Personal data protection policy of the “Kwitnący Dom” project run by the Foundation Inna Przestrzeń
ul. Nowy Świat 23/25 lok. 32, 00-029 Warsaw
NIP: 521-33-93-003
DEFINITIONS
§ 1. The Personal Data Protection Policy, hereinafter referred to as the Policy, has been developed on the basis of Article 24(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – RODO).
§ 2. The purpose of the Policy is to ensure the security of the processing of personal data through the application of uniform principles for the processing of personal data, in compliance with the RODO and specific provisions.
§ 3. The Policy sets out the principles for the processing of personal data:
by all employees and volunteers providing activities under contract,
in the form of paper documentation as well as records in IT systems and stored on electronic data carriers,
by all persons processing data on behalf of and under the responsibility of the House, regardless of their form of employment or cooperation,
individual personal information,
within data sets:
resident records,
employee and related documentation,
donors and sponsors and collaborators,
financial and accounting records,
documentation of beneficiaries of other forms of assistance and persons applying for such assistance.
§ 4 The terms used in the content of this Policy should be understood as:
Home – the Kwitnący Dom Project at the address in Warsaw, 14 Kwitnąca Street run by Fundacja Inna Przestrzeń ul. Nowy Świat 23/25 lok. 32, 00-029 Warsaw, NIP: 521-33-93-003
personal data – information about an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person,
special categories of data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person,
personal health data – all data concerning the health of a data subject, revealing information about the past, present, future physical or mental health of the data subject. collected at the time of his/her registration for health care services, during the provision of his/her health care services, including the number, symbol or designation assigned to the individual, information derived from laboratory or medical examinations of body parts or bodily fluids, any information, for example, about a disease, disability, disease risk, medical history, clinical treatment or physiological or biomedical condition of the individual, the source of which may be a health professional, hospital, medical device or diagnostic test,
data subject – the natural person to whom the data relates,
personal data controller – hereinafter referred to as ADO – Inna Przestrzeń Foundation (Fundacja Inna Przestrzeń) ul. Nowy Świat 23/25 lok. 32, 00-029 Warsaw, NIP: 521-33-93-003, on behalf of which acts the Plenipotentiary Anna Urszula Kłos
personal data filing system – a structured set of personal data which are accessible according to specific criteria, whether the set is centralised, decentralised or dispersed on a functional or local basis,
data processing – shall mean an operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed,
erasure – destruction of personal data or its modification in such a way that it does not allow for the identification of the data subject,
computer system – a set of cooperating devices, programs, information processing procedures and software tools applied for the purpose of data processing,
processor – an employee of the Home and a volunteer acting under a contract, authorised by the ADO to process personal data,
staff – a processor or other person acting on behalf of or
under the authority of the ADO,
resident – a person applying for a temporary right to use the care services of the Home, a person who uses such services and a person who used such services in the past, as well as a minor child of that person remaining under his/her actual care during his/her use of the care services of the Home.
an outsider – any person, with the exception of the person designated for data processing, in a room designated for that purpose and at a given stage of processing,
including other staff of the Home. A bystander does not include other House staff carrying out professional activities in a shared room, unless required by the specific nature of the activity.
consent of the data subject – means a voluntary, specific, conscious
and unambiguous demonstration of will by which the data subject, in the form of a statement or a clear affirmative action, consents to the processing of personal data concerning them.
GENERAL PRINCIPLES OF DATA PROCESSING
§ 5. 1. Personal data shall be processed on the basis of legal provisions or legitimate interests pursued by the ADO to the extent necessary for the proper provision of the House services.
(2) Data processing may also take place on the basis of the data subject’s consent. This consent should be in writing, indicate the date of its granting and specify the purposes to which it relates. A model declaration of consent is set out in Appendix 1.
3 The ADO shall not be liable for redundant data provided by the data subject on his/her own initiative. Such data, at the discretion of the ADO, may be returned or destroyed.
Prior to giving consent, the data subject shall be informed about the processing of his/her data.
Written consent shall not be required when the action of the data subject confirming consent is clear and unambiguous. An explicit action shall be understood to mean, in particular, the selection by the data subject of certain technical settings in the computer system, the filling in by hand of fields in forms, the provision of personal data by the resident to provide information or assistance in dealing with formal matters.
Consent may be withdrawn at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. The data subject, shall be informed of this before consent is given. If the withdrawal of consent is carried out by means of a verbal declaration by the data subject, the processor shall record this fact in the relevant documentation, indicating the date, and take appropriate steps to discontinue further processing.
The data subject should be informed of the consequences of not consenting to the processing, with regard to residents this may prevent them from being provided with care services.
§ 6 Data shall be processed fairly and transparently for the data subject
for specific, explicit purposes and not further processed in a way incompatible with those purposes, limited to what is necessary for the purposes for which they are processed and kept in a form which permits identification of the data subject for no longer than is necessary for the purposes of the processing or the period prescribed by law.
§ 7. Personal data may be processed after at least one of the following conditions has been met.
of the conditions:
processing is necessary for the fulfilment of a legal obligation incumbent on the ADO,
processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes,
the processing is necessary to protect the vital interests of the data subject or of another natural person,
processing is necessary for the purposes of the legitimate interests pursued by the ADO or by a third party.
§ 8 Special categories of data may be processed if:
the data subject has given his/her explicit consent to the processing of such data,
the processing is necessary for the fulfilment of obligations and the exercise of specific rights by the ADO or the data subject in the field of labour law, social security and social protection,
the processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving his or her consent,
the processing relates to personal data manifestly made public by the data subject,
is necessary for the establishment, exercise or defence of claims,
the processing is necessary for the purposes of providing health care or social security by law.
processing is necessary for statistical purposes.
§ 9. 1. Resident’s health data may be processed if this is necessary for the purposes of ensuring a safe stay, individual care, enabling the use of health care services, ensuring the financing of benefits from public and non-public funds.
(2) Resident data relating to breaches of the law and related measures may only be processed for the purposes of ensuring the safety of residents of the Home.
(3) Data on the resident’s family and financial and living situation may be processed for the purpose of providing additional benefits from non-public funds or enabling the use of public benefits.
(4) Personal data, including data concerning the life, family and material situation, of a person using or applying for other non-residential, forms of assistance may be processed for the purpose of processing applications or providing such a person with assistance. With the consent of that person, data may also be processed for the purpose of providing such assistance in the future.
§ 10. 1. data concerning employees within the scope defined by the Labour Code may be processed only for the purpose of keeping employee files, including time records, settlements with employees, calculation of charges, contributions and benefits, provision of working conditions and tools, professional development, notifications to authorities to which such obligation results from the act.
(2) Data concerning the employee’s family situation may be processed in the event that the employee benefits from specific entitlements set out in the Labour Law with the employee’s consent expressed by submitting an application for such benefits.
(3) Data concerning job applicants within the scope defined by the Labour Code may be processed only for the purpose of recruitment and then destroyed, unless the applicant agrees to participate in future recruitments.
(4) Data concerning volunteers may be processed only for the purpose of fulfilling the volunteer agreement and safeguarding the legal interests of ADO.
§ 11. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of associations and organisations, genetic data, biometric data for the purpose of uniquely identifying a natural person, sexuality or sexual orientation of that person shall not be processed.
§ 12. 1. Personal data processed at the House can be made public only
in cases where such an obligation results from the Act and within the scope specified by the Act.
(2) The personal data of an employee and a volunteer acting on the basis of a contract may be made public to the extent necessary to carry out the tasks and duties of the ADO related to the running of the Home.
(3) Personal data of a resident shall not be made public in any mode or scope, and may be made public only on the basis of the resident’s consent.
(4) Personal data of another person may be made public only with his/her consent.
§ 13. 1. ADO reserves the right to publish promotional and organisational information, or anonymised data, on his/her profile in an online social network, publicly available, or accessible to a specific group of recipients.
(2) The use by the data subject, to any extent, of the functionalities of such a service is voluntary and takes place on the basis of the rules of that service.
(3) The ADO shall not be held liable for personal data voluntarily made public by the data subject on the profile of the House in an online community service, whether in the form of a main post, comment, link or link.
§ 14 (1) Personal data may be made available to other public entities only on the basis of the Act and within the scope specified by the Act.
(2) Special categories of resident’s personal data, may be made available
to the necessary extent to other entities, only for the purpose of providing social benefits, social care, health care or other vital interests to the resident, only with the resident’s consent.
§ 15 Sharing a resident’s personal data does not include:
the provision of assistance to a resident in the drafting of official letters, formal requests, applications or the service of such by staff in person or by electronic means;
the action of staff before other bodies and authorities on behalf of a resident, at the request or on the authority of a resident;
the publication by the ADO of organisational information on the Home’s profile on social networking sites;
voluntary sharing of data by the data subject on the profile of the Home
on an online community service.
§ 16. the resident’s personal data may be shared to the extent necessary with other residents in order to organise the order of the day, including the division of daily activities
at the House.
§ 17 (1) Data processing does not include providing a resident with access to means of electronic communication, devices and applications for independent writing of letters, messages or independent searching for information.
(2) When using the means referred to in paragraph (1), the resident is solely responsible for deleting user files, deleting browsing history, logging out of access applications, not using autocomplete forms.
(3) It is not data processing to enable a resident to receive mail at the Home’s mailbox address.
(4) It is not data processing to provide the resident with assistance in the use of the means referred to in paragraph (1).
§ 18. Personal data, in particular concerning employees and financial and accounting data, on the basis of a written agreement, may be entrusted for processing, to processors who provide sufficient guarantees for the implementation of appropriate technical and organisational measures to protect the rights of data subjects and comply with the requirements of the RODO, in particular Article 28(1) of the RODO.
§ 19. 1 A processor shall process personal data on the basis of a written authorisation issued by the ADO, only within the scope of the performance of professional duties or the performance of a contract with the ADO. The processor shall not process data beyond the minimum scope necessary to perform the tasks entrusted to him/her.
(2) The processor shall not be entitled to transfer his/her authorisation to another person.
§ 20 (1) The source of personal data processed by the Home shall be the data subject or a person representing their rights or acting under their authority.
(2) The source of personal data of family members is the employee benefiting from special benefits provided for by the Labour Code.
(3) The source of personal data may be a donor, sponsor or collaborator
with regard to the data of which he is the controller.
(4) In specific, justified cases, the source of data may be another person than the data subject.
(5) Personal data from other sources are not collected or processed at the Home.
§ 21. 1. In the House, data are not processed in an automated manner. Automated processing does not include algorithms for searching or presenting content on the profile of the House on an online social network.
(2) Automated data processing is not the transfer of data directly from the IT system to state registers in fulfilment of a legal obligation.
§ 22. personal data shall not be used for the automated assessment of certain personal factors of an individual, in particular for the analysis or forecasting of aspects relating to that individual’s performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
§ 23. personal data contained in telephone and e-mail correspondence is processed only for the purpose resulting from the content of that correspondence.
§ 24. The Home’s website, for the convenience of users, may include links leading to external websites not operated by the Home. The Home is not responsible for the collection and processing of data by these sites.
PRINCIPLES FOR THE EXERCISE OF DATA SUBJECT’S RIGHTS
§ The ADO shall ensure the fulfilment of the data subject’s information obligations by means of information clauses published on the website, as an attachment to the application forms, display of advertisements in places accessible to the data subject, presentation of individual clauses to the data subject.
(2) The fulfilment of the information obligation towards the data subject shall take place prior to the acceptance of his/her data from the data subject.
(3) The information referred to in paragraph 1 shall also be provided by the ADO upon request of the data subject.
the requirement referred to in paragraph 1 may be omitted, if the information is already available to the data subject; the provision of the information proves impossible or would involve a disproportionate effort, or the data acquisition is expressly regulated by the law to which the ADO is subject, providing for adequate measures to protect the legitimate interests of the data subject.
§ 26. 1. Communication with the data subject in relation to the exercise of his/her rights shall be conducted in Polish; in a concise, transparent, intelligible and easily accessible form, in clear and plain language; in the form in which the request or demand was submitted, unless a different form results from the essence of the activity or the content of the subject’s request.
(2) The ADO may communicate with the data subject in another language which the data subject understands, however, for legal purposes the Polish language version shall be binding.
§ 27 Communication with the data subject regarding the exercise of his/her rights as a data subject shall be undertaken once his/her identity has been established. This communication shall be free of charge.
§ The exercise of the data subject’s rights referred to in Articles 15-22 of RODO shall be free of charge, whereby the first copy of the data shall be issued free of charge, for subsequent copies a fee shall be charged in accordance with the price list or in the amount of actual administrative costs if the price list is not specified. Issuance to the data subject of a copy of his/her data shall not infringe upon the rights and freedoms of other persons, whereas such infringement shall not constitute disclosure of the data of the persons making the entry in the original documentation.
A request may be refused if it is manifestly unfounded or excessive, however, the reason for refusal shall be communicated to the requester.
§ 29 The data subject’s right to be forgotten shall not apply to data to the extent the processing is necessary for the fulfilment of a
fulfilment of a legal obligation to which the ADO is subject, or to establish, assert or defend claims.
VERIFICATION OF THE DATA SUBJECT’S IDENTITY
§ 30. 1. The data subject’s identity shall be verified before his/her data are recorded on the basis of an identity document issued pursuant to the Act, containing at least the name and surname, a photograph of the person, PESEL number. The document confirming identity shall be in particular: identity card, driving licence, passport (also foreign), student card, school ID card.
(2) In justified cases, the ADO may establish the identity of a data subject on the basis of other documents issued in the country of origin of the data subject or other national documents.
(3) No copy of the document on the basis of which the data subject’s identity has been established shall be made, however, the features of the document may be noted.
(4) The verification of the data of a person under the authority of a legal representative or a de facto guardian shall be carried out by verifying the identity of the said representative or guardian and taking a statement from him/her on the identity of the ward.
(5) In the case, where the verification of identity is carried out in a manner other than in person or by means of electronic communication, or in the situation of doubts regarding the identity of a person, additional information may be requested or additional steps may be taken by the data subject to confirm the identity of that person, such as: comparing the provided data with already possessed data, requesting additional personal data or using a qualified electronic signature or a signature confirmed by the trusted ePUAP profile, bank transfer confirming the compliance of the data, authentication by means of IT systems, remote control of the document confirming the identity.
(6) The ADO may refuse to perform the requested or requested action when the identity of the data subject is not clearly known to him/her.
DATA SECURITY
§ 31. 1. Data processing shall be carried out in separate rooms,
in the presence of processors, without the presence of unauthorised persons. 2.
(2) Data processing, may with the consent of the data subject or on his/her initiative, be carried out by means of electronic communication. In such case, the processor shall be obliged to ensure data security within the scope of its authority.
§ 32. 1. The premises where the personal data are processed shall be secured in a way that prevents access to the data by unauthorised persons for the time of absence of the processor by means of adequate technical solutions.
(2) The presence of outsiders in the premises where the data are processed shall be allowed only with the permission and in the presence of the processor.
§ 33. 1. The ADO shall take the necessary technical and organisational measures to minimise the risk of personal data protection breach at each stage of the processing, in particular when receiving from the data subject his/her data and verifying the data subject’s identity.
(2) The data processor shall, taking into account technical possibilities
premises during data processing, shall take necessary measures to minimize the risk of disclosure of data, in particular of special categories of data.
§ 34. it shall be prohibited, regardless of the duration of the processor’s absence
in the room:
leaving the door to the room unlocked by the last person to leave,
to leave the key in the lock from the outside, both while in the room and after leaving the room and locking it.
leaving the key in the lock from outside, both during the stay in the room as well as after leaving the room and closing the lock,
leave the windows of rooms, especially porter’s windows, open; if necessary, except on the first floor, windows may be left ajar for the duration of a temporary absence,
leaving an unsupervised person in the room,
leaving electronic documents or access applications open.
§ 35. 1. Personal data processed both in paper form and on electronic data carriers should be stored in locked cabinets.
(2) The documents and electronic data carriers on which the current processing operations are performed may be kept outside the cabinet only for the time of such processing.
(3) Redundant copies, print-outs, records, which are not the source document, shall be destroyed immediately by physical dismemberment of the medium in such a way that data cannot be reconstructed.
(4) The storage of data after the period of their current processing and the destruction of the source data after the expiry of the storage period shall be performed on the basis of other regulations adopted by the ADO.
MEASURES FOR THE PROTECTION OF PERSONAL DATA PROCESSED IN ELECTRONIC FORM
§ 36. (1) The workstation where personal data are processed should be protected by anti-virus software and have an updated operating system.
(2) One workstation may be used by multiple users, provided that separate user accounts are separated, or if the activities performed by individual users can be distinguished on the basis of other data.
(3) The use of a private workstation or mobile device is permitted provided that the provisions of the policy are complied with.
§ 37. 1. The right of access to the information system at a certain level shall be granted by A|D|O, according to the responsibilities of the processor.
(2) The processor performing professional activities using the IT system shall comply with generally accepted security rules and ADO guidelines.
§ 38. Printouts containing data from the IT system shall be protected like paper documentation.
§ 39. personal data stored on the workstation should be encrypted at least with commonly available software.
§ 40 (1) Internal electronic correspondence and should only be carried out using an established electronic mailbox.
(2) It is not permissible to store sets of personal data in electronic mail.
(3) In case of sending sets of personal data or special categories of data, these data should be encrypted at least using commonly available tools, the key should not be sent through the same correspondence channel.
(4) In case of multiple correspondence with the same recipient, one key may be used.
§ 41. Personal data processed only on a workstation or mobile device, including files and documents as well as text messages should be deleted immediately after use, unless their further processing is prescribed by law.
PRINCIPLES OF TRANSFERRING INFORMATION CONCERNING A RESIDENT IN AN EMERGENCY SITUATION
§ 42 (1) The ADO may undertake contact with a third party, without the resident’s consent, for the purpose of transferring or obtaining data, including data on the resident’s health, necessary for the protection of the vital interests of the resident or of another person, in particular the protection of health or life, in the event that the resident is not physically or legally capable of giving consent in a timely manner.
(2) As far as possible, the identity of the third party shall be verified and recorded,
GRANTING AUTHORIZATION TO PROCESS PERSONAL DATA
§ 43. 1. The basis for the data processing shall be a written authorization issued by the ADO, which specifies the data filing system, the scope of processing and the validity period, which can be specified by date or reference to another legally binding document. Specimen of the authorization constitutes attachment No. 2.
§ Before the authorisation is issued, the ADO shall familiarise the processor with
the principles of data processing at the workstation and accepts from him/her the statement
of keeping confidential any personal data obtained in connection with the employment, also after the termination of the employment. The ADO may also accept such declaration from other personnel. A model declaration is attached as Annex 3.
(2) The requirement to make a written declaration shall not apply to persons for whom the obligation to keep confidential any personal data obtained in connection with their employment has been laid down by law, unless the law so provides.
§ 45 The authorisation shall cease to have effect upon the expiry of the period for which it was issued or upon the termination of employment or other contract.
PROCEDURE IN CASE OF DATA PROTECTION BREACH
§ 46. 1. Personal data breach – shall mean a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
(2) The incidents referred to in paragraph (1) in particular include:
marks on doors, windows and cabinets indicating a breach of physical security,
the physical presence on the premises, without the presence of an authorised person, of persons behaving in a suspicious manner,
leaving the doors to rooms, cabinets where personal data is stored open, without the supervision of the processor,
destroying data media in a way that makes it possible to reconstruct them,
using personal data for private purposes,
setting up monitors that allow outsiders to see personal data,
taking personal data in paper or electronic form outside the place of its processing without the ADO’s consent.
making personal data available to unauthorised persons,
attempting or modifying or deleting data without appropriate authorisation,
copying data, including in electronic form, without justification,
unlawful taking of data media,
loss of control over a copy of personal data,
the appearance of a computer virus or abnormal operation of computers,
other behaviour or events that may lead to a breach of data protection.
§ 47.1 A processor who discovers or suspects a personal data breach shall:
immediately notify the ADO.
take the necessary actions to stop the effects of the breach of protection and secure evidence making it possible to determine the causes and effects of the breach.
(2) The processor shall also notify the DPO of situations that may lead to a data breach.
§ 48. After receiving the information referred to in § 46 paragraph 1, the ADO shall take the following steps:
acquaints himself/herself with the situation and chooses a further course of action taking into account the threat to the correctness and continuity of work,
receives a detailed account of the data security breach from the notifier as well as from any other person who may have information in relation to the breach that has occurred,
liaises with external specialists, if necessary,
document the data breach incident,
report to the competent authorities if required by law,
take or organise corrective and mitigating actions.
§ 49. 1. In case of a personal data breach, the ADO shall, without undue delay – if possible, not later than 72 hours after the breach has been identified – notify it to the Personal Data Protection Authority, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of natural persons. A notification submitted to the supervisory authority after the expiry of 72 hours shall be accompanied by an explanation of the reasons for the delay.
(2) Where a personal data breach is likely to result in a high risk of violation of the rights or freedoms of natural persons, the ADO shall notify the data subject of such breach without undue delay.
(3) The notification referred to in paragraph 1 shall not be required if the ADO has implemented appropriate technical and organisational protection measures and these measures have been applied to the personal data affected by the breach, or has applied measures eliminating the likelihood of a high risk of violation of the rights or freedoms of the data subject.
RESPONSIBILITY OF THE PROCESSOR
§ 50 The processor shall be responsible for:
being familiar with and complying on an ongoing basis with the data protection legislation, including the ADO’s guidelines and instructions.
limiting the extent of data processing to the minimum necessary to achieve the purposes of processing at the occupied workstation,
securing, within the limits of the organizational and technical capacities of the workplace, against any violation of the security of the processed data,
the correctness of the processed data,
to keep the personal data confidential both during the period of employment or cooperation and after this period.
§ 51. 1. Allowing unlawful destruction, loss, modification, disclosure or unauthorised access to personal data processed in any form, even if accidental, shall constitute a serious breach of the employee’s duties.
(2) Failure to take the action specified in § 46. 1 may be treated as a grave breach of the employee’s duties.