- This Policy is a personal data protection policy within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ L 119, p. 1) – hereinafter GDPR.
- The policy includes:
a) a description of the data protection principles in force in Revitum,
b) best practices or instructions regarding specific areas of personal data protection.
- Maria Biernacik Bańkowska, as the entrepreneur who is the administrator of the personal data processed by Revitum, is responsible for the implementation and maintenance of this Policy, or a person appointed by her to ensure that the processing of Revitum customers' personal data complies with the provisions in force in the field of personal data protection.
- The Data Protection Inspector, Katarzyna Łyszkowska, is responsible for supervising and monitoring compliance with the Policy (e-mail: firstname.lastname@example.org).
- The following are responsible for applying this Policy:
a) Revitum staff who have access to personal data;
b) Specialists cooperating with Revitum who process personal data of Revitum Customers;
c) entities to which Revitum will provide personal data of its clients.
- Revitum’s obligations regarding data protection include:
a) facilitating the exercise by the data subject of his or her rights under the GDPR (the right to information, to access and rectify data, to have data deleted – the right to be forgotten, to restrict processing, to data portability, and to object);
b) the information obligation fulfilled when collecting personal data;
c) special care when processing personal data in order to protect the interests and rights of the persons whose data it processes;
d) providing information on the scope of personal data being processed, enabling the data subject to monitor data processing;
e) the obligation to supplement, update or rectify data, to temporarily or permanently suspend the processing of disputed data, or to remove it from the collection, if this is requested by the person whose data is processed by the administrator;
f) the obligation to implement and apply technical and organizational measures that ensure the protection of processed personal data appropriate to the threats and to the categories of data protected, and that make it possible to demonstrate that personal data is processed in accordance with the GDPR;
g) controlling what data was entered into the collection, when and by whom, and to whom it is disclosed or transferred (data recipients); creating and maintaining a register of personal data processing activities kept by the Personal Data Administrator; and informing data recipients about the rectification, deletion or restriction of processing of personal data;
h) keeping records of persons authorized to process personal data;
i) enabling the transfer of a data subject's data to another service provider by generating a file containing the personal data processed;
j) where the processing of personal data is entrusted to another entity – verifying that the processing entity is able to meet the obligations and requirements set out in the GDPR;
k) implementing and applying the Procedure for detecting, analyzing and reporting breaches of data protection and, where possible, informing data subjects about such breaches (Procedure for notifying the person concerned about a breach of personal data);
l) conclusion of contracts entrusting data processing with the processing entity and control of their performance – if entrusting data processing to an external entity;
m) cooperation with the Supervisory Body in performing tasks in the field of personal data protection;
n) designating a person who will act as a Personal Data Inspector.
II ABBREVIATIONS AND DEFINITIONS:
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU Official Journal L 119, p. 1).
Data – personal data, unless otherwise explicitly stated in the context.
Data of special categories – data listed in Article 9(1) GDPR, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a natural person, and data concerning health or a person's sex life or sexual orientation.
Criminal data – data listed in Article 10 of the GDPR, i.e. data on convictions and violations of law.
Data on children – data on persons under 16 years old.
Person – the data subject, unless otherwise clearly stated in the context.
Revitum customer – a natural person using services or making purchases at Revitum branches.
Specialist – a natural person providing services offered by Revitum on the basis of a civil law agreement between the Specialist and Revitum.
Processing entity – the organization or person entrusted with the processing of personal data by Revitum (e.g. IT service provider, external accounting, specialists).
Profiling – any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyze or forecast aspects of the natural person’s work effects, economic situation, health, personal preferences, interests, credibility, behavior, location or movement.
Data export – data transfer to a third country or international organization.
IOD / Inspector – Personal Data Protection Inspector Katarzyna Łyszkowska.
RCPD / Register – Register of Personal Data Processing Activities.
III. PROTECTION OF PERSONAL DATA IN REVITUM – GENERAL RULES
The pillars of personal data processing by Revitum are:
a) legality – Revitum cares for the protection of privacy and processes data in accordance with the law;
b) security – Revitum ensures an adequate level of data security, constantly taking action in this area;
c) individual rights – Revitum enables data subjects to exercise their rights and gives effect to those rights;
d) accountability – Revitum documents how it fulfills its obligations so that it can demonstrate compliance at any time.
Personal data must be processed in accordance with the following principles:
a) compliance with the law (based on a legal basis and in accordance with applicable regulations in this respect) and reliability and transparency for the data subject;
b) limiting the purpose of collecting personal data (to specific explicit and legitimate purposes);
c) minimization and adequacy of the collected data – their limitation to the minimum necessary as part of the purpose for which the data is processed (no more than necessary and not “on stock”);
d) correctness – ensuring correctness and – if possible – timeliness of processed data;
e) storage restrictions – for a period that is necessary for the purposes for which this data is processed;
f) integrity and confidentiality – in a manner ensuring adequate security of processed data;
g) ensuring security – the Administrator’s responsibility for compliance with the principles of personal data protection (the ability to demonstrate compliance with the principles of personal data protection).
IV DATA PROTECTION SYSTEM
The Revitum personal data protection system consists of the following elements:
Data inventory.
1.1. Revitum identifies personal data resources, the categories of data collected and processed and the dependencies between data resources, and identifies the ways in which data is used.
1.2. From Revitum customers, in order to provide paramedical services, Revitum collects data of the following categories: first name, last name, date of birth, address, telephone number and e-mail address.
1.3. Data of special categories are processed only on the basis of the consent of the data subjects, and in the case of children’s data – on the basis of the consent of their legal representatives, including for the provision of services by Revitum or cooperating entities, and only for the period necessary for the proper performance of the service, including limitation period for any claims related thereto.
1.4. Revitum does not collect or process criminal data.
1.5. Where unidentified data is collected by recording the monitoring of premises, Revitum clearly informs its clients, employees and associates (in particular through clear information about the monitoring and the possible processing of unidentified data) and ensures that the persons to whom the unidentified data relates can exercise their rights.
2.1. For all categories of data processed by itself or cooperating entities, Revitum maintains a Register of Personal Data Activities (Registry), which is a tool for settling data processing compliance, in which it monitors the manner in which it uses personal data of individual categories.
2.2. In the Registry, Revitum records at least: (i) the name of the activity; (ii) the purpose of processing; (iii) a description of the categories of persons; (iv) a description of the categories of data; (v) the legal basis for processing, together with a specification of the category of Revitum's legitimate interest where that basis is a legitimate interest; (vi) the method of data collection; (vii) a description of the categories of data recipients (including processors); (viii) information on transfers outside the EU/EEA; (ix) a general description of the technical and organizational data protection measures.
Legal grounds for processing.
3.1. Revitum provides the legal basis for data processing and collects it in the Register for individual processing activities. For this purpose:
a) maintains a consent management system for data processing and distance communication, keeping an appropriate register of consents granted for data processing that records the date of withdrawal of consent and other actions notified by the data subject (objection to data processing, request to limit data processing, etc.);
b) collects and stores consents to the processing of personal data (a specimen consent form is used; consent is given in writing in duplicate, one copy of which is kept by Revitum and the other received by the data subject);
c) inventories and details the justification of the cases in which data processing is to take place on the basis of Revitum's legitimate interest, and ensures that the head of the organizational unit or the Revitum associate concerned knows the detailed and specific interest of Revitum pursued by processing that personal data;
d) when indicating the general legal basis for data processing, Revitum clarifies, as far as possible, the detailed scope of that basis by indicating the specific legal provision, document, scope of consent granted or specific purpose that justifies the data processing.
Handling individual rights.
4.1 Revitum fulfills the disclosure obligations towards persons whose data it processes, and provides support for their rights by fulfilling the requests received in this regard. To this end, Revitum:
a) when collecting data, provides the data subjects with the required information and organizes and documents the fulfillment of these obligations by including information clauses in accordance with the GDPR in the consent form for the processing of personal data;
b) upon each request, provides information within the scope specified in a separate Procedure;
c) verifies and ensures the possibility of effective execution of any type of request for personal data by itself and its processors, provided that the fulfillment of these requests is not associated with excessive costs for Revitum;
d) applies procedures to detect violations in the processing of personal data and determine the need to notify persons affected by an identified breach of data protection.
5.1. Revitum ensures minimization of data processing in terms of data adequacy for purposes (category, amount of data and scope of their processing), data access and storage time. For this purpose:
a) ensures that the data collected in the Revitum IT system are limited only to the data necessary for the proper provision of services by Revitum Specialists;
b) performs periodic (at least once a year) reviews of the amount of data processed and the scope of their processing;
c) applies restrictions on access to personal data of the following categories:
- legal: authorization to process personal data, confidentiality obligations, contracts for entrusting the processing of personal data;
- physical: locked rooms in which personal data are collected and processed
- logical: restrictions on the rights to systems in which personal data are processed and network resources in which personal data are collected;
d) whenever the access or processing performed by personnel or processors changes, access rights and authorizations are updated;
e) periodically controls the life cycle of personal data, including verifying the continued usefulness of data against the deadlines and control points indicated in the Register. Data whose scope of use has diminished over time is removed from the Revitum system as well as from working and main files. Such data may also be held in archives, on backup systems and in other information processed by Revitum; the procedures for archiving and using archives and for creating and using backups therefore take into account the requirements of data life cycle control, including the requirement to remove data.
5.2. Authorizations to process personal data are granted by the Personal Data Administrator in the form of a written document, after the person being authorized has been trained or otherwise familiarized with the protection of personal data. Authorization is granted individually, with a clear indication of the categories of data it covers. Each person who has obtained an authorization to process data is obliged to protect the data in a manner consistent with the provisions of the Act, the GDPR and this Policy.
5.3. An authorized person is obliged to keep secret both the personal data and the means used to secure it. This obligation continues after the termination of employment. The authorization contains a provision by which the person accepts the obligation to keep the personal data processed secret.
5.4. Security measures and principles adopted by Revitum, including the principles of data access control, are described in item 6 below.
6.1. Revitum ensures an appropriate level of data security, including by:
a) carrying out risk analyses for data processing activities or categories thereof;
b) carrying out data protection impact assessments where the risk of violating the rights and freedoms of persons is high;
c) adapting the data protection measures to the risks identified;
d) operating an information security management system;
e) applying procedures to identify, evaluate and report identified data protection breaches to the Data Protection Authority;
f) ensuring appropriate knowledge of information security and cyber security.
6.2. Before implementing the security measures, Revitum analyzed the risk of violating the rights or freedoms of natural persons for its data processing activities, including possible situations and scenarios of personal data breach, taking into account the nature, scope, context and purposes of processing and the likelihood and severity of the threat to the rights and freedoms of natural persons.
6.3. Based on the above analysis, Revitum has adopted the following security principles and measures:
6.3.1. Access to personal data is held by Maria Biernacik – Bańkowska (Revitum), the Data Protection Inspector and the persons authorized to process it.
6.3.2. Persons not authorized to process data may stay in a room where personal data is processed only in the presence of a person authorized to process it, unless the data is properly secured against access.
6.3.3. For the security of personal data processing in a given set, individual responsibility is primarily given to each person authorized to process them.
6.3.4. Employees / associates having access to personal data may not disclose it both at the workplace and outside of it, in a way that goes beyond activities related to their processing within the scope of official duties, as part of the authorization to process data.
6.3.5. Individual passwords and IDs for IT systems may not be shared with anyone.
6.3.6. Bulk e-mails must be sent using the blind carbon copy (BCC, “hidden copy”) option, so that recipients' addresses are not disclosed to one another.
6.3.7. Personal data may not be provided to other entities in response to a request made in the form of a telephone inquiry.
6.3.8. At the place of processing personal data recorded in paper form, employees / associates are obliged to apply the so-called “Clean desk.” This rule means that materials containing personal data will not be left in a place enabling physical access to them by unauthorized persons. Each employee is responsible for the implementation of the above principle.
6.3.9. Destruction of drafts, incorrect or unnecessary copies of materials containing personal data must be carried out in a way that prevents reading of the content contained therein, e.g. using shredders.
6.3.10. It is unacceptable to take materials containing personal data outside the processing area without being related to the performance of official duties. In this case, the person making the removal is responsible for the security and return of materials containing personal data.
6.3.11. After finishing work in an IT system in which personal data is stored, the user must log out of the system.
6.3.12. A person using a portable computer containing personal data is obliged to exercise extreme caution during its transport, storage and use outside the area in which personal data are processed.
6.3.13. Unauthorized persons may stay in a room where personal data is processed only in the presence of a person authorized to process personal data, unless the data is properly secured against access.
6.4. In a situation where, according to a risk analysis, the risk of violation of the rights and freedoms of persons is high, Revitum assesses the effects of planned personal data processing operations on the protection of personal data.
6.5. In order to ensure an adequate level of security of personal data, Revitum applies procedures enabling the identification and assessment of a personal data breach and its reporting to the Data Protection Office within 72 hours of the breach being established. As far as technically possible, Revitum immediately informs the data subject that the protection of his or her personal data may have been breached.
7.1. Revitum selects its data processors subject to the requirements as to data processing conditions specified in the entrustment agreement, so as to ensure that the processors give sufficient guarantees of implementing appropriate organizational and technical measures ensuring data security, the exercise of individual rights and the other data protection obligations incumbent on Revitum.
7.2. Entities entrusted with the processing of data by Revitum are required to apply at least the requirements that Revitum applies in the field of personal data protection and to ensure their integrity and confidentiality and are responsible for the processing of personal data in accordance with applicable law and regulations adopted by Revitum.
7.3. Revitum periodically controls and accounts for processors in the scope of requirements arising from the rules of entrusting personal data.
8.1. Revitum has rules to verify that it does not transfer data to third countries (i.e. outside the EU, Norway, Liechtenstein, Iceland) or to international organizations and to ensure the lawful conditions for such transfers, if any.
8.2. The Register records data exports outside the EEA. To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services, Revitum periodically verifies the behavior of system users (employees and associates) and, where possible, provides equivalent lawful solutions.
Privacy by design.
9.1. Revitum manages changes that affect privacy. To this end, the procedures for launching new projects and investments in Revitum take into account the need to assess the impact of a given change on data protection, risk analysis, ensuring privacy (including compliance of processing purposes, data security and minimization) already at the design stage of the change, investment or at the beginning of a new project.
9.2. If it is determined that the planned project carries a significant risk of violating the rights and freedoms of persons in the field of data protection, Revitum will make the necessary modification of the project or intent to ensure adequate data protection, or deviate entirely from the plans to implement the given project or intent.
10.1. Revitum has rules for verification when there are cases of cross-border processing and rules for determining the lead supervisory body and the main organizational unit within the meaning of the GDPR.
V FINAL PROVISIONS
- This Policy enters into force on May 25, 2018. Any changes to the Policy must be in writing to be valid.
- In matters not covered by this Policy, the relevant procedures attached to this Policy and generally applicable law apply.