View cart 0 products | 0 €

    Polityka bezpieczeństwa RODO

    The objective of the Security Policy of La Lalla on-line store, operated by Monika Krawczyńska and Sandra Mianowska under a civil law partnership (La lalla S. C. Monika Krawczyńska, Sandra Mianowska), is to implement the rules and ensure the diligence required in the processing and protection of personal data in accordance with the law requirements, regarding the principles of their processing and security, including the Regulation of the European Parliament and the European Council (EU) 2016/679 of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of the directive 95/46/WE (further: “GDPR”).

     

    § 1. Definitions:

    Whenever the Security Policy refers to:

    1. Data Controller – should be understood as Monika Krawczyńska and Sandra Mianowska (La lalla S. C. Monika Krawczyńska, Sandra Mianowska), ul. Unisławy 13a, 71-402 Szczecin; phone number: 662 100 064; e-mail address: kontakt@la-lalla.pl;

    2. Personal Data – should be understood as any information regarding identified or any possible to identify natural person;

    3. Personal data processing entity – should be understood as a natural person or business unit that processes personal Data on behalf of a Controller pursuant to an agreement of entitlement to process personal data;

    4. Personal data processing – should be understood as an operation or set of operations performed upon personal Data by automated or non-automated means (i.e. by IT systems), such as collection, recording, organizing, ordering, storage, adaptation or alteration, downloading, reviewing, utilizing, disclosure by transmission, promulgating or other form of sharing, matching or combining, limiting, removing or destroying;

    5. Store – on-line store La Lalla, operated by the data Controller, operating under the domain //www.la-lalla.pl/;

    6. Third party – should be understood as a natural or legal person, public body, individual or entity other than the person that the data concerns, data Controller, personal data processing Entity or User that can process personal Data;

    7. IT System – should be understood as a set of hardware and software configured with the function of data processing, including automated processing of the personal Data, using computer technology, along with organizational and information elements, used by the Data Controller to run the Store;

    8. User – should be understood as a person that processes the personal data pursuant to an authorization given by the Data Controller;

    9. Personal data filing system – should be understood as any structural set of personal data, accessible according to specific criteria.

     

    § 2. General provisions

    1. Security policy concerns any personal Data processed by the data Controller, regardless of the processing form.

    2. The security policy has been prepared in written form and is kept at the registered office of the data Controller.

    3. Identical to written form, the electronic form of the Security Policy is available to processing Entities and Users, in order to acquaint with the principles of processing and securing personal Data used as part of the Store's activities by the data Controller.

    4. In order to implement and execute the Security Policy, the Data Controller provides:

      1. appropriate for threats and categories of Data protected by technical means and organizational solutions,

      2. control and supervision over the Processed personal Data,

      3. monitoring of applied security measures.

    5. Monitored by the Data Controller applied security measures includes, among others: supervision over Users' activities and control of processing entities; informing competent authorities about breaches of personal data security data protection rules; an analysis of the methods adopted to protect Personal Data, including ensuring file integrity and the effectiveness of data protection against external and internal attacks.

    6. The Data Controller shall take all appropriate steps that are expedient, reasonable and proportionate to ensure that the activities performed in regard to the processing and security of the personal Data are consistent with the Security Policy and the law.


    § 3. Processing of the personal data by the data Controller

    1. Personal data processed by the Controller are organized in the Data files.

    2. Processing of personal data by the data Controller shall not include activities that could involve high probability of high risk of violation of the rights or freedoms of persons that the Data concerns. In case of planning such action, the Controller shall perform the activities of impact assessment for data protection, referred to in Article 35 and n. of the GDPR.

    3. In the case of planning new processing activities of personal Data for purposes other than those for which they were obtained, the data Controller will obtain for these activities the subsequent consent from the person this Data concerns. At the same time, the data Controller will analyze their consequences for the protection of personal data and will take into account data protection issues in the phase of designing new activities.

    4. The data controller may keep a record of processing operations according to the template constituting Appendix no. 1 to the Security Policy.


    § 4. Security management of the persona Data

    1. Data controller, Processing Entity and Users are obliged to process personal Data in accordance with the applicable regulations and the Security Policy, the Instruction for Use of the IT System, as well as other internal documents and procedures related to the processing of personal data.

    2. The Instruction for Use of the IT System constitutes Appendix no. 2 to the Security Policy.

    3. Processing of any personal Data always requires the following rules to be observed in particular:

      1. processing of personal Data always requires presence of at least one of the bases for data processing provided by the provisions of the GDPR;

      2. Personal data are processed in accordance with the law, fairly and transparently for persons that the data concern;

      3. Personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes;

      4. Personal data is processed only to the extent necessary to achieve the purpose of data processing;

      5. Personal data is correct and updated if it is necessary;

      6. the storage duration of the Data is limited to the period of their usefulness for the purpose for which they were collected, and after this period they are anonymized or deleted, unless further processing is necessary due to the legitimate interests of the Store or Data Controller;

      7. towards persons that the Data concerns, it is always necessary to perform the information obligation in accordance with the content of Article 13 and Article 14 of the GDPR;

      8. The data is secured against the violation of the principles of its protection.

    4. Violation or attempted violation of the processing and protection of personal Data is:

      1. breach of IT Systems security in where the personal Data is processed;

      2. providing or assisting in providing the Data to unauthorized parties;

      3. omission, including inadvertent, of complying with the obligation to provide personal Data protection;

      4. failure to comply the confidentiality of Personal Data and the rules and methods of securing it;

      5. processing of Personal Data not in accordance with the intended scope and purpose for which it was provided;

      6. damage, loss, uncontrolled change or unauthorized copying of Personal Data;

      7. violation of the rights of persons that the Data concern, including in particular the rights referred to in Article 15-18 of the GDPR.

    5. In the event of the existence of an immediate risk of data breach or violation of personal data protection rules, the Data Controller, processing Entity or User is obliged to take all necessary actions to prevent the infringement and limit the consequences of possible violation.

    6. The Data Controller's obligations with regard to the employment of employees, based on employment contracts or civil law contracts, who will process Personal Data as part of their duties, include:

      1. appropriate training of employees regarding the regulations and rules of personal data protection, including familiarization with the Security Policy and the Instructions for Use of the IT System,

      2. granting employees written authorization to process data in accordance with the template constituting Appendix No. 3 to the Security Policy,

      3. collecting from employees the obligation to keep Personal Data secret.

    7. Users are obliged to:

      1. strict adherence to the scope of the granted authorization;

      2. processing and protection of personal Data in accordance with Data protection regulations and rules;

      3. confidentiality of personal data and ways to secure them;

      4. reporting violations and attempts to violate personal Data and other events that may affect data security, including in that field functioning of the IT System.


    § 5. Place of personal data processing

    Personal data shall be processed at the registered office of the data Collector and in all places used by the IT System, if it is necessary for its proper functioning.

     

    § 6. Technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed Data 

    1. The Data Controller ensures the application of technical and organizational measures necessary to ensure confidentiality, integrity, accountability and continuity of the processed Data.

    2. Applied protection measures should be adequate to the level of risk identified for individual systems, types of collections and categories of data.

    3. Necessary protection measures include:

      1. limiting access to the Controller's office excluding the Controller, processing Entities and Users, and their proper protection in the absence of such persons,

      2. ensuring strict control of unauthorized persons for processing personal Data during their presence at the Data Controller's office,

      3. use of lockable cabinets, drawers and safes for storing materials and media containing Personal Data,

      4. use of shredders for destroying materials and media containing Personal data,

      5. use of software to protect the local network against external interference and malware,

      6. creating backup copies of the Data,

      7. protection of the IT System against malware,

      8. limiting access to the IT System by means of individual accounts and passwords of processing Entities and Users,

      9. use of Data encryption in their transmission, as long as the transmission is associated with a serious probability of high risk of violation of the rights and freedoms of the persons that Data concern.

     

    § 7. Violation of personal data protection rules

    1. In case of a breach of personal Data protection, the data Controller assesses whether the breach has caused or could have caused a risk of violating the rights or freedoms of the persons that Data concern.

    2. If the breach caused a high risk of violation of the rights and freedoms of the persons that Data concerns, the Controller shall notify this person about the violation.

    3. If the breach has caused a risk of violating the rights or freedoms of the persons that Data concern, the Data Controller reports to the supervisory body that the data protection rules have been breached without undue delay – if possible, not later than 72 hours after the violation has been found, according to the template form set out in Appendix no. 4 to Security Policy.


    § 8. The entitlement of personal data processing

    1. The data controller can entrust Processing of the personal Data to other entity exclusively by way of a written agreement, provided that the entity provides sufficient guarantees to implement the appropriate technical and organizational measures to ensure that the Process meets the requirements of the provisions of the GDPR and protects the persons that Data concern.

    2. Before concluding the agreement of entitlement, the processing of personal Data, the data Controller, if possible, obtains information about the previous practices of the entity with whom the contract is to be concluded, in order to check whether this entity provides the guarantees referred to in paragraph 1.

    3. The agreement of entitlement to process personal Data shall be concluded according to the template constituting Appendix no. 5 to the Security Policy.

     

    § 9. Personal data transmission to a third country

    The data controller will not transfer personal Data to a third country, except in situations where it occurs at the request of the person that Data concerns.

     

    § 10. Final provisions

    1. Violation of the Security Policy by Users will result in liability specified in the Labor Code and regulations on personal Data protection.

    2. Violation of the Security Policy by processing Entity will result in liability specified in the Labor Code and regulations on personal Data protection.

    3. Appendixes to Security Policy are:

    1. the template of the Register of personal data processing activities – Appendix no. 1,

    2. Instructions for Use of the IT System – Appendix no. 2,

    3. template of the Authorization to process the personal data – Appendix no. 3,

    4. template of the violation of data protection rules Report to the supervisory body – Appendix no. 4,

    5. template of the Agreement of entitlement to process personal data – Appendix no. 5.

    1. The security policy enters into force from May 25, 2018.

    2. Personal data collected by the data Controller prior to the entry into force of the Security Policy from the date of its entry into force are subject to processing in accordance with the Security Policy.

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Monika Krawczyńska – the data controller

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Sandra Mianowska – the data controller

     

     


    Appendix no. 1 to Security Policy

     

    Registry of data processing activities

    1.

    Data controller – name and contact details

     

    2.

    Description of the category of persons that data concern

     

    3.

    Description of the personal data category

     

    4.

    The purposes of processing personal data

     

    5.

    Categories of recipients to whom the data is to be disclosed or can be disclosed 

     

    6.

    Information on the data transmission to a third country 

     

    7.

    Estimated data processing period/Planned date of data deletion 

     

    8.

    Description of organizational security measures

     

    9.

    Description of technical security measures 

     

     

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Monika Krawczyńska – the data controller

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Sandra Mianowska – the data controller

     

     


    Appendix no. 2 to Security Policy

     

    1. General provisions

    1. The purpose of Instructions for Use of the Information System used to operate the on-line store La Lalla, operated by Monika Krawczyńska and Sandra Mianowska, operating within the civil law partnership (La lalla S. C. Monika Krawczyńska, Sandra Mianowska), is to ensure the diligence required during the processing and protection of personal data in accordance with the requirements of law, regarding the principles of their processing and security, including the Regulation of the European Parliament and of the European Council (EU) 2016/679 from 27 April, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing the directive 95/46/WE (further: “GDPR”).

    2. The wording in this Manual in capital letters should be understood in accordance with the definitions given to them in the Security Policy, and in addition whenever this Manual refers to:

      1. Local network – should be understood as connecting the data Controller’s Systems for their own needs only with the use of devices and telecommunications networks,

      2. Data security in the IT system – should be understood as implementation and exploitation of technical and organizational measures ensuring data protection of processed data in the data Controller's IT System against their unauthorized processing by third parties,

      3. User identifier – should be understood as a string of letters, digits or other characters that uniquely identifies the Processing Entity or User in the data Controller's Data System in the event of Personal Data Processing in such System by that person,

      4. Password – should be understood as a string of letters, digits or other characters that only known to a person who is entitled to the use data Controller’s IT System.

     

    1. Granting rights to data processing in the Information System and registering these rights 

    1. The data Controller is responsibility for the safety of the personal Data in the IT System.

    2. To use the IT System to the extent to which it is used to Process Personal Data, only Users are allowed.

    3. After the person is authorized to access the processing of Personal Data in the IT System, a User Identifier is given to the person.

    4. At the moment of giving the Identifier, the person may access the IT System to the extent appropriate for the given authorization.

    5. For each person using the IT System, a separate Identifier and Password are set.

    6. The User Identifier cannot be changed, and after the User has been signed out from the IT System register, the Identifier cannot be assigned to another person.

    7. The identifier of a person who has lost the authorization to process personal Data is immediately signed out from the IT System register in which the Data is processed, while the Password is invalidated and other actions necessary to prevent further access to the IT System are taken.


    1. Methods and means of authentication and procedures for their management and use 

    1. The IT system uses authentication at the level of access to the operating system. Authorization of the authorized entity at the level of access to the operating system shall be carried out with the Password and Identifier.

    2. The passwords that enable access to the IT system are kept secret even after their expiration.

    3. The minimum password length is 8 alphanumeric characters and special characters.

    4. It is forbidden to use the Identifier or Password of the other person.

    5. For each person whose Personal Data is processed in the IT System, the system ensures recording:

      1. the date of the first data entry into the System,

      2. Identifier of the person introducing Personal data to the System,

      3. information about the recipients to whom the Personal Information has been disclosed.


    1. Procedures for starting, suspending and terminating work by system Users 

    1. A person entitled after starting work starts the workstation. Before starting the computer, check that no unidentified devices are connected to it. After starting, the employee logs in using the Identifier and Password to the IT System.

    2. During work each time the computer station is left, it is necessary to make sure that personal Data is not displayed on the screen.

    3. When leaving the computer station for a longer time, one should manually set the keypad lock and the screen saver (the screen saver is not less than the activating after 10 minutes of inactivity).

    1. Creating backup copy

    1. To protect data integrity, data is archived in the data Controller's IT System.

    2. DVDs with data from the system are used for archiving.

    3. All archived data should be identified, i.e. contain information such as the date of recording and the identifier stored in the copy.


    1. The manner, place and period of storage of electronic information media containing personal Data and backups 

    1. Media with archival copies should be protected against access by unauthorized persons, against damage or theft.

    2. Media with archived data should not be stored in the same rooms where the personal Data collection used on an ongoing basis is stored.

    3. Information media, backups that are not intended to be disclosed, are stored in conditions that prevent unauthorized access to them.

    4. Backups that are no longer useful should be physically destroyed or erased by repeatedly writing irrelevant information in the area filled by the deleted data.

    5. It is forbidden to carry any recorded media containing personal data from the workplace.

     

    1. The method of securing the IT System against malicious software, unauthorized access and power failures 

    1. The IT system is protected against the operation of software, the purpose of which is to obtain unauthorized access and against actions initiated from the external network. The security includes:

      1. Workstations:

    • an anti-virus system,

    • firewall,

    • encryption of data media,

    • Intranet:

    • an anti-virus system,

    • firewall,

    • Electronic mail:

    • data encryption,

    • an anti-virus and anti-spam system.

    1. The used IT System is automatically scanned at a specific frequency.

    2. The virus database is updated by automatically downloading the virus database by an anti-virus program.

    3. If a virus is detected:

      1. run an anti-virus program and check the system in use,

      2. remove a virus from the System using an anti-virus program.

    4. If the virus removal operation fails, then:

      1. finish work in the System,

      2. disconnect the infected computer from the network,

      3. notify the Data Controller about the situation.

    5. Devices and media containing Personal Data transferred outside the area in which they are processed is protected in a manner that ensures confidentiality and data integrity.

     

    1. Electronic mail

    1. Employees may use e-mail for business purposes to the extent limited by their duties.

    2. The data Controller can learn the content of electronic messages used by employees in all the data Controller's IT System.

    3. It is forbidden to open e-mails from unknown sender or with a questionable title (aka. phishing e-mail). In particular, it is forbidden to open links or download files saved in external communication from an unknown sender.

     

    1. Methods of implementing requirements of storing in the IT System 

    information about data recipients

    1. Information about data recipients is stored in the IT System from which the information was made available.

    2. Information about the recipient of the data is stored in the IT System, including the date and scope of disclosure, as well as the exact identification of the recipient of the data.

    3. It is possible to prepare and print a report containing, in a generally comprehensible form, the above information.

     

    1. Procedures for system maintenance and conservation and information media for data Processing 

    1. Only processors entities with whom agreements were concluded containing provisions requiring them to observe the confidentiality of information obtained in the course of performed tasks may be admitted to the IT system service.

    2. When servicing, please respect the following rules:

      1. service activities should be performed in the presence of an authorized person, for data processing,

      2. before starting service activities, data and programs located in the System should be protected against their destruction, copying or incorrect change,

      3. service activities should be recorded in the book containing the type of service activities performed, the start and end date of the service, the recording of persons performing maintenance activities, i.e. the name and surname, as well as persons participating in the maintenance work.

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Monika Krawczyńska – the data controller

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Sandra Mianowska – the data controller

     

    Szczecin, 23 May, 2018

    AUTHORIZATION FOR PROCESSING OF PERSONAL DATA
    no. . . . . . /. . . . .

    We hereby authorize Mr./Mrs. ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., holding positions of ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , to process personal data as part of our business in the form of a civil partnership in relation to the on-line store La Lalla, in the following*:

    without restrictions, data preview, data entry, data processing, data modification, data deletion.

    A. Period of authorization:
    l for the period of employment / cooperation with . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . to . . . . . . . . . . . . . . . . . . . . . . . . . including

    −−−−−−

    B. Scope of the authorization:

    l data processed on paper, l the IT system,
    1 data processed on digital media.

    * [leave relevant]

    ...................................

    Monika Krawczyńska – the data controller

    ................................... Sandra Mianowska – the data controller

    La lalla S. C. Monika Krawczyńska, Sandra Mianowska

    ul. Unisławy 13a 71-402 Szczecin

    President of the Office for Personal Data Protection
    above mentioned

    NOTIFICATION OF THE INFRARED BREACH OF THE PERSONAL DATA PROTECTION

    Acting pursuant to Article 33 of Regulation (EU) 2016/679 of the European Parliament and of the European Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (general regulation on data protection), I hereby report the incident of personal data breach.

    1. Data of the Personal Data Controller

    Monika Krawczyńska, Sandra Mianowska

    1. Place and date of the breach ...

    2. Category and approximate number of persons that data concern...

    3. Categories and approximate number of entries of personal data affected by the breach

    ...

    1. Description of the nature of the data protection breach ...

    2. Possible consequences of data breach ...

    3. Measures taken to minimize the potential negative effects of a data protection breach
      ...

    Szczecin, . . . . . . . . . . . . . . .

    ................................... ...................................

    Monika Krawczyńska – the data controller

    Sandra Mianowska – the data controller

    PERSONAL DATA PROCESSING OUTSOURCING AGREEMENT

    concluded in Szczecin on ...
    between
    Monika Krawczyńska and Sandra Mianowska, operating under a civil partnership under the name La lalla S. C. Monika Krawczyńska, Sandra Mianowska, further called: 
    “La lalla”, further called “data Controller”
    and
    _______, further called “processing Entity”,
    further collectively called “Parties”

    <span style="font-fam