Privacy Policy

Ciacek Piotr STIBITZ

  1. Definitions
  1. Administrator - Ciacek Piotr, STIBITZ (hereinafter STIBITZ).
  2. Personal data - information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact data, location data, information contained in correspondence, information collected through recording equipment or other similar technology.
  3. Data Protection Officer (DPO) - a person appointed by the Administrator who oversees compliance with the regulations on the protection of Personal Data in the Administrator's organisation and performs the tasks specified in Article 39 of the RODO; at STIBITZ this role is performed by the Administrator, based on an analysis of whether a DPO must be appointed.
  4. Supervisory Authority - The President of the Office for Personal Data Protection or, alternatively, the competent supervisory authority for Personal Data designated by another European Union member state.
  5. Data Subject - the natural person to whom the Personal Data processed by the Controller relates.
  6. Policy - this Personal Data Protection Policy.
  7. Employee - an individual employed by the Administrator under a contract of employment.
  8. RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
  9. Associate - a natural person providing services to the Administrator on the basis of a civil law contract (e.g. contract of mandate, contract for specific work).

  2. General principles
  1. This Policy is the primary document governing the Administrator's processing of Personal Data.
  2. The implementation of the Policy is intended to ensure that the Administrator's processing of Personal Data complies with the RODO, regardless of the form (electronic or paper) in which such processing takes place.
  3. In connection with its activities, the Administrator collects and processes Personal Data in accordance with the relevant legislation, including in particular the RODO, and the processing rules provided for therein, i.e.:
  1. The Administrator shall ensure that its processing of Personal Data is lawful and based on one of the grounds for processing set out in the RODO, i.e. either Article 6(1), Article 9(2) or Article 10 (lawfulness principle);
  2. The Administrator shall ensure that the processing of Personal Data is fair and transparent, and in particular shall always inform the public of the processing of Personal Data at the time of collection, including the purpose and legal basis of the processing (principle of fairness and transparency);
  3. The Administrator shall ensure that Personal Data is collected for specific, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes (purpose limitation principle);
  4. The Administrator shall ensure that it processes data only to the extent necessary to fulfil the purpose for which the Personal Data was collected (principle of minimisation);
  5. The Administrator shall ensure that the Personal Data it processes is accurate and, where necessary, kept up to date, and shall take all reasonable steps to ensure that Personal Data which is inaccurate in the light of the purposes for which it is processed is deleted or rectified without delay (principle of accuracy);
  6. The Administrator shall ensure that Personal Data is only processed for as long as is necessary for the purposes of the processing (time-limitation principle);
  7. The Administrator shall ensure the security of Personal Data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by implementing appropriate technical or organisational measures (principle of integrity and confidentiality).
  4. The Administrator shall, through appropriate technical and organisational measures, ensure that it is possible to demonstrate compliance of the processing of Personal Data with the RODO and other regulations concerning Personal Data (accountability).
  5. The Administrator shall ensure that all Employees and Associates of the Administrator comply with the Policy.

  3. Organisation of the personal data protection system
  1. Prior to granting access to the processing of Personal Data, the Administrator shall familiarise each Employee, Associate or other persons processing Personal Data under their authority with the Policy, including the procedures and rules relating to the protection of Personal Data in force in the Administrator's organisation.
  2. Processing of Personal Data by Employees and Associates may only take place on the basis of a documented authorisation from the Administrator. In addition, the Administrator shall require authorised persons to maintain the confidentiality of Personal Data and information concerning the security of Personal Data, and to comply with the Policy, including procedures and rules concerning the protection of Personal Data in force in the Administrator's organisation.
  3. The Administrator itself is responsible for the area of Personal Data protection.
  4. Where necessary, the Administrator uses specialist outsourcing to perform tasks in the area of Personal Data protection.
  5. Employees and Associates processing Personal Data are obliged in particular to:
  1. process Personal Data in accordance with their authorisation and with due diligence;
  2. in the event of observing an incident that may constitute a breach of the protection of Personal Data, report it immediately to their immediate superior in accordance with the principles described in a separate procedure;
  3. participate in organised training on the protection of Personal Data;
  4. maintain the confidentiality of the Personal Data and of information on how it is secured, in accordance with the signed confidentiality clause.

  4. Security of Personal Data
  1. The Administrator shall implement appropriate technical and organisational measures to ensure a degree of security appropriate to the risk of violation of the rights or freedoms of natural persons of varying probability and seriousness. In doing so, the Administrator shall take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing.
  2. In assessing whether the degree of security is adequate, the Administrator shall take into account in particular the risks involved in the processing, in particular those arising from the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or unauthorised access to the Personal Data transmitted, stored or otherwise processed.
  3. In order to ensure the integrity and confidentiality of the Personal Data, the Administrator shall ensure that only authorised persons have access to the Personal Data and only to the extent that this is necessary due to the tasks they perform. The Administrator shall apply organisational and technical solutions to ensure that all operations on Personal Data are recorded and performed only by authorised persons.
  4. The Administrator shall carry out on an ongoing basis an analysis of the risks involved in the processing of Personal Data and monitor the adequacy of the safeguards applied to Personal Data to the risks identified. If necessary, the Administrator implements additional measures to enhance the security of Personal Data.
  5. Where the type of processing - in particular using new technologies - is, by its nature, scope, context and purposes, likely to result in a high risk of interference with the rights or freedoms of natural persons, the Administrator shall carry out an assessment of the effects of the intended processing operations on the protection of Personal Data prior to the start of processing. Where the impact assessment indicates that the processing would result in a high risk if the Administrator did not take measures to minimise that risk, the Administrator shall consult the Supervisory Authority prior to commencing the processing.
  6. If the purposes for which the Administrator processes Personal Data do not require the Administrator to identify the Data Subject, the Administrator is not required to retain, obtain or process additional information in order to identify the Data Subject solely to comply with the requirements of the RODO.

  5. Data protection violations
  1. The Administrator shall ensure that Personal Data breaches are notified to the Supervisory Authority, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of individuals. To this end, the Administrator shall in particular oblige all persons processing Personal Data to promptly report any perceived breach of Personal Data protection.
  2. The Administrator shall ensure that it notifies Data Subjects of a Personal Data breach without undue delay if the breach is likely to result in a high risk of infringement of their rights or freedoms.
  3. In any event, the Administrator shall investigate the breach and implement appropriate organisational and technical corrective measures.
  4. The Administrator shall document any breach of protection of Personal Data, including the circumstances of the breach of protection of Personal Data, its consequences and the remedial action taken.

  6. Exercise of Data Subjects' Rights
  1. The Administrator shall ensure that it gives effect to the Data Subjects' rights in accordance with the principles set out in the RODO, including:
  1. Right to information about data processing - the Administrator shall provide the person making the request with information about the processing of Personal Data, including, in particular, the purposes and legal basis of the processing, the scope of the Personal Data held, the entities to which they are disclosed, and the planned date of deletion of the Personal Data;
  2. Right to obtain a copy of the data - the Administrator shall provide the person making the request with a copy of the Personal Data concerning him/her;
  3. Right to rectification - the Administrator shall, upon request, rectify any inconsistencies or errors in the Personal Data processed and complete them if they are incomplete;
  4. Right to erasure - upon request, the Administrator shall erase or anonymise Personal Data whose processing is no longer necessary for any of the purposes for which it was collected;
  5. Right to restrict processing - the Administrator shall, upon request, cease performing operations on the Personal Data, other than operations to which the Data Subject has given his/her consent and storage of the data, in accordance with the retention rules adopted or until the reasons for restricting the processing of the Personal Data cease to exist (e.g. a decision of the Supervisory Authority authorising further processing is issued);
  6. Right to data portability - to the extent that Personal Data is processed by automated means in connection with a contract or consent given, the Administrator shall, upon request, provide the Personal Data supplied by the Data Subject in a machine-readable format;
  7. Right to object to processing for marketing purposes - the Data Subject may object at any time to the processing of Personal Data for marketing purposes, without having to justify such objection;
  8. Right to object to other purposes of processing - the Data Subject may object at any time, on grounds relating to his/her particular situation, to the processing of Personal Data that is carried out on the basis of a legitimate interest of the Administrator;
  9. Right to withdraw consent - where Personal Data is processed on the basis of consent given, the Data Subject has the right to withdraw it at any time; this does not, however, affect the lawfulness of the processing carried out before the withdrawal.

  7. Contacts with the Data Subject
  1. The Administrator shall implement appropriate measures so that communication with the Data Subject is made in a concise, clear and easily accessible form, in clear and simple language.
  2. The Administrator shall provide information to Data Subjects in writing or by other means, including electronically where appropriate. If requested by the Data Subject, the Administrator shall provide the information orally, provided that the Data Subject's identity can be confirmed by other means.
  3. The Administrator shall facilitate Data Subjects' exercise of their rights under the RODO, including the rights provided for in Articles 15-22 of the RODO.
  4. The Administrator shall, without undue delay, provide Data Subjects with information on the actions taken in connection with a request made pursuant to Articles 15-22 of the RODO.

  8. Sharing and entrusting Personal Data
  1. The Administrator shall share Personal Data with another data controller only if one of the conditions referred to in Article 6(1) or Article 9(2) of the RODO is met.
  2. The Administrator's entrustment of the processing of Personal Data is based on a data processing entrustment agreement or other legal instrument referred to in Article 28 of the RODO.
  3. The Administrator entrusts the processing of Personal Data after prior verification that the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protects the rights of Data Subjects. In addition, the Administrator shall take all necessary measures to ensure that also its subcontractors and other cooperating entities provide guarantees of the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.

  9. Transfer of Personal Data to a Third Country
  1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data to a third country only when necessary and with an adequate level of protection, primarily by:
  1. Cooperation with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the determination of ensuring an adequate level of protection of Personal Data;
  2. Use of standard contractual clauses issued by the European Commission;

  10. Ensuring continuity of compliance
  1. The Administrator shall ensure that the organization's operations are continuously maintained in compliance with the requirements for the protection of Personal Data provided for in the RODO, including reviewing and optimizing the records and procedures implemented in the organization.
  2. To this end, the Administrator, among other things, monitors changes in the law, guidelines of national and international data protection authorities and case law of courts and tribunals, and takes into account best market practices.

  11. Attachments
  1. The Administrator shall maintain and apply the following records and procedures for the protection of Personal Data, which are an integral part of the Policy:

11.1.1. Register of Processing Activities;
11.1.2. Register of Categories of Processing Activities;
11.1.3. Records of persons authorised to process personal data;
11.1.4. Authorisation to process personal data - template;
11.1.5. Procedure for conducting risk analysis and impact assessment;
11.1.6. Risk analysis sheet - template;
11.1.7. Data protection impact assessment;
11.1.8. Instructions for proceeding in the event of a personal data protection breach;
11.1.9. Register of data protection breaches;
11.1.10. Procedure for handling data subject requests;
11.1.11. Register of data subject requests;
11.1.12. Template response to a data subject's enquiry;
11.1.13. Personal data retention procedure;
11.1.14. Procedure for cooperation with the supervisory authority;
11.1.15. Procedure for selecting a supplier that processes personal data;
11.1.16. Register of Processors;
11.1.17. Questionnaire for evaluating fulfilment of personal data protection requirements under the RODO;
11.1.18. Contract for entrustment of personal data processing.

  12. Final provisions
  1. The Policy takes effect on 20.09.2024.