Protection policy
personal data

This Data Protection Policy ("Policy"), has been drawn up to demonstrate that personal data is processed and secured in accordance with the requirements of the law relating to the Company's data processing and security rules, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter RODO).

You can contact us:

• by post - Company Office ul. Łużycka 25a, 59-900 Zgorzelec
• by telephone - 756408105
• by e-mail - biuro@topping-work.pl
• in another way, which we indicate on the website

Definitions:

1. Data Administrator/ Company - Topping Work Europe sp. z o.o. in Zgorzelec
2. Personal data - any information relating to an identified or identifiable natural person
3. Information system - a set of cooperating devices, programs, information processing procedures software tools used to process data
4. User - a person authorized by the Data Controller to process personal data
5. Data set - any structured set of data of a personal nature, accessible according to specific criteria
6. Data processing - any operation performed on Personal Data such as collection, recording, storage, processing, alteration, disclosure and deletion in traditional form and in computer systems
7. User identifier - a sequence of letter, digital or other characters uniquely identifying the person authorized to process personal data in a computer system (the User) in case personal data are processed in such a system.
8. Password - a sequence of letter, digital or other characters known only to a person authorized to work in a computer system (User) in case of processing personal data in such a system
9. Authentication - an action whose purpose is to verify the declared identity of the subject (User).

I. General provisions

1. The Policy applies to all Personal Data processed at the Company regardless of the form of processing (traditionally processed record collections, IT systems) and whether the data is or can be processed in data sets.
2. The policy is stored electronically and in hard copy at the Administrator's office.
3. For the effective implementation of the Policy, the Data Controller shall ensure:
   1. technical measures and organisational solutions appropriate to the risks and categories of data to be protected,
   2. control and supervision of the Processing of personal data,
   3. monitoring the protection measures applied.
4. The Data Controller's monitoring of the security measures in place includes, but is not limited to, the actions of Users, data access violations, ensuring file integrity and protecting against external and internal attacks.
5. The Data Controller shall ensure that the activities carried out in relation to the processing and safeguarding of personal data comply with this policy and the relevant legislation

II. Personal data processed at the Administrator, Register of activities

1. Personal data processed by the Data Controller is collected in Data Sets.
2. The controller shall not undertake processing activities that are likely to present a serious likelihood of high risks to the rights and freedoms of persons.
3. When planning new processing activities, the Controller shall analyse their data protection implications and take into account data protection considerations at the design stage.
4. The controller shall keep a Register of Processing Activities. The Register of Processing Activities shall be in writing and in electronic form.
5. The controller shall make the register of processing operations available to the President of the Office upon request.
6. The Register shall contain the following information: the name and contact details of the Controller and of the Data Protection Officer if appointed, the purposes of the processing; a description of the categories of data subjects and of the categories of personal data, the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations where applicable, information on transfers of personal data to a third country or an international organisation, including the name of that third country or international organisation and, in the case of transfers referred to in Art. 49(1), second subparagraph, documentation of the appropriate safeguards; where possible, the planned time limits for erasure of the different categories of data, where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the RODO.
7. Personal data the Company processes:
   1. to conclude or perform contracts concluded with you or involving you,
   2. to fulfil legal obligations,
   3. for the purpose of our legitimate interest.
   4. to perform tasks that serve the public interest,
   5. on the basis of your consent.
8. If you do not provide us with your data, we will not be able to conclude and perform a contract with you. The provision of data is voluntary, but necessary in order to conclude and perform a contract with us. We are then obliged to identify you and to collect and save your data.

III. Duties and responsibilities for safety management

1. All persons are obliged to process personal data in accordance with the applicable legislation and in accordance with the Policy established by the Data Controller as well as other internal documents and procedures related to the Processing of personal data in the Company.
2. All personal data at the Company are processed in compliance with the processing rules provided by law:
   1. in each case at least one of the legal grounds for data processing is present,
   2. data are processed fairly and transparently,
   3. Personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
   4. personal data shall be processed only to the extent that is necessary to achieve the purpose of the processing,
   5. personal data is correct and updated as necessary,
   6. the duration of data retention is limited to the period of their usefulness for the purposes for which they were collected, after which they are anonymised or deleted,
   7. an information obligation is exercised towards the data subject in accordance with the content of Articles 13 and 14 of the RODO,
   8. data are protected against breaches of security.
3. In particular, a breach or attempted breach of the principles of processing and protection of Personal Data is considered to be:
   1. a breach of security of the IT Systems in which personal data are processed, if processed in such systems,
   2. sharing or enabling the sharing of data with unauthorised persons or entities,
   3. failure, however inadvertent, to comply with a duty to protect personal data,
   4. Failure to comply with the obligation to keep Personal Data and the means of securing it confidential,
   5. processing of Personal Data not in accordance with the intended scope and purpose of its collection,
   6. causing damage, loss, uncontrolled alteration or unauthorised copying of Personal Data,
   7. infringement of the rights of data subjects.
4. If the User discovers circumstances of a data breach, he/she is obliged to take all necessary steps to limit the effects of the breach and to notify the Data Controller without delay.
5. It is the Data Controller's responsibility with regard to hiring, terminating or changing the terms and conditions of employment of employees or associates (persons undertaking activities for the Data Controller under other civil law contracts) to ensure that:
6. employees were adequately prepared to perform their duties,
7. each processor of Personal Data is authorised in writing to process in accordance with the "Personal Data Processing Authorisation" - the model Authorisation is attached as Appendix 1 to this Policy,
8. each associate has undertaken to keep the personal data processed at the Company confidential. "Declaration and undertaking of the person processing personal data to maintain confidentiality" (according to the template - Appendix No. 2 to this Policy).
9. Employees are required to:
   1. strict adherence to the scope of the authorisation granted,
   2. the processing and protection of personal data in accordance with the legislation,
   3. the confidentiality of personal data and the ways in which they are secured,
   4. reporting of data security incidents and system malfunctions.

IV. Identification of the technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the processed data

1. The Data Controller shall ensure that the technical and organisational measures necessary to ensure the confidentiality, integrity, accountability and continuity of the Processed Data are applied.
2. The measures referred to above include:
   1. secured data servers, secured network drives, secured mail server, secured management systems, accounting and HR system, internal document and data circulation,
   2. employee training.
3. The security measures (technical and organisational) applied should be appropriate to the identified level of risk for the individual systems, types of filing systems and categories of data, these measures include:
   1. restrict access to the premises where personal data are processed only to duly authorised persons. Other persons may be present in the premises used for data processing only when accompanied by an authorised person,
   2. locking the premises forming the Personal Data Processing area during the absence of employees in such a way as to prevent access by third parties,
   3. Use of lockable cabinets and safes to secure documents;
   4. use of a shredder to effectively dispose of documents containing personal data,
   5. protection of the local network against externally initiated actions using a firewall network,
   6. protection of the computer equipment used at the Data Controller's premises against malware,
   7. securing access to the Company's facilities with passwords;
   8. the use of data encryption for data transmission.

V. Breaches of data protection principles

1. In the event of a personal data breach, the Data Controller shall assess whether the breach that has occurred may have created a risk of infringement of the rights or freedoms of natural persons.
2. In any situation where the occurrence of a breach may have resulted in a risk of infringement of the rights or freedoms of natural persons, the Data Controller shall notify the fact of the breach of data protection rules to the supervisory authority without undue delay - if feasible, no later than 72 hours after the breach has been noticed. The model notification is set out in Appendix No. 3 to this Policy.
3. If the risk of violation of rights and freedoms is high, the Data Controller shall also notify the data subject of the incident.

VI. Entrustment of the processing of personal data

1. The Data Controller may entrust the processing of personal data to another entity (processor) only by means of a contract concluded in writing, in accordance with the requirements indicated for such contracts in Article 28 RODO (according to the Model constituting Appendix No. 4 to the Policy) .
2. Before entrusting the processing of personal data, the Data Controller shall, as far as possible, obtain information about the processor's existing practices regarding the security of personal data.

VII. Transfers of data to a third country

The Data Controller will not transfer personal data to a third country, except at the request of the data subject.

VIII. Final provisions

1. For failure to comply with the obligations under this document, the employee shall be liable under the Labour Code, the Personal Data Protection Regulations and the Criminal Code in respect of personal data covered by professional secrecy.
2. The following Annexes form an integral part of this Policy:
   • Annex 1 - Model authorisation to process personal data (pdf, 59KB).
   • Annex 2 - Model Declaration and Undertaking of the Data Processor (pdf, 57KB)
   • Annex 3 - Data breach notification template (pdf, 68 KB)