MediTrip Personal Data Protection Policy
for users of the Medic Travel Website on the following domains: meditrip.me
1. This document, entitled “Personal Data Protection Policy” (hereinafter: the Policy), sets out the prerequisites, rules and regulations regarding personal data protection at MEDIC TRAVEL Sp. z o.o., Poland, Lublin 20-325, Droga Męczenników Majdanka 74, NIP 7393935227, KRS 0000818765 (hereinafter: the Company).
This Policy is a personal data protection policy within the meaning of provisions of General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal EU L 119, p. 1).
2. The Policy contains a description of the data protection principles in force in the Company.
3. The Company’s Management Board is accountable for the implementation and maintenance of this Policy, and within the Management Board:
a) a member of the Management Board entrusted with supervision over the area of personal data protection;
b) a person appointed by the Management Board to ensure compliance with the protection of personal data;
The Data Protection Inspector is accountable for supervising and monitoring compliance with the Policy.
The following are accountable for applying this Policy:
a) the Company;
b) Data Protection Inspector;
c) all members of the Company’s staff.
The Company also ensures that the Company’s contracting parties comply with this Policy to the extent applicable when the Company provides personal data to them.
4. ABBREVIATIONS AND DEFINITIONS
The term Policy refers to this privacy policy.
GDPR stands for General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal EU L 119, p. 1)
The term Data refers to personal data.
Specific category data stands for the data listed in art. 9 item 1 GDPR, i.e. personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a natural person, or data concerning health, sexuality or sexual orientation.
Criminal data means the data listed in art. 10 GDPR, i.e. data on convictions and violations of the law.
Children’s data means the data of persons under 16 years of age.
The term Person refers to the data subject.
Processing entity means the organization or person entrusted with the processing of personal data by the Company (e.g. IT service provider, external accounting).
The term Profiling refers to any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyse or forecast aspects of the natural person’s work effects, economic situation, health, personal preferences, interests, credibility, behavior, location or movement.
The term Data export refers to the transfer of data to a third country or an international organization.
DPI or Inspector means the Inspector for Personal Data Protection.
RDPA or Register means the Register of Personal Data Processing Activities.
The term Company refers to MEDIC TRAVEL Sp. z o.o., Poland, Lublin 20-325, Droga Męczenników Majdanka 74, NIP 7393935227, KRS 0000818765.
5. PROTECTION OF PERSONAL DATA IN THE COMPANY – GENERAL RULES
5.1. The foundation of personal data protection in the Company are the following pillars:
1. Legality – the Company cares for the protection of privacy and processes data in accordance with the law.
2. Security – the Company ensures an adequate level of data security, constantly taking action in this area.
3. Individual rights – the Company enables owners of processed data to exercise their rights and itself exercises these rights.
4. Accountability – the Company documents in what manner it fulfills its obligations in order to be able to demonstrate compliance with GDPR at any time.
5.2. Data Protection Policy
The Company processes personal data in accordance with the following rules:
1. based on a legal basis and in accordance with the law (legalism);
2. fairly and honestly (reliability);
3. in a transparent manner for the data subject (transparency);
4. for specific purposes, and not stockpiled for unspecified future use (minimization);
5. no more than necessary (adequacy);
6. with care for the correctness of data (correctness);
7. for no longer than necessary (time limitation);
8. ensuring adequate data security (security).
5.3. Data Protection System
The personal data protection system in the Company consists of the following elements:
(1). Inventory of data. The Company identifies the personal data resources in the Company, the classes of data and the dependencies between data resources, and identifies the ways in which data is used (catalogues), including the following:
(a) cases of processing specific categories of data and criminal data;
(b) cases of processing data of persons whom the Company does not identify (unidentified data);
(c) cases of processing children’s data;
(d) profiling;
(e) data co-administration.
(2). Register. The Company establishes, maintains and refines a Register of Personal Data Processing Activities (Register). The Register is a tool for assessing compliance with data protection requirements in the Company.
(3). The Company provides, identifies, verifies the legal grounds for data processing and registers them in the Register, including:
(a) it maintains the consent management system for data processing and remote communication;
(b) it creates an inventory and refines the justification of cases when Company processes data based on the legitimate interests of the Company.
(4). Handling individual rights. The Company fulfils its disclosure obligations towards persons whose data it processes and serves their rights by fulfilling the requests it receives in this respect, including:
(a) the Company provides persons with the required information when collecting data and in other situations, and organizes and documents the fulfilment of these obligations;
(b) the Company verifies and ensures that each type of request can be executed effectively, both by the Company itself and by its Data Processors;
(c) the Company allocates adequate resources and procedures to ensure that individuals’ requests are met within the deadlines and in the manner required by the GDPR, and that this is documented;
(d) the Company applies procedures to determine whether the persons affected by an identified data breach need to be notified.
(5). The Company has rules and methods of managing minimization (privacy by default), including the following:
(a) principles of data adequacy management;
(b) rules on rationing and managing access to data;
(c) rules for managing retention periods and verifying the continued usefulness of data.
(6). The Company ensures an adequate level of data security, including by:
(a) performing risk analyses for data processing activities or categories thereof;
(b) performing data protection impact assessments where the risk of violating the rights and freedoms of persons is high;
(c) adapting data protection measures to the risks identified;
(d) maintaining an information security management system;
(e) applying procedures for identifying and assessing an identified data protection breach and reporting it to the supervisory authority.
(7). The Company has rules regarding selection of Data Processors for the Company, requirements as to the processing conditions (entrustment agreement), and rules for verifying the performance of entrustment agreements.
(8). The Company has rules for verifying whether it transfers data to third countries (outside the EU, Norway, Liechtenstein and Iceland) or to international organizations, and for ensuring the lawfulness of such transfers, if any.
(9). The Company manages changes affecting privacy. Accordingly, the procedures for launching new projects and investments in the Company take into account, already at the stage of designing the change, investment or new project, the need to assess its impact on data protection, to analyse risk and to ensure privacy (including compliance with the purposes of processing, data security and minimization).
(10). The Company has rules for verifying whether cross-border processing takes place and for determining the lead supervisory authority and the main establishment within the meaning of the GDPR.
6. INVENTORY
6.1. Specific Category Data
The company identifies cases in which it can process specific categories of data or criminal data, and maintains dedicated mechanisms to ensure the lawfulness of processing such data. If the cases of processing particular categories of data or criminal data are identified, the Company proceeds in accordance with the adopted principles in this respect.
6.2. Unidentified Data
The Company identifies cases in which it processes or may process unidentified data and maintains mechanisms to facilitate the exercise of the rights of persons to whom unidentified data relate.
6.3. Profiling
The Company identifies cases in which it profiles persons and maintains mechanisms ensuring that this process complies with the law. If profiling and automated decision-making are identified, the Company proceeds in accordance with the adopted principles in this respect.
6.4. Co-administration
The Company identifies cases of data co-administration and proceeds in this respect in accordance with accepted principles.
7. REGISTER OF DATA PROCESSING OPERATIONS
7.1. RDPA is a form of documenting data processing activities, acts as a data processing map and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based, i.e. the principle of accountability.
7.2. The Company maintains a Register of Data Processing Activities in which it inventories and monitors the manner in which it uses personal data.
7.3. The Register is one of the basic tools enabling the Company to account for most of its data protection obligations.
7.4. For each data processing activity found in the Register which the Company has recognized as a separate record for the purposes of the Register, the Company notes down at least: (1) the name of the activity, (2) the purpose of processing, (3) a description of the categories of persons, (4) a description of the categories of data, (5) the legal basis for processing, together with a specification of the category of legitimate interest of the Company if the basis is a legitimate interest, (6) the method of data collection, (7) a description of the categories of data recipients (including processors), (8) information on transfers outside the EU / EEA, (9) a general description of the technical and organizational data protection measures.
8. BASICS OF DATA PROCESSING
8.1. The Company documents in the Register the legal grounds for data processing for individual processing activities.
8.2. Where necessary, the Company refines, precisely and legibly, the general legal basis indicated in the Company’s documents (consent, contract, legal obligation, vital interests, public task, legitimate purpose of the Company). For instance: for consent, by indicating its scope; when the legal basis is current law, by indicating the specific provision and other documents, such as a contract or administrative agreement; for vital interests, by indicating the categories of events in which they will materialize; for a legitimate purpose, by indicating the specific purpose, for instance the Company’s marketing or compensation.
8.3. The Company implements consent management methods enabling registration and verification of a person’s consent to the processing of specific data for a specific purpose, consent to remote communication (email, telephone, SMS, etc.) as well as registration of refusal of consent, withdrawal of consent and similar activities (objection, limitation, etc.).
8.4. The head of an organizational unit of the Company is required to know the legal basis on which the unit he directs performs specific activities of processing personal data. If the basis is the legitimate interest of the Company, the unit manager is required to know the specific interest of the Company that the processing serves.
9. MANNER OF SERVING INDIVIDUAL’S RIGHTS AND OBLIGATION OF INFORMING
9.1. The Company puts effort into readability and style of the communication of the information communicated with the persons whose data is processed.
9.2. The Company facilitates the exercise of people’s rights through various activities, including: displaying on the Company’s website information, or references (links) to information, concerning persons’ rights and how to exercise them in the Company, including identification requirements, methods of contacting the Company, purpose, a possible price list for “additional” requests, etc.
9.3. The Company ensures compliance with legal deadlines for fulfilling its obligations towards data owners.
9.4. The Company introduces adequate methods of identification and authentication of persons for the purposes of exercising individual rights and information obligations.
9.5. In order to exercise the rights of the entity, the Company provides procedures and mechanisms to identify the data of specific persons processed by the Company, integrate these data, introduce changes to them and delete them in an integrated manner.
9.6. The Company documents handling of information obligations, notifications, and requests of persons.
10. OBLIGATION OF INFORMING
10.1. The Company defines lawful and effective ways of performing disclosure obligations.
10.2. The Company informs the person about the extension of the deadline to consider the person’s request for more than one month.
10.3. The Company informs the person about the processing of its data when obtaining data from that person.
10.4. The Company informs a person about the processing of his data when acquiring data about that person indirectly, i.e. not from that person.
10.5. The Company defines the manner of informing people about the processing of unidentified data where possible (e.g. a sign about the coverage of the area by video monitoring).
10.6. The Company informs the person about the planned change in the purpose of data processing.
10.7. The Company informs the person before lifting the processing restriction.
10.8. The Company informs data recipients about the rectification, deletion or limitation of data processing (unless it requires disproportionate effort or is impossible).
10.9. The Company informs the person about the right to object to data processing at the latest on the first contact with that person.
10.10. The Company shall without undue delay notify a person of a personal data breach if it may result in a high risk of violating his rights or freedoms.
11. PERSONS’ DEMANDS
11.1. When serving the rights of data subjects, the Company introduces procedural guarantees to protect the rights and freedoms of third parties. In particular, given that fulfilling a person’s request for a copy of data or for data transfer may adversely affect the rights and freedoms of others (e.g. the data protection rights of others, intellectual property rights, trade secrets, personal rights), the Company may request the person to clarify these doubts or take other lawful steps, including refusing to satisfy the request.
11.2. The Company informs the person that it does not process data concerning him if the person has made a request regarding his rights.
11.3. The Company informs the person, within one month of receiving the request, of the refusal to consider the request and of the person’s rights related thereto.
11.4. At the request of a person regarding access to his data, the Company informs the person whether it is processing his data and informs the person about the details of the processing, in accordance with art. 15 GDPR (the scope corresponds to the obligation to inform when collecting data), and also grants the person access to the data concerning him. Access to data may be provided by issuing a copy of the data, with the proviso that the Company will not consider a copy of the data issued in the exercise of the right of access as the first free copy of the data for the purposes of data copy charges.
11.5. Upon request, the Company issues a copy of the data concerning the person and notes the fact of issuing the first copy of the data. The Company introduces and maintains a price list of data copies, according to which it charges fees for subsequent copies of data. The price of the data copy is calculated on the basis of the estimated unit cost of handling the request to issue a copy of the data.
11.6. The Company corrects false data at the request of a person. The Company has the right to refuse to rectify data unless the person reasonably demonstrates the inaccuracy of the data which he requires to be rectified. If the data is corrected, the Company informs the person about the recipients of the data, at the request of that person.
11.7. The Company supplements and updates the data at the request of a person. The Company has the right to refuse to supplement data if the supplement would be incompatible with the purposes of data processing (e.g. the Company does not have to process data that is unnecessary for the Company). The Company may rely on the statement of a person regarding the supplemented data unless it is insufficient in the light of the procedures adopted by the Company (e.g. regarding the acquisition of such data) or the law, or there are grounds to consider the statement unreliable.
11.8. Data deletion. At the request of a person, the Company erases data in the following cases:
1. data is unnecessary for the purposes for which it was collected in the first place or processed for other lawful purposes;
2. consent to their processing has been withdrawn and there is no other legal basis for processing;
3. the person has effectively objected to the processing of this data;
4. data was processed unlawfully;
5. the necessity of removal results from a legal obligation;
6. the request concerns a child’s data collected on the basis of consent to the provision of information society services offered directly to the child (e.g. participation in a competition on the website).
The Company determines how to handle the right to delete data in such a way as to ensure the effective implementation of this right while respecting all data protection principles, including security, as well as verifying that there are no exceptions referred to in art. 17 clause 3 GDPR.
If the data subject to deletion has been made public by the Company, the Company takes reasonable steps, including technical measures, to inform other controllers processing this personal data about the need to delete the data and to close access to it.
In the event of deletion of data, the Company informs the person about the recipients of the data, at the request of that person.
11.9. The Company limits the processing of data at the request of a person when:
1. a person questions the accuracy of the data – for the period needed to verify their accuracy;
2. the processing is unlawful and the data subject opposes the deletion of personal data, demanding instead a restriction on their use;
3. the Company no longer needs personal data, but it is needed by the data subject to determine, pursue or defend claims;
4. the person has objected to the processing for reasons related to his particular situation – until it is determined whether the Company has legally justified grounds superior to the grounds for the objection.
During the restriction of data processing, the Company stores the data but does not otherwise process them (use or transfer them) without the consent of the data subject, except in order to establish, assert or defend claims, to protect the rights of another natural or legal person, or for important reasons of public interest.
The Company informs the person before lifting the processing restriction.
If the processing of data is restricted, the Company informs the person about the recipients of the data, at the request of that person.
11.10. At the request of a person, the Company issues, in a structured, commonly used, machine-readable format, the data concerning that person which the person provided to the Company, which is processed on the basis of the person’s consent or for the conclusion or performance of a contract, and which is held in the Company’s IT systems; where applicable, the Company transfers such data to another entity.
11.11. If a person raises an objection motivated by his particular situation to the processing of his data, and the data is processed by the Company based on the legitimate interest of the Company or on the task entrusted to the Company in the public interest, the Company will take into account the objection, unless there are valid legally justified grounds on the part of the Company to process, overriding the interests, rights, and freedoms of the person raising an objection, or grounds for establishing, pursuing or defending claims.
11.12. If the Company processes data for statistical purposes, a person may lodge an objection to such processing motivated by its special situation. The Company will accept such objection unless the processing is necessary to perform a task carried out in the public interest.
11.13. If a person objects to the processing of his data by the Company for the purposes of direct marketing, the Company will accept the objection and cease such processing.
11.14. If the Company processes data automatically, including in particular by profiling persons, and consequently takes decisions with respect to a person that produce legal effects or otherwise significantly affect the person, the Company allows the person to obtain human intervention and a decision by an individual who is part of the Company, unless such automated decision is necessary for the conclusion or performance of a contract between the person and the Company, is expressly permitted by law, or is based on the explicit consent of the person.
12. MINIMIZATION
The Company ensures minimization of data processing in terms of:
(1) adequacy of data for the purposes (amount of data and scope of processing),
(2) access to data,
(3) time of data storage.
12.1. Minimization of Range
The Company has verified the scope of the data obtained, the scope of its processing and the amount of data processed in terms of adequacy for the purposes of processing as part of the implementation of the GDPR.
The Company periodically reviews the amount of data processed and the scope of its processing at least once a year.
The Company verifies changes regarding the amount and scope of data processing as part of change management procedures (privacy by design).
12.2. Minimizing Access
The Company applies restrictions on access to personal data: legal (confidentiality obligations, scopes of authorizations), physical (closing rooms) and logical (restrictions on the rights to personal data processing systems and network resources in which personal data reside).
The Company applies physical access control.
The Company updates access rights when there are changes in the composition of staff and changes in the roles of persons and changes in processors.
The Company periodically reviews established system users and updates them at least once a year.
12.3. Time Minimization
The Company implements mechanisms for controlling the life cycle of personal data in the Company, including verification of the further usefulness of data in relation to the deadlines and control points indicated in the Register.
Data whose usefulness has expired is removed from the Company’s production systems as well as from reference and main files. Such data may be archived and may remain on backup copies of the systems and information processed by the Company. The procedures for archiving and using archives, and for creating and using backups, take into account the requirements of data life cycle control, including data removal requirements.
13. SAFETY
The Company provides a degree of security measures corresponding to the risk of violation of the rights and freedoms of natural persons as a result of the processing of personal data by the Company.
13.1. In order to protect data, the requirements referred to in the Regulation have been met, in particular:
1. a data protection impact assessment has been performed,
2. a risk analysis was carried out in relation to the resources involved in individual processes,
3. only persons authorized by the data controller have been allowed to process data;
4. data processing entrustment agreements have been concluded;
5. this security policy has been developed and implemented.
13.2. In order to protect personal data, the following personal data protection measures apply:
(1) personal data files are stored in a room secured by a lockable door;
(2) the rooms in which personal data sets are processed are equipped with an anti-theft alarm system;
(3) access to the rooms where personal data sets are processed is controlled by a monitoring system using industrial cameras;
(4) access to the rooms in which personal data files are processed is, during the absence of the employees employed there, supervised by a security company alarm system with direct intervention in the event of an alarm;
(5) rooms in which personal data files are processed are protected against the effects of fire by means of a fire protection system.
13.3. In order to protect personal data, the following hardware measures of the IT and telecommunications infrastructure are used:
(1) access to the operating system of the computer in which personal data are processed is secured by means of a password authentication process;
(2) system mechanisms were used to force a periodic change of passwords;
(3) disk encryption was used;
(4) methods of data anonymization and pseudonymization were used;
(5) protection measures have been applied against malicious software such as, for example, worms, viruses, Trojan horses, rootkits;
(6) a firewall is used to protect access to the computer network.
13.4. In order to protect personal data, the following organizational measures are applied:
(1) persons employed in the processing of data have been acquainted with the provisions on the protection of personal data;
(2) persons employed in the processing of personal data were trained in the field of IT system security;
(3) persons employed in the processing of personal data have been obliged to keep them secret;
(4) computer monitors on which personal data are processed are positioned so that unauthorized persons cannot view the processed data.
13.5. The following safeguard measures have been applied to the platforms on which the data is stored:
1. Website form / MediTrip server:
– SSL certificate (data encryption)
2. WhatsApp / WhatsApp server:
– WhatsApp server security
– company computer
– business phone
– password management policy
– contracts with employees (no logging in from computers or phones other than company computers and phones)
3. Facebook / Facebook server app:
– company computer
– business phone
– password management policy
– contracts with employees (no logging in from computers or phones other than company computers and phones)
4. Chat:
– chat server security
– company computer
– business phone
– password management policy
– contracts with employees (no logging in from computers or phones other than company computers and phones)
5. CallPage:
– chat server security
– company computer
– business phone
– password management policy
– contracts with employees (no logging in from computers or phones other than company computers and phones)
6. CRM:
– CRM server security
– company computer
– business phone
– password policy
– two-step verification for Gmail (password + SMS)
– contracts with employees (no logging in from computers or phones other than company computers and phones)
7. Gmail & Docs:
– Gmail server security
– company computer
– business phone
– password policy
– two-step verification for Gmail (password + SMS)
– contracts with employees (no logging in from computers or phones other than company computers and phones)
13.6. Risk analysis and adequacy of security measures
The Company carries out and documents the analysis of the adequacy of personal data security measures. For this purpose:
(1) The Company ensures appropriate knowledge about information security, cybersecurity and business continuity – internally or with the support of specialized entities.
(2) The Company categorizes data and processing activities in terms of the risk they pose.
(3) The Company analyses the risk of violation of the rights or freedoms of natural persons for data processing activities or categories thereof. The Company analyses possible situations and scenarios of a personal data breach, taking into account the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons, with its varying probability and severity.
13.7. Impact assessments for data protection
The Company assesses the effects of planned processing operations on the protection of personal data where, according to the risk analysis, the risk of violation of rights and freedoms is high.
An impact assessment is carried out each time there is a significant change in the processing of personal data, e.g. a change of service provider, a change in the way data is processed, or a replacement of the resources involved in the process.
13.8. Reporting violations
The Company applies procedures to identify, evaluate and report an identified personal data breach to the supervisory authority within 72 hours of determining the violation.
14. PROCESSING
The Company has rules for the selection and verification of Data Processors acting on behalf of the Company, designed to ensure that Data Processors provide sufficient guarantees of implementing appropriate organizational and technical measures to ensure security, the exercise of individual rights and other data protection requirements, so that the Company can fulfil its obligations.
The Company has adopted certain minimum requirements for the contract for entrusting data processing, which are reflected in the contract for entrusting data processing concluded by the Company as an Administrator.
The Company verifies Data Processors’ use of Sub-Processors, as well as their compliance with other requirements arising from the rules for entrusting personal data.
15. DATA EXPORT
The Company registers in the Register cases of data export, i.e. data transfer outside the European Economic Area.
To avoid unauthorized data exports, the Company periodically verifies user behaviour and, where possible, provides solutions offering equivalent data protection.
16. PRIVACY BY DESIGN
The Company manages changes affecting privacy in such a way as to enable adequate security of personal data and minimization of its processing.
For this purpose, the rules governing the Company’s projects and investments refer to the principles of personal data security and minimization: they require an assessment of the impact on privacy and data protection, and require security and the minimization of data processing to be taken into account and designed in from the beginning of the project or investment.
17. FINAL PROVISIONS
17.1. All the rules described in this document are followed by persons authorized to process personal data, with particular regard to the well-being of the data subjects.
17.2. This document is effective from the date of its approval by the data administrator.