Security policy - the name of the Entity.
 
DEFINITIONS

Policy: this Policy for processing personal data in the Exorigo-Upos Group S.A.

Administrator: Grupa Exorigo-Upos S.A. (Kolejowa 5/7, 01-217 Warszawa), entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Department of the National Court Register under KRS number: 0000216709, Tax Identification Number: 9281838767, REGON: 971302261.
Personal data: information about an identified or identifiable natural person (the data subject). An identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name, identification number, location data, internet identifier or one or more specific factors determining the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.


RODO: Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Data subject: every natural person whose personal data is processed by the Administrator in connection with the activity conducted by him, e.g. a person entering restricted access areas in the Administrator's locations, a person with whom the Administrator binds or orders a contract in the form of an e-mail.


INFORMATION ON PROCESSING OF PERSONAL DATA BY THE ADMINISTRATOR
The Personal Data Administrator collects and processes personal data in accordance with applicable law, including in particular the RODO, for the purpose of conducting business activity.
The Administrator applies the principle of transparency of personal data processing. Data subjects are informed about the processing of their data at the latest at the time of collection; they are also informed of the purpose and legal basis of the processing, e.g. when concluding a contract for the sale of goods or services.
The Administrator makes sure that the principle of personal data minimization is respected in the Company. Data is collected to the extent necessary for the indicated purpose of processing, and processed only for a minimum retention period. In order to speed up and improve the service of its clients, the Administrator obtains from them personal data that are not necessary, for example, to perform the contract concluded with them (such as a phone number or e-mail address) only with their consent, and before collecting such data informs clients that providing them is voluntary.
The Administrator provides an adequate level of security and confidentiality of the personal data processed by him. In the event of an incident related to the security of personal data, the Administrator informs the persons whose personal data are concerned about the event, in a manner consistent with the law.

CONTACT ON MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA
The data administrator has appointed the Data Protection Officer, who can be contacted:
a) by e-mail ................... .
b) by mail to the address ...................... with the note "personal data protection".
SECURITY OF PERSONAL DATA
Procedures introduced by the Administrator ensure an appropriate level of confidentiality and integrity of personal data processed by him. Only persons who are properly trained and have appropriate authorizations can access personal data. The administrator applies organizational and technical solutions to ensure that all operations on personal data are registered and made only by authorized persons.
The administrator takes the necessary steps when selecting the processors and other subcontractors, so that the level of personal data protection of these entities is sufficient.
The administrator conducts risk analysis on an on-going basis and monitors the adequacy of data security measures applied to the identified threats. If necessary, the Administrator implements additional measures to increase data security.

OBJECTIVES AND LEGAL BASIS OF DATA PROCESSING BY THE ADMINISTRATOR
Contact details
The administrator uses the contact details provided by the clients (e-mail address, telephone number) in order to implement the contracts concluded with them. This data can also be used for marketing purposes (informing about new products or services), but only after prior consent to contact for such a purpose.
All personal data contained in both traditional and electronic correspondence and collected by telephone contact addressed to the Administrator in matters not related to the provision of services to the sender are used exclusively for communication with the sender of the message. In such a case, providing certain data is required by the Administrator only if it is necessary for the above purpose, and failure to provide such data results in the inability to settle the matter. In the above case, the legal basis for data processing is the legitimate interest of the Administrator (Article 6 (1) letter f of the RODO), consisting in handling the correspondence addressed to him in connection with his business.
The administrator ensures that the amount of data processed in the correspondence is consistent with the principle of data minimization and that only authorized persons have access to it.
Telephone calls can also be recorded - in this case, information about the recording is provided at the beginning of the conversation. Calls are recorded in order to verify the quality of the service provided and the work of consultants, as well as for statistical purposes. Recordings are also used to register complaints or the expression (or withdrawal) of consent to receive marketing content. The recordings are available only to authorized employees of the Administrator and persons servicing the Administrator's hotline.

VIDEO MONITORING AND ADMISSION CONTROL
In order to ensure the safety of persons and property, the Administrator uses video monitoring and controls access to buildings managed by the Administrator. Data in the form of camera images are not used for any other purpose.
Personal data in the form of recordings from monitoring and personal data collected in the register of entries and exits are processed in order to ensure security and order on the premises and possibly to defend or pursue claims. Refusing to provide data in the form of an image results in the impossibility of staying on the premises of the Administrator. The basis for the processing of personal data is the legitimate interest of the Administrator (Article 6 paragraph 1 point f of the RODO) consisting in ensuring the Administrator's security and protection of his rights.
In order to inform people entering the premises of the Administrator, information that a given facility is covered by video monitoring is posted in prominent places.

RECRUITMENT
The Administrator processes personal data provided by potential employees in the recruitment process. The scope of data which the Administrator expects from job candidates does not exceed the catalog included in the labor law. However, when a potential job applicant provides a range of data greater than that required by applicable law, it is presumed that he has consented to the processing of this data. Such consent may be withdrawn at any time, without affecting the legality of the processing carried out prior to its withdrawal. If the submitted applications contain information that is inadequate for the purpose of recruitment, it will not be used or included in the recruitment process.
Personal data is processed:
1. in order to perform duties resulting from the provisions of law - the Labor Code, and more specifically related to the employment processes. The legal basis for the processing is the legal obligation incumbent on the Administrator (Article 6 (1) (c) of the GDPR in relation to the provisions of the Labor Code)
2. in order to carry out the recruitment process in the field of data not required by the provisions of the Labor Code, as well as for the purposes of future recruitment processes - the legal basis for processing is consent (Article 6 paragraph 1 point a of the RODO)
3. to establish or pursue possible claims or defend against such claims - the legal basis for data processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the RODO).
To the extent that personal data are processed based on the expressed consent, it may be withdrawn at any time, without affecting the legality of the processing carried out prior to its withdrawal.
The retention period for consent for the purposes of future recruitment has been set at two years. After this time, the data will be deleted.
Collection of data in connection with the provision of services or the performance of other contracts
In the event of data collection for purposes related to the execution of a specific contract, the Administrator provides the data subject with detailed information regarding the processing of his personal data at the time the contract is concluded.

COLLECTING DATA IN OTHER CASES
In connection with the conducted activity, the Administrator collects personal data also in other cases - e.g. during business meetings, at industry events or through exchange of business cards - for purposes related to establishing and maintaining business contacts. Personal data is provided in such cases on a voluntary basis. The legal basis for processing is in this case the legitimate interest of the Administrator (Article 6 (1) letter f of the RODO), consisting in creating a network of contacts in connection with the conducted activity.
Personal data collected in such cases are processed only for the purpose for which they were collected, and the Administrator provides them with adequate protection.
DATA RECIPIENTS
Personal data may be transferred to entities that process personal data at the request of the Administrator, including IT service providers - where such entities process data on the basis of a contract with the Administrator and only in accordance with the Administrator's instructions.
Personal data may be disclosed to the competent authorities or to a third party where, in requesting the disclosure of such information, they refer to an appropriate legal basis and the disclosure is in accordance with the applicable law.

TRANSMISSION OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
1. cooperation with entities, processing personal data in countries for which an appropriate decision of the European Commission has been issued
2. use of standard contractual clauses issued by the European Commission
3. application of binding corporate rules, approved by the competent supervisory authority
4. in the event of data transfer to the USA - cooperation with entities participating in the Privacy Shield program, approved by the European Commission.
The administrator always informs about the intention to transfer personal data outside the EEA at the collection stage.


PERIOD OF PROCESSING OF PERSONAL DATA
The period of data processing by the Administrator depends on the purpose of processing.
Agreement
If the basis of the processing is the necessity to conclude and perform the contract, the personal data will be processed until its completion. If the processing is based on consent, personal data is processed until the consent is withdrawn.

The rule of law
Where the legal basis is the law, the period for the processing of personal data also results from specific provisions.
LEGITIMATE INTEREST OF THE ADMINISTRATOR
In the case of data processing on the basis of the legitimate interest of the Administrator, personal data are processed for a period enabling that interest to be pursued or until an effective objection to the processing of data is raised.
Protection against claims
The data processing period may be extended if the processing is necessary to establish, investigate or defend against any claims, and after this period, only in the case and to the extent that the law will require it.
If the retention period has expired, personal data shall be deleted or anonymized without delay.


POWERS RELATED TO THE PROCESSING OF PERSONAL DATA
Rights of data subjects
The data subjects have the following rights:
1. The right to information about data processing - on the basis of a request submitted by the person concerned, the Administrator provides information about the processing of personal data, in particular about the purposes and legal grounds of processing, scope of data held, entities to which they are disclosed and the date of their removal;
2. The right to obtain a copy of data - on this basis, the Administrator provides a copy of the data processed concerning the person making the request;
3. Right to rectify - the Administrator is obliged to remove any incompatibilities or errors of personal data being processed and to supplement them if incomplete;
4. Right to delete data - on this basis, you can request deletion of data, the processing of which is no longer necessary to carry out any of the purposes for which they were collected;
5. The right to limit processing - in the event of such a request, the Administrator ceases to conduct operations on personal data, except for operations agreed to by the data subject and their storage, in accordance with accepted retention rules or until the reasons for limiting data processing cease to exist (e.g. a decision of the supervisory authority is issued, allowing further processing of data);
6. The right to data transfer - on this basis, to the extent to which personal data are processed in connection with the concluded agreement or consent, the Administrator will provide personal data provided by the person concerned in a format that allows their reading by a computer. It is also possible to request that the data be sent to another entity - provided, however, that there are technical possibilities in this regard, both on the part of the Administrator and that other entity;

7. Right to object to the processing of data for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;
8. Right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data on the basis of the Administrator's legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this respect should contain a justification;
9. Right of withdrawal - if personal data are processed on the basis of the expressed consent, the data subject has the right to withdraw it at any time, but this does not affect the legality of the processing carried out prior to the withdrawal of the consent;
10. The right to complaint - in the event that the processing of personal data is found to violate the provisions of the GDPR or other provisions on the protection of personal data, the data subject may file a complaint to the President of the Office of Personal Data Protection.

REPORTING REQUESTS RELATED TO THE IMPLEMENTATION OF RIGHTS
An application for the exercise of the rights of data subjects may be submitted:
1. in writing, by traditional mail, to the address: ............................ "Data Protection Supervisor" or
2. via e-mail to the following address: ................................................
The response to the application should be given within one month of its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant about the reasons for such extension.