REALIZATION OF THE RIGHTS OF THE DATA SUBJECTS
1. It is our duty to ensure that the rights of data subjects that they have in connection with the processing of their personal data are respected. The implementation of the rights of persons burdens the persons responsible for individual data processing activities, which determine the manner of handling the applications of natural persons in this respect. Nevertheless, as part of our organization, any person who processes personal data may receive such a request, hence it is important to know the rights that the data subjects may pursue.
2. This paragraph describes key elements related to the exercise of the rights of data subjects, however, if such rights are exercised by those persons towards the Company, persons responsible for their implementation should strictly apply the provisions of Articles 16-22 of the GDPR.
3. Each person has the right to control the processing of data concerning him, contained in data files, in particular the right to:
- 1) obtain comprehensive information on the processing of data, and to determine the data controller, address of its registered office and full name,
- 2) obtain information about the purpose, scope and method of data processing,
- 3) obtain information as from when data concerning him or her is processed, until when it is planned to be processed and given in a generally understandable form the content of such data,
- 4) obtain information about the source from which the data relating to him or her originate, unless the Controller is obliged to keep confidential information secret or keep professional secret in this respect.,
- 5) obtain information on the method of data sharing, in particular information on the recipients or categories of recipients to whom these data are made available,
- 6) obtain information about the right to lodge a complaint to the supervisory authority,
- 7) obtain information on automated decision making, including profiling,
- 8) request rectification of inaccurate personal data,
- 9) request for the erasure of personal data concerning him or her, if circumstances arise from article 17 (1) of the GDPR (right to be forgotten),
- 10) demand from the controller restriction of processing, in the cases described in Article 18 (1) of the GDPR,
- 1) data portability in accordance with Article 20 of the GDPR,
- 11) when data processing takes place due to the legitimate interest of the Company, submitting:
- a. written, motivated request to cease processing of its data due to its special situation,
- b. object to the processing of his or her data, if the Controller intends to process it for marketing purposes or to transfer his or her personal data to another data controller.
4. In the event of a request for information about personal data being processed on a written application from the data subject, the reply must be made within 30 days from the date of its receipt. The answer may be given in writing or in another form indicated by the applicant.
5. The data subject may request information, not more often than once every six months. For any further copies requested by the data subject, the Company will charge a reasonable fee resulting from administrative costs.
6. If a person objects to the processing of his or her data, the information on objection is forwarded to the Personal Data Protection Coordinator. Further processing of the data in question is unacceptable. However, the Personal Data Protection Coordinator may leave in the collection the name and surname of the person, as well as the ID number or address only in order to avoid re-use of that person’s data for the purposes covered by the objection.
7. The data subject has the right to request the Company to erasure of personal data concerning him or her without undue delay and the Company shall have the obligation to erase personal data without undue delay if the conditions for sending such a request are met. If, during the course of the business, the Company has made the personal data public, it takes reasonable steps, including available technology and implementation cost, including technical measures to inform the controllers processing this personal data that the data subject requests the erasure by such controllers of any links to, or copy or replication of, those personal data.. This does not apply to the transfer of data for the purpose of implementing legal provisions or pursuing claims.
8. Execution of the right to data portability may take place only when processing data on the basis of consent or for the purpose of contract performance. In this case, the data subject has the right to receive, in a structured, commonly used format, readable personal data about him or her that he or she has provided to the Company.
TASKS OF PERSONS RESPONSIBLE FOR DATA PROTECTION
1. Responsible for data security are:
- 1) Controller,
- 2) Data Protection Officer, if established, and in the absence of his appointment Personal Data Protection Coordinator,
- 3) IT Network Administrator,
- 4) employees authorized to process personal data.
2. Tasks of the DPO / Personal Data Protection Coordinator include:
- 1) participating in the creation, implementation and interpretation of personal data protection documentation, standards, recommendations and procedures regarding the processing of personal data,
- 2) coordinating activities in the field of personal data protection,
- 3) monitoring compliance with the law on personal data, as well as the Policy and Instruction,
- 4) informing the Controller and employees who process personal data about their obligations under the law,
- 5) close cooperation with INA in the scope of establishing rules and supervision over the correctness of personal data processing in IT systems,
- 6) familiarize the persons employed in the processing of personal data with the provisions on the protection of personal data by conducting training,
- 7) keeping the Record of Processing Activities and Record of Processing Activities Category,
- 8) giving opinions on contracts regarding entrusting third parties with the processing of personal data,
- 9) undertaking appropriate actions in case of detection of violations or suspected security breaches,
- 10) participation in the Data Protection Impact Assessment,
- 11) contact with the supervision authority,
- 12) acting as a contact point for the supervisory authority in matters related to processing, including prior consultations referred to in Article 36 of the GDPR.
3. Tasks of IT Network Administrator include:
- 1) registering and unregistering system users,
- 2) changing the rights of system users,
- 3) compliance with the security procedures developed for the system,
- 4) maintaining the IT system in technical efficiency,
- 5) preventing access of unauthorized persons to the IT system in which personal data are processed,
- 6) configuring devices and software for processing personal data, as required,
- 7) updating and configuring the antivirus software,
- 8) responding to security breaches and removing their consequences,
- 9) supervision of proper use and servicing of devices and software,
- 10) keeping the system work log, which contains descriptions of all events relevant to the operation of the IT system, in particular in the event of a failure – description of the failure, cause of failure, damage resulting from a breakdown,
failure removal method, description of the system after a breakdown, conclusions,
- 11) in the case of system maintenance – description of actions taken, conclusions,
- 12) making backup copies of IT databases in which personal data are processed and backup copies of information systems,
- 13) keeping technical documentation of systems,
- 14) informing the Controller or DPO about any events related to or likely to affect the security of the ICT system.
4. Employees, regardless of the legal relationship regulating the basis of their employment, are obliged to:
- 1) confidentiality of personal data to which they have access, as well as ways to secure this data, both during and after termination of the relationship,
- 2) compliance with internal regulations in force in the Company that involve the protection of personal data, including Policy and Instructions,
- 3) report noticed security incidents related to the protection of personal data.