PERSONAL DATA PROTECTION POLICY


in the company


“XOPERO SOFTWARE” S.A.

(joint-stock company)

WITH REGISTERED OFFICE IN GORZÓW WLKP., POLAND


DOCUMENT’S VERSION: 2.0

EFFECTIVE DATE (version 1.0): 05/02/2018

EFFECTIVE DATE (version 2.0): 02/01/2023

NEXT VETTING DATE: 31/01/2025


DISCLAIMER:

This English version of Personal Data Protection Policy is established only for informational purposes. The binding version of this document is the Polish version.


CHAPTER I: POLICIES


§ 1.

THE AIM OF THE PERSONAL DATA PROTECTION POLICY


  1. Personal Date Protection Policy was established in connection with requirements specified in Regulation (EU) NO 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  1. The definitions of the most important terms in this document are determined as follows:

  1. Policy or PDPP – this Personal Data Protection Policy.

  1. The Company – shall be understood as XOPERO SOFTWARE with registered office in Gorzow Wlkp., Herbert 3 street, Gorzów Wlkp., postcode: 66-400, registered in Register of Entrepreneurs of the National Court Register under the KRS no. 0000684240, NIP no. 599-306-66-03, REGON(Official Business Register Number) No. 080285693.

  1. Personal Data – the information about identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  1. Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

  1. Data system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis


§ 2.

THE ESSENTIAL PRINCIPLES


The Company introduces this Policy to inform that the personal data processed by The Company will be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject;

  1. collected for specified explicit and legitimate purposes and not further processed in a manner that is incompatible with those purpose;

  1. adequate, relevant and limited to what is necessary in relations to the purpose for which they are processed;

  1. accurate and, where necessary, kept up to date;

  1. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

  1. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures


§ 3.

CONSENT FOR THE PROCESSING OF PERSONAL DATA


  1. Processing of personal data by The Company in the basic standard takes place based on a consent given by the person concerned.

  1. The consent can be granted in writing as well as given by means of distance communication

  1. The data subject has a right to withdraw his or her consent at any time. However, the withdrawal of consent shall not affect the lawfulness of processing performed based on the consent before the withdrawal.

  1. The processing of personal data by the Company takes place within the scope necessary for the implementation of the contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

  1. The consent for having one’s data processed can be granted only by the person who is of lawful age (above 18). On behalf of a person under 18, the consent shall be granted by his or her statutory representatives.


§ 4.

OTHER BASES FOR DATA PROCESSING


The Company may process personal data also when:

  1. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  1. processing is necessary for compliance with a legal obligation to which the controller is subject;

  1. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

  1. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  1. processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


§ 5.

ACCESS TO PERSONAL DATA


  1. The data subject shall have the right to obtain confirmation from the Company as to whether or not the personal data processed by the company concern the data subject , and, if that is the case, the data subject is entitled to have an access to the data and the following information:

  1. the purpose of the processing ;

  1. the categories of given personal data;

  1. information about the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular about recipients in third countries or international organizations;

  1. where possible, the planned period of personal data storage, or, if that is not possible, the criteria used to determine that period;

  1. where the personal data are not collected from the data subject, any available information as to their source;

  1. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  1. The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

  1. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.


§ 7.

RECTIFICATION OF PERSONAL DATA


The data subject shall have the right to demand immediate rectification of any inaccurate personal data concerning him or her. Taking into account the aims of the processing, the data subject shall have the right to demand the completion of incomplete personal data, including by means of providing a supplementary statement.


§ 8.

RIGHT TO ERASURE

(‘RIGHT TO BE FORGOTTEN’)


  1. The data subject shall have the right to request immediate erasure of personal data relating him or her and the Company shall have the obligation to erase personal data without undue delay where one of the following circumstances applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  1. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;

  1. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

  1. the personal data have been unlawfully processed;

  1. the personal data have to be erased for compliance with a legal obligation under European Union law or Polish law;

  1. the personal data have been collected in relation to the offer of information society services.

  1. Where the Company has made the personal data public and is obliged to erase the personal data in accordance to the above mentioned provisions, considering the available technology and the implementation cost, the Company shall take reasonable actions, including technical measures, to inform all the other Administrators processing the personal data that the data subject has requested that the Administrators erase any links to the data, copies of the data or their replications.

  1. The Company will have the right to refuse the removal of all personal data or their parts if theirs processing is essential:

  1. for exercising the right of freedom of expression and information;

  1. for compliance with a legal obligation which requires processing under the law governing the Company;

  1. for the establishment, exercise or defense of legal claims.


CHAPTER II: ESSENTIAL MATTERS


§ 9.

PERSONS ENGAGED IN THE PROCESSING OF THE PERSONAL DATA


  1. The Controller of personal data


The Controller of personal data is:

Name:

XOPERO SOFTWARE S.A.

Legal form:

joint-stock company by Polish law

Tax Id. No. [NIP no.]

599-306-66-03

REGON [Statistics no.]:

080285693

National Court Register [KRS no.]:

0000684240

Address:

Herberta Str. 3

Gorzów Wlkp., post code: 66-400


  1. The person authorized to process personal data


  1. The Company keeps records of persons authorized to process personal data with an indication of the purposes of the specific authorization and personal data files to which the authorization applies.

  1. Records of persons authorized to process personal data are kept in writing and may also be kept in electronic form. Written form is attached as Annex 1 to the Policy (only in Polish language).

  1. Authorization shall be issued and withdrawn by the Company's Management Board in writing. The authorization template is attached as Annex 2 to the Policy (only in Polish language).


  1. Data Protection Officer (DPO)


  1. DPO will be designated, as The Company processes personal data from many sources, providing services for the benefit of numerous parties, thus, the professionalization of issues concerning the protection of personal data is fully justified.

  1. Data Protection Officer will be designated by the Board of The Company for the term of at least 5 years. DPO will directly report to the Board of The Company.

  1. DPO will be immediately incorporated into all the affairs concerning the protection of personal data.


  1. DPO will not receive any instructions concerning the performance of his or her task. They will not be dismissed or sanctioned for fulfilling their task.

  1. Data subjects can contact DPO in all cases relating to the processing of personal data as well as exercising their rights.

  1. DPO is obligated to maintain confidentiality with regard to the tasks performed.

  1. The authorization template is attached as Annex 3 to the Policy (only in Polish language).


  1. Processors


  1. The Company may entrust the processing of personal data to another entity only by way of an agreement concluded in writing or electronically, in accordance with the requirements indicated for such agreements in art. 28 GDPR.

  1. Before entrusting the processing of personal data, the Administrator, as far as possible, obtains information about the previous practices of the processing entity regarding the protection of personal data.

  1. The list of processors with whom we cooperate is attached as Annex 4 to the Policy (only in Polish language).


§ 10.

THE TYPES OF THE PERSONAL

DATA PROCESSED


  1. The Company, in various situations, processes or can process the following types of personal data:

  1. Name and surname,

  1. Personal identification number;

  1. Limited financial data;

  1. Contact details: telephone numbers, e-mails, correspondence addresses etc.;

  1. IP addresses.

  1. It is not prohibited to process other data than only those indicated above, but each time it must be done either on the basis of the consent referred to in Section I point III or on one of the other grounds indicated in Section I point IV.


§ 11.

PERSONAL DATA SYSTEMS


  1. The Company divides the personal data held and processed into filing systems that are created based on the key feature of the data subject, or the content of the system, or the method of obtaining data for a given system.

  1. Only people authorized to process a given data filing system can have access to it.

  1. The list of data filing systems is attached as Annex 5 to the Policy (only in Polish language).


§ 12.

PERSONAL DATA STORAGE AND COMPUTER SYSTEMS


  1. As part of the processing of personal data, the Company will use the following data carriers:

  1. Paper documentation;

  1. Hard disks of various forms;

  1. Mobile phones;

  1. Flash drives;

  1. DVD / CD discs.

  1. IT systems and computer programs that are used or will be used:

  1. Online mailboxes;

  1. Web applications;

  1. Office packages.


§ 13.

ROOMS IN WHICH THE PERSONAL DATA IS PROCESSED


  1. In terms of organizational and technical security, this Policy applies to the registered office of The Company and all real estate under the direct control of the Company.

  1. The building where the rooms are located in which personal data is processed is under the 24-hour protection by a professional external entity (security company). The entrance door to the building is closed from 21:00 to 06:00 and the entrance key can be obtained only through security. Only authorized persons have the access to the offices outside working hours.

  1. The building, its immediate surroundings and internal common parts (staircases, corridors) are covered by audio-visual monitoring. The recording from monitoring is stored for 30 days.


  1. The camera is placed in the company’s corridor, the records are stored for 90 days.

  1. Within the premises occupied by The Company, the thematic sectors are separated, separated by walls and doors, with the possibility of locking. The sectors are as follows:

  1. Office and administration department.

  1. Technical department.

  1. Development department.

  1. Sales department.

  1. The company has implemented a key management policy, which is aimed at limiting the availability of specific sectors only to authorized persons.


CHAPTER III: EMPLOYEES


This section is devoted to the special rules of personal data processing of employees. In the unregulated area, the provisions of Sections I and II of the Policy are applicable.


§ 14.

THE TYPE OF EMPLOYEES’ PERSONAL DATA


The Company processes the following types of employees' personal data:

  1. Name and surname;

  1. contact details;

  1. identification number;

  1. bank account number;

  1. family data;

  1. basic health data;

  1. employment history

  1. education,

  1. personal interests.


§ 15.

THE TYPES OF PERSONAL DATA SUB-SYSTEMS WHICH INCLUDE THE WORKERS’ PERSONAL DATA


  1. The Company divides the filing systems of employees data into sub-systems, which are created based on a distinctive key feature due to the content of this sub-system, or the method of obtaining data for a given sub-system.

  1. Only people authorized to process a given sub-system can have access to it.

  1. The following sub-systems were created in the Company:

  1. Personal files,

  1. Payrolls,

  1. Lists of attendance,

  1. Working time register,

  1. Register of disciplinary penalties.


§ 16.

EMPLOYEES’ PERSONAL DATA STORAGE AND COMPUTER SYSTEMS


Additional IT systems and computer programs that are used or will be used in the processing of employees' personal data:

a) Płatnik;


§ 17.

ROOMS IN WHICH THE EMPLOYEES’ PERSONAL DATA IS PROCESSED


  1. Employees' personal data will be able to be processed as part of the office and administration department.

  1. It is allowed to transfer the personal data of employees to a third party for processing - an external accounting or HR firm.


§ 18.

ACTIVITIES OF PROCESSING THE WORKERS’ PERSONAL DATA


The list of the undertaken activities of processing along with their description:

  1. Recruitment - downloading a CV questionnaire, cover letter, consent to the processing of personal data.

  1. Employment - signing of the contract, preliminary medical examination, health and safety training, employee questionnaire.

  1. Provision of work - verification of attendance, registration of working time, payment of salaries, payment of public and legal liabilities, supervision of employee duties, use of holidays.

  1. Termination of work - issuance of a work certificate, payment of benefits due.


§ 19.

RECRUITMENT


  1. Recruitment is carried out by placing an ad on a selected website - whereby the Company may recruit directly or with the help of third parties.

  1. Based on the documents sent, the candidates are pre-selected.

  1. Selected persons are invited for interviews to the headquarters of The Company.

  1. The conversation is conducted by the Board of Directors and the head of the department to which the recruitment is conducted.

  1. It happens that after several job interviews candidates are invited for one more interview.


§ 20.

THE DESCRIPTION OF ACTIVITIES RELATED TO THE TERMINATION OF EMPLOYMENT RELATIONSHIP


  1. After the termination of the employment relationship, a work certificate is issued immediately.

  1. Personal files are archived at the registered office of The Company. The e-mail account is deactivated, the access card is reprogrammed, data from the time recorder is deleted.


§ 21.

THE DOCUMENTS REQUIRED FROM THE EMPLOYEE DURING THE EMPLOYMENT


  1. Types of documents required from employees during employment:

  1. work certificates,

  1. diplomas,

  1. other certificates.

  1. Statements about family members subject to insurance applications

  1. Medical certificate on the absence of contraindications to the work performed

  1. Declaration on disability, affiliation to the NFZ branch, on subject to the Tax Office, on the willingness to exercise the right to care for a child, on familiarizing themselves with health and safety regulations, internal regulations.

  1. Documents are completed in the administration department of the Company. After completing them, they are delivered to the HR department of the external HR company. In the human resources department, personal files are created and kept in paper form. Personal files are stored in the armored cabinet.


§ 22.

MAINTAINING THE REGISTER OF LEAVING THE WORK PLACE AND THE ATTENDANCE LIST


The register of exits outside the workplace is kept in paper form and is located in the administration department.



The presence is confirmed by a magnetic card or magnetic key ring.

There are also personal paper attendance lists.


§ 23.

PAY SLIPS


  1. The pay slips are clipped in a way that prevents reading without destroying them

  1. Disbursed individually only by an authorized person.


CHAPTER IV: THE IMPLEMENTATION OF THE OBLIGATIONS OF PERSONAL DATA ADMINISTRATOR


§ 24.

THE FORMS OF EXECUTING INFORMATION OBLIGATIONS TOWARDS THE DATA SUBJECT


Forms of providing information to the data subject:

  1. On the website;

  1. By writing

  1. via E-mail

  1. via Telephone.


§ 25.

THE MEANS OF EXECUTING INFORMATION OBLIGATIONS TOWARDS THE DATA SUBJECT


Means of providing information provided for in the GDPR:

  1. a special section on the website,

  1. a dedicated document - an information card, available on the website and at the same time as downloading personal data and consenting to their processing.

  1. in individual cases - personal, e-mail and telephone by the DPO.


§ 26.

THE WAYS OF OBTAINING AUTHORIZATION FOR PROCESSING PERSONAL DATA


Forms and methods of obtaining consent:

  1. Electronic form.

  1. Phone.

  1. Paper form.


The withdrawal of consent to the processing of personal data may take place in any form from the above.


§ 27.

THE PROCEDURE OF VERIFICATION OF THE PERSON REPORTED


Description of the applicant's identity verification methods:

  1. In the case of a personal contact - a request to present an identity document, without the right to detain it or make a copy.

  1. In case of distance contact - questions about characteristic and individual things for the account (e.g. login name, service name, project name, e-mail address)


§ 28.

THE PROCEDURE FOR THE RECOGNITION OF APPLICATIONS RELATED TO THE IMPLEMENTATION OF RIGHTS


Description of how to exercise the rights related to data protection:

  1. Sending an application to the DPO.

  1. Acceptance of the application.

  1. Verification of the reporting person's identity

  1. Consideration of the application - up to 30 days.

  1. The possibility of extending the application deadline to 90 days

  1. Decision making

  1. Implementation of the decision


§ 29.

PROCEDURE FOR REPORTING A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY


  1. In the event of a personal data breach, the Administrator shall, without undue delay - if possible, no later than 72 hours after the breach is identified - notify it to the supervisory authority competent under Article 55 of the GDPR - the President of the Office for Personal Data Protection.

  1. If the Administrator determines that the identified violation is unlikely to result in a risk of violation of the rights or freedoms of individuals, it is possible to waive the notification referred to in paragraph 1 above. In this case, the Administrator will prepare a risk assessment report for the file.

  1. If the notification referred to in paragraph (1) above is not feasible within 72 hours, the Administrator shall make the notification as soon as possible, and attach a written explanation of the reasons for the delay to the notification submitted to the supervisory authority after the expiration of 72 hours.

  1. The notification referred to in item 1 above must at least:

  1. describe the nature of the data breach, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;

  1. contain the name and contact information of the Data Protection Officer or the designation of another point of contact from whom more information can be obtained;

  1. describe the possible consequences of the personal data breach;

  1. describe the measures taken or proposed by the controller to remedy the personal data protection breach, including, where appropriate, measures to minimize its possible negative effects.

  1. Each case of an identified personal data breach shall be recorded in the personal data breach register maintained by the Administrator.


CHAPTER V: REGISTERS AND RECORDS


§ 30.

THE REGISTER OF ACTIVITIES CONCERNING THE PROCESSING OF PERSONAL DATA


The Company creates and maintains a register of personal data processing activities on an ongoing basis, which is attached as Annex 6 to the Policy (only in Polish language).


§ 31.

THE REGISTER OF PERSONAL DATA BREACHES


The Company creates and maintains a register of personal data breaches on an ongoing basis, which is attached as Annex 7 to the Policy (only in Polish language).


§ 32.

THE REGISTER OF PERSONS AUTHORISED TO PROCESS PERSONAL DATA


The Company creates and maintains a register of persons authorized to process personal data, which constitutes Annex 1 to the Policy (only in Polish language).


CHAPTER VI: SAFETY MEASURES


§ 33.

THE MEASURES OF PERSONAL DATA PROTECTION OTHER THAN THE INFORMATION SYSTEMS


  1. Appropriate locks

  1. Magnetic access cards

  1. Room access control system

  1. Physically limited access to servers and network infrastructure

  1. Physical protection

  1. CCTV footage

  1. Alarm systems

  1. 24/7 monitoring of the alarm signal

  1. The restrictions in the access to codes disarming the alarm

  1. Supervision over the keys to rooms

  1. Supervision over the keys to the checkout

  1. Closets, strongbox, safes

  1. Clear desk policy

  1. The correct setting of a monitor

  1. The correct transfer of documents


§ 34.

THE MEANS OF PROTECTION OF THE PERSONAL DATA IN THE INFORMATION SYSTEMS


  1. appropriate password policy

  1. a separate identifier for each user in the information system

  1. use of software that allows the creation of user accounts

  1. blocking the assignment of the same ID to another person

  1. access to the system possible after entering credentials

  1. access to devices after entering login and password

  1. restriction of user access to certain resources

  1. automatic logout from the system after a specified period of inactivity

  1. application quality testing (code review, black box tests, force tests)

  1. antivirus programs and scanners

  1. Firewall

  1. Proxy

  1. DNS

  1. Phishing protection

  1. protection against Cross Site Scripting attacks

  1. protection against Cross Site Request Forgery

  1. protection against SQL Injection attacks

  1. use of VNC, RConsole, TeamViewer (with their proper security)

  1. updating software regularly

  1. performing data backups

  1. making backup copies of programs

  1. making server backups

  1. standardization of hardware

  1. standardization of software

  1. control of installed software

  1. Pseudonymization