Consent for processing personal data No. 2 – registration form for classes


PLEASE FAMILIARIZE YOURSELF WITH THE FULL CONTENT OF THE CONSENT EXPRESSED:

ANNA PRZYBYLSKA
KOALA FAMILY MATERNITY CENTER
SECURITY POLICY – PERSONAL DATA MANAGEMENT POLICY
General provisions
§1
The Security Policy – also hereinafter referred to as the PB – has been issued and implemented at the Koala Family Maternity Center (hereinafter Koala) based on the content and in order to implement the provisions of the following legal acts:
a) the Act of August 29, 1997 on the protection of personal data (Journal of Laws No. 2002.101.926, as amended) – also hereinafter referred to as the Act,
b) the Regulation of the Minister of Internal Affairs and Administration of April 29, 2004 (Journal of Laws 2004.100.1024) on the documentation of the processing of personal data and the technical and organizational conditions to be met by devices and IT systems used for the processing of personal data – hereinafter also referred to as the DB regulation.
§2
1. The Security Policy is a public document that does not contain technical details of the security and processing of personal data.
2. Technical details referred to in section 1 are regulated in the IT System Management Instruction.
§3
1. PB defines the rules of conduct for the processing of personal data:
a) employees, contractors, persons entrusted with the performance of work, for whom Koala is the Personal Data Administrator (hereinafter referred to as PDA),
b) Koala’s customers, before, during and after the provision of services for which Koala is PDA.
§4
1. Koala complies with the provisions of the Security Policy and obliges its employees and persons employed under civil law contracts to comply with it.
2. Violation by Koala’s employees or persons cooperating with it under civil law contracts of the provisions contained in the PB or in the IT System Management Instruction will be treated by Koala as a serious breach of basic contractual obligations.
§5
Koala processes personal data in a way that ensures:
a) confidentiality – which means that the data is not made available to unauthorized entities,
b) integrity – which means that the data will not be changed or destroyed in an unauthorized manner,
c) accountability – which means that data security will have a feature that ensures that the actions of a given entity in relation to data will always be clearly attributed only to that entity.
§6
1. IT systems in which personal data are processed, for which Koala is the Administrator, are connected to a public network within the meaning of telecommunications law.
2. In order to properly secure personal data, Koala implements a high level of security for the processing of personal data in the IT systems it uses, within the meaning of the regulation.
3. Koala requires the hosting company Krakowskie e-Centrum Informatyczne JUMP Dziedzic Pasek Przybyła s.j. at ul. Zakopiańska 9 in Kraków (30-418 Kraków), hereinafter referred to as the "hosting company", to use security measures intended for a high level of security of personal data processing, in accordance with the hosting company’s information constituting Annex No. 1 to the PB.
§7
The transfer of personal data for which Koala is the Personal Data Administrator from and within the public network takes place only in encrypted form.
§8
Koala:
a) undertakes constant activities to identify and analyze threats and risks to which processed personal data may be exposed,
b) defines security measures adequate to the threats and risks,
c) obliges persons employed or cooperating with Koala to read the PB and the instructions for managing the IT system.
§9
Koala is developing instructions specifying the method of managing the IT system used to process personal data – with particular emphasis on information security requirements. The manual includes in particular:
a) defining procedures for granting and changing authorizations to process data and registering authorizations in IT systems,
b) defining methods and means of authentication in IT systems,
c) defining procedures for starting, suspending and terminating work by system users,
d) defining the procedure for creating data backup copies,
e) determining the method of storing media containing data and backup copies,
f) determining the means of protecting IT systems,
g) determining the method of monitoring access to data,
h) defining procedures for performing inspections and maintenance of systems.
§10
1. Koala appoints an Information Security Administrator (ABI). The Information Security Administrator is the person responsible for the security of personal data in the IT system, and in particular for preventing unauthorized access to the system in which personal data is processed, and for taking appropriate actions in the event of detecting violations in the security system.
2. Whenever PB addresses specific obligations or competences – in the scope relating to the use of technical and organizational measures ensuring the protection of processed personal data – to Koala (also called ADO), these provisions are also addressed to ABI.
§11
1. Only persons authorized by Koala to process this data are allowed to process personal data.
2. Before granting a given person authorization to process personal data, particular consideration is given to whether that person is discreet and whether his/her past behavior and performance of existing duties guarantee compliance with the Data Protection Regulation and other documents regulating the security and protection of personal data processed at Koala.
3. Authorizing a given person to process personal data depends on a prior commitment to keep the content of personal data confidential.
§12
Koala requires the hosting company to ensure that servers hosting personal databases are protected against outages and data loss caused by power failure or disruptions in the power supply network.
§13
Koala requires the hosting company to ensure that servers and media containing personal databases cannot be moved outside the company’s server room.
§14
Employee files and personal data of clients and other persons in the form of printouts are stored in a closed cabinet.
§15
Devices, disks or other IT media containing personal data and intended for:
a) liquidation – the data is first deleted from the media (including through so-called "overwriting"), and if this is not possible, the media are damaged in a way that makes them impossible to read,
b) transfer to another entity (which is not authorized to process personal data) – the data is first deleted (including through so-called "overwriting"),
c) repair – the data is deleted before repair (including through so-called "overwriting"), or the repair is carried out under the supervision of a person authorized to process data.
§16
Printouts containing personal data intended for deletion are destroyed in a way that makes them impossible to read.
§17
For backups it makes itself, Koala:
a) periodically checks their suitability for restoring data in the event of a system failure,
b) deletes them immediately after their usefulness ceases.
§18
Monitor screens of personal data access stations are automatically turned off after the specified period of user inactivity – as long as technical conditions allow.
§19
The IT system in which personal data is processed is equipped with mechanisms for user authentication (verification of the declared identity of the person seeking access to data) and access control to personal data, while:
a) each user of the IT system in which personal data is processed has an established, separate identifier (a sequence of letters, digits or other characters that uniquely identifies the person authorized to process personal data in the IT system) and a password (a sequence of letters, digits or other characters known only to a person authorized to work in the IT system),
b) the frequency of changing the user password is specified in the IT System Management Manual,
c) solutions are introduced to force periodic change of passwords,
d) user passwords enabling access to the IT system are confidential – also after their expiry date,
e) the ID of a user who has lost the right to access personal data is immediately deregistered from the IT system and the user’s password is invalidated – such a person has no access to personal data,
f) the user ID of a user who has lost access to personal data cannot be assigned to another person.
ADO headquarters
§20
The ADO headquarters is located in Kraków at ul. Rhetoric 1/16.
Physical protective equipment
§21
The ADO premises are located on the fourth floor of a tenement house at ul. Rhetoric 1.
Doors with double locks lead to Koala’s rooms.
Securing the premises
§22
1. All rooms on Koala’s premises are accessible to Koala’s employees and associates. Customers do not have access to devices that can be used to connect to the database containing personal data. The same applies to cabinets and other places for storing files and collections in paper form.
2. In Koala’s rooms there are locked cabinets and drawers in which personal files, documents, backup copies and electronic media with personal data and other confidential documents in paper and electronic versions are stored.
3. In the absence of Koala employees and associates authorized to process personal data, without the consent of the ADO, customers cannot stay in rooms where there are cabinets and drawers with personal files, documents, backup copies and electronic media with personal data and other confidential documents in paper and electronic versions.
§23
The server on which the Koala customer database is located is in the premises of the hosting company Krakowskie e-Centrum Informatyczne JUMP Dziedzic Pasek Przybyła s.j. at ul. Zakopiańska 9 in Kraków (30-418 Kraków), in a server room inaccessible to third parties. The server room is locked and protected against unauthorized access from the outside 24 hours a day; each entry to the server room is logged using an individual magnetic card; the server room is equipped with an alarm system, covered by a video monitoring system, and equipped with motion sensors connected to the main alarm system; all rooms of the center are equipped with fire sensors connected to the main alarm system.
Protection of devices against failure
§24
1. The server on which the Koala customer database is located is secured by a UPS with operation monitoring and automatic system shutdown, using a 30 kVA on-line UPS device and a 130 kVA SZR power generator. The server room is air-conditioned to ensure the appropriate operating temperature of the devices.
2. The server on which the Koala customer database is located is protected against software whose purpose is to gain unauthorized access to the IT system and against other threats using the solutions provided for in the information provided by the hosting company constituting Appendix No. 1 to the PB.
Securing information media
§25
1. Data media containing backup copies made by Koala are stored in a metal box. Data media containing backup copies made by the hosting company are stored in the hosting company’s safe.
2. Information media containing personal data are stored in closed drawers or cabinets.
3. It is prohibited to leave media containing personal data in places to which unauthorized persons have access – except for locked cabinets, drawers and boxes.
4. The media on which personal data is stored may be taken outside Koala’s headquarters only in situations that justify such action. In such a case, information containing personal data should be protected against unauthorized access. If possible, data taken outside Koala’s headquarters should be encrypted.
Processing of personal data of Koala employees and associates
§26
1. Koala processes personal data of its employees to the extent permitted by Art. 221 of the Labor Code and the provisions of the Personal Data Protection Act.
2. The legal basis for the processing of employees’ personal data are the provisions of the Labor Code (Article 221 of the Labor Code).
3. The provisions of section 1 shall apply accordingly to persons cooperating with Koala on the basis of civil law contracts.
4. Personal data of employees or collaborators are processed only in connection with the employment of the data subjects.
5. Personal data of employees or collaborators are processed for the purposes of:
a) implementation of labor law provisions,
b) implementation of other legal provisions, such as tax law provisions and social security provisions.
6. Personal data of employees and co-workers comes from the employees.
7. Personal data of employees and collaborators are processed:
a) in an IT system ensuring HR and payroll management using the Buchalter and Płatnik software (data flows between the Buchalter and Płatnik systems),
b) in a collection kept in a traditional way – in employees’ personal files.
8. The structure of the employee data set collected in the HR and payroll system includes: surnames and given names, date of birth, place of birth, address of residence or stay, PESEL registration number, NIP registration number, citizenship.
9. The structure of the employee data set collected in personal files includes: surnames and given names, date of birth, place of birth, address of residence or stay, PESEL registration number, NIP registration number, citizenship, telephone number, e-mail address, photo.
10. Personal data of employees and associates are transferred to the accounting office in accordance with a separate agreement in force, only to the extent necessary to carry out appropriate settlements specified by, among others, provisions of labor law, tax law and social security law, etc.
11. Personal data of employees may be transferred to public authorities and third parties in connection with the violation of Koala’s rights, or in connection with the enforcement of Koala’s rights before courts or other adjudicating bodies.
12. Except for the above two points, Koala does not share customers’ personal data with other people.
13. Koala enables data subjects to access their personal data and provides the opportunity to correct and supplement them.
Processing of personal data of Koala customers
§27
1. Koala processes customers’ personal data within the limits provided for in Art. 23 section 1 point 2 – 5 of the Act. In other cases, Koala processes customers’ personal data only after obtaining the customer’s consent.
2. Authorized employees or cooperating persons are responsible for the processing of personal data.
3. The customer’s personal data are processed only for the purpose for which they were provided.
4. If the specific nature of the services provided requires the client to disclose health data, Koala begins to provide these services after obtaining the client’s written consent to the processing of this data.
5. Koala does not process customer data revealing racial or ethnic origin, political views, religious or philosophical beliefs, religious, party or trade union membership, as well as data on the genetic code, addictions or sexual life, as well as data on convictions, judgments on punishment and fines, as well as other judgments issued in court or administrative proceedings.
6. Koala processes customers’ personal data:
a) for the purpose of providing medical services, including the purpose of registering for a course, workshop or other type of service, and when it is necessary to take action before making such registration,
b) to settle services,
c) in connection with the need to keep medical records (where such an obligation exists),
d) for marketing purposes.
7. Customers’ personal data comes from those customers.
8. Personal data of Koala customers are processed in:
a) a customer database created when signing up for a course, workshop, class, advice or visit. The database is maintained using MySQL and is located on a server operated by Krakowskie e-Centrum Informatyczne JUMP Dziedzic Pasek Przybyła s.j. at ul. Zakopiańska 9 in Kraków (30-418 Kraków) – data contained in this database also flows to the "Google Drive" disk space for the login anna.przybylska45@gmail.com operated by Google Inc., whose headquarters are at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The database is also available in the form of printouts,
b) a paper collection: registration forms for gymnastics during pregnancy and after childbirth, examination forms, rehabilitation forms, doula cards, lactation advice cards and home births.
9. The structure of the customer database created when registering for a course, workshop, class, advice or visit in writing and via the website includes:
a) in the case of registration for a course: name and surname, name and surname of the accompanying person, e-mail address, contact telephone number, selection of the class mode (evening – Mondays, Wednesdays, evening – Tuesdays, Thursdays, weekend – Saturdays, weekend – Sundays, pre-cesarean section course, Birth school in English – course in English), month of classes, choice of using the package, additional customer message, data on payment for the service, data on attendance at classes,
b) in the case of registration for a workshop: name and surname, name and surname of the accompanying person, e-mail address, contact telephone number, selection of the type and date of classes, additional message from the client, data on payment for the service, data on attendance at classes,
c) in the case of classes, advice, visits via e-mail: name, surname, e-mail address, contact telephone number.
10. The data structure of the paper file, depending on the type of card or form, includes: name and surname, PESEL number, ID card number, data on the blood group of the woman giving birth, name and surname of any person accompanying the child in childbirth, e-mail address, contact telephone number, planned date of delivery, week of pregnancy, list of ailments during pregnancy, list of medications taken during pregnancy, data on doctor’s consent to participate in classes, type of delivery, detailed description of the course of delivery, summary of delivery, result of newborn examination after birth, result of DNA examination pelvis, list of ailments during the postpartum period, results of examination of the mother and child in connection with feeding, number of visits/classes, dates of visits/classes, type of subscription – form of payment.
11. Customers’ personal data are transferred to the accounting office in accordance with a separate agreement in force, only to the extent necessary to carry out appropriate settlements specified by, among others, tax law provisions, etc.
12. Customers’ personal data may be transferred to public authorities and third parties in connection with a violation of Koala’s rights, or in connection with the enforcement of Koala’s rights before courts or other adjudicating bodies.
13. Except for the above two points, Koala does not share customers’ personal data with other people.
14. Koala enables data subjects to access their personal data and provides the opportunity to correct and supplement them.
Koala Family Maternity Center.
