Regulations

The Regulations for Personal Data Protection
at ACT Cielarska, Zioło Sp.j.

with its registered seat in Kraków

These regulations constitute a list of basic obligations with regard to the observance of personal data protection rules in accordance with the provisions of the GDPR for:

  • Employees
  • Co-workers
  • Third party employees with access to personal data processed by the Administrator/Processor
  • IT system users with access to personal data processed by the Administrator/Processor

Each of the above mentioned persons should read the following regulations and undertake to apply the rules contained therein.

TABLE OF CONTENTS

1    RULES OF SAFE USE OF IT EQUIPMENT, DISCS, AND PROGRAMMES
2    PERMISSION MANAGEMENT – PROCEDURE FOR STARTING, SUSPENDING, AND COMPLETION OF WORK
3    THE PASSWORD POLICY
4    SECURING PAPER DOCUMENTATION CONTAINING PERSONAL DATA
5    RULES FOR CARRYING MEDIA CONTAINING DATA OUTSIDE THE COMPANY/ ORGANIZATION
6    RULES FOR USING THE INTERNET
7    RULES FOR USING ELECTRONIC MAIL
8    ANTIVIRUS PROTECTION
9    AN ABRIDGED MANUAL FOR PROCEDURE IN THE EVENT OF INFRINGEMENT OF PERSONAL DATA PROTECTION
10  OBLIGATION TO MAINTAIN CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA
11  DISCIPLINARY PROCEDURE

1 RULES OF SAFE USE OF IT EQUIPMENT, DISCS, AND PROGRAMMES

  1. The user who uses IT equipment for processing of personal data is obliged to protect such equipment from destruction or damage. IT equipment is: desktop computers, screens, printers, scanners, photocopiers, laptops, business tablets, and smartphones.
  2. The user is obliged to report the loss or destruction of the IT equipment entrusted thereto.
  3. Unauthorized installation, opening (disassembly) of IT equipment, installing additional devices (e.g. hard drives, memory) in or connecting any unapproved devices to the IT system is prohibited.
  4. The user is obliged to prevent unauthorized persons (e.g. clients, employees of other departments) from viewing data displayed on computer screens – the so-called Clean Screen Policy.
  5. Before temporarily leaving the work station, the user is obliged to trigger a password-locked screensaver (WINDOWS + L) or to log out of the system or the programme.
  6. After finishing work, the user is obliged to:
    1. log out of the IT system, and if required – turn off the computer equipment;
    2. secure the work station, in particular all magnetic and optical media on which personal data are located.
  7. The user is obliged to delete files from media/disks to which other users unauthorized to access such files have access (e.g. when sharing computers).
  8. If the user is entitled to destroy the media, he or she should destroy such media permanently or delete data permanently from such media (e.g. destroying DVDs in the shredder).
  9. Users of portable computers on which personal data are stored, or which have access to personal data via the Internet, are required to apply the security rules contained in the Regulations for the use of portable computers.

2 PERMISSION MANAGEMENT – PROCEDURE FOR STARTING, SUSPENDING, AND COMPLETION OF WORK

  1. Each user (of e.g. a desktop computer, laptop, network drive, programmes which the user uses for work purposes, e-mail) must have his or her own individual login ID.
  2. Creating user accounts with permissions (e.g. desktop computer, laptop, network drive, programmes which the user uses for work purposes, e-mail) takes place at the instruction of superiors and is performed by IT administrators.
  3. The user may not change his or her rights by themselves.
  4. Each user must have an individual identifier. It is prohibited to allow other persons to work using the account of another user.
  5. Work of many users using a joint account is prohibited.
  6. The user (of e.g. desktop computer, laptop, network drive, programmes which the user uses for work purposes, e-mail) starts work using the ID and password.
  7. The user is obliged to notify IT administrators about attempts by an unauthorized person to log into the system, if the system indicates that.
  8. If the user, while making an attempt to log in, blocks the system, he or she is obliged to notify the IT administrators thereof.
  9. The user is obliged to prevent unauthorized persons (e.g. clients, employees of other departments) from viewing data displayed on screens – the so-called Clean screen policy.
  10. Before temporarily leaving the work station, the user is obliged to trigger a password-locked screensaver or log out of the system. If she or he fails to do that, the system automatically activates the screensaver after 3 minutes.
  11. It is prohibited to run any application or program at the request of another person, unless such request has been verified by an IT department employee. This particularly applies to programmes sent via e-mail or in the form of an Internet link.
  12. After finishing work, the user is obliged to:
    1. log out of the IT system, and if required – turn off the computer equipment;
    2. secure the work station, in particular all magnetic and optical media on which personal data are located.

3 THE PASSWORD POLICY

  1. Passwords should consist of min. 12 characters.
  2. Passwords should contain capital letters + lowercase letters + numbers (or special characters).
  3. Passwords should be difficult to guess. They should not be commonly used words. In particular, one should not use as passwords: dates, first names and surnames of close relatives, names of animals, popular dates, popular words, typical sets: 123456, qwerty.
  4. Passwords should not be disclosed to other people. One should not write passwords down on cards or in notebooks, stick on the computer monitor, keep under the keyboard or in the drawer.
  5. If the password is revealed – it should be changed immediately.
  6. Passwords should be changed every 60/90 days.
  7. If the system does not enforce changing passwords, the user is obliged to change the password individually.
  8. The user of the system can change his or her password while working using the application.
  9. The user undertakes to keep the password confidential, even after such password is no longer valid.
  10. It is prohibited to use the same or similar terms on websites as in the computer system of the company.
  11. It is prohibited to use the same password as security in access to various systems.
  12. It is prohibited to create passwords in which one part remains unchanged and the other changes according to a predictable pattern (e.g. Anna001, Anna002, Anna003, etc.). One should not use passwords in which any of the parts of such password is the first name, name or number of the month or any other guessable word, etc.
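The password rules above (minimum length, character classes, banned common words, no first names or month names, no predictable variation of the previous password, rotation period) can be turned into an automated check. The following Python is an added example, not tooling from ACT Cielarska, Zioło Sp.j.; the word lists and the comparison against the previous password are assumptions used to make the rules testable.

```python
"""Checker for the password policy in section 3 of the Regulations (added example)."""
import re
from datetime import date
from typing import List, Optional

MIN_LENGTH = 12          # passwords should consist of min. 12 characters
MAX_AGE_DAYS = 90        # passwords should be changed every 60/90 days; 90 assumed here
# Constructed denylist of "typical sets" and common words; a deployment would use a larger list.
COMMON = {"123456", "qwerty", "password"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
NAMES = {"anna", "jan", "piotr"}    # constructed sample of first names (assumption)


def _same_stem(new: str, old: str) -> bool:
    """True when both passwords are the same text followed by a number (Anna001 -> Anna002)."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    return bool(m_new and m_old and m_new.group(1) and m_new.group(1) == m_old.group(1))


def check_password(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit_or_special = any(not c.isalpha() for c in pw)
    if not (has_upper and has_lower and has_digit_or_special):
        problems.append("needs capital letters, lowercase letters and numbers or special characters")
    low = pw.lower()
    if any(word in low for word in COMMON):
        problems.append("contains a commonly used word or typical set")
    # Month numbers are not checked: any digit pair would match and the rule would be useless.
    if any(word in low for word in NAMES | MONTHS):
        problems.append("contains a first name or month name")
    if previous is not None and _same_stem(low, previous.lower()):
        problems.append("predictable variation of the previous password")
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """When the system does not enforce rotation, the user must change the password individually."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    print(check_password("Anna002", previous="Anna001"))
    print(check_password("Tr0ut-Lamp-Orbit-99"))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```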

4 SECURING PAPER DOCUMENTATION CONTAINING PERSONAL DATA

  1. Authorized employees are obliged to use the so-called “Clean desk policy”. It consists in securing (locking) documents and media, e.g. in cabinets, desks, or premises, in order to protect them from theft or access of unauthorized persons after business hours or during working hours in the absence of the authorized employees.
  2. Authorized employees are obliged to destroy documents and printouts in shredders or to dispose of such in special, safe containers for safe disposal.
  3. It is prohibited to leave documents containing personal data outside protected premises, e.g. in corridors, photocopiers, printers, conference premises.
  4. It is prohibited to throw away undestroyed documents.

5 RULES FOR CARRYING MEDIA CONTAINING DATA OUTSIDE THE COMPANY/ ORGANIZATION

  1. Users may not carry outside the organization removable electronic data carriers containing personal data without the consent of the Employer/Principal. Such media include: removable hard disks, USB sticks, CDs, DVDs, Flash memory modules.
  2. Personal data carried outside the registered office of the organization must be encrypted (encrypted disks, encrypted files).
  3. One must ensure secure transportation of paper records in backpacks or briefcases.
  4. One must use reliable courier companies.
  5. In the event when the documents are carried by an employee, he or she is obliged to secure the transported documents against loss and theft.
  6. In the situation of transferring carriers containing personal data outside the premises of the organization, the following security principles may be applied:
    1. the addressee should be notified about the consignment;
    2. data before sending should be encrypted and the password given to the addressee by another route;
    3. use secure deposit envelopes;
    4. the consignment should be sent by courier.

6 RULES FOR USING THE INTERNET

  1. The user is obliged to use the Internet in the organisation exclusively for business purposes.
  2. It is prohibited to copy to a computer and run any illegal programs or files downloaded from an unknown source. Such files should be downloaded only with the consent of the person authorized to administer the IT infrastructure (e.g. ASI) and only in justified cases.
  3. The user is liable for damage caused by software installed from the Internet.
  4. It is prohibited to visit websites displaying criminal, hacking, pornographic or other content prohibited by law (on most websites of this type malware is installed which automatically infects the operating system of the computer).
  5. One should not enable autocompletion of forms and remembering passwords in the web browser options.
  6. In the case of using an encrypted connection through the browser, one should pay attention to the appearance of the appropriate icon (padlock) and the web address beginning with the phrase “https:”. In order to be sure, one should click on the padlock icon and check that the certificate is issued to the expected owner.
  7. One should exercise caution in the event of a suspicious request to log in to the website (e.g. a bank website, social network, e-store, email) or provide our logins and passwords, PINs, and payment card numbers via the Internet. This particularly applies to requests for such information by an alleged bank.
  8. It is prohibited to arbitrarily plug in modems, mobile phones and other access devices to computers (e.g.: type BlueConnect, iPlus, OrangeGo). It is also prohibited to use such devices in order to connect to the Internet when the computer of the user is connected to the corporate network.

7 RULES FOR USING ELECTRONIC MAIL

  1. Transmitting personal data by way of e-mail outside the organization may only be carried out by persons authorized to do so.
  2. In the case of transfer of personal data outside the organization, one should send encrypted/zipped files (e.g. with the use of 7-Zip, WinZip, WinRAR) secured with a password, where such password should be sent to the recipient by phone or text message.
  3. In the case of securing files with a password, a minimum number of characters (e.g. 12) is required, including uppercase and lowercase letters as well as numbers or special characters; the password should be sent in a separate e-mail or using another method, e.g. by phone or text message.
  4. The users should pay special attention to the correctness of the address of the recipient of the document.
  5. It is recommended that when sending personal data via e-mail the user should include in the content a request for confirmation of receipt and reading the information by the addressee.
  6. One should report suspicious emails to the IT specialist.
  7. The users should not circulate “non-standard” e-mails in the form of chain letters, e.g. Christmas Wishes addressed to 230 people.
  8. When sending e-mails to multiple recipients at the same time, one should use the blind carbon copy (“BCC”) field. It is prohibited to send e-mails to many recipients using the “CC” option.
  9. The users should delete unnecessary e-mails at regular intervals.
  10. Business e-mail accounts are separated from the private mail.
  11. Business e-mail is intended solely for the performance of official duties.
  12. It is prohibited to send business correspondence to private mailboxes of employees or other persons.
  13. The users have the right to use e-mail for private purposes only occasionally and this should be limited to the minimum necessary.
  14. It is prohibited for e-mail users to configure their e-mail accounts to automatically redirect messages to an external address.
  15. Using the e-mail for private purposes should not affect the quality and quantity of the work provided by the User, as well as the correct and reliable performance of his or her duties.
  16. When using the e-mail, the users are required to observe the industrial property and copyright law.
  17. The users do not have the right to use the e-mail to distribute content which is offensive, immoral, or inappropriate to the generally applicable rules of conduct.
  18. The user, without the consent of the Employer/Principal, has no right to send messages containing personal data related to the Employer/Principal, its employees, customers, suppliers, or contractors via the Internet, including using a private electronic mailbox.

8 ANTIVIRUS PROTECTION

  1. Users are required to scan files entered from external media with an antivirus programme if the antivirus system contains such feature.
  2. It is prohibited to disable the antivirus system during the operation of the IT system processing personal data.
  3. If the system is found to be infected or messages such as “Your system is infected!, install an antivirus programme” are displayed, the user is obliged to inform immediately the IT specialist or the authorized person.

9 AN ABRIDGED MANUAL FOR PROCEDURE IN THE EVENT OF INFRINGEMENT OF PERSONAL DATA PROTECTION

  1. Every person authorized to process personal data is obliged to notify the Employer/Principal in the case of identifying or suspecting a breach of personal data protection.
  2. Situations requiring notification include:
    1. improper physical protection of premises, equipment, and documents;
    2. improper protection of IT hardware and software against leakage, theft, and loss of personal data;
    3. non-compliance with the rules on the protection of personal data by employees (e.g. failure to comply with the clean desk/screen principle, protection of passwords, failure to lock premises, cabinets, or desks).
  3. Incidents requiring notification include:
    1. external extraordinary events (fire of the facility/premises, flooding, power loss, loss of communication);
    2. internal emergency events (failure of servers, computers, hard drives, or software, errors of IT specialists or users, loss or misplacement of data);
    3. intentional incidents (breaking into an IT system or premises, theft of data/hardware, information leakage, disclosure of data to unauthorized persons, deliberate destruction of documents/data, operation of viruses and other malicious software).
  4. Typical examples of incidents requiring a response:
    1. marks on doors, windows, and cabinets indicating an attempt to break in;
    2. records destroyed without the use of a shredder;
    3. physical presence in the building or premises of persons behaving suspiciously;
    4. an open door giving access to premises and cabinets where personal data is stored;
    5. positioning of monitors that allows third parties to view personal data;
    6. taking personal data in paper or electronic form outside the organization without the authorization of the Employer/Principal;
    7. allowing unauthorized persons access to personal data in paper, electronic, or oral form;
    8. telephone attempts to fraudulently obtain personal data;
    9. theft or loss of computers, CDs, hard drives, or USB sticks with personal data;
    10. e-mails encouraging the disclosure of an identifier and/or password;
    11. occurrence of a computer virus or non-standard behaviour of computers;
    12. system passwords displayed in proximity of the computer.

10 OBLIGATION TO MAINTAIN CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA

  1. Each of the persons permitted to process personal data is required to:
    1. process personal data only to the extent and for the purpose provided for in the tasks entrusted by the Employer/Principal;
    2. maintain confidentiality of personal data to which he or she has access in connection with the performance of tasks entrusted by the Employer/Principal;
    3. not use personal data for purposes incompatible with the scope and purpose of the tasks entrusted by the Employer/Principal;
    4. maintain confidentiality of methods of securing personal data;
    5. protect personal data against accidental or unlawful destruction, loss, modification, unauthorized disclosure, unauthorized access, and unauthorized processing.
  2. The person authorized to process personal data is required to read the content of these Regulations and, following the training on personal data protection, is obliged to sign the Letter of Confidentiality.
  3. It is prohibited to transmit personal data directly or by phone to unauthorized persons, persons whose identity cannot be verified, or persons pretending to be someone else.
  4. It is prohibited to transmit or disclose data to persons or institutions who are unable to demonstrate a clear legal basis to access such data.
  5. It is prohibited to disclose on newsgroups, internet forums, blogs, etc. any details related to the operations of the company, including information about the hardware and software used by the company, and contact information other than that publicly available in external materials.

11 DISCIPLINARY PROCEDURE

  1. Cases of unjustified failure to fulfill the obligations arising from this document shall be treated as a serious breach of employee duties or breach of the principles of cooperation.
  2. Conduct contrary to the above obligations may also be considered by the Employer/Principal as breach of criminal provisions contained in the EU General Data Protection Regulation of 27 April 2016.