PERSONAL DATA SECURITY POLICY
OF THE RETURN TO AFRICA FOUNDATION
The Personal Data Security Policy, hereinafter referred to as the Policy, has been prepared in connection with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter: GDPR) and the Act on the Protection of Personal Data.
This document constitutes a set of coherent, precise rules and procedures according to which the Return To Africa Foundation (hereinafter: the Foundation or the Entity) builds, manages, and makes available its resources, information systems, and IT systems. It establishes the actions to be carried out and the manner in which the principles and rules of conduct necessary to ensure the proper protection of the processed personal data are established. The Policy sets out the principles of security in processing personal data, which should be observed and applied by all persons processing personal data within the Entity, along with reference to the appropriate legal bases. The Policy governs the principles of organizing work with personal data records processed in the IT system and by traditional methods. It also describes security threats to the processed personal data and the methods of responding to security breaches.
This document also serves an informative and educational function by presenting the obligations and responsibilities of persons involved in personal data processing.
The Foundation applies measures adequate to the situation to ensure information security.
Supplementing and completing this Policy is the Instruction for Managing the IT System Used for Personal Data Processing (Appendix No. 1), establishing the method of managing the IT system used for personal data processing.
The principles of personal data processing are in particular regulated by:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- The Act on the Protection of Personal Data of 10 May 2018.
ADO – Administrator of Personal Data, being the body, organizational unit, entity, or natural person deciding on the purposes and means of processing personal data; for the purposes of this Policy, it is the Return To Africa Foundation, entered into the register of associations, other social and professional organizations, foundations, and healthcare entities (ZOZ) maintained by the District Court Lublin-East in Lublin, based in Świdnik, VI Commercial Division of the National Court Register under KRS number: 0001152070, holding NIP: ….; contact details: e-mail: …….
Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Sensitive data (special categories of data) – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, and data concerning criminal convictions and offenses or related security measures.
PUODO – President of the Personal Data Protection Office, being the authority appointed for matters related to personal data protection.
The Policy – this Personal Data Security Policy document.
Data processing – means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
IT system – a set of cooperating devices, programs, information processing procedures, and software tools applied to process data.
Authorized person – a person having formal authorization issued by the Administrator of Personal Data or by a person designated by the Administrator, authorized to process personal data.
Donor – any person who has made a financial donation (in any amount chosen by them, either one-time or recurring) for the statutory purposes of the Foundation.
Data erasure – destruction of personal data or its modification which makes it impossible to establish the identity of the person to whom the data relates.
Data protection in the IT system – implementation and operation of appropriate technical and organizational measures ensuring the protection of data against unauthorized processing.
Data set – an organized set of personal data accessible according to specific criteria, regardless of whether this set is centralized, decentralized, or functionally or geographically dispersed.
Consent of the data subject – means a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
IV PROCESSING OF PERSONAL DATA
Personal data are considered to be any information relating to an identified or identifiable natural person. When determining whether a particular piece or set of information constitutes personal data, the Foundation conducts an individualized assessment, taking into account the specific circumstances and the type of means or methods that would be necessary in a given situation to identify the person.
An identifiable person is one whose identity can be determined, directly or indirectly, in particular by reference to an identification number or one or more specific factors that determine their physical, physiological, mental, economic, cultural, or social characteristics. Personal data include both data that allows the identification of a specific person and data that do not allow immediate identification but are, with a certain expenditure of cost, time, and effort, sufficient to determine their identity.
When conducting business activities, the Foundation collects and processes personal data. These data fall into the following categories (categories of personal data):
- Donor personal data set,
- Personal data set of individuals providing services under civil law contracts (including specialists such as those providing accounting, IT, legal services – depending on the form of activity),
- Personal data set of persons employed within the structure of legal entities and organizational units not being legal entities, to which the law grants legal capacity, performing services under civil law contracts (including specialists such as those providing accounting, IT, legal services – depending on the form of activity).
Taking into account the provisions on personal data protection, the Foundation processes personal data only when:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
As a rule, the Foundation does not process sensitive data (special categories of data). However, if such processing occurs, the Foundation will process them only when:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, unless Union or Member State law provides that the data subject may not withdraw consent;
- processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Information Obligations Regarding Data Processing
When collecting data from the data subject, the Foundation as the Controller of Personal Data provides the data subject with all of the following information:
- its identity and contact details, and where applicable, the identity and contact details of its representative;
- the purposes of the processing of personal data and the legal basis for the processing;
- where the processing is based on Article 6(1)(f) of the GDPR – the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of personal data, if any;
- where applicable – information about the intention to transfer personal data to a third country or an international organization and about the existence or absence of an adequacy decision by the Commission;
- the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period;
- information about the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
- where applicable – information about the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- information about the right to lodge a complaint with a supervisory authority;
- information about whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- information about the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The above principles do not apply if another legal provision allows the processing of data without revealing the actual purpose of collection or if the data subject already possesses this information.
When collecting data not directly from the data subject, the Foundation as the Controller of Personal Data is additionally obliged to inform the data subject, after recording the data, about:
- the source from which the personal data originate, and where applicable – whether they come from publicly accessible sources;
- the categories of the personal data concerned.
The above principles do not apply if:
- another legal provision provides for or allows the collection of personal data without the knowledge of the data subject,
- providing the information requires a disproportionate effort – in particular where the data are processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes,
- providing the information proves impossible,
- recording or disclosure of data is expressly laid down by Union or Member State law,
- it concerns professional secrecy arising from Union or Member State law.
The Foundation fulfills its obligations by exercising particular care to protect the interests of the data subjects, ensuring that such data are:
- processed lawfully (compliant with all legal norms, both those existing at the time of the GDPR's entry into force and those introduced later into the legal order; lawfulness covers compliance with both substantive legal provisions and procedural regulations),
- collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes,
- accurate and, where necessary, kept up to date (information resulting from data processed by the controller is truthful, complete, and corresponds to the current state of affairs; the Controller processes data only to the extent necessary to achieve the purpose for which the data are processed),
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The Controller applies technical and organizational measures ensuring the protection of processed personal data appropriate to the risks and categories of data protected, and in particular secures data against making them available to unauthorized persons, removal by an unauthorized person, processing in violation of the law, as well as alteration, loss, damage, or destruction.
Additionally, the Entity ensures information security through:
- confidentiality of information (information is not disclosed to unauthorized persons; unauthorized persons have no access to the data),
- integrity of information (information is complete and not unlawfully altered),
- accountability of actions (all significant activities performed during data processing have been recorded and it is possible to identify the person who performed those activities),
- reliability of actions (performed activities lead to the intended effects).
Entrusting Data Processing
If it is necessary for data to be processed by separate entities providing services for the Controller of Personal Data, the controller may entrust their processing. Entrusting data processing is based on a contract or other legal instrument subject to Union or Member State law and binding the processor and the controller, specifying the subject and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, as well as the obligations and rights of the controller.
A template for the data processing entrustment agreement is attached to this Policy (Appendix No. 6).
The Foundation maintains a Register of Entities to Whom Data Are Entrusted.
(The Register of Entities to Whom Data Are Entrusted is attached to this Policy (Appendix No. 4)).
Data Disclosure
The Foundation may disclose personal data by actions enabling entities other than the controller to become acquainted with them, while observing the legal requirements. In doing so:
- it is not relevant whether the disclosure is remunerated or not for the act to be considered disclosure;
- it is not relevant whether the disclosure occurs orally, in writing, by means of common communication channels, or via a computer network, for the act to be considered disclosure;
- disclosure of personal data to persons or entities entitled to receive them is carried out on the basis of legal provisions;
- disclosed personal data may be used only in accordance with the purpose for which they were disclosed.
As a result of data disclosure, an actual transfer of personal data takes place, whereby the recipient becomes a new controller of these data and, as such, will decide on the purposes and means of processing the data and bear the responsibility provided for a controller. The conditions of disclosure, including the manner of providing the information clause, shall be agreed upon each time in a contract between the Foundation and the entity to which the data are to be disclosed or co-disclosed.
Recording of Processing Activities
The Foundation maintains a record of processing activities for which it is responsible.
This record contains all of the following information:
- the name and contact details of the controller, and where applicable, of any joint controllers and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1) second subparagraph of the GDPR, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the GDPR.
The record of processing activities serves as Appendix No. 7 to this Policy.
V AUTHORIZATION TO PROCESS PERSONAL DATA
- Only persons Authorized to process personal data are entitled to process personal data.
- The purpose of this procedure is to minimize the risk of unauthorized access to personal data and loss of their confidentiality by unauthorized persons.
- The Controller of Personal Data is entitled to grant authorizations to process personal data by issuing a written Authorization to Process Personal Data (a template of the authorization is attached as Appendix No. 3).
- The Controller of Personal Data may designate persons authorized to grant authorizations for personal data processing by issuing a written authorization.
- Authorization to process personal data is given only on the basis of an individual authorization granted in accordance with the provisions of the Act on the Protection of Personal Data.
- Granting an authorization to process personal data must take place before the authorized person begins processing data.
- The Controller of Personal Data or a person authorized by them keeps a register of persons authorized to process personal data (Appendix No. 2).
- If it becomes necessary to grant or change authorizations (e.g., due to the employment of a person or a change in job position), the Controller of Personal Data or a person authorized by them is obliged to verify whether the person will process personal data within the scope and purpose specified in the Policy and the IT system management instruction.
- Granting authorization to process personal data requires familiarization with the provisions concerning personal data protection to the extent necessary for the activities performed under the granted authorization.
- The Controller of Personal Data is responsible for organizing and conducting training or familiarizing, in another form, the authorized persons with the provisions concerning personal data protection.
VI ENTITY-LEVEL OBLIGATIONS IN THE FIELD OF PERSONAL DATA PROTECTION
Obligations of the Controller of Personal Data
- division of tasks and responsibilities related to organizing personal data protection,
- undertaking appropriate and necessary actions to ensure proper personal data protection, in particular by preparing and implementing appropriate organizational and technical conditions,
- introducing procedures ensuring proper processing of personal data,
- in case of a personal data breach, notifying the Personal Data Protection Office without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons,
- conducting an assessment of the impact of the planned processing operations on the protection of personal data where required by law,
- enforcing the development of security measures for personal data processing,
- subjecting the effectiveness of the Personal Data Security Policy to reviews,
- ensuring compliance with personal data protection laws, in particular by organizing and supervising compliance with personal data protection rules both in IT systems and in personal data records kept in paper and electronic forms,
- maintaining documentation describing the applied personal data security policy (this Policy and the resulting instructions and procedures),
- familiarizing persons who are members of the Entity with personal data protection regulations and the threats related to data processing,
- ensuring control over what personal data, by whom, and when were entered into the data set,
- granting and revoking authorizations to process personal data within the Entity,
- keeping a register of persons Authorized to process personal data, containing the name and surname of the Authorized person, the date of granting and expiration, the scope of the Authorization to process personal data, and the identifier if the Authorized person has been registered in the IT system used for personal data processing,
- ensuring that Authorized persons are acquainted with the provisions on personal data protection,
- analyzing the situations, circumstances, and causes that led to personal data protection breaches and preparing recommendations to eliminate the risk of their recurrence,
- conducting actions in accordance with the Instruction in case of unauthorized access to the database or a data security breach,
- ensuring legal bases for personal data processing from the moment of data collection until their deletion,
- ensuring proper processing of personal data, in particular by ensuring the currency, adequacy, and substantive accuracy of personal data processed for the purposes specified by them.
Obligations of Authorized Persons
- knowledge of the Policy and of the generally applicable laws in the area of protection of the personal data processed by the Entity,
- knowledge, understanding, and application to the greatest extent possible of all available personal data protection measures, and preventing unauthorized persons from accessing their workstation,
- processing personal data in accordance with applicable laws and adopted regulations, within the scope of the granted authorization,
- acting in accordance with the established internal regulations regarding personal data processing,
- keeping personal data and information about security measures confidential, even after termination of employment,
- protecting personal data and the means used to process personal data against unauthorized access, disclosure, modification, destruction, or distortion,
- reporting any suspected breach or observed weakness in the personal data processing system to a supervisor, who is obliged to inform the Information Security Administrator.
VII RISK ASSESSMENT AND REVIEWS
If a particular type of personal data processing – especially using new technologies – due to its nature, scope, context, and purposes is likely to result in a high risk to the rights and freedoms of natural persons, the Foundation shall, prior to processing, carry out an assessment of the impact of the planned processing operations on the protection of personal data, in accordance with Article 35 of the GDPR.
VIII THREATS TO PERSONAL DATA SECURITY AND INCIDENTS
The security of the personal data processing process consists of accountability, confidentiality, and integrity of the processed data. Accountability means the ability to attribute actions to a person unequivocally and exclusively. Confidentiality is ensured by guaranteeing that personal data are not disclosed to unauthorized entities. Integrity means ensuring that data cannot be altered or destroyed without authorization.
In the event of a personal data breach or threat, any entity authorized to process personal data on behalf of the Foundation is obliged to inform the Controller of Personal Data and/or the appropriate person authorized by them.
Instruction on Actions in Case of a Personal Data Security Threat
A threat to information security is a situation in which an incident may occur. An example list of threats:
- failure to comply with the Policy by data processors, e.g., not closing rooms, cabinets, or desks, or failure to apply the password protection rules,
- inadequate physical security of documents, devices, or premises,
- inadequate software or IT hardware security against leakage, theft, or loss of personal data.
Actions of the Controller of Personal Data or their authorized person upon confirmation of a threat:
- determining the scope and causes of the threat and its possible effects,
- restoring, if possible, the state compliant with personal data protection principles,
- initiating disciplinary actions if necessary,
- recommending preventive actions to eliminate similar threats in the future,
- documenting the conducted actions in the Security Breach Register (Appendix No. 5).
Instruction on Actions in Case of Personal Data Security Incidents
An incident is a situation of compromised information security concerning availability, integrity, and confidentiality. Incidents should be detected, recorded, and monitored to prevent their recurrence. An example list of incidents:
- random internal event, e.g., computer, server, or hard drive failure, user or IT personnel error, data loss,
- random external event, e.g., natural disasters, flooding, power failure, fire,
- intentional incident, e.g., information leak, disclosure of data to unauthorized persons, deliberate data destruction, computer virus activity, intrusion into premises or the IT system (internal and external).
Actions of the Controller of Personal Data or the appropriate person authorized by them upon confirmation of an incident:
- determining the time of the event constituting the incident,
- determining the scope of the incident,
- identifying the causes, consequences, and estimated damages,
- securing evidence,
- identifying the persons responsible for the breach,
- eliminating the consequences of the incident,
- minimizing the damage caused by the incident,
- initiating disciplinary actions,
- recommending preventive actions to eliminate similar threats in the future,
- documenting the conducted actions in the Security Breach Register (Appendix No. 5).
Actions of the Authorized Person upon confirming a threat until the arrival of the Controller of Personal Data or their authorized person:
- refraining from starting or continuing work, as well as from taking any actions that may lead to the loss of evidence of the breach or other evidence,
- securing elements of the IT system or filing cabinets, primarily by preventing access to them by unauthorized persons,
- taking, depending on the situation, all necessary actions to prevent further threats that may result in the loss of personal data.
IX LISTS
List of buildings, rooms, or parts of rooms constituting the area in which personal data are processed.
No. | Address | Premises | Applied Security Measures
1. | Okulickiego Street … 26-600 Radom | | building secured with locks; premises secured with burglar-proof doors; documents secured in cabinets
2. | electronic data on a portable device | Laptop brand ___, model _____, serial number: _________ | antivirus software, password-protected access
3. | | |
- The security policy is a binding document within the Entity in terms of implementing, observing, and verifying personal data protection rules.
- The security policy is a binding document for all persons authorized to process personal data within the activities of the Foundation.
- Every person authorized to process personal data within the activities of the Entity is obliged to familiarize themselves with this security policy.
- Violation of the rules arising from the security policy may constitute grounds for initiating disciplinary proceedings against the violator or for immediate termination of a civil law contract without notice.
- Initiation or conducting of disciplinary proceedings against a person violating the rules of the security policy does not exclude the possibility of initiating criminal proceedings and claiming civil damages.
- The security policy together with its appendices comes into force on the day of its approval by the Foundation's President.
- For matters not regulated by the security policy, the provisions of the Act on the Protection of Personal Data shall apply.
- Appendices to this Policy constitute its part, provided they are completed.
List of appendices:
- Instruction for managing the IT system used for personal data processing (Appendix No. 1),
- Register of persons authorized to process personal data (Appendix No. 2),
- Authorization to process personal data – template (Appendix No. 3),
- Register of entities to whom data are entrusted (Appendix No. 4),
- Security Breach Register (Appendix No. 5),
- Template of the data processing entrustment agreement (Appendix No. 6),
- Record of processing activities (Appendix No. 7).
Signature of the Data Controller: ____________________ Date: ____________________