Privacy policy

Information security policy:

Data controller The personal data controller is DIUNA Group sp. z o.o. with its registered office in Warsaw, address: ul. Słowicza 33, 02-170 Warsaw, entered into the Register of Entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number: 0000951792, NIP: 7010424337 For personal data protection matters, you can contact: GDPR@diuna.biz Purposes and basis of processing Personal data is processed in connection with the intention to establish a cooperation or acquire services or products for the following purposes:
  1. correspondence purposes in relation to services and products, including order processing (legal basis: Article 6(1)(f) of the GDPR);
  2. internal accounting and administrative purposes, including reporting and analysis, as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);
  3. evidence and archiving purposes in case of the need to establish facts and legal status, objections, complaints, disputes and legal proceedings as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);
Data is processed in electronic form. Recipients of data The recipients of the data are persons and entities to whom we outsource processing activities, in particular translators, proofreaders and other service providers. A detailed list of processors can be found below. Data storage period. We process data processed on the basis of a contract in accordance with the provisions of the contract and for the period of limitation of claims. We process data processed on the basis of consent until you withdraw your consent. We may process data processed on the basis of our legitimate interest as data controller for the duration of our interest or until you object to such processing. Handling client assets Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

GroupSourceBasis for processingTypes of dataStorageFormatAccess by  Transfer
Clients
Companies, institutions (contact persons)E-mail from clientperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfactionFull name, e-mail, phone number, Skype IDEmail, BMS – SpaceTMSdatabaseemployeesSpaceTMS, Microsoft356
Individual clientsE-mail from client, phone conversation, personal visit to the officeperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfactionFull name, address, phone number, e-mail, Skype ID, business name, NIP, RegonEmail, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file serverdatabase and electronic documents (invoices)employeesSpaceTMS, Microsoft356, Saldeo
Prospective clientscontact form on www.diuna.bizconsentFull name, e-mail, phone numberWordPress, email, CRM – Bitrix24databaseemployeesMicrosoft356
Suppliers
Suppliersrecruitment process – applicationperformance of contract under Article 6(1)(b)Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment detailsEmail, SpaceTMS (vendor owned account), Autenti, Saldeo, local file serverdatabase, documents (contracts)employeesMicrosoft356, SpaceTMS, Autenti, Saldeo
Employees
Employeesjob applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountemail, payroll system – Asseco, Bitrix24 (only name and contact information)documents, contractsGeneral Manager, Office Manager, HR Manageremail, file server
Apprentices and traineesapprenticeship applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountEmail, Bitrix24 (only name and contact information)documentsOffice Manager, Vendor Manageremail
Translated content
personal data in translated contentshared by clients via e-mail or otherwise (e.g. ftp)data processing agreementas per delivered contentEmail, SpaceTMS, translation memoriesdatabase, fileemployees, shared with vendors employed to do specific tasksemail, SpaceTMS

Data processing

TypeProviderEEA onlyBackupAccessScope of data
MailMicrosoft365– cloudYesProvider – 30 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
Mail 2Home.pl – cloudYesProvider – 3 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
File serverLocal onsiteYesDIUNAIn accordance with user rightsClient content in TM, vendor data (contracts and invoices)
PCLocal onsite / with userYesNOPersonal / passwordNo permanent storage, only for the time of processing, type of data depends on the role at DIUNA
Project management systemSpaceTMS.com – cloudYesProvider, weekly backupsPersonal / passwordClient data (including personal data), client content, vendor content (on accounts owned by vendors)
Translation management system™Trados – local file server Memsource – cloudYesDIUNA, ProviderIn accordance with user rightsClient content
Machine translation (MT)Tilde – cloudYesThrough translation management systemClient content
InvoicingSaldeo – cloud, outsourced accountantYesProviderAuthorised usersVendors’ personal data
CRM, internal communicationBitrix24 – cloudYesProviderAuthorised usersEmployees, trainees, apprentices – names, e-mails, phone numbers
Document editorsMicrosoft – OnedriveYesProviderIndividual usersClient content (only on client’s explicit request)
Agreement handlingAutenti Sp. z o.o.YesProviderIndividual users, managed rolesContractors data (clients and suppliers)
Marketing; marketing automationGetResponse S.A.NoProviderIndividual users, managed rolesClients, leads

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions: a) securing the IT resources against malware with a residential module that scans the entire computer system; b) updating the virus signature database on an ongoing basis; c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer. The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords are comprised of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges. Access to the network drive is password-protected and is protected by a VPN with additional password and certificates. Desktop workstations are protected with a firewall and anti-virus software.
    • Clean desk policy
    • Every employee is responsible for maintaining the confidentiality of the data to which they have access
    • The company provides regular information security trainings for the personnel
    • Every employee is obliged to protect their access information to IT systems
    • Unsecured confidential information may not be taken outside of the company premises. It is strictly forbidden to take confidential information on digital media (flash drives, CDs, etc.) outside of the company premises
    • Every new employee and service provider is obliged to agree to a non-disclosure agreement.
Protection of premises
    • Secure electronic lock with authorised use only
    • Barred windows
    • Fence with a gate locked with a padlock
Incident procedure
    1. Collection of evidence – identification and recording of information about the security incident
    2. Examination and analysis of the aforementioned information
    3. Documentation of the above steps

Breach protocol

    • Every employee who notices or suspects a personal data breach is obliged to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
    • If a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
    • The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company.
    • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it.
    • The data controller contacts external specialists, if needed.
    • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
    • When the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay.
Cookie policy Rights of the data subject Under the GDPR (General Data Protection Regulation), data subjects whose personal data is processed have a number of rights. Here are some of the key rights of data subjects in relation to data protection:
  1. Right to information: The data subject has the right to receive clear, comprehensible and exhaustive information about the processing of their personal data, such as the purpose of the processing, the categories of data, the storage period, and information about the controller.
  2. Right of access: The data subject has the right to obtain confirmation as to whether or not personal data is being processed and access to such data and information relating to it.
  3. Right to rectification of data: The data subject has the right to request the rectification or completion of their inaccurate or incomplete personal data.
  4. The right to erasure (the so-called “right to be forgotten”): The data subject may request the erasure of their personal data if there is a legitimate reason, e.g. when the data is no longer needed for the purposes for which it was collected.
  5. Right to restriction of processing: The subject has the right to request the restriction of the processing of their personal data in certain situations, for example in the case of verifying the accuracy of the data or objecting to the processing.
  6. Right to data portability: In some cases, the data subject has the right to receive their personal data in a structured format that is commonly used and machine-readable and to transmit this data to another controller.
  7. Right to object: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
For matters relating to the exercise of these rights, please contact: GDPR@diuna.biz Last update: April 2023

Information security policy:

Data controller

The personal data controller is DIUNA Group sp. z o.o. with its registered office in Warsaw, address: ul. Słowicza 33, 02-170 Warsaw, entered into the Register of Entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number: 0000951792, NIP: 7010424337

For personal data protection matters, you can contact: GDPR@diuna.biz

Purposes and basis of processing

Personal data is processed in connection with the intention to establish a cooperation or acquire services or products for the following purposes:

  1. correspondence purposes in relation to services and products, including order processing (legal basis: Article 6(1)(f) of the GDPR);
  2. internal accounting and administrative purposes, including reporting and analysis, as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);
  3. evidence and archiving purposes in case of the need to establish facts and legal status, objections, complaints, disputes and legal proceedings as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);

Data is processed in electronic form.

Recipients of data

The recipients of the data are persons and entities to whom we outsource processing activities, in particular translators, proofreaders and other service providers. A detailed list of processors can be found below.

Data storage period.

We process data processed on the basis of a contract in accordance with the provisions of the contract and for the period of limitation of claims.

We process data processed on the basis of consent until you withdraw your consent.

We may process data processed on the basis of our legitimate interest as data controller for the duration of our interest or until you object to such processing.

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

GroupSourceBasis for processingTypes of dataStorageFormatAccess by  Transfer
Clients       
Companies, institutions (contact persons)E-mail from clientperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfactionFull name, e-mail, phone number, Skype IDEmail, BMS – SpaceTMSdatabaseemployeesSpaceTMS, Microsoft356
Individual clientsE-mail from client, phone conversation, personal visit to the officeperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction

Full name, address, phone number, e-mail, Skype ID, business name, NIP, Regon

Email, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file serverdatabase and electronic documents (invoices)employeesSpaceTMS, Microsoft356, Saldeo
Prospective clientscontact form on www.diuna.bizconsentFull name, e-mail, phone numberWordPress, email, CRM – Bitrix24databaseemployeesMicrosoft356
Suppliers       
Suppliersrecruitment process – applicationperformance of contract under Article 6(1)(b)Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment detailsEmail, SpaceTMS (vendor owned account), Autenti, Saldeo, local file serverdatabase, documents (contracts)employeesMicrosoft356, SpaceTMS, Autenti, Saldeo
Employees       
Employeesjob applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountemail, payroll system – Asseco, Bitrix24 (only name and contact information)documents, contractsGeneral Manager, Office Manager, HR Manageremail, file server
Apprentices and traineesapprenticeship applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountEmail, Bitrix24 (only name and contact information)documentsOffice Manager, Vendor Manageremail
Translated content       
personal data in translated contentshared by clients via e-mail or otherwise (e.g. ftp)data processing agreementas per delivered contentEmail, SpaceTMS, translation memoriesdatabase, fileemployees, shared with vendors employed to do specific tasksemail, SpaceTMS

Data processing

TypeProviderEEA onlyBackupAccessScope of data
MailMicrosoft365– cloudYesProvider – 30 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
Mail 2Home.pl – cloudYesProvider – 3 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
File serverLocal onsiteYesDIUNAIn accordance with user rightsClient content in TM, vendor data (contracts and invoices)
PCLocal onsite / with userYesNOPersonal / passwordNo permanent storage, only for the time of processing, type of data depends on the role at DIUNA
Project management systemSpaceTMS.com – cloudYesProvider, weekly backupsPersonal / passwordClient data (including personal data), client content, vendor content (on accounts owned by vendors)
Translation management system™Trados – local file server Memsource – cloudYesDIUNA, ProviderIn accordance with user rightsClient content
Machine translation (MT)Tilde – cloudYes Through translation management systemClient content
InvoicingSaldeo – cloud, outsourced accountantYesProviderAuthorised usersVendors’ personal data
CRM, internal communicationBitrix24 – cloudYesProviderAuthorised usersEmployees, trainees, apprentices – names, e-mails, phone numbers
Document editorsMicrosoft – OnedriveYesProviderIndividual usersClient content (only on client’s explicit request)

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a residential module that scans the entire computer system; 

b) updating the virus signature database on an ongoing basis; 

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords are comprised of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is password-protected and is protected by a VPN with additional password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

  •  
    • Clean desk policy
    • Every employee is responsible for maintaining the confidentiality of the data to which they have access
    • The company provides regular information security trainings for the personnel
    • Every employee is obliged to protect their access information to IT systems
    • Unsecured confidential information may not be taken outside of the company premises.
      It is strictly forbidden to take confidential information on digital media (flash drives, CDs, etc.) outside of the company premises
    • Every new employee and service provider is obliged to agree to a non-disclosure agreement.

Protection of premises

  •  
    • Secure electronic lock with authorised use only
    • Barred windows
    • Fence with a gate locked with a padlock

 Incident procedure

  1.  
    1. Collection of evidence – identification and recording of information about the security incident
    2. Examination and analysis of the aforementioned information
    3. Documentation of the above steps
  1.  
  1.  

Breach protocol

  •  
    • Every employee who notices or suspects a personal data breach is obliged to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
    • If a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
    • The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company. 
    • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it. 
    • The data controller contacts external specialists, if needed.
    • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
    • When the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay.

Cookie policy

Rights of the data subject

Under the GDPR (General Data Protection Regulation), data subjects whose personal data is processed have a number of rights. Here are some of the key rights of data subjects in relation to data protection:

  1. Right to information: The data subject has the right to receive clear, comprehensible and exhaustive information about the processing of their personal data, such as the purpose of the processing, the categories of data, the storage period, and information about the controller.
  2. Right of access: The data subject has the right to obtain confirmation as to whether or not personal data is being processed and access to such data and information relating to it.
  3. Right to rectification of data: The data subject has the right to request the rectification or completion of their inaccurate or incomplete personal data.
  4. The right to erasure (the so-called “right to be forgotten”): The data subject may request the erasure of their personal data if there is a legitimate reason, e.g. when the data is no longer needed for the purposes for which it was collected.
  5. Right to restriction of processing: The subject has the right to request the restriction of the processing of their personal data in certain situations, for example in the case of verifying the accuracy of the data or objecting to the processing.
  6. Right to data portability: In some cases, the data subject has the right to receive their personal data in a structured format that is commonly used and machine-readable and to transmit this data to another controller.
  7. Right to object: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. 

For matters relating to the exercise of these rights, please contact: GDPR@diuna.biz

Last update: April 2023

Information security policy:

Data controller

The personal data controller is DIUNA Group sp. z o.o. with its registered office in Warsaw, address: ul. Słowicza 33, 02-170 Warsaw, entered into the Register of Entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number: 0000951792, NIP: 7010424337

For personal data protection matters, you can contact: GDPR@diuna.biz

Purposes and basis of processing

Personal data is processed in connection with the intention to establish a cooperation or acquire services or products for the following purposes:

  1. correspondence purposes in relation to services and products, including order processing (legal basis: Article 6(1)(f) of the GDPR);
  2. internal accounting and administrative purposes, including reporting and analysis, as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);
  3. evidence and archiving purposes in case of the need to establish facts and legal status, objections, complaints, disputes and legal proceedings as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);

Data is processed in electronic form.

Recipients of data

The recipients of the data are persons and entities to whom we outsource processing activities, in particular translators, proofreaders and other service providers. A detailed list of processors can be found below.

Data storage period.

We process data processed on the basis of a contract in accordance with the provisions of the contract and for the period of limitation of claims.

We process data processed on the basis of consent until you withdraw your consent.

We may process data processed on the basis of our legitimate interest as data controller for the duration of our interest or until you object to such processing.

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

GroupSourceBasis for processingTypes of dataStorageFormatAccess by  Transfer
Clients       
Companies, institutions (contact persons)E-mail from clientperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfactionFull name, e-mail, phone number, Skype IDEmail, BMS – SpaceTMSdatabaseemployeesSpaceTMS, Microsoft356
Individual clientsE-mail from client, phone conversation, personal visit to the officeperformance of contract under Article 6(1)(b) and legal interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction

Full name, address, phone number, e-mail, Skype ID, business name, NIP, Regon

Email, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file serverdatabase and electronic documents (invoices)employeesSpaceTMS, Microsoft356, Saldeo
Prospective clientscontact form on www.diuna.bizconsentFull name, e-mail, phone numberWordPress, email, CRM – Bitrix24databaseemployeesMicrosoft356
Suppliers       
Suppliersrecruitment process – applicationperformance of contract under Article 6(1)(b)Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment detailsEmail, SpaceTMS (vendor owned account), Autenti, Saldeo, local file serverdatabase, documents (contracts)employeesMicrosoft356, SpaceTMS, Autenti, Saldeo
Employees       
Employeesjob applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountemail, payroll system – Asseco, Bitrix24 (only name and contact information)documents, contractsGeneral Manager, Office Manager, HR Manageremail, file server
Apprentices and traineesapprenticeship applicationperformance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank accountEmail, Bitrix24 (only name and contact information)documentsOffice Manager, Vendor Manageremail
Translated content       
personal data in translated contentshared by clients via e-mail or otherwise (e.g. ftp)data processing agreementas per delivered contentEmail, SpaceTMS, translation memoriesdatabase, fileemployees, shared with vendors employed to do specific tasksemail, SpaceTMS

Data processing

TypeProviderEEA onlyBackupAccessScope of data
MailMicrosoft365– cloudYesProvider – 30 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
Mail 2Home.pl – cloudYesProvider – 3 daysPersonal, two-factor authenticationClient data (including personal data), client content, vendor data (including personal data)
File serverLocal onsiteYesDIUNAIn accordance with user rightsClient content in TM, vendor data (contracts and invoices)
PCLocal onsite / with userYesNOPersonal / passwordNo permanent storage, only for the time of processing, type of data depends on the role at DIUNA
Project management systemSpaceTMS.com – cloudYesProvider, weekly backupsPersonal / passwordClient data (including personal data), client content, vendor content (on accounts owned by vendors)
Translation management system™Trados – local file server Memsource – cloudYesDIUNA, ProviderIn accordance with user rightsClient content
Machine translation (MT)Tilde – cloudYes Through translation management systemClient content
InvoicingSaldeo – cloud, outsourced accountantYesProviderAuthorised usersVendors’ personal data
CRM, internal communicationBitrix24 – cloudYesProviderAuthorised usersEmployees, trainees, apprentices – names, e-mails, phone numbers
Document editorsMicrosoft – OnedriveYesProviderIndividual usersClient content (only on client’s explicit request)

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a residential module that scans the entire computer system; 

b) updating the virus signature database on an ongoing basis; 

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords are comprised of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is password-protected and is protected by a VPN with additional password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

  •  
    • Clean desk policy
    • Every employee is responsible for maintaining the confidentiality of the data to which they have access
    • The company provides regular information security trainings for the personnel
    • Every employee is obliged to protect their access information to IT systems
    • Unsecured confidential information may not be taken outside of the company premises.
      It is strictly forbidden to take confidential information on digital media (flash drives, CDs, etc.) outside of the company premises
    • Every new employee and service provider is obliged to agree to a non-disclosure agreement.

Protection of premises

  •  
    • Secure electronic lock with authorised use only
    • Barred windows
    • Fence with a gate locked with a padlock

 Incident procedure

  1.  
    1. Collection of evidence – identification and recording of information about the security incident
    2. Examination and analysis of the aforementioned information
    3. Documentation of the above steps
  1.  
  1.  

Breach protocol

  •  
    • Every employee who notices or suspects a personal data breach is obliged to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
    • If a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
    • The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company. 
    • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it. 
    • The data controller contacts external specialists, if needed.
    • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
    • When the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay.

Cookie policy

Rights of the data subject

Under the GDPR (General Data Protection Regulation), data subjects whose personal data is processed have a number of rights. Here are some of the key rights of data subjects in relation to data protection:

  1. Right to information: The data subject has the right to receive clear, comprehensible and exhaustive information about the processing of their personal data, such as the purpose of the processing, the categories of data, the storage period, and information about the controller.
  2. Right of access: The data subject has the right to obtain confirmation as to whether or not personal data is being processed and access to such data and information relating to it.
  3. Right to rectification of data: The data subject has the right to request the rectification or completion of their inaccurate or incomplete personal data.
  4. The right to erasure (the so-called “right to be forgotten”): The data subject may request the erasure of their personal data if there is a legitimate reason, e.g. when the data is no longer needed for the purposes for which it was collected.
  5. Right to restriction of processing: The subject has the right to request the restriction of the processing of their personal data in certain situations, for example in the case of verifying the accuracy of the data or objecting to the processing.
  6. Right to data portability: In some cases, the data subject has the right to receive their personal data in a structured format that is commonly used and machine-readable and to transmit this data to another controller.
  7. Right to object: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. 

For matters relating to the exercise of these rights, please contact: GDPR@diuna.biz

Last update: April 2023

small_c_popup.png

Zadaj nam dowolne pytanie – nasz konsultant skontaktuje się z Tobą szybciej niż możesz się tego spodziewać.

Szybki kontakt