Travset Personal Data Protection Policy
1. This document defines the principles of the security policy of personal data processing
in connection with the distribution and operation of the Travset application,
hereinafter referred to as the “Security Policy”.
2. The entity responsible for providing services related to the distribution and operation
of the Travset application, hereinafter referred to as “the Application”, is EMSAF
Spółka z ograniczoną odpowiedzialnością spółka komandytowa with its registered
office in Poznań (60-860) at ul. Żurawia 9/11 lok.2, entered into the Register of
Entrepreneurs of the National Court Register under number 0000749169, hereinafter
referred to as “EMSAF”. EMSAF’s registration documents are kept in the District
Court for Poznań – Nowe Miasto and Wilda 8th Economic Department of the National
Court Register.
3. The Security Policy is compliant with the provisions of the Ordinance of the European
Parliament and Council (EU) 2016/679 of 27th April 2016 on the protection of
physical persons in connection with processing of personal data and on free transfer of
such data and revocation of Directive 95/46/EC (general ordinance on data
protection), hereinafter referred to as “GDPR”.
4. The personal data administrator is EMSAF, hereinafter also referred to as the
“Administrator”.
5. The Security Policy defines the principles of personal data processing and its
protection against unauthorized access and constitutes a set of good practices applied
by the Administrator with respect to Application users and counterparties.
6. The Security Policy shall aim at implementing and respecting the principles on the
processing of personal data as set out in art. 5 it. 1 and 2 of the GDPR:
a. lawfulness, fairness and transparency,
b. purpose limitation,
c. minimization,
d. correctness, limited storage, integrity and confidentiality,
e. accountability.
7. The Security Policy applies to all areas of Administrator’s activity in Poland and
abroad related to the release and operation of the Application.
8. Personal data protection is carried out by the Administrator through the application of
security measures in the form of organizational, physical and technical measures,
including IT systems, as well as increasing the knowledge and qualifications of
employees in their use.
9. The Security Policy is also intended to evaluate and minimize the risk of personal data
protection by the Administrator. The implementation of the Security Policy was
preceded by an analysis of the scope of personal data processing and the associated
risks.
10. In connection with the release and operation of the Application, the Administrator
processes the following personal data (data sets):
2
a. User data,
b. Counterparty data,
c. Subscriber data (newsletter system).
11. Personal data is collected:
a. User Data – in the form of electronic records on Microsoft Azure servers,
collection of this data and storage on electronic media or in the form of print-outs
in the Administrator’s office is allowed only in the event of a complaint or in
connection with a legal dispute,
b. Counterparty Data – in the form of electronic records on Microsoft Azure servers
and in the form of electronic records or print-outs at the Administrator’s registered
office,
c. Subscriber data – in the form of electronic records on Microsoft Azure servers.
12. The Administrator processes the following User Data for information and marketing
purposes, including the profiling of commercial information, in particular
advertisements and sponsored materials, as well as for the purposes of using the
Application by Users:
a. name and surname,
b. sex,
c. citizenship,
d. date of birth,
e. e-mail address,
f. information about past and current diseases,
g. information about medications taken,
h. information on allergies;
i. weight,
j. height,
k. blood type,
l. status of organ donor,
m. other information which the User, in their discretion, provides in their profile, e.g.
information about insurance and information about surgeries undergone.
13. The Administrator processes the following Counterparty Data for information and
marketing purposes and for the purposes of performance of concluded contracts:
a. name and surname,
b. registered office address,
c. telephone number,
d. e-mail address,
e. back account number,
f. number identifying the entrepreneur in commercial registers and for tax purposes.
14. The Administrator processes the following Subscriber Data for information and
marketing purposes, including the profiling of commercial information, in particular
advertisements:
a. name and surname,
b. e-mail address.
3
15. User data is processed during the activity of the user account on the basis of consent to
the processing of personal data.
16. Counterparty data is processed during the time necessary for the performance of the
agreement or on the basis of consent to the processing of personal data.
17. Subscriber data is processed during the duration of the subscription in the newsletter
system on the basis of consent to the processing of personal data.
18. The Administrator has the right to process User Data also after deleting the user’s
account to the extent necessary to consider the complaint, or the legally valid
conclusion of a court dispute. When determining the time when it is possible to
process personal data, the Administrator shall take into account, in particular, the
statute of limitations for claims and for the exercise of rights and obligations provided
for by applicable laws.
19. The Administrator is not responsible for the truthfulness, correctness and
completeness of the personal data provided thereto by the persons concerned. The
Administrator provides the possibility of independent edition of data by Users,
including in particular the possibility to correct data.
20. The Administrator processes special categories of data concerning the health of Users
on the basis of a consent. The legal basis for data processing in this respect is art. 9 it.
2 a of the GDPR. Granting the consent by the User to the processing of personal data
also includes the right to process such data after deletion of the User’s account in order
to consider a complaint or to settle a dispute in court. In this case, the data shall also
be processed on the basis of art. 9 it. 2 f of the GDPR.
21. The Administrator processes other categories of User Data or Subscriber Data on the
basis of a consent. The legal basis for data processing in this respect is art. 6 it. 1 p. a
of the GDPR. Granting the consent by the User to the processing of personal data also
includes the right to process such data after deletion of the User’s account in order to
consider a complaint or to settle a dispute in court. In this case, the data shall also be
processed on the basis of art. 6 it. 1 d and f of the GDPR.
22. The Administrator processes personal data of counterparties pursuant to art. 6 it. 1 a, d
and f of the GDPR.
23. The Administrator uses profiling of user data, consisting in an automated adjustment
of commercial information presented to the user, including advertisements and
sponsored materials, to their needs determined on the basis of the User’s data provided
in particular in their profile. Profiling refers to the following user data:
a. age,
b. citizenship,
c. sex,
d. diseases and allergies,
e. user’s location,
f. tasks checked in the Trip Planner.
24. The Administrator shall appoint the Personal Data Inspector, hereinafter referred to as
the “PDI”.
The Administrator shall notify the supervisory authority of the appointment of the PDI
and publish the PDI data on the website www.travset.com.
25. Entities processing personal data on behalf of the Administrator are:
a. Microsoft Azure,
b. Entities providing services in the scope of improving and servicing the Travset
application.
26. All employees and associates of the Administrator are obliged to apply the Security
Policy, within the framework of agreements constituting the basis for the performance
of work or provision of services.
27. The Security Policy is applied when the Administrator uses or implements IT systems
used for the business activity.
28. The basic assumptions of the Security Policy applied by the Administrator include:
a. security of office premises, where documents containing personal data are located,
against unauthorized persons’ intrusion,
b. issuing access authorizations to information systems,
c. monitoring and ensuring the continuity of the IT system and databases,
d. backup encryption,
e. concluding and enforcing data processing agreements,
f. organizing trainings for employees and co-workers and committing them to the
protection of personal data in accordance with the Security Policy,
g. control of employees’ activities in terms of compliance of personal data processing
with the Security Policy,
h. keeping a register of personal data processing activities,
i. keeping records of persons authorized to process personal data,
j. investigating breaches of personal data protection,
k. cooperation with the supervisory authority,
l. initiating and undertaking undertakings in the field of personal data protection
improvement,
m. optimizing the performance of IT systems, databases, installations and
configurations of network and server hardware, including software updates,
n. configuration and administration of system, network and database software in a
way that protects personal data against unauthorized access,
o. cooperation with service providers and suppliers of network and server equipment,
p. management of backup copies of system and network software configurations,
q. counteracting attempts to compromise information security,
r. improving security procedures and security standards,
s. conducting anti-virus prevention,
t. processing personal data only on authorized business devices, including laptops,
tablets and mobile phones.
u. using, as far as possible, the services of entities holding certificates in the field of
personal data protection.
29. The commitment of the Administrator’s employees and associates to the protection of
personal data in accordance with the Security Policy includes in particular:
5
a. acquaintance with the Security Policy,
b. making it possible to acquaint oneself with, understand and apply any personal
data protection measures available at the Administrator,
c. enforcing compliance with the Security Policy,
d. preventing unauthorized persons from accessing workstations,
e. the obligation to keep confidential the personal data to which the employees and
associates of the Administrator have gained access and information on how to
protect it,
f. the obligation to inform the Administrator about any suspicions of violation or
noticed violations and weaknesses of systems processing personal data,
g. ensuring participation in training courses to raise awareness of personal data
protection.
30. The rules for granting access to personal data shall include:
a. granting access to personal data only to the extent necessary for the performance
of official duties or entrusted tasks,
b. the obligation to protect personal data and to process such data within the limits of
the authorization granted,
c. individual authorizations granted by the PDI,
d. ensuring the possibility of revoking the authorization granted and immediate
deprivation of access to personal data within the limits of technical means,
e. deprivation of access to personal data after the end of work or cooperation with the
Administrator,
f. keeping records of authorized persons.
31. The rules for providing personal data include:
a. making personal data available only to entities authorized to receive such data
under the law and to persons to whom such data relates,
b. informing about the possibility of using personal data only for the purposes for
which the data was made available.
32. The principles of collecting User Data and Subscriber Data include informing about:
a. The Administrator and the PDI,
b. the purpose of processing of personal data, and the legal basis for the processing,
c. the legal basis for the processing of personal data, including whether the provision
of personal data is a statutory or contractual requirement or a condition for the
conclusion of an agreement, whether the data subject is obliged to provide such
data and what are the possible consequences of not providing the data,
d. entities processing personal data,
e. the intention to transfer personal data to a third country,
f. the right to access and rectify one’s data,
g. the data storage period,
h. the right of access to personal data relating to the data subject, the right of
correction, deletion or limitation of the processing, the right to object to the
processing and the right to move data,
6
i. the right to withdraw consent at any time without affecting the lawfulness of a
processing carried out on the basis of the consent prior to its withdrawal,
j. the right to lodge a complaint with the supervisory authority.
33. Information referred to in point 32 is provided by the Administrator in the course of
creating a user account or registering in the newsletter system.
34. The Administrator shall not collect personal data in any way other than from the
person to whom the data relates.
35. In order to ensure confidentiality and integrity of the processed data, the Administrator
shall apply in particular:
a. Organizational measures:
implementation of the Security Policy,
individual procedure of granting authorizations by the Administrator,
trainings in the field of personal data protection regulations and rules,
keeping records of persons authorized to process personal data,
applying procedures to deal with situations of risk or personal data protection
breaches,
submission of a confidentiality declaration.
b. Technical measures:
storage of personal data in electronic form only on authorized equipment,
equipping workstations with anti-virus protection,
ensuring access to workstations using a user ID and a password,
destruction of documents containing personal data after the expiry of their
usefulness in a mechanical way, using shredders.
c. Physical protection measures:
protection of premises where personal data is stored by installing a burglary
alarm system and keeping it on standby by a specialized entity providing
services in the field of protection of persons and property,
separating the room intended for the archive and storing the documentation
containing personal data after its use,
restricting access to the archive room by installing a lock and making the keys
available only to authorized persons.
36. In case of a threat or violation (incident) of personal data protection, each employee or
co-worker is obliged to inform the Administrator about the threat or incident.
37. Typical risks to the security of personal data include:
a. inadequate physical protection of rooms, equipment and documents,
b. inadequate protection of hardware and software against leakage, theft and loss of
personal data,
c. failure to comply with data protection rules by employees or co-workers.
38. Typical incidents within the security of personal data include:
a. random events, including fire of an object or room, flooding, loss of power supply,
loss of communication, failure of server, computers, hard drives, software,
requiring interference by persons unauthorized to process personal data,
7
b. loss of documents or data carriers containing personal data,
c. intentional actions such as intrusion into an IT system or premises, theft of
documents or data carriers containing personal data, transfer of personal data to
unauthorized entities, deliberate and unauthorized destruction or modification of
documents or data in electronic form,
d. viruses and other malware.
39. In the event of a threat, the Administrator conducts an investigation in the course of
which the Administrator:
a. determines the scope and causes of the threat and its possible consequences,
b. where necessary, initiates disciplinary proceedings,
c. recommends preventive measures aimed at eliminating similar threats in the
future,
d. documents the proceedings conducted in accordance with the specimen of the
Report on threat or breach of personal data protection.
40. If a personal data protection breach is found, the Administrator conducts an
investigation in the course of which the Administrator:
a. determines the time of occurrence of the infringement, its scope, causes, effects
and the extent of the damage caused,
b. secures possible evidence,
c. determines the persons responsible for the infringement,
d. takes corrective action, removes the effects of the incident and limits damage,
e. initiates disciplinary action,
f. recommends preventive measures aimed at eliminating similar threats in the
future,
g. documents the proceedings conducted in accordance with the specimen of the
Report on threat or breach of personal data protection,
h. notifies the supervisory authority immediately, but no later than 72 hours after
detection of the incident, unless the incident is unlikely to result in a risk of a
breach of the rights and freedoms of natural persons. The notification shall be
accompanied by a personal data protection breach report.
41. The Administrator shall ensure periodic review of the Security Policy and the
procedures for personal data protection based thereon.
42. The Service Provider provides access to the Security Policy at the address
www.travset.com/rodotravset.pdf in the form of a PDF file. In order to read the
Security Policy, it is necessary to install software enabling reading of PDF files.
43. In matters not provided for in the Security Policy there apply the provisions of the
GDPR and the Act of May 10, 2018 on the Protection of Personal Data (JoL of 2018,
item 1000).