Privacy Policy on Personal Data Protection of MDP Engineering Sp. z o.o. Sp. K.

DECLARATION

  1. This document constitutes a framework of principles and regulations regarding the protection of personal data at MDP Engineering. This Policy is a policy within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.
  2. By adopting this Policy, MDP Engineering declares compliance with the rights of individuals whose data is processed, arising from the provisions of the GDPR, as well as transparency and openness in data processing principles.
  3. The Policy contains a description of the principles of personal data protection at MDP Engineering, proportionate to the scale of data processing within the company.
  4. Principles of responsibility:
    • The Management Board/Partners of MDP Engineering, acting as the Data Controller (ADO), are responsible for the implementation and maintenance of this Policy.
    • Because the company has two partners, the function of ADO is exercised jointly by both partners.
    • Monitoring compliance with the provisions of the Policy and the GDPR is the responsibility of a designated employee responsible for monitoring the security of processed data and compliance with data protection regulations, unless a Data Protection Officer (DPO) is appointed.

DEFINITIONS

  1. Policy means this Policy of MDP Engineering along with related documents.
  2. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  3. PUODO – President of the Personal Data Protection Office – the national supervisory authority for data protection.
  4. Personal data – data as defined in Article 4 of the GDPR and in accordance with the definition in Article 9(1) of the GDPR.
  5. Processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and other operations covered by the GDPR definition.
  6. Data Controller (ADO) – a legal entity determining the purposes and means of data processing at MDP Engineering, including where it acts as a joint controller.
  7. Processor – means a processing entity to which MDP Engineering has entrusted the processing of personal data under a data processing agreement.
  8. Data Protection Officer (DPO) – an employee designated by the management of MDP Engineering responsible for monitoring compliance with the GDPR and this Policy in the processing of personal data at MDP Engineering. If appointed under Article 37(1) of the GDPR as a DPO, they must be registered with the President of the Personal Data Protection Office.
  9. Data set – an organized set of personal data accessible according to specific criteria, regardless of whether it is centralized, decentralized, or functionally or geographically dispersed.
  10. Recipient – a natural or legal person, public authority, agency, or other body to which personal data is disclosed.
  11. Incident – an event that directly results in a loss of data security, in particular unauthorized disclosure, loss, unauthorized modification, or unauthorized transfer of data.

GENERAL PRINCIPLES OF PERSONAL DATA PROTECTION

  1. Principle of legality:
    • The company ensures data protection and processes data in accordance with the law.
  2. Principle of necessity (adequacy, minimization) of processing scope:
    • means that only those personal data are processed which, in light of the applicable provisions of the Labor Code, may be required from an employee upon employment. The application of this principle does not infringe on the employee’s right to provide the employer with other personal data which they consider necessary for the realization of their rights and personal needs. The provision of such data is then also voluntary.
  3. Principle of purposefulness of processing:
    • means that personal data is processed only for the realization of a legally justified purpose. The legally justified purpose must be indicated to the employee from whom the data originates, and any change or extension of the processing purpose cannot occur without explicit notification to the employee and obtaining their formal consent for such extension or change.
  4. Principle of transparent information policy:
    • means that the management of MDP Engineering makes every effort to ensure that the employee from whom the data originates is reliably informed about their rights under the GDPR. In documents addressed to data subjects, the general legal basis for processing is provided, along with other information detailed in Section IX.
  5. Principle of data processing security:
    • is implemented through four attributes: confidentiality, integrity, availability, and accountability. It means processing data while maintaining the required organizational and technical protection measures, including protection against unauthorized disclosure, unauthorized processing, destruction, damage, as well as assessing the impact of processing on data protection. It also means storing data only for the period required by law. In the area of incident management, procedures are applied to identify, assess, and report identified breaches to the PUODO.

  1. The legal basis for processing employees’ personal data is Article 6 of the GDPR and the Act of 26 June 1974, the Labor Code (with subsequent amendments):
    • In the internal legal circulation of the company, the basis for processing personal data by an employee is a personal authorization issued by the ADO, which is withdrawn upon termination of employment or in connection with a change in the scope of duties.
    • The number of persons authorized to process personal data at MDP Engineering is limited to the necessary minimum.
  2. Processing purposes:
    • The purpose of processing employees’ personal data is the fulfillment of the employer’s statutory obligations related to the employment process, such as recruitment, employment, social insurance, salary payments, working time accounting, seniority calculation, and maintaining personnel files.
    • The purpose of processing contractors’ personal data is the handling of production processes carried out by MDP Engineering, such as supply, cooperation, subcontracting, product sales, and logistics services.
  3. Inventory of resources:
    • In the area of personal data, data sets have been identified covering employees employed at MDP Engineering, candidates in the recruitment process, and contractors, along with relevant archival data for these sets.
  4. MDP Engineering entrusts the processing of employees’ personal data in connection with employment only to entities with which a data processing agreement has been signed. (Agreement dated 25 May 2018 with TAX FREE).
  5. Data of individuals/candidates in the recruitment process is processed in a system supervised by an entity with which MDP Engineering has signed an agreement for the provision of IT services.

HANDLING OF INDIVIDUALS’ RIGHTS AND INFORMATION OBLIGATIONS

  1. Rights:
    • Right to information – includes the right of the data subject to obtain clear and understandable information about:
      • the data of the controller and the Data Protection Officer, including contact details,
      • data recipients,
      • processing purposes,
      • intention to transfer data,
      • data retention period,
      • requests for access to their data,
      • automated processing and profiling,
      • information on whether the provision of personal data is a statutory requirement for concluding a contract and the consequences of not providing it,
    • Right to erasure (right to be forgotten),
    • Right to complain – includes the possibility to lodge a complaint with the President of the Personal Data Protection Office or directly with the administrative court,
    • Right to access their data,
    • Right to rectification of data,
    • Right to restriction of processing,
    • Right to data portability.
  2. Fulfillment of the information obligation:

In documents addressed to data subjects, the legal basis for the processing activity is included each time, along with:

  • the data of the controller and the Data Protection Officer or another person designated to handle the process,
  • information on the right to consent to processing, the right to access their data, the right to object to processing, the right to restriction of processing, the right to request erasure, rectification, or portability of data, the right to information about data breaches,
  • information on any extension of the request processing period,
  • information on the processing purpose and its changes,
  • information on permanent deletion (anonymization) of data.

For the fulfillment of the information obligation and handling requests related to the realization of data subjects’ rights, the management of MDP Engineering, unless a Data Protection Officer is appointed, designates an employee, specifying their tasks in the scope of duties card.

MEASURES FOR PERSONAL DATA PROTECTION

  1. The Data Controller (ADO) is responsible for implementing appropriate technical, organizational, and legal measures to secure data. These measures are reviewed and updated as necessary. The scope of applied measures should reflect the conclusions from risk analysis and assessment.
  2. Organizational measures include:
    • development and implementation of this Protection Policy,
    • entrusting processing under individual authorizations,
    • employee obligations set out in the MDP Engineering Work Regulations,
    • management’s application of controls to ensure compliance with the GDPR, including control of the Processor and ad hoc checks of internal security procedures,
    • appointment of a Data Protection Officer with tasks according to Article 39 of the GDPR.
  3. Technical and personal measures include:
    • securing processing facilities at ul. Trakt św. Wojciecha 243C, 80-017 Gdańsk, with physical security posts, video surveillance, reception control posts, division of the building into access control zones (SKD), physical locks on rooms with keys, and a fire protection system,
    • securing the IT system with login and password access changed periodically,
    • applied antivirus systems,
    • applied authorizations for access to specific zones and rooms (keys).
  4. Legal measures:
    • Training on GDPR provisions, including criminal and service liability for breaches of the GDPR,
    • Training on access to IT systems, including service liability for breaches of internal IT security regulations,
    • Training employees on procedures in case of data breaches (incidents),
    • Implementation of a legal agreement on data processing, securing the rights of the Controller (MDP Engineering) and securing processed personal data in accordance with GDPR requirements, signed with the Processor (TAX FREE).

UNIDENTIFIED DATA

  • Handling of unidentified data – MDP Engineering identifies cases where the processing of unidentified data may occur and maintains mechanisms for the full realization of the rights of data subjects.

PROFILING

  • MDP Engineering does not apply profiling to processed employees’ personal data. In the area of supervision over processing entrusted to other entities, MDP Engineering reserves the right to ensure compliance with the law through an agreement specifying the forms of processing the Processor is entitled to perform.

REGISTERS

  1. According to Article 30 of the GDPR, the Company is not obliged to maintain a Register of Processing Activities. However, for the purpose of identifying potential breaches, such a register is maintained by the Processor, and for the purpose of handling the recruitment process, by an authorized employee.
  2. A register of breaches (incidents) is maintained to handle the process of identifying, notifying, and managing incidents.
  3. A register of issued authorizations for processing personal data is maintained to ensure accountability and legality of processing.
  4. Depending on the needs of documentation, other registers not mentioned in the Policy may be created, the purpose of which will then be specified in this document.

CONTROL

  1. Control over compliance with the GDPR in the company is exercised by the management (ADO), through a person designated to perform the functions of the Data Protection Officer, or, if a DPO is not appointed, an employee designated by name to perform the same tasks.
  2. Control over compliance with the provisions of the data processing agreement is exercised by the management (ADO) or, based on a personal authorization, by the Data Protection Officer or another designated person.
  3. Controls and checks performed by the Data Protection Officer are documented in writing.

DATA PROTECTION OFFICER

  1. The Data Protection Officer, if appointed under Article 37(4) of the GDPR, reports directly to the ADO and is independent in the performance of their tasks.
  2. If a Data Protection Officer is not appointed under Article 37(4) of the GDPR and the ADO has designated another employee to perform the same functions, the designated employee must be assigned tasks from the catalog of tasks of the DPO set out in Article 39(1) of the GDPR.
  3. Both the ADO and the Processor support the DPO in the performance of their tasks, providing access to data and processing operations.
  4. The Data Protection Officer is the designated contact person for all individuals whose data is processed by MDP Engineering.
  5. Tasks of the Data Protection Officer:
    1. Informing the ADO and employees about obligations arising from data processing under the GDPR,
    2. Recommending organizational, technical, and legal solutions and providing advice on data protection in the company,
    3. Monitoring compliance with the GDPR, including staff training,
    4. Providing information and explanations upon request,
    5. Cooperation with the PUODO and other authorities.

INCIDENTS

  1. Every employee of MDP Engineering is obliged to report any identified incident to the ADO. The ADO, and the Data Protection Officer acting on their behalf, take immediate action to identify the incident and prevent its negative effects on data security.

FINAL PROVISIONS

  1. The Policy is implemented as of the date of signing.
  2. The Policy is a document for internal use.
  3. The Policy document is available in electronic or written form to all employees of MDP Engineering.
  4. The Policy and related documents are updated on an ongoing basis, particularly following events that directly affect the security of processed personal data.
  5. The Data Protection Officer or another employee designated to perform the same function is responsible for the ongoing updating of the Policy.

In case of any discrepancies or disputes, only the Polish version of this document shall be considered legally binding and valid in court.