PERSONAL DATA PROTECTION POLICY

In performance of the obligations imposed on the personal data controller under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, MLabs spółka z ograniczoną odpowiedzialnością introduces the following personal data protection policy as of 25 May 2018. The Company’s management board requires that all employees of the Company read this Policy and implement its rules.

Definitions and abbreviations

personal data - any information relating to an identified or identifiable natural person (‘data subject’);

processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
 

filing system - any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
 

DC – data controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
 

processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
 

recipient - a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with the law are not regarded as recipients;
 

restriction of processing - the marking of stored personal data with the aim of limiting their processing in the future;

consent of the data subject - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;


personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;


pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;


genetic data - personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;


biometric data - personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;


data concerning health - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;


RODO (GDPR) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;


supervisory authority - Personal Data Protection Office;


Company - MLabs sp. z o.o., an enterprise which introduced this Personal Data Protection Policy.

Purpose and scope of personal data processing
§ 1

1.         The Company processes personal data for the purpose of performing tasks related to its business operations to the extent necessary and adequate to the performance of these tasks.

2.         The Company acts as the personal data controller within the meaning of the GDPR.

3.         The rules set out herein apply to the protection of personal data processed in the Company in paper form and personal data on any electronic data carriers, in IT systems, also in the case of processing data outside the filing system.

4.         The Company does not intend to use data profiling within the meaning of the GDPR.

5.         The Company does not intend to use automated decision-making.

6.         The Company does not intend to process personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, and to process genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning a natural person's sex life or sexual orientation.

7.         If this follows from the provisions of law or if one of the conditions listed in Article 9(2) of the GDPR is met, the Company shall allow for the processing of data concerning health and trade union membership.

8.         The processing of personal data concerning criminal convictions and offences in the Company shall be permissible only in the cases expressly provided for by law.

Organisation of personal data protection
§ 2

1.         The President of the Company shall be responsible for organising and ensuring appropriate protection of the personal data processed in the Company.

2.         All the documents and materials processed in the Company which contain information on identified or identifiable natural persons form the Personal Data Resource (PDR) of the Company.

3.         Heads of the Company’s organisational units shall be obliged to perform the tasks and obligations of the personal data controller, as referred to in the GDPR, with respect to the personal data processed in their subordinate organisational units of the Company.

4.         When performing the tasks of the data controller with respect to the personal data processed in their subordinate organisational units, the heads of the Company’s organisational units shall be obliged to apply technical and organisational measures which ensure protection of the personal data processed that is adequate to the risks and protected categories of data; in particular, they should secure the data against disclosure to unauthorised persons, processing in breach of the Act, and unauthorised change, loss, damage or destruction. These persons shall also be obliged to ensure and organise appropriate physical protection, including physical protection of the personal data processed in their subordinate organisational unit of the Company.

5.         When performing the tasks of the data controller, the head of the Company’s organisational unit shall be obliged to implement appropriate technical and organisational measures so that the processing of personal data complies with the GDPR and is in accordance with the provisions of these Regulations, and shall be obliged to apply such measures so that they can demonstrate the correctness of these activities.

6.         The head of the Company’s organisational unit should exercise particular care with respect to the personal data processed in their subordinate organisational unit in order to protect the interests of the data subjects, and in particular they shall be obliged to ensure that these data are:

6.1. processed lawfully;

6.2. collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes;

6.3. factually correct and adequate in relation to the purposes for which they are processed;

6.4. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.

Principles of personal data processing
§ 3

1.         Personal data processing shall be understood as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.         When processing personal data, particular care should be exercised in order to protect the interests of data subjects and the following principles must be strictly complied with:

2.1 Lawfulness, fairness and transparency in accordance with which:

2.1.1 personal data shall be processed in accordance with the applicable provisions on personal data protection and provisions which govern the operations of data processors,

2.1.2 particular care should be exercised to protect the interests of data subjects,

2.1.3 personal data processing operations must be transparent for data subjects. Any information and communication relating to the processing of their personal data should be easily accessible and easy to understand.

2.2 Purpose (purposefulness) limitation in accordance with which personal data should be collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that:

2.2.1 the purpose of data collection should be identified in an explicit and specific manner,

2.2.2 the purpose of data collection has to be specific enough so that it is possible to identify what data processing operations are covered by that purpose,

2.2.3 the purpose may not be omitted or withheld when collecting data,

2.2.4 the purpose of data processing may not be specified in general terms,

2.2.5 this purpose should be communicated to the person concerned prior to collecting personal data.

2.3 Data minimisation (adequacy) in accordance with which data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The controller should process only such data and only with such content as are necessary in respect of the purpose of collecting these data.

2.4 Data accuracy (factual correctness) in accordance with which the controller shall be obliged to take any action in order for the personal data that are inaccurate in view of the purposes for their processing to be erased or rectified without delay.

2.5 Storage limitation (limitation in time) in accordance with which data have to be kept in a form which permits identification of a data subject for no longer than is necessary for the purpose of processing. After the purpose has been fulfilled, the data should be erased, anonymised or transferred to an entity authorised by law to receive them from the controller.

2.6 Integrity and confidentiality in accordance with which data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2.7 Accountability in accordance with which the controller shall be responsible for, and be able to demonstrate compliance with, the aforementioned principles.

3.       Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

3.1 the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

3.2 processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

3.3 processing is necessary for compliance with a legal obligation to which the controller is subject;

3.4 processing is necessary in order to protect the vital interests of the data subject or of another natural person;

3.5 processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

3.6 processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.       The condition for the lawfulness of processing specified in item 3.5 shall not apply to processing carried out by public authorities in the performance of their tasks.

5.       The listing of conditions for the lawfulness of personal data processing specified in item 3 is an exhaustive list. Each condition legitimising the processing of personal data is of autonomous and independent nature and therefore, the fulfilment of at least one of them forms the basis for the lawful processing of personal data.

6.       Whenever the Company’s operations performed on personal data fall under any of the conditions specified in items 3.2–3.6, the processing of data shall not require the consent of the data subject. In other cases, the consent of the data subject shall determine the lawfulness of the processing of personal data.

7.       Each head of the Company’s organisational unit shall be obliged to list the cases of personal data processing which require the consent for the processing of personal data from data subjects.

8.       The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Obligations to provide information

§ 4

1.         With respect to the personal data processed in their subordinate organisational unit, the head of the Company’s organisational unit shall be obliged to take appropriate measures to provide any information referred to in item 4 to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

2.         The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

3.         The head of the Company’s organisational unit shall communicate any rectification or erasure of personal data or restriction of processing performed to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The head of the Company’s organisational unit shall inform the data subject about those recipients if the data subject requests it.

4.         Where personal data relating to a data subject are collected from the data subject, the head of the organisational unit shall provide the data subject with the following information:

4.1 the address of the registered office, contact details and full name of the Company;

4.2 the purposes of the processing for which the personal data are intended;

4.3 the legal basis/bases for the processing;

4.4 the recipients or categories of recipients of the personal data, if any;

4.5 the period for which the personal data will be stored in the Company, or if that is not possible, the criteria used to determine that period;

4.6 the existence of the right to request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability, if any;

4.7 the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal – where the processing is based on the consent of the data subject;

4.8 the right to lodge a complaint with an authority supervising the processing of personal data;

4.9 whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

4.10 the fact that the Company intends to transfer personal data to a third country or an international organisation, where applicable.

5.         Where the head of the Company’s organisational unit intends to further process the personal data for a purpose other than that for which the personal data were collected, the head of the Company’s organisational unit shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in item 4.

6.         The Company shall provide the information referred to in item 4:

6.1 within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

6.2 if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

6.3 if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

7.         The obligation to provide information referred to in item 4 shall not apply where and insofar as:

7.1 the data subject already has the information, whereas the burden of demonstrating that the data subject already has the information shall be borne by the Company;

7.2 the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or in so far as the obligation referred to in item 4 is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the Company shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

7.3 obtaining or disclosure is expressly laid down by the law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests;

7.4 where the personal data must remain confidential subject to a statutory obligation of secrecy.

Rights of data subjects
§ 5

1.         At the request of the data subject, the Company shall confirm whether or not personal data concerning him or her are being processed, and, where that is the case, provide access to the personal data and the following information:

1.1 the purpose of the processing;

1.2 the categories of personal data concerned;

1.3 the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

1.4 where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

1.5 the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

1.6 the right to lodge a complaint with a supervisory authority;

1.7 where the personal data are not collected from the data subject, any available information as to their source.

2.         Prior to granting the request, the employee concerned shall verify and confirm the identity of the person submitting the request.

3.         Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

4.         The Company shall provide the data subject with a copy of the personal data undergoing processing.

5.         Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

6.         The disclosure of data on the basis of the request of the data subject and the provision of the first copy of personal data referred to in item 4 is free of charge. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs.

7.         The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her.

8.         Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9.         The data subject shall have the right to obtain from the Company the erasure of personal data concerning him or her (‘right to be forgotten’) without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

9.1 the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

9.2 the data subject withdrew consent on which the processing is based and there is no other legal ground for the processing;

9.3 the data subject objects to the processing pursuant to Article 21 of the GDPR and there are no overriding legitimate grounds for the processing;

9.4 the personal data have been unlawfully processed by the Company;

9.5 the personal data have to be erased for compliance with a legal obligation to which the Company is subject.

10.       Where the Company has made the personal data public and is obliged pursuant to item 9.1 to erase the personal data, the Company, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

11.       The provisions of items 9.1 and 9.2 shall not apply to the extent that processing is necessary:

11.1. for exercising the right of freedom of expression and information;

11.2. for compliance with a legal obligation which requires processing by the law to which the Company is subject;

11.3. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in item 9.1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

11.4. for the establishment, exercise or defence of legal claims.

12.       The data subject shall have the right to obtain from the Company restriction of processing where one of the following applies:

12.1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

12.2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

12.3. the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

12.4. the data subject has objected to processing – pending the verification whether the legitimate grounds of the Company override those of the data subject.

13.       Where the processing of personal data is based on consent of the data subject or on a contract and the purpose for processing allows it, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

14.       Where technically feasible, the data subject shall have the right to have the personal data transmitted directly from one controller to another.

15.       The right to data portability referred to in item 1 shall not adversely affect the rights and freedoms of others.

16.       The heads of the Company’s organisational units shall be obliged to keep records of data subjects’ requests for data access, a copy of data, data rectification, data erasure, the exercise of the right to data portability, the restriction of processing of personal data and the right to object to their processing.

Responsibility of the controller
§ 6

1.         Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the applicable laws, in particular with the GDPR.

2.         In particular, in view of the protection of the rights and freedoms of data subjects, the technical and organisational measures for the processing of personal data applicable in the Company shall be reviewed and updated.

3.         In the performance of the tasks of the controller, the heads of the Company’s organisational units shall be obliged to apply appropriate technical and organisational measures for the processing of personal data by design, at the time of the determination of the means for processing and at the time of the processing itself.

4.         In the performance of the tasks of the controller, the heads of the Company’s organisational units shall maintain a record of processing activities.

5.         The record of processing activities shall contain the following information:

5.1. the full name and contact details of the Company as the data controller;

5.2. the full name and contact details of the joint controllers, if any;

5.3. the Company’s organisational units as controllers of data processed during the performance of a task/process;

5.4. the purposes of processing identifying the tasks/processes carried out in the Company in connection with which these data are processed;

5.5. the categories of data subjects;

5.6. the categories of personal data;

5.7. the categories of recipients to whom the personal data have been or will be disclosed;

5.8. the envisaged time limits for erasure of the different categories of data;

5.9. the technical and organisational security measures;

5.10. the manner of performing the obligations to provide information.

6.         If the Company acts in a certain process as the processor (processes data under a data processing agreement), the head of the organisational unit who performs the tasks arising from an agreement or a legal provision, relating to entrusting the task of processing, shall maintain records of all categories of processing activities carried out on behalf of a controller which entrusted the Company with the processing of data, containing:

6.1. the full name and contact details of the Company as the processor;

6.2. the full name and contact details of controllers on behalf of which the Company processes data;

6.3. the full name and contact details of other processors;

6.4. the details of the Personal Data Protection Officer, data controllers and other processors, where applicable;

6.5. a general description of the technical and organisational security measures.

Granting, changing and revoking authorisations to process personal data and keeping records of persons authorised to process personal data and agreements related to personal data processing
§ 7

1.         Only persons with up-to-date, personal authorisations to process personal data or, for processors, with instructions for data processing detailed in an agreement or a legal provision on the basis of which the task of processing has been entrusted may be permitted to process the personal data controlled by the Company.

2.         The processor (the entity with which the Company has entrusted the task of personal data processing) and any person acting on behalf of the Company or the processor, who has access to personal data, shall process them solely under the instructions of the Company, unless this is based on the provision of law.

3.         The authorisation referred to in item 1 shall be granted prior to allowing the person to process personal data.

4.         All persons who process personal data controlled by the Company on the basis of an authorisation or instruction shall undergo training on the protection of personal data.

5.         The authorisation to process personal data in the Company can be granted to:

5.1. persons commencing employment, regardless of their legal basis of employment;

5.2. other persons, if this is in accordance with the law or if there is a justified need to grant an authorisation.

6.         Authorisations to process personal data shall be granted for a period of time specified in the authorisation or for the period of employment with the Company and may be revoked at any time.

7.         A detailed scope of the authorisation to process personal data granted to the Company’s employee follows from the current scope of their duties and currently held access rights to the Company’s ICT systems.

8.         The authorisation to process personal data shall be changed by the persons authorised to grant it.

9.         Loss of the authorisation to process personal data shall take place as a consequence of revoking it by the person authorised to grant it or as a result of the lapse of the period of time for which it has been granted.

Disclosure of personal data
§ 8

1.         Disclosure of personal data is one of the forms of their processing and takes place after one of the conditions of the lawfulness of processing referred to in § 3(3) has been fulfilled.

2.         Disclosure of data comprises any activities that enable entities other than the Company to familiarise themselves with the data processed by the Company.

3.         The Company shall disclose personal data upon a written request, on the basis of an agreement or a legal provision.

4.         The request referred to in item 3 should include:

4.1. the determination of the requester;

4.2. the legal basis entitling the requester to receive personal data;

4.3. the information enabling the search for the data requested;

4.4. the indication of the scope of personal data;

4.5. the determination of the purpose of the data requested;

4.6. the determination of the method of transferring the data.

5.         The requests for personal data disclosure received by the Company shall be recorded in the record of requests concerning personal data disclosure.

6.         The decision to disclose data shall be taken by the President of the Company’s Management Board.

7.         If the request meets the conditions specified in item 4, personal data should be disclosed without undue delay.

8.         Information containing personal data shall be transferred to authorised entities in a manner that ensures its safety and confidentiality:

8.1. in the form of a printout by registered letter or against confirmation of personal receipt;

8.2. on electronic data carriers, against confirmation of receipt;

8.3. by way of remote data transmission, when the connection meets the requirements of information security;

8.4. in another way provided for in the provisions of law or in an agreement.


Entrusting the processing of personal data to other entities
§ 9

1.         The Company may entrust the processing of personal data to another entity which is going to process them on the Company’s behalf.

2.         The entity which is going to process personal data controlled by the Company on its behalf (the processor) must provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and national provisions on personal data protection, while taking account in particular of the protection of the rights of data subjects.

3.         The processor may not engage another processor without prior specific or general written authorisation of the Company.

4.         Processing by a processor shall be governed by a contract, agreement or a legal provision that is binding on the processor with regard to the Company and that explicitly sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the Company and the processor.

5.         That contract or agreement on data processing shall stipulate that the processor:

5.1. processes the personal data only on documented instructions from the Company;

5.2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.3. undertakes to take appropriate technical and organisational measures required pursuant to Article 32 of the GDPR;

5.4. respects the conditions for engaging another processor;

5.5. taking into account the nature of entrusting the task of processing personal data, assists the Company by appropriate technical and organisational measures for the fulfilment of the Company's obligation to respond to requests of data subjects;

5.6. at the choice of the Company, deletes or returns all the personal data to the Company after the end of the provision of services relating to the processing of personal data, and deletes existing copies, unless the law requires their archiving;

5.7. makes available to the Company all information necessary to demonstrate compliance with the obligations laid down in this item and allows for audits and inspections of compliance of personal data processing with the GDPR and national provisions on personal data protection conducted by the Company or another auditor mandated by the Company.


Cybersecurity
§ 10

1.         The person designated by the President of the Company’s Management Board, whose duties include ICT support to the Company, shall:

1.1. prepare a list of processing activities in the Company’s ICT systems, along with indicating the software used to process the data;

1.2. determine the technical and organisational measures necessary to ensure confidentiality, integrity and accountability of the personal data processed in the Company’s ICT systems;

1.3. prepare records of persons entitled to use the ICT systems in the Company.

2.         The President of the Management Board shall give their consent to granting rights to use the system to:

2.1. persons commencing employment, regardless of their legal basis of employment;

2.2. other persons, if this is in accordance with the law or if there is a justified need to grant an authorisation.

3.         The procedures related to the granting, changing and revoking of authorisations to process personal data and the maintenance of records of persons authorised to process personal data shall apply accordingly to the granting of rights to use the ICT systems.

Liability for the infringement of personal data protection rules
§ 11

1.         Infringement of the provisions on personal data protection is punishable by the sanctions set out in the GDPR and national provisions on personal data protection.

2.         Notwithstanding the liability provided for in the provisions referred to in item 1, the infringement of personal data protection rules by the Company’s employee may be considered an infringement of the basic employee duties.

Notification of personal data breaches
§ 12

1.         In the case of an actual or suspected personal data breach, all persons authorised to process personal data in the Company and the processors acting under the Company’s instructions shall without undue delay notify the personal data breach or the suspected breach to the President of the Company.

2.         In the case of becoming aware of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

3.         Where the notification to the supervisory authority is not made within 72 hours, the Company shall attach thereto the reasons for the delay.

4.         The processor shall notify the Company without undue delay after becoming aware of a personal data breach.

5.         The notification of the personal data breach shall at least:

5.1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

5.2. communicate the name and contact details of the Company’s employee who can provide information about the breach;

5.3. describe the likely consequences of the personal data breach;

5.4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.         The Company shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

7.         A personal data breach shall be understood as a single event or a series of undesired or unexpected events associated with information security which jeopardise, or create a significant likelihood of jeopardising, the security of the personal data processed.

8.         A personal data breach may be of:

8.1. intentional nature, e.g. theft of data and equipment, disclosure of data to unauthorised persons, deliberate destruction of data, breaking into the IT system or premises;

8.2. random internal nature, e.g. server or software failures, loss or misplacement of data carriers, sending personal data by email to an unauthorised person, loss of paper documents which contain confidential information or personal data, disclosure of medical records to an unauthorised person, misplacement of a device;

8.3. random external nature, e.g. fire, flooding, power loss.

9.         When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the data subject without undue delay.

10.       The communication to the data subject on the personal data breach shall describe the nature of the personal data breach and contain the information referred to above.

11.       The communication to the data subject on the personal data breach shall not be required if any of the following conditions is met:

11.1. appropriate technical and organisational protection measures have been implemented, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as encryption;

11.2. subsequent measures have been taken, which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

11.3. it would involve disproportionate effort (in such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner).

