INFORMATION SECURITY POLICY
“LOCO spółka z ograniczoną odpowiedzialnością” Sp. k.
with its registered office in Warsaw
under KRS no. 0000499544
Warsaw, May 21, 2018
This Security Policy, hereinafter referred to as the Policy, has been prepared in order to demonstrate that personal data is processed and secured in accordance with the legal requirements regarding data processing and data protection rules, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).
1. Data Administrator – “LOCO spółka z ograniczoną odpowiedzialnością” Sp. k. with its registered office in Warsaw (KRS no. 0000499544), ul. Sienna 72 lokal 14, 00-833 Warszawa.
2. Personal data – all information relating to an identified or identifiable natural person.
3. IT system – a set of cooperating devices, programs, information-processing procedures and software tools used for data processing.
4. User – a person authorized by the Data Administrator to process personal data.
5. Data file – any structured set of personal data accessible according to specific criteria.
6. Data processing – any operation performed on personal data, such as collection, recording, storage, organisation, modification, sharing and deletion, whether in traditional form or in IT systems.
7. User ID – a string of letters, digits or other characters uniquely identifying a person authorized to process personal data in the IT system (the User), where personal data is processed in such a system.
8. Password – a string of letters, digits or other characters known only to the person authorized to work in the IT system (the User), where personal data is processed in such a system.
9. Authentication – an action whose purpose is to verify the declared identity of an entity (the User).
I. General provisions
1. The Policy applies to all Personal Data processed at “LOCO spółka z ograniczoną odpowiedzialnością” Sp. k. with its registered office in Warsaw (KRS no. 0000499544), ul. Sienna 72 lokal 14, 00-833 Warszawa, regardless of the form of its processing (traditionally processed files, information systems) and of whether the data is or can be processed in data files.
2. The Policy is stored in electronic and paper form at the Administrator’s office.
3. The Policy is made available, on request, to persons authorized to process personal data, as well as to persons to whom such authorization is to be granted, so that they can become acquainted with its content.
4. The Code of Ethics of Property Managers and Realtors adopted by the National Council of the Polish Real Estate Federation on December 9, 2013 applies to the processing of data obtained in connection with activities covered by real estate broker professional secrecy.
5. For effective implementation of the Policy, the Data Administrator provides:
a) technical means and organizational solutions appropriate to the threats and the categories of data to be protected,
b) control and supervision over the processing of personal data,
c) monitoring of the protection measures used.
6. The Data Administrator’s monitoring of the protection measures applied covers, among other things, Users’ actions, violations of data access rules, file integrity, and protection against external and internal attacks.
7. The Data Administrator ensures that the activities performed in connection with the processing and protection of personal data are consistent with this Policy and the applicable law.
II. Personal data processed by the Administrator
1. Personal data processed by the Data Administrator is collected in data files.
2. The Data Administrator does not undertake processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. Where such activities are planned, the Administrator will carry out the activities specified in art. 35 et seq. of GDPR.
3. When planning new processing activities, the Administrator analyses their consequences for the protection of personal data and takes data protection into account at the design stage.
4. The Data Administrator keeps a record of processing activities. The template of the record of processing activities constitutes Appendix No. 1 to this Policy.
III. Obligations and responsibilities in the field of security management
1. All persons are obliged to process personal data in accordance with the applicable regulations and with the Security Policy established by the Data Administrator, the IT System Management Instruction, and other internal documents and procedures related to the processing of personal data at “LOCO spółka z ograniczoną odpowiedzialnością” Sp. k. with its registered office in Warsaw (KRS no. 0000499544), ul. Sienna 72 lokal 14, 00-833 Warszawa.
2. All personal data in the Office is processed in accordance with the processing rules provided for by law:
a) in every case there is at least one legal basis for data processing provided for by law.
b) data is processed fairly and in a transparent manner.
c) personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with those purposes.
d) personal data is processed only to the extent necessary to achieve the purpose of processing.
e) personal data is accurate and updated as necessary.
f) the storage period is limited to the period for which the data is useful for the purposes for which it was collected; after this period the data is anonymized or deleted.
g) the information obligation under art. 13 and 14 of GDPR is fulfilled.
h) the data is protected against breaches of its protection rules.
3. The Data Administrator does not provide data subjects with this information in situations where the data must remain confidential under the duty of professional secrecy (Article 14(5)(d) of GDPR).
4. A violation or attempted violation of the principles of processing and protection of personal data is understood, in particular, as:
a) a breach of the security of IT systems in which personal data is processed, if it is processed in such systems;
b) providing or enabling access to data to unauthorized persons or entities;
c) omission, even if inadvertent, of the obligation to protect personal data;
d) failure to comply with the obligation to keep Personal Data and the methods of protecting it secret;
e) processing of Personal Data outside the assumed scope and purpose of its collection;
f) causing damage, loss, uncontrolled change or unauthorized copying of Personal Data;
g) violation of the rights of persons whose data is processed.
5. Upon discovering circumstances indicating a violation of personal data protection rules, the User is obliged to take all necessary steps to limit the consequences of the infringement and to immediately notify the Data Administrator.
6. When employing, terminating or changing the terms of employment of employees or co-workers (persons performing activities for the benefit of the Data Administrator under other civil law agreements), the Data Administrator must ensure that:
a) employees are properly prepared to perform their duties,
b) each person processing personal data has been authorized in writing to do so in accordance with the “Authorization for the processing of personal data”, the template of which constitutes Appendix No. 2 to this Security Policy,
c) each employee has undertaken to keep personal data processed in the office confidential. The “Declaration and commitment of the data processor to confidentiality” constitutes an element of the “Authorization for personal data processing”.
7. Employees are required to:
a) strictly comply with the scope of the authorization granted;
b) process and protect personal data in accordance with the provisions;
c) keep personal data and the methods of securing it confidential;
d) report incidents related to violations of data security and malfunctioning of the system.
IV. Area of personal data processing
1. The area in which personal data is processed at “LOCO spółka z ograniczoną odpowiedzialnością” Sp. k. with its registered office in Warsaw (KRS no. 0000499544), ul. Sienna 72 lokal 14, 00-833 Warszawa, includes the office space of “LOCO spółka z ograniczoną odpowiedzialnością” Sp. k. located in Warszawa, ulica Sienna 72 lok. 14.
2. In addition, the area in which Personal Data is processed includes portable computers and other storage media used outside the area indicated above.
V. Definition of technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data
1. The Data Administrator ensures the application of the technical and organizational measures necessary to ensure the confidentiality, integrity, accountability and continuity of the processed data.
2. The protection measures applied (technical and organizational) should be adequate to the level of risk identified for individual systems, types of files and categories of data. The measures include:
a) restricting access to rooms in which personal data is processed to authorized persons only; other persons may be present in rooms used for data processing only when accompanied by an authorized person.
b) locking the rooms forming the Area of Personal Data Processing specified in point IV above while employees are absent, in a way that prevents access by third parties.
c) using lockers and safes to secure documents.
d) using a shredder to effectively destroy documents containing personal data.
e) protecting the local network against actions initiated from outside by means of a firewall.
f) making backup copies of data on external disks.
g) protecting computer hardware used by the Administrator against malware.
h) securing access to office equipment at LOCO spółka z o.o. spółka komandytowa in Warsaw (KRS no. 0000499544) using access passwords.
i) using data encryption for transmission.
VI. Violations of the rules of personal data protection
1. In the event of a personal data breach, the Administrator assesses whether the breach could have resulted in a risk to the rights or freedoms of natural persons.
2. Whenever the breach could have resulted in a risk to the rights or freedoms of natural persons, the Administrator reports the breach of data protection rules to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the breach is discovered. The report template constitutes Appendix No. 3 to this Policy.
3. If the risk to rights and freedoms is high, the Administrator also notifies the data subject of the incident.
VII. Entrusting the processing of personal data
1. The Personal Data Administrator may entrust the processing of personal data to another entity only by way of an agreement concluded in writing, in accordance with the requirements indicated for such agreements in art. 28 of GDPR, and only if it is data that may be disclosed without violating professional secrecy.
2. Before entrusting the processing of personal data, the Administrator, as far as possible, obtains information about the previous practices of the processor regarding the protection of personal data.
VIII. Transmission of data to a third country
The Personal Data Administrator will not transfer personal data to a third country, except where the transfer takes place at the request of the data subject.
IX. Final Provisions
1. For failure to comply with the obligations under this document, the employee is liable under the Labour Code, the Personal Data Protection Regulations and, with regard to personal data covered by professional secrecy, the Penal Code.