PERSONAL DATA PROTECTION POLICY AT MORE GROUP SP. Z O.O. WITH REGISTERED OFFICE IN WARSAW
I. General provisions
1. This Personal Data Protection Policy (hereinafter: "Policy") has been adopted by More Group Sp. z o. o. with its registered office in Warsaw (hereinafter referred to as the "Company") and constitutes a data protection policy prepared for the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119, p. 1, hereinafter referred to as "GDPR").
2. The purpose of this Policy is to define the rules and standards applicable in the Company for the treatment of personal data and the protection of personal data, taking into account the following principles:
a. Data confidentiality, i.e. certainty that personal data is not made available to unauthorized entities;
b. Data integrity, i.e. the certainty that personal data have not been altered or destroyed in an unauthorized manner and that they are protected against unauthorized or unlawful processing and accidental loss, destruction or damage;
c. Legality and reliability of data, i.e. compliance of processing in accordance with applicable law and taking into account the interests and reasonable expectations of data subjects;
d. Purpose limitations, i.e. the assurance that personal data are processed for specific, explicit and legitimate purposes;
e. Data minimization, i.e. the appropriateness of the scope of data processed, while limiting it to what is necessary for the purposes for which it is processed;
f. Accuracy, i.e. the certainty that personal data is correct and updated, if necessary;
g. Limiting the storage time, i.e. ensuring that personal data are processed for no longer than necessary to achieve the purposes for which the data are processed;
h. Accountability, i.e. responsibility for compliance with the principles of personal data protection indicated in this Policy, in particular by implementing measures to guarantee compliance with the provisions on the protection of personal data and preparing appropriate data processing documentation confirming the adoption of these measures. This Policy also aims to minimize the possibility of violations of the rights and freedoms of data subjects in connection with the processing of personal data.
3. The Management Board of More Group Sp. z o. o., which was entrusted with supervision over the area of personal data protection, is responsible for the implementation and maintenance of this Policy.
II. Definitions
1. The terms used in this Policy have the following meanings:
a. "Controller" means the Company in relation to those Data in relation to which the Company decides on the purposes and means of processing;
b. "Personal Data" or "Data" means information relating to an identified or identifiable natural person ("Data Subject"), unless otherwise expressly provided for in this Policy;
c. "Authorized persons" means employees and other persons indicated in point V section 2 of this Policy, permitted to process Data on the basis of appropriate authorization issued by the Administrator;
d. "Third country" - a country that is not a member of the European Economic Area;
e. "Processor" means a natural or legal person, entity or other entity entrusted by the Company with the processing of Data;
f. "Data Processing" means an operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;
g. "RCP" means the register of Data processing activities;
h. "RKCP" means the register of categories of Data processing activities;
i. "IT systems" means a set of interoperating devices and/or computer programs as well as procedures and policies regarding the Processing of Personal Data in the Company;
2. Terms used in this Policy that are not defined in section 1 above should be understood in accordance with their meaning given to them under the relevant provisions of the GDPR.
III. Scope of application of the Policy
1. This Policy applies to the processing of Data in both automated and non-automated ways, using traditional methods (in books and paper documents) and new technologies (in IT systems).
2. The provisions of this Policy apply to all Persons authorized in the Company to process Data, including both employees and those providing services to the Company under civil law contracts and other persons, e.g. interns.
IV. General principles of personal data protection
1. When carrying out tasks in the field of personal data protection, the Administrator takes into account in particular the principles set out in point I section 2 of this Policy. The competences and responsibilities of the Administrator include:
a. Granting and withdrawing authorizations to process personal data in accordance with the principles set out in point V of this Policy;
b. Providing authorized persons with work stations enabling safe processing of Data;
c. Application of procedures enabling the identification, assessment and reporting of identified personal data protection breaches to the competent supervisory authority - management of data security incidents;
d. Maintaining and updating RCP and RKCP;
e. Ensuring the identification and verification of the legal basis for the processing of Personal Data and, if possible, recording them in the RCP and RKCP;
f. Fulfilling information obligations towards data subjects and ensuring their rights are met, including the implementation of requests received in this regard, such as:
i. Requests to obtain access to Data and specific information about Data processed by the Company,
ii. Requests for rectification of data,
iii. Realization of the right to be forgotten,
iv. Requests to limit processing,
v. Data Transfer.
g. Familiarizing authorized persons with the provisions regarding the protection of Personal Data, in particular by conducting appropriate training in this regard on the principles described later in this Policy;
h. Ensuring an appropriate level of Data security, including:
i. Conducting, where justified, a risk analysis of Data processing and adapting Data protection measures to the level of identified risk,
ii. Implementation of the instructions referred to in point XI section 4 below,
iii. Supervising the records of Authorized Persons,
iv. Responding to identified Data security breaches,
v. Conducting periodic inspections of both organizational and physical security systems;
i. Supervising the activities undertaken in terms of compliance of Data processing with this Policy and provisions on the protection of personal data.
2. The Company is responsible for managing changes in events organized by the Company that affect privacy in accordance with the provisions of point XIV of this Policy.
V. Authorized person. Granting and canceling authorizations
1. Only persons with valid written authorization granted by the Administrator may be allowed to process Personal Data. The scope of authorization to process Data results from the position held or functions and tasks performed.
2. The written authorization to process personal data is made in one copy and is kept at the Administrator's office.
3. Authorized person:
a. May only process Data to the extent indicated by the Administrator in the authorization and only for the purpose of performing the obligations imposed on them;
b. Is obliged to keep the content of Personal Data secret and to follow the procedures for their safe processing specified in this Policy and the documents attached to it;
c. Is obliged to take all reasonable and careful actions aimed at securing the Data against access by unauthorized persons.
4. The data may only be processed by authorized persons, i.e. employees of the Company or persons providing services to the Company under civil law contracts, or other persons, e.g. interns, trainees, with a written authorization signed by the Administrator.
5. Administrator:
a. withdraws the authorization to process Data in the event of termination, expiry or termination of the employment relationship or other legal relationship under which the Authorized Person was employed;
b. modifies the scope of authorization to process Data in the event of a change in the position or function performed by the Authorized Person;
c. may suspend the authorization to process Data in the event of a long-term absence of the Authorized Person of at least 30 days.
6. The Administrator keeps a register of Authorized Persons, which records the date of granting, scope, modifications and date of withdrawal of the authorization.
VI. Register of Data processing activities and Register of categories of Data processing activities
1. RCP and RKCP are a form of documenting data processing activities aimed at ensuring compliance with the GDPR, including by implementing the principle of accountability.
2. The company maintains and updates on an ongoing basis:
a. RCP, in which it inventories and monitors the way in which it uses Personal Data in relation to which it acts as the Administrator;
b. RKCP, in which it inventories and monitors the way in which it uses Personal Data in relation to which it acts as a data processor on behalf of other entities.
3. RCP and RKCP also contain optional fields in which the Company records information as needed and possible.
VII. Basics of Data processing
1. As far as possible, the Company documents the legal basis for data processing for individual processing activities in the RCP and RKCP.
2. Indicating the general legal basis for processing specified in Art. 6 section 1 GDPR, the Company specifies the basis in a clear way when necessary. For example, for consent, indicating its scope, and when the basis is applicable law - pointing to a specific legal provision.
3. The head of a given organizational unit of the Company is obliged to know the legal basis on which the unit he manages carries out specific activities in the processing of Personal Data.
VIII. Information obligations
1. The administrator uses lawful and effective methods to fulfill the information obligation towards data subjects. For this purpose, the Administrator:
a. Where necessary and possible, supplements the scope of information provided to data subjects in order to meet the obligations specified in Art. 13 GDPR;
b. Informs the person about the processing of his or her data when obtaining data from this person;
c. Informs data subjects about a change in the purpose of processing their Data.
2. The Data Administrator informs about rectification or deletion of personal data or restriction of processing carried out in accordance with Art. 16, art. 17 section 1 and art. 18 GDPR, each recipient to whom personal data have been disclosed, unless this proves impossible or requires disproportionate effort.
3. If a breach of Personal Data protection may result in a high risk of violating the rights and freedoms of natural persons, the Administrator shall, without undue delay, notify the data subject of such a breach in order to enable the data subject to take the necessary preventive actions. The procedures for dealing with security incidents are described in point XI section 8 of this Policy.
IX. Exercise of the rights of data subjects
1. In order to ensure the implementation of the rights of data subjects, the Administrator takes reasonable organizational measures enabling data subjects to obtain responses to applications or demands referred to in Art. 15 – 22 GDPR. The Administrator determines that responses will be provided in writing or electronically (e.g. e-mail, text message), depending on the form of contact chosen by the data subject. Information may be provided orally only if the data subject requests it and only provided that the Administrator is able to confirm the identity of the data subject by other means.
2. If the Administrator has justified doubts as to the identity of the natural person from whom the request referred to in Art. 15-21 of the GDPR originates, the Administrator may request from such a person additional information necessary to confirm the identity of the person to whom the Data relates.
3. The Administrator fulfils the requests or demands of the Data Subject referred to in Art. 15-22 of the GDPR (subject to the provisions of section 2 above), without undue delay, but no later than within one month from the date of receipt of the application or demand. Due to the complicated nature of the request or the number of requests from the same person, this deadline is extended by another two months, provided that within one month of receiving the request (demand), the Administrator will inform the data subject about the extension of the deadline, stating the reasons for the delay.
4. If the Administrator does not comply with the request from the data subject, he or she immediately - no later than one month after receiving the request or demand - informs about the fact that the request has not been fulfilled, about the reasons for this state of affairs and about the possibility of filing a complaint with the supervisory authority and about the possibility of using judicial protection of their rights.
5. When exercising the rights of data subjects, the Administrator introduces procedural guarantees to protect the rights and freedoms of third parties. In particular, if there is reliable information that fulfilling a person's request for a copy of data or the right to transfer data may adversely affect the rights and freedoms of other people (e.g. rights related to the protection of other people's data, intellectual property rights, trade secrets, personal rights, etc.), the Administrator may ask the person to clarify doubts or take other steps permitted by law, including refusing to satisfy the request.
6. At the request of a person regarding access to his or her Data, the Administrator informs the person whether he or she processes his or her data and informs the person about the details of processing, in accordance with Art. 15 GDPR, and also grants the person access to data concerning him/her. Access to the Data may be provided by issuing a copy of the data.
7. Upon request, the Administrator issues a copy of his/her Personal Data to the data subject and records the fact of issuing the first copy of the data. The Company introduces and maintains a price list for data copies, according to which it charges fees for subsequent data copies. The price of a data copy is calculated based on the estimated unit cost of handling the request for a copy of the Data.
8. The Administrator corrects incorrect data at the request of the data subject. The Administrator has the right to refuse to rectify the Data, unless the person making the request reasonably demonstrates the irregularities or incompleteness of the Data for which rectification is requested.
9. The Administrator completes and updates the data at the request of the data subject. The Administrator has the right to refuse to supplement the data if the supplementation would be inconsistent with the purposes of data processing (e.g. the Administrator does not have to process data that is unnecessary to achieve the defined processing purposes). The Company may rely on the person's statement regarding the completed data, unless there are grounds to consider the statement as unreliable.
10. At the request of the data subject, the Administrator deletes his or her Data when:
a. The data is not necessary for the purposes for which it was collected and is not processed for other purposes;
b. Consent to their processing has been withdrawn and there is no other legal basis for processing;
c. The person has successfully objected to the processing of this Data and there are no overriding legitimate grounds for processing;
d. The data was processed unlawfully,
e. The need to delete Data results from the provisions of generally applicable law.
11. The Administrator determines the method of handling the right to delete data in such a way as to ensure the effective implementation of this right while respecting all data protection principles, including security, as well as to verify whether there are any exceptions referred to in Art. 17 section 3 GDPR.
12. If the data subject to deletion has been made public by the Company, the Company takes reasonable actions, including technical measures, to inform other administrators processing this personal data about the need to delete the data and access to it.
13. The Administrator limits data processing at the request of the data subject if:
a. This person questions the accuracy of the data - for a period enabling its correctness to be checked;
b. The processing is unlawful and the data subject objects to the deletion of the personal data and requests instead that their use be limited;
c. The Administrator no longer needs personal data for processing purposes, but they are needed by the data subject to establish, pursue or defend claims;
d. This person has objected to the processing for reasons related to his or her particular situation - until it is determined whether the Administrator has legitimate grounds that override the grounds for objection.
The Administrator separates the Data in respect of which processing has been restricted from other Data and (subject to the following sentence) does not undertake further processing or modify the Data. During the restriction of processing, the Administrator stores the Data, but does not process them in any other way (does not use, transfer, disseminate, or delete) without the consent of the data subject, unless for the purpose of establishing, pursuing or defending claims, or in order to protect the rights of another natural or legal person, or for important reasons of public interest. The Administrator informs the data subject before lifting the processing restriction.
14. At the request of the data subject, the Administrator provides Personal Data concerning him or her that he or she provided to the Administrator in a structured, commonly used, machine-readable format (e.g. XML, JSON, CSV), and has the right to send these personal data to another administrator, provided that:
a. Data processing takes place on the basis of consent (Article 6(1)(a) or Article 9(2)(a) of the GDPR) or for the purpose of performing a contract; and
b. Data processing is carried out in an automated manner.
The right to request the transfer of Data specified in this paragraph 14 does not apply to Data processed in paper files.
15. If the data subject raises an objection to the processing of his or her data based on his or her particular situation, and the legal basis for the processing of the Data is the legitimate interest of the Administrator, the Administrator will take into account the objection, unless there are valid legally justified grounds for processing that override the interests, rights and freedoms of the person submitting the objection, or the basis for establishing, pursuing or defending claims.
16. The Administrator takes into account the objection of the data subject and immediately ceases to process his or her data (subject to the provisions of the above paragraphs) if this objection concerns the processing of Data for direct marketing purposes (including profiling).
X. Data Minimization
1. The Administrator ensures compliance with the principle of minimizing Personal Data in terms of:
a. Adequacy of the data for the purposes (i.e. the amount of data and the scope of processing corresponding to the purposes for which the Data is processed);
b. Access to Data;
c. Data Retention Time.
2. The Administrator verified the scope of the Data obtained, the scope of their processing and their quantity in terms of adequacy for the purposes of processing when implementing this Policy. The Administrator periodically reviews the amount of processed data and the scope of their processing at least once a year.
3. The Administrator applies the following restrictions on access to Personal Data: legal (confidentiality obligations, scope of authorizations), physical (access zones, locking rooms) and logical (restrictions on authorizations to systems processing personal data and IT systems in which personal data reside) described in detail in point XI of this Policy.
4. The Company implements mechanisms to control the life cycle of personal data in the Company, including periodic data review and determining the duration of their processing indicated in the RCP and RKCP. Data whose scope of usefulness is limited over time is deleted from the Administrator's systems, as well as from reference and main files. However, such data may be archived and located on backup copies of systems and information processed by the Company. The procedures for archiving and using archives, creating and using backup copies take into account the requirements for control over the data life cycle, including the requirements for data deletion.
XI. Strategy for ensuring the security of Personal Data - organizational, technical and physical measures necessary to ensure the accuracy, confidentiality, integrity and accountability of Personal Data
1. The Company applies physical access control to Personal Data, consisting of:
a. Updating the records of Authorized Persons in the event of personnel changes taking place in the Company, in the event of changes in the positions of Authorized Persons and in the event of modifications to the processing processes or changes in entities processing Data on behalf of the Company;
b. The authorized person signs a declaration in his/her own hand that he or she has read the provisions on the protection of personal data, the Company's internal documentation in this regard, and that he or she is obliged to keep confidential all Data to which he or she has (or may have) access;
c. The risk of loss of Data security (including its confidentiality or integrity) arising from third parties and external entities, including those being the Administrator's suppliers, is minimized by drawing up appropriate processing entrustment agreements or adding appropriate provisions in already existing agreements, imposing on these third parties or external entities obligations arising from the GDPR and other provisions regarding the protection of personal data;
2. The Administrator organizes training in the processing, protection and security of Personal Data, taking into account the following assumptions:
a. Each person who is to obtain the status of an Authorized Person undergoes training;
b. In the event of a change in the principles or procedures applicable at the Administrator in the field of Data protection, internal training is carried out for all Authorized Persons affected by this change;
c. Training is also carried out for persons other than Authorized Persons, if the functions performed by these persons involve the protection of Personal Data.
3. The Administrator applies physical and organizational security measures adapted to potential threats to the security of the Data, including:
a. metal entrance doors secured with, among others, anti-burglary pins and a central anti-burglary lock with a Gerda key insert;
b. two armored cabinets, to which only persons authorized by the Administrator have access;
c. lockable cabinets;
d. computers secured with individual passwords;
e. password-protected access to all computer systems used, including e-mail.
4. Technical means of securing personal data, in particular those related to the operation of IT systems in which data are processed and access to these systems, are specified in the IT System Management Instruction.
5. Each Authorized Person, regardless of the provisions of point V of this Policy, is obliged to:
a. Organize their work station in such a way as to prevent unauthorized persons from reading the content of the documentation (including that displayed on the computer screen) containing Personal Data;
b. Not leave documents, data carriers and equipment unattended, especially when transferring or processing personal data at the Company's headquarters or outside the Company's headquarters;
c. Not interfere with the Administrator's computer software (systems) and the configuration of the devices entrusted to them (laptop, smartphone) without the Administrator's express command;
d. Comply with the scope of authorizations to process Data, i.e. use only their own ID and password to access the IT system and follow the Administrator's instructions in this regard;
e. Shred or appropriately secure all documents containing personal data before leaving the workplace or after the end of the working day;
f. Not leave unauthorized persons in the room where personal data is processed without the presence of an Authorized Person.
6. The administrator introduces and ensures the following procedures for dealing with physical media (e.g. portable drives, CDs/DVDs):
a. Data from physical media that are not backup copies, after being entered into the Administrator's IT systems, should be permanently deleted by destroying them or using software enabling permanent data deletion.
b. After use, all documents containing Personal Data should be immediately destroyed or secured in locked cabinets.
7. The Administrator introduces and ensures the following procedures for dealing with portable devices and data carriers (laptops, smartphones, portable drives), including in connection with remote work for the Company (outside the Company's headquarters):
a. Portable devices and data carriers taken out of the Administrator's office should not be left unattended in public places; the user is responsible for the proper protection of the carrier;
b. In the case of processing Personal Data outside the Administrator's office, documents containing personal data should, if possible, be returned and properly secured at the Administrator's office after the work is completed;
c. Information stored on portable devices and data carriers should be protected against physical damage and appropriate protection against loss (loss or theft) should be provided.
8. The Company applies procedures to identify, assess and report identified data protection violations to the President of the Office for Data Protection within 72 hours of determining the violation. Details regarding the identification, assessment and reporting of violations to the supervisory authority and the data subject are set out in the Violations Reporting Policy and the incident register.
9. The Company assesses the effects of planned processing operations on the protection of Personal Data where, according to the risk analysis, there is a high risk of violating the rights and freedoms of natural persons. The Administrator applies the impact assessment methodology adopted by the Company, taking into account in particular the requirements of Art. 35 section 7 GDPR.
XII. Recipients of Personal Data
1. The Company verifies the Processing Entities, ensuring that the Processors provide sufficient guarantees of the implementation and application of appropriate organizational and technical measures to ensure security, implementation of individual rights and other data protection obligations of the Administrator.
2. The Company concludes contracts for entrusting the processing of Data that meet the requirements set out in the provisions on the protection of Personal Data, in particular those resulting from Art. 28 GDPR.
3. The Company records the transfer of Data to a third country in the T&A.
4. When transferring Data to a third country, the Administrator ensures appropriate safeguards in terms of protecting the privacy and rights and freedoms of the data subject by applying standard contractual clauses for the protection of personal data, approved by the European Commission in accordance with Art. 26 section 4 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
XIV. Privacy management
The Company manages changes in business processes (projects, investments) that affect privacy in such a way as to ensure an appropriate level of security of Personal Data, their correctness, integrity and minimization of their processing.
For this purpose, the principles of conducting projects and investments by the Company refer to an approach based on including privacy in the design phase, as well as the operation and management of information technologies and systems throughout the entire Data life cycle.
XV. Liability of Authorized Persons
Failure to comply with this Policy or violation of other Data protection procedures by employees authorized to process Personal Data may be treated as a serious breach of employee duties, resulting in termination of the employment relationship without notice pursuant to Art. 52 of the Labor Code. If the Authorized Person cooperates with the Administrator on the basis of a civil law contract, failure to comply with this Policy or violation of other Data protection procedures constitutes the basis for claims for damages against persons performing services under such contracts. Regardless of this, the Authorized Person is also liable under the principles specified in generally applicable provisions of Polish law (including criminal liability referred to in the Act of May 10, 2018 on the protection of personal data).
XVI. Final Provisions
1. This Policy enters into force on May 25, 2018 and is valid for an indefinite period.
2. The Company may make changes, modifications or additions to this Policy at its discretion. Authorized persons will be informed about any changes to this Policy in advance.
3. This Policy is confidential; therefore it is prohibited to reproduce it in any form or to make it available to unauthorized persons without the prior consent of the person indicated in point II section 3 above.
If you have any questions regarding our Privacy Policy, please write to our address rodo@moregroup.com.pl
Cookies
The owner of the websites: www.moremodels.com.pl, www.moretalents.com.pl and www.moregroup.com.pl is MORE Group Spółka z ograniczoną odpowiedzialnością (address: 00-626 Warszawa, ul. Marszałkowska 9/15 lok. 13, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, Commercial Court - XII Department of the National Court Register under KRS number: 0000375606).
The websites www.moremodels.com.pl, www.moretalents.com.pl and www.moregroup.com.pl use Google statistics to assess the effectiveness of their own activities and advertising campaigns. Cookies are used to measure this effectiveness and are placed on your computer when you click or view an advertisement. They do not contain personal data or contact details. Detailed information on how Google uses information collected through cookies can be found at: http://www.google.com/intl/pl/privacy.html.