1. Introduction
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), Symposium Cracoviense Sp. z o.o. introduces the following information security policy.
2. Definitions
a) Personal Data Controller: Symposium Cracoviense Sp. z o.o., with registered office in Kraków (31-511, ul. Rakowicka 1/14), registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division, under number 0000210115, NIP 6762061612, REGON 351475079, acting through the President of the Board or, in the absence of the President, a member of the Board.
b) User - a person authorised to process personal data. A User may be an employee of the company, a person performing work under a contract of mandate or another civil-law agreement, a trainee at the company, or a processor with whom the Personal Data Controller has concluded an appropriate agreement entrusting the processing of personal data.
c) User ID - a string of characters uniquely identifying a person authorised to process personal data.
d) Information System Administrator (ASI) - the employee responsible for the operation of the information system and for applying technical data-protection measures within it.
e) Local area network - the company's computers connected together to exchange data for the company's own purposes.
f) Information system - a set of cooperating devices, programs, information-processing procedures and software tools used to process data.
g) Data processing - any operation performed on personal data, such as collection, recording, storage, organisation, alteration, disclosure and erasure.
h) Data security in the IT system - the implementation and use of appropriate technical measures to protect data against unauthorised processing.
i) Data confidentiality - the property that data is not made available to unauthorised parties.
j) Data integrity - the property that personal data has not been altered or destroyed in an unauthorised manner.
k) Accountability - the property that the actions of an entity can be attributed unambiguously to that entity alone.
l) Application - a computer program that performs a specific task.
ł) High level of security - the level of security required when at least one device of the IT system used to process personal data is connected to a public network.
3. Obligations of the Personal Data Controller
a) Monitoring compliance with personal data protection legislation and preventing unauthorised access to personal data.
b) Keeping records of persons authorised to process personal data.
c) Organising training for, and informing, employees and processors who process personal data about their obligations under the GDPR and other European Union or national legislation.
d) Taking appropriate action when a breach or suspected breach of security is detected.
e) Cooperating with the supervisory authority, i.e. the President of the Personal Data Protection Office (UODO), including notifying it of personal data breaches.
f) Supervising the circulation and storage of documents containing personal data.
g) Supervising the correct archiving and deletion of personal data.
h) Supervising the keeping of the required records.
4. Personal data processing area
Address: ul. Rakowicka 1/14, 31-511 Kraków, floors 1 and 2.
5. Register of data processing activities
Personal Data Controller
Symposium Cracoviense Sp. z o.o., with registered office in Kraków, ul. Rakowicka 1/14, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division, under number 0000210115, NIP 6762061612, REGON 351475079.
Processors
home.pl Spółka Akcyjna, with its registered office in Szczecin, ul. Zbożowa 4, 70-653 Szczecin, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court Szczecin-Centrum in Szczecin, XIII Commercial Division, under KRS number 0000431335, NIP 8522103252, REGON 811158242.
Medicover Sp. z o.o., with its registered office at Al. Jerozolimskie 96, 00-807 Warsaw, entered in the National Court Register kept by the District Court for the Capital City of Warsaw, XII Commercial Division, under number 000021314, NIP 525-15-77-627, REGON 012396508.
Netventure Sp. z o.o., with its registered office in Warsaw, ul. Ojcowska 3, 02-918 Warsaw, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, XIII Commercial Division, under number 0000347932, NIP 521-35-53-406, REGON 142229497.
Bokun, a Tripadvisor company (Tripadvisor LLC), 400 1st Avenue, Needham, Massachusetts 02494, USA.
Expedia Inc., 10190 Covington Cross, Las Vegas, NV 89144, USA.
Viator, Inc., 360 3rd Street #400, San Francisco, CA 94107, USA.
Hotelbeds Switzerland AG, Elias Canetti-Strasse 2, 8050 Zurich, Switzerland.
FSI Sp. z o.o., with registered office at ul. Gdyńska 19, 31-323 Kraków, registered by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register, KRS 0000219900, NIP 945-19-26-796, REGON 357238140.
FreshMail Sp. z o.o., with its registered office in Kraków, entered in the Register of Entrepreneurs of the National Court Register by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division, under KRS number 0000497051.
Fakturownia Sp. z o.o., with its registered office in Warsaw, ul. Juliana Smulikowskiego 6/8, 00-389 Warsaw, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0000572426, NIP PL5213704420.
MEETING APPLICATION Sp. z o.o., with its registered office in Wrocław, ul. św. Antoniego 15, 50-073 Wrocław, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, VI Commercial Division, under KRS number 0000433314, NIP 8992738060, REGON 021940356.
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, VAT IE6388047V.
Data Protection Officer (DPO)
Not appointed; the Controller is not obliged to appoint a Data Protection Officer.
Purpose of processing
Performance of contracts concluded with customers and contractors,
Marketing of the company's own services,
Sending commercial information by electronic means,
Performance of the employment relationship under labour law.
Categories of persons
Customers, contractors, employees
User categories
Trained and authorised employees (the register of authorised persons is attached as Annex No. 2 to the Information Security Policy).
Processor home.pl S.A., on the basis of the master hosting agreement and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (VAT IE6388047V), on the basis of a master agreement for the provision of e-mail and data storage services and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor Netventure Sp. z o.o., on the basis of a master hosting agreement and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor Meeting Application Sp. z o.o., on the basis of a master hosting agreement and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor FreshMail Sp. z o.o., on the basis of a master hosting agreement and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor Fakturownia Sp. z o.o., on the basis of a master agreement for the provision of hosting services and an agreement entrusting the processing of ordinary personal data (surname, first name, address, telephone number, e-mail address).
Processor Medicover Sp. z o.o., on the basis of an annex to the Medical Care Agreement governing the transfer of personal data of employees and their family members.
Categories of personal data
Ordinary data:
Customers and contractors - name, address, e-mail address, telephone number. Basis of processing:
performance of the contract;
legitimate interests pursued by Symposium Cracoviense, namely offering its own services to customers, marketing, and conducting business in accordance with the law, including tax law. Data is obtained from enquiries received, orders placed and fulfilled, correspondence, or participation in conferences, trade fairs, workshops, road shows, presentations, etc.;
voluntary consent to the processing of personal data for marketing purposes;
voluntary consent to receiving commercial information by electronic means.
Employees - first name(s) and surname, parents' first names, date of birth, correspondence address, e-mail address, telephone number, education, previous employment history, PESEL number, place of residence, and the first name(s), surname(s) and date of birth of the employee's children where necessary for the employee to exercise special rights provided for in labour law, as well as other data required by law. Basis of processing: the employment relationship.
Recruitment applicants - first name(s) and surname, parents' first names, date of birth, correspondence address, e-mail address, telephone number, education, previous employment history. Basis of processing: voluntary consent of the person submitting the CV.
Information on transfers to a third country or international organisation
Symposium Cracoviense Sp. z o.o. does not transfer data to countries outside the European Economic Area. It does, however, cooperate with contractors and customers outside the EEA and, where personal data is transferred to them, this is done on the basis of appropriate legal mechanisms, such as standard contractual clauses or other similar legal instruments provided for in the GDPR.
Planned deletion of personal data
Employee records - 50 years after the end of the employment relationship.
Contracts, minutes and financial records - 5 years from the end of the calendar year in which the contract was performed, except where the data is needed to establish, pursue or defend claims.
Ordinary personal data (first name, surname, correspondence address, telephone number and e-mail address) of customers and contractors - after 10 years of processing, or immediately upon objection to the processing.
Personal data is processed in the IT system and in paper form.
The system comprises:
a) Paper documentation (correspondence with individuals and businesses).
b) Computer software for processing information, and the procedures for processing data in the system.
c) Computer printouts.
d) Applications used to process personal data in the company's IT system:
SYMFONIA FINANSE I KSIĘGOWOŚĆ (Finance and Accounting) by Sage,
SYMFONIA PŁACE (Payroll) by Sage,
PŁATNIK by Asseco,
Alior Bank electronic banking,
Syskonf,
Microsoft Outlook,
Microsoft Excel,
Microsoft Word,
mobile phone operating systems: Android and iOS,
Meeting Application,
Bokun (a Tripadvisor company),
Fakturownia,
FreshMail,
Google Workspace for business,
Zoom (Zoom Video Communications, Inc.),
Vimeo (Vimeo, Inc.).
The IT system applies a high level of security (as defined in section 2, point ł) to the processing of personal data.
The PŁACE application is linked with PŁATNIK and FINANSE I KSIĘGOWOŚĆ: some data from PŁACE is available in FINANSE I KSIĘGOWOŚĆ, and data is exported from PŁACE to PŁATNIK and to FINANSE I KSIĘGOWOŚĆ.
The other programs are independent of each other.
Technical and organisational measures necessary to ensure the confidentiality and accountability of the data processed in the system
a) Physical protection measures:
The equipment used to process personal data is located in rooms secured by lockable doors.
Access to the rooms is controlled by issuing keys only to authorised persons.
A safe is used to store backup media containing personal data.
b) Hardware, IT and telecommunications resources:
A document shredder is used.
The local network is connected to the Internet via a router that also acts as a hardware firewall, filtering traffic between the local network and the public network.
Backups are made once a week to a backup medium.
c) Software protection measures on data-transmission equipment:
Anti-virus software runs on the system users' computers.
A software firewall runs on the system users' computers.
Access to programs containing personal data is password-protected.
d) Protection measures within the system software:
Access to personal data databases is restricted to authorised employees only.
The system is configured so that end users can access personal data stored in the information system only through the applications listed in point d) of the system description above.
The IT system allows access rights to its IT resources to be defined separately for each employee.
The network system enforces periodic changes of access passwords.
e) Protection measures within database and other software tools:
An application-specific ID and password are required to access the data.
A separate identifier is assigned to each user of the system.
f) Protection measures at workstation level:
Computers from which personal data can be accessed are protected by a startup (boot) password.
Screen savers are activated after prolonged user inactivity.
g) Organisational measures:
Temporary printouts containing personal data are destroyed once they are no longer needed.
Persons employed in the processing of personal data are obliged to keep it confidential.
Persons processing personal data are trained on the applicable data protection legislation and data processing procedures, and are informed of the risks involved in processing personal data in the IT system, before being granted access to such data.
Records are kept of persons authorised to process personal data.
An Information System Administrator has been appointed.
A management manual for the information system used to process personal data has been drawn up (Annex No. 1).
Procedures for handling personal data breaches have been defined.
Where damage to equipment containing a data medium on which personal data is stored necessitates transferring the equipment off-site, the data medium shall be removed before the transfer.
Procedure for handling personal data breaches
a) Any employee of the company who becomes aware of a breach of data security by a person processing personal data, or who has information that may affect the security of personal data, shall immediately report it to the Personal Data Controller.
b) If it is not possible to notify the Personal Data Controller (the CEO), another member of the Board or the employee's immediate supervisor should be notified.
c) Until the Personal Data Controller arrives on site, the person reporting the breach shall: immediately take the actions necessary to contain the effects of the breach; determine its cause and perpetrator; consider stopping ongoing work in order to secure the site; and not leave the site without a legitimate need until the Personal Data Controller arrives.
d) On arrival at the site of the breach, the Personal Data Controller: familiarises themself with the situation and chooses a course of action, taking into account the risk to the continuity of the company's operations; may request a detailed account of the breach from the person who reported it and from any other person who may have information relating to it.
e) The Personal Data Controller documents the breach by drawing up a report (notification of a personal data breach to the supervisory authority, i.e. the Personal Data Protection Office) according to the template in Annex No. 7. The report contains: the person reporting the breach and the other persons involved in clarifying its circumstances; the time and place of the report; the circumstances and type of the breach; the actions taken; and an evaluation of the investigation. The notification is sent to the supervisory authority within 72 hours of the breach being identified, as required by Article 33 GDPR.
6. Final provisions
a) Disciplinary proceedings shall be initiated against a User who, in the event of a personal data breach, has failed to take the actions specified herein, and in particular has failed to notify the Personal Data Controller in accordance with the rules set out above.
b) In the event of negligence or breach of employment duties, the User will be liable under the Labour Code for breach of employment duties and, in extreme cases, for damages, and may also incur criminal liability if the breach constitutes a criminal offence.
c) The Personal Data Controller is obliged to keep a register of persons who have read this document and undertaken to apply the principles contained herein, according to the template in Annex No. 2.
7. List of annexes to the "Information Security Policy" of Symposium Cracoviense Sp. z o.o.
Annex No. 1 - Information system management manual.
Annex No. 2 - List of persons authorised to process data.
Annex No. 3 - List of premises where personal data is processed.
Annex No. 4 - Named authorisation to process personal data.
Annex No. 5 - User's confidentiality undertaking.
Annex No. 6 - Consent to the use of a person's likeness.
Annex No. 7 - Template of the data breach report/notification.
Anna Jędrocha - CEO
Kraków, 01.03.2023