General information clause

In accordance with art. 13 of the General Data Protection Regulation of April 27, 2016. (Journal of Laws EU L 119 of 05/04/2016) I inform that:

1) The administrator of your personal data is PICK A VOICE Marcin Gontarz with its registered office in Warsaw (02-555), at al. Niepodległości 161/18,

2) contact with the Data Protection Officer at PICK A VOICE Marcin Gontarz is possible at the email address: info@pickavoice.com,

3) Your personal data will be processed for the purpose of conclusion, implementation and settlement of the contract – pursuant to art. 6 clause 1 lit. b GDPR,

4) the recipients of your personal data will be entities providing the service of the Administrator’s IT systems and software, external entities providing services to the Administrator, and entities authorized to obtain personal data on the basis of legal provisions (including public administration bodies),

5) Your personal data will be stored for a period of 5 years,

6) you have the right to access your personal data and the right to rectify, delete, limit processing, the right to transfer data, the right to object, in the cases specified in the provisions of the GDPR,

7) you have the right to lodge a complaint to the President of the Office for Personal Data Protection, if you feel that the processing of your personal data violates the provisions of the GDPR.

8) providing personal data is a condition for concluding the contract, failure to do so may result in the contract not being concluded

Regulations for the protection of personal data at PICK A VOICE Marcin Gontarz with its registered office in Warsaw (02-555) at Al. Niepodległości 161/18; NIP 9522025943

1 BASIC RULES FOR THE PROTECTION OF PERSONAL DATA

1 BASIC RULES FOR THE PROTECTION OF PERSONAL DATA

1. Persons processing personal data shall be familiar with these Regulations before allowing them to process personal data.

2. Persons familiar with the content of the Personal Data Protection Regulations are required to sign a Confidentiality Statement.

3. Each of the persons allowed to process personal data is obliged to:

processing personal data only to the extent and purpose specified by the data administrator,

keep confidential personal data to which he has access in connection with the tasks performed, relevant to the position held,

keeping secret the methods of securing personal data in the entity,

protection of personal data against accidental or unlawful destruction, loss, modification of personal data, unauthorized disclosure, access to personal data and processing.

4. It is prohibited to transfer or disclose data to persons or institutions that do not have a legal basis entitling them to access such data.

5. It is forbidden to transfer personal data directly to the unauthorized persons or persons whose identity cannot be identified.

2 USE OF ELECTRONIC EQUIPMENT

1. Users work on their own accounts assigned to them by the IT system administrator. It is forbidden to allow other people to use the account of another user.

2. Each user processing personal data using electronic equipment (e.g. on a computer, on a network drive, in a program or application, in electronic mail) has their own individual identifier (login) for logging in.

3. Users may not change their privileges on their own.

4. All persons processing personal data using electronic equipment (e.g. desktop computers, laptops, monitors, printers, scanners, photocopying devices, work tablets and telephones) are obliged to protect it against any destruction or damage.

5. It is forbidden to arbitrarily open (disassemble) IT equipment, install additional devices (e.g. hard drives, memory) or connect any devices not allowed by the IT system administrator to the IT system.

6. In the event of loss, loss or destruction of equipment, the user is required to immediately report such an event to the data administrator (or appointed data protection officer).

7. Users of the equipment working with personal data must ensure that unauthorized persons are not able to view the data displayed on the computers used.

8. In case of temporary leaving the workplace, the user is obliged to activate a password-blocked screen saver or log out of the system or the program.

9. After finishing work, the user is obliged to log out of the IT system, then turn off the computer equipment and secure the workplace, in accordance with the Clean Desk Policy.

10. Use an antivirus program. It is forbidden to disable the antivirus system while the IT system is processing personal data.

3 PASSWORD POLICY

1. Passwords should be at least 5 characters long and contain uppercase letters + lowercase letters + numbers (or special characters).

2. Passwords should have an appropriate level of complexity. Therefore, they cannot be easily guessed words.

3. It is forbidden to share your passwords to unauthorized persons. If you disclose your password – you must change it immediately.

4. They must not be saved anywhere or sticked, for example, on a computer monitor, under a keyboard or in a drawer.

5. Passwords must be changed every 30 days.

4 RULES OF HANDLING WITH PAPER DOCUMENTATION CONTAINING PERSONAL DATA

1. Persons working with personal data are obliged to use the so-called Clean desk policy. According to its principles, documents containing personal data should be secured against theft or access by unauthorized persons both during and after business hours.

2. Persons processing personal data are obliged to destroy unnecessary documentation and its printouts containing personal data in shredders.

3. It is forbidden to leave documents with personal data outside secure rooms.

4. It is forbidden to throw undamaged documents in the trash or to leave them outside, outside the unit.

5 REMOVING MEDIA WITH DATA OUTSIDE THE COMPANY

1. Users may not take removable electronic information media outside the organization (e.g. hard drives, pen drives, Flash memory, discs) with personal data stored without the consent of the data administrator or data protection officer.

2. If the documents are transported by an employee, he shall be responsible for securing the documents carried against loss and theft.

3. Personal data in paper form must be securely transported, eg in bags, backpacks, briefcases. If possible, use proven courier companies.

4. In the event that data on such media is transferred outside the company should be properly encrypted.

6 REGULATIONS REGARDING THE USE OF THE INTERNET

1. Employees are required to use the Internet only for business purposes.

2. It is forbidden to run any illegal programs or files downloaded from unknown sources. In this case, the user is liable for damages caused by software installed from the internet.

3. The unit has restrictions on access to websites, therefore it is forbidden to access pornographic, criminal, hacker or other websites prohibited by law.

4. Do not turn on the option of auto-complete forms and remember passwords in your browser options.

7 USING ELECTRONIC E-MAIL

1. Business email should be used only for the performance of official duties.

2. Do not send official correspondence to private mailboxes of employees or other persons.

3. In the case of sending documentation containing personal data via e-mail, it should be secured with passwords.

4. Pay special attention to the correctness of the recipient’s address.

5. Before opening attachments (files) in emails, always verify the sender first.

6. Do not “click” on hyperlinks in emails, as they may be hyperlinks to infected or dangerous websites.

7. When sending e-mail to many recipients at the same time, use the “Hidden for Message – Bcc” method.

8. Periodically delete unnecessary emails.

9. Users may not send messages containing personal data about the company, its employees, customers, suppliers or contractors via a private electronic mailbox without the consent of the data controller or data protection officer.

8 DISCIPLINARY LIABILITY

Cases of deliberate violation of the provisions of the Regulations for the protection of personal data or unjustified omission of obligations may be considered by the data controller as a serious violation of employee obligations and as a violation of the criminal provisions contained in the GDPR.

Personal data protection policy at PICK A VOICE Marcin Gontarz with its registered office in Warsaw (02-555) at al. Niepodległości 161/18; NIP 9522025943

The purpose of the Personal Data Protection Policy, hereinafter referred to as the Policy, is to introduce and maintain the provisions of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 and the Act on the Protection of Personal Data (Journal of Laws of 2018, item 1000). ) proper protection of personal data in connection with the processing of personal data at PICK A VOICE Marcin Gontarz with its registered office in Warsaw (02-555) at al. Niepodległości 161/18, entered into CEIDG under the NIP number 9522025943.

This Policy applies to both personal data processed in the traditional way in books, files, lists and other records, as well as in IT systems. Applies to existing and future personal data files processed. The procedures and principles set out in this document apply to all persons authorized to process personal data, both employed and others, e.g. volunteers, apprentices, interns.

The personal data processing area at PICK A VOICE Marcin Gontarz includes buildings and / or premises located in Warsaw (02-555) at al. Independence 161/18.

The terms used in the Personal Data Protection Policy mean:

1. personal data administrator (ADO) – PICK A VOICE Marcin Gontarz

2. IT systems administrator (ASI) – a person obliged to manage IT systems used to process personal data,

3. personal data – any information regarding an identified or identifiable natural person,

4.processing of personal data – collecting, recording, storing, developing, modifying, sharing and deleting personal data, especially in IT systems,

5. user – a person authorized to process personal data,

6. IT system – a system (devices, tools, programs) in which personal data are processed,

7. IT system security – it ought to be understood as the implementation of administrative and technical measures used as well as protection against modification, destruction, unauthorized access and disclosure or acquisition of personal data as well as their loss,

8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC,

9. Personal Data Protection Act – the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000).

1. Rules for the processing of personal data

1.1.

The data administrator processes personal data:

in accordance with the law, fairly and transparently to the data subject (“legal compliance, reliability and transparency”),

collects them for specific, explicit and legitimate purposes and does not further process them in a manner incompatible with those purposes (“purpose limitation”),

adequate, appropriate and limited to what is necessary for the purposes for which they are processed (“data minimization”),

correctly and if necessary updates the collected data (“correctness”),

stores them in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data are processed (“storage restriction”),

in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures (“integrity and confidentiality”).

1.2.

In order to implement these principles, the data controller processes data legally, based on the conditions described in art. 6 GDPR. It collects personal data adequately for the purposes of processing and processes it for a specified period of time. In relation to the persons whose data it processes, it fulfills the information obligations specified in art. 13 GDPR or in art. 14 GDPR (when information is collected in a different way than from the data subject) and indicates their rights such as the right to:

access to data,

rectification of data,

deleting data (the right to be forgotten),

transfer,

object to processing,

processing restrictions,

lodging a complaint to the supervisory body, objecting to being profiled.

The data administrator ensures data protection in the case of using the services of external entities in the form of concluding relevant entrustment agreements and using the services of processing entities carrying outbundles resulting from the GDPR. In the event of a technical or physical incident, the data controller shall ensure the ability to quickly restore access to and access to personal data.

1.3.

Confirmation of compliance with the information obligations by the data controller are information clauses provided to persons whose data are processed. For employees

they are presented with clauses to sign and placed in the contract concluded with the employee.

In the case of clients and contractors, they are provided to them at the time the contract is concluded, they are

również wywieszane w widocznym miejscu na stronie internetowej www.pickavoice.com oraz w siedzibie firmy przy al. Niepodległości 161/18, 02-555 Warszawa.

2. Authorizations to process data

The data administrator provides access to personal data at PICK A VOICE Marcin Gontarz, al. Niepodległości 161/18; 02-555 Warsaw was only available to persons with an authorization issued by ADO. The authorizations define what operations the users are entitled to, i.e. creating, deleting, viewing, transferring data, in which systems and for how long. The data administrator keeps a record of authorized persons. Authorizations to process personal data may be granted at the request of the immediate superior of the system user.

3. Risk analysis

The data administrator conducts a risk analysis in order to secure personal data adequately to the identified threats. The analysis is conducted in the event of a threat and cyclically once a year. Data analysis is carried out separately for each data set or for several files with a similar data range. Where necessary, an impact assessment shall be carried out for the risk assessment pursuant to Article 35 GDPR.

4. Security list

Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, and the risk of violation of the rights or freedoms of natural persons with different probability of occurrence and severity of the threat, the administrator and the processor shall implement appropriate technical and organizational measures to ensure a level of security corresponding to this risk.

5. Register of processing activities

The data administrator keeps a record of processing activities. The register shall include:

a) the administrator’s name and contact details,

b) the purposes of processing,

c) description of the categories of data subjects and categories of personal data,

d) categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations,

e) where applicable, information on the transfer of personal data to a third country or international organization, including the name of that third country or international organization and, in the case of transfers referred to

in art. 49 paragraph 1 second paragraph of the GDPR, documentation of appropriate safeguards,

f) if possible, the planned dates for deleting individual categories of data,

g) if possible, a general description of the technical and organizational security measures referred to in Article 32 section 1 GDPR.

6. Appointment of the data protection officer

The Personal Data Administrator may / must appoint a data protection officer.

If a data protection officer is appointed, his tasks include:

informing the administrator, the processing entity and employees who process personal data about the obligations incumbent on them under the provisions of the GDPR and the Personal Data Protection Act,

monitoring compliance with the provisions of the GDPR and the Act on the protection of personal data and the Data Protection Policy in force in the unit, including the division of duties, awareness-raising activities, training of personnel involved in processing operations and related audits, providing on demand recommendations for data protection impact assessment and monitoring its implementation in accordance with art. 35 GDPR,

cooperation with the supervisory body, i.e. the President of the Office for Personal Data Protection,

performing the function of a contact point for the supervisory authority on matters related to processing, including prior consultation, and, where appropriate, consulting on all other matters.

If a data protection officer is appointed, his appointment should be notified to the President of the Office for Personal Data Protection within 14 days from the date of appointment, indicating the name, surname, e-mail address or telephone number of the inspector.

7. Procedure for dealing with incidents

The data administrator introduces the procedure for dealing with incidents of personal data breach. The purpose of this procedure is to fulfill the obligation under Article 33 GDPR. The procedure specifies how to define incidents that threaten the security of personal data and how to respond to them, as well as the procedure for implementing corrective actions. Any person authorized to process personal data is required to inform about the possibility of an incident or its occurrence. Such information should be provided to the immediate supervisor or the data protection officer.

Notifications require:

improper protection of electronic equipment and software against leakage, theft and loss of personal data, providing passwords to unauthorized persons,

inadequate physical security of rooms, equipment and documents,

non-compliance with personal data protection rules by employees (e.g. non-compliance with the clean desk / screen principle, password protection, not closing rooms, cabinets, desks, sticking cards with passwords in drawers),

marks on doors, windows and wardrobes indicating a burglary attempt,

documentation containing personal data destroyed without the use of a shredder,

open doors to rooms, wardrobes where personal data is stored,

presence of bystanders in the unit,

wrong monitor settings allowing unauthorized persons to see personal data,

taking out personal data in paper and electronic form outside the unit without the authorization of the data administrator,

server, computer, hard disk and software failures,

disclosure of personal data to unauthorized persons,

telephone phishing attempts,

theft, loss of computers or CDs, hard drives, pen-drives with personal data,

emails urging you to reveal your ID or password,

infection of computers with a virus or other erroneous computer behavior,

random events (facility fire, flooding, power loss, loss of communication),

hacking into the IT system or rooms,

data / equipment theft,

deliberate destruction of documents.

You must also notify the IT systems administrator. In addition, you should succeedto document the occurrence of the incident, its effects and corrective and remedial actions taken. In the event that the incident results in a violation of the rights or freedoms of natural persons, the data controller shall report them within 72 hours to the President of the Office for Personal Data Protection and, if there is such a requirement, shall inform the persons concerned about the incident.

8. Regulations for the protection of personal data and internal training

The data controller enters PICK A VOICE Marcin Gontarz, al. Niepodległości 161/18; 02-555 Warsaw; Regulations on the protection of personal data in order to provide persons processing personal data with a full range of knowledge about the principles of personal data processing in the unit and the related obligations. Persons familiar with the Regulations are obliged to confirm that they have read this document and declare compliance with its rules. Before employment, each person should read the Regulations. The data controller also provides training for employees in the application of the provisions on the protection of personal data, and the presence of employees must be confirmed in writing.

9. Tasks of the IT system administrator

The IT system administrator carries out tasks in the field of management and ongoing supervision over the IT system of the data administrator. Therefore:

manages the IT system in which personal data is processed, using the password to access all workstations and the server from the administrator’s position,

prevents unauthorized access to the IT system in which personal data is processed,

assigns each user an ID and password to the IT system and makes possible modifications to permissions, as well as deletes user accounts in accordance with the principles set out in the IT system management instructions used for processing personal data,

carries out user on-the-job training in the use of computer hardware and network resources, acquainted with the documents in force in this respect

supervises the operation of user authentication mechanisms and access control to personal data,

if a breach of information system security is found, it informs the data controller / data protection officer about the breach and cooperates with him in removing the effects of the breach,

keeps detailed documentation of breaches of security of personal data processed in the IT system,

supervises repairs, maintenance and decommissioning of computer devices on which personal data is stored, backups, storage and periodic checking for their further suitability for data recovery in the event of an IT system failure,

undertakes actions to ensure the reliability of power supply for computers and other devices affecting the security of data processing and to ensure secure data exchange in the internal network and secure teletransmission.

10. Contracts for entrusting the processing of personal data

10.1.

When ordering the processing of personal data to external entities, the data controller is obliged to conclude a entrustment agreement. The unit maintains a register of contracts entrusting the processing of personal data.

10.2.

The agreement sets out the categories of data subjects, obligations and rights of the administrator. In addition, it obliges the processor to:

a) processing personal data only on documented instructions of the administrator – which also applies to the transfer of personal data to a third country or international organization,

b) ensuring that persons authorized to process personal data commit themselves to secrecy or are subject to the appropriate statutory obligation of confidentiality,

c) take any measures required pursuant to Article 32 GDPR,

d) compliance with the conditions of using the services of another processing entity,

e) helping the administrator through appropriate technical and organizational measures to comply with the obligation to respond to the requests of the data subject in the exercise of his rights set out in Chapter III of the GDPR,

f) helping the administrator to meet the obligations set out in Article 32-36 GDPR,

g) deleting or returning personal data to the administrator and deleting any existing copies, unless Union or Member State law requires personal data to be stored,

h) providing the administrator with all information necessary to demonstrate compliance with the obligations set out in the provisions of the GDPR and enabling the administrator or auditor authorized by the administrator to carry out audits, including inspections, and contributes to them.

11. Control activities

Marcin Gontarz supervises and controls the protection of personal data

Control activities are carried out once a year

A control report is drawn up in which a detailed description of the scope of the check and performed activities, as well as recommendations and corrective actions are made. The report is signed by persons performing control activities.

12. Responsibility of persons authorized to process data

Failure to comply with the Data Protection Policy pursued by the data controller, the assumptions of which are set out in this document, and violation of data protection procedures by employees authorized to process personal data may be treated as a serious violation of employee obligations.

Any questions?

phone:

+48 792 202 703

email:

info@pickavoice.com

phone:

+48 792 202 703

email:

info@pickavoice.com