Skip links

Data Protection and Information System Security Policy

This document was created for the Evviva L’arte Foundation

with its registered office in Warsaw 02-601, at 23/20 Racławicka Street

registered under NIP number: 5213720643 (hereinafter: Administrator).

Table of contents

1 Terminology 4

1.1 Introduction 4

1.2 The basis for document 4

1.3 Information systems as a measure of business security 5

1.4 Threats to IT security 5

1.5 Main objectives of IT system security 5

2 Presentation of security policy 7

2.1 Objective 7

2.2 Safety principles in a global approach 7

2.3 Data security design by the Administrator 7

2.4 Application scheme 8

2.5 Review of information systems security policy 8

3 Basic SAFETY objectives 8

3.1 Safety culture 8

3.2 The Regulation on Customer Data 9

3.3 Access control and authorisations 9

3.4 Enabling the tracking of operations 9

4 Personal data protection policy 10

4.1 Personal data protection with the Administrator – protection procedures. 10

4.1.1 The fundamentals of personal data protection: 10

4.1.2 Data protection principles 11

4.1.3. Applicable data protection systems 11


4.2.1 Specific categories and criminal data 13

Unidentified data 13

Profiling 14

4.2.4. Co-administration 14







4.8.1 Minimisation of access to personal data 20

4.8.2 Minimisation of data processing time 20

4.8.3 Minimisation of data processing 20


4.9.1 Risk analyses 21

4.9.1. Data protection impact assessments 22

4.9.2 Security measures taken by the Administrator 22

4.9.3 Reporting infringements 22




5. classification of documents 23

5.1 Ownership, updating and review 23

1 Terminology


This document, entitled “Policy on personal data protection and security of information systems” (hereinafter referred to as the “Policy“) is a map of requirements, principles and regulations of personal data protection and information security in the systems used by the Administrator. The Policy is a description of the security of the Administrator’s information systems, as well as the personal data protection policy within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “the TDC“).

1.2 The basis for the document       

The Administrator, who fulfils his obligations imposed on him by the PEPO as well as the provisions introducing the PEPO into the Polish legal order in the manner indicated herein, is also in the meaning of the above mentioned legal acts:

  • Administrator’s associates,
  • business processes and working methods of the Administrator,
  • knowledge about the Administrator’s Clients,
  • the Administrator’s business partners and his relations with them.

Trust between Clients and our company and co-workers, as well as our heritage, are the elements that make the value of the Administrator distinguish us and create our identity, reflect our culture. It is our duty to protect them.

1.3 Information systems as a measure of business security

Information systems are developing more and more every day, facilitating the exchange of information. For these reasons, the Administrator’s Information Systems have become the main tool in the company:

– to develop and share our heritage, which allows us to be more dynamic and effective;

– creating and maintaining lasting and trustworthy relationships with our customers and employees, thus enabling us to ensure high productivity and provide services tailored to the needs and customs of each individual.

Our IT system is a key factor in the development of our heritage and the full confidence of our clients.

However, we are aware that, today, our IT systems are subject to all kinds of risks which, if an incident occurs, can have negative consequences for our business, and we are therefore careful to protect them in an appropriate manner and to face new challenges in this area on a daily basis, as well as to strive to continuously improve the security of the IT systems we use.

1.4 Threats to IT security

The level of IT security risk is determined on the basis of a global strategic risk map. The main IT security risks are:

– inability of the Information System at a critical time for business;
– inability to detect internal fraud in IT systems;
– decision errors due to erroneous financial data;
– loss of data or disclosure of Client’s data records;
– loss of competitive advantage due to data leakage;

Our legacy and the information systems that support our critical business processes are included in security threats.

1.5 Main objectives of IT systems security

Yes, to avoid risks, we must protect our sensitive information systems in practice. This strategy is included in the Information Systems Security Policy and refers to the main security objectives, which aim to reduce risks to an acceptable level.
The main security objectives are described in detail in Chapter 4 of this document.

The Personal Data Protection and Information System Security Policy is the basic document of the Administrator’s corporate security, adjusted to strategic threats and a document consistent with the Council of Central Statistical Offices.

2. presentation of security policy

2.1 Purpose

The Policy of Personal Data Protection and Security of Administrator’s Information Systems aims at inspiring, encouraging and increasing trust among users (co-workers, customers, partners) in information systems and services provided.

2.2 Safety principles in a global approach

With the global security of the Administrator’s information systems in mind, we distinguish the following principles of motivation:

– Realism: the IT security policy is built step-by-step, adapted to the Administrator’s size, while aiming for gradual improvement (dynamic approach),

– Pragmatism: solutions (rules, measures, procedures) are applied in such a way as to find the right compromise between efficiency, simplicity and cost control, focusing on customer service,

– Responsibility: the organisation of the safety management system is adapted to the Administrator, autonomous and responsible, acting in synergy with the common interest,

– consistency: the actions of persons cooperating with the Administrator are consistent with security, applicable in the Administrator’s area of activity, taking into account improvement of cooperation and common vision (global approach),

– Prediction: more secure prediction (in IT projects, service definitions, creation of new projects or their evolution), more specific activities and applications can be adapted effectively and sustainably,

2.3 Data security design by the Administrator

The Administrator’s security architecture is based on a model reference document. The template consists of:

this document, which sets out the strategic security points for the Administrator and translates them into fundamental objectives: it is the basis for all the Administrator’s security issues;

– security standards defining security grades, which will be achieved through the implementation of the basic security objectives set by the Administrator and in various ways, including using tools and best practices known to the Administrator;

– procedures and operating modes describing the technical implementation of security measures.

This security architecture is implemented at the Administrator’s premises and takes the form of the Personal Data Protection and Information System Security Policy so that specific objectives can be achieved.

2.4 Application scheme

This document applies to all information systems used by the Administrator, including in particular:

– all the Administrator’s associates;

– all partners (entrepreneurs, including commercial companies, service providers, subcontractors);
– all processes and applications;
– all components of IT systems (office computers, laptops, smartphones, tablets, etc.).

2.5 Review of information systems security policy

In order to ensure its continued relevance, adequacy and effectiveness, the Administrator’s Data Protection and Information System Security Policy shall be updated every two years, or in the event of material changes in the process of reassessing its validity and identifying strategic risks.

3 Basic SAFETY objectives

3.1 Safety culture

The persons cooperating with the Administrator are the main elements in information security systems. They are the core of the security strategy. However, their actions can also lead to serious accidents due to ignorance of risks and non-compliance with best practices.

As a consequence, an information and training programme should be implemented in order to spread the safety culture among all employees of the Administrator, including third parties (partners, subcontractors, etc.) throughout the whole period spent with the Administrator and on departure.

3.2 Legal regulations concerning the Client’s data

Information systems are subject to numerous legal regulations (personal data protection, financial information protection) or information protection regulations (credit card payment).

Regulation is not an option, but an obligation. Therefore, regulatory monitoring relating to IT security must comply with local legislation. Advice on legal requirements must be sought from legal advisers.

Furthermore, all necessary security measures must be applied to information systems, taking into account regulatory requirements.

3.3 Access control and authorisations

The Information System stores most of the data and, moreover, some information is more vulnerable than others to leakage because of its content, but also because of constantly changing IT threats. Some of these data are subject to regulations or legal obligations (customer data etc.). Access to confidential information must naturally be strictly limited.

Procedures and operational activities shall therefore be put in place to control access to the Information System where necessary. These are the following principles:

– unambiguous identification of users,

– secure authentication of users, which means that the means for authentication are personal and the level of security is ensured,

– lower privileges, which means that users have rights tailored to their position, no more and no less,

– the need for knowledge – this means that users only have access to those services that are necessary for their work, no more and no less.

3.4 Enabling the tracking of operations

Numerous sensitive operations pass through the information system. It is worth mentioning here financial operations, customer operations or employee management. These operations are to be monitored in accordance with an adapted flow rate process.

Consequently, the traceability of sensitive operations is ensured:

– the definition of a logging policy adapted to the importance of monitoring operations and compliance with applicable legal requirements,

– defining and implementing automatic solutions for secure management of all aspects of the log management process (generation, collection, storage, archiving, storage time),

4 Personal data protection policy

The policy is in its content:

  1. description of the data protection rules applicable to the Administrator,
  2. if necessary, also references to specific annexes (model procedures or instructions for specific areas of personal data protection to be clarified in separate documents).

The Administrator’s Board is responsible for the implementation and maintenance of this Policy, and within the Board:

  1. a member of the Management Board or members of the Management Board entrusted with the supervision of the area of personal data protection,
  2. the person appointed by the Management Board to ensure compliance with data protection.

They are responsible for applying this Policy:

  1. Administrator,
  2. all staff members of the Administrator.

The Administrator should also ensure that contractors’ conduct complies with this Policy to an appropriate extent, especially in cases where the Administrator has provided them with personal data. For this purpose, the Administrator enters into agreements with contractors who gain access to personal data of the Administrator’s clients.

4.1 Personal data protection with the Administrator – protection procedures.

4.1.1 The fundamentals of personal data protection:

  1. Legitimacy – The controller takes care of the protection of privacy and processes data in accordance with the law and only on the basis of the applicable legal regulations.
  2. Security – the controller ensures the level of data security corresponding to the sector of his activity, taking continuous actions in this respect (the controller uses the services offered by entities professionally dealing with data protection issues, such as law firms).
  3. Rights of natural persons – the Administrator enables the natural persons whose data is being processed to exercise their rights granted by the provisions of the PDPA and to exercise these rights by complying with all stages of data protection described in this Policy.
  4. Accountability – The administrator shall document how he fulfils his obligations so that he can demonstrate compliance at all times. The documentation shall be kept in properly protected places, with safety rules against data leakage.

4.1.2 Data protection principles

The controller processes personal data with a view, in particular, to the processing of data:

  1. on a legal basis and in accordance with the law (legalism),
  2. fairness and respect for individual rights (reliability),
  3. in a way that is transparent to the data subject, bearing in mind that individuals have limited time to familiarise themselves with the data processing methods used by the controller (transparency),
  4. for specific purposes and not for more specific unspecific purposes – processing of data ‘for the future’ (minimisation),
  5. only to the extent necessary (adequacy),
  6. with care to ensure that the data processed by the Administrator is consistent with reality (correctness),
  7. no longer than it is necessary for the performance of the obligations arising from the legal or factual relationship between the Administrator and the other party and only to the extent that the Administrator has informed the individual about the time when the data will be processed (timeliness),
  8. ensuring adequate data security in view of the potential risks and threats associated with operations involving personal data (security).

4.1.3. Data protection systems in place

The personal data protection system of the Administrator consists primarily of such components as

  1. Data inventory. The controller identifies personal data resources, data classes, relations between data resources, identification of the ways of using the data (inventory), including:
    1. cases of processing data of persons not identified by the Administrator (unidentified data),
    1. cases of processing children’s data,
    1. profiling,
  2. Register for the Processing of Personal Data. The Administrator shall develop, maintain and maintain a register of activities performed on personal data at the Administrator’s premises (hereinafter: “the Register” or “RCPD“). The Register is a tool for settling the compliance of personal data processing at the Administrator’s premises with the generally applicable law.
  3. The legal basis. The controller shall ensure, identify and verify the legal grounds for the processing of data and register them in the Registry, including:
    1. maintain a system for managing the consent for data processing and remote communication in order to easily determine the ability to communicate with individuals for specific purposes;
    1. justifies cases where the controller processes data on the basis of the controller’s legitimate interest.
  4. Handling of individual rights. The controller shall fulfil the information obligations towards the persons whose data are processed and ensure the handling of their rights (Article 12(3) of the GCRL) by fulfilling the requests received in this respect, including:
    1. information obligation. The Administrator provides the persons with the required information when collecting data and in other situations (at the initial stage of implementing the rules of the PDPO, the Administrator legalises the existing database to the extent of notification of new rights granted by the PDPO to natural persons) and organises and ensures that the fulfilment of these obligations is documented so as to be able to demonstrate their fulfilment in the event of a possible inspection by the Personal Data Protection Office,
    1. Execution of requests from individuals. The controller shall ensure the possibility of executing the requests addressed to it by natural persons whose personal data it processes both by itself and its processors (obligations of processors imposed by means of personal data processing outsourcing agreements),
    1. handling requests from individuals. The administrator shall ensure appropriate financial and personnel expenses, as well as procedures to ensure that the requests of the individuals are carried out on time and in the manner required by the TYPE, as well as that their execution is documented in an appropriate manner each time,
    1. notification of infringements. The controller shall apply procedures which make it possible to determine the necessity of notifying persons affected by an identified data breach. For this purpose, a member of the Management Board in the person appointed for this purpose shall supervise the data processing processes in such a way that the notification of breaches can take place immediately, however, always within the deadlines not later than those specified in the generally applicable law.
  5. Minimisation. The Administrator has implemented principles and methods compatible with the rules of the TYRO, the principle of minimization, so as not to process unnecessary and redundant personal data. By means of the minimisation principle, the Administrator strives to ensure that his database does not contain data which are not absolutely necessary for the correct performance of legal and factual relations between the Administrator and its customers and contractors (privacy by default), including:
    1. rules that help to effectively manage data adequacy already at the stage of data collection (forms adapted for not collecting redundant data),
    1. principles of managing access to the data of natural persons who request such access, through appropriate training of persons responsible for these issues on the Administrator’s premises as well as preparation of an appropriate procedure of action,
    1. rules to manage the period of data retention and to verify the continued relevance and, as a result, the immediate deletion of individuals’ personal data when the legal basis for such action expires.
  6. Safety. The controller ensures an appropriate level of data security, including:
    1. carry out the necessary risk analyses for data processing activities or categories of data processing activities, using the appropriate risk scale as an annex to the Register of Data Processing Activities,
    1. carry out data protection impact assessments where the risk of infringement of persons’ rights and freedoms is high due to their nature or place of storage,
    1. adjust data protection measures to the risks identified,
    1. has internal information security management procedures,
    1. apply procedures to identify, assess and report the identified data breach to the Data Protection Authority – manage incidents.
  7. Processors. The Administrator shall have the principles of verification of the entities processing data on behalf of the Administrator, requirements as to the conditions of processing (for this purpose a personal data processing entrustment agreement shall be concluded with each entity processing personal data entrusted by the Administrator), principles of verification of the performance of entrustment agreements, first of all by applying the requirements of presentation by the processing entities of the security procedures applied by the Administrator as annexes to the data processing entrustment agreements on behalf of the Administrator.
  8. Transfer of data to third countries. The controller shall verify that personal data of natural persons are not transferred to third countries (i.e. outside the European Union, Norway, Liechtenstein and Iceland) or to international organisations and shall ensure the lawfulness of such transfer, if any.
  9. Privacy by design. The administrator manages and controls changes that affect privacy in a way that is appropriate under data protection legislation. To this end, the procedures for launching new projects and investments by the Administrator take into account the need to assess the impact of the change on data protection, risk analysis, ensuring privacy (including the compatibility of processing objectives, data security and minimisation) already at the stage of designing the change, investment or at the beginning of a new project.
  10. Cross-border processing. The controller shall each time verify that there is no cross-border processing of personal data in order to fulfil all legal obligations imposed on the controller in this respect.


4.2.1. Special categories and criminal data

The controller does not identify cases where it processes or may process special categories of data or criminal data and therefore it is not necessary to maintain mechanisms dedicated to ensuring the lawfulness of the processing of these categories of personal data.

Unidentified data

The controller shall identify cases where unidentified data are or may be processed and, where necessary, shall take all necessary steps to facilitate the exercise of the rights of unidentified data subjects.


The controller shall identify cases in which it profiles the data being processed and shall take all measures and efforts to ensure that this process is carried out in accordance with the law and with respect for the rights of the individuals whose data are processed.

4.2.4. Co-administration

The controller shall not identify cases of co-administration of personal data.


  1.  The RCPD is a form of documenting data processing activities, it acts as a map of data processing and is one of the basic elements enabling the implementation of the fundamental principle on which the whole system of personal data protection is based, i.e. the principle of accountability, so that not only the entities controlling data processing can clearly define the way in which the obligations imposed on the data controller are to be performed, but also the controller can identify and respond to internal infringements.
  2. The Administrator shall keep an RCPD in which he shall take stock and supervise the ways in which he uses personal data.
  3. The RCPD is, next to this document, which the Administrator provides to colleagues for educational and informational purposes, one of the basic tools enabling the Administrator to account for the majority of data protection obligations.
  4. In the RCPD, for each data processing activity which the controller considered separate for the purposes of the RCPD, the controller shall record at least:
  5. the name of the activity,
    1. business unit
    1. the purpose of the processing,
    1. categories of people,
    1. categories of data,
    1. the legal basis for the processing,
    1. data source,
    1. the planned date of deletion of data categories,
    1. the name of the co-administrator and his contact details (if applicable),
    1. the name of the processor and its contact details (if applicable)
    1. categories of recipients (if applicable),
    1. the name of the system or software used to process the personal data,
    1. A general description of the technical and organisational security measures in accordance with Article 32(1) of the TTEs,
    1. Transfer to a third country or international organisation (name of country and entity),
    1. If the transfer and the second subparagraph of Article 49(1) TODO, documentation of the relevant safeguards.
  6. The Model RCPD constitutes Appendix 1 to the Policy – “Model of the Register of Data Processing Activities”, the Model RCPD also contains columns not required by law. In the optional columns, the Administrator registers information as necessary and possible, taking into account that a more complete RCPD facilitates data protection compliance management and settlement.  The Administrator shall attach to the register a scale of risks which makes it possible to identify more fully the risks associated with the processing of specific categories of data in order to best adapt protection measures to the categories of data being processed.


  1. The controller shall document in the RCPD the legal basis of data processing for individual processing activities in order to be able to adapt the register to amendments to the legal acts from which the obligations arise.
  2. By indicating in the documents the general legal basis (consent, contract, legal obligation, vital interests, legitimate purpose of the Administrator), the Administrator shall define the basis in a precise manner, where necessary and necessary in view of the category of data and the principle of transparency. In this way, the Administrator shall indicate, for example, the scope of the consent obtained, while at the same time presenting the purpose for which it is obtained, and when the basis is the law – indicating a specific provision and other documents, such as an agreement, administrative agreement, etc. – indicating the categories of events in which they will materialise, the justified purpose – indicating a specific purpose, e.g. direct marketing, defence against claims, as well as the possibility of pursuing them.
  3. The controller shall implement methods of managing consents, enabling the registration and verification of a person’s consent to the processing of his/her specific data for a specific purpose at each stage of data processing, consent to remote communication in accordance with the provisions of the Act of 16 July 2004. Telecommunications Law (Journal of Laws 2004, No. 171, item 1800) and the Act of 18 July 2002 on the provision of electronic services (Journal of Laws 2002, No. 144, item 1204), as well as the registration of refusal of consent, withdrawal of consent and similar actions (objection, request to delete data, etc.).


  1. The controller shall ensure the legibility of the information provided and communication with the persons whose data it processes, so as to ensure that the person has read the information provided and fully understands its content. To this end, the Administrator shall cooperate with external entities (legal advisers) in order to create information obligations with the content that is as transparent as possible and in accordance with the provisions of generally applicable law.
  2. The Administrator makes it easier for persons to exercise their rights by such actions as: placing links to information on the Administrator’s website about persons’ rights, how to use them in the Administrator’s area of activity, as well as methods of contacting the Administrator for this purpose.
  3. The controller shall ensure compliance with the legal deadlines for the performance of obligations towards natural persons whose personal data it processes by using appropriate procedures and forms, by means of which it provides answers to requests and questions addressed to the controller concerning the protection of personal data of natural persons whose data are processed.
  4. The controller shall introduce adequate methods of identifying persons for the purposes of exercising the individual’s rights and information obligations in such a way that unauthorised persons do not gain access to personal data which does not concern them.
  5. In order to exercise the rights of the individual, the Administrator shall provide procedures and mechanisms to identify the data of specific persons processed by the Administrator in order to respond effectively to the requests of individuals, providing them with personal data concerning them as well as giving them the opportunity to exercise such rights as rectification, erasure or transfer (to the extent possible).
  6. The Administrator shall document the handling of information obligations, notices and requests of natural persons in order to maintain transparency of the Administrator’s activities in the area of personal data protection.


  1. The administrator, in consultation with external parties (legal advisers), shall determine the lawful and effective means of carrying out the information duties.
  2. The controller shall inform a person about an extension of more than one month of the period for consideration of that person’s request (Article 12(3) of the TAB) if it is impossible to consider his request before the expiry of that period.
  3. The controller shall inform a person about the processing of his/her data when personal data are collected directly from that person.
  4. The controller shall inform a person about the processing of personal data, also in the case where personal data are obtained indirectly from that person.
  5. The controller shall determine the manner of informing persons about the processing of unidentified data, if possible (e.g. information at the entrance to the building about covering the area with video surveillance).
  6. The controller shall inform the person of the planned change of the purpose of data processing, if such a situation arises.
  7. The controller shall inform the recipients of the data about the rectification, erasure or restriction of the processing of personal data (unless this would require disproportionate effort or would be impossible).
  8. The controller shall inform a person about the right to object, as well as all the rights to which he or she is entitled, derived from Articles 13 or 14 of the GDR, to the processing of his or her personal data, at the latest when he or she first contacts that person.
  9. The controller shall, without undue delay, notify a person of a breach of personal data protection if it is likely to cause a high risk of infringement of that person’s rights or freedoms.


  1. Third party rights. In exercising the rights of data subjects, the controller introduces guarantees for the protection of the rights of third parties with regard to the protection of their personal data. If, for example, the execution of a person’s request for a copy of the data or the right to transfer the data could adversely affect the rights and freedoms of other persons or significantly infringe their legal interests (e.g. rights related to data protection of other persons where the Administrator would have to provide access to documents containing personal data of the person concerned, which also contain personal data of other persons who cannot be anonymised for various reasons, intellectual property rights, trade secrets or personal rights), the Administrator may turn to the person to clarify doubts or refuse to satisfy the request.
  2. Refusal to comply with the request. The administrator, by sending an appropriate form, shall inform the person, within one month from the receipt of the request, about the refusal to consider the request and about the rights of the person related thereto in the event that, for various reasons referred to in this document or resulting directly from generally applicable law (e.g. tax obligations), it is impossible to satisfy the person’s request.
  3. Access to personal data. Upon a person’s request concerning access to his or her data, the controller shall inform the person whether or not he or she is processing his or her data and shall inform the person about the details of the processing, in accordance with Article 15 of the GCRL (the scope of the processing corresponds to the information obligation at the collection of data). The controller allows access to the personal data of a person who requests it, however, only if it does not threaten to violate the personal data of other persons (the lack of possibility to anonymize the personal data not directly related to the person making the request or the risk of commercial secrets being disclosed, etc.). Access to the data may be realized by issuing a copy of the data, with the reservation that each subsequent (after the first one) copy of the personal data is a copy for which the Administrator may charge appropriate fees, justified by the workload related to its obtaining and issuing to the person concerned.
  4. The processing will be stopped. The controller shall inform a person that he or she is not processing data relating to him or her if such person has made a request concerning his or her rights.
  5. Correction of data. The Administrator shall rectify incorrect data at the request of the natural person whose personal data are processed by the Administrator. The Controller shall have the right to refuse to correct the data, unless the person reasonably proves that the data he or she requests to be corrected are incorrect.
  6. Data completion. The administrator completes and updates the data at the request of a person. The controller has the right to refuse to supplement the data if the supplementation would be incompatible with the purposes of data processing due to the fact that the documents informing the individual about the purposes of processing have already been provided to him/her (e.g. the controller shall not process the data which are redundant or redundant according to this document). The controller may rely on the person’s statement concerning the data to be supplemented, unless it is insufficient in the light of the procedures adopted by the controller (e.g. concerning the acquisition of such data), the law, or there are factual circumstances justifying the fear that the statement of the person who makes the request is unreliable.
  7. Copies of data. Upon request, the Administrator shall issue a copy of the data concerning him/her and shall record the fact of issuing the first copy of the data, subject to the situations contained herein, related to the possibility of infringing the personal data of third parties.
  8. Data transfer. At the request of a person, the Administrator shall issue, in a commonly used computer readable format or transfer to another entity, if possible, the data concerning that person which that person has provided to the Administrator, processed on the basis of that person’s consent or for the purpose of concluding or performing an agreement concluded with that person in the Administrator’s IT systems.
  9. Right of appeal when processing personal data. If the Administrator processes data in an automatic manner, including in particular profiling of persons, the Administrator shall at the same time ensure the possibility to appeal to the decision of a colleague or member of the management board authorised to do so by the Administrator, unless such automatic decision
  10. is necessary for the conclusion or performance of the contract between the person making the appeal and the Administrator,
    1. is expressly permitted by law,
    1. is based on the explicit consent of the appellant.
  11. Deletion of data. At the request of a person, the Administrator deletes the data when:
  12. the data are not necessary for the purposes for which they were collected or processed for other lawful purposes or for legally required purposes,
    1. consent to their processing has been withdrawn and the Administrator has no other legal basis for processing,
    1. the natural person whose personal data are being processed has raised an effective objection to the processing of those data,
    1. data were processed illegally,
    1. The need for removal stems from a legal obligation,
    1. the request concerns data of the child collected on the basis of consent in order to provide services offered directly to the child.

The controller shall determine the manner in which the right to erasure shall be exercised, bearing in mind the obligation to ensure the effective exercise of that right. It is primarily about the principle of security, as well as respecting the obligation to verify that there are no exceptions referred to in Article 17(3) of the TYPE.

If the data to be deleted have been made public by the Administrator on the website or for marketing purposes of an event organised by the Administrator or one in which the Administrator actively participates, while assuming that the necessary consents of persons whose personal data are processed in this way have been obtained, the Administrator shall take reasonable actions, including technical measures, to inform other administrators processing these personal data about the need to delete the data and access them.

In case of data deletion, the Administrator shall inform a person about the recipients of the data, at that person’s request.

  1. Restriction of processing. The controller shall restrict the processing of data at the request of a person when:
    1. personal data processed by the Administrator shall be questioned by the natural person to whom the data relate – for the period necessary to verify their accuracy,
    1. the processing is unlawful, but the data subject opposes the deletion of personal data, simply wanting the processing to be limited in view of the purposes indicated by him,
    1. The controller no longer needs personal data, but it is needed by the data subject to establish, pursue or defend claims,
    1. a person has lodged an objection to the processing of his/her personal data – until it is determined whether there are legal grounds for objection on the part of the Administrator that prevail over the grounds for objection (e.g. tax and other regulations).

In the course of limiting the processing, the Administrator shall store the data, but shall not use them or pass them on to third parties or other entities separate from the Administrator and his employees who are entitled to access the data in question. The exception is the explicit consent of the data subject as well as the establishment, investigation or defence of claims.

In the case of a restriction of data processing, the controller shall, at the request of the data subject, inform that person about the recipients of the data.

  1. Objection against the processing of personal data. If a person raises a justified objection to the processing of his or her data and the data are processed by the Administrator based on the Administrator’s legitimate interest or on a task entrusted to the Administrator in the public interest, the Administrator shall take into account the objection. An exception to this is a situation where the Controller has important, legally justified grounds for processing, which due to the whole set of circumstances and generally applicable provisions of law should be considered superior to the interests and rights of the person objecting.
  2. Opposition to direct marketing. If a natural person whose personal data are processed by the Administrator objects to the processing of his/her data by the Administrator for the purposes of direct marketing, the Administrator shall take into account the objection and discontinue such processing, without exceptions justified by the factual situation or legal regulations.


The controller shall ensure that data processing is minimised from the point of view of principles such as

  1. the adequacy of the personal data processed for the purposes for which they are processed,
  2. access to personal data processed by the Administrator,
  3. the duration of personal data storage.

4.8.1 Minimising access to personal data

The controller applies limitations of access to personal data which are of legal nature (obligations of co-workers to confidentiality, authorization of co-workers having access to personal data), physical (access to personal data files only for authorized persons in such a way as to minimize the risk of data leakage, closing the premises) and logistic (assignment of appropriate access passwords to personal data in such a way as to minimize the risk of access to data of unauthorized persons).

The Administrator shall also apply physical access control by preventing customers and persons who have not signed a cooperation agreement with the Administrator and relevant annexes authorizing them to access the data as well as confidentiality declarations.

The administrator shall update the access rights in the event of changes in the composition of the staff and changes in the roles of persons and of processors.

The administrator shall periodically review the established users of the systems and update them at least once a year.

Minimisation of data processing time

The controller implements mechanisms for controlling the processing of personal data at all stages of processing, including verification of further suitability of the data in relation to the dates and checkpoints indicated in the RCPD, as well as in the information obligations provided to persons whose personal data are processed.

Data whose scope of usefulness is limited with time are removed from the Administrator’s IT systems as well as from places where documents containing personal data are stored.
The data referred to above may be archived in justified cases and be placed on backup copies of systems and information processed by the Administrator.

4.8.3 Minimisation of the scope of data processing

During the implementation of the TODO Administrator, the Administrator verified the scope of collected data, the extent to which the data in question are processed as well as the amount of data processed in terms of adequacy to the purposes of processing.

The controller undertakes to periodically review the content, quantity and scope of personal data processed at least once a year.

The controller shall verify changes in the amount and scope of personal data processing in the manner referred to above as part of the procedures for managing the change in question (privacy by design).


The controller shall ensure a degree of security appropriate to the risk of infringement of the rights of natural persons in relation to the nature of the personal data which are processed and the places where the data are stored.

4.9.1 Risk analyses

The controller shall carry out and document the adequacy analyses of personal data security measures. For this purpose:

Data protection impact assessments

The controller shall assess the impact of planned processing operations on the protection of personal data where, according to a risk analysis (annexed to the RCPD), the risk of infringement of individuals’ rights and freedoms is high.

4.9.2 Security measures taken by the Administrator

The controller shall apply the security measures established by risk analyses specific to each category of data processing as well as the adequacy of the security measures taken and data protection impact assessments.

Personal data security measures are part of the Administrator’s information and cyber security measures.

4.9.3 Reporting of infringements

The controller shall apply procedures allowing the identification, assessment and notification of the identified data breach to the Data Protection Authority within 72 hours from the identification of the breach, as well as notification to the person whose personal data processed by the controller has been breached, so that the person concerned can take the necessary steps to protect his/her rights.


The Administrator has rules for selection and verification of entities processing personal data for and on behalf of the Administrator. The principles and procedures in question have been developed to ensure that the processors provide guarantees of implementation of appropriate organisational and technical measures to ensure security, exercise the rights of the individual and other data protection obligations incumbent on the Administrator, in a manner specified by the provisions of the PDPA, adapted at the same time to the specificity of the Administrator so as to protect the processed personal data as effectively as possible.

The controller has adopted appropriate requirements as regards the data processing entrustment agreement, which constitutes Appendix 2 to the Policy – “Model data processing entrustment agreement”.

The controller shall account the processors for the use of subcontractors for the processing of personal data, as well as for other requirements resulting from the principles of personal data entrustment. For this purpose, the controller shall impose on the entities processing personal data the obligations to observe the security rules of the processing subcontractors to the extent referred to in the imposition of exactly the same factual and legal requirements on these entities as on the entities processing personal data on behalf of the controller.


The controller registers in the RCPD cases of data export, i.e. transfer of data outside the European Economic Area (EEA in 2018 = European Union, Iceland, Liechtenstein and Norway).

In order to avoid situations of unauthorised export of data to third countries, in particular in relation to the use of publicly available cloud services, the Administrator shall periodically verify users’ behaviour.


The controller shall actively respond to changes in the processing of personal data which have or may have an impact on privacy in such a way as to make it possible to ensure appropriate security of personal data and to minimise their processing.

For this purpose, the rules of conducting projects and undertakings by the Administrator refer to the principles of personal data security and minimisation, requiring an impact assessment on privacy and data protection. When planning new projects, the Administrator takes into account the security and minimisation of data processing from the beginning of the project.

5. classification of documents

This document is classified as an “Administrator’s internal document” and should not be disclosed outside the company without the formal consent of the Administrator’s management.

5.1 Ownership, updating and review

This Data Protection and Information System Security Policy is owned by the Administrator.  Updating of this document is performed by the Administrator’s management or persons authorized to do so.