Privacy policy

Information security policy

Data controller

The personal data controller is DIUNA Group sp. z o.o. with its registered office in Warsaw, address: ul. Słowicza 33, 02-170 Warsaw, entered into the Register of Entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number: 0000951792, NIP: 7010424337

For personal data protection matters, you can contact: GDPR@diuna.biz

Purposes and basis of processing

Personal data is processed in connection with the intention to establish cooperation or to acquire services or products, for the following purposes:

  1. correspondence purposes in relation to services and products, including order processing (legal basis: Article 6(1)(f) of the GDPR);
  2. internal accounting and administrative purposes, including reporting and analysis, as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);
  3. evidence and archiving purposes in case of the need to establish facts and legal status, objections, complaints, disputes and legal proceedings as part of a legitimate interest (legal basis: Article 6(1)(f) of the GDPR);

Data is processed in electronic form.

Recipients of data

The recipients of the data are persons and entities to whom we outsource processing activities, in particular translators, proofreaders and other service providers. A detailed list of processors can be found below.

Data storage period

Data processed on the basis of a contract is processed in accordance with the provisions of the contract and for the limitation period of claims.

Data processed on the basis of consent is processed until you withdraw your consent.

Data processed on the basis of our legitimate interest as data controller may be processed for as long as that interest exists or until you object to such processing.

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

Group: Clients

Companies, institutions (contact persons)
  Source: E-mail from client
  Basis for processing: performance of contract under Article 6(1)(b) and legitimate interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction
  Types of data: Full name, e-mail, phone number, Skype ID
  Storage: Email, BMS – SpaceTMS
  Format: database
  Access by: employees
  Transfer: SpaceTMS, Microsoft 365

Individual clients
  Source: E-mail from client, phone conversation, personal visit to the office
  Basis for processing: performance of contract under Article 6(1)(b) and legitimate interest under Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction
  Types of data: Full name, address, phone number, e-mail, Skype ID, business name, NIP, REGON
  Storage: Email, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file server
  Format: database and electronic documents (invoices)
  Access by: employees
  Transfer: SpaceTMS, Microsoft 365, Saldeo

Prospective clients
  Source: contact form on www.diuna.biz
  Basis for processing: consent
  Types of data: Full name, e-mail, phone number
  Storage: WordPress, email, CRM – Bitrix24
  Format: database
  Access by: employees
  Transfer: Microsoft 365

Group: Suppliers

Suppliers
  Source: recruitment process – application
  Basis for processing: performance of contract under Article 6(1)(b)
  Types of data: Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment details
  Storage: Email, SpaceTMS (vendor-owned account), Autenti, Saldeo, local file server
  Format: database, documents (contracts)
  Access by: employees
  Transfer: Microsoft 365, SpaceTMS, Autenti, Saldeo

Group: Employees

Employees
  Source: job application
  Basis for processing: performance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)
  Types of data: Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, PESEL, bank account
  Storage: email, payroll system – Asseco, Bitrix24 (only name and contact information)
  Format: documents, contracts
  Access by: General Manager, Office Manager, HR Manager
  Transfer: email, file server

Apprentices and trainees
  Source: apprenticeship application
  Basis for processing: performance of contract under Article 6(1)(b) and statutory obligation under Article 6(1)(c)
  Types of data: Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, PESEL, bank account
  Storage: Email, Bitrix24 (only name and contact information)
  Format: documents
  Access by: Office Manager, Vendor Manager
  Transfer: email

Group: Translated content

Personal data in translated content
  Source: shared by clients via e-mail or otherwise (e.g. FTP)
  Basis for processing: data processing agreement
  Types of data: as per delivered content
  Storage: Email, SpaceTMS, translation memories
  Format: database, file
  Access by: employees; shared with vendors employed to do specific tasks
  Transfer: email, SpaceTMS

Data processing

Mail
  Provider: Microsoft 365 – cloud
  EEA only: Yes
  Backup: Provider – 30 days
  Access: Personal, two-factor authentication
  Scope of data: Client data (including personal data), client content, vendor data (including personal data)

Mail 2
  Provider: Home.pl – cloud
  EEA only: Yes
  Backup: Provider – 3 days
  Access: Personal, two-factor authentication
  Scope of data: Client data (including personal data), client content, vendor data (including personal data)

File server
  Provider: Local onsite
  EEA only: Yes
  Backup: DIUNA
  Access: In accordance with user rights
  Scope of data: Client content in TM, vendor data (contracts and invoices)

PC
  Provider: Local onsite / with user
  EEA only: Yes
  Backup: No
  Access: Personal / password
  Scope of data: No permanent storage, only for the time of processing; type of data depends on the role at DIUNA

Project management system
  Provider: SpaceTMS.com – cloud
  EEA only: Yes
  Backup: Provider, weekly backups
  Access: Personal / password
  Scope of data: Client data (including personal data), client content, vendor content (on accounts owned by vendors)

Translation management system
  Provider: Trados – local file server; Memsource – cloud
  EEA only: Yes
  Backup: DIUNA, Provider
  Access: In accordance with user rights
  Scope of data: Client content

Machine translation (MT)
  Provider: Tilde – cloud
  EEA only: Yes
  Backup: –
  Access: Through translation management system
  Scope of data: Client content

Invoicing
  Provider: Saldeo – cloud, outsourced accountant
  EEA only: Yes
  Backup: Provider
  Access: Authorised users
  Scope of data: Vendors’ personal data

CRM, internal communication
  Provider: Bitrix24 – cloud
  EEA only: Yes
  Backup: Provider
  Access: Authorised users
  Scope of data: Employees, trainees, apprentices – names, e-mails, phone numbers

Document editors
  Provider: Microsoft – OneDrive
  EEA only: Yes
  Backup: Provider
  Access: Individual users
  Scope of data: Client content (only on client’s explicit request)

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a resident module that scans the entire computer system;

b) updating the virus signature database on an ongoing basis;

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords consist of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is password-protected and additionally protected by a VPN that requires its own password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

  • Clean desk policy
  • Every employee is responsible for maintaining the confidentiality of the data to which they have access
  • The company provides regular information security training for the personnel
  • Every employee is obliged to protect their access credentials to IT systems
  • Unsecured confidential information may not be taken outside of the company premises. It is strictly forbidden to take confidential information on digital media (flash drives, CDs, etc.) outside of the company premises
  • Every new employee and service provider is obliged to sign a non-disclosure agreement

Protection of premises

  • Secure electronic lock, authorised use only
  • Barred windows
  • Fence with a gate locked with a padlock

Incident procedure

  1. Collection of evidence – identification and recording of information about the security incident
  2. Examination and analysis of the aforementioned information
  3. Documentation of the above steps

Breach protocol

  • Every employee who notices or suspects a personal data breach is obliged to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
  • If a data breach is confirmed, no actions may be taken that could impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
  • The data controller analyses the situation and decides on further steps, taking into consideration the risks to the proper and continued operation of the company.
  • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it.
  • The data controller contacts external specialists, if needed.
  • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the data subject without undue delay.

Cookie policy

Rights of the data subject

Under the GDPR (General Data Protection Regulation), data subjects whose personal data is processed have a number of rights. Here are some of the key rights of data subjects in relation to data protection:

  1. Right to information: The data subject has the right to receive clear, comprehensible and exhaustive information about the processing of their personal data, such as the purpose of the processing, the categories of data, the storage period, and information about the controller.
  2. Right of access: The data subject has the right to obtain confirmation as to whether or not personal data is being processed and access to such data and information relating to it.
  3. Right to rectification of data: The data subject has the right to request the rectification or completion of their inaccurate or incomplete personal data.
  4. Right to erasure (the so-called “right to be forgotten”): The data subject may request the erasure of their personal data if there is a legitimate reason, e.g. when the data is no longer needed for the purposes for which it was collected.
  5. Right to restriction of processing: The subject has the right to request the restriction of the processing of their personal data in certain situations, for example in the case of verifying the accuracy of the data or objecting to the processing.
  6. Right to data portability: In some cases, the data subject has the right to receive their personal data in a structured format that is commonly used and machine-readable and to transmit this data to another controller.
  7. Right to object: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. 

For matters relating to the exercise of these rights, please contact: GDPR@diuna.biz

Last update: April 2023
