The Metal-Fach Sp. z o.o. Personal Data Protection Policy - Metal-Fach

The Metal-Fach Sp. z o.o. Personal Data Protection Policy

The Personal Data Protection Policy is implemented on 1 September 2018, pursuant to Article 24 of Regulation 2016/679.
Legal requirements
• The Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2018, item 1000)
• Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on personal data processing documentation and technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing (Journal of Laws of 2004, No. 100, item 1024)
TABLE OF CONTENTS:
1. List of main abbreviations
2. List of main definitions
3. Introduction
4. Objectives of the Personal Data Protection Policy
5. Data Protection Officer
6. Natural persons authorised to process personal data
7. Personal data protection principles
8. Authorisation to process personal data
9. Personal data processing agreement
10. Personal data sharing
11. Transferring personal data outside Poland
12. List of buildings, rooms or parts of rooms forming an area where personal data is processed
13. List of filing systems with the programs applied to process the data
14. Description of the filing system structure
15. Description of the data flow between filing systems
16. Definition of the technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the data processed
17. Criminal law and regulations
18. Final provisions
19. Appendices

1. List of main abbreviations

PDPA – Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2018, item 1000)
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
MIA&A Regulation – Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on personal data processing documentation and technical and organisational conditions that should be fulfilled by devices and computer systems used for personal data processing
PDPO – Personal Data Protection Office
PDC – Personal Data Controller
DPO – Data Protection Officer
ICTSA – ICT Systems Administrator
IS – IT System
PDSMS – Personal Data Security Management System
PDPP – Personal Data Protection Policy
ITSMM – IT Systems Management Manual

2. List of main definitions

The terms listed below have the following meanings throughout this Personal Data Protection Policy.
1. Personal Data Controller means an authority, organisational unit, entity or person deciding on the purposes and means of personal data processing.
2. Data Protection Officer means a natural person appointed by the Personal Data Controller referred to in Article 8 of PDPA.
3. ICT Systems Administrator means a person or an external entity, appointed by the Personal Data Controller, responsible for the functioning of ICT systems and networks and for compliance with the rules and requirements for the security of ICT systems and networks.
4. Authorised person means a person authorised by the Personal Data Controller to process personal data. Authorised persons may include an employee of the company, a person performing work under an employment contract, a contract of mandate or another civil-law contract, as well as a person doing voluntary work, on-the-job training or an internship.
5. Personal data means any information about an identified or identifiable natural person. An identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, mental, economic, cultural or social identity.
6. Filing system means any structured set of personal data that are accessible according to specific criteria, whether dispersed or divided on a functional basis.
7. Personal data processing means any operation or set of operations performed on personal data, such as collecting, recording, storing, organising, altering, disclosing and erasing, in particular when performed in IT systems.
8. IT system means a set of devices, programs, data processing procedures and program tools that operate together, used in order to process the data.
9. Data protection in the IT system means the implementation and use of relevant technical and organisational means that ensure data protection from unauthorised processing thereof.
10. Information security means the set of principles that must be followed when designing and using systems and applications that process information, so that access to that information remains as intended under all circumstances.
11. Erasure of data means the destruction of personal data, or such modification of them that the identity of the data subject can no longer be established.
12. Consent of the data subject means a statement of intent expressing agreement to the processing of personal data relating to the person who makes the statement. Consent may not be presumed or implied on the basis of any other statement of intent. Consent may be withdrawn at any time.
13. Recipients of data mean anyone to whom personal data are disclosed, with the exception of
• the data subject
• persons authorised to process personal data
• state authorities or local self-government authorities to whom data are disclosed in connection with any pending proceedings
14. Third country means a country that does not belong to the European Economic Area.
15. Password means a sequence of alphabetical, digital or other characters, known only to the user who is authorised to work in an IT system.
16. User ID means a sequence of alphabetical, digital or other characters uniquely identifying a person authorised to process data in designated areas of the company’s IT system.
17. Data confidentiality means an attribute ensuring the data is not rendered available to unauthorised entities.
18. Data integrity means an attribute ensuring the personal data is not changed or destroyed in an unauthorised way.
19. Data accountability means an attribute ensuring the actions of a person or entity can be uniquely attributed only to that person or entity.
20. IT system user means a person authorised to process personal data in IT systems, who has been assigned a unique ID and password.
21. Authentication means the process of correctly identifying a user of the IT system, to the extent that enables the appropriate rights or privileges in the company’s IT system to be granted.
22. Incident means an infringement of personal data security in terms of confidentiality, availability and integrity.
23. Threat means a possible occurrence of an incident.
24. Corrective action means an action taken to eliminate the cause of an incident or other undesirable situation.
25. Preventive action means an action that should be taken to eliminate the causes of a threat or other potential undesirable situation.

3. Introduction

The Personal Data Protection Policy defines the principles of personal data processing and the methods for protecting such data, as a set of laws, rules and instructions governing the management, protection and distribution of personal data in “Metal-Fach” sp. z o.o.
The Policy describes the identified personal data processing processes and the technical and organisational security measures in place to protect the personal data processed.
This document is consistent with the applicable laws, including, without limitation, the Act of 10 May 2018 on Personal Data Protection and GDPR.
On the basis of the risk analysis for loss of personal data, the risk level was assessed as basic.

4. Objectives of the Personal Data Protection Policy

The Personal Data Protection Policy has been prepared to define and implement the rules for the security and protection of personal data processed in “Metal-Fach”, and in particular to:
1. Ensure compliance with legal requirements
2. Ensure confidentiality, integrity and accountability of personal data processed in the company
3. Raise the awareness of persons processing personal data
4. Engage persons who process personal data of the company in its protection

5. Data Protection Officer

1. The Personal Data Controller appoints the Data Protection Officer. The appointment is effected on the basis of a letter of appointment (a specimen of the appointment form is attached as Appendix Z1-PODO hereto).
2. The Personal Data Controller may appoint the deputies of the Data Protection Officer.
3. The Personal Data Controller authorises the Data Protection Officer to grant authorisations to process personal data.
4. The role of the Data Protection Officer is to supervise compliance with the rules and technical and organizational measures that are taken to ensure the protection of personal data processed in “Metal-Fach”.
5. The Data Protection Officer has the following tasks:
(a) informing and advising the controller or the processor and the employees who carry out processing of their obligations under GDPR and other Union or Member State data protection provisions
(b) monitoring compliance with GDPR (Regulation 2016/679 of the European Parliament and of the Council), with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
(c) providing advice where requested as regards the data protection impact assessment and monitoring its performance pursuant to Article 35 of GDPR
(d) cooperating with the supervisory authority
(e) acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR, and consulting, where appropriate, with regard to any other matter.
Additionally, the DPO’s task is to keep a register of personal data processing activities, as well as a register of data processing agreements.
6. The DPC may entrust the DPO with other duties that do not prejudice the proper performance of the tasks set out in Clauses 4 and 5.

6. Natural persons authorised to process personal data

1. Persons authorised to process personal data are required to:
• learn the provisions of the law on personal data protection and the provisions of the Personal Data Protection Policy and the IT Systems Management Manual
• comply with the advice of the DPO
• process personal data only to the extent determined individually by the Personal Data Controller in a written authorisation, and only for the purpose of performing their assigned official duties
• immediately inform the DPO of any irregularities concerning the security of personal data processed in the company
• protect personal data, and the means used to process them, from unauthorised access, disclosure, alteration, destruction or distortion
• use the company’s IT systems in a manner consistent with the instructions contained in the manuals of the devices comprising those systems
• keep personal data, and the methods used to protect them, confidential without time limit
• exercise special care when performing personal data processing operations in order to protect the interests of data subjects.

7. Personal data protection principles

1. All personal data in the Company must be processed in accordance with the applicable law.
2. With regard to persons whose personal data are processed, the information obligation resulting from the provisions of the PDPA must be fulfilled.
3. Personal data must be collected for specified and legitimate purposes and may not be further processed in a way incompatible with those purposes.
4. It must be ensured that personal data are processed accurately and in accordance with the purposes for which they were collected.
5. Personal data may be processed within the Company for no longer than is necessary to achieve the purpose of their processing.
6. The confidentiality, integrity and accountability of personal data processed in the Company must be ensured.
7. Personal data may not be made available without the consent of the data subjects, except to the data subjects themselves, persons authorised to process personal data, entities to whom the data were transferred on the basis of a data processing agreement, and state or local government authorities in connection with any pending proceedings.
8. Personal data may be processed in the Company both in IT systems and in traditional form: card files, indexes, books, lists and other records.
9. With respect to personal data processed outside IT systems, the existing provisions on professional secrecy and on the circulation and security of business documents continue to apply.
10. All persons whose data are processed have the right to the protection of personal data concerning them, to control the processing of such data, to have them updated or erased, and to receive information on their rights.

8. Authorisation to process personal data

1. Only persons holding an authorisation to process personal data (a specimen of the authorisation is attached as Appendix Z2-PODO) issued by the Personal Data Controller or the Data Protection Officer may process personal data and operate IT filing systems containing such data, and only after they have submitted a statement on the proper implementation of the provisions of the PDPA (a specimen of the statement is attached as Appendix Z3-PODO).
2. The DPO, on behalf of the PDC, keeps a register of persons authorised to process personal data (a specimen of the register is attached as Appendix Z4-PODO).

9. Personal data processing agreement

1. The Personal Data Controller may entrust another entity with the processing of personal data in order to perform a specific task.
2. Where the processing of personal data is entrusted to an external entity, the personal data processing agreement shall define, first of all, the purpose and scope of the processing. The list of concluded data processing agreements is maintained by the DPO.

10. Personal data sharing

Personal data may be shared by the company only on one of the legal bases specified in the PDPA or in the provisions of other laws.
The DPO maintains a record of personal data shared with institutions and persons from outside the company (a specimen of the record is attached as Appendix Z5-PODO).

11. Transferring personal data outside Poland

1. The Personal Data Controller may transfer personal data to:
◦ countries in the European Economic Area
◦ other countries (third countries).
2. The transfer of personal data within the EEA is treated as processing on the territory of Poland.
3. In the case of a transfer of personal data to a third country, one of the following conditions must be met:
• the target country ensures, on its territory, a level of personal data protection at least equivalent to that in force on the territory of the Republic of Poland
• the transfer of personal data results from an obligation imposed by law or by a ratified international agreement
• the transfer of personal data has been approved by the PDPO.

12. List of buildings, rooms or parts of rooms forming an area where personal data is processed

The DPO is responsible for maintaining and storing records containing a list of the buildings, rooms or parts of rooms forming the area where personal data is processed, in both paper and electronic form.
The current list of personal data processing areas is attached as Appendix Z6-PODO.

13. List of filing systems with the programs applied to process the data

The DPO is responsible for maintaining and storing records listing all personal data filing systems and indicating the software applied to process such data. The current list of personal data filing systems is attached as Appendix Z7-PODO.

14. Description of the filing system structure

The DPO is responsible for maintaining and storing records describing the structure of the filing systems in which personal data are processed in the Company.
The current description of personal data filing systems structure is attached as Appendix Z8-PODO.

15. Description of the data flow between filing systems

The DPO is responsible for maintaining and storing records describing the data flow between filing systems.
The current description of the data flow is attached as Appendix Z9-PODO.

16. Definition of the technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the data processed

The DPO is responsible for maintaining and storing records describing the specific technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the data processed.
A current description of the technical and organisational measures in place is attached in Appendix Z10-PODO.

17. Criminal law and regulations

Liability for infringements of personal data protection is governed by:
• the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2018, item 1000), Articles 102–108
• the Act of 6 June 1997 – Criminal Code (Journal of Laws of 1997, No. 88, item 553, as amended), Article 266
• the Act of 26 June 1974 – Labour Code (Journal of Laws of 1998, No. 21, item 94, as amended), Articles 52 and 108

18. Final provisions

In matters not regulated by this Personal Data Protection Policy, the provisions of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2018, item 1000) and the executive regulations to that Act shall apply.
The measures to be taken in the event of a personal data security infringement are specified in the procedure attached as Appendix Z12-PODO hereto, and each such infringement is to be recorded in the register of incidents and events attached as Appendix Z11-PODO hereto.

19. Appendices

1. Z1-PODO – Appointment to the position of Data Protection Officer
2. Z2-PODO – Authorisation to process personal data
3. Z3-PODO – Statement on the proper implementation of the provisions under PDPA
4. Z4-PODO – The records of persons authorised to process personal data
5. Z5-PODO – Records of personal data sharing
6. Z6-PODO – List of buildings, rooms or parts of rooms forming an area where personal data is processed
7. Z7-PODO – List of filing systems with the programs applied to process the data
8. Z8-PODO – Description of the filing system structure
9. Z9-PODO – Description of the data flow between filing systems
10. Z10-PODO – Description of technical and organisational measures applied
11. Z11-PODO – Register of incidents and events
12. Z12-PODO – Procedure for the event of personal data security infringement