These principles of personal data protection at ABAR EKSPORT-IMPORT Bogdan Kamiński, hereinafter also referred to as the Principles, security policy or Policy, aim to ensure the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR) and the Act of 10 May 2018 on the protection of personal data (hereinafter referred to as the Implementing Act).
The general principles of personal data protection at ABAR EKSPORT-IMPORT Bogdan Kamiński (hereinafter also referred to as the Policy or principles) are specified by this policy. If any of these principles are contrary to the GDPR or the Implementing Act, the GDPR and the Implementing Act shall apply.
For the purposes of these Principles, it is established that all definitions used in the text have the meaning described in the GDPR, except for:
Local network – connection of the Data Administrator’s IT Systems exclusively for its own needs using telecommunications devices and networks;
Data set – each set of data containing personal data;
Data processing – any operations performed on Personal Data, such as collecting, recording, storing, developing, changing, sharing and deleting, and especially those performed in the form of operations on the electronic Data Set;
Data security – technical measures and practices to protect data against their unauthorized Processing;
User identifier – a unique string of characters identifying the person authorized to process personal data;
Password – a unique string of characters known only to the person authorized to work with personal data.
1. The Data Administrator is ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office at ul. Podgórna, no. 11a, 05-074 Nowy Konik, entered into CEIDG, NIP: 5320016844, REGON: 010486360 (hereinafter referred to as ABAR or the Administrator).
2. The Policy applies to all Personal Data processed at ABAR EKSPORT-IMPORT Bogdan Kamiński, regardless of the form of their processing (paper, electronic files, IT systems).
3. The Policy is available for review at the request of any person or entity, and is stored in electronic and paper form at the Administrator’s registered office at ul. Podgórna, no. 11a, 05-074 Nowy Konik.
4. Each person processing personal data is required to familiarize themselves with this Policy. The Policy is permanently available for review by persons authorized to process personal data. Persons who should familiarize themselves with the Policy include, in particular, employees and associates of ABAR EKSPORT-IMPORT Bogdan Kamiński. Each person processing Personal Data should be authorized in writing to process in accordance with the “Authorization to Process Personal Data” – the Authorization template is Annex No. 2. The authorization may limit access to personal data.
5. For the effective implementation of the GDPR, the Data Administrator provides, among others, technical means and organizational solutions for data protection in the form of, among others, encryption, access passwords, keys and other physical means of limiting access. The authorized person may not use means of access to personal data belonging to other persons.
6. The Administrator periodically monitors and continuously controls the processing of personal data, ensuring compliance with, among others, the GDPR and the Policy. Persons authorized to process personal data constantly monitor the integrity and protection of data sets and devices used in their processing against interference by third parties.
7. Monitoring of the applied security measures by the Data Administrator includes, among others, Users’ actions, violation of data access rules, ensuring file integrity and protection against external and internal attacks.
1. Personal data processed by ABAR include: first and last name, PESEL number, date of birth, NIP, KRS, REGON, RHB, residential address and correspondence address, place of service provision and sale of products and other locations in which these Persons are interested, photos of persons or devices, numbers of identity documents or other similar documents, e-mail addresses or other identifiers used in electronic systems (in particular logins and user names of these systems).
2. The Data Administrator does not undertake processing activities that could be associated with a serious probability of high risk to the rights and freedoms of persons, and in the event of determining that such processing is taking place, the actions provided for in Article 35 et seq. of the GDPR should be taken immediately. The Administrator processes data only for commercial and advertising purposes.
3. The Data Administrator maintains a register of processing activities. The template of the register of processing activities constitutes Annex No. 1 to this policy.
1. Personal data are processed only to the extent necessary to achieve the purpose of data processing, in particular communication with the contractor and the preparation, delivery or sending of related documents and services.
2. It is not permissible to process the data of persons who are not employees, business partners of the Administrator, potential business partners, employees or persons associated with business partners, or who have not expressed their consent thereto, and there is no other basis for processing such data.
3. The period of data storage is limited to the period of their usefulness for the purposes for which they were collected, and after this period they are anonymized or deleted, or they are stored without their processing.
4. The information obligation is fulfilled towards the data subject in accordance with the content of art. 13 and 14 of the GDPR, subject to art. 6 sec. 1 letter b of the GDPR.
1. The Data Controller shall not provide data subjects with information in a situation where such data must be kept confidential in accordance with the obligation to maintain professional secrecy (Article 14, paragraph 5, point d of the GDPR).
2. Data should be protected against violations of the principles of their protection.
3. The following shall be considered in particular as a violation or attempted violation of the principles of processing and protection of Personal Data:
a) a breach of the security of electronic or IT systems in which personal data are processed, in the event of their processing in such systems or with their participation;
b) making data available or enabling the sharing of data to unauthorized persons or entities;
c) failure (intentional or unintentional) to ensure the protection of personal data, to keep personal data confidential and failure to comply with the principles and methods of securing them, regardless of whether this resulted in damage, loss, changes or unauthorized copying of Personal Data;
d) processing of Personal Data contrary to the purpose and scope for which it was obtained;
e) violation of the rights of persons whose data is processed.
4. In the event of a breach of personal data protection rules, the User (in particular the Employee) is obliged to take all necessary steps to limit the effects of the breach and to immediately notify the Data Administrator.
5. In the event of obtaining unnecessary data, such data must be immediately deleted permanently.
1. The Administrator ensures that in the scope of hiring, terminating or changing the terms of employment of employees or co-workers (persons undertaking activities for the Data Administrator on the basis of other civil law contracts), these persons:
• are adequately prepared to perform their duties,
• each employee has undertaken to keep the personal data processed in ABAR confidential. The “Declaration and commitment of the person processing personal data to keep confidential” is an element of the “Authorization to process personal data”.
• keep personal data and methods of securing them confidential;
• report incidents related to data security breaches and improper functioning of the system.
1. The area in which Personal Data is processed includes in particular the registered office of the Administrator, computers, telephones, tablets, CDs, pendrives, e-mail servers and virtual disks, as well as other data carriers located outside the area indicated above.
2. The security measures applied (technical and organizational) should be appropriate to the identified level of risk for individual systems, types of sets and categories of data and should not deviate from practices typical for this type of security.
The measures include:
a) Limiting access to the rooms in which personal data is processed only to duly authorized persons, using safes and cabinets locked with keys or otherwise blocked against access to them. During the period of absence, these rooms are closed and monitored using an automatic warning system (alarm).
b) Restricting the presence/access to data – other persons may stay in the rooms used for data processing or use their sets only in the company of an authorized person.
c) Destruction of unnecessary personal data and media using a document shredder and shredding software.
d) Protection of the local network and computers and similar devices using firewall/antispyware software.
e) Making backup copies of data according to the needs and technical possibilities.
f) Securing access to electronic devices using access passwords.
g) Use of data encryption during transmission.
Violations of personal data protection principles
1. The Administrator does not transfer Personal Data to other entities, except for making entries in registers kept by administrative bodies, in particular when it concerns social insurance or professional qualifications.
2. In each case in which the breach may have caused a risk of violating the rights or freedoms of natural persons, the Administrator shall report the breach of data protection principles to the supervisory authority without undue delay, no later than 72 hours after the breach was detected. The notification template is specified in Annex No. 4 to this policy.
1. In the event of a breach of Personal Data protection, the Administrator shall assess whether the breach may have caused a risk of violating the rights or freedoms of natural persons.
3. If the risk of violating the rights and freedoms is high, the Administrator shall also notify the data subject of the incident.
4. The Administrator shall not transfer Personal Data to a third country, except in situations where this occurs at the request of the data subject.
For failure to fulfill the obligations arising from this document, a person processing data in a manner inconsistent with the principles implemented in this Policy shall be liable, among others, on the basis of the Labor Code. The annexes constitute an integral part of this policy.
The following annexes constitute an inseparable part of this Security Policy:
Annex No. 1 – Register of personal data processing activities
Annex No. 2 – Template of authorization to process personal data.
Annex No. 3 – Template of Declaration and commitment of the person processing personal data
Annex No. 4 – Template of notification of violation of data protection principles to the supervisory authority
Annex No. 5 – Data protection measures in the IT system
Annex No. 6 – Information on data processing (for an individual).
Annex No. 7 – Consent to data processing (for an individual).
Register of personal data processing activities
1. Name and surname of the authorized person or name and contact details …………………………………………………..;
2. Description of the categories of data subjects and categories of personal data ………………………………………………………;
3. Purposes of personal data processing ………………………………………………………;
4. Categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or in international organizations ………………………………………………………;
Sample authorization to process personal data.
Authorization to process personal data on behalf of ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office at ul. Podgórna, No. 11a, 05-074 Nowy Konik
I hereby authorize: ……………… to process personal data within the scope of ………………
for the duration: period of employment/cooperation on behalf of ABAR EKSPORT-IMPORT Bogdan Kamiński
scope of authorisation: processed on paper media, in the IT system, personal data included in the set: ………………
………………, on ………………
………………
position
………………
workplace
Sample Declaration and commitment of the person processing personal data
DECLARATION
I declare that – in connection with the performance of my work for / on behalf of ABAR EKSPORT-IMPORT Bogdan Kamiński authorizing me to process personal data – I have been familiarized with the relevant provisions and standards of personal data protection, and I undertake to comply with the provisions on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, and the Security Policy. In connection with the above, I undertake to:
a. ensure the protection of personal data processed in the administrator’s files, and in particular ensure their security against disclosure to third parties and unauthorized persons, taking away, damaging and unjustified modification or destruction,
b. keep secret, even after the cessation of work, all information concerning the functioning of systems used to process personal data in the files made available to me,
c. immediately report to the data controller any observation of an attempt or fact of breaching the physical security of the room, the security of the file(s) or IT systems.
………………………………………. [signature of employee/co-worker]
Sample notification of a breach of data protection principles to the supervisory authority
…… on …….. 20…. of the year
……. (registration data and company stamp valid on the date of notification)….
Personal Data Protection Office / former GIODO
Dear Sirs/Madams
We hereby notify the supervisory authority of a breach of data protection principles consisting in …………..
As a result of the breach, the following personal data was disclosed to …….: ……………..
In connection with the above, protection measures were taken consisting of ……
The effects of the breach are assessed as …..
The interested parties were informed of the breach ……….
Yours sincerely
………..
Data protection measures in the IT system and archives
Data protection measures in ABAR EKSPORT-IMPORT Bogdan Kamiński.
The data administrator is responsible for the security of personal data in the IT system, performing their duties through an IT specialist, HR employees, managers and a specialist IT company.
Persons with access to the archive or IT system gain access to them after being authorized to process data. After being authorized to process data, the person receives the assigned user ID and password, or the right to access the archive in the form of the ability to download the appropriate key. Once the identifier is assigned or the key is downloaded, the person may gain access to the IT systems or archive to the extent appropriate to the given authorization.
In the archive, keys are used for its individual elements or separate archives are created by collecting materials in separate rooms. In the IT system, authentication is used at the level of access to the operating system, where an individual password is used.
Physical security should meet standards that prevent access by unauthorized persons. The minimum length of the password assigned to the user is 6 alphanumeric and special characters.
Procedures for starting, suspending and ending work by system users. Data protection.
After starting, the employee logs in using the user ID and password to the IT system. When ending or interrupting work, the user protects the device from access by third parties.
To protect the integrity of the data, data is periodically archived.
All archived data should be identified, i.e. contain such information as: the date of recording and the identifier of the data saved in the copy.
Media with archived copies should be protected against access by unauthorized persons, destruction or theft.
Media with archived data should not be stored in the same rooms where data used on an ongoing basis is stored. Information carriers, backup copies that are not intended to be made available, are stored in conditions that prevent access to them by unauthorized persons.
Copies and data that are no longer useful should be destroyed physically or by using erasure through multiple recording of irrelevant information in the area occupied by the deleted data.
It is prohibited to remove any recorded media containing personal data from the workplace outside of archiving.
Method of securing the IT system against the activity of computer viruses, unauthorized access and power failures
The IT system is protected against the operation of software aimed at obtaining unauthorized access.
Employees may use e-mail for business purposes and for private purposes to the extent limited by their duties. The administrator may learn the content of electronic messages used by employees located in all of the administrator’s systems.
It is prohibited to open e-mails from an unknown sender or with a suspicious title (so-called phishing e-mail). In particular, it is prohibited to open links or download files saved in external communication from an unknown sender.
Methods of implementing data processing requirements in the system (method of implementing the requirement to save information about data recipients in the IT system)
Information about data recipients is saved in the IT system from which the data was made available, taking into account the date and scope of the sharing, as well as the exact identification of the data recipient.
Procedures for performing inspections and maintenance of the system and information media used for data processing
Control inspections, hardware and software servicing should be performed by service companies with which agreements have been concluded containing provisions obliging them to observe the principles of confidentiality of information obtained as part of the tasks performed.
When performing servicing, the following principles should be observed:
a) servicing activities should be performed in the presence of a person authorized to process data,
b) before starting these activities, data and programs in the system should be protected against their destruction, copying or improper modification,
c) servicing work should be recorded in a book containing the type of servicing activities performed, dates of commencement and completion of the service, a record of the persons performing the servicing activities, i.e. property and name, as well as persons participating in the servicing work,
d) in the case of servicing work performed by an external entity requiring access to personal data, appropriate personal data entrustment agreements should be concluded with such entity.
Information on data processing (for a natural person).
. …… on …….. 20….
……. (registration data and company stamp valid on the date of notification)….
……….(personal data of the person)
Dear Sir/Madam
We hereby inform you that we have become the administrator of your personal data, which we will process only for the purposes of performing the contract concluded with you and in connection with the rights acquired by you in ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office at ul. Podgórna, no. 11a, 05-074 Nowy Konik, entered into CEIDG, NIP: 5320016844, REGON: 010486360.
The data administrator is ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office at ul. Podgórna, No. 11a, 05-074 Nowy Konik, entered in CEIDG, NIP: 5320016844, REGON: 010486360. The only recipients of your data may be manufacturers or importers of purchased items or services, companies providing transport services for purchased items and service services, as well as administrative bodies (in particular Tax Offices – for tax purposes to determine the appropriate taxes).
The data will be stored for the period of cooperation, the period of realization of the purpose of processing (in particular the execution of contracts) or until the withdrawal of consent to their processing. You have the right to view, change or delete them, however, we would like to draw your attention to the fact that they are necessary for the execution of the contract or the exercise of rights (in particular the right of ownership to real estate) acquired in cooperation with us or the acquisition of which is planned. After the end of the above period, your data will be destroyed. The Administrator profiles your data only in terms of the location of the property purchased (or which you have demonstrated your willingness to purchase).
We kindly inform you that in the event of a violation of your rights, you have the right to lodge a complaint with the supervisory authority.
Yours sincerely
………..
Consent to data processing (for a natural person).
I, the undersigned ………………., residing in ………, ………… , with NIP/REGON/PESEL No. ………., consent to the processing of my personal data by ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office at ul. Podgórna, No. 11a, 05-074 Nowy Konik, entered into CEIDG, NIP: 5320016844, REGON: 010486360, for the duration of the contract, the period for which I acquire or will acquire rights or the time of cooperation (with ABAR EKSPORT-IMPORT Bogdan Kamiński and its subsidiaries – including ……………………) and the time necessary to protect or maintain my rights related to the above.
I confirm receipt of information on my rights related to the processing of personal data.
………..
(date and place, legible signature)