Appco

Privacy Policy

The purpose of the Personal Data Protection Policy, hereinafter referred to as the Policy, is to implement and maintain the required personal data protection in accordance with the regulations of the European Parliament and Council Regulation (EU) 2016/679 of April 27, 2016, and the Personal Data Protection Act (Journal of Laws of 2018, item 100) in connection with the processing of personal data.

This Policy applies to personal data processed both traditionally in books, files, registers, and other record collections, as well as in IT systems. It pertains to existing and future collections of personal data. The procedures and principles outlined in this document apply to all persons authorised to process personal data, including employees, interns, and trainees.

The personal data processing area of **Appco** includes buildings located at Harfowa 8/1, Warsaw.

Definitions Used in the Personal Data Protection Policy:

1. Personal Data Administrator (PDA) in Appco
2. IT Systems Administrator (ISA) – a person responsible for managing the IT system used for processing personal data.
3. Personal Data – any information relating to an identified or identifiable natural person.
4. Personal Data Processing – the collection, recording, storage, processing, modification, deletion of personal data, especially in IT systems.
5. User – a person authorised to process personal data.
6. IT System – a system (devices, tools, programs) in which personal data are processed.
7. IT System Security – implementation of appropriate administrative measures and protection against modification, destruction, unauthorized access, and disclosure or acquisition of data, as well as their loss.
8. GDPR – Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC.
9. Personal Data Protection Act – the Act of May 10, 2018, on the protection of personal data (Journal of Laws of 2018, item 100).

1. PRINCIPLES OF PERSONAL DATA PROCESSING

1.1

The data administrator processes personal data:

  • Lawfully, fairly, and transparently for the data subject.
  • Lawfully, fairly, and transparently for the data subject.
  • Collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Adequately, relevantly, and limited to what is necessary for the purposes for which they are processed (data minimization).
  • Accurately and, where necessary, kept up to date
  • Stored in a form that allows identification of data subjects for no longer than necessary for the purposes for which the data are processed. In a manner ensuring the security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures.

1.2

To implement these principles, the data administrator processes data legally, based on the grounds described in Article 6 of GDPR. Personal data is collected adequately to the processing purposes and processed for a specified period. Concerning individuals whose data are processed, the administrator fulfills the information obligations specified in Articles 13 or 14 of GDPR and indicates their rights, such as:

  • Right of access to data
  • Right to rectification of data
  • Right to deletion of data
  • Right to object to processing
  • Right to restrict processing
  • Right to lodge a complaint with the supervisory authority

The data administrator ensures data protection when using the services of external entities by concluding appropriate data processing agreements and using service providers that fulfill GDPR obligations. In case of a technical or physical incident, the data administrator ensures the ability to quickly restore access to personal data.

1.3

Confirmation of fulfilling the information obligations by the data administrator is represented by informational clauses (Annex No. 1) provided to the persons whose data are processed. In the case of employees, this clause is presented to them and included in their personnel files. For clients and contractors, it is provided at the time of contract conclusion.

2. AUTHORIsATION TO PROCESS DATA

The data administrator ensures that only individuals with authorisation issued by the PDA (Annex No. 2) have access to personal data in Appco. Authorizations specify which operations users are permitted to perform, such as creating, deleting, viewing, transferring data, in which systems, and for how long. The data administrator maintains a register of authorized individuals (Annex No. 3).

3. SECURITY MEASURES

Taking into account the state of technical knowledge and the nature, scope, context, and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with varying likelihood,

4. REGISTER OF PROCESSING ACTIVITIES

The data administrator maintains a register of processing activities, which includes:

  • Name and contact details of the Administrator
  • Purposes of processing
  • Description of the categories of data subjects and categories of personal data
  • Categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations
  • Where applicable, transfers of personal data to a third country or international organization, including the name of the third country or international organization, and the documentation of appropriate safeguards where transfers under Article 49(1), second subparagraph of GDPR are involved
  • Where possible, the envisaged time limits for erasure of different categories of data
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of GDPR

5. INCIDENT HANDLING

The data administrator must inform all employees on how to handle any incidents of personal data protection breaches by introducing a personal data protection procedure. The procedure aims to fulfill the obligation arising from Article 33 of GDPR. It defines how to identify incidents threatening personal data security and how to respond and remedy them.

Each person authorised to process personal data is obligated to inform about the possibility of an incident or its occurrence. Such information should be reported to their supervisor, who then reports it to the data administrator or data protection officer.

Notifications require:

  • Inadequate electronic equipment or software security against data leakage, theft, and loss, sharing passwords with unauthorized persons
  • Inadequate physical security of premises, devices, and documents
  • Non-compliance with personal data protection principles by employees (e.g., failure to apply clean desk/screen policy, password protection, not locking rooms, cabinets, desks, safes, sticking password notes on boards at the workplace or in drawers)
  • Signs of attempted break-ins on doors, windows, and cabinets
  • Documentation containing personal data destroyed without using a shredder
  • Open doors to rooms, cabinets where personal data are stored
  • Presence of unauthorised persons in the unit
  • Poor positioning of monitors allowing unauthorised persons to view personal data
  • Taking personal data in paper and electronic form outside the unit without the data administrator's authorization
  • Server, computer, hard disk, software failure
  • Providing personal data to unauthorised persons
  • Phone attempts to disclose data
  • Theft, loss of phones, hard drives, USB drives with personal data
  • Emails urging disclosure of identifiers or passwords
  • Computer virus infection
  • Random events (fire, water damage, power outage, loss of connectivity)
  • System or premises break-ins
  • Data/equipment theft
  • Intentional document destruction

All incident occurrences must be reported to the IT systems administrator. Additionally, all these events should be documented – their consequences, corrective and preventive actions. If an incident results in a breach of the rights or freedoms of natural persons, the data administrator reports it within 72 hours to the President of the Personal Data Protection Office and, if required, notifies the persons affected by the incident.

"In case of a breach - act in accordance with applicable law."

6. PERSONAL DATA PROTECTION REGULATIONS AND INTERNAL TRAINING

The data administrator introduces the Personal Data Protection Regulations at Appco, Harfowa 8/1, 02-389 Warsaw, to ensure that individuals processing personal data have comprehensive knowledge about the principles of personal data processing within the company. Individuals familiarised with the regulations must confirm this by signing a statement acknowledging their understanding and commitment to adhere to its principles (Annex No. 4). Each person should be familiarised with the regulations before employment. The data administrator should ensure employees are trained on applying personal data protection, with attendance confirmed in writing on a prepared attendance list.

7. IT SYSTEM ADMINISTRATOR TASKS

The IT system administrator carries out tasks related to managing and supervising the data administrator's IT system. This includes:

  • Managing the IT system where personal data are processed, using access passwords for all workstations and the server
  • Preventing unauthorised access to the IT system where personal data are processed
  • Assigning each user a password to the IT system and removing user accounts according to the regulations
  • Conducting workstation training for employees on using computer equipment and familiarising them with company documents in this regard
  • Reporting to the data administrator on security breaches of IT systems and cooperating in addressing them
  • Supervising the repair, maintenance, and disposal of computer equipment containing personal data
  • Taking actions to ensure reliable power supply to computers and other devices affecting personal data processing security

8. PERSONAL DATA PROCESSING AGREEMENTS

When outsourcing personal data processing to external entities, the data administrator is obliged to conclude a personal data processing agreement. A register of such agreements should be maintained within the company.

9. CONTROL ACTIVITIES

Supervision and control over personal data protection are exercised by the data administrator.

A protocol is drawn up for control activities, detailing the scope of control and the activities carried out. The protocol is signed by the individuals conducting the inspection and control.

Appco logo

We are a trading company specializing in the sale of fruit and vegetable products, offering both B2B and B2C services.

Appco
AboutProductsContactPrivacy PolicyTerms and Conditions
Products
Concentrates
Purees
NFC Juices
Frozen Foods
Aromas
Contact
Appco Sp. z o.o.
Harfowa 8, 02-389 Warsaw, Poland
REGON: 525830459
NIP: 7011154822
KRS: 0001046643
Copyright © 2024 Appco. All rights reserved.