PERSONAL DATA SECURITY POLICY
1. ONE-UP introduces this Security Policy in order to perform tasks related to the protection of personal data.
2. For the purpose of this Security Policy terms listed below shall have the following meaning:
- accountability - all actions of an entity on the personal data can be assigned only to this entity;
- data confidentiality – a guarantee that personal data shall not be disclosed to unauthorized entities;
- data controller – an entity deciding about the purposes and means of processing personal data;
- data files - any structured set of personal data, accessible according to specific criteria, regardless of whether the set is distributed or functionally divided;
- data integrity – a guarantee that personal data has not been altered, erased or destroyed in an unauthorized manner;
- data processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data safety – ensuring the confidentiality and integrity of personal data;
- IT system - a set of cooperating devices, programs, information processing procedures and software tools used to process data;
- IT system controller – a natural person supervising the security of personal data processing in IT systems;
- ONE-UP - Katarzyna Tokarek, conducting business activity under the company name “ONE-UP Katarzyna Tokarek” with its registered seat in Łódź, pl. Zwycięstwa, no. 2, 90-312 Łódź POLAND, entered into the Central Registration and Information on Businesses, NIP (tax identification no.): 7281810584, REGON (registration no.): 100592109; ONE-UP is the data controller;
- personal data protection documentation - all documentation, in paper or electronic version, which establishes and records principles of processing personal data by ONE-UP and all activities related to such processing - in particular this Security Policy;
- Security Policy – this Personal Data Security Policy;
- sensitive personal data - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sexual activity or sexual orientation;
- processor – an entity to which ONE-UP has entrusted the processing of personal data on the basis of a personal data processing agreement.
3. The Security Policy regulates the processing and protection of personal data in compliance with the provisions of law, as well as the rights of persons whose personal data is processed by ONE-UP.
4. Security Policy applies to all personal data processed by ONE-UP, in files or outside of them.
5. The principles of this Security Policy are:
- indicating the actions to be taken, their form and the manner of carrying them out, which are necessary to fulfil the obligations of ONE-UP as the data controller;
- creating the organizational basis for the implementation of ONE-UP's personal data security management system;
- defining the basic principles and organizational, technical and legal requirements necessary to ensure proper protection of the personal data;
- proper recording of security breaches and ensuring proper course of action to restore data security.
6. ONE-UP declares that it will take all actions necessary to prevent any threats to the security of personal data.
ONE-UP Data Controller Obligations
1. ONE-UP shall fulfil its obligations concerning personal data security to ensure compliance with applicable laws, by in particular:
- providing supervision over the development and update of personal data protection documentation;
- providing supervision over the compliance with the principles and rules set in the personal data protection documentation;
- providing technical and organizational measures that ensure personal data security;
- ensuring that only authorized persons are granted access to personal data;
- protecting personal data from unauthorised access and from being collected, altered, destroyed or erased by an unauthorized entity;
- ensuring lawfulness of the personal data processing and its compliance with the relevant regulations;
- ensuring that sharing and entrusting of the personal data is conducted in accordance with the provisions of law;
- taking appropriate action in the event of a threat to the security of personal data processing.
2. ONE-UP authorises an appointed natural person to take the position of the IT system controller, who in particular:
- ensures correct usage of the IT system;
- assigns each user a username and password to the IT system, sets and modifies rights of such user, deregisters and deletes user accounts;
- explains all reported irregularities, data security threats and incidents regarding data processing with the usage of IT resources.
3. ONE-UP gives effect to the right of the data subject to:
- obtain information about the data controller, the processors, the subject, scope and means of data processing, the date on which processing commenced, the categories of data processed, the source of the data, and the means of sharing the data and its recipients;
- request completing, updating and rectifying data;
- submit a reasoned motion to discontinue processing of their personal data;
- withdraw their consent to the processing of personal data.
4. A recipient of the data is any entity to which personal data is provided, excluding:
- data subject;
- person authorized to process data;
- state bodies or local self-government bodies to whom the data is made available under legal proceedings.
Rules of Personal Data Processing
1. ONE-UP processes personal data exclusively in dedicated IT systems.
2. ONE-UP processes personal data on the basis of the data subject’s consent. The consent of the data subject shall be understood as a declaration of will whose content constitutes consent to the processing of the personal data of the person submitting that declaration. Such consent is granted by marking and accepting the appropriate box on the ONE-UP online store website. This box is displayed in a manner visible to the data subject. Consent cannot be presumed or implied from a declaration of will with different content. Consent can be withdrawn at any time. The consent of the data subject may also cover data processing in the future, provided the purpose of the processing does not change. The data subject's consent must be obtained again if the purpose of the processing has changed.
3. ONE-UP does not process sensitive personal data and does not plan to process it in the future.
4. ONE-UP processes personal data in order to provide information society services to data subjects – registering and maintaining an account at the online store operated by ONE-UP and concluding specific task contracts for manufacturing and supplying customers with wearable clothing on an individual order in accordance with the parameters indicated by the customers.
5. ONE-UP processes only personal data whose processing is necessary to accomplish the objective referred to in § 3 item 4 hereof and other objectives permitted by law and related to ONE-UP's business, the fulfilment of which requires the collection of personal data. The categories of processed personal data are listed below:
- a. e-mail address,
- b. first and last name,
- c. mailing address,
- d. telephone number.
6. The data referred to in:
- § 3 item 5.a and 5.b hereof is necessary for the proper registration and maintenance of the user’s account at the online store operated by ONE-UP;
- § 3 item 5.a - 5.d hereof is necessary to conclude specific work contracts for the manufacture and delivery of wearable clothing to customers.
7. After the provision of information society services to the data subject has ended, ONE-UP may process only that personal data which is necessary for:
- settlement of services and pursuing claims connected with them,
- explanation of the circumstances of unauthorized use of the information society services provided by ONE-UP by the data subject.
8. ONE-UP may process the following personal data characterizing the manner in which clients (data subjects) use the information society services (operational data):
- markings identifying the Service buyer assigned on the basis of data mentioned in § 3 item 5 hereof,
- markings identifying the telecommunications network termination or IT system used by the client,
- information on the start, end and scope of every use of the information society service,
- information on the use of the information society services by the client.
9. Processing personal data for purposes other than those for which it was collected is permitted only if:
- those objectives are compatible;
- it does not violate the rights and freedoms of the data subject;
- it is used for statistical purposes while meeting the relevant requirements regarding the data controller.
10. The processed personal data must reflect the actual state of affairs.
11. Sharing of personal data may only take place after a motion for the transfer or disclosure of specific information has been submitted. Such motions should be made in writing and contain the following information:
- the applicant's data,
- indication of the legal basis,
- specification of the type and scope of information needed and the form of their transfer or disclosure,
- indication of the first and last name of a person authorized to obtain information or become familiar with its content.
12. Sharing of personal data on the basis of an oral motion is permissible only if immediate action is necessary.
13. ONE-UP shall hold a record regarding instances of sharing personal data.
Persons Authorized to Process Personal Data
1. Personal data may be processed only by a person who holds a written authorization to process personal data issued by ONE-UP and entered in the records of authorizations, and who has signed a written confidentiality agreement.
2. A person holding such authorisation is authorised to process personal data within a scope and time specified therein.
3. The person authorized to process personal data must be properly trained, familiarized with personal data protection documentation and relevant legal regulations.
4. The person authorized to process personal data is obliged to:
- keep personal data confidential;
- observe the procedures for the secure processing of personal data, in particular the procedures referred to in the personal data protection documentation;
- protect personal data against disclosure to unauthorized entities, destruction or modification;
- not transmit personal data outside of the data files, in particular not make any printed or electronic backups;
- log out during a break in work or after finishing work on a computer device with access to personal data files;
- share personal data electronically only in encrypted form;
- not leave third persons in the premises in which personal data is processed without the presence of a person authorized to process personal data;
- close the windows when leaving the premises in which personal data is processed;
- lock the door when leaving the premises in which personal data is processed.
Personal Data Processing Area
1. Personal data may be processed only in an area assigned to this purpose.
2. ONE-UP processes personal data at the following address:
- pl. Zwycięstwa 2, 90-312 Łódź, POLAND
Personal Data Files
1. ONE-UP processes all personal data in following files:
- online store users database,
- e-mail server database.
2. Categories of personal data referred to in § 3 item 5 are processed in the files referred to in § 6 item 1 hereof.
Data Flow between individual IT Systems
1. The IT systems which process personal data collected by ONE-UP consist of the online store database stored on the server and one desktop computer.
2. Processors or persons authorized to process personal data have access to the information system stored on the server via the ONE-UP desktop computer.
Definition of Technical and Organizational Measures Necessary to Ensure Confidentiality, Integrity and Accountability of Data Processing
1. The protection of personal data is carried out through physical security, organizational security, hardware security of the IT and telecommunications infrastructure, security of software tools and databases as well as by authorized persons.
2. ONE-UP applies security measures at a high level in accordance with Polish regulations on personal data security.
3. Organizational security:
- Persons employed for the purpose of processing of personal data are familiarized with the provisions and regulations on the protection of personal data;
- Persons employed for the purpose of processing personal data are trained in IT system security measures;
- Persons employed in the processing of personal data are obliged to keep their activities connected to it confidential;
- Monitors of computers used to process personal data are positioned in a way that prevents unauthorized viewing of data - they are not directed towards windows or doors and are protected by password-protected screen savers.
4. Physical security:
- Personal data files are stored at premises equipped with fire protection system;
- Access to the premises where personal data is processed is supervised by security employees.
5. Hardware security of the IT and telecommunications infrastructure:
- Only desktop computers are used to process personal data via IT systems;
- Access to the operating system of devices in which personal data is processed is secured by means of the authentication process using the user ID and the password changed every 30 days;
- Anti-malware (worms, viruses, trojans, rootkits) protection measures have been applied;
- A firewall is used to limit access to the computer network.
6. Security of software tools and databases:
- ONE-UP applies measures enabling to define the rights of access to the indicated scope of data within the processed data files;
- Access to data files requires authorization with the use of username and a password changed every 30 days;
- Systemic measures were used to determine appropriate rights of access to IT resources, including personal data files for individual users of the IT system.
7. Safeguards referred to above are implemented to achieve the purposes of data processing and to ensure the confidentiality, integrity and accountability of personal data and the integrity of the system.
Procedure for dealing with Personal Data Security Breaches
1. Each person authorized to process personal data is obliged to inform ONE-UP of any threat to the security of personal data or any security incident.
2. A threat to the security of personal data shall mean any event, whether or not dependent on human will, which may result in the loss of the integrity, confidentiality or accountability of personal data. For the avoidance of doubt, the following in particular are considered threats to the security of personal data:
- improper protection of rooms and devices;
- improper protection of IT equipment or software against unauthorized access by third parties, theft and loss of personal data;
- failure to comply with the rules established in the personal data protection documentation and relevant legal regulations by the persons obliged to comply with them;
- breach of physical safeguards by a third party.
3. A security incident shall mean a breach of the personal data security system which has caused unauthorized disclosure, destruction or damage of personal data. For the avoidance of doubt, the following in particular are considered security incidents:
- external random events, such as fire or flooding, resulting in the destruction of devices used for data processing;
- internal random events, such as system, device and software failure;
- unintentional behaviour, such as loss of personal data or mistake of the IT system user;
- intentional behaviour, such as breaking into an IT system or premises, theft of data or equipment, disclosure of data to unauthorized persons, deliberate destruction of data or hardware, or damage caused by malicious software.
4. In the event of a threat to the personal data security or incident, ONE-UP conducts explanatory proceedings in the course of which it determines:
- the cause;
- potential consequences;
- actions to be taken to prevent negative impact of the event;
- persons responsible for the event.
5. In the course of the investigation, ONE-UP shall secure the evidence and document the findings.
6. After an investigation, ONE-UP shall notify competent authorities and other authorized persons in accordance with the applicable regulations.
7. After each security threat or incident ONE-UP shall analyse what actions should be taken to minimize the risk of a similar situation occurring in the future.
1. A review of the personal data protection documentation is carried out at least once a year in order to check its relevance and compliance with the applicable law.
2. Personal data protection documentation is updated when necessary.
3. Cases of unjustified failure to perform duties or breach of other rules resulting from this Security Policy may render the person concerned liable to prosecution, in accordance with the legal relationship between that person and ONE-UP.
4. In matters not covered by this Security Policy, relevant legal provisions shall apply.
5. This Security Policy shall come into force on March 19, 2018.