1. The Controller formulated particular objectives in the scope of personal data security and undertook actions necessary for their occurrence in the company run by him:
- ensuring that personal data are processed lawfully, fairly and transparently for the Data Subject (‘lawfulness, fairness and transparency’);
- to ensure the collection of personal data for specified, explicit and legitimate purposes and not to further process such data in a way incompatible with those purposes; (‘purpose limitation’);
- ensuring that personal data are collected adequately, appropriately and limited to what is necessary for the purposes for which they are processed (‘data minimization’);
- The Controller shall take steps to ensure that personal data are correct and, where necessary, kept up to date, and that any reasonable steps are taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are immediately erased or rectified (‘correctness’);
- The Controller shall take steps to ensure that personal data are kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed (“retention restriction”);
- The Controller shall take actions to ensure that personal data are processed in a manner ensuring their appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures (“integrity and confidentiality”).
2. The objectives set out in paragraph 1 shall be attained by taking appropriate measures and by applying effective safeguards, which shall include in particular:
- adequate security of the IT systems in which personal data are processed,
- constantly raising the awareness and knowledge of employees/coworkers in the field of personal data security,
- communicating the consequences, including disciplinary consequences, to employees/coworkers in the event of a personal data breach,
- granting access to documents, materials or systems containing personal data only to authorized persons,
- Securing documents, materials or systems form loss or destruction of personal data stored within.
- implementation of detailed rules defining the method of user rights management and authentication rules in all systems operated by the Controller,
- carrying out in-depth tests in the process of preparing new software,
- reporting of information security incidents,
- regular risk analysis in the area of information security and designing actions to minimize potential risks,
3. Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of the processing as well as the risk of infringement of the rights or freedoms of natural persons with different probabilities of occurrence and the gravity of the risk resulting from the processing, the Controller has implemented – both at the time of determining the means of processing and during the processing itself – appropriate technical and organizational measures designed to effectively implement data protection principles in order to comply with the requirements of generally applicable legal provisions and to protect the rights of the Data Subjects.