Principles of personal data protection in ABAR EKSPORT-IMPORT
These rules for the protection of personal data in ABAR EKSPORT-IMPORT Bogdan Kamiński, hereinafter also referred to as the Principles, Security Policy or Policy, aim to ensure the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /EC (hereinafter referred to as the GDPR) and the Act of 10 May 2018 on the protection of personal data (hereinafter referred to as the Implementing Act).

§ 1

The general principles of personal data protection at ABAR EKSPORT-IMPORT Bogdan Kamiński (hereinafter also referred to as the Policy or Principles) are specified in this policy. If any of these rules conflict with the GDPR or the Implementing Act, the GDPR and the Implementing Act shall apply.

§ 2

For the purposes of these Rules, it is agreed that all definitions used in the text have the meanings described in the GDPR, except for:
Local Network – connection of Data Administrator’s IT systems solely for own needs using telecommunications equipment and networks;
Data Set – any set of data containing personal data;
Data processing – any operations performed on Personal Data, such as collecting, recording, storing, processing, changing, sharing and deleting, especially those that are performed in the form of operations on an electronic Data Set;
Data Security – technical measures and practices to protect data against unauthorized processing;
User Identifier – a unique string of characters identifying the person authorized to process personal data;
Password – a unique string of characters known only to the person authorized to work with personal data.

§ 3

1. Data Administrator is at ABAR EKSPORT-IMPORT Bogdan Kamiński based in Józefów, at Zagłoby Street No.10, province Mazowieckie, area Otwock, entered in the CEIDG,
NIP: 5320016844, REGON: 010486360 (hereinafter referred to as ABAR or Administrator).
2. The policy applies to all Personal Data processed in ABAR EKSPORT-IMPORT Bogdan Kamiński, regardless of the form of their processing (collections in paper, electronic form, IT systems).
3. The policy is available for inspection at the request of any person or entity, and is stored in an electronic version and in a paper version at the office of Administrator at Zagłoby Street 10 in Józefów.
4. Each person processing personal data is required to read this Policy. The Policy is constantly available for inspection by persons authorized to process personal data. Persons who should be acquainted with the Policy are, in particular, employees and associates of ABAR EKSPORT-IMPORT Bogdan Kamiński. Each of the processors of Personal Data should be authorized in writing to process in accordance with the “Authorization to process personal data” – the template of the Authorization is attached as Annex 2. The authorization may limit access to personal data.
5. For the effective implementation of the GDPR, the Data Administrator ensures, among others technical measures and organizational solutions for data protection in the form of, among others encryption, access passwords, keys and other physical means of restricting access. The authorized person may not use the means of accessing personal data belonging to other persons.
6. The administrator periodically monitors and constantly controls the processing of personal data on a continuous basis, ensuring compliance with, among others GDPR and Policy. The authorized to process personal data constantly watch over the integrity and security of data sets and devices used in their processing by the interference of outsiders.
7. Monitoring by the Data Administrator of the security measures applied includes, among others Users’ actions, violation of data access rules, ensuring file integrity and protection against external and internal attacks.

§ 4.

1. Personal data processed by ABAR include: name and surname, PESEL number, date of birth, NIP, KRS, REGON, RHB, address of residence and correspondence address, place of service and product sales, and other locations that these persons are interested in, photos of persons or devices, ID cards or other similar documents, e-mail addresses or other identifiers used in electronic systems (in particular logins and names of users of these systems).
2. The data controller does not take processing activities that could be associated with a serious probability of high risk for the rights and freedoms of persons, and if it is determined that such processing takes place immediately, the actions provided for in Article 35 and subsequent GDPR. The administrator processes data only for commercial and advertising purposes.
3. The data administrator keeps a register of processing activities. A sample register of processing activities is attached as Annex 1 to this Policy.

§ 5

1. Personal data shall be processed only to the extent necessary to achieve the purpose of data processing, in particular communication with the contractor and the preparation, delivery or dispatch of related documents and services.
2. It is not allowed to process data of persons who are not employees, business partners of the Administrator, potential business partners, employees or persons related to business partners, or have not consented to it, and there is no other basis for processing this data.
3. The period of data storage is limited to the period of their usefulness for the purposes for which they were collected, and after this period they are anonymized or deleted, or their storage takes place without processing.
4. The data subject is subject to an information obligation in accordance with Article 13 and 14 GDPR, subject to Article 6 paragraph 1 point „b” of GDPR.

§ 6

1. Data Administrator does not provide data information in a situation where these data must be kept confidential in accordance with the obligation of professional secrecy (Article 14 (5) point „d” of GDPR).
2. The data should be secured against violations of the principles of their protection.
3. The violation or attempted violation of the principles of processing and protection of Personal Data shall be considered in particular:
a) a breach of security of electronic or IT systems in which Personal Data are processed, in the event of their processing in such systems or with their participation;
b) sharing or enabling access to data by unauthorized persons or entities;
c) failure to fulfill (intentional or unintentional) the obligation to provide Personal Data with protection, confidentiality of Personal Data and non-compliance with the rules and methods of their protection, regardless of whether it caused damage, loss, alteration or unauthorized copying of Personal Data;
d) processing of Personal Data not in accordance with the purpose and scope for which it was obtained;
e) violation of the rights of persons whose data are processed.
4. In the circumstances of the Personal Data protection rules, User (in particular the Employee) is obliged to take all necessary steps to limit the effects of the breach and to immediately notify Data Administrator.
5. In the event of unnecessary data being acquired, such data must be permanently deleted immediately.

§ 7

1. Administrator ensures that in the scope of employment, termination or change of employment conditions of employees or associates (persons undertaking activities for ata Administrator pursuant to other civil law contracts) these persons:
• were properly prepared to perform their duties,
• each employee has undertaken to keep Personal Data processed at secret. The declaration and obligation of the person processing Personal Data to keep confidential is a part of the “Authorization to process Personal Data”.
• keep Personal Data secret and how to secure it;
• reporting incidents related to data breach and system malfunction.

§ 8

1. The area in which Personal Data are processed includes in particular Administrator’s registered office, computers, telephones, tablets, CDs, flash drives, e-mail servers and virtual disks, as well as other data carriers located outside the area indicated above.
2. The methods of protection (technical and organizational) used should be appropriate to the level of risk identified for individual systems, types of files and categories of data and should not depart from practices typical for this type of security.

§ 9

The methods of protection inlcude:
a) Restricting access to rooms in which Personal Data are processed only to authorized persons, the use of safes and lockers locked with keys or otherwise blocked from access to them. During the period of absence, these rooms are closed and monitored using an automatic warning system.
b) Restriction of residence / access to data – other persons may stay in the rooms used for data processing or use their collections only in the company of an authorized person.
c) Shredding unnecessary personal data and media using a document shredder and shredding software.
d) Protection of the local network and computers and similar devices using firewall / antispyware.
e) Making backup copies of data according to technical needs and capabilities.
f) Securing access to electronic devices by means of access passwords.
g) The use of data encryption for transmission.

§ 10

Violations of personal data protection rules:
Data Administrator does not transfer Personal Data to other entities, except for making entries in the records kept by administrative, in particular when it concerns social security or entitlements to practice the profession.
2. In each case in which the breach may have caused the risk of violation of the rights or freedoms of natural persons, the Administrator shall notify the supervisor authority data protection breach without undue delay, no later than within 72 hours after finding the breach. The model application is set out in Annex 4 to this Policy.
3. In the circumstances of Personal Data breach, Administrator shall assess whether the breach may have caused the risk of violation of the rights or freedoms of natural persons.
4. If the risk of violation of rights and freedoms is high, Data Administrator shall also notify the data subject of the incident.
5. Personal Data Administrator will not transfer them to a other countries, except in situations where this occurs at the request of the data subject.

§ 11 Final Provisions

For failure to comply with the obligations arising from this document, the person processing data contrary to the rules implemented by this Policy, shall be responsible, among others, for the following under based on the Labor Code. The annexes form are an integral part of this Policy:
Annex No. 1- Register of personal data processing activities
Annex No. 2 – Specimen authorization to process personal data
Annex No. 3 – Specimen Statement and obligations of the person processing personal data
Annex No. 4 – Specimen notification of a data breach to the supervisory authority
Annex No. 5 – IT system methods of protection
Annex No. 6 – Information on data processing
Annex No. 7 – Consent to data processing

Annex No.1

Register of personal data processing activities

1. Name and surname of the authorized person or name and contact details …………………………………….;
2. Description of the categories of data subjects and categories of personal data …………………………………….;
3. Purposes of personal data processing …………………………………………………..;
4. Categories of recipients to whom personal data have been disclosed, including recipients in other countries or in international organizations …………………………………….;

Annex No. 2

Model authorization to process personal data

ABAR EKSPORT-IMPORT Bogdan Kamiński based in Józefów, at uZagłoby Street No. 10, province Mazowieckie, area Otwock hereby authorize: … . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . for the processing of personal data of . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
on time: employment / cooperation period on behalf of ABAR EKSPORT-IMPORT Bogdan Kamiński
scope of authorization: processed on paper media,
in the IT system, personal items included in the set:
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . no restrictions / limited to data preview, data entry, data processing, data deletion on laptops)

. . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . .
date
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
first and last name of the authorized person
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
position
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
workplace

Annex No. 3

Model statement and obligations of the person processing personal data

STATEMENT
I declare that – in connection with my work for ABAR EKSPORT-IMPORT Bogdan Kamiński authorizing me to process personal data, I have been acquainted with the relevant provisions and standards of personal data protection. I undertake to comply with the provisions on personal data protection, including Regulation of the European Parliament and of the Council (EU) 2016/679 from 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC Security Policy.
I undertake to:
a. ensuring the protection of personal data processed in the administrator’s collections, and in particular ensuring their security against disclosure to outsiders and unauthorized persons, removal, damage and unjustified modification or destruction,
b. b. keep confidential, even after the work has ceased, any information on the functioning of systems used for processing personal data in the files made available to me,
c. immediately reporting observations to administrator attempts or violations of physical security of the room, security of the file(s) or information systems……………………………………………… [signature of employee / colleague]

Annex No. 4

Model of notification of data protection violations to the supervisory authority.

Registration data and company stamp: …

Urząd Ochrony Danych Osobowych (GIODO)

Dear Sir or Madam
As the supervisory authority we inform you about the data protection rules breach consisting of: …
As a result of the infringement, the following personal data were discloset to the public:

Protection measures have been taken in relation to the above mentioned consisting in: …
The effects of the infringement are assessed at: …

The infringement was notified to:

Yours sincerely

Annex No. 5

Data protection measures in the IT system and archives

Data protection measures in ABAR EKSPORT-IMPORT Bogdan Kamiński.
For the security of Personal Data in the IT system, the proper supervision is the responsibility of the Data Administrator, who performs his duties through IT, HR staff, managers and a specialized IT company.
People who have access to the archive or IT system gain access to them after being authorized to process data. After being authorized to process data, the person receives the user ID and password assigned to them, and the right to access the archive in the form of the option to download the appropriate key. At the moment of assigning the identifier or downloading the key, a person may gain access to IT systems or archives to the extent appropriate for the authorization.
The archive uses keys for its individual elements or creates separate archives by collecting materials in separate rooms. The IT system uses authentication at the operating system access level, where an individual password is used.
Physical security should meet standards that prevent unauthorized access. The minimum password length assigned to the user is 6 alphanumeric characters and special characters.
Procedures for starting and suspending work termination by system users.

Data security
After starting, the employee logs in using the user ID and password to the IT system. At the end or interruption of work the user protects the device against access by outsiders/undersirables.
To ensure data integrity, data is periodically archived.
All archived data should be identified, i.e. contain such information such as: date of recording and identifier saved in copy data.
Media with archival copies should be secured against access by unauthorized persons, against destruction or theft.
Storage media with archived data should not be stored in the same rooms where the data currently used are stored. Information carriers, backups that are not intended for sharing, are stored in conditions preventing unauthorized access to them.

Copies and data that are no longer useful should be destroyed physically or by erasing by repeatedly writing irrelevant information in the area occupied by the erased data.
It is forbidden to take any recorded media containing personal data from the workplace outside archiving.

Method of securing the IT system against the activity of computer viruses, unauthorized access and power failures

The IT system is protected against software that is designed to gain unauthorized access.

Employees may use electronic mail for business purposes and for private purposes to the extent restricted by their duties. Administrator may learn the content of electronic messages used by employees located in all administrator systems.
It is forbidden to open emails originating from an unknown sender or with a suspicious title (so-called phishing email). In particular, it is forbidden to open links or download files saved in external communication from an unknown sender.

Methods of implementation of data processing requirements in the system (method of implementation of the requirement to save in the IT system (information on data recipients)

Information about data recipients is saved in the IT system from which it was made available, taking into account the date and scope of disclosure, as well as the exact specification of the recipient of the data.

Inspection and maintenance procedures of the system and information media for data processing

Inspection reviews, hardware and software service should be carried out by service companies with whom agreements have been concluded containing provisions obliging them to respect the confidentiality of information.
When making the service, the following rules should be observed:
a) service activities should be performed in the presence of a person authorized to process data,
b) before starting these activities, data and programs contained in the system should be protected against their destruction, copying or incorrect change,
c) service should be recorded in a service book containing the type of service activities performed, dates of commencement and termination of the service, persons performing service activities, i.e. name and surname, as well as persons participating in service works,

d) in the case of service work carried out by an external entity that requires access to personal data, relevant personal data entrustment agreements should be concluded with such entity.

Annex No.6

Information on data processing.
…… on …… 20 … year
……. (registration data and company stamp valid as at the date of application) …
……….. (personal data of the person)

Dear Sir / Madam
We inform you that we have become the administrator of your personal data, which we will process only for the purposes of performing the contract concluded with you and in connection with the rights acquired by you in ABAR EKSPORT-IMPORT Bogdan Kamiński with its registered office in Józefów, at Zagłoby Street No. 10, province Mazowieckie, area Otwock, entered in the CEIDG, NIP: 5320016844, REGON: 010486360.

Data administrator is ABAR EKSPORT-IMPORT Bogdan Kamiński with office in Józefów, at Zagłoby Street No.10, province Mazowieckie, area Otwock, entered in CEIDG, NIP: 5320016844, REGON: 010486360. The only recipients of your data may be producers or importers of purchased items or services, companies providing services of transporting purchased items and maintenance services, as well as administrative offices (especially Tax Offices).
The data will be stored for the period of cooperation, the period of implementation (in particular, performance of contracts) or until consent to their processing is withdrawn. You have the right to inspect, change or delete them, however, we would like to point out that they are necessary to perform the contract or to exercise the rights (in particular the property rights to real estate) acquired in cooperation with us or whose acquisition is planned. Your data after the end of the above period will be destroyed.
The administrator profiles your data only in terms of the location of the purchased property (or which has been shown a willingness to purchase).
We would like to kindly inform you that in case of violation of your rights, you have the right to lodge a complaint with the supervisory authority.

Best regards
………………
(date and place, signature)

Annex No. 7

Consent to the processing of personal data

I ……………., residing in ……….., ……………, possessing the NIP/ REGON/PESEL/PASSPORT number …………, I agree to process my personal data by ABAR EKSPORT-IMPORT Bogdan Kamiński (based in Józefów at Zagłoby Street No.10, province Mazowieckie, area Otwock, entered into CEIDG, NIP: 5320016844, REGON: 010486360), for the duration of the contract, the period for which I will acquire or acquire rights or the duration of cooperation (with ABAR EKSPORT-IMPORT Bogdan Kamiński and its subsidiaries – including ……….. ……………) and the time necessary to protect or maintain my rights related to the above.
I confirm that I have received information about my rights related to the processing of personal data.

……………..
(date and place, signature)