These Regulations consolidate and implement the provisions of the personal data protection documentation that are most relevant and that are also required by law. They apply to full-time employees and associates holding valid authorizations to process personal data granted by the data controller. The Regulations were drawn up in connection with the requirements of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, items 1000 and 1669; of 2019, item 730), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), and the Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on personal data processing documentation and the technical and organizational conditions to be met by devices and IT systems used for personal data processing (Journal of Laws of 2004, No. 100, item 1024), in connection with Articles 68 and 69(1)(3) of the Act of 27 August 2009 on Public Finance (consolidated text: Journal of Laws of 2013, item 885).
(1) The data controller, who also acts as administrator of the information system, grants all authorizations for access to the system.
(2) Anyone before being authorized to process personal data must:
(a) become familiar with these Regulations,
(b) receive the necessary training,
(c) sign a statement of confidentiality and acknowledge the related obligations.
(3) Authorization to process personal data in paper form is granted for the purposes and on the conditions set out below:
The processing of personal data for purposes related to the activities of the data controller is lawful when the data have been obtained from the data subject, and is permissible when it is necessary to exercise a right or fulfil an obligation arising from a provision of law.
Where personal data have not been obtained from the data subject, their processing is lawful when a specific provision of law so provides.
Whether the processing of personal data is necessary for the legitimate purposes of the controller must be assessed individually in each case.
Processing data for a purpose other than the one for which they were collected is permissible if it does not violate the rights and freedoms of the data subject and is done to exercise a right or fulfil an obligation arising from a provision of law.
(4) When authorization is granted for a data set held in a computer system, the administrator of that system assigns the person an individual and unique identifier in the system.
(5) If an authorization to process personal data is revoked for any reason, the access rights assigned to that person in the computer system shall be blocked.
(6) The system administrator is personally responsible for recording the authorizations granted in the information system and is obliged to monitor and supervise that the records match the actual state.
(8) Rooms in which computer workstations are located shall be: a) locked when no one is present in them; b) equipped with safes or other lockable containers for storing documents. Equipment of the ICT system and network is installed with the knowledge and under the control of the Information Security Administrator, who is also responsible for the conditions of commissioning, storing, operating and decommissioning each device.
2 Password policy
(1) A password for access to the information system shall consist of at least 8 characters, including upper- and lower-case letters and digits or special characters.
(2) The computer system access password shall be changed at least every 30 days, and immediately if there is any suspicion that it may have been disclosed.
(3) While working in the application, the user may change his or her password whenever necessary.
(4) The user changes the password himself or herself.
(5) Passwords must not be commonly used words, in particular, the following should not be used as passwords: dates, first names, surnames, initials, car registration numbers, telephone numbers.
(6) The user undertakes to keep the password confidential, also after it has expired; in particular, it is forbidden to write passwords down in plain form in places not intended for this purpose or to disclose them to others.
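The rules in points (1), (2) and (5) above can be enforced mechanically when a password is set. The checker below is an added example written for this page; it is not part of the Regulations or of any product used by the data controller. The blocklist of common words and names is a constructed stand-in for a real wordlist, and the date, telephone-number and registration-plate patterns are the editor's own approximations of the categories the Regulations ban.

```python
"""Added example: a checker for the password rules in section 2 of these Regulations."""
from __future__ import annotations

import re
from datetime import date

MIN_LENGTH = 8        # rule 2(1)
MAX_AGE_DAYS = 30     # rule 2(2)

# Constructed sample blocklist standing in for a real list of common words,
# first names and surnames (rule 2(5)); a deployment would load a much larger list.
BLOCKLIST = {"password", "haslo", "qwerty", "welcome", "anna", "kowalski", "nowak"}

# Digit patterns that look like dates (10.05.2018, 2018-05-10) or, after removing
# spaces and hyphens, like ddmmyyyy dates or telephone numbers (rule 2(5)).
DATE_RE = re.compile(r"\d{2}[-./]\d{2}[-./]\d{4}|\d{4}[-./]\d{2}[-./]\d{2}")
LONG_DIGIT_RUN_RE = re.compile(r"\d{6,}")
# Approximation of a Polish vehicle registration plate: 2-3 letters, optional space,
# then a digit followed by 3-4 letters or digits (editor's assumption, not from the text).
PLATE_RE = re.compile(r"[A-Z]{2,3} ?\d[A-Z0-9]{3,4}")


def password_problems(password: str) -> list[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit_or_special = any(not c.isalpha() for c in password)
    if not (has_upper and has_lower and has_digit_or_special):
        problems.append("must mix upper-case, lower-case and digits or special characters")

    lowered = password.lower()
    hits = sorted(word for word in BLOCKLIST if word in lowered)
    if hits:
        problems.append("contains a common word or name: " + ", ".join(hits))

    compact = re.sub(r"[\s-]", "", password)   # "+48 882 148 281" -> "+48882148281"
    if DATE_RE.search(password) or LONG_DIGIT_RUN_RE.search(compact):
        problems.append("contains a date or telephone number")

    if PLATE_RE.search(password):
        problems.append("looks like a vehicle registration number")
    return problems


def password_expired(set_on: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Rule 2(2): a password set on `set_on` must be changed once `max_age_days` have
    elapsed. Both dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age.days >= max_age_days


if __name__ == "__main__":
    # Constructed candidates: a surname, a bare date, a first name, a plate-like string,
    # a phone number and one acceptable password.
    for candidate in ["Kowalski1", "10.05.2018", "Anna2018!", "DJ12345x",
                      "Jan+48 882 148 281", "v7$Qm!pR2k"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
    print("expired after 30 days:", password_expired("2019-01-01", "2019-01-31"))
```

The checker reports every violated rule rather than stopping at the first one, which is what a user needs in order to pick a compliant password in one attempt. The pattern checks are deliberately broad: rejecting a few unusual but legitimate passwords is cheaper than admitting a date or phone number that an attacker can guess from public information.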
(2) The system user performs all work required for effective and secure operation at the workstation (including work carried out using a workstation). He or she is obliged to maintain the necessary security conditions, in particular to comply with the procedures for system access and for the protection of personal data. A person using the information system:
(a) is obliged to use the equipment in a manner consistent with its intended purpose and with the instruction manual supplied with it, and to protect the equipment from destruction, loss or damage,
(b) is obliged to immediately inform the administrator of the system of any destruction, loss or damage to the entrusted equipment,
(c) shall not install or use on the computer system any software that has not been previously approved by the IT systems administrator (ASI), nor attempt to break into the system or obtain administrative privileges on it; it is also forbidden to copy to the computer's hard drive or run any illegal programs or files downloaded from an unknown (illegal) source. Such files may be downloaded only with the permission of the data controller, in each case and only where justified, provided that this does not lead to a violation of the law,
(d) shall not interfere with, move, open (disassemble) the equipment, install additional devices (e.g., hard drives, memory sticks) or connect any unapproved devices to the computer system (including private devices, even only to charge their batteries).
3 Anti-virus policy
The following rules apply to anti-virus protection:
a) do not use software on the workstation other than that recommended by the system administrator;
b) do not install freeware or shareware;
c) regularly update the virus signature database of the installed anti-virus software;
d) before using storage media, check them for computer viruses.
(2) A person authorized to use the IT system is required to manually activate the password-protected screen saver each time he or she leaves the workstation, including when leaving the IT system unattended even for a moment.
(4) Anyone who is authorized to use the information system is obliged to:
(a) position monitors and laptop screens so that the content displayed on them cannot be viewed from the windows or from the entrance doors of the rooms in which they are located,
(b) when using portable computers outside the processing area, e.g., at airports, railway stations, in conference rooms and in any other public place, ensure discretion and protect the data displayed there,
(c) supervise unauthorized persons present in the data processing area.
5 Clean desk and clean printing policy
(3) The last person to leave a data processing site shall check that all windows are closed and that all other security measures are activated: the alarm system armed, the doors locked and any other security systems switched on.
(4) It is forbidden to leave documents and printouts containing personal data unattended at devices such as printers, photocopiers and scanners. Any misprinted documents or documents destined for disposal must be destroyed immediately using a shredder or placed in containers for the disposal of confidential documentation.
(5) Where it is necessary to transport hard-copy documents containing personal data outside the processing area, this must be done in a manner that ensures their confidentiality, i.e. the documents must be covered and protected against accidental loss and access by unauthorized persons.
6 Sharing of personal data
(2) Personal data may be disclosed only to the data subject or to another person with his or her consent, which is retained for evidentiary purposes, following the procedure provided for in the paragraph above.
(3) When personal data are shared off-site where they cannot be properly protected (e.g., in publicly accessible places), their confidentiality must be ensured to the greatest extent possible.
(4) The risk of disclosure to unauthorized persons of personal data, or of information about the safeguards in place, should be mitigated by measures adequate to this purpose. Risky situations include:
(a) requests for information on the security measures applied, made by persons impersonating someone else (identity fraud),
(b) requests for previously used passwords to information systems (telephone social engineering),
(c) any other suspicious requests for confidential information, especially by telephone.
7 Use of Internet access
(1) Anyone who processes data is obliged to use the Internet only to the extent necessary to carry out the duties entrusted to him or her by the controller. It is categorically forbidden to visit websites for private purposes during working time.
(2) When using the Internet, data processors are obliged to comply with the law, in particular to respect industrial property rights and copyright.
(3) Data processors are categorically forbidden to use the Internet to view content unrelated to their duties and work, in particular content that is offensive, immoral or contrary to generally accepted rules of conduct, and to play computer games on the Internet or on the computer system, watch films or engage in other forms of entertainment.
(4) To the extent permitted by law, the data controller reserves the right to inspect and monitor data processors' use of the Internet for compliance with the rules described above.
(1) Electronic mail is intended for, and may be used only for, performing the duties of the position; any other use is not permitted and may give rise to liability.
(2) When using e-mail, data processors are required to comply with industrial property law and copyright law.
(3) Data processors should take special care not to send, inadvertently or from a private mailbox, messages containing information designated as confidential concerning, for example, the data controller, its employees, customers, suppliers or contractors to unauthorized persons.
(4) Data processors should exercise extreme caution and should not open messages from unknown senders whose subject does not suggest a connection with the duties of their position; they should report such messages to the controller and delete them from their mailbox.
(5) When files containing personal data are transmitted electronically to external entities authorized to receive them, the data processor is obliged to package and password-protect them. The password must be sent by a separate channel of communication, so that an erroneous send or unauthorized interception does not allow the data file to be opened.
9 Electronic data carriers
(1) Electronic data carriers include, for example, removable hard disks, pen drives, CDs, DVDs and flash drives.
(2) Data processors shall not take removable electronic storage media, whether private or shared, onto which personal data have been transferred outside the processing area without the knowledge and consent of the data controller in each case.
(3) In the event of damage to, wear of, or discontinued use of a carrier containing personal data, it shall be physically destroyed by burning or shredding so that the information it contains cannot be read or used again.
The data processor shall notify the data controller of any identified or suspected personal data breach.
Upon finding a breach of the information system, the administrator of information systems is obliged to: secure the traces in order to determine the causes of the breach; analyze and determine its consequences; identify the factors that caused it; and make the corrections necessary to secure the system against a recurrence. The administrator shall take similar measures upon finding that:
(a) marks on doors, windows or cabinets indicate an attempted break-in,
(b) documentation containing data has been destroyed without a shredder, or not destroyed at all,
(c) doors to rooms or cabinets in which personal data are stored have been left open,
(d) the positioning of monitors does not protect against unauthorized viewing,
(e) personal data, in paper or electronic form, have been copied or taken outside the processing area without the consent and knowledge of the administrator,
(f) attempts have been made by telephone to obtain personal data or access passwords,
(g) computers or electronic data storage media have been stolen,
(h) the anti-virus program has reported a threat,
(i) passwords to systems are not properly secured or are kept near the computer.
11 Disciplinary proceedings
(1) Any unjustified failure to comply with the data protection rules set out in these Regulations may be treated as a serious breach of basic employee duties or of the contractual obligations that bind the person in the given situation. Disciplinary proceedings may be initiated against a person who, in the event of a breach of the security of the information system or a reasonable suspicion of such a breach, has failed to take the action specified in these Regulations, in particular has failed to notify the appropriate person in accordance with the specified rules; this does not preclude the person from being held liable under the relevant laws for the damage caused or the risk of its occurrence.
(2) A disciplinary penalty imposed on a person who fails to notify the administrator of a threat does not exclude additional criminal liability under the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, items 1000 and 1669; of 2019, item 730) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, nor the possibility of a civil claim against that person for compensation of the losses incurred.
Bliżej Nieba
Michałowicka 27a i 27b
58-570 Jagniątków
Jelenia Góra
Tel.: +48 882 148 281
[email protected]
Please note that the translation of the website into German, Czech and English was generated using artificial intelligence, so the information on the website may be inaccurate; for any questions, please contact us directly.