SECURITY POLICY OF PERSONAL DATA PROTECTION in MTDI Group Spółka z ograniczoną odpowiedzialnością


    1. The document titled “Security Policy of Personal Data Protection” (hereinafter: “Security Policy”) was created to serve as a map of the requirements, rules and regulations of personal data protection in MTDI Sp. z o.o. (hereinafter: “MTDI”).

    2. The Security Policy includes:

      1. information about the personal data protection rules in the MTDI;

      2. references to the MTDI instructions on personal data protection that constitute attachments to this Security Policy.

    3. The Management Board of MTDI is responsible for implementing the Security Policy, and within the Management Board:

      • Member of the Management Board, who supervises the area of personal data protection i.e.: Mr. Marek Tryzybowicz;

      • a person designated by the Management Board to ensure compliance with the protection of personal data, i.e.: Mrs. Marta Szymańska – the proxy.

    4. The following are responsible for applying the Security Policy:

      • MTDI;

      • organizational unit responsible for the information security area;

      • other organizational units;

      • all staff members of the MTDI;

      • The MTDI should also ensure that contractors and co-operators comply with this Security Policy to the applicable extent in case of transfer of personal data.


    1. Security Policy – means this Security Policy of Personal Data Protection;

    2. GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

    3. Data – means personal data, unless the context requires otherwise;

    4. Data of special categories – means data listed in art. 9 par. 1 GDPR, that is, personal data revealing: racial or ethnic origin, political views, religious or ideological beliefs, trade union membership, genetic and biometric data or data on health, sexuality and sexual orientation;

    5. Processing entity – means an organization or person entrusted with the processing of personal data by the MTDI;

    6. Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

    7. Data export – means the transfer of data to a third country or an international organization;

    8. RPDP or Register – means the Register of Personal Data Processing;

    9. MTDI – means the MTDI Group Spółka z ograniczoną odpowiedzialnością.


    1. Pillars of protection of personal data in the Company:

      • Legality – the MTDI cares for the protection of privacy and processes data in accordance with the law;

      • Safety – the MTDI ensures an adequate level of data security;

      • Individual rights – the MTDI enables people whose data is processed to exercise their rights and implements these rights;

      • Accountability – the MTDI documents how it fulfills its obligations to be able to demonstrate compliance at any time.

    2. Data protection system in the MTDI

      1. Data inventory: the MTDI identifies personal data resources in the MTDI, data classes, dependencies between data resources, identification of data usage methods, including:

        • cases of processing of special category data;

        • cases of processing data of persons whom the MTDI does not identify;

        • profiling;

        • common data administration.

      2. Register: the MTDI develops and maintains the Register of Personal Data Processing. The Register is used to settle compliance with data protection in the MTDI.

      3. Legal basis: the MTDI provides, identifies and verifies the legal basis of data processing and registers it in the Register, including:

        • maintains a system for managing consents to data processing and remote communication;

        • inventories and details the justification for cases in which the MTDI processes data based on the legitimate interest of the MTDI.

      4. Servicing of individuals' rights: the MTDI fulfills its information obligations towards the persons whose data it processes and ensures that their rights are serviced by fulfilling the requests received in this regard, including:

        • information duties;

        • the ability to make requests;

        • handling of requests;

        • notification of violations.

      5. Minimization: the MTDI has principles and methods of minimization management, including:

        • principles of data adequacy management;

        • principles of regulation and management of access to data;

        • principles for managing the period of data storage and verifying further suitability.

      6. Safety: the MTDI ensures an adequate level of data security, including:

        • carries out risk analyses for data processing activities or their categories;

        • carries out impact assessments on data protection where the risk of violation of rights and freedoms is narrow;

        • adapts data protection measures to the specified risk;

        • has an information security management system;

        • applies a procedure to identify, assess and report an identified data breach to the Data Protection Authority.

      7. Processor: the MTDI has rules for the selection of entities processing data for the benefit of the MTDI, requirements as to the terms of processing, and rules for verifying the performance of entrustment agreements.

      8. Data export: the MTDI has rules for verifying that the MTDI does not transfer data to third countries or international organizations and ensures the lawful terms of such transfer, if it takes place.

      9. The MTDI manages changes affecting privacy. For this purpose the procedures for launching new projects and investments in the MTDI take into account the need to assess the impact of changes on data protection, risk analysis, ensuring privacy already in the design phase of changes, investments or at the beginning of a new project.

      10. The MTDI has the rules of verification when cross-border processing occurs and the principles of determining the leading supervisory body and the main organizational unit within the meaning of the GDPR.


    1. The Register is a form of documenting data processing activities; it serves as a map of personal data processing and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based, that is, the principle of accountability.

    2. The MTDI maintains a Register of Personal Data Processing in which it reviews and monitors the manner in which it uses personal data.

    3. In the Register, for each data processing activity which the MTDI considered to be separate for the needs of the Register, the MTDI records at least:

      • name of the activity;

      • the purpose of processing;

      • description of the category of persons;

      • description of the category of data;

      • the legal basis for the processing;

      • way of collecting data;

      • description of the categories of data recipients;

      • information about transfers outside the EU/EEA;

      • a general description of technical and organizational data protection measures.


    1. The MTDI documents in the Register the legal basis for data processing for particular processing activities.

    2. When indicating the general legal basis in the documents (consent, contract, legal obligation, vital interests, public task/public authority, legitimate purpose of the MTDI), the MTDI defines the basis in a precise and legible manner when it is needed.

    3. The MTDI has implemented methods of managing consents that allow registration and verification of a person's consent to the processing of their specific data for a specific purpose, consent to remote communication, and registration of refusal of consent, withdrawal of consent and similar activities.

    1. The MTDI cares about the clarity and style of information provided and communication with the people whose data it processes.

    2. The MTDI cares for keeping the legal deadlines for the performance of obligations towards persons.

    3. The MTDI has introduced adequate methods of identifying and authenticating persons for the purposes of implementing individual rights and information obligations.

    4. In order to implement the individual rights, the MTDI provides procedures and mechanisms for identifying data of specific persons processed by the MTDI, integrating these data, making changes to them and removing them in an integrated manner.

    5. The MTDI documents the servicing of information obligations, notifications and requests of persons.


    1. The MTDI complies with lawful information obligations.

    2. The MTDI informs the person about an extension beyond one month of the term for considering that person's request.

    3. The MTDI informs the person about the processing of their data when the data is not collected directly from the person concerned.

    4. The MTDI informs the person about the planned change of the purpose of data processing.

    5. The MTDI informs the person before repealing the restriction of the processing.

    6. The MTDI informs the recipients of the data on rectification, deletion or limitation of data processing, unless it is impossible.

    7. The MTDI informs the person about the right to object to the processing of data at the first contact with that person at the latest.

    8. The MTDI informs the person without undue delay about the violation of personal data protection if it may cause a high risk of violation of the rights or freedoms of that person.


    1. When implementing the rights of the persons concerned, the MTDI applies guarantees to protect the rights and freedoms of third parties. In particular, if it obtains reliable information that the execution of a person's request to issue a copy of the data or the right to transfer the data may adversely affect the rights and freedoms of other persons, the MTDI may ask the person to clarify doubts or take other permissible steps, including refusal to satisfy the request.

    2. The MTDI informs the person that it does not process data concerning them if such a person has made a request regarding their rights.

    3. The MTDI informs the person, within one month of receiving the request, of the refusal of the request and of the rights of the person related to it.

    4. At the request of a person regarding access to their data, the MTDI informs that person whether it processes their data and informs that person about the details of processing, in accordance with art. 15 GDPR, and also gives that person access to data concerning that person. Access to the data can be provided by issuing a copy of the data.

    5. At the request, the MTDI issues a copy of data concerning that person and notes the fact of issuing the first copy of the data.

    6. The MTDI corrects incorrect data at the request of a person. The MTDI has the right to refuse to rectify the data, unless the person reasonably demonstrates the incorrectness of the data whose rectification is requested.

    7. The MTDI supplements and updates data at the request of a person. The MTDI has the right to refuse to supplement the data if the supplemented data would be incompatible with the purposes of data processing.

    8. At the request of a person, the MTDI deletes data when:

      • the data is not necessary for the purpose for which it was collected or processed for other legitimate purposes,

      • the consent to their processing has been withdrawn, and there is no other basis for processing,

      • the person has effectively objected to the processing of these data,

      • the necessity of removal results from the legal obligation.


    1. The MTDI provides a level of security corresponding to the risk of violation of the rights and freedoms of individuals as a result of the processing of personal data by the MTDI.

    2. The MTDI analyzes possible situations and scenarios of personal data breach, taking into account the nature, scope, context and purposes of processing, the risk of violation of the rights or freedoms of individuals with different probability of occurrence and the severity of the threat.

    3. The MTDI applies a procedure to identify, assess and report identified data breaches to the Data Protection Authority within 72 hours from the determination of the infringement.


    1. The MTDI has the principles of selection and verification of units processing data for the MTDI designed to ensure that the processors provide sufficient guarantees to implement appropriate organizational and technical measures to ensure security, implementation of individual rights and other data protection obligations incumbent on the MTDI.

    2. The MTDI has adopted minimum requirements regarding the contract for entrusting data processing.

    3. The MTDI has adopted a draft of authorization for employees and associates processing data on behalf of the MTDI.


    1. The MTDI registers in the Register of Personal Data Processing cases of data export, meaning data transfer outside the European Economic Area.

    2. The MTDI periodically verifies the behavior of users and, where possible, provides equivalent solutions in compliance with data protection law to avoid unauthorized access.

Adopted on 25th May 2018