Information Security and Privacy Policy

1. Introduction.
1.1. Establishment of the Information Security Management System.
1.1.1. The Information Security Management System (ISMS) is a systematic approach to managing sensitive Company information so that it remains secure by applying a risk management process. It includes people, processes and information systems.
1.1.2. The ISMS is based on the international standard ISO/IEC 27001:2013.
1.1.3. The Executive Management of Efinity has decided to develop and implement an Information Security Management System. The purpose of the system is to:
- obtain and maintain the information security level necessary for ensuring the continuity of business processes by applying a risk management process and taking into consideration loss minimisation and return on investment maximisation,
- protect information assets which are key to the Company’s activity regardless of the form (data on paper or electronic data carriers) throughout their whole life cycle,
- ensure compliance with the applicable laws and regulations,
- protect the image and reputation of the Company,
- continuously improve information security awareness within the Company.
1.1.4. By establishing and implementing the ISMS, the Executive Management commits to preserving the confidentiality, integrity and availability of information processed within the Company. The ISMS applies to all employees of the Company, customers and third parties (such as consultants, contractors and service providers) who have access to or process information of the Company or other information processed by Efinity.
1.1.5. The ISMS is subject to continuous monitoring and improvement.
1.1.6. The objective of the ISMS is also to ensure security with regard to Personal Data, in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the "GDPR").

1.2. Declaration of the Executive Management.
1.2.1. It is the concern of the Management Board of Efinity to ensure an adequate security level of information processed within Efinity.
1.2.2. Being aware of the existing threats and the importance of information in the Company’s operations, the Management Board of Efinity adopts this Information Security Policy as a set of rules and principles that underlie the Information Security Management System.
1.2.3. The methods of information processing adopted at Efinity, as well as security mechanisms to protect it, are compliant with the applicable laws and regulations.

1.3. Goal and scope.
1.3.1. This Information Security Policy is implemented in keeping with the declaration of the Executive Management so as to ensure an adequate level of security for information processed at Efinity.
1.3.2. This Information Security Policy takes precedence over all existing Efinity documents related to information security.
1.3.3. This Information Security Policy concerns all:
- Efinity’s information resources or information resources processed by Efinity for or on behalf of clients or business partners,
- activities related to the processing of information in Efinity,
- forms of information, regardless of method of recording, in particular paintings, drawings, graphics, video or sound recordings, photos, written words, electronic documents, printouts, copies and extracts,
- types of information media, in particular paper, disks, flash memory and tapes,
- means for conveying information, especially speech, electronic transmission channels, mail and gestures,
- locations (buildings and facilities) in which information is processed,
- information or communications systems processing the information meant to be protected.
1.3.4. This Information Security Policy sets out the general rules and principles of information security, which are the core element of a complete and consistent Information Security Management System. These rules and principles are further elaborated and detailed in internal regulations, such as the procedures, general terms, guidelines and instructions, which determine the manner in which the rules and principles presented herein are to be implemented.
1.3.5. This document is addressed to all individuals who have access to the information processed by Efinity and to the information systems located at Efinity, especially to the management staff and employees of the Company, as well as third parties involved in the processing of the Company’s information or other information processed by Efinity.
1.3.6. This Information Security Policy can be presented to third parties with whom Efinity has concluded relevant agreements.
1.3.7. Each individual who has access to the information systems of Efinity is obliged to familiarise themselves with the rules and principles of this Information Security Policy, as well as detailed policies, procedures, general terms, guidelines and security instructions, and to observe them at all times.
1.3.8. Ignorance of the rules and principles of this Information Security Policy and the detailed regulations shall not release anyone from responsibility for their non-observance.
1.3.9. Violation of security rules and principles shall result in sanctions adequate to the gravity of the breach, as provided for in applicable laws and regulations.
1.4. Glossary.
1.4.1. Definitions of terms used in this document can be found in Appendix 1 - Glossary.

1.5. Roles and responsibilities.
1.5.1. Chief Technology Officer shall:
- set standards and control mechanisms in the field of security,
- give opinions on changes in information systems, contracts with external suppliers and IT projects from the perspective of compliance with the security standards adopted in the Company,
- oversee the implementation of periodic security audits and post-audit recommendations.
1.5.2. Compliance Officer shall:
- oversee the processes of identification of information assets, classification of information and risk analysis in the field of information security,
- oversee the user management process, including periodic reviews of user access rights,
- oversee the physical access management process,
- keep the register of exceptions to the applicable regulations in the area of security,
- review and update the policies and procedures in the area of security,
- ensure the existence of, and oversee the development and implementation of and compliance with, personal data security rules,
- assess compliance of personal data security rules with provisions of law, statutory and contractual obligations.
1.5.3. Security Officer shall:
- monitor the security of computer networks, including supervision of antivirus protection, software updates and vulnerability identification,
- conduct security training and carry out activities aimed at raising awareness in this area,
- oversee the cryptographic key management process,
- handle security incidents.
1.5.4. Information Owner shall:
- define requirements concerning information security,
- classify information, and perform regular reviews of classification correctness,
- ensure the implementation and maintenance of adequate security mechanisms in his/her subordinate organisational units,
- authorise access to information (the Information Owner shall have the right to assign the authorisation rights to other individuals or organisational units at Efinity),
- be responsible for utilization, maintenance and supervision of access to information.
1.5.5. Information system user shall:
- protect the information he or she has access to, in accordance with the rules and principles of this Information Security Policy and detailed regulations,
- report promptly any incidents of information security breach to the Security Officer.
1.5.6. Third Party shall:
- ensure the security of information to which it has been granted access at a level not lower than the security level defined in this Information Security Policy,
- guarantee the security of information to which it has been granted access from the moment the information leaves the information system of Efinity,
- be responsible for the consequences of information security violations, when such violations took place in the third party systems, or resulted from negligence or insufficient security provided by the third party.

1.6. Information Security Committee.
1.6.1. The Information Security Committee shall be an advisory body that consults in and co-ordinates the operations of the Information Security Management System at Efinity to ensure the uniform application of the rules and principles of the Information Security Policy.
1.6.2. The Information Security Committee is composed of:
- the Executive Management, consisting of the Chief Executive Officer, Chief Technology Officer and Compliance Officer,
- the Security Officer.
The Information Security Committee may also include the Operations Director, Financial Director and Technology Director.
1.6.3. The Information Security Committee shall:
- make decisions related to the information security strategy and budget for the performance of the strategic and operational tasks related to information security,
- oversee the implementation of the strategic and operational tasks related to the information security,
- resolve disputes concerning differences in the interpretation of the Information Security Policy by different parties,
- meet formally at least every 12 months to monitor performance of strategic and operational tasks related to the information security, raise issues that might be important to the information security and review Security Incidents that have occurred since the last Information Security Committee meeting. Discussed issues and decisions that have been made during the meeting should be documented in the form of meeting minutes.

2. Information Security Policy.
2.1. Information security definition. Information security is essential to maintaining Efinity’s competitiveness, financial liquidity, profit, image and reputation, and compliance with laws and regulations.
2.1.1. Information is an asset that has significant value for Efinity; Efinity therefore actively manages its security, identifies threats, reacts to information security breaches and defines authorisations and responsibilities for all parties participating in the information security management process and for information users.
2.1.2. Fulfilling the mission and objectives of Efinity in many areas is heavily dependent on the uninterrupted operation of information systems and security of information processed in them.
2.1.3. Information security in Efinity is understood as assurance and maintenance of the appropriate level of confidentiality, integrity and availability of information, defined as:
- Confidentiality – ensuring that access to the information is provided only to authorised users,
- Integrity - ensuring accuracy and completeness of information and processing methods,
- Availability - ensuring that authorized parties have access to the information and associated resources when it is necessary.

2.2. Information security organisation. There is an information owner for each piece of information processed at Efinity. The information owner shall be responsible for ensuring the proper level of information security, including in particular its confidentiality, integrity and availability.
2.2.1. Each piece of information shall have its owner. It is the responsibility of the information owner to classify the information as appropriate and review the correctness of the classification on a regular basis.
2.2.2. The Executive Management shall pass the Information Security Policy, as well as updates and amendments thereto.
2.2.3. The Executive Management shall establish an organisational structure to implement strategic and operational tasks related to information security.
2.2.4. The Executive Management shall approve classification of information adopted in the Company.
2.2.5. The Executive Management shall approve the results of the regular information security risk analysis.
2.2.6. The Executive Management shall commission audits in the area of information security.

2.3. Classification of information. For the purposes of this Information Security Policy, the following classes of information groups are adopted in view of the information confidentiality and integrity: Public, Internal, Confidential and Sensitive.
2.3.1. Information groups classified as Public mean information that is generally available and intended for the public; sharing it has no negative impact on the business activities of the Company.
2.3.2. Information groups classified as Internal mean information intended for internal use by the Company and not intended for public distribution; sharing it will have little or no negative impact on the business activities of the Company.
2.3.3. Information groups classified as Confidential mean internal information which is not intended for public distribution; sharing it will have a negative impact on the business activities or may cause financial losses and legal and image consequences. To disclose information classified as Confidential, it is necessary to obtain permission from the Information Owner in consultation with the Compliance Officer.
2.3.4. Information groups classified as Sensitive mean internal information intended for a specified group of people; sharing it will have a strong negative impact on the business activities or may cause very high financial, legal or image losses.

2.4. Information access control. Only authorised users who are unambiguously identified, authenticated and recognised shall have access to information.
2.4.1. Each individual who uses the information system must be unambiguously identified.
2.4.2. Each information system user must be authenticated by means of mechanisms that ensure an adequate level of information security.
2.4.3. Each information system user must be assigned to an appropriate user group that meets certain conditions and has certain attributes that define the scope of access to information.
2.4.4. Each action taken in the information system must be clearly linked to the identifier of the user who takes it.
2.4.5. The owner of such identifier shall be responsible for all actions and operations performed with the use of that identifier.
2.4.6. The elements authenticating the user in the information system must be protected against unauthorised access both on the part of the user, and on the part of the information system.
2.4.7. The privileges of the information system user must provide him or her only with the minimum authorised access to the information as required for his or her job function.
2.4.8. The Information Owner or a designated individual shall define the privileges of the user with regard to the information group, and shall authorise granting the information access rights to the user, modifying them or depriving the user of access rights.
2.4.9. The level of privileges of the information system users shall be subject to regular reviews and verification.
2.4.10. The information system shall be equipped with mechanisms that allow for the monitoring and registration of selected actions taken by users in that system.
2.4.11. Where an information system user is deprived of the right to access information, the elements identifying that user should not be re-used, and the history of system operations performed by that user should be archived.
2.4.12. When employees/associates of external entities have access to an Efinity IT System, the agreements with such external entities must include provisions governing that access.

2.5. Information systems security. Each information system shall ensure an adequate level of information security for information processed thereby.
2.5.1. The information systems as well as information processed in those systems may be used for work-related purposes only.
2.5.2. Use of the information systems for purposes other than work-related is permitted only upon consent of the Information Owner.
2.5.3. The information system must be equipped with security mechanisms that ensure confidentiality, integrity and availability of information processed therein.
2.5.4. The information system must be maintained in a manner that ensures confidentiality, integrity and availability of information processed therein.
2.5.5. In justified cases where there is suspicion of a breach of information security, security mechanisms can interfere with the privacy of information systems users.
2.5.6. Owning or using tools used for analysing and cracking the security devices of the information system shall be permitted to authorised users only, upon consent of the Chief Technology Officer.
2.5.7. Using tools used for analysing and cracking the security devices of the information system for illegal or unethical purposes or for purposes contrary to the interests of Efinity shall be considered a serious breach of the information security rules.
2.5.8. Access to and use of elements that determine the effectiveness of the information system security mechanism must be strictly controlled and accounted for.
2.5.9. The use of information system that is not the property of Efinity must not violate or decrease the security of the information environment of the Company.
2.5.10. The information system managed by authorised third parties empowered to process the information must ensure proper level of availability, integrity and confidentiality of the information in accordance with Efinity’s requirements. Efinity must have the ability to control the security level of that system.
2.5.11. Where information carriers are withdrawn from operation, the information stored on them must be deleted in a manner that prevents its recovery.
2.5.12. Information stored on data carriers, and made available to third parties that are not authorised to process information, must be secured against unauthorised access as appropriate.
2.5.13. All equipment and IT Systems used to process Personal Data must:
2.5.13.1. meet technical and organisational requirements adequate to the risk related to the Personal Data Processing, in accordance with the regulations referred to in Section 3.12;
2.5.13.2. take into account Privacy by default and Privacy by design; and
2.5.13.3. in situations and as described in the Principles for conducting a data protection impact assessment (PIA assessment), must take into account the results of the PIA.
2.5.14. The IT Systems ensure the confidentiality, integrity and accountability of the Personal Data processed, in accordance with the regulations referred to in Section 3.12.
2.5.15. Each electronic document or file containing Personal Data, if technologically possible, should be secured against unauthorized access (encrypted).

2.6. Information exchange channels security. Information exchange channels must ensure an adequate level of security for information sent by their means.
2.6.1. Protection of the information exchange channel must be adequate to the confidentiality and availability of information sent thereby.
2.6.2. The information exchange channels must guarantee an adequate level of integrity of information sent thereby.
2.6.3. The information exchange channel, as well as the information sender and recipient must be unambiguously defined.
2.6.4. The terms on which information is exchanged between the information systems must be clearly defined by the information sender and recipient.
2.6.5. In order to ensure an adequate security level for data sent by means of an information exchange channel, and in particular in order to ensure information confidentiality, cryptographic data protection mechanisms must be used.
2.6.6. Without the express consent of the Data Subject, it is prohibited to transfer Personal Data:
2.6.6.1. to private email addresses;
2.6.6.2. using social messaging (e.g. WhatsApp, Facebook Messenger, Snapchat, etc.).
2.6.7. It is prohibited to share Personal Data on social networking sites (e.g. Facebook, Twitter, Instagram) without the express consent of the Data Subject.  

2.7. Changes to the information systems. Changes to the information systems of Efinity must not decrease the specified security level.
2.7.1. The development of the information system must be planned and performed in a controlled manner, while observing the formal provisions of the policies, procedures, bylaws, guidelines and security instructions.
2.7.2. Each change to the system must result from a business need, a security improvement need or changes to the applicable laws.
2.7.3. All parties concerned must be notified sufficiently in advance of any modifications that may affect the functionality of the information system or its security level.
2.7.4. Any change that is significant for the information system operations must be properly planned, agreed on with the parties concerned and documented as appropriate.
2.7.5. Each change to be effected must be tested prior to the implementation into production environment.
2.7.6. The testing, development and production environments must be separated in the information system in such a manner that the process of information system modification does not have an adverse impact on the operations of Efinity and the security of information processed by means of the Efinity information systems.
2.7.7. Where it is necessary to effect emergency changes due to a crisis or an actual threat of a crisis, it is possible to apply a simplified development cycle upon the consent of the superior of the individual requesting such an emergency change or upon the consent of the head of the unit responsible for system maintenance.

2.8. Protection from harmful factors. Information processed in the information systems of Efinity must be protected from harmful factors.
2.8.1. The information system should be equipped with mechanisms that allow for the prevention, detection and elimination of factors that disturb its operations.
2.8.2. The information system must use the mechanisms allowing for prevention, detection and elimination of disturbing factors in a systematic manner.
2.8.3. Mechanisms that allow for prevention, detection and elimination of factors disturbing the operations of the information system should be used for information processed in the system and for information exchanged with other information systems.
2.8.4. Computer software used for information processing must be approved by the Security Officer.
2.8.5. Any actions aimed at disturbing the operations of the information system shall be a serious breach of the security rules.

2.9. Maintaining continuous operations of the information systems. All actions aimed at maintaining the information systems in continuous operation must be planned and performed in such a manner as to minimise the consequences of a breakdown or crisis.
2.9.1. The information systems must be maintained in a controlled manner, with the observance of formal procedures.
2.9.2. The information systems must be equipped with mechanisms that allow for making back-ups and archive copies of the data.
2.9.3. The organisational unit responsible for the information systems maintenance shall develop rules governing the creation, control, retention and restoration of the back-ups and archive data copies.
2.9.4. The back-ups and archive data copies must be created in accordance with the defined rules, and their correctness and completeness must be tested on a periodic basis.
2.9.5. The back-ups and archive data copies should be stored in a manner guaranteeing the confidentiality, integrity and availability of the information.
2.9.6. The means and mechanisms guaranteeing access to the back-ups should allow for restoring the correct operations of the information systems.
2.9.7. The back-ups and archive data copies should be stored at a location that is physically separate from the place in which the source data are stored.
2.9.8. The mechanisms and documentation concerning the means configuration used to create and recover the back-ups and archive data copies must be secured as appropriate and readily available.
2.9.9. The contents of the data carriers and the carriers containing the back-ups and archive data copies must be labelled as appropriate.
2.9.10. The methods applied to maintain continuous operations must be adequate to the availability requirements of the given information system.

2.10. Physical security. The places and equipment used for information processing must be protected as appropriate.
2.10.1. Physical security perimeters shall be defined for the places in which the data are processed.
2.10.2. Server rooms must be protected from unauthorised access.
2.10.3. The level of protection of server rooms from unauthorised access must be adequate to the confidentiality and availability requirements of the information processed therein.
2.10.4. Server rooms must be located in places protected by specific access control mechanisms and protection barriers.
2.10.5. Server rooms must ensure adequate conditions for the operations of the information processing equipment and for retaining the information carriers; they should also have mechanisms supporting the power supply.
2.10.6. The places and equipment used for information processing must be protected from any occurrences that may result in the destruction of, damage to or theft of information system elements.
2.10.7. Access of third parties to the places and equipment used for information processing must be controlled by appropriate staff of the Company.
2.10.8. The places where Personal Data is processed, i.e. buildings, rooms or parts of rooms constituting the area where Personal Data is processed, are subject to protection by means of physical protection measures and the adoption of adequate organizational solutions to protect against unauthorized access to the Personal Data.
2.10.9. Third parties entering the Premises are greeted by authorized front desk personnel who ensure the confidentiality of Personal Data.
2.10.10. In addition, front office employees are required to respect the confidentiality of the Personal Data in the performance of their duties at the front office location.
2.10.11. With the exception of places dedicated to meetings with third parties, the presence of unauthorized persons in the places referred to in section 2.10.8 is permitted only in the presence of a person authorized to process Personal Data.
2.10.12. The locations referred to in section 2.10.8 must be secured, during the absence of persons authorised to process Personal Data, in a manner that prevents physical access by unauthorised persons.
2.10.13. With the exception of places dedicated to meetings with collaborating or non-collaborating third parties or their representatives, the recording of image or sound, as well as the transmission of image or sound outside these places, is prohibited in the places referred to in section 2.10.8, except when these activities are undertaken as part of the physical protection measures in place.
2.10.14. Persons authorized to process Personal Data are obliged to control whether any unsecured documents or materials containing Personal Data remain in the places referred to in section 2.10.8 (i.e. to observe the "clean desk" principle).
2.10.15. Maintenance, repair and emergency operation of the equipment and IT Systems at the locations referred to in section 2.10.8 must be carried out in agreement with the Management Board and in the presence of persons authorized to process Personal Data.
2.10.16. Paper documents containing Personal Data must be protected from damage, destruction or unauthorized access.
2.10.17. Documents should be physically protected against loss and unauthorized access. The "clean desk" principle means that all documents containing Personal Data should be stored at the end of the working day in a place where they cannot be accessed by unauthorized persons (e.g.: locked office furniture).
2.10.18. Any paper document containing Personal Data, once it is no longer necessary to use it, must be destroyed in a secure manner that makes its contents unreadable. Until destroyed, it should be stored in a secure location that prevents unauthorized access (e.g.: locked office furniture).
2.10.19. It is forbidden to copy any Personal Data contained in paper documents without permission from the immediate supervisor on the part of Efinity.
2.10.20. The “clean printer” policy means that printouts and copies containing Personal Data are made only by the authorized employee, who is required to take them from the printer immediately.
2.10.21. Documents containing Personal Data shall be sent packaged in a strong, opaque envelope, as registered mail with return receipt requested, via postal and courier service providers.
2.10.22. Electronic Media containing Personal Data should be protected from physical damage or destruction that would make it impossible to read or recover the information contained therein.
2.10.23. Electronic Media containing Personal Data used by users should be physically protected against loss and unauthorized access.
2.10.24. When leaving the workplace, Media should be secured in a manner that prevents unauthorized access (e.g.: store in locked office furniture).
2.10.25. It is prohibited to process Personal Data on private computers.
2.10.26. It is prohibited to copy any Personal Data onto Media other than for Efinity business purposes. The number of electronic copies of documents containing Personal Data should be limited to the minimum necessary.
2.10.27. The use of storage media such as pendrives, external drives, etc. that enable data recording should be limited and allowed only in necessary cases with the consent of the immediate supervisor. Personal Data on such media should be encrypted.

2.11. Mobile devices and teleworking. Terms of use of mobile devices and teleworking should include the applicable security requirements, especially the code of conduct in the case of loss of a device or other significant incidents.
2.11.1. Teleworking should be only allowed with the use of solutions approved by the Security Officer.
2.11.2. Security controls for teleworking solutions should ensure they:
- meet logical and physical requirements,
- meet communications security requirements and prevent unauthorised access,
- do not cause disputes concerning intellectual property rights for information developed on privately owned equipment,
- do not prevent access to privately owned equipment in the event of an investigation by authorized authorities,
- do not bind Efinity to privately owned software agreement obligations and liabilities,
- are properly firewalled and protected against malicious code attacks.
2.11.3. Approval for teleworking should only be granted if appropriate security controls are implemented.
2.11.4. Information systems users should make every effort to guard information processed with the use of mobile devices against theft, unauthorised disclosure and unauthorised access.
2.11.5. Information systems users should adhere to the principles of clean desk and clean screen while teleworking.
2.11.6. Portable computers and other mobile devices used for storage of information should employ hard disk encryption.
2.11.7. For the purpose of protection against unauthorised access, password and lockout features, if available, should be enabled and used on portable computers and on mobile devices used to receive, transmit or store information classified as Confidential. A mobile device should be PIN protected.
2.11.8. Mobile devices should be secured in accordance with specified standards, in particular:
- access to the device should be protected,
- data stored on the device should be protected.
2.11.9. When transporting the Mobile Device, the user is obliged to protect it from loss, from being taken by an unauthorized person, and from access by unauthorized persons to the Personal Data contained therein.
2.11.10. The User shall lock the Mobile Device each time after completing work on it. Access to Personal Data on the Mobile Device must be preceded by entry of a PIN.
2.11.11. It is prohibited to display Data on Mobile Devices in the direct presence of unauthorized persons, especially in public places.
2.11.12. It is prohibited to share the Mobile Device with unauthorized persons.
2.11.13. The processing of Personal Data on Mobile Devices must be limited to necessary cases only and must result from the performance of business tasks and be approved by Board Member or person authorized by the Management Board.
2.11.14. The processing on Mobile Devices of Special Categories of Personal Data, as well as Personal Data relating to criminal convictions and violations of law, must be preceded by a PIA in accordance with the Principles for Conducting a Data Protection Impact Assessment (PIA) in Efinity.

2.12. Breaches of information security. Each breach of information security shall be punished, and the offender shall be brought to responsibility in accordance with the internal regulations of Efinity or applicable laws and regulations.
2.12.1. Each instance of violating the security rules or safeguards of information systems shall be considered a breach of information security.
2.12.2. The penalty for breach of information security must be proportionate to the potential loss of the Company, due to such breach.
2.12.3. Each information system user must react to any instances of information security breach and report them promptly to the Security Officer.
2.12.4. Instances of the information security breach must be detected by means of adequate control means, administrative and organisational means, and technical and programme measures.
2.12.5. The results of monitoring and registration of selected actions of the information systems users shall be the proof of information security breach.
2.12.6. Any measures and methods used to respond to any instances of information security breach must be selected in such a manner as to minimise the potential loss due to such information security breach and to prevent major disturbance to the operations of Efinity.
2.12.7. The reasons behind the information security breach should be analysed, and the security mechanisms should be modified accordingly so as to minimise the risk of re-occurrence.
2.12.8. Each detected instance of information security breach should be properly documented and reported. The fact of information security breach, the documentation and report represent protected information.
2.12.9. Non-compliance with the provisions of this Policy by Efinity employees will result in disciplinary actions in accordance with the Work Regulations and the provisions of the Labor Code.

2.13. Formal and legal security. The security mechanisms must be compliant with the applicable laws and regulations.
2.13.1. The information systems and information security mechanisms used by Efinity must be compliant with the applicable laws and regulations.
2.13.2. Each change to the laws applicable to the security rules and principles defined herein requires assessment as to the necessity, and, if necessary, introduction of amendments to this Information Security Policy and detailed regulations of Efinity so as to make them compliant with the new regulations.
2.13.3. Review of this Information Security Policy and detailed regulations of Efinity must take place at least on an annual basis, especially in terms of their compliance with the existing laws, their completeness and adequacy with regard to the needs of Efinity.
2.13.4. Information produced by entities related to Efinity under civil law agreements and pursuant thereto shall be the property of Efinity, unless otherwise expressed in the specific agreements.
2.13.5. Where Efinity provides information to third parties, such third parties shall be obliged to secure the information at least at the same level as the one at Efinity, and the disclosed information must be processed in accordance with the applicable laws and regulations.
2.13.6. Information is disclosed to third parties after third parties become familiar with the information security rules of Efinity. Familiarity with the information security rules shall be confirmed in writing. In particular, it is essential that the information confidentiality and the terms on which the information may be disclosed by the third party to other parties be guaranteed.

2.14. Information security risk management. Efinity shall manage the information security risk in a continuous manner, by taking actions aimed at identifying and mitigating the information security risk.
2.14.1. The risk shall be managed in a continuous manner based on a periodic information security risk analysis, performed at least once a year.
2.14.2. Adequate control mechanisms shall be defined and implemented with regard to identified risks so as to mitigate them.
2.14.3. The risk shall be in particular managed during the development and modification process of the information systems.
2.14.4. The risk level for the entire information environment must be analysed upon effecting a modification to the information systems that might have an impact on its security, especially after each change effected in response to an information security breach.
2.14.5. The information systems security mechanisms must be subject to systematic monitoring in order to ensure their efficiency.
2.14.6. High risk of information and information systems unavailability should be minimised by means of business continuity plans, to be developed and applied accordingly.

3. Personal Data Protection Competence - responsibility.
3.1.1. The realization of tasks in the scope of Personal Data protection in Efinity is supervised by the Management Board.
3.1.2. If a Data Protection Officer is appointed, the Management Board of Efinity will delegate the performance of certain activities to the Data Protection Officer. Until the appointment of the Data Protection Officer, all functions and duties shall be performed by the Management Board of Efinity and persons authorized by the Management Board.
3.1.3. The application of this Policy is the responsibility of all employees and third parties who, in the performance of their tasks, are involved in the processing of Personal Data.

3.2. Purposes and principles of personal data processing.
3.2.1. Efinity processes the Personal Data for the purposes connected with the subject of its statutory activity, in particular, the personal data of the employees, third parties, and persons applying for work, as well as for the purpose of performing the duties resulting from the generally binding legal regulations and the Personal Data entrusted by other entities being their Controllers or Processors, in particular, the Personal Data entrusted by the insurers (syndicates) or insurance intermediaries, for whom Efinity is acting as a service provider on the basis of the contracts concluded with these entities.
3.2.2. The principles set out in this Section 3 and its subsections shall apply to all employees and third parties involved in performing tasks for Efinity if, in order to carry out their tasks, it is necessary to process the Personal Data towards which Efinity is the Controller or which have been entrusted to Efinity on the basis of a contract concluded with another entity which is their Controller.
3.2.3. Section 3 and its subsections apply to all Personal Data processed at Efinity through IT Systems, on paper, on other media, and orally.
3.2.4. All Personal Data processed for Efinity shall constitute Information Assets within the meaning of regulations adopted in Efinity and therefore their sharing outside Efinity may only be done in connection with the performance of business tasks for Efinity.
3.2.5. Efinity processes Personal Data in accordance with the following rules resulting from the commonly applicable laws and internal documents of Efinity (including this Policy):
3.2.5.1. lawfulness, fairness and transparency (the processing of Personal Data must have a lawful basis; it must respect the interests and rights of Personal Data Subjects; it must be transparent to Data Subjects);
3.2.5.2. purpose limitation (the purpose of the Personal Data Processing must be specific, explicit and legally justified; and the Personal Data may not be Processed contrary to that purpose);
3.2.5.3. minimisation of Personal Data (Data should be appropriate and necessary for the purpose of the Processing and for meeting Efinity's objectives);
3.2.5.4. correctness of Personal Data (Data should be true, complete and up-to-date);
3.2.5.5. retention restrictions (Data must be Processed only for as long as is necessary to achieve the lawful purpose of the Processing);
3.2.5.6. integrity, confidentiality and availability (Data must be Processed in a manner that ensures its security, including protection against unauthorized or unlawful Processing, accidental loss, destruction or damage);
3.2.5.7. accountability (when Processing Data, adherence to the principles indicated in sections 3.2.5.1. – 3.2.5.6. above is required, together with the ability to demonstrate compliance).
3.2.6. Methods of collecting Personal Data shall be reviewed by the Management Board before they are implemented to confirm that Personal Data is obtained:
3.2.6.1. fairly, without intimidation or deception, and
3.2.6.2. lawfully, adhering to all relevant rules of law relating to the collection of Personal Data.
3.2.6. The Management Board or a person authorized by it shall confirm that third parties from whom Personal Data is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
3.2.7. Where Efinity acts as the Controller, explicit consent shall be obtained directly from the Data Subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
3.2.8. As concerns the Personal Data processed by Efinity on the grounds of the Data Subjects’ consent:
3.2.8.1. explicit consent shall be obtained from Data Subjects at or before the time Personal Data is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented;
3.2.8.2. If Personal Data that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose;
3.2.8.3. Explicit consent is obtained directly from the Data Subject when sensitive Personal Data is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
3.2.8.4. Consent is obtained before Personal Data is transferred to or from a Data Subject's computer or other similar device.

3.3. Responsibilities of individuals with access to Personal Data.
3.3.1. All employees and third parties who, in the performance of their tasks, have access to the Personal Data processed at Efinity, are obliged to:
3.3.1.1. familiarize themselves with and strictly observe the provisions of law and internal procedures regulating the principles of Personal Data protection adopted in Efinity;
3.3.1.2. participate in training provided by Efinity;
3.3.1.3. include, in all planned and implemented processes, technical and organizational solutions or tools related to Personal Data processing:
- the Privacy by design and Privacy by default principles; and
- the results of the PIA conducted in accordance with the Principles for Conducting a Data Protection Impact Assessment (PIA) in Efinity;
3.3.1.4. comply with the rules of protection of HR Personal Data;
3.3.1.5. maintain indefinitely the confidentiality of the Personal Data processed and of the ways of securing the Personal Data,
3.3.1.6. report to the Management Board and clarify any doubts regarding the correctness of the Processing of Personal Data,
3.3.1.7. cooperate with the Management Board in the case of Efinity Audits (both internal and external), as well as controls performed by PUODO;
3.3.1.8. promptly prepare and send, upon request by the Management Board, information regarding the Processing of Personal Data (as per the scope of the request);
3.3.1.9. keep and observe the records of persons authorized to Process Personal Data within the tasks performed in the organizational unit they supervise, provided that Personal Data is Processed by employees/third parties collaborating with this unit only in paper form or on external carriers, in accordance with the templates of records referred to in section 3.17.7. of this Policy,
3.3.1.10. supervise subordinate employees and third parties in carrying out the responsibilities described in this Policy,
3.3.1.11. report any activity that involves the processing of Personal Data (excluding the Processing of Business Card Data for communication purposes) to the Record.
3.3.2. In addition, employees / third parties shall apply the security requirements of an IT System used by Efinity, in accordance with the regulations referred to in Section 3.12. and its subsections.

3.4. Exercise of data subjects' rights.
3.4.1. Efinity realizes the rights of Personal Data Subjects, i.e.:
3.4.2. The right to information and to obtain confirmation of the Personal Data Processing by the Controller, and access to the Personal Data;
3.4.3. The right to withdraw consent;
3.4.4. The right to rectify/complete the Personal Data;
3.4.5. The right to erasure of Personal Data ("right to be forgotten");
3.4.6. The right to restrict Processing;
3.4.7. The right to data portability;
3.4.8. The right to object to the processing of Personal Data;
3.4.9. The right not to be subject to decisions made under conditions of automated processing of the Personal Data, including profiling.
3.4.10. The processing of requests from Data Subjects shall be ensured by the Efinity Management Board in accordance with the Manual for handling requests from Data Subjects attached to this Policy.

3.5. Records.
3.5.1. The Management Board shall maintain the Record of personal data processing activities and the Record of categories of personal data processing activities.
3.5.2. Each Employee and Third party is responsible for updating the information in the Records, including the cessation of processing of Personal Data, in particular:
3.5.2.1. shall promptly report the creation of a new data set,
3.5.2.2. shall promptly notify and update information about the processing of Personal Data, including the cessation of processing of Personal Data.
3.5.3. It is the responsibility of the employee or third party responsible for concluding the agreement to prepare and submit to the Management Board a correct notification to the Records or its update with respect to agreements on entrusting or sharing Personal Data, in accordance with Sections 3.6., 3.7. and their respective subsections.

3.6. Data Sharing.
3.6.1. The decision on Sharing Personal Data, including sharing Personal Data at the request of authorized state authorities, is made by the Management Board of Efinity.
3.6.2. The release of Personal Data whose Controller is Efinity shall be recorded in the Register upon notification by the person responsible for the subject matter of the release.
3.6.3. Sharing of Personal Data to a third country is only possible under the terms of the applicable legislation (Article 44 et seq. of the GDPR).

3.7. Data entrustment.
3.7.1. Efinity as the Controller may entrust another entity (the Processor) with the processing of Personal Data on behalf of Efinity exclusively on the basis of a written agreement concluded with this entity.
3.7.2. Efinity as the processor may entrust the Personal Data to another entity only for the purposes and on the terms specified in the contract between the controller and Efinity acting as the processor.
3.7.3. The Personal Data Processing Entrustment Agreement in which Efinity acts as a Data Controller or as a Processor must comply with the requirements of Article 28 of the GDPR and is subject to the prior approval of the Management Board.
3.7.4. The entrustment of the processing of Personal Data, of which Efinity is the Controller, is recorded in the Register, upon notification by the person in charge of the conclusion of the agreement.
3.7.5. In the case of access by external entities to an IT System for the purpose of implementing, repairing, reviewing, maintaining or upholding that System, if the external entity also obtains Access to Personal Data processed in that System, a Personal Data Processing Entrustment Agreement must be entered into in accordance with the provisions of sections 3.7.1. – 3.7.3. above.
3.7.6. In case of the intention to conclude an Entrustment agreement in which Efinity is to act as a processor, the person responsible for its conclusion is obliged to notify it to the Register.
3.7.7. Efinity as the Controller may entrust the Personal Data to a third country on the principles compliant with the binding provisions of law, whereas the decision in this regard is taken by the Management Board after the presentation by the person in charge of the subject matter of the undertaking related to the entrustment of the Personal Data.
3.7.8. The outsourcing of Personal Data, of which Efinity is the Controller, to a third country is recorded in the Register upon notification by the substantive person responsible for concluding the agreement.
3.7.9. If Efinity jointly with other entities determines the purposes and means of the Processing of Personal Data (joint controlling of Personal Data), an agreement must be concluded which will regulate the responsibilities of each of the joint controllers and the relationship between the joint controllers and the Personal Data subjects.
3.7.10. The conclusion of an agreement on the joint controlling of Personal Data shall be recorded in the Registry upon notification by the person responsible for the subject matter thereof.

3.8. Managing Access to Personal Data in Efinity.
3.8.1. Only persons authorized to do so may be allowed to Process Personal Data. Efinity authorizes any person Processing Personal Data in connection with the performance of their duties to the Efinity, subject to section 3 below.
3.8.2. The authorization to process Personal Data is included in the employment contract, managerial contract, contract of mandate, other type of cooperation contract concluded directly between Efinity and the employee/third party.
3.8.3. The conditions of access to the Personal Data towards which Efinity is the Controller by the employees and associates of the Processor may be specified in the Personal Data Processing Entrustment Agreement concluded by Efinity with the Processor.
3.8.4. The Employees/third parties collaborating with Efinity authorized to Process Personal Data shall:
3.8.4.1. be trained in the principles of Personal Data protection and sign a statement, constituting an element of the employment relationship, that he/she is acquainted with the provisions of the law in the scope of Personal Data protection and the principles of Personal Data protection binding in Efinity.
3.8.4.2. submit, as part of the employment relationship, an undertaking to keep confidential indefinitely the Personal Data processed and the ways in which they are secured,
3.8.4.3. in case of change in the scope of tasks or place of work in Efinity, resulting in lack of need to process the Personal Data, or termination of the employment contract with the employee, the employee is obliged to return the documentation or other carriers containing the Personal Data to the employer.
3.8.5. Access to the IT System where Personal Data is Processed requires, in addition to meeting the requirements of section 3.8.4. and its subsections, that access to the IT System be granted in accordance with the regulations referred to in Section 3.12.
3.8.6. Records of persons authorized to process Personal Data in IT Systems are kept by a person designated by the Management Board, under the supervision of the Management Board.
3.8.7. Access to Personal Data processed outside the Information and Communication Systems is carried out under the supervision of the Management Board.

3.9. Handling Violations of Personal Data Protection.
3.9.1. Anyone who has obtained information about a suspected Breach of the protection of Personal Data Processed in an IT System and outside such System, as well as about a case of a breach or an attempt to breach the applied physical protection measures and the accepted system of protection of the places where Personal Data is Processed, shall be obliged to immediately, after obtaining such information, report the Breach to the Efinity Board.
3.9.2. Reported Violations are analyzed in accordance with the provisions of internal procedures and forwarded to the Management Board.
3.9.3. In accordance with applicable law, upon confirmation that a Breach has occurred:
3.9.3.1. the Management Board reports the Breach to PUODO;
3.9.3.2. the person whose Data is affected by the Breach is notified about it in accordance with the internal procedures of Efinity;
3.9.3.3. The actions referred to in the preceding sections are performed subject to the provisions of the Instruction for dealing with personal data breaches referred to in section 3.17.4. of this Policy.

3.10. Audits.
3.10.1. The audit of the compliance of the Processing of Personal Data at Efinity with the regulations on the protection of Personal Data covers all the organizational units of Efinity where Personal Data is Processed and the processing entities to which Efinity has entrusted Personal Data for processing.
3.10.2. The audit of the compliance of the Processing of Personal Data with the regulations on the protection of Personal Data is carried out in one of the modes as follows:
3.10.2.1. Planned audit - in accordance with the audit plan approved by the Management Board of Efinity, according to ISO/IEC 9001 and 27001:2013 standards,
3.10.2.2. Ad hoc audits - conducted in cases of Personal Data Breaches or a reasonable suspicion of such a Breach.
3.10.3. A scheduled audit is conducted:
3.10.3.1. by employees designated by the Board,
3.10.3.2. according to ISO 27001 Information Security Management System standards, approved by the Management Board.
3.10.4. An ad hoc audit is conducted by employees/third parties indicated by the Management Board. The persons conducting the ad hoc audit or participating in it as experts, shall submit the Audit report to the Management Board immediately after its completion.
3.10.5. Upon completion of the Audit, a report is prepared. The report is prepared in electronic or paper form and presented to the Management Board.

3.11. PUODO (Data Protection State Authority) Controls.
3.11.1. Pursuant to the principles provided for in the applicable legislation, PUODO may carry out checks at Efinity on the compliance of Personal Data Processing with the provisions on the protection of Personal Data.
3.11.2. Anyone who has obtained information about the PUODO control is obliged to immediately inform the Management Board or their direct superior about it, who in turn notifies the Board. The Efinity employee/third party authorized by the Management Board, who is responsible for the area controlled by PUODO, participates in control activities undertaken by PUODO personally or through designated employees/third parties.
3.11.3. The Data Protection Officer shall inform the Management Board of the results of the audit conducted by the PUODO.

3.12. Personal Data Protection - Final provisions.
3.12.1. In matters not regulated by the provisions of this Section 3 of the Policy, the remaining provisions of Information Security Policy and other related internal regulations, such as the procedures, general terms, guidelines and instructions adopted in Efinity, as well as generally applicable legal regulations shall apply.
3.12.2. In execution or interpretation of duties related to protection of Personal Data, special regard shall be had to the SOC2 Privacy Criteria.

3.13. Related documents (PRIVACY).
The following are an integral part of this Policy in the aspect of Personal Data protection:
- The Personal Data Retention Policy;
- Principles for conducting a data protection impact assessment (PIA assessment);
- Instruction for dealing with personal data breaches;
- Instruction for dealing with data subject requests;
- Instruction for performing the information obligation;
- Regulations on templates of authorizations and records of persons authorized to process personal data;
- Regulations on the template of the record of personal data processing activities and the template of record of categories of personal data processing activities.

Appendix 1 – Glossary.
The glossary below defines the terms as used in this document:

- Access to Personal Data: allowing a person to view or directly perform operations on Personal Data.
- (User) Identifier: an element that allows for unambiguous identification of a system user (e.g. ID, login, badge, business card).
- Access rights: define the level of rights, actions and operations that may be performed by the user in the system, as well as the terms and conditions on which these actions and operations may be performed.
- Availability: a feature of information and of an information system; the degree to which they are available and usable on the demand of an authorised user within the scope requested.
- Breakdown: a situation that occurs upon an event that disturbs the correct operation of the system.
- Classification of information: a process of organising information into groups (classes) based on established criteria, in order to apply adequate security mechanisms.
- Company or Efinity: means Efinity sp. z o.o.
- Confidentiality: a feature ensuring that information will not be made available or disclosed to unauthorised users.
- Controller: the entity which determines the purposes and means of the processing of Personal Data. Efinity, represented by the Board, is the Controller.
- Continuous operation maintenance: ensuring correct and continuous operations of the Company in the event of an emergency or a crisis.
- Cracking: the defeating of security mechanisms in the information system.
- Crisis: a situation following a certain event, e.g. a violation of information security or an act of God, as a result of which there is no ability to process information.
- Cryptographic data protection mechanisms: mechanisms used for processing information in such a manner as to ensure an adequate information security level, and in particular its confidentiality, by encryption.
- Data carrier: material used for recording and storing information, both in traditional and electronic form.
- Data Processing (processing): an operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Sharing: the transfer to an authorized Recipient of Personal Data selected according to specific criteria, on the basis of a positively considered application or an agreement, in paper form, on another information carrier or by enabling access to selected Data in an IT System, for their independent processing by the Recipient as a separate Controller or as a processing entity.
- Emergency change: measures taken in case of a system emergency or a crisis in order to restore the system to proper operation.
- Employee: a person who remains in a relationship of employment, written order or other legal relationship of a similar nature with the Company, including a member of the statutory authorities of the Company.
- Entrusting the processing of Personal Data (Entrustment): the transfer of a dataset, a part of it or individual Personal Data, or the granting of access to Personal Data, under an agreement concluded by Efinity with another entity on the basis of Article 28 of the GDPR, for the purpose of their processing by this entity on behalf of Efinity; this also includes further entrustment of the processing of data processed by Efinity on behalf of other entities.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- Harmful factor: software or an action that results in decreased efficiency of the information systems or the computer network of the Company, or that causes a breach of the information security of the Company (e.g. viruses, worms, etc.).
- Information Carriers / Media: all kinds of carriers used to record information in digital form, in particular hard disks, flash drives, CD/DVD/Blu-ray discs, magneto-optical disks, SSD disks, DLT/DDS tapes, memory cards, smart cards, etc., which are the property of Efinity or of other natural persons, legal entities or organisational units without legal personality, but which are used to process Personal Data in Efinity.
- Information exchange channel: a set of mechanisms, tools and equipment that allow for the exchange of information, both in traditional and electronic form. The computer network of the Company is a special case of an electronic information exchange channel.
- Information Owner: a person who is functionally responsible for the information and its security within a specific organisational division.
- Information processing: operations and processes related to information, including collation, recording, retaining, examining, modifying, making the information available and deleting it.
- Information Security: maintaining the Confidentiality, Integrity, Availability and Accountability of information in accordance with ISO/IEC 27000:2013.
- Information system: a set of processes, technical resources, physical and human resources, regulations, tools and mechanisms used for information processing.
- IT System: a set of cooperating technical means and software (infrastructure and applications) constituting an integral and logical whole, separated in terms of the functionality provided, whose main purpose is information processing (including Personal Data).
- Integrity: ensuring that information in the system is protected from unauthorised modification.
- Personal data: any information concerning an identified or identifiable private individual.
- Personal Data Breach (Breach): a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to Personal Data transmitted, stored or otherwise Processed. For the purposes of this Policy, a Breach is also any unauthorized or unlawful Processing of Personal Data.
- Personal Data Processors: persons who perform any operations on Personal Data or merely have access to Personal Data.
- Physical security perimeters: physical security facilities implemented within the Company: office area, server room and archive.
- Privacy by default: ensuring, through appropriate technical and organizational measures, that by default only those Personal Data are processed which are necessary for the achievement of each specific purpose of the Processing (this refers to the amount of Personal Data collected, the scope of processing, the period of storage and their availability). In particular, these measures should ensure that Personal Data is not made available to an unspecified number of individuals without the person's intervention (will).
- Privacy by design: implementation, at the stage of design and of subsequent processing, of appropriate technical and organizational measures to effectively implement Data protection principles, in particular the necessary security of Personal Data processing and the protection of the rights of Personal Data subjects.
- PUODO: the President of the Office for Personal Data Protection, the supervisory authority competent in matters of personal data protection, having jurisdiction in Poland.
- Recipient of Personal Data (Recipient): a natural or legal person, public authority, entity or other body to whom Personal Data is disclosed. Public bodies that may receive Personal Data in the context of a specific proceeding in accordance with Union or Member State law are not considered Recipients.
- Register: the register of data processing activities referred to in Article 30 of the GDPR.
- Security mechanism: a technical or organisational solution aimed at minimising the risk of a certain event.
- Server room: a separate, dedicated room housing all servers and other devices responsible for the uninterrupted functioning of the internal network.
- System maintenance: any actions aimed at ensuring an adequate state of the system and of the conditions in which it operates, so as to enable its correct and continuous operation.
- Third country: a country that does not belong to the European Economic Area.
- Third party: a natural person or juridical entity to whom information, such as Personal Data, is or could be disclosed, including in particular third parties collaborating with Efinity, or employed in or by Efinity on the basis of any civil law contract, in particular a contract of mandate or a contract for specific work, including apprentices and trainees.