Appco

Terms and Conditions

DEFINITIONS


Whenever this regulation mentions:

1. Data Controller – refers to a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may also be determined by Union or Member State law. In this security policy, the Data Controller is understood to be the Municipal Cultural Centre in Leszno, hereinafter referred to as the "Controller".

2. Administrator of IT Systems (or "ASI") – refers to a person appointed by the Controller responsible for ensuring the efficiency, proper maintenance, and implementation of technical safeguards of IT systems, and ensuring that IT systems in which personal data are processed meet the requirements set out by law and regulation.

3. Personal Data (or "data") – refers to information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

4. Data Protection Officer (or "DPO") – refers to a person appointed by the Controller based on their professional qualifications, in particular, their expert knowledge of data protection law and practices and their ability to fulfil the tasks referred to in Article 39 of the GDPR, including:

  • informing and advising the Controller, processor, and employees who carry out processing of their obligations pursuant to this Regulation and other Union or Member State data protection provisions;
  • monitoring compliance with this Regulation, other Union or Member State data protection provisions, and the Controller’s or processor's policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations and related audits.

5. Authorised Person – refers to a person who has received written authorisation from the Controller to process data.

6. Data Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

7. Regulation – refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as GDPR.

8. Authorisation – refers to a statement issued by the Controller specifying the individual by name who has the right to process data within the scope indicated in the statement.

9. Data Set – means an ordered set of personal data available according to specific criteria, regardless of whether the set is centralised, decentralised, or functionally or geographically dispersed.

GENERAL PROVISIONS
§ 1
To ensure the protection of processed personal data both through IT systems and in paper form, the Controller has implemented a personal data processing security policy. This regulation, which comprises the provisions contained in the security policy and management instructions, is implemented to best acquaint employees and collaborators with the principles of personal data protection, useful for anyone processing data in the course of their daily professional duties.

INFORMATION AND IT SYSTEMS SECURITY ADMINISTRATOR
§ 2
1. The Controller may appoint a Data Protection Officer responsible for data processing in accordance with the law and regulation.
2. The Controller may appoint at least one deputy DPO.
3. The deputy DPO performs all duties within the DPO’s scope during their absence.

§ 3
The Controller may appoint an Administrator of IT Systems.

§ 4
In the absence of the appointment of a DPO or ASI, the Controller is responsible for ensuring proper adherence to personal data protection principles.

§ 5
1. In case of any doubts regarding the legality of planned data processing actions, one must refer to the DPO for clarification.
2. Until the DPO provides clarification on existing doubts, it is prohibited to collect and record personal data. If data related to the doubt is already in possession, all actions on the personal data must be suspended until the doubts are resolved.

AUTHORISED PERSONS FOR DATA PROCESSING
§ 6
1. The Controller is obliged to authorise each person permitted to process data.
2. Authorisation to process personal data expires upon the termination or expiration of the agreement concluded between the Controller and the person to whom it was granted, or if it was granted for a specific period, upon the expiration of that period.
3. A person authorised by the Controller does not have the right to grant further authorisations unless the authorisation to process personal data issued by the Controller includes authorisation to grant further authorisations.

§ 7
1. Everyone who processes personal data is obliged to keep personal data confidential to which they have both intentional and accidental access, including data security methods and any information obtained during data processing. The obligation to keep data confidential is indefinite.
2. During data processing, particular care must be taken to adopt all possible measures to secure and protect data from unauthorised access, modification, destruction, or disclosure.
3. Due diligence must be exercised when sending documents containing data via electronic communication means, ensuring that documents sent via email reach the intended recipient.
4. When sending compilations, lists, or other documents containing personal data via electronic communication means, the document must be encrypted, and the password should be sent, if possible, through a different electronic communication means.

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE CONFIDENTIALITY, INTEGRITY, AND ACCOUNTABILITY OF PROCESSED DATA
§ 8
1. All documents containing personal data are stored in locked cabinets and rooms.
2. The person holding the keys is obliged not to hand over the keys to buildings and rooms where data is processed to unauthorised persons and must take actions to eliminate the risk of their loss.
3. The person who loses keys to rooms where data is processed must immediately report this circumstance to the Controller.
4. The Controller takes all necessary technical and organisational measures to secure the room for which the keys were lost.

SECURITY MEASURES WHEN WORKING WITH DATA

§ 9
1. The person processing data must secure documents and electronic media with data in specially designated cabinets or rooms after completing their work.
2. Destruction of documents containing data occurs only using a shredder or through a company specialised in document destruction, under a personal data processing agreement.
3. Any document containing data and no longer needed is destroyed immediately.
4. Particular caution must be exercised when using multifunction devices. Documents copied or scanned must be removed from the multifunction device immediately after use. This also applies to documents generated from copying or scanning.
5. The presence of third parties in the area where data is processed is allowed only with the Controller's consent or in the presence of an authorised person.

PROCEDURES IN CASE OF THREAT TO THE SECURITY OF PROCESSED PERSONAL DATA OR VIOLATION OF DATA PROCESSING PRINCIPLES
§ 10
1. In the event of suspected violation of personal data security principles or breaches of security measures applied by the Controller to protect processed personal data, the DPO must be notified immediately, if appointed. If no DPO is appointed, the Controller must be informed immediately of the noticed or suspected violations.
2. In the case described in clause 1, the DPO conducts an ad hoc inspection. The inspection is conducted immediately.
3. During the inspection, the DPO has the rights indicated in the regulation of the Minister of Administration and Digitisation on the mode and manner of performing tasks to ensure compliance with personal data protection regulations by the information security administrator from 11 May 2015 (Journal of Laws 2015, item 745), in particular the right to:

  • record data from the IT system used for processing or securing on an IT data carrier or make a printout of these data;
  • obtain explanations from the person whose actions are covered by the inspection;
  • make copies of received documents;
  • make copies of the screen image of the device that is part of the IT system used for processing or securing personal data.

4. If no DPO is appointed, the Controller must conduct an investigative procedure to determine the effects and causes of the violation or threat to data security principles and methods of securing, corresponding to the actions taken by the DPO in the case of an ad hoc inspection.

PROCEDURES FOR GRANTING AUTHORISATIONS TO PROCESS DATA AND REGISTERING THESE AUTHORISATIONS IN THE IT SYSTEM
§ 11
A user of the IT system is granted access after:
1. Familiarising with the regulations regarding personal data protection.
2. Signing a statement of familiarisation with this personal data processing documentation.
3. Signing a statement of keeping information (including personal data), to which the user will have access during the performance of official duties or contractual obligations, confidential (including after the termination of the agreement between the parties), including refraining from using it for non-official purposes.
4. Receiving authorisation to process personal data.

PASSWORD POLICY
§ 12

1. Every user of the IT system must have a unique identifier and a self-created password authorizing their access to the IT system.
2. User passwords or other authentication data are subject to special protection.
3. The user is fully responsible for creating a password (except for the initial system password assigned by the IT system administrator) and its storage.
4. Every user with access to the data administrator's IT systems is obligated to:

  • maintain the confidentiality of all their passwords or other authentication data used for work in the IT system;
  • immediately change passwords in cases of suspicion or actual disclosure;
  • promptly change temporary passwords provided by the IT system administrator;
  • inform the IT system administrator and information security administrator of suspected or actual password disclosure;
  • use passwords with a minimum length of 8 characters, containing a combination of lowercase and uppercase letters, digits, and/or special characters;
  • use passwords that do not contain parts of the login;
  • use passwords that are not similar to previous ones (e.g., Tadeusz$2013 - Tadeusz$2014);
  • change passwords used no less frequently than once every 30 days.

5. Passwords maintain their confidentiality even after they are no longer in use.
6. Prohibited actions include:

  • saving passwords in a visible manner and placing them in locations accessible to others;
  • using passwords based on associations, easy to guess or deduce from information about a person, e.g., names, phone numbers, birthdates, etc.;
  • using the same passwords in different operating systems and applications;
  • sharing passwords with other users;
  • attempting to break passwords;
  • writing passwords "permanently" (e.g., in login scripts) and using auto-save password options (e.g., in web browsers);
  • after three incorrect password entries, the user is required to report this fact to the IT system administrator for the access password to be reset.

PROCEDURE FOR STARTING, SUSPENDING, CONDUCTING, AND TERMINATING WORK IN THE INFORMATION SYSTEM

§ 13

1. Starting work in the information system occurs after entering a unique identifier and password.
2. Suspending work in the information system, i.e., not performing any activities for a period of 5 minutes in the information system, automatically activates the system screensaver locked with a password. The application of this mechanism does not exempt the user from the obligation to lock the screen with a password-protected screensaver each time they leave their workstation.
3. In a situation where unauthorized individuals may have access to the data displayed on the monitor, it is necessary to temporarily change the display view on the monitor or turn the monitor (close the laptop screen) in a way that prevents viewing the displayed content.
4. Before ending work, make sure that the data has been saved to avoid data loss.
5. After completing work, the user is obliged to log out of the information system processing personal data and the operating system, secure information media (electronic and paper), and turn off the computer.
6. The user of the information system processing personal data must immediately notify the system administrator if:

  • The appearance of the system, its operation, the scope of data, or the way they are presented by the information system deviates from the standard state considered typical for that particular information system.
  • Some options available to the user in normal situations have become unavailable, or options unavailable to the user in normal situations have become available.

RULES FOR USING THE OFFICIAL EMAIL SERVICE

§ 14

1. The user is assigned a dedicated email mailbox address operating in the domain of the data administrator.
2. Information about the official email mailbox address is public and widely available, including on the website of the data administrator in the form of an address book.
3. The assigned user email mailbox address is used exclusively for official or contractual purposes. Correspondence conducted electronically using the data administrator's information systems is recorded and may be monitored. Information transmitted through the data administrator's network (including to and from the Internet) does not constitute the user's private property.
4. Any email correspondence conducted by an employee unrelated to the activities of the data administrator should be conducted through the user's private email mailbox.
5. Users have the right to use the email system for private purposes only occasionally and should be limited to the necessary minimum.
6. Using the email system for private purposes must not affect the quality and quantity of work performed by the user, or the proper and honest performance of their official or contractual duties, nor affect the efficiency of the email system.
7. Prohibited actions include:

  • Sending official materials to private accounts (e.g., for working on documents at home).
  • Using the email system for activities that may harm the image of the data administrator.
  • Receiving shipments from unknown sources.
  • Opening attachments with self-extracting or executable files such as exe, com, etc.
  • Sending executable files via email such as bat, com, exe, multimedia files, and image files.
  • Hiding or changing the sender's identity.
  • Reading, deleting, copying, or changing the contents of another user's mailboxes.
  • Responding to unsolicited advertising messages or chain emails and other forms of data exchange known as spam; in case of receiving such a message, it should be forwarded to the IT system administrator.
  • Using the official email address to register on commercial, informational websites, chats, or discussion forums that are not related to the scope of work performed or contractual obligations.
  • Using email for advertising private goods or services, commercial and service activities other than those required by the data administrator or for seeking additional employment.

RULES FOR USING THE PUBLIC NETWORK (INTERNET)

§ 15

1. Remote use of information systems via the public network may take place after implementing user authentication and encrypted transmission channels.
2. Remote access to servers for administrative purposes may take place after implementing user authentication and encrypted transmission channels.
3. User access to the public network (Internet) should be limited to the necessary minimum at a given workstation.
4. Complete restrictions are introduced on access to content deemed pornographic, racist, violent, related to crimes, as well as protocols enabling file sharing on networks in violation of the law.

PROCEDURES FOR HANDLING ELECTRONIC MEDIA OUTSIDE THE DATA PROCESSING AREA

§ 16

1. Each user of removable electronic media, remote access users to the data administrator's company network (VPN), and users of electronic access cards are fully responsible for the equipment entrusted to them and are obliged to adhere to the following rules:

  • Leaving unattended electronic media processing the data administrator's information in public places is prohibited.
  • Portable computers should be carried as carry-on baggage and, if possible, disguised.
  • When performing professional or contractual duties at home, the user should ensure the proper protection of the entrusted equipment and access to information against unauthorized access by third parties.
  • Eating and drinking while working with assigned equipment is prohibited.
  • Sharing electronic media information and entrusted company-owned equipment with third parties is prohibited.
  • In case of loss of electronic media or computer equipment, this fact should be reported immediately to the immediate supervisor or IT system administrator. The immediate supervisor or IT system administrator must immediately report this fact to the information security administrator, as losing media processing data may result in the loss of confidentiality of information protected by the data administrator.
  • Problems arising from the improper functioning of computer equipment should be reported to

USE OF COMPUTER EQUIPMENT, SOFTWARE, AND DATA MEDIA

§ 17

1. Computer equipment includes, among others:

  • Desktop computers,
  • Laptops,
  • Tablets,
  • Smartphones,
  • Printers,
  • Modems,
  • Monitors,
  • Routers,
  • Accessories provided together with the above-mentioned equipment or purchased separately, including power supplies, bags, keyboards, computer mice.

2. The administrator provides assistance to the user in operating the equipment and software.
3. In case of incorrect or improper use of computer equipment by the user, the IT system administrator informs the information security administrator about this.
4. The user is responsible for the care of the equipment and software, as well as for securing it against unauthorized use and protection against theft or loss.
5. The user cannot independently change the configuration of the provided computer equipment or install or uninstall software, including using private software on the provided equipment.



USE OF VOICE AND VIDEO COMMUNICATION DEVICES

§ 18

1. Each user is obliged to comply with the prohibition of conducting conversations during which personal data or confidential information may be exchanged with the data administrator, if these conversations take place in public places, open office spaces, or places that do not guarantee the confidentiality of conversations.
2. Using default ("factory") passwords for the above-mentioned devices is prohibited.
3. Printers cannot be left unattended if they are being used (or will soon be used) to print documents containing sensitive information.



PROTECTION AGAINST HARMFUL SOFTWARE

§ 19

1. Identified areas of the data administrator's IT system vulnerable to virus and other harmful software interference include hard drives or memory cards of devices, RAM memory, and electronic information media.
2. The pathway for viruses or harmful software to enter may be a public network, internal data network, or electronic information media.
3. System users are required to scan each external electronic information medium they intend to use.
4. In case of detecting a virus and inability to remove it by antivirus software, the user should contact the IT system administrator.

FINAL PROVISIONS

§ 20

1. Cases of unjustified failure to perform duties arising from this document will be treated as serious breaches of employee obligations or failure to fulfill obligations in cases other than employment relationships.
2. Matters not regulated in the regulations or security policy are subject to the provisions of universally applicable law, including in particular statutory provisions.

Appco logo

We are a trading company specializing in the sale of fruit and vegetable products, offering both B2B and B2C services.

Appco
AboutProductsContactPrivacy PolicyTerms and Conditions
Products
Concentrates
Purees
NFC Juices
Frozen Foods
Aromas
Contact
Appco Sp. z o.o.
Harfowa 8, 02-389 Warsaw, Poland
REGON: 525830459
NIP: 7011154822
KRS: 0001046643
Copyright © 2024 Appco. All rights reserved.