PERSONAL DATA PROTECTION POLICY
at the Trading Company XXL s.c. Iwona Dudziak Wiesław Dudziak hereinafter referred to as the ADMINISTRATOR
1. This document entitled "Personal Data Protection Policy" (hereinafter the Policy) is intended to serve as a map of the requirements, principles, and regulations of personal data protection at the Administrator.
2. This Policy is a personal data protection policy within the meaning of GDPR – the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p. 1).
3. The Policy includes:
a) a description of the data protection principles applicable at the Administrator;
b) references to annexes (model procedures or instructions covering specific areas of personal data protection that require clarification in separate documents).
4. The Data Protection Officer and all members of the Administrator's staff are responsible for implementing and maintaining this Policy.
5. The Administrator shall ensure that its contractors' conduct complies with this Policy to the appropriate extent when personal data is transferred to them by the Administrator.
6. Abbreviations and definitions:
- Policy means this Personal Data Protection Policy, unless the context clearly indicates otherwise.
- GDPR means the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p. 1).
- Data means personal data unless the context clearly indicates otherwise.
- Sensitive data means special categories of data and criminal data.
- Special data means data listed in Article 9(1) of the GDPR, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of trade unions, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, sexuality, or sexual orientation.
- Criminal data means data listed in Article 10 of the GDPR, i.e. data concerning convictions and offenses.
- Children's data means data of persons under 16 years of age.
- Person means the individual to whom the data relates unless the context clearly indicates otherwise.
- Processor means an organization or person entrusted by the Administrator to process personal data (e.g., IT service provider, external accounting).
- Profiling means any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning the performance of the work of that natural person, economic situation, health, personal preferences, interests, reliability, behavior, location, or movement.
- Data export means transfer of data to a third country or an international organization.
- DPO or Data Protection Officer means the Data Protection Officer.
- RCPD or Register means the Register of Personal Data Processing Activities.
5. Personal data protection at the Administrator – general principles
5.1. Pillars of personal data protection at the Administrator:
(1) Legality – The Administrator cares about privacy protection and processes data in accordance with the law.
(2) Security – The Administrator ensures an appropriate level of data security by continuously taking actions in this regard.
(3) Individual Rights – The Administrator enables persons whose data is processed to exercise their rights and fulfills these rights.
(4) Accountability – The Administrator documents how it meets its obligations to demonstrate compliance at any time.
5.2. Data protection principles. The Administrator processes personal data respecting the following principles:
(1) based on legal grounds and in accordance with the law (lawfulness);
(2) fairly and honestly (fairness);
(3) in a transparent manner to the data subject (transparency);
(4) for specified, explicit purposes and not "in advance" (purpose limitation);
(5) no more than necessary for those purposes (data minimization);
(6) with care for data accuracy (accuracy);
(7) no longer than necessary (storage limitation);
(8) ensuring appropriate data security (security).
5.3. Data protection system
The personal data protection system at the Administrator consists of the following elements:
1) Data inventory. The Administrator identifies personal data assets, data classes, relationships between data assets, and the ways the data are used (inventory), including:
a) cases of processing special and "criminal" data (sensitive data);
b) cases of processing data of persons the Administrator cannot identify (unidentified data);
c) cases of processing children's data;
d) profiling;
e) data co-administration.
2) Register. The Administrator develops, maintains, and manages the Register of Personal Data Processing Activities. The Register is a tool for accountability regarding data protection at the Administrator.
3) Legal bases. The Administrator identifies and verifies the legal basis for each data processing activity and records it in the Register, including:
a) maintaining a consent management system for data processing and remote communication;
b) inventorying and specifying justification for cases where the Administrator processes data based on a legitimate interest of the Administrator.
4) Handling individual rights. The Administrator fulfills information obligations towards persons whose data are processed and enables them to exercise their rights by acting on the requests it receives, including:
a) Information obligations. The Administrator provides legally required information to persons when collecting data and in other situations and organizes and ensures documentation of fulfilling these obligations.
b) Opportunity to fulfill requests. The Administrator verifies and ensures the ability to effectively fulfill every type of request by itself and its processors.
c) Request handling. The Administrator ensures appropriate resources and procedures so that individuals' requests are fulfilled within the legally required deadlines and documented.
d) Breach notification. The Administrator applies procedures enabling the determination of the necessity to notify persons affected by an identified data protection breach.
5) Minimization. The Administrator has rules and methods for managing minimization (privacy by default), including:
a) rules for managing data adequacy;
b) rules for access control and data access management;
c) rules for managing data retention periods and verifying further usefulness;
6) Security. The Administrator ensures an appropriate level of data security, including:
a) conducts risk analyses for data processing activities or categories;
b) conducts data protection impact assessments where the risk of violating individuals' rights and freedoms is high;
c) adjusts data protection measures to the assessed risk;
d) has an information security management system;
e) applies procedures for identifying, assessing, and reporting identified data breaches to the Data Protection Authority (incident management).
7) Processors. The Administrator has rules for selecting processors processing data on behalf of the Administrator, requirements regarding processing conditions (data processing agreement), and verification rules for performance of entrustment contracts.
8) Data export. The Administrator has rules verifying whether data are not transferred to third countries (outside the EU, Norway, Liechtenstein, Iceland) or to international organizations and ensures lawful conditions of such transfers if they take place.
9) Privacy by design. The Administrator manages changes affecting privacy so that new projects and investments take into account, already at the design phase, the need for a data protection impact assessment and for assuring privacy (including compliance with processing purposes, data security, and minimization).
6. Inventory
6.1. Sensitive data
The Administrator identifies cases where it processes or may process sensitive data (special categories and criminal data) and maintains dedicated mechanisms ensuring lawful processing of sensitive data. Upon identifying such cases, the Administrator follows adopted principles in this regard.
6.2. Unidentified data
The Administrator identifies cases where it processes or may process unidentified data and maintains mechanisms facilitating exercising rights of persons whose data they concern.
6.3. Profiling
The Administrator identifies cases where profiling of processed data is performed and maintains mechanisms ensuring compliance of this process with the law. Upon identifying such cases, the Administrator follows adopted principles.
6.4. Co-administration
The Administrator identifies cases of data co-administration and acts in accordance with adopted principles.
7. Register of Data Processing Activities
7.1. The RCPD is a form of documenting data processing activities, serves as a data processing map, and is one of the key elements enabling the fundamental principle underlying the entire personal data protection system: accountability.
7.2. The Administrator maintains the Register of Data Processing Activities, in which it inventories and monitors how personal data are used.
7.3. The Register is one of the basic tools allowing the Administrator to account for most data protection obligations.
7.4. In the Register, for each data processing activity that the Administrator considers separate for the Register's needs, the Administrator records at least: (i) the name of the activity, (ii) the purpose of processing, (iii) the description of the categories of data subjects, (iv) description of data categories, (v) legal basis for processing, including specification of the legitimate interest category if the basis is a legitimate interest, (vi) method of data collection, (vii) description of recipient categories (including processors), (viii) information on transfers outside the EU/EEA; (ix) a general description of technical and organizational data protection measures.
7.5. The Register template is Annex 1 to the Policy – "Template of the Register of Data Processing Activities." The Register template includes optional columns. In optional columns, the Administrator records information as needed and possible, bearing in mind that a more complete Register facilitates data protection compliance management and accountability.
8. Legal Bases for Processing
8.1. The Administrator documents legal bases for data processing.
8.2. When specifying a general legal basis (consent, contract, legal obligation, vital interests, public task/public authority, legitimate interest of the Administrator), the Administrator clarifies the basis clearly if needed. For example, for consent, indicating its scope; if based on law, referencing specific provisions and documents (e.g., contract, administrative agreement); for vital interests, indicating categories of events in which they materialize; for legitimate interest, specifying the particular purpose (e.g., own marketing, claim enforcement, claim limitation).
8.3. The Administrator implements consent management methods allowing registration and verification of consent for processing specific data for a specific purpose, consent for remote communication (email, phone, SMS, etc.), and registration of consent refusal, withdrawal, and similar actions (objection, limitation, etc.).
8.4. The head of each of the Administrator's organizational units must know the legal bases on which the unit conducts specific personal data processing activities. If the basis is the Administrator's legitimate interest, the unit head must know the specific interest pursued.
9. How to Handle Individual Rights and Information Obligations
9.1. The Administrator ensures readability and style of information and communication provided to persons whose data it processes.
9.2. The Administrator facilitates the exercise of individuals' rights through various measures, including posting on its website and in publicly accessible locations on its premises information (or links to information) about individuals' rights and how to exercise them with the Administrator, including identification requirements, contact methods, and possible fees for "additional" requests.
9.3. The Administrator ensures compliance with legal deadlines for fulfilling obligations towards individuals.
9.4. The Administrator introduces appropriate identification and authentication methods for individuals to exercise rights and fulfill information obligations.
9.5. To enable the exercise of individual rights, the Administrator maintains procedures and mechanisms to locate a specific person's data across its systems, to consolidate these data, and to modify or delete them in a consistent manner.
9.6. The Administrator documents handling of information obligations, notifications, and individuals' requests.
10. Information Obligations
10.1. The Administrator defines lawful and effective ways of executing information obligations.
10.2. If a request cannot be handled within one month, the Administrator informs the individual, within that month, of the extension of the deadline and the reasons for it.
10.3. The Administrator informs the individual about the processing of their data when collecting data directly from them.
10.4. The Administrator informs the individual about the processing of their data when collecting data about them indirectly.
10.5. The Administrator defines how to inform individuals about processing of unidentified data where possible (e.g., notice of video surveillance coverage).
10.6. The Administrator informs the individual about planned change of processing purpose.
10.7. The Administrator informs the individual before lifting the restriction on processing.
10.8. The Administrator informs data recipients about rectification, deletion, or restriction of data processing (unless this requires disproportionate effort or is impossible for the Administrator).
10.9. The Administrator informs the individual about the right to object to data processing no later than at the first contact with the individual.
10.10. The Administrator notifies the individual without undue delay about a personal data breach if it is likely to result in a high risk to the individual's rights or freedoms.
11. Individual Requests
11.1. Rights of third parties. When fulfilling rights of data subjects, the Administrator introduces procedural safeguards to protect rights and freedoms of third parties. In particular, if credible information is received that fulfilling a person's request for a copy of data or data portability may adversely affect rights and freedoms of others (e.g., data protection rights of others, intellectual property rights, trade secrets, personal rights, etc.), the Administrator may contact the person to clarify doubts or take other legally permitted steps, including refusal to comply with the request.
11.2. Non-processing. The Administrator informs the individual that their data are not processed if such a request is made.
11.3. Refusal. If the Administrator does not act on a request, it informs the individual within one month of receiving the request of the reasons for not acting and of the rights available to them in that situation.
11.4. Access to data. Upon a request for access to their data, the Administrator informs the person whether their data are processed and provides the details of processing required by Article 15 GDPR (the scope corresponds to the information obligation when collecting data) and grants access to the data. Access may be provided by issuing a copy of the data; a copy issued in this way under the right of access is not treated as the first free copy for the purposes of charging for copies.
11.5. Data copies. Upon request, the Administrator issues a copy of the person's data and records the issuance of the first copy. The Administrator maintains a price list for copies, charging for subsequent copies based on estimated unit costs of handling the request.
11.6. Data rectification. The Administrator rectifies inaccurate data on request. The Administrator may refuse to rectify data unless the individual reasonably demonstrates inaccuracies. Upon rectification, the Administrator informs data recipients upon request.
11.7. Data completion. The Administrator supplements and updates data on request. The Administrator may refuse completion if it conflicts with processing purposes (e.g., processing unnecessary data). The Administrator may rely on the individual's statement unless insufficient under the Administrator's procedures, law, or if the statement is deemed unreliable.
11.8. Data deletion. Upon request, the Administrator deletes data when:
(1) data are no longer necessary for the purposes collected or other purposes;
(2) consent is withdrawn and no other legal basis exists;
(3) a valid objection has been made;
(4) data were processed unlawfully;
(5) deletion is required by law;
(6) request concerns a child's data collected by consent for information society services offered directly to the child (e.g., child's profile on social network, contest participation on website).
The Administrator defines how to handle the right to deletion effectively, respecting data protection principles including security, and verifies whether exceptions under Article 17(3) GDPR apply.
If data to be deleted were made public by the Administrator, the Administrator takes reasonable actions, including technical measures, to inform other controllers processing those personal data that the person has requested erasure of any links to, copies of, or replications of those data.
Upon deletion, the Administrator informs the person about data recipients upon request.
11.9. Restriction of processing. The Administrator restricts processing upon request when:
a) the individual disputes data accuracy – for time allowing verification;
b) processing is unlawful and the individual opposes deletion and requests restriction;
c) the Administrator no longer needs data, but the individual requires them for claims establishment, exercise, or defense;
d) the individual objected to processing for reasons related to their specific situation until it is determined whether legitimate grounds override objection.
During restriction, the Administrator stores data but does not process them (no use or transfer) without the individual's consent, except for claims-related purposes, protection of rights of others, or important public interest reasons.
The Administrator informs the individual before lifting processing restriction.
Upon restriction, the Administrator informs the person about data recipients upon request.
11.10. Data portability. Upon request, the Administrator provides data in a structured, commonly used, machine-readable format or transfers it to another entity, if feasible, regarding data supplied by the person, processed based on consent or contract, within the Administrator's IT systems.
11.11. Objection in special situations. If the person objects for reasons related to their specific situation to data processing based on legitimate interest or public task, the Administrator will honor the objection unless overriding legitimate grounds or grounds for claims defense apply.
11.12. Objection for scientific, historical, or statistical research. If the Administrator conducts such research, the person may object for reasons related to their specific situation unless processing is necessary for public interest task.
11.13. Objection to direct marketing. If the person objects to processing for direct marketing needs (including profiling), the Administrator will comply and cease such processing.
11.14. Right to human intervention in automated processing. If the Administrator processes data automatically, including by profiling, and as a result makes decisions that produce legal effects for the person or similarly significantly affect them, it does so only where the decision is necessary for concluding or performing a contract with the person, is explicitly permitted by law, or is based on the person's explicit consent. In the contract and consent cases, the Administrator ensures the person's right to obtain human intervention, to express their point of view, and to contest the decision.
12. MINIMIZATION
The Administrator ensures minimization of data processing regarding: (i) data adequacy to purposes (amount and scope), (ii) data access, (iii) data retention period.
12.1. Scope minimization
As part of its GDPR implementation, the Administrator has verified that the scope of collected data, the scope of processing, and the quantity of data are adequate to the processing purposes.
The Administrator conducts periodic reviews of data quantity and processing scope at least once a year.
Changes to data quantity and scope are verified under change management procedures (privacy by design).
12.2. Access minimization
The Administrator applies access restrictions: legal (confidentiality obligations, authorization scopes), physical (access zones, locked rooms), and logical (system access rights, network resource access).
Physical access control is enforced.
Access rights are updated with staff changes and role/processor changes.
Periodic review and update of system users performed at least annually.
12.3. Time minimization
The Administrator implements lifecycle control mechanisms for personal data, including usefulness verification per retention schedules and control points recorded in the Register.
Data that lose usefulness over time are removed from production systems and primary/manual files. Such data may be archived and stored in backups. Archiving and backup procedures ensure compliance with data lifecycle control requirements, including data deletion.
13. SECURITY
The Administrator ensures a level of security corresponding to the risk of violating rights and freedoms of natural persons due to personal data processing.
13.1. Risk analyses and adequacy of security measures
The Administrator carries out and documents analyses of the adequacy of security measures for personal data. This includes:
(1) Ensuring appropriate knowledge of information security, cybersecurity, and business continuity – internally or with support from specialized entities.
(2) Categorizing data and processing activities by risk level.
(3) Analyzing risks of rights or freedoms violations for processing activities, considering nature, scope, context, purposes, and risk levels with varying likelihood and severity.
(4) Determining applicable organizational and technical security measures and assessing implementation costs. Measures include:
(i) pseudonymization,
(ii) encryption of personal data,
(iii) other cybersecurity measures ensuring confidentiality, integrity, availability, and resilience of processing systems and services,
(iv) business continuity and disaster recovery measures allowing quick restoration of data availability and access.
13.2. Data protection impact assessments
The Administrator conducts impact assessments for planned processing operations with high risk of rights and freedoms infringement.
A methodology adopted by the Administrator is applied.
13.3. Security measures
Security measures applied correspond to risk analyses, adequacy evaluation, and impact assessments.
They form part of information security and cybersecurity measures and are described in procedures adopted for these areas.
13.4. Breach reporting
The Administrator applies procedures to identify, assess, and report personal data breaches to the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the report cannot be made within 72 hours, it is accompanied by the reasons for the delay.
14. PROCESSORS
The Administrator has rules for selecting and verifying data processors to ensure adequate organizational and technical measures for security, individual rights, and other data protection obligations.
The Administrator adopted minimum requirements for processing agreements as Annex 2 to the Policy – "Template of Data Processing Agreement."
The Administrator monitors processors' use of sub-processors and compliance with data processing rules.
15. PRIVACY BY DESIGN
The Administrator manages privacy-affecting changes to ensure appropriate security and minimization of personal data processing.
Project and investment principles refer to personal data security and minimization principles, requiring impact assessment on privacy and data protection, incorporating security and minimization from the project or investment design phase.