Data Protection
1.1 Introduction
This document, entitled „Personal Data Protection Policy and Information System Security“ (hereinafter: „Policy“) is a map of the requirements, rules and regulations for the protection of personal data as well as information security in the systems used by the Administrator. The policy is a description of securing the Administrator’s information systems, as well as the personal data protection policy within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter: „GDPR“).
1.2. Basics of creating a document
The administrator, fulfilling in the manner indicated in this document his obligations imposed on him by the GDPR as well as the provisions introducing the GDPR into the Polish legal system, also within the meaning of the above-mentioned legal acts:
Administrator’s associates,
Administrator’s business processes and working methods,
knowledge about the Administrator’s clients,
the Administrator’s business partners and his relations with them.
Trust between clients and our company and associates as well as our heritage are the elements that make the value of the Administrator distinguish us and create our identity, reflect our culture. It is our responsibility to protect them.
1.3. Information systems as a determinant of the level of business security
Information systems are developing more and more every day, they facilitate the exchange of information. For these reasons, the Administrator’s IT Systems have become the main tool in:
- developing and sharing our heritage, which allows us to be more dynamic and effective;
- creating and maintaining lasting and trustworthy relationships with our clients and employees, which enables us to ensure high efficiency and provide services tailored to the needs and habits of each person.
Our IT system is a key factor in the development of our heritage and the development of full customer confidence.
However, we are aware that nowadays our IT systems are subject to all kinds of threats that, in the event of an incident, may have negative consequences for our business, therefore we exercise due diligence to protect them in an appropriate manner and face new challenges on a daily basis, including scope as well as strive to constantly increase the security of the information systems we use.
1.4. IT security threats
The level of IT security risk is determined on the basis of a global strategic risk map. The main threats to IT security are:
- inability of the Information System at a critical moment for business;
- inability to detect internal fraud in information systems;
- decision errors due to incorrect financial data;
- data loss or disclosure of customer data records;
- loss of competitive advantage as a result of data leakage;
Our heritage and information systems that support our critical business processes are embedded in security threats.
1.5. The main goals of IT systems security
Yes, in order to avoid any risk, we must protect our sensitive information systems in practice. This strategy is included in the Information Systems Security Policy and refers to the main security objectives that are aimed at reducing the risk at an acceptable level.
The main security objectives are detailed in Chapter 4 of this document.
The Policy of Personal Data Protection and Information Systems Security is the basic document of the Administrator’s corporate security, adapted to strategic threats and a document consistent with the GDPR.
- Presentation of the security policy
2.1. Objective
The Administrator’s Personal Data Protection and Information System Security Policy aims to inspire, encourage and increase trust among users (colleagues, customers, partners) in information systems and services provided.
2.2. Safety rules in a global approach
Bearing in mind the global security of the Administrator’s information systems, we distinguish the following motivating principles:
- realism: the IT security policy is built step by step, adjusted to the level of the Administrator’s size, aiming at gradual improvement (dynamic approach),
- pragmatism: solutions (rules, measures, procedures) are applied in such a way as to find the right compromise between efficiency, simplicity and cost control, focusing on customer service,
- responsibility: the organization of the safety management system is adapted to the Administrator, autonomous and responsible, acting in synergy of common interest,
- consistency: the actions of persons cooperating with the Administrator are consistent with the security applicable in the area