COLORISED Sp. z o. o. within the scope of its activities, makes every effort to meet the highest standards that guarantee the provision of services in a correct manner, in accordance with applicable regulations and standards of generally applicable law.
Considering the above in view of the requirements introduced by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (OJ.EU.L.2016.119.1, 2016.05.04), and in order to ensure that COLORISED Sp. z o.o. handles personal data properly with regard to any operation performed on personal data, this Personal Data Protection Regulation is adopted.
This document was developed after an internal RODO audit in which COLORISED Sp. z o.o. was classified as a Personal Data Controller, processing information constituting personal data within the meaning of the aforementioned EU Regulation.
This document is directed by COLORISED Sp. z o. o. to any collaborators, contractors, and current and potential customers in order to present the scope of protection and the magnitude of the measures taken due to any processes directly or indirectly related to the processing of personal data.
As defined in these regulations:
- The administrator of the personal data is COLORISED Sp. z o.o., address: Mikołaja Kopernika 36B, Poland, EU, NIP/VAT: PL729 270 77 66, REGON: 361607998, KRS: 0000560152, which alone or jointly with others determines the purposes and means of personal data processing, hereinafter referred to as “Administrator”.
- Personal data is information about an identified or identifiable natural person, that is, one who can be identified directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more specific factors that determine the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
- Acting on the Administrator’s own initiative – this is acting on the basis of a decision made by the Administrator, which means that there is no legal obligation to do so and the Administrator is free to make decisions.
- A Data Protection Officer is a person appointed by the Controller who is responsible for monitoring compliance with the RODO, other EU or Member State data protection laws and the Controller’s data protection policies, hereinafter referred to as the “DPO”.
- Data entrustment – is a data processing activity involving the transfer of personal data by the Controller for processing to a third party that processes data on behalf of the Controller for the purpose and in the manner indicated by the Controller.
- Processing is an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying, hereinafter referred to in these Terms and Conditions as Processing.
- The RODO Regulation is the REGULATION OF THE EUROPEAN PARLIAMENT AND COUNCIL (EU) 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (OJ.EU.L.2016.119.1, 2016.05.04), hereinafter also referred to as the RODO Regulation.
- Data sharing – is a data processing activity involving the sharing of personal data by the Controller with a third party, without specifying the purpose of processing, without specifying the method of processing.
- The law is the law of May 10, 2018 on the protection of personal data (Journal of Laws 2018.1000 dated 2018.05.24), as amended.
- A dataset is an organized set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.
- These Personal Data Protection Regulations constitute a set of rules and procedures applicable to the Processing of Personal Data and the handling of Personal Data in the Administrator’s enterprise, whether in electronic or paper form, regardless of the technique or method of recording or storing them.
- The provisions contained in these Regulations for the Protection of Personal Data set out the directions of the Administrator and support for ensuring the security of Personal Data, in particular:
a.) determine the principles of management, protection and Processing of Personal Data;
b.) set standards to ensure the proper and secure operation of all Personal Data Processing systems and the flow of information within the scope of the Administrator’s enterprise.
- The basis for the development of these Personal Data Protection Regulations and their implementation are the legal acts in force on the date of their adoption, including, in particular:
a.) Act of May 10, 2018 on the protection of personal data (Journal of Laws 2018.1000 of 2018.05.24);
b.) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ.EU.L.2016.119.1 of 2016.05.04).
- All the documentation that makes up the Personal Data Protection System within the Administrator’s enterprise consists of:
a.) Regulations for the Protection of Personal Data.
b.) Personal Data Security Policy with its annexes.
c.) Instructions for the Management of the Information System used for the processing of Personal Data, together with the annexes.
- If it is necessary to regulate the security of Personal Data in the Administrator’s enterprise in additional detail, it is possible to introduce additional documentation regulating the necessary scopes in detail.
PERSONAL DATA CONTROLLER
- Taking into account the nature, scope, context and purposes of the Processing and the risk of infringement of the rights or freedoms of natural persons of different probability and severity, the Controller pursuant to the provisions of paragraph 3 of this section shall ensure the implementation and application of appropriate technical and organizational measures so that the Processing is carried out in accordance with the applicable regulations.
- The technical and organizational measures referred to in paragraph 1 above include ensuring that the Administrator implements appropriate documentation required by applicable regulations, including, in particular, a personal data security policy, and exercising all due diligence to ensure the conclusion and application of individual agreements with external entities to which the Administrator has entrusted, at least in part, data, as well as the recording of activities involving Data Sharing.
- The Administrator, in carrying out the implementation and application of appropriate technical and organizational measures, shall take into account the state of technical knowledge, the cost of implementing such measures, as well as their nature, scope, context and purposes of the Processing and the risk of violation of the rights or freedoms of natural persons with different probability of occurrence and severity of danger resulting from the Processing.
- The Administrator, in terms of the solutions used, will make every effort to provide measures to effectively protect Personal Data and the necessary security of Personal Data Processing.
- The controller, in the event that there is a joint arrangement with another controller for the common purpose and manner of Data Processing, shall make the necessary arrangements and clearly define the scope of its responsibilities and the relationship between it and the other controller as well as the relationship with the data subjects by taking the necessary actions and measures in this regard.
PERSONAL DATA PROCESSOR
- The Administrator may entrust data to a Processor for Processing on behalf of the Administrator. The Controller shall verify the Personal Data Processor with respect to ensuring that the Personal Data Processor has sufficient guarantees to implement such technical and organizational measures so that the Processing ordered by the Controller meets the requirements of the applicable law and protects the rights of the Data Subjects.
- The Administrator entrusts data to the Processor on the basis of a contract or other legal instrument that is binding on both the Processor and the Administrator. Within the scope of regulation of Data Entrustment, the Administrator shall ensure that, in the scope of the concluded contract, or other legal instrument, the following are specified in particular:
a.) subject matter and duration of Processing,
b.) the nature and purpose of the Processing,
c.) the type of Personal Data that will be Processed,
d.) categories of persons to whom the Personal Data relates,
e.) duties and rights of the Administrator.
REGISTER OF PERSONAL DATA PROCESSING ACTIVITIES
- The Administrator, on his own initiative and whenever he is obliged to do so in accordance with applicable laws, shall ensure the maintenance of a register of personal data processing activities, which may take written or electronic form. The Administrator may also use dedicated software to maintain the register.
- In terms of the record of personal data processing, the Administrator shall ensure the inclusion of the following information:
a.) the name and contact information of the Administrator and any co-administrators, and the DPO when appointed;
b.) purposes of Processing;
c.) description of the categories of data subjects and categories of Personal Data;
d.) categories of recipients to whom the Personal Data has been or will be disclosed, including recipients in third countries or international organizations;
e.) when applicable, the transfer of Personal Data to a third country or international organization, including the name of that third country or international organization;
f.) if possible, planned dates for deletion of particular categories of data;
g.) if possible, a general description of technical and organizational security measures.
- The Administrator shall ensure the obligation of the Processor to maintain a record of all categories of Processing activities performed on behalf of the Administrator.
AUTHORIZATION TO PROCESS PERSONAL DATA
- The Administrator shall ensure in its company that Processing is carried out only by persons authorized to Process, issued by the Administrator in accordance with the internal regulations applicable to the Administrator’s company, which indicate detailed procedures regarding access to Personal Data.
- The Administrator shall ensure that Personal Data Processors have the necessary knowledge and skills in this regard, and that the period and scope of Personal Data Processing by such persons is consistent with the content of the authorization granted by the Administrator.
- The Administrator, in accordance with the internal regulations applicable to the Administrator’s enterprise governing the detailed treatment of access to Personal Data, shall issue, record and store personal authorizations for Personal Data Processing and revoked authorizations.
- The Administrator shall ensure that Personal Data Processors are aware of their obligation to keep confidential the data to which they have access and that this fact is confirmed by a written statement from such persons.
- The Administrator shall ensure that the person authorized to Process performs all operations on Personal Data with organizational and technical measures in the Administrator’s company to secure and protect the Personal Data from unauthorized access, modification and destruction.
DATA PROTECTION OFFICER
- With respect to the Administrator’s company, there is no rationale for appointing a DPO because:
a.) the main activities of the Administrator do not consist of Processing operations that, due to their nature, scope or purposes, require regular and systematic monitoring of Personal Data Subjects on a large scale;
b.) the main activity of the Administrator does not involve large-scale Processing of special categories of Personal Data and Personal Data relating to convictions and violations of law.
- In view of the content of paragraph 1 above, in the absence of an obligation to appoint a DPO, the Administrator shall provide the opportunity to contact the Internal Specialist or the Administrator directly on all matters relating to the protection of Personal Data by publishing contact information, namely an email address or telephone number.
- In connection with the contents of paragraph 1 above, in the absence of an obligation to appoint a DPO, the Administrator shall ensure cooperation with a professional entity with the necessary knowledge and tools to provide advice on the protection of Personal Data within the scope of the enterprise.
- The Administrator may, on its own initiative, provide for the appointment of a DPO in which case the Administrator shall provide for the publication of the DPO’s contact details and notify the supervisory authority competent in the field of personal data protection of the appointment, in accordance with the provisions of law in force on the date of the appointment of the DPO.
- If the Administrator has appointed a DPO in accordance with paragraph 1 of this section, it shall ensure that the DPO performs his/her tasks with due regard to the risks associated with the Processing operations, taking into account the nature, scope, context and purposes of the Processing.
GROUNDS FOR PROCESSING PERSONAL DATA
- The Administrator shall ensure that all operations on Personal Data within its enterprise are carried out in accordance with the guidelines indicated below:
a.) Personal data shall be processed lawfully, fairly and transparently to the data subject;
b.) Personal data shall be collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
c.) Personal Data is adequate, relevant and limited to what is necessary for the purposes for which it is Processed;
d.) Personal Data shall be correct and updated as necessary, and the Administrator shall take all reasonable measures to ensure that Personal Data that is incorrect in light of the purposes of its Processing is promptly deleted or rectified;
e.) Personal data shall be kept in a form that allows the identification of the data subject for no longer than necessary for the purposes for which the data are Processed, although they may be kept for longer periods as long as they are Processed exclusively for archival purposes in the public interest, for scientific or historical research or for statistical purposes, provided that appropriate technical and organizational measures required to protect the rights and freedoms of the data subjects are implemented;
f.) Personal Data shall be Processed in a manner that ensures adequate security of Personal Data, including protection against unauthorized or unlawful Processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures.
- The Administrator shall ensure that, within its enterprise, the Processing of Personal Data is carried out for the specified purposes and to the specified extent, if:
a.) the data subject has consented to the Processing of his/her Personal Data for one or more specified purposes;
b.) The processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract;
c.) Processing is necessary to fulfill a legal obligation of the Administrator;
d.) The processing is necessary to protect the vital interests of the data subject or another natural person;
e.) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the Administrator;
f.) Processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject requiring protection of Personal Data, in particular where the Data Subject is a child.
- The Administrator shall ensure that, unless authorized to do so by an express provision of law in his company, there shall be no Processing of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and Processing of genetic data, biometric data for the purpose of uniquely identifying a person or data concerning his health, sexuality or sexual orientation.
- The Controller shall ensure that the Personal Data it processes is obtained in a manner consistent with generally applicable law whether directly from the data subject or otherwise than from the data subject.
RIGHTS OF PERSONS WHOSE PERSONAL DATA ARE SUBJECT TO PROCESSING
- The Administrator shall ensure that the acquisition of Personal Data is carried out in a manner consistent with generally applicable laws, including, in particular, providing the person whose data is subject to Processing with all the information required by the RODO.
- The Controller shall ensure that the person whose data is subject to Processing has the right under the RODO to control Personal Data.
- The person whose Personal Data is subject to Processing at each stage of the Processing of his/her Personal Data is provided with a number of rights that allow him/her to access the Personal Data, verify the correctness of the Processing of the Personal Data, correct the Personal Data, as well as to object to the Processing, request the restriction of the Processing, transfer the Personal Data.
TECHNICAL AND ORGANIZATIONAL MEASURES TO PROTECT PERSONAL DATA
- The Administrator shall ensure that appropriate technical and organizational data protection measures are taken, in particular that documents, both electronic and paper, containing Personal Data are stored in properly secured buildings and premises.
- If, in performance of the obligation set forth in paragraph 1 of this section above, the Administrator decides to place records containing Personal Data in buildings and premises that are locked, the Administrator shall ensure that, in particular:
a.) with regard to access to buildings and premises where Personal Data is processed, appropriate control and verification measures have been taken,
b.) keys to places where Personal Data is processed were issued directly by the Administrator or other responsible person only to persons authorized to access these buildings and premises,
c.) internal regulations in force at the Administrator’s company – if the Administrator is the owner of the building, obliged the person who was the key holder to hand over the keys to the places where Personal Data is processed only to persons authorized to access these buildings and premises,
d.) internal regulations in force at the Administrator’s company – if the Administrator is the owner of the building, obliged the person responsible for issuing keys to hand over keys to places where Personal Data is processed only to persons authorized to access these buildings and premises,
e.) regulations applicable to rented/leased/used buildings and premises – if the Administrator rents/leases/uses buildings or premises – obliged the person responsible for issuing keys to hand over keys to places where Personal Data is processed only to persons authorized to access such buildings and premises,
f.) appropriate procedures have been put in place obliging a person who has lost the keys to the place where Personal Data is processed to immediately report this circumstance to the Administrator or a person designated by the Administrator.
- The Administrator shall ensure that the detailed rules for controlling access to individual places where Personal Data is processed are specified in the internal procedures in force at the Administrator’s company.
- The Administrator shall ensure that the Administrator’s company has appropriate internal procedures that indicate proper behavior when working with records containing Personal Data, and in particular that:
a.) when using multifunction devices to copy or scan documents containing Personal Data, the documents, once copied or scanned, as well as their copies, are removed from the multifunction device immediately after use,
b.) in the situation of sending documents containing Personal Data by means of electronic communication, special care was taken, including, in particular, that the transmitted document was encrypted if appropriate,
c.) the person authorized to Process Personal Data, after completion of Processing activities on documents containing Personal Data, secures the documents and electronic media in specially designated places.
d.) the person authorized to Process Personal Data, after completion of the Processing activity, destroys unusable paper documents containing Personal Data in a secure manner, in particular by means of a shredder.
- The Administrator shall ensure that the Administrator’s company has appropriate internal procedures for the permanent destruction of documentation containing Personal Data, in particular, the Administrator may permanently destroy documents containing Personal Data through a professional document shredder (upon execution of an appropriate agreement in accordance with the provisions of Chapter IV hereof).
- The Administrator shall ensure that each person authorized to Process Data in the Administrator’s enterprise is aware of the applicable regulations on the protection of Personal Data.
- The Administrator shall, if necessary and advisable, train persons authorized to Process Personal Data in the safe operation of equipment and programs related to the Processing and protection of Personal Data, as well as securing the places where documents containing Personal Data are stored.
- Detailed physical, technical and organizational measures for the protection of Personal Data are included in the internal documents in force at the Administrator’s company, in particular the Personal Data Protection Security Policy and the IT System Management Manual.
PROCEDURE FOR DEALING WITH BREACHES OF PERSONAL DATA SECURITY
- The Administrator shall ensure within the Administrator’s enterprise the development and implementation of a procedure for dealing with security breaches of Personal Data, which regulates in particular:
a.) reducing the occurrence of similar incidents in the future;
b.) minimizing the impact of the incident;
c.) clarification of the circumstances of the incident;
d.) securing evidence of the incident.
- The Administrator shall ensure that the procedure to be followed in the event of a breach of security of Personal Data, in a comprehensive manner and in accordance with applicable regulations, regulates the correct action at each stage, i.e. preventing, monitoring, controlling and clarifying any risks of a Personal Data breach.
- The Administrator, within the framework of its enterprise, treats as an event constituting a breach of the protection of Personal Data any event, dependent as well as independent of human will, causing a threat to the security of Personal Data, in particular:
a.) an event leading to a loss of integrity (completeness, reliability) of Personal Data;
b.) an event that threatens the confidentiality of Personal Data;
c.) an event that threatens the accountability of Personal Data.
- The Administrator shall ensure that all necessary steps and actions for the protection of Personal Data are taken if there has been:
a.) a violation of internal policies, procedures or instructions on the protection of Personal Data applicable to the Administrator’s scope of business,
b.) a violation of applicable laws concerning the protection of Personal Data,
c.) a violation of physical security measures used by the Administrator.
- Detailed rules for dealing with a breach of Personal Data protection are regulated by the Administrator in internal documents, procedures and policies.
PRINCIPLES OF SHARING PERSONAL DATA
- The Administrator shall make Personal Data Processed within its enterprise available only to persons or entities entitled to receive it, taking into account the laws in force on the date of Sharing.
- The Administrator shall ensure that the act of Providing Personal Data does not violate the rights of the persons to whom the Personal Data relates.
- These Regulations for the Protection of Personal Data shall come into force on 01.05.2023.