Personal Data Protection Policy

I INTRODUCTION

• This Data Protection Policy, together with its annexes, is the governing documentation at BRAD Consulting Sp. z o.o., the Operator of the WinWinBalance.com System and the WinWinBalance Application (the Entity), for implementing, adhering to, and verifying personal data protection principles.
• Each person responsible for implementing, maintaining, or monitoring personal data processing principles within the Entity, in particular representatives of the highest management and any Data Protection Officer, is obliged to familiarize themselves with this Data Protection Policy, adhere to it, and enforce its application within the Entity.
• The Data Protection Policy, together with its annexes, becomes effective on the day it is signed by individuals authorized to represent the Entity.
• Matters not regulated by the Data Protection Policy are governed by universally applicable law.

II REGISTRIES

The Entity maintains the following registries:

• Personal data processing activities registry – a record of the actions taken by the Entity on personal data, understood as a set of operations on data, performed by one or more persons, which can be defined collectively in connection with the purpose for which they are undertaken.
• Categories of personal data processing activities registry – a record of the services entrusted to the Entity and carried out on behalf of the administrator in connection with the entrusted data processing activities.
• Personal data breach registry – a record of detected breaches of personal data protection within the Entity.
• Personal data protection measures registry.
• Personal data recipients registry.
• Persons authorized to process personal data registry.
• Devices used for personal data processing registry.
• Applications used for personal data processing registry.

The Entity stores the aforementioned documents as annexes to this Data Protection Policy.

III PERSONAL DATA PROTECTION BREACHES

• The Entity implements a breach procedure, attached as an annex.
• The procedure applies to all individuals working or providing services within the Entity.
• The procedure applies whenever a breach of personal data protection, or a violation of the rights or freedoms of individuals whose personal data are processed, is detected.

The Entity stores the aforementioned documents as annexes to this Data Protection Policy.

IV INFORMATION OBLIGATIONS

• The Entity implements the application of information obligations, listed in the annex.
• Personal data processing without fulfilling the information obligation is prohibited unless it has been individually determined to exclude this obligation in a given case.

The Entity stores:
• information obligation templates as annexes to this Data Protection Policy,
• fulfilled information obligations along with the appropriate documentation (e.g., as an annex to the contract).

V AUTHORIZATIONS TO PROCESS PERSONAL DATA

• The Entity implements the application of authorizations to process personal data.
• Processing of personal data by unauthorized persons is prohibited.
• Authorizations are applied to employees.
• Authorizations can be applied to third-party individuals providing services for the Entity using the Entity’s tools (e.g., IT specialists on contract), but decisions in this regard should be made individually.

The Entity stores:
• authorization templates as annexes to this Data Protection Policy,
• granted authorizations in Part B of personal files and, in the case of individuals who are not employees, as annexes to the relevant cooperation contracts,
• authorization records in the registry of persons authorized to process personal data.

VI PERSONAL DATA PROCESSING OUTSOURCING AGREEMENTS

The Entity implements the use of personal data processing outsourcing agreement templates.
The administrator template is used in the case of entrusting the processing of personal data to external processing entities.
The processor template is used in cases where the Entity performs personal data processing activities entrusted by their external administrators.
The use of agreement templates provided by contractors is allowed, provided they are documented and accepted by the highest management or a designated person.
It is prohibited to entrust the processing of personal data without a proper data processing outsourcing agreement or another legal instrument, in line with Article 28 of the GDPR.
The Entity stores outsourcing agreement templates and concluded outsourcing agreements as annexes to this Data Protection Policy.

VII RISK ASSESSMENT

The Entity implements the principle of analyzing the risk of violation of the rights or freedoms of individuals whose personal data are being processed.
Risk assessment takes place on the terms established in the annex.
It is prohibited to implement new personal data processing activities, to introduce new resources for their processing, or to change personal data protection measures without a prior risk analysis or an update of the existing one.
The Entity is committed to keeping the risk analysis, available in the annex, up to date.
The Entity stores risk assessment documentation as annexes to this Data Protection Policy.

VIII ASSESSMENT OF IMPACTS ON PERSONAL DATA PROTECTION

The Entity implements the principle of monitoring personal data processing activities to determine whether they require a DPIA (Data Protection Impact Assessment).
Where an activity requires a DPIA, the template located in the annex is applied.
It is prohibited to implement new personal data processing activities without a prior risk analysis or an update of the existing one and, where that analysis confirms the necessity, without carrying out a DPIA.
The Entity keeps the template for the assessment of impacts on personal data protection and the documentation of completed assessments in the annex to this Data Protection Policy.

IX PERSONAL DATA PROTECTION MEASURES

Considering the recommendations from the risk analysis and the requirements established in Art. 32 of the GDPR:

The Entity implements the personal data protection measures listed in the annex – Register of protection measures. It is prohibited to implement changes in personal data protection measures without registering them. The Entity further commits to keeping the register up to date.
The Entity implements the procedures (organizational personal data protection measures) listed in the annex – Procedures. It is prohibited to implement changes in the implemented procedures without their adoption in accordance with the principles of representation. The Entity further commits to keeping the procedures up to date.
The Entity implements the register of devices and the register of applications used for processing personal data. It is prohibited to deploy devices or applications not registered in the aforementioned registers. The Entity further commits to keeping the registers up to date.
The Entity keeps the aforementioned documentation in the annex to this Data Protection Policy.

X MEASUREMENT AND TESTING

The Entity commits to regularly testing, measuring, and evaluating the effectiveness of personal data protection measures, in particular through:

• ongoing updates of the register of personal data protection breaches, the risk analysis, the register of personal data protection measures and implemented procedures, the device and application registers, the IT system review and maintenance register, and the register of significant activities in the IT system,
• performing audits of the personal data processing system,
• recording audits of the personal data processing system in the register of personal data processing system audits.

The Entity keeps the register of personal data processing system audits in the annex to this Data Protection Policy.

XI DATA PROTECTION OFFICER

The Entity has appointed a Data Protection Officer, in accordance with the document located in the annex to this Data Protection Policy.

XII MONITORING

The Entity does not use any form of monitoring.

XIII ANNEXES

The annexes to this Data Protection Policy form an integral part of it:

A – LIST OF ANNEXES A (basic documents):

Register of personal data processing activities,
Register of categories of personal data processing activities,
Register of personal data protection breaches,
Register of personal data protection measures,
Register of personal data recipients,
Information obligations,
Authorization for employees – template,
Authorization for persons employed under civil law contracts – template,
Agreement on entrusting personal data processing for the administrator – template,
Agreement on entrusting personal data processing for the processing entity – template,
Risk analysis – guiding document,
Risk matrices,
Data Protection Impact Assessment – template,
Statement on the appointment of the Data Protection Officer.

B – LIST OF ANNEXES B (procedures – organizational data protection measures):

Procedure for dealing with personal data protection breaches,
Privacy by default procedure,
Device and information carrier registration procedure,
Internet use procedure,
Procedure for using a company computer,
Procedure for using a company phone,
Procedure for using email,
Procedure for using portable devices,
Procedure for handling passwords and access files,
Procedure for entrusting personal data processing,
Privacy by design procedure,
IT system review and maintenance procedure,
Procedure for processing personal data in paper form,
Procedure for accepting personal data for processing,
Procedure for fulfilling the information obligation,
Procedure for deleting personal data,
Procedure for fulfilling data subject requests,
Backup creation procedure,
Procedure for providing access to personal data,
Procedure for accessing keys and premises,
Procedure for deleting devices and information carriers,
Access control procedure to the IT system,
Antivirus security procedure.

C – LIST OF ANNEXES C (additional documents):

Register of persons authorized to process personal data,
Register of audits of the personal data processing system,
Register of devices for processing personal data,
Register of applications for processing personal data,
Register of IT system reviews and maintenance,
Register of significant activities in the IT system.