Privacy policy
Personal Data Protection Policy
1. This document entitled “Personal Data Protection Policy”, (hereinafter: the Policy) aims at describing the scope of requirements, rules and regulations for personal data protection at Antal sp. z o.o. (hereinafter: Antal sp. z o.o.) with its registered office in Warsaw, ul. Puławska 2, entered in the Commercial Register, under KRS number: 0000825336, with its register documents kept by the District Court for Warsaw, XIII Commercial Division of the National Court Register, Tax ID No (NIP): 5252813780, Statistical ID No (REGON): 385420420.
This Policy is the personal data protection policy within the meaning of the GDPR – a Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L. 119, No 119, p. 1).
2. The Policy includes:
a) description of data protection rules applicable at Antal sp. z o.o.,
b) references to attachments containing details (models of procedure or instructions regarding certain areas of personal data protection which require more precise description in separate documents).
3. The management board of Antal sp. z o.o. is responsible for implementing and maintaining this Policy, including:
a) Member of the Management Board who was appointed to supervise the personal data protection issues.
b) A person appointed by the Management Board for ensuring the compliance of personal data protection;
the following persons are responsible for the supervision and monitoring of the Policy observance:
c) Data Protection Inspector, at Antal sp. z o.o. iod@antal.pl,
d) Internal audit unit, if it operates at Antal sp. z o.o.,
the following parties are responsible for applying this Policy:
e) Antal sp. z o.o.,
f) organisational unit in charge of the information security issues,
g) organisational units processing big personal data,
h) other organisational units,
i) all members of personal at Antal sp. z o.o.,
Antal sp. z o.o. should also ensure the compliance of actions performed by the contractors of Antal sp. z o.o. with this Policy in due time, when the transfer of personal data takes place at Antal sp. z o.o.
4. ABBREVIATIONS AND DEFINITIONS:
Policy means this Policy of personal data protection unless clearly specified otherwise in the context.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L. 119, No 119, p. 1).
Data means personal data unless the context clearly specifies otherwise.
Special categories of personal data means data listed in Article 9 Paragraph 1 of the GDPR, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Criminal data means data listed in Article 10 of the GDPR, namely data regarding convictions and law infringements.
Children’s data means data of persons under 16 years of age.
Person means the data subject, unless the context clearly specifies otherwise.
Processor means an organisation or party to whom Antal sp. z o.o. entrusted processing personal data (e.g. IT services provider, internal Accounting Department).
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data Export means transferring data to a third state or to an international organisation.
PDPI or the Inspector means the Personal Data Protection Inspector.
RPDA or the Register means the Register of Personal Data Processing Activities.
Antal sp. z o.o. means Antal sp. z o o. with its registered office in Warsaw, ul. Puławska 2, entered in the Commercial Register, under KRS number: 0000825336, with its register documents kept by the District Court for Warsaw, XIII Commercial Division of the National Court Register, Tax ID No (NIP): 5252813780, Statistical ID No (REGON): 385420420.
5. PERSONAL DATA PROTECTION AT Antal sp. z o.o – GENERAL PRINCIPLES
5.1. The Pillars of Personal Data Protection at Antal sp. z o.o:
a) Legality – Antal sp. z o.o. cares for protection of privacy and data processing in compliance with the law.
b) Security – Antal sp. z o.o. ensures the relevant level of data security undertaking continuous actions in this regard.
c) Individual rights – Antal sp. z o.o. enables data subjects to exercise their rights and performs these rights.
d) Accountability – Antal sp. z o.o. documents the method of performing obligations in order to prove compliance at all times.
5.2. Data protection rules:
Antal sp. z o.o. processes personal data while observing the following rules:
a) based on the legal grounds and in compliance with the law (legality);
b) in the reliable and fair manner (fairness);
c) in the clear manner for the data subject (transparency);
d) for specified purposes and not “in advance” (minimisation);
e) not more than necessary (adequacy);
f) with due care for data to be true (correctness);
g) not longer than necessary (timeliness);
h) ensuring applicable data security (security).
5.3. Data protection system
The System of Personal Data Protection at Antal sp. z o.o comprises the following elements:
1. Data stock taking. Antal sp. z o.o. identifies personal data resources, data classes, dependence between data resources, identification of applied methods (stock taking), including:
a) cases of processing special categories of data and criminal data;
b) cases of processing data of persons who are not identified by Antal sp. z o.o. (non-identified data);
c) cases of processing children’s data;
d) profiling;
e) joint controlling of data.
2. Register.
Antal sp. z o.o. prepares, maintains and keeps the Register of Personal Data Processing Activities (the Register). The Register is the accountability tool for compliance with security at Antal sp. z o.o.
3. Legal Basis.
Antal sp. z o.o. ensures, identified, verifies legal bases for data processing and records them in the Register, including:
a) maintains the management system for data processing and distant communication,
b) performs stock taking and particularly justification of cases when Antal sp. z o.o. processes data on the basis of legally justified interest of Antal sp. z o.o.
4. Serving Individual’s rights.
Antal sp. z o.o. performs notification duties towards subjects of data processed by it and ensures servicing their rights, performing demands received, including:
a) Notification obligations Antal sp. z o.o. submits to data subjects information required by law while collecting data and in other situations and organises and ensures documenting the performance of these obligations;
b) Possibility of performing requests Antal sp. z o.o. verifies and ensures the possibility of effective performance of each type of request by itself and its processors;
c) Servicing requests Antal sp. z o.o. ensures relevant expenditures and procedures so that requests submitted by data subjects are performed on time and in the manner required by the GDPR and documented;
d) Notification about breaches Antal sp. z o.o. applies procedures allowing for establishing the necessity of notifying data subjects to whom applies the identified data protection breach.
5. Minimisation.
Antal sp. z o.o. applies principles and methods of minimisation management ( privacy by default ), including:
a) the principles for managing date adequacy;
b) the principles for limiting and managing access to data;
c) the principles for managing the period of storing data and verifying its further usability.
6. Security.
Antal sp. z o.o. ensures the relevant level of data security, including:
a) performing the analysis of risk for data processing activities or data categories;
b) making an assessment of effects for personal data protection where the risk of infringement of rights and freedoms is high;
c) adjusting data protection measures to the established risk;
d) holding the information security management system;
e) using procedures allowing for identifying, assessment and notification about identified breach of data protection to the Data Protection Office – manages incidents.
7. The Processor.
Antal sp. z o.o. applies the rules of selecting data processors acting in its name, requirements for processing conditions (an agreement for entrusting), verification rules of performance of agreements for entrusting.
8. Data export.
Antal sp. z o.o. holds verification procedures to check whether Antal sp. z o.o. does not transfer data to third parties (namely outside the EU, Norway, Lichtenstein, Island) or to international organisations and to ensure conditions for such transfer, if any, that comply with the law.
9. Privacy by design.
Antal sp. z o.o. manages changes affecting the privacy. For this purpose, the procedure of opening new projects and investments take into account the necessity of assessment of impact of the change on data protection, risk analysis, ensuring privacy (including the compliance of processing objectives, data security and minimisation) already at the stage of designing the change, investment and at the beginning of a new project.
10. Trans-border processing.
Antal sp. z o.o. has the rules of verifying when trans-border processing occurs and the rules of establishing the leading supervisory authority and the main establishment within the meaning of the GDPR.
6. STOCKTAKING
6.1. Special categories data and criminal data
Antal sp. z o.o. identifies the cases where it processes or may process data of special category, or criminal data and it maintains dedicated mechanisms ensuring compliance with law when processing such data. In the event of identifying cases of processing data of special category or criminal data Antal sp. z o.o. acts in line with adopted rules in this regard.
6.2. Non-identifiable data
Antal sp. z o.o. identifies the cases where it processes or may process non-identified data and it maintains mechanisms facilitating exercising rights of non-identifiable data subjects.
6.3. Profiling
Antal sp. z o.o. identifies cases where it performs profiling of processed data and maintains mechanisms ensuring the compliance of this process with the law. In the event of identifying cases of profiling and automated decision making Antal sp. z o.o. acts in line with rules adopted in this regard.
6.4. Joint conrolling
Antal sp. z o.o. identifies cases of joint controlling of data and acts in line with rules adopted in this regard.
7. REGISTER OF DATA PROCESSING ACTIVITIES
7.1. RDPA constitutes the form of documenting data processing activities, it is the map of data processing and it is one of the key elements allowing for the performance of the fundamental principle on which the whole system of personal data protection is based, namely the accountability principle.
7.2. Antal sp. z o.o. maintains the Register of Data Processing Activities which allows for stock taking and monitoring the manner of using personal data.
7.3. The Register is one of the basic tools allowing Antal sp. z o.o. the clearance of the majority of data protection obligations.
7.4. For each data processing activity which Antal sp. z o.o. considered separate for the Register’s needs, Antal sp. z o.o. records in the Register at least:
a) activity name,
b) purpose of processing,
c) description of persons categories,
d) description of data categories,
e) the legal basis for processing with details of category of justified interest of Antal sp. z o.o., if it is based on a justified interest,
f) method of collecting data,
g) description data recipients categories (including processors),
h) information on transferring data outside the EU/EEA;
i) general description of technical and organisational measures of data protection.
7.5. Template Register is attached as Attachment No 1 to the Policy – “Template Register of Data Processing Activities.” The template Register contains also voluntary columns. In voluntary columns Antal sp. z o.o. registers information, according to the needs and possibilities, taking into account that a more detailed content of the Register facilitates management of data protection compliance and accountability.
7.6. In the course of the data processing, the administrator collects the following personal data categories for processing:
a) contact details, e.g. name and surname, telephone number, e-mail address, etc.,
b) education data,
c) history of previous employment and professional qualifications,
d) candidate's image and voice recorded in an audiovisual form during the recruitment interview,
e) other necessary data for conducting the recruitment process.
a) contact details, e.g. name and surname, telephone number, e-mail address, etc.,
b) education data,
c) history of previous employment and professional qualifications,
d) candidate's image and voice recorded in an audiovisual form during the recruitment interview,
e) other necessary data for conducting the recruitment process.
8. COOKIES
8.1. Website https://en.antal.pl uses cookies. These are small text files sent by the www server and stored by the browser’s software in the computer. When the browser reconnects with the website, the site recognises the type of the user’s equipment for the connection. Parameters allow for reading information included therein only by the server which created them. Cookies facilitate the use of websites already visited earlier.
8.2. Gathered information include IP address, type of used web browser, language, type of operating system, supplier of internet services, information on the date and time, location and information sent to the website using the contact form.
8.3. Cookies identify the user which enables adjusting the content of the website used by them to the user’s needs. Remembering the user’s preferences, it enables relevant adjusting of advertisements directed to this user. Antal sp. z o o. uses cookies in order to ensure the highest standard of convenience of our service, and collected data is used solely internally in the company in order to optimise activities.
8.4. We use the following cookies on our website:
1. “necessary” cookie files, allowing for the use of services available within the service, for instance authorising cookies used for services which require authorisation within the service;
cookies files used for ensuring security, e.g. used for finding cases of abuse of certification within the service;
2. “performance” cookies, allowing for collecting information about the manner of using the service websites;
3. “functional” cookies allowing for “remembering” settings selected by the user;
4. “advertising” cookies files allowing for submitting advertising content better adjusted to the user’s interests.
8.5. The user is at all times able to switch off or switch on the option of gathering cookies by changing settings in the Internet browser. The cookies management instruction is available on the website.
8.6. Cookies used by Antal sp. z o.o. may serve the following purposes:
1. optimising the use of the website by the user, improving the efficiency and optimisation of the website’s functions.
8.7. Information collected and generated by cookies does not enable the user’s identification.
8.8. No personal data of the user are stored a result of using cookies. Cookies used by Antal sp. z o.o. are safe and do not have any harmful effect on the user’s computer.
9. BASIS FOR PROCESSING
9.1. Antal sp. z o.o. documents in the Register legal bases for data processing for certain processing activities.
9.2. By indicating in documents the general legal grounds (consent, agreement, legal obligation, vital interests, public tasks/ public authority, justifies purpose of Antal sp. z o.o.), Antal sp. z o.o. provides a more precise basis in a clear and readable manner, when it is necessary. For instance for a consent – indicating its scope, where it is based on the law, indicating certain provision and other documents, e.g. an agreement, administrative arrangement, vital interests, indicating categories of events in which it will materialise, a justified purpose – indicating explicit purpose, e.g. own marketing, pursuing claims.
9.3. Antal sp. z o.o. implements the methods of consents management allowing for registration and verification of holding a consent of a data subject for processing their certain data for certain purpose, consent for distant communication (e-mail, phone, text message etc.) and registration of the denial of consent, withdrawal of consent and similar activities (a protest, limitation etc.).
9.4. Manager of an organisation unit at Antal sp. z o.o. is obliged to know legal basis for the unit he manages to perform certain personal data processing activities. If it is based on the justified interest of Antal sp.z o.o., the manager of the unit is obliged to know the certain interest of Antal sp. z o.o in the performance of processing.
10. METHODS OF SERVICING INDIVIDUAL’S RIGHTS AND INFORMATION OBLIGATIONS
10.1. Antal sp. z o.o. takes care of the clear style of information and communication with processed data subjects.
10.2. Antal sp. z o.o. facilitates exercising rights by data subjects through various activities, including publishing on the website of Antal sp. z o.o. information or references (links) to information on the rights of data subjects, methods of exercising these rights, including requirements regarding identification, methods of contact with Antal sp. z o.o. for this purpose, possible log of “additional” requests, etc.
10.3. Antal sp. z o.o. cares about keeping legal time limits while performing its obligations towards individuals.
10.4. Antal sp. z o.o. introduces adequate methods of identification and certification of persons for the needs of exercising their rights and information obligations.
10.5. In order to exercise the rights of an entity, Antal sp. z o.o. ensures procedures and mechanisms allowing for identifying data of certain persons, processed by Antal sp. z o.o., integrating the data, introduce changes to it, and to remove it in an integrated manner,
10.6. Antal sp. z o.o. documents servicing information obligations, notifications and requests of data subjects.
11. INFORMATION OBLIGAITONS
11.1. Antal sp. z o.o. specifies methods of performing information obligations that comply with law and are effective.
11.2. Antal sp. z o.o. notifies the data subject about extending the time limit for reviewing their task over one month.
11.3. Antal sp. z o.o. notifies a data subject about processing their data while collecting data regarding this person.
11.4. Antal sp. z o.o. notifies a data subject about processing their data while collecting data regarding this person directly from them.
11.5. Antal sp. z o.o. specifies the method of informing data subjects about processing non-identified data, wherever possible (e.g. a plate informing that the area is covered by visual monitoring).
11.6. Antal sp. z o.o. notifies a data subject about the planned change of the purpose of processing their data.
11.7. Antal sp. z o.o. notifies a data subject before removing processing limitation.
11.8. Antal sp. z o.o. notifies data recipients about rectification, deletion or restriction of data processing (unless this proves impossible or involves disproportionate effort).
11.9. Antal sp. z o.o. notifies the person about the right to protest against data processing no later than during the first contact with them.
11.10. Antal sp. z o.o. notifies the data subject, without undue delay, about a breach of personal data security, if the breach may cause a high risk of infringing the rights or freedoms of this data subject.
12. REQUESTS OF PERSONS
12.1. Third party rights
When performing the rights of data subjects, Antal sp. z o.o. introduces procedural guarantees for the protection of rights and freedoms of third parties. In particular, in the event of receiving a credible information about the fact that the performance of a person’s request for issuing copies or the right to transfer data may negatively affect the rights and freedoms of other persons (e.g. rights related to protection of date of other persons, intellectual property rights, trade secret, personal goods), Antal sp. z o.o. may refer to the person in order to explain doubts or to undertake other steps permitted by law, including denial.
12.2. Non-processing
Antal sp. z o.o. notifies the data subject that it does not process their data, if such person submitted a demand regarding their rights.
12.3. Refusal
Antal sp. z o.o. notifies a person within a month from the receipt of the request about the refusal to review the demand and about the rights of the person related to it.
12.4. Access to data
At the request of a data subject regarding access to their data, Antal sp. z o.o. notifies the data subject whether it processes their data and about details of processing, according to Article 15 of the GDPR (the scope corresponds to the information obligation during data collection), and grants the data subject access to their data. Access to data may be performed by issuing copies of data, with the reservation that a copy of data issued in the performance of the right of access to data.
12.5. Copies of data
Following a request, Antal sp. z o.o. issues a copy of data to the data subject and records the fact of issuing the first copy of data. Antal sp. z o.o. introduces and maintains the price list for data copies, according to which it collects fees for consecutive copies of data. Data copies price is calculated on the basis of estimated unit cost of servicing a request for issuing data copies.
12.6. Rectification of data
Antal sp. z o.o. will document rectification of incorrect data at the request of a data subject. Antal sp. z o.o. is entitled to refuse data rectification, unless the data subject proves in a reasonable manner that data they want to rectify is incorrect. In the case of data rectification, Antal sp. z o.o. notifies the data subject about data recipients, at the data subject’s request.
12.7. Supplementing data
Antal sp. z o.o. supplements and updates data at the request of a data subject. Antal sp. z o.o. is entitled to refuse supplementing data if it would be contrary to the purpose of data processing (e.g. Antal sp. z o.o. does not have to process data which is redundant). Antal sp. z o.o. may rely on the declaration of the person as to supplementing data, unless it is not sufficient in the light of procedures adopted by Antal sp. z o.o. (e.g. regarding procuring such data), of the law, or if there are grounds to consider the declaration unreliable.
12.8. Removing data
Antal sp. z o.o. removes data at the request of a data subject, when:
a) Data is neither necessary for the purposes for which it was collected, nor processing for other legal purposes,
b) The consent for their processing was withdrawn and there are no other legal grounds for processing,
c) The person submitted an effective protest against processing the data,
d) Data was processed illegally,
e) The necessity to remove data is imposed by a legal obligation,
f) The request applies to child’s data collected on the basis of a consent in order to provide services of information society offered directly to the child (for instance, the child’s profile on a social media platform, participating in a competition on a website).
Antal sp. z o.o. specifies the method of servicing the right to data removal in the manner ensuring effective exercising of this right while observing all data protection rules, including safety as well as verification in case of any exemptions described in Article 17 Paragraph 3 of the GDPR.
If data subject to deletion was published, Antal sp. z o.o., undertakes reasonable actions including technical measures in order to notify other controllers processing the personal data about the necessity of removing the data and access to it.
In the case of removing data Antal sp. z o.o. notifies the person about data recipients, at the person’s request.
12.9. Processing limitation
Antal sp. z o.o. limits data processing at the request of a person, if:
a) The person questions the correctness of data – for the period allowing for checking its correctness
b) Processing is against the law and the data subject protests against removing personal data demanding instead limiting its use
c) Antal sp. z o.o. does not need personal data any more but it is necessary for the data subject to establish, pursue or defend their claims
d) The data subject submitted a protest regarding processing due to their special situation – by the time of confirming whether there are legally justified grounds on the site of Antal sp. z o.o. that supersede the right to protest.
During the limitation of processing Antal sp. z o.o. stores data, but it does not process it (does not use, does not transfer) without the consent of a data subject, except for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Antal sp. z o.o. notifies the person before removing the processing limitation.
In the case of limitation of data processing, Antal sp. z o.o. notifies the data subject about data recipients, at the data subject’s request.
12.10. Data transfer
At the request of a data subject, Antal sp. z o.o. issues in structured, commonly used machine-readable format, or if possible transfers to another entity , data regarding this data subject, provided by them to Antal sp. z o.o., processed pursuant to the consent of this data subject or in order to enter into or perform an agreement with this person in information systems.
12.11. Protest in special situation
If a person submits a protest against processing their data justified with their special situation, while data is processed by Antal sp. z o.o. pursuant to justified interest or entrusted task of public interest, Antal sp. z o.o. will take the protest into account unless there is no pertinent legal justification on its side for processing, which prevails over interests, rights and freedoms of the person submitting the protest or basis for establishing, pursuing or defending claims.
12.12. Protest against scientific and historical research or statistical purposes
If Antal sp. z o.o. performs scientific, historical research or processes data for statistical reasons, the data subject may submit a protest against such processing justified with their special situation. Antal sp. z o.o. will take into account such protest, unless processing is necessary for the performance of the task for public interest.
12.13. Protest against direct marketing
If a data subject submits a protest regarding processing their data by Antal sp. z o.o. for direct marketing purposes (including possibly profiling) Antal sp. z o.o. will take into account this protest and will cease such processing.
12.14. The right to human intervention in automated processing
If Antal sp. z o.o. processes personal data in automated manner, particularly if it profiles data subjects and, as a consequence, makes decisions regarding data subject resulting in legal effects or otherwise significantly affecting the data subject, Antal sp. z o.o. ensures the right to obtain human intervention, unless such automated decision:
a) Is necessary for entering into and performing an agreement between the appealing person and Antal sp. z o.o. or
b) It is directly allowed under the law or
c) It is based on an explicit consent of the appealing person
12.15. The right to submit a complaint to the supervisory authority
If you feel that we are processing your data unlawfully, you can file a complaint to the Data Protection Office or another competent supervisory authority.
12.16. The right to withdraw the consent for personal data processing
You have the right to withdraw your consent for the processing of personal data at any time.
13. MINIMIZATION
Antal sp. z o.o cares about minimisation of data processing in terms of:
a) Data adequacy to the purposes (volume of data and scope of processing)
b) Access to data
c) Duration of data storing
13.1. Scope minimisation
Antal sp. z o.o. verified the scope of collected data, its processing and volume of processed data in terms of their suitability for the purpose of processing within the implementation of the GDPR.
Antal sp. z o.o. makes periodical reviews of the volume of processed data and the scope of data processing, at least once a year.
Antal sp. z o.o. verifies changes with regard to the volume and scope of data processing within the change management procedures (privacy by design).
13.2. Access minimisation
Antal sp. z o.o. applies restrictions of access to personal data: legal (confidentiality obligation, scopes of authorisations), physical (access zones, locking premises) and logical (restrictions of authorisation to personal data processing systems and to network resources where personal data is stored).
Antal sp. z o.o., applies control of physical access.
Antal sp. z o.o. performs updates of access rights when changing personnel and changing roles of persons and changes of processors.
Antal sp. z o.o. performs periodical reviews of authorised users of systems and updated their data at least once a year.
Detailed rules of controlling physical and logical access are included in the physical security and information security procedures of Antal sp. z o.o.
13.3. Time minimisation
Antal sp. z o.o. implements the mechanisms of control of personal data life cycle at Antal sp. z o.o., including verification of further usability of data against terms and control points indicated in the Register.
Data the scope of usability of which is subject to limitation with the lapse of time is removed from production systems of Antal sp. z o.o. and from main and operating files. Such data may be archived and may be recorded as back up copies of systems and information processed by Antal sp. z o.o. The Procedures of archiving and using archives, creating and using back up copies take into account requirements of control over data life cycle, including requirements for data erasure.
14. SECURITY
Antal sp. z o.o. ensures the level of security corresponding to the risk of an infringement of rights and freedoms of natural persons as a result of personal data processing by Antal sp. z o.o.
14.1. The analysis of risk and adequacy of security measures
Antal sp. z o.o. performs and documents the analysis of adequacy of personal data security. For this purpose:
a) Antal sp. z o.o. ensures the state of the art knowledge about information security, cyber security and continuity – internally or with the support of specialised entities.
b) Antal sp. z o.o. divides data and processing activities in terms of the risk they present.
c) Antal sp. z o.o. performs the analysis of the risk of infringement of rights or freedoms of natural persons for data processing activities or data categories. Antal Sp. z o.o. analyses possible situations and scenarios of personal data protection taking into account the scope, context and purposes of data processing and the risk of infringement of rights and freedoms of natural persons of varying likelihood and severity.
d) Antal sp. z o.o. establishes organisational and technical security measures that may be applied, and makes an assessment of costs of their implementation. Also, Antal sp. z o.o establishes the usability and applies such measures and approach as:
1) Pseudonimisation
2) Encryption of personal data
3) Other cyber security measures ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
4) Measures ensuring the continuity and preventing disasters effect, namely the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
14.2. Assessment of effects of data protection
Antal sp. z o.o. makes an assessment of effects of planned processing operations for personal data protection where the risk of infringement of rights and freedoms is high, according to the risk analysis.
Antal sp. z o.o. applies the methods of assessment of effects adopted at Antal sp. z o.o.
14.3. Security measures
Antal sp. z o.o. applies security measures agreed within the risk analysis and adequacy of security measures and assessment of effects for data protection.
Personal data security measures constitute an element of information security measures and the measures of ensuring cyber security at Antal sp. z o.o. and they are described in more detail in procedures adopted by Antal sp. z o.o.
14.4. Breaches notification
15. THE PROCESSOR
Antal sp. z o.o. has the rules of selection and verification of data processors for Antal sp. z o.o. developed in order to ensure that the processors give sufficient guarantees of implementing relevant organisation and technical measures in order to ensure security, execution of individual rights and other obligations of data protection imposed on Antal sp. z o.o.
Antal sp. z o.o. adopted minimum requirements for an agreement for entrusting data processing with its template attached hereto as Attachment No 2 – “Template agreement for entrusting data processing”.
Antal sp. z o.o. makes processors accountable for the use of sub-processors, and for meeting other requirements resulting from the Rules of entrusting personal data.
16. EXPORT OF DATA
Antal sp. z o.o. records in the Register the case of exporting data, namely of transferring data outside the European Economic Area (EEA).
17. PRIVACY DESIGNING
Antal sp. z o.o. manages the change affecting the privacy in the manner allowing for ensuring relevant safety of personal data and minimising data processing.
For this purpose the principles of conducting projects and investments by Antal sp. z o.o. refer to the security rules for personal data protection and minimisation, requiring the assessment of impact on privacy and data protection, taking into account and designing security and minimisation of data processing from the beginning of the project or investment.
18. FINAL PROVISIONS
1) Antal sp. z o.o. is entitled to introduce amendments in the Privacy Policy.