1. List of basic abbreviations

Abbreviation - Description
the i.p.a. (Information Privacy Act) - Act of 29 August 1997 on the protection of personal data (Journal of Laws of 2015, item 2135)
regl. MIAA - Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on documentation of personal data processing and technical and organisational conditions to be complied with by IT devices and systems used to process personal data
GIFPDP - General Inspector for Personal Data Protection
PDA - Personal Data Administrator
ISA - Information Security Administrator
ITSA - Information Technology Systems Administrator
ITS - Information Technology System
PDSMS - Personal Data Security Management System
PDSP - Personal Data Security Policy
ITSMM - Information Technology Systems Management Manual



2. List of basic definitions
  1. Personal Data Administrator - it should be understood as a body, organisational unit, entity or person, which decides on the purposes and means of the processing of personal data;
  2. Information Security Administrator - it should be understood as a person appointed by the Personal Data Administrator, supervising compliance with the principles referred to in Article 36a(2) of the i.p.a.;
  3. Information Technology Systems Administrator - it should be understood as a person or an entity appointed by the Personal Data Administrator, responsible for the functioning of information and communication systems and networks and for compliance with the rules and requirements of security of information and communication systems and networks;
  4. Authorized person - it should be understood as a person authorized by the Personal Data Administrator to process personal data. The authorized person may be an employee of the company, a person performing work on the basis of a contract of mandate or other civil-law contract, as well as a person performing volunteering, an apprenticeship or an internship;
  5. Personal data - it should be understood as all information concerning an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, mental, economic, cultural or social identity;
  6. Personal data filing system - it should be understood as any structured set of data of a personal nature which is accessible according to specific criteria, regardless of whether the set is dispersed or functionally divided;
  7. Processing of personal data - it should be understood as any operations performed on personal data, such as collection, recording, storage, processing, modification, sharing and erasure, in particular those performed in information systems;
  8. Information Technology System - it should be understood as a set of cooperating devices, programs, information processing procedures and software tools used for data processing;
  9. Data security in the IT system - it should be understood as the implementation and operation of the applied technical and organisational measures ensuring the protection of personal data against unauthorized processing;
  10. Information security - it should be understood as a set of principles which should be followed when designing and using systems and applications used for information processing, so that access to them is at all times in accordance with the intended design;
  11. Deletion of data - it should be understood as the destruction of personal data or their modification in such a way that the identity of the data subject cannot be determined;
  12. Data subject's consent - it should be understood as a declaration of will whose content is consent to the processing of the personal data of the person making the declaration. Consent may not be presumed or inferred from a declaration of will of different content. Consent may be revoked at any time;
  13. Recipient of data - it should be understood as anyone to whom personal data are made available, with the exception of:
    1. the person to whom the data relate,
    2. a person authorised to process personal data,
    3. the representative referred to in Article 31a of the i.p.a.,
    4. the person referred to in Article 31 of the i.p.a.,
    5. public authorities or local self-government bodies to which data are made available in connection with the ongoing proceedings;
  14. Third country - it should be understood as a country not belonging to the European Economic Area;
  15. Password - it should be understood as a sequence of letters, digits or other characters, known only to the user authorized to work in the IT system;
  16. User ID - it should be understood as a sequence of letters, digits or other characters unambiguously identifying a person authorized to process data in specified areas of the company's IT system;
  17. Confidentiality of data - it should be understood as the property ensuring that data are not made available to unauthorised persons or entities;
  18. Data integrity - it should be understood as the property ensuring that personal data have not been changed or destroyed in an unauthorised way;
  19. Data accountability - it should be understood as the property ensuring that the actions of a person or entity can be unambiguously attributed only to that person or entity;
  20. User of the IT system - it should be understood as a person authorised to process personal data in the IT systems, who has been assigned a unique user ID and password;
  21. Authorisation - it should be understood as the process of correct identification of the user of the IT system to the extent enabling the granting of appropriate rights or privileges in the company's IT system;
  22. Incident - it should be understood as a breach of personal data security in terms of confidentiality, availability or integrity;
  23. Risk - it should be understood as the potential possibility of an incident occurring;
  24. Corrective action - it should be understood as action taken in order to eliminate the cause of an incident or other undesirable situation;
  25. Preventive action - it should be understood as action taken in order to eliminate the cause of a hazard or other potential undesirable situation.


3. Introduction

The Personal Data Security Policy defines the rules of personal data processing and the methods of securing data as a set of rights, principles and recommendations regulating the way they are managed, protected and distributed in the KOTT company Ltd. The Policy contains information regarding the identification of personal data processing processes and the technical and organizational safeguards in place to ensure the protection of the personal data processed. This document is compliant with the binding legal regulations, in particular with the Act of 29 August 1997 on the Protection of Personal Data, as amended, and with the executive acts issued on the basis of it.


4. Objectives of the Personal Data Security Policy

The purpose of the Personal Data Security Policy is to define and to implement the principles of security and protection of personal data processed at KOTT company Ltd, in particular:
  1. ensuring that the legal requirements are complied with;
  2. ensuring confidentiality, integrity and accountability of personal data processed in the Company;
  3. raising the awareness of persons processing personal data;
  4. involvement of persons processing personal data of the company in their protection.


5. Information Security Administrator

  1. The Personal Data Administrator appoints the Information Security Administrator. The appointment is made in writing (a sample of the appointment is attached as Appendix A1 - PDSP to this PDSP).
  2. The Personal Data Administrator may appoint deputies of the Information Security Administrator.
  3. Personal Data Administrator grants a proxy to the Information Security Administrator to grant the right to process personal data.
  4. The task of the Information Security Administrator is to supervise the compliance with the rules and the technical and organizational measures applied to ensure the protection of the personal data processed at KOTT company Ltd.
  5. The Information Security Administrator is entitled to the following rights related to the regulation of personal data security:
    1. Preparation and approval of internal instructions
    2. Authorisation of contracts
  6. The Information Security Administrator is entitled to the following competencies related to the performance of supervisory functions:
    1. Right to create and supervise access rights to software
    2. Right to establish rules on anti-virus and cyber-attack protection
  7. The Personal Data Administrator may entrust the Information Security Administrator with the performance of other duties, which do not violate the proper performance of the tasks specified in points 5-6.


6. Persons authorised to process personal data

  1. The duties of the persons authorized to process personal data include:
    1. getting acquainted with the regulations of the law in the scope of personal data protection and with the regulations of the Personal Data Security Policy and IT Systems Management Instructions;
    2. following the recommendations of the Information Security Administrator;
    3. processing of personal data only to the extent determined individually by the Personal Data Administrator in a written authorization and only for the purpose of performing the imposed official duties;
    4. immediately informing the Information Security Administrator of any irregularities concerning the security of personal data processed at the Company;
    5. the protection of personal data and of the means used to process personal data against unauthorised access, disclosure, modification, destruction or corruption;
    6. using the company's IT systems in a manner consistent with the instructions contained in the operating manuals of the devices comprising the IT systems;
    7. maintaining, without time limit, the confidentiality of personal data and of the ways in which they are protected;
    8. exercising special care in the performance of processing operations of personal data in order to protect the interests of individuals involved.


7. Basic principles of personal data protection

  1. All personal data at the Company should be processed in accordance with applicable legal regulations.
  2. In relation to persons whose personal data are being processed, the information obligation resulting from the regulations of the i.p.a. must be fulfilled.
  3. Personal data collected must be processed for specified and legitimate purposes and not further processed in a way that is incompatible with those purposes.
  4. It should be ensured that personal data are processed in accordance with the principles of substantive accuracy and in accordance with the purposes for which they were collected.
  5. Personal data may be processed at the company no longer than is necessary for the purpose of processing.
  6. Confidentiality, integrity and accountability of personal data processed within the company must be ensured.
  7. Personal data processed may not be disclosed without the consent of the data subjects, unless the data are disclosed to the persons to whom the data relate, to persons authorised to process personal data, to entities to which the data were transferred on the basis of an entrustment agreement, or to state or local government authorities in connection with proceedings.
  8. Processing of personal data in the company may take place both in IT systems and in the traditional form: files, indexes, books, lists and other record-keeping files.
  9. With regard to personal data processed in systems other than IT systems, the existing regulations on professional secrecy, circulation and security of official documents remain in force.
  10. All individuals whose data are processed are entitled to data protection rights concerning them, to control the processing of such data and to update, delete and obtain all information about their rights.


8. Authorisation to process personal data

  1. Only persons who hold an authorization to process personal data issued by the Personal Data Administrator (a sample of the authorization is attached as Appendix A2 - PDSP) and who have submitted an appropriate statement concerning proper implementation of the regulations of the i.p.a. (a sample of the statement is attached as Appendix A3 - PDSP) may be admitted to process personal data and operate IT files containing such data.
  2. Personal Data Administrator keeps records of persons authorized to process personal data (a specimen of such records is attached as Appendix A4 - PDSP).


9. Entrusting the processing of personal data

  1. Personal Data Administrator may commission another entity to process personal data for the purpose of performing a specific task.
  2. If the processing of personal data is outsourced to a third party, the agreement entrusting the processing of personal data specifies first of all the purpose and scope of the processing of personal data.

10. Sharing of personal data

The disclosure of personal data in the company is allowed on the basis of one of the legal grounds specified in the i.p.a. (Articles 23.1 and 27.2) or on the basis of other laws.
The Information Security Administrator keeps records of making personal data available to institutions and persons outside the company (a sample of the records is attached as Appendix A5 - PDSP).


11. Transfer of personal data outside Poland

  1. The Personal Data Administrator may transfer personal data to the following entities:
    1. the countries of the European Economic Area;
    2. other countries (third countries).
  2. Transfers of personal data within the EEA are treated as if the data had been processed in the territory of Poland.
  3. Where personal data are transferred to a third country, one of the following conditions must be met:
    1. the country of destination provides guarantees for the protection of personal data on its territory at least equivalent to those in force in the territory of the Republic of Poland;
    2. the transfer of personal data results from an obligation imposed by law or by a ratified international agreement;
    3. at least one of the requirements of Article 47(3) of the i.p.a. is fulfilled;
    4. the GIFPDP consents to the transfer of the personal data.


12. List of buildings, premises or parts of premises constituting the area in which personal data are processed

The Information Security Administrator is responsible for keeping and storing documentation containing a list of buildings, premises or parts of premises forming the area in which personal data are processed, both in paper and electronic form. For an updated list of the areas where personal data are processed, see Appendix A6 - PDSP.


13. List of personal data filing systems with an indication of the programmes used to process the data

The Information Security Administrator is responsible for keeping and storing documentation containing a list of all personal data filing systems together with an indication of the programs used to process such data. For an updated list of personal data filing systems, see Appendix A7 - PDSP.


14. Structure description of the personal data filing systems

The Information Security Administrator is responsible for keeping and storing documentation containing the description of the structure of the personal data filing systems processed in the company. An up-to-date description of the structure of the personal data filing systems is included in Appendix A8 - PDSP.


15. Description of the way in which data flows between different systems

The Information Security Administrator is responsible for keeping and storing documentation containing the description of data flow between particular systems. For an up-to-date description of the data flow, see Appendix A9 - PDSP.


16. Definition of the technical and organisational measures necessary to ensure confidentiality, integrity and accountability of the data processed

The Information Security Administrator is responsible for keeping and storing documentation containing specific technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data. An up-to-date description of the technical and organizational measures applied is included in Appendix A10 - PDSP.


17. Penal and enforcement regulations

Penal and enforcement regulations are regulated by:
  1. Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2015, item 2135) - Articles 49-54;
  2. Act of 6 June 1997 on the Penal Code (Journal of Laws of 1997, No. 88, item 553, as amended) - Article 266;
  3. Act of 26 June 1974 on the Labour Code (Journal of Laws of 1998, No. 21, item 94, as amended) - Article 52 and Article 108.


18. Final provisions

In matters not regulated in this Personal Data Security Policy, the regulations of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2015, item 2135) and the executive regulations to this Act are applicable.


19. Appendixes

A1 - PDSP - Appointment to the position of Information Security Administrator;
A2 - PDSP - Authorization to process personal data;
A3 - PDSP - Statement concerning the proper implementation of the regulations of the i.p.a.;
A4 - PDSP - Register of persons authorized to process personal data;
A5 - PDSP - Register of personal data sharing;
A6 - PDSP - List of buildings, rooms or parts of rooms forming the area in which personal data are processed;
A7 - PDSP - List of personal data filing systems with indication of programs used to process these data;
A8 - PDSP - Description of the structure of personal data filing systems;
A9 - PDSP - Description of data flow between particular systems;
A10 - PDSP - Description of technical and organizational measures applied;
A11 - PDSP - Recording of incidents and events.