Privacy Policy

PERSONAL DATA PROTECTION POLICY

I. This document titled “Personal Data Protection Policy” (hereafter: the Policy) serves as a map of the requirements, rules, and regulations governing personal data protection at BGM Sp. z o.o. (hereafter: the Company). This Policy constitutes a personal data protection policy within the meaning of the GDPR—Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1)—and applicable national laws (collectively: GDPR).

II. The Policy includes:
– a description of the personal data protection principles in force at the Company;
– references to detailed annexes (model procedures or instructions covering specific privacy areas that must be defined in separate documents).

III. The Company’s Management Board is responsible for implementing and maintaining this Policy. Within the Board:
– ………………………. is assigned oversight of personal data protection.
– A person designated by the Company ensures compliance with data protection.
– The following oversee and monitor adherence to the Policy:
  – the Data Protection Officer (if one has been appointed);
– The following are responsible for applying this Policy:
  – the Company;
  – the organizational unit responsible for information security;
  – organizational units processing personal data;
  – Company staff.

The Company ensures that its contractors comply with the Policy whenever personal data is shared with them.

IV. Abbreviations and definitions:
– Policy: this Personal Data Protection Policy unless the context clearly states otherwise.
– GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (OJ L 119, p. 1).
– Data: personal data unless the context clearly states otherwise.
– Sensitive data: special-category data and criminal data.
– Special-category data: data listed in Article 9(1) GDPR (racial/ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic/biometric data used to uniquely identify a person, health, sex life, sexual orientation).
– Criminal data: data listed in Article 10 GDPR (criminal convictions and offences).
– Children’s data: data relating to persons under 16 years of age.
– Person: a data subject unless the context clearly states otherwise.
– Processor: an entity or person engaged by the Company to process personal data (e.g., IT service providers, external accountants).
– Profiling: any automated processing of personal data to evaluate personal aspects of an individual (job performance, economic situation, health, preferences, interests, reliability, behavior, location, movement, etc.).
– Data export: transfer of data to a third country or international organization.
– DPO or Inspector: the Data Protection Officer.
– RCPD or Register: the Record of Processing Activities.
– Company: the entity named in the preamble.

V. Personal data protection – general principles

Data protection pillars:
– Lawfulness: the Company respects privacy and processes data legally.
– Security: the Company provides an appropriate level of data security and continuously improves it.
– Data subject rights: the Company enables data subjects to exercise their rights and fulfills those requests.
– Accountability: the Company documents how it meets its obligations to demonstrate compliance at any time.

Core data-protection principles:
The Company processes personal data in accordance with the following principles:
– Lawfulness: data is processed based on a legal basis and in compliance with the law.
– Fairness: data is processed fairly.
– Transparency: data subjects are fully informed about processing.
– Purpose limitation: processing serves specific purposes and is not carried out “just in case.”
– Data minimization: only data that is necessary for the purpose is processed.
– Accuracy: data is kept accurate and up to date.
– Storage limitation: data is kept no longer than necessary.
– Integrity and confidentiality: appropriate security is applied.

Data protection system elements:
– Data inventory: identification of personal data assets, data classes, interdependencies, and usage methods, including processing of special-category or criminal data, unidentified data, children’s data, profiling, and joint controllership.
– Register: the Company prepares, maintains, and updates a Record of Processing Activities. It serves as an accountability tool and will be implemented once GDPR thresholds require it.
– Legal bases: the Company identifies and records legal grounds for processing in the Register, manages consent for data processing and remote communications, and documents its legitimate interests.
– Data subject rights: the Company fulfills information obligations, handles requests, ensures it can perform each type of request, allocates resources, and documents compliance. It also assesses whether individuals must be notified of data breaches.
– Minimization: the Company manages data minimization (privacy by default) covering data adequacy, access control, and retention.
– Security: the Company performs risk analyses for processing activities, conducts Data Protection Impact Assessments when needed, aligns safeguards with risk, operates an information-security management system, and has incident response procedures.
– Processors: the Company sets criteria for selecting processors, defines contractual requirements, and verifies compliance.
– Data export: the Company ensures transfers outside the EU/EEA meet legal requirements and manages shadow IT risks.
– Privacy by design: new projects and changes go through privacy impact assessments, ensuring data protection and minimization from the outset.
– Cross-border processing: the Company determines when cross-border operations occur and identifies the lead supervisory authority and main establishment under GDPR.

VI. Inventory

– Sensitive data: the Company identifies situations where special or criminal data is processed and applies dedicated compliance mechanisms.
– Unidentified data: the Company notes instances where unidentified data is processed and ensures data subjects can exercise their rights.
– Profiling: the Company identifies profiling or automated decision-making and follows established rules for compliance.
– Joint controllership: the Company recognizes joint processing cases and acts according to established principles.

VII. Record of Processing Activities (inactive until statutory thresholds are reached)

The RCPD documents processing operations, maps data use, and underpins accountability. The Company inventories and monitors personal data usage in the Register, noting at minimum:
– processing name;
– purpose;
– categories of data subjects;
– categories of data;
– legal basis (including the legitimate interest pursued, if applicable);
– data collection method;
– categories of recipients (including processors);
– information on transfers outside the EU/EEA;
– general description of technical and organizational security measures.

Template: Annex 1 (“Sample Record of Processing Activities”). Optional columns are filled as needed to facilitate compliance management.

VIII. Legal bases

The Company documents legal bases for each processing activity in the Register. When citing a base (consent, contract, legal obligation, vital interests, public task/public authority, legitimate interest) it specifies the exact scope—for example, detailing consent, citing legal provisions, or clarifying the specific legitimate interest (e.g., self-marketing, pursuing claims). The Company maintains mechanisms for consent management, including recording opt-ins, remote-communication consent, refusals, withdrawals, and objections.

Each unit manager must know the legal bases used in their area. If processing relies on legitimate interest, the manager must know the particular interest being pursued.

IX. Handling data subject rights and information duties

The Company ensures clear, accessible communication with data subjects. It facilitates exercising rights via website information, guidance on procedures, identification requirements, contact channels, and any fee schedule for additional requests. Legal deadlines are respected, and adequate identification/authentication methods are in place. Processes exist to locate, consolidate, modify, and delete personal data as needed and to record information duties, notifications, and responses.

X. Information obligations

The Company defines lawful, efficient methods to meet information obligations. It informs individuals when a response deadline is extended beyond one month, when data is collected from them directly or obtained indirectly, when unidentified data is processed (e.g., CCTV signage), when the purpose of processing changes, and when a processing restriction is lifted; it also passes on rectification, erasure, or restriction notices to recipients (unless doing so is disproportionate). It notifies people about the right to object and promptly reports high-risk breaches.

XI. Data subject requests

– Rights of third parties: when fulfilling requests (e.g., copies or portability), the Company safeguards third-party rights. If fulfilling a request could infringe others’ rights (privacy, IP, trade secrets, personal rights), it may seek clarification or lawfully refuse.

– No processing: individuals are informed if the Company has no data on them.

– Refusal: individuals are notified within one month if a request is denied and told about their remedies.

– Access: upon request, the Company confirms processing and provides details per Article 15 GDPR, along with access (e.g., data copies). Copies supplied under access rights do not count as the free copy for fee purposes.

– Copies: the Company issues one free copy of personal data on request and records it. It maintains a price list for additional copies, reflecting the cost of processing the request.

– Rectification: incorrect data is corrected upon request if the individual reasonably demonstrates errors; recipients are informed on request.

– Completion: data is updated or supplemented if it aligns with processing purposes; the Company may rely on the person’s statement unless inconsistent with procedures, law, or credibility.

– Erasure: data is erased when no longer needed, consent is withdrawn with no other legal basis, an objection is upheld, processing is unlawful, erasure is required by law, or it involves a child’s data collected via consent for information society services. The Company ensures proper execution, checks for exceptions under Article 17(3), and, if data was published, makes reasonable efforts to inform other controllers. Recipients are notified on request.

– Restriction: processing is restricted when accuracy is contested, processing is unlawful but erasure is refused, data is needed for legal claims, or pending resolution of an objection. During restriction, data is stored but not processed or shared without consent, except for claims or rights of others/public interest. Individuals are informed before lifting restriction and about recipients on request.

– Portability: upon request, the Company provides data supplied by the individual in a structured, commonly used, machine-readable format or transmits it to another controller when feasible, if processing is based on consent or contract and carried out by automated means.

– Objection based on special situation: if data is processed on legitimate interest or public task grounds, the Company will honor objections unless it has compelling legitimate grounds overriding the individual’s interests or needs the data for legal claims.

– Research/statistics objections: if processing is for scientific, historical, or statistical purposes, objections tied to the individual’s situation are upheld unless processing is necessary for a public-interest task.

– Direct marketing: any objection to direct marketing (including related profiling) is honored, and processing stops.

– Automated decisions: when automated processing (including profiling) results in legal effects or similarly significant impacts, the Company provides human intervention unless automation is necessary for a contract, explicitly permitted by law, or based on explicit consent.

XII. Data minimization

The Company minimizes data in terms of scope, access, and storage time.

Scope:
– The Company reviewed data collection and processing for adequacy when implementing GDPR.
– It reassesses data volume and scope at least annually.
– It evaluates changes via change-management procedures (privacy by design).

Access:
– Legal, physical, and logical access controls are enforced (confidentiality commitments, authorization scopes, restricted areas, locked rooms, system/network permissions).
– Physical access control is applied.
– Access rights are updated whenever staff roles or processors change.
– User permissions are reviewed at least annually.
– Detailed access control rules are defined in the Company’s security procedures.

Storage time:
– The Company controls data life cycles, checking retention terms from the Register.
– Data beyond its useful life is removed from production systems and files, though it may remain in archives or backups. Archiving and backup procedures respect data life-cycle controls, including erasure requirements.

XIII. Security

The Company provides a security level proportionate to the risk of rights and freedoms being compromised through processing.

Risk analyses and control adequacy:
– The Company maintains expertise in information security, cybersecurity, and business continuity in-house or via specialists.
– Data and processing activities are categorized by risk.
– Risk assessments consider possible scenarios of data-breach impacts based on processing characteristics, scope, context, purpose, likelihood, and severity.
– Organizational and technical safeguards (e.g., pseudonymization, encryption, measures ensuring confidentiality/integrity/availability/resilience, disaster recovery) are matched with risk and cost.

Data Protection Impact Assessments:
– Conducted when high risk is identified.
– Follow the Company’s adopted methodology.

Security measures:
– Implemented per risk analyses and DPIAs.
– Form part of the broader information and cybersecurity framework, detailed in relevant procedures.

Breach notification:
– Procedures exist to detect, assess, and report personal-data breaches to the supervisory authority within 72 hours.

XIV. Processors

The Company has selection and verification rules ensuring processors provide sufficient guarantees of proper organizational and technical measures. Annex 2 (“Sample Data Processing Agreement”) sets minimum contractual requirements. The Company oversees processors’ use of sub-processors and other contractual obligations.

XV. Data export

The Company records in the Register any transfer outside the European Economic Area (EU, Iceland, Liechtenstein, Norway). To prevent unauthorized transfers (e.g., through shadow IT and public cloud services), it periodically reviews user behavior and, where possible, provides compliant alternatives.

XVI. Privacy by design

Change management integrates privacy considerations to ensure security and minimization. Project and investment procedures require assessing privacy impacts and embedding safeguards and minimization from the outset.

XVII. Final provisions

This Policy enters into force on 25 May 2018.