DATA PROCESSING SECURITY POLICY
FOR THE PROCESSING OF PERSONAL DATA
The purpose of the Data Processing Security Policy within the activities carried out by the Sinusoida Freedom Foundation (KRS: 0001157027) is to ensure the due diligence required when processing and securing personal data in accordance with legal requirements concerning the principles of their processing and protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”).
1. Definitions
Whenever this Security Policy refers to:
Data Controller – this shall mean “Sinusoida Freedom Foundation”, ul. Piastowska 7/4, 43-300 Bielsko-Biała; e-mail address:
Personal data – this shall mean any information relating to an identified or identifiable natural person;
Processor – this shall mean a natural person or an organisational unit that processes Personal data on behalf of the Controller on the basis of a personal data processing entrustment agreement;
Data processing – this shall mean an operation or set of operations performed on Personal data, whether or not by automated means (that is, through IT Systems), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Third party – this shall mean a natural or legal person, public authority, agency or body other than the data subject, the Data Controller, the Processor or the User, who may process Personal data;
User – this shall mean a person processing Personal data on the basis of an authorisation granted by the Data Controller;
Data set – this shall mean any structured set of personal data accessible according to specific criteria.
2. General provisions
The Security Policy applies to all Personal data processed by the Data Controller, regardless of the form of processing.
The Security Policy has been prepared in written form and is stored at the seat of the Data Controller.
An electronic version of the Security Policy identical to the written version is made available to Processors and Users in order to familiarise them with the principles of processing and securing Personal data used within the activity of the enterprise conducted by the Data Controller.
In order to implement and carry out the Security Policy, the Data Controller ensures:
appropriate technical measures and organisational solutions adequate to threats and categories of Data covered by protection,
control and supervision over the Processing of Personal data,
monitoring of the applied protective measures.
Monitoring by the Data Controller of the applied protective measures includes, inter alia: supervision over Users’ activities and control of Processors; informing relevant authorities about a breach of the security of Personal data protection principles; analysis of adopted methods of protection of Personal data, including ensuring file integrity and the effectiveness of Data protection against external and internal attacks.
The Data Controller undertakes all actions that are purposeful, justified and proportionate to ensure that activities performed in connection with processing and securing Personal data comply with the Security Policy and legal provisions.
3. Data processing by the Data Controller
Personal data processed by the Controller are organised in Data sets.
Data processing by the Data Controller will not include activities that could involve a high probability of a high risk of infringement of the rights or freedoms of persons to whom the Data relate. In the event of planning such an activity, the Controller will perform a data protection impact assessment referred to in Article 35 et seq. of the GDPR.
In the event of planning new processing activities of Personal data for purposes other than those for which they were obtained, the Data Controller will obtain renewed consent of the data subject for these activities. At the same time, the Data Controller will analyse their effects on the protection of personal data and will take data protection issues into account in the design phase of new activities.
The Data Controller may maintain a register of processing activities according to the template constituting Appendix No. 1 to the Security Policy.
4. Management of the security of Personal data
The Data Controller, Processors and Users are obliged to process Personal data in accordance with applicable regulations and the Security Policy, as well as other internal documents and procedures related to the Processing of personal data.
Processing of all Personal data always requires, in particular, compliance with the following principles:
processing of Personal data always requires the existence of at least one of the GDPR legal bases for data processing;
Personal data are processed lawfully, fairly and in a transparent manner for the data subjects;
Personal data are collected for specific, explicit and legally justified purposes and not further processed in a manner incompatible with those purposes;
Personal data are processed only to the extent necessary to achieve the purpose of data processing;
Personal data are accurate and, where necessary, kept up to date;
the storage period of Data is limited to the period of their usefulness for the purposes for which they were collected, and after that period they are anonymised or erased, unless further processing is necessary due to the legitimate interests of the enterprise or the Data Controller;
with respect to the data subjects, it is always necessary to fulfil the information obligation in accordance with Article 13 and Article 14 of the GDPR;
Data are secured against breaches of the principles of their protection.
The following constitute a breach or an attempt to breach the principles of processing and protection of Personal data:
a breach of the security of IT Systems in which Personal data are processed;
making Data available or aiding in making Data available to unauthorised entities;
failure, including unintentional failure, to fulfil the obligation to ensure the protection of Personal data;
failure to fulfil the obligation to maintain confidentiality of Personal data and the principles and methods of their security;
processing of Personal data contrary to the assumed scope and purpose for which they were provided;
damage, loss, uncontrolled change or unauthorised copying of Personal data;
infringement of the rights of data subjects, in particular the rights referred to in Articles 15–18 of the GDPR.
If a direct risk of a breach of Data or a breach of personal data protection principles is identified, the Data Controller, the Processor or the User is obliged to take all necessary actions to prevent the breach and limit the effects of a possible breach.
The obligations of the Data Controller with regard to employing employees under employment contracts or civil law contracts who, within the scope of their duties, will process Personal data include:
appropriate training of employees in the scope of regulations and principles of protection of Personal data, including familiarising them with the Security Policy and the Instructions for Using the IT System,
granting employees a written authorisation to process data in accordance with the template constituting Appendix No. 3 to the Security Policy,
obtaining from employees an undertaking to keep Personal data confidential.
Users are obliged to:
strictly comply with the scope of the granted authorisation;
process and protect Personal data in accordance with regulations and data protection principles;
keep personal data and methods of their security confidential;
report breaches and attempts to breach Personal data and other events that may affect the security of Data protection.
5. Place of processing of personal data
Personal data are processed at the seat of the Data Controller and in all locations used by the IT System, insofar as this is necessary for its proper functioning.
6. Breach of personal data protection principles
In the event of identifying a breach of the protection of Personal data, the Data Controller assesses whether the breach has caused or could have caused a risk of infringement of the rights or freedoms of the data subjects.
If the breach has resulted in a high risk of infringement of the rights and freedoms of the data subject, the Controller notifies that person of the breach.
If the breach has resulted in a risk of infringement of the rights or freedoms of the data subjects, the Data Controller reports the breach to the supervisory authority without undue delay – where feasible no later than within 72 hours after becoming aware of the breach, according to the reporting template specified in Appendix No. 4 to the Security Policy.
7. Entrustment of personal data processing
The Data Controller may entrust the Processing of Personal data to another entity only by way of an agreement concluded in written form, provided that this entity provides sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR and protects the rights of the data subjects.
Before concluding a personal data processing entrustment agreement, the Data Controller, where possible, obtains information on the previous practices of the entity with which the agreement is to be concluded, in order to verify whether the entity provides the guarantees referred to in section 1.
The personal data processing entrustment agreement will be concluded according to the template constituting Appendix No. 5 to the Security Policy.
8. Transfer of data to a third country
The Data Controller will not transfer Personal data to a third country, except in situations where this occurs at the request of the data subject.
9. Cookies policy
This policy sets out the rules for the use of cookies on the website sinusoidafreedom.org, operated by the SINUSOIDA FREEDOM FOUNDATION, with its registered office at ul. Piastowska 7/4, 43-300 Bielsko-Biała, entered in the National Court Register under KRS number 0001157027, e-mail address:
Cookies are small text files saved on the user’s end device while using the website. They are used to ensure the proper operation of the service, remember user preferences, conduct statistical analyses and – where consent is given – for marketing purposes.
Within the website sinusoidafreedom.org, the following types of cookies are used: a) cookies necessary for the functioning of the service (e.g. login, forms); b) analytical and statistical cookies enabling the collection of data on how the website is used in order to optimise it; c) marketing cookies, including those originating from third parties (e.g. Google, Facebook), used for advertising purposes and analysis of user behaviour.
In accordance with applicable law, the storage of and access to cookies that are not necessary for the operation of the website requires the user’s prior consent. During the first visit to the website, the user is presented with a cookies notice with the possibility to manage consents, both for all cookies and for selected categories, as well as the possibility to refuse them (except for necessary cookies).
The user may at any time manage cookie settings by making appropriate changes in the settings of the web browser or using tools available on the website. Restricting the use of cookies may, however, affect the operation of certain website functions. Detailed information on cookie configuration is available on the websites of browser manufacturers: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari.
Cookies are divided into: a) session cookies – deleted after the browser session ends; b) persistent cookies – stored for the period specified in their parameters or until deleted by the user.
Some cookies may come from external service providers (e.g. Google, Meta), who may gain access to information collected via cookies in accordance with their own privacy policies. The SINUSOIDA FREEDOM FOUNDATION does not transfer users’ personal data without their explicit consent.
Users have rights arising from the GDPR, in particular: the right to withdraw consent, the right of access to data, the right to erasure, and the right to object to processing.
The SINUSOIDA FREEDOM FOUNDATION reserves the right to make changes to this cookies policy at any time, in particular in the event of changes in legal regulations or technological development. Changes enter into force on the date of their publication on the website.
10. Final provisions
Violation of the principles of the Security Policy by Users will result in liability specified in the Labour Code and provisions on the protection of Personal data.
Violation of the principles of the Security Policy by the Processor will result in liability specified in the Civil Code and provisions on the protection of Personal data.
The appendices to the Security Policy are:
template of the Register of personal data processing activities – Appendix No. 1,
template of the Authorisation to process personal data – Appendix No. 2,
template of the Notification of a breach of data protection principles to the supervisory authority – available at https://uodo.gov.pl/pl/501/2278
The Security Policy enters into force as of 27 December 2024.
Personal data collected by the Data Controller before the entry into force of the Security Policy, as of its entry into force, are subject to processing in accordance with the Security Policy.
