Regulations of processing by ENAF Sp. z o.o. of the Personal Data entrusted by the Customer

 

§ 1. Definitions

The following terms shall have the following meaning for the purposes of the Regulations:

  1. GDPR – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  2. Services – any services rendered by ENAF for the benefit of the Customer based on purchase orders submitted by the Customer, in particular producing (printing) business cards, badges, stamps, stationery etc.;
  3. Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
  4. Personal Data – personal data as defined in Article 4 paragraph 1 of GDPR, which is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  5. Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  6. Supervisory Authority – independent public authority which is established by a member state pursuant to Article 51 of GDPR;
  7. Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  8. Processor – a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
  9. Third Country – a country not being a member of the European Economic Area (EEA);
  10. ENAF - company under the business name Enaf spółka z ograniczoną odpowiedzialnością with its registered seat in Warsaw, address: ul. Krakowiaków 16, 02-255 Warsaw, entered into the register of entrepreneurs of the National Court Register by the District Court for the capital city of Warsaw in Warsaw, XIII Economic Division of the National Court Register, under the KRS number: 0000142756, with the initial capital amounting to: PLN 400.000,00, NIP (tax identification number): 534-22-11-228;
  11. Customer - an entity which submitted to ENAF a purchase order for the Services;
  12. Regulations - the present document referring to rules of Personal Data Processing by ENAF, which after being accepted by the Customer in electronic form (in accordance with Article 28 paragraph 9 of GDPR) constitutes the Agreement concluded between ENAF (as the Processor) and the Customer (as the Controller);
  13. Agreement - an agreement for entrusting to ENAF (as the Processor) Processing of Personal Data by the Customer (as the Controller), concluded by acceptance of the Regulations by the Customer in electronic form (in accordance with Article 28 paragraph 9 of GDPR).

 

§ 2. Personal Data processed by ENAF on behalf of the Customer

  1. The Customer, acting as the Controller, based on Article 28 paragraph 3 of GDPR, entrusts to ENAF, acting as the Processor, Processing of the following categories of Personal Data:

a) name and surname;

b) professional position;

c) information about the employer or the other represented entity;

d) information about the capital group;

e) professional address;

f) e-mail;

g) mobile phone number;

h) fixed phone number;

i) fax number;

j) facial image (in case of a purchase order for products with photograph of a data subject);

k) other Personal Data to be put on products by ENAF, given freely by the Customer and specified in the purchase order;

for the purposes of rendering the Services to which ENAF shall be obliged based on the purchase order submitted by the Customer.

  2. ENAF, acting as the Processor, takes and accepts the entrusted Personal Data for Processing and shall be obliged to process them on behalf of the Customer on terms and conditions defined herein.
  3. Scope of the entrusted Personal Data shall be determined in each case by a purchase order submitted by the Customer to ENAF via dedicated IT system (on-line 5X9 system) or in any other form (via e-mail, by phone etc.).
  4. ENAF shall be entitled to perform on the entrusted Personal Data any automated or non-automated operations necessary and justified for rendering the Services, including in particular: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  5. The purpose of the Processing of the Personal Data is appropriate performance of the Services by ENAF, including proper production of all ordered products which may include the entrusted Personal Data. ENAF shall be entitled to process the Personal Data solely for those purposes as defined hereinabove.
  6. The Customer, acting as the Controller, declares and confirms that all Personal Data entrusted hereunder is collected and processed by the Controller lawfully and in compliance with all requirements resulting from GDPR. The Customer shall be obliged to cover all costs borne by ENAF as a result of collecting and / or Processing of the entrusted Personal Data by the Customer unlawfully, in particular contrary to GDPR.
  7. In accordance with Article 28 paragraph 3 point (g) of GDPR, the Customer shall entrust Processing of the Personal Data to ENAF hereunder till the end of the provision of the Services relating to Processing, meaning during the performance period of a particular purchase order submitted by the Customer as well as afterwards (as is necessary for proper performance thereof by ENAF, in particular for the purposes of correction of the invoice issued by ENAF or considering complaints made by the Customer), which is till the lapse of the time limit of 90 (ninety) calendar days from the last day of a calendar month during which a particular purchase order is performed.

 

§ 3. Sub-entrustment of Processing of the Personal Data by ENAF

  1. ENAF shall be entitled, with reference to the Personal Data entrusted to ENAF hereunder, to engage another Processor and to sub-entrust to such other Processor the Processing of the Personal Data without the necessity of obtaining prior specific written authorization of the Customer (as the Controller) (general written authorization of the Controller defined in Article 28 paragraph 2 of GDPR).
  2. The list of other processors to whom ENAF sub-entrusts Processing of the Personal Data shall be provided to the Customer, acting as the Controller, on request sent to the following address: rodo@enaf.pl. ENAF shall update the aforementioned list upon each such request, depending on the categories of the processed Personal Data.

 

§ 4. Obligations of ENAF

  1. ENAF shall be responsible for protection of the entrusted Personal Data.
  2. ENAF shall take all measures required pursuant to Article 32 of GDPR in order to ensure security of the Personal Data, including implementing all organizational and technical measures to ensure the protection of the rights of the data subject, as specified in Appendix no. 1 hereto.
  3. ENAF shall ensure all persons authorized to process the Personal Data have committed themselves to confidentiality of the processed Personal Data and security measures, during the performance period of purchase orders submitted by the Customer as well as after they have been performed. 
  4. ENAF, taking into account the nature of the Processing, assists the Customer (as the Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR.
  5. ENAF assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of Processing and the information available to ENAF.
  6. ENAF shall be obliged to make available to the Customer (as the Controller) all information necessary to demonstrate compliance with the obligations laid down in the present paragraph and allow for and contribute to audits, including inspections, conducted by the Customer (as the Controller) or another auditor mandated by the Customer (as the Controller), in accordance with the rules specified in § 5 hereof.
  7. With regard to item 6 of the present paragraph, ENAF (as the Processor) shall immediately inform the Customer (as the Controller) if, in its opinion, an instruction infringes the provisions of GDPR.
  8. ENAF shall notify the Customer of any administrative or court proceedings referring to the Processing of the Personal Data by ENAF, of any administrative or court decision referring to the Processing of the Personal Data by ENAF addressed to ENAF, as well as any inspection activities taken against ENAF by the Supervisory Authority, any results of such inspections, provided that they were conducted with reference to the Personal Data entrusted to ENAF hereunder.
  9. ENAF, after having become aware of any Personal Data Breach, shall be obliged without undue delay to notify such a breach to the Customer, describing in the notification:
    1. the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
    2. the likely consequences of the Personal Data Breach;
    3. the measures taken or proposed to be taken by ENAF to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

§ 5. Audit rights

  1. The Customer is entitled to conduct audits of Processing of the Personal Data in order to verify and inspect whether ENAF meets its obligations specified in § 4 hereof, according to the rules as provided hereinbelow in the present paragraph.
  2. The audits may be conducted after the Customer and another auditor mandated by the Customer have signed the confidentiality obligation in accordance with the specimen provided by ENAF.
  3. When conducting audits, the Customer and another auditor mandated by the Customer are forbidden to infringe confidentiality obligations or any other obligations resulting from any agreements concluded by ENAF with any third persons, or to infringe any principles of Processing of the Personal Data pursuant to GDPR in relation to Processing of the Personal Data entrusted to ENAF by third persons.
  4. The Customer shall be obliged to notify ENAF in writing of the scope and the date of each intended audit not later than 21 (twenty one) calendar days before the intended audit date.
  5. The parties to the Agreement determine the following rules of conducting audits:
    1. the Customer may demand that documents and information relating to Processing of the Personal Data be provided, and may carry out inspection activities in the location of Processing of the Personal Data entrusted hereunder, during working days (meaning days from Monday till Friday, except for statutory holidays) between 10:00 AM and 4:00 PM;
    2. the Customer authorizes its employees to conduct audits on its behalf.
  6. Inspection activities taken during the audits, specified in item 5 of the present paragraph, may consist solely in making:
    1. notes from taken activities (especially received explanations and visual inspections);
    2. copies of documents referring to Processing of the Personal Data entrusted hereunder;
    3. printing of the Personal Data entrusted hereunder from IT systems;
    4. screen printing monitor images from IT systems used for Processing of the Personal Data entrusted hereunder;
    5. copies of log records from IT systems as far as they refer to the Personal Data entrusted hereunder;

- with respect to the assets engaged in Processing of the Personal Data entrusted hereunder as well as within the scope necessary to demonstrate implementation of organizational and technical measures adequate to the risk by ENAF. ENAF shall have the right to refuse access to its assets, including IT systems, if it may cause any risk of access to (Processing of) the Personal Data entrusted to ENAF by third persons (in particular other customers of ENAF), not by the Customer.

  7. All costs of audits shall be borne solely by the Customer.
  8. The Customer shall provide ENAF with the audit report for approval. In case any inconsistency with the Regulations and / or any binding personal data protection provisions is indicated in the audit report approved by ENAF, ENAF shall implement necessary measures to ensure the Processing of the Personal Data in compliance with the Regulations and / or any binding personal data protection provisions.

 

§ 6. Liability

  1. ENAF shall be liable for damages caused by fault of ENAF to the Customer or third persons as a result of Processing of the Personal Data entrusted hereunder not in compliance with the Regulations.
  2. In the event of non-performance or improper performance of the Agreement by ENAF, ENAF shall bear liability on general terms, however the total amount of liability borne by ENAF, to the extent allowed by the binding provisions of law, shall not exceed the amount of PLN 50.000. Liability of ENAF for lost profits shall be excluded.

 

§ 7. Final provisions

Appendix no. 1 hereto, covering the list of organizational and technical measures implemented by ENAF in order to ensure security of the processed Personal Data, constitutes an integral part hereof.

 

 

Appendix no. 1 to the Regulations of processing by ENAF Sp. z o.o. of the Personal Data entrusted by the Customer

 

 

ENAF shall be obliged to implement the following organizational and technical measures to ensure security of Processing of the Personal Data entrusted to ENAF by the Customer under the Agreement:

1. Ensuring constant awareness of threats of cybercrime and improper data protection among ENAF’s personnel (employees and other persons on civil contracts) and teaching them methods of defense against threats.

2. Ensuring common and constant functioning of anti-virus software in ENAF’s IT systems, as well as appropriately configured software and locking devices in order to block suspicious operations in IT systems.

3. Prompt update of system and application software used by ENAF whenever a software patch improving safety or removing vulnerability to cyberattack is released by the software developer.

4. Securing wired and wireless computer network used by ENAF by ensuring suitable configuration of devices and systems that allows blocking suspicious data transmissions.

5. Premises, systems and software access management by an auditable process of granting, reviewing and revoking access and using secure authentication.

6. Strong data encryption of mobile devices (such as laptops, smartphones) and external storage cards, as well as strong encryption of communication via external public network (Internet) in case of transfer of the Personal Data entrusted to ENAF by the Customer.

7. Ensuring possibility of controlled implementation of changes in ENAF’s environment, preceded by formal testing and including post-deployment validation.

8. Storage of backups in safe locations, secured against unauthorized access.

9. Ensuring controlled information lifecycle management in electronic form and on durable medium, in particular secure collecting, processing, storage and erasure of information.

10. Supervising persons not being members of ENAF’s personnel and staying in the locations of ENAF in order to exclude their unauthorized access to the Personal Data processed by ENAF.

11. Adopting the appropriate personal data protection policy and other organizational policies in ENAF, regulating information safety, such as system management, notifying the Customer of the Personal Data Breach, compliant with the binding personal data protection provisions.

12. Ensuring a process for regularly testing (at least once a year), assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

13. Having and regularly testing emergency plans which, in case of circumstances or occurrences that make proper performance of the Agreement by ENAF impossible, shall ensure ENAF business and performance continuity, in particular emergency plans covering methods of restoring the availability and access to the Personal Data, securing against loss of the Personal Data caused by power failure, other breakdowns, accident, disruptions, activities of third persons or any other random events.


Contact address:

Enaf Sp. z o.o.
Szarych Szeregów 2
05-820 Piastów