informs the individual whether their data is processed and provides information about the processing details, in accordance with Article 15 of the GDPR (the scope corresponds to the information obligation at the data collection stage). Additionally, the Data Controller grants the individual access to their data. Access to data may be provided by issuing a copy of the data; however, the copy of data provided by the Company in response to the right of access will not be considered the first free copy of data for the purposes of data copy charges.
5. Upon request, the Data Controller provides the individual with a copy of their data and records the issuance of the first copy of data. The Data Controller establishes and maintains a price list for data copies, in accordance with which fees for subsequent data copies are charged. The price of data copies is calculated based on the estimated unit cost of processing the data copy request.
6. Upon an individual’s request, the Data Controller corrects inaccurate data. The Data Controller is entitled to refuse to correct data unless the individual reasonably demonstrates the inaccuracy of the data being corrected. In the event of data correction, the Company informs the individual about data recipients upon the individual’s request.
7. Upon an individual’s request, the Data Controller supplements and updates data. The Data Controller may refuse to supplement data if doing so would be inconsistent with the purposes of data processing (e.g., the Company does not have to process data that is unnecessary for the Company). The Data Controller may rely on the individual’s statement regarding the data being supplemented, unless it is insufficient in light of the procedures adopted by the Company (e.g., regarding the acquisition of such data), the law, or there are grounds to deem the statement unreliable.
8. At the request of an individual, the Data Controller deletes data when:
— the data is no longer necessary for the purposes for which it was collected or processed for other purposes,
— consent to their processing has been withdrawn, and there is no other legal basis for processing,
— the individual has lodged a successful objection to the processing of that data,
— the data was processed unlawfully,
— there is a legal obligation to delete the data,
— the request concerns data of a child collected based on consent for the provision of information society services directly to the child (e.g., a child’s profile on a social media platform, participation in a contest on a website).
The Data Controller defines the procedure for handling the right to delete data in such a way as to ensure effective exercise of this right while respecting all data protection principles, including security, as well as verification of whether exceptions specified in Article 17(3) of the GDPR apply.
If data subject to deletion has been made public by the Data Controller, reasonable steps, including technical measures, are taken to inform other data controllers processing the personal data about the need to delete the data and provide access to it.
In the event of data deletion, the Company informs the individual about data recipients upon the individual’s request.
DATA PROCESSING RESTRICTION
1. The Administrator restricts data processing upon the request of an individual when:
a) the individual contests the accuracy of the data – for a period allowing for the verification of their accuracy,
b) the processing is unlawful, and the individual whose data it concerns opposes the erasure of personal data and requests restriction of their use instead,
c) the Company no longer needs the personal data, but they are needed by the individual whose data it concerns for the establishment, exercise, or defense of legal claims,
d) the individual has objected to processing based on legitimate grounds related to their particular situation – until it is verified whether the Company’s legitimate grounds for processing override the individual’s grounds for objection.
3. During data processing restriction, the Data Controller retains the data but does not process it (does not use or transmit it) without the consent of the individual whose data it concerns, unless it is necessary for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest. The Company informs the individual before lifting the restriction on processing. In the case of data processing restriction, the Company informs the individual about data recipients upon the individual’s request.
4. Upon the request of an individual, the Company provides, in a structured, commonly used, and machine-readable format, or transfers to another data controller if possible, the data concerning that individual which they have provided to the Company, processed based on their consent or for the performance of a contract with them, in the Company’s information systems.
OBJECTION TO PROCESSING
1. If an individual raises an objection, based on their specific situation, against the processing of their data, and the data is processed by the Administrator based on a legitimate interest or a task carried out in the public interest, the Administrator will consider the objection unless there are legally valid grounds for processing by the Administrator that override the interests, rights, and freedoms of the objecting individual, or grounds for establishing, asserting, or defending legal claims.
2. Objection regarding scientific, historical, or statistical research. If the Administrator conducts scientific or historical research, or processes data for statistical purposes, an individual may object to such processing based on their specific situation. The Company will consider such an objection unless the processing is necessary for the performance of a task carried out in the public interest.
3. Objection to direct marketing. If an individual raises an objection to the processing of their data by the Administrator for the purposes of direct marketing (including profiling if applicable), the Administrator will consider the objection and cease such processing.
4. Right to human intervention in automated processing. If the Administrator processes data in an automated manner, including profiling individuals, and as a result, makes decisions that have legal effects or otherwise significantly affect the individual, the Administrator ensures the possibility of human intervention and decisions made by a human for the Company, unless such automated decision is necessary for the conclusion or performance of a contract between the objecting individual and the Company, or is explicitly authorized by the law, or is based on the clear consent of the objecting individual.
The Administrator ensures data minimization regarding the adequacy of data for their purposes (quantity of data and scope of processing), access to data, and data retention periods.
a) Scope Minimization
— The Administrator has verified the scope of data collected, the scope of their processing, and the quantity of processed data in terms of their adequacy for processing purposes as part of the GDPR implementation.
— The Administrator conducts periodic reviews of the quantity of processed data and the scope of their processing no less frequently than once a year.
— The Administrator performs verification of changes in the quantity and scope of data processing as part of change management procedures.
b) Access Minimization
The Administrator applies access restrictions to personal data:
— Legal (confidentiality obligations, authorization scopes),
— Physical (access zones, room locking),
— Logical (restrictions on permissions for systems processing personal data and network resources where personal data resides).
The Administrator applies physical access control.
The Administrator updates access permissions when there are changes in personnel composition, changes in roles of individuals, and changes in data processors.
The Administrator conducts periodic reviews of established system users and updates them no less frequently than once a year.
Detailed rules for physical and logical access control are included in the Company’s physical security and information security procedures.
c) Time Minimization
The Administrator implements mechanisms for controlling the lifecycle of personal data, including verifying the continued usefulness of data in relation to the deadlines and checkpoints indicated in the Register.
Data whose usefulness diminishes over time is deleted from ADM systems as well as from cache and primary records. Such data may be archived and included in backup copies of systems and information processed by ADM. Procedures for archiving and using archives, and for creating and using backup copies, take into account data lifecycle control requirements, including data deletion requirements.
ADM ensures a level of security appropriate to the risk of infringement of the rights and freedoms of individuals resulting from the processing of personal data.
1. Risk Analysis and Adequacy of Security Measures
The Administrator conducts and documents analyses of the adequacy of personal data security measures. For this purpose:
(1) ADM provides the appropriate knowledge about information security, cybersecurity, and business continuity – internally or with the support of specialized entities.
(2) ADM categorizes data and processing activities in terms of the risks they pose.
(3) ADM conducts risk analyses of potential infringements of the rights or freedoms of individuals for data processing activities or their categories. The Company analyses possible situations and scenarios of personal data protection breaches, considering the nature, scope, context, and purposes of processing, the risk of infringement of the rights or freedoms of individuals with varying probabilities and the severity of the threat.
(4) ADM determines feasible organizational and technical security measures and assesses the cost of their implementation. In this regard, the Company assesses the suitability of applying measures and approaches such as:
b) encryption of personal data,
c) other cybersecurity measures contributing to the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services,
d) measures to ensure business continuity and prevent the consequences of disasters, i.e., the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident.
2. Reporting Breaches
ADM applies procedures for identifying, assessing, and reporting identified data protection breaches to the Office for Personal Data Protection within 72 hours of discovering the breach.
The Administrator has principles for selecting and verifying data processors on behalf of the Company, developed to ensure that data processors provide sufficient guarantees for the implementation of appropriate organizational and technical measures to ensure security, the realization of individuals’ rights, and other data protection obligations incumbent on the Company.
The Administrator manages changes that impact privacy in such a way as to enable the provision of adequate security for personal data and the minimization of their processing.
To achieve this, the principles for conducting projects and investments by the Administrator refer to the principles of personal data security and minimization, requiring an assessment of the impact on privacy and data protection, as well as the consideration and design of security and data minimization from the outset of the project or investment.