Appendix to Resolution no 01/05/2018 of the Management Board of EKLEKTIKA sp. z o.o.  dated 16.05.2018

INFORMATION SECURITY POLICY AT EKLEKTIKA SP. Z O.O.

Chapter 1

General provisions

• 1. 1. Information protection policy at EKLEKTIKA sp. z o.o., henceforth referred to as ‘Policy’, regulates the rules of confidential information protection, including personal data processed at EKLEKTIKA sp. z o.o., henceforth referred to as “EKLEKTIKA”.

2. The policy lays down the rules for ensuring the protection of personal data processed in the following filing systems:

• traditional, in particular such as: files, catalogues, books, reports and other sets;
• in the IT system.

3. At EKLEKTIKA no data processing actions are undertaken that could entail a strong likelihood of high risk to the rights and freedoms of natural persons. Should such action be planned, the personal data Controller will perform the actions described in Art. 35 of regulation 2016/679.
4. When new data processing actions are planned at EKLEKTIKA, an analysis of their consequences for personal data protection is made.
5. EKLEKTIKA will not transfer personal data to a third country with the exception of situations when this is done at the request of the data subject.
6. EKLEKTIKA, in implementing the Policy, undertakes special diligence to protect the personal data of natural persons, and in particular to ensure that the data are:

• processed legally, fairly and transparently for the data subject;
• collected for specific, explicit and legitimate purposes;
• adequate to the purposes of their processing;
• correct and amended as needed;
• stored in the form that makes it possible to identify the data subjects no longer than is necessary to reach the goal of processing;
• processed in a way that ensures information security.

7. EKLEKTIKA, in implementing the Policy, aims to systematically update and modernize its technical and organizational data protection measures.

• 2. Whenever the Policy mentions:
• Personal data controller is understood to be EKLEKTIKA Spółka z ograniczoną odpowiedzialnością, with its registered office at Opaczewska 15/31, 02-368 Warszawa, entered into the National Court Registered maintained by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under KRS number 0000493181 (“Controller”).
• Regulation 2016/679 is understood to be Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the EU L 119 dated 4.05.2016, page 1);
• IT system is understood as the set of cooperating IT systems that is implemented at EKLEKTIKA, including in particular: devices, programs, program tools used to process data, including the data collected and the users of these systems;
• EKLEKTIKA’s collaborator is understood to be a person or an entity that works with EKLEKTIKA based on a civil law agreement;
• User is understood as a person who has been authorized by the Controller to process personal data at EKLEKTIKA, at the Controller’s request and within the scope indicated in the authorization, or as a collaborator of EKLEKTIKA who is authorized to process personal data at EKLEKTIKA based on an agreement;
• System user is understood to be a user who is authorized to process personal data in EKLEKTIKA’s IT system;
• Information security is understood as technical and organizational measures implemented by the Controller in order to secure and protect personal data from unauthorized processing;
• Electronic carriers are understood to be electronic personal data carriers such as CDs or DVDs, flash memory, hard disks or other devices/materials used to store files containing personal data;
• Paper carriers are understood to be personal data carriers in written form, containing personal data;
• Personal data protection is understood to be the implementation and exploitation of appropriate technical and organizational measures ensuring personal data protection against unauthorized processing.

• 3. The processing of the personal data of employees and other natural persons is connected to EKLEKTIKA’s business activity.

• 4. 1. An Instruction for the management of EKLEKTIKA’s data processing IT system is introduced, henceforth referred to as “Instruction”, which constitutes Appendix 1 to the Policy.

2. A record of personal data processing activities mentioned in Art. 30.1 of Regulation 2016/679 is maintained at EKLEKTIKA. The record is maintained in electronic form. A template of the data processing record constitutes Appendix no. 2 to the Policy.
3. The list of personal data filing systems, including a description of the structure of these filing systems that defines the content of individual data fields, programs used to process these data, links between systems and the manner of data flow between the individual systems is described in Appendix no. 3 to the Policy.

• 5. Data Controller performs the tasks specified in Regulation 2016/679 with the help of IT System Administrator, henceforth “ISA”.

2. The ISA manages user authorizations and ensures that the IT system is functional, conserved and has technical security measures implemented.
3. The ISA maintains a record of programs that are allowed for use at EKLEKTIKA as well as records and logs specified in the Instruction.

• 6. A user can be an employee or a collaborator of EKLEKTIKA.

2. The Controller issues a written authorization for personal data processing maintaining the principle of purposefulness and minimalism within the meaning of Regulation 2016/679.
3. A template of the data processing authorization constitutes Appendix no. 4 to the Policy.
4. Entrusting personal data for processing to EKLEKTIKA’s collaborators is based on an agreement as mentioned in Art. 28.3 of Regulation 2016/679.
5. A template of the data processing agreement constitutes Appendix no. 5 to the Policy.

• 7. 1. The Controller maintains a written record of users, including the electronic form, divided into users acting on the basis of authorization and collaborators.

2. A template of the user record constitutes Appendix no. 6 to the Policy.
3. Authorizations issued to EKLEKTIKA’s employees are stored in the employee’s personal files.

• 8. 1. The user, prior to being admitted to process personal data, is trained on personal data protection laws and the tasks and duties stemming from them.

2. The user undergoes a periodic training, as required due to changes in the IT system and to changes to data protection laws or internal regulations.
3. The training sessions are organized by the Controller.

• 9. 1. The processing of personal data in the scope necessary to perform the tasks mentioned in § 3 can only be entrusted to users who have filed declarations indicating that they have been trained on personal data protection, are familiar with the regulations in this area and undertake to maintain the secrecy of personal data processed at EKLEKTIKA and the manner in which they are protected.

2. A template of the declaration of a user who is an employee of EKLEKTIKA constitutes Appendix no. 7 to the Policy.
3. A template of the declaration of a user who is a collaborator of EKLEKTIKA constitutes Appendix no. 8 to the Policy.

• 10. Personal data protection rules are used as applicable in the protection of confidential information at EKLEKTIKA.

Chapter 2

Personal data protection rules

• 11. Personal data are stored for the period of their usefulness for the purposes for which they have been collected. After this period, they are anonymized or removed.

• 12. § 12. The information mentioned in Art. 13 and 14 of Regulation 2016/679 is provided to the data subject in written form, including the electronic form, at the request of the data subject, upon confirmation of their identity.

• 13. 1. A natural person consents to personal data protection in writing, including electronically. A template of a natural person’s data processing consent constitutes Appendix no. 9 to the Policy.

2. The consent mentioned in item 1 above also applies to a natural person applying for a job with EKLEKTIKA, with respect to personal data other than those specified in Art. 22¹ § 1 and 3 of the Labor Code.

• 14. 1. A natural person whose data are processed by the Controller has the right to audit their data included in the filing systems.

2. As requested by the data subject, the data are subject to rectification, erasure or limitation of processing. With respect to the data processed in the IT system, these actions are performed in accordance with the Instruction.
3. The obligation to provide information to the data subject as specified in Art. 19 of Regulation 2016/679 is realized in writing, including electronically.

• 15. 1. As requested by the data subject, in order to transfer the data, the data are released to the data subject or transferred to another controller.

2. Prior to the transfer of the data at the request of the data subject, the person’s identity is verified.

Chapter 3

Technical and organizational measures needed to ensure confidentiality and integrality of personal data processed

• 16. 1. The room where personal data is processed is secured against the access by unauthorized individuals during the absence of the user.

2. If the room, where unauthorized persons are met, is equipped with devices with access to database systems or traditional filing systems, special security measures must be applied, including:

• unauthorized individuals can remain in the room only in the presence of the user;
• traditional files must be secured against access by unauthorized individuals;
• paper and electronic carriers should not be left in places that make it possible for unauthorized individuals to use them;
• the computer monitor should be placed in such a way that the screen cannot be seen by unauthorized individuals;
• printers and other peripherals should be located away from spaces in which unauthorized individuals move.

3. The room where personal data are processed is locked with a key. During EKLEKTIKA’s working hours, the room may only be opened when the user is inside.
4. The list of buildings, rooms or parts of rooms that constitute the personal data processing area constitutes Appendix no. 10 to the Policy.

• 17. 1. Keys to rooms in which personal data are processed can only be taken by EKLEKTIKA employees who are authorized to process personal data.

3. Personal data stored on paper or electronic carriers are stored outside of business hours in cabinets locked by key or in the server room.
4. Only authorized individuals have access to the rooms where personal data is processed.
5. Service staff can be present in EKLEKTIKA’s premises only in the presence of an authorized individual.

• 18. 1. § 18. 1. IT system users have access to the personal data processed in it (including the electronic course log).

2. Access is only possible through an individual account, following system identification with the use of verification.
3. Users are obligated to secure the data needed for identification in the IT system against loss or takeover by an unauthorized individual.
4. Copying and printing information containing personal data from the IT system is only allowed at the Controller’s consent or express request.
5. Electronic carriers, including electronic copies, cannot be accessible to unauthorized individuals.
6. Personal data must be permanently removed from electronic carriers immediately following its use.

• 19. 1. In the case of approval or express request of the Controller, the personal data exported from the IT system onto mobile IT equipment can only be stored there for the period necessary for their use.

2. The personal data mentioned in item 1 above are removed immediately after their use.
3. The system user who does the printing is the owner of the document he or she creates.
4. Erroneous, excessive or otherwise unnecessary copies are immediately destroyed.
5. Printouts which are not filed are destroyed immediately after their use.
6. Everyone who notices a printout, data carrier or another document containing personal data left without supervision should secure it and transfer to the Controller.

• 20. 1. § 20. Printouts that contain personal data made from the IT system are subject to special protection; in particular, it is not allowed to:
• leave printouts containing personal data where they can be accessed by unauthorized individuals;
• put failed or trial printouts in the litter bin.

• 21. 1. Outdated or faulty paper and electronic carriers are destroyed by a committee in a way that makes processing impossible.

• 22. 1. The following measures are taken at EKLEKTIKA against unauthorized access to personal data files:
• terminal devices (computers, terminals, printers) can only be connected to EKLEKTIKA’s IT system by authorized individuals;
• the resources of the IT system that contain personal data (programs and databases) are made available to system users on the basis of personal data processing authorizations:
• the user is identified in the system with the use of verification;
• the user has a unique ID for which the user’s login times are recorded;
• keys to the rooms where personal data files are processed are only made available to authorized individuals;
• monitors at data processing workspaces are placed in a way that makes it impossible for unauthorized individuals to look at the screens;
• automatic screensaver and the blocking of unused equipment occur after 30 minutes;
• the password to the IT system must be changed every 30 days.

2. 2 The following measures are taken at EKLEKTIKA against unauthorized access to personal data files through the Internet:

• an internal LAN network that is logically separated from the external network in a way that makes it impossible to access the database from outside of EKLEKTIKA’s IT system;
• a network gate with a firewall with a system of network traffic analysis which prevents connections with protected computers and blocks undesired and potentially harmful traffic.

Chapter 4

Procedure in the event of a personal data breach

• 23. 1. § 22. 1. § 23. 1. Everyone who discovers or suspects a personal data breach at EKLEKTIKA must immediately notify the Controller.

2. An authorized person who has discovered or obtained information indicating a personal data breach must immediately:

1) write down all information and circumstances related to this event, in particular the exact time of obtaining the information about personal data breach, or discovering it;

2) if the resources of the IT system allow it, generate and print out all the documents and reports that could help determine all the circumstances of the event, date them and sign them;

3) begin identifying the type of the event, including obtaining written explanations from the person who disclosed the breach;

4) undertake adequate actions to prevent or limit access of unauthorized individuals, minimize losses and prevent the removal of evidence of a data breach.

3. When personal data protections have been restored, a detailed analysis is carried out to determine the type of personal data breach, or the suspected personal data breach, and to eliminate such events in the future.

• 24. 1. In every situation where a personal data breach resulted in the risk of a violation of the rights and freedoms of natural persons, the Controller shall with no undue delay – within 72 hours of the discovery of the breach when possible, notify the appropriate supervisory authority.

2. If the risk of a violation of natural persons’ rights and freedoms is high, the Controller shall, with no undue delay, notify the data subject. Such notification is made in writing, including electronically.

• 25. The Procedure for proceeding in the case of a personal data breach constitutes Appendix no. 11 to this Policy.

Appendix no. 11 to Information security policy

PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH

1. SCOPE OF THE PROCEDURE
   • The procedure lays down the rules to be followed by all the engaged in personal data processing in the event of the breach of security of such data, in line with the “Personal data breach catalog” which constitutes Appendix A to this Procedure.
   • The objective of this Procedure is laying down the actions to be undertaken when:
     • A personal data breach has been discovered.
     • In the case of data processed through traditional methods, the state of rooms, cabinets, doors, documents or other symptoms observed might indicate a personal data breach.
     • In the case of data processed through electronic methods, the state of the device, the contents of a file, the working practices discovered, the functioning of a program, the quality of communications or other symptoms observed might indicate a personal data breach.

2. SECURITY BREACH
   • A security breach is every discovered event of unauthorized disclosure of personal data, their disclosure or the act of making them accessible to unauthorized individuals, data collection by an unauthorized individual, damage or erasure, and in particular:
     • unauthorized access to data,
     • unauthorized data modification or destruction,
     • disclosure of the data to unauthorized entities,
     • illegal data disclosure,
     • obtaining data from illegal sources.

3. ACTIONS TO TAKE IN THE EVENT OF A BREACH
   • In the case a breach of security measures is discovered, or a situation occurs that might indicate such a breach, every employee engaged in personal data processing is obligated to interrupt personal data processing and to immediately notify the Personal Data Controller of this event, and then to follow the Controller’s decisions.
   • Collaborators should follow the provisions of the civil law agreement concluded by them with the Personal Data Controller, i.e. immediately submit a detailed written notification to the Controller, by electronic mail to the address: biuro@eklektika.pl and by phone to the number 22 6228669.
   • The notification of data security breach should be prepared in accordance with Appendix A, containing:
     • a description of the symptoms of the breach of personal data security measures,
     • a description of the situation in which and the time when the breach of personal data security measures has been discovered,
     • a description of all the relevant information that could indicate the cause of the breach,
     • a description of system security measures known to the given individual as well as all the steps undertaken upon discovering the event.

4. ACTIONS TO BE TAKEN BY PERSONAL DATA CONTROLLER
   • The Personal Data Controller or an authorized individual undertakes all the actions aimed at:
     • minimizing the negative consequences of the event,
     • explaining the circumstances of the event,
     • safeguarding evidence of the event,
     • making continued secure data processing possible.
   • In order to perform the tasks stemming from this Procedure, the Personal Data Administrator or an authorized individual has the right to undertake all actions allowed by the law, in particular:
     • to request explanation from employees / collaborators,
     • to use the aid of consultants,
     • to order that work be interrupted, especially with respect to personal data processing.

5. FINAL REPORT
   • The Personal Data Controller, having dealt with the personal security breach, prepares a final report which presents the causes and the consequences of the event, as well as conclusions, including with respect to human resources, which will limit the risk of recurrence. A template of the report constitutes Appendix B to this Procedure.
6. CONTROLLER’S INSTRUCTIONS
   • Instructions issued by the Personal Data Administrator or an authorized individual aimed at performing the actions stemming from this Procedure have priority status and should be performed before other instructions, to ensure personal data protection.
   • A failure to provide explanation or to cooperate with the Personal Data Controller or an authorized individual will be treated as a violation of the employee’s duties and can give grounds for civil law liability or disciplinary liability as laid down in the Labor Code; in the case of collaborators, it can give grounds for liability specified in the agreement.

APPENDIX A PERSONAL DATA BREACH CATALOG

APPENDIX B. PERSONAL DATA BREACH REPORT

Report created by:

First and last name:

………………………………………………………………………………………………………………………………………….

position:

………………………………………………………………………………………………………………………………………….

Division, room number, phone number

………………………………………………………………………………………………………………………………………….

Personal data breach code (use the table in Appendix A):

………………………………………………………………………………………………………………………………………….

1) Location, exact time and date of the personal data breach (floor, room number, hour etc.)

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

2) Individuals who have caused the breach (through their actions or failure to act):

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

3) Individuals involved in the personal data breach event:

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

4) Data that have or may have been disclosed:

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

5) Secured materials or other evidence connected to the event:

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

6) A short description of the personal data breach event (course of the event,

behavior of the participants, actions undertaken):

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

7) Conclusions:

………………………………………………………………………………………………………………………………………….

………………………………………………………………………………………………………………………………………….

………………………………………………………..

(city, date and hour)

………………………………………………………..

(signature)