Privacy Policy

Poznań, 05.04.2025  

This Security Policy, hereinafter referred to as the Policy, has been prepared to demonstrate that personal data are processed and secured in accordance with legal requirements regarding the principles of data processing and security in the enterprise, including in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR).

Definitions:

1. Data Administrator – Focus Garden sp. z o.o. with its registered office in Poznań, 61-144, ul. Krzywoustego 3, registered in the National Court Register under KRS number 0000928047 by the District Court for Poznań Nowe Miasto and Wilda in Poznań, Tax Identification Number (NIP): 7642696142, National Business Registry Number (REGON): 382006469, hereinafter referred to as "Focus Garden"

2. Personal Data – any information relating to an identified or identifiable natural person

3. IT System – a set of interoperable devices, programs, information processing procedures, and software tools used for data processing

4. User – a person authorized by the Data Controller to Process Personal Data

5. Data Set – any structured set of personal data, accessible according to specific criteria

6. Data Processing – any operations performed on Personal Data, such as collecting, recording, storing, processing, modifying, sharing, and deleting in traditional form and in IT systems

7. User Identifier – a sequence of letters, numbers, or other characters that uniquely identifies the person authorized to process personal data in an IT system (the User) in the event of Personal Data Processing in such a system.

8. Password – a sequence of letters, numbers, or other characters known only to the person authorized to work in the IT system (the User) in the event of Personal Data Processing in such a system.

9. Authentication – an action aimed at verifying the declared identity of the entity (the User).  

I. General provisions  

1. This Policy applies to all Personal Data processed by Focus Garden sp. z o.o., with its registered office in Poznań, 61-144, Krzywoustego 3 Street, registered in the National Court Register under KRS number 0000928047 by the District Court for Poznań Nowe Miasto and Wilda in Poznań, Tax Identification Number (NIP): 7642696142, National Business Registry Number (REGON): 382006469, regardless of the form of processing (traditionally processed record files, IT systems) and whether the data are or may be processed in data files.

2. The Policy is stored in electronic and paper versions at the Controller's office.

3. The Policy is available for review by individuals authorized to process personal data at their request, as well as to individuals to whom authorization to process personal data is to be granted, in order to become familiar with its content.

4. To effectively implement the Policy, the Data Controller ensures:

a. technical measures and organizational solutions appropriate to the threats and categories of data being protected,

b. control and supervision of personal data processing,

c. monitoring of the applied security measures.

5. Monitoring of the applied security measures by the Data Controller includes, among other things, User activities, violations of data access rules, ensuring file integrity, and protection against external and internal attacks.

6. The Data Controller ensures that the activities performed in connection with the processing and security of personal data are consistent with this Policy and applicable legal provisions.

II. Personal data processed by the data controller 

1. Personal data processed by the Data Controller are collected in data filing systems.

2. The Data Controller shall not undertake processing activities that could involve a serious likelihood of a high risk to the rights and freedoms of individuals. If such activities are planned, the Controller shall perform the activities specified in Article 35 et seq. of the GDPR.

3. If new processing activities are planned, the Controller shall analyze their impact on personal data protection and take data protection considerations into account during their design phase.

4. The Data Controller shall maintain a register of processing activities. A template for the register of processing activities is attached as Annex 1 to this policy.

III. Duties and Responsibilities in the Field of Safety Management

1. All persons are obliged to process personal data in accordance with applicable regulations and in accordance with the Data Security Policy, IT System Management Instructions, and other internal documents and procedures related to the processing of personal data at Focus Garden, as established by the Data Controller.

2. All personal data at Focus Garden is processed in accordance with the processing principles provided for by law:

a. In each case, there is at least one of the legal bases for data processing provided for by law.

b. Data is processed fairly and transparently.

c. Personal data is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.

d. Personal data is processed only to the extent necessary to achieve the purpose of data processing.

e. Personal data is accurate and updated as necessary.

f. The storage period of the data is limited to the period of its usefulness for the purposes for which it was collected, and after that period it is anonymized or deleted.

g. The information obligation is fulfilled towards the data subject in accordance with Articles 13 and 14 of the GDPR.

h. The data is protected against breaches of its protection rules.

3. The data controller shall not provide information to data subjects in situations where the data subject already has this information, or where providing such information proves impossible or would require a disproportionate effort (Article 14(5)(a) and (b) of the GDPR).

4. The following, in particular, shall be considered a breach or attempted breach of the rules for the processing and protection of personal data:

a. a breach of the security of the IT systems in which personal data are processed, if they are processed in such systems;

b. disclosure or enabling disclosure of data to unauthorized persons or entities;

c. failure, even if unintentional, to fulfill the obligation to ensure the protection of personal data;

d. failure to fulfill the obligation to keep personal data and the methods of securing it confidential;

e. processing Personal Data in a manner inconsistent with the scope and purpose of its collection;

f. causing damage, loss, uncontrolled alteration, or unauthorized copying of Personal Data;

g. violating the rights of persons whose data is being processed.

5. In the event of a breach of personal data protection rules, the User is obliged to take all necessary steps to limit the effects of the breach and to immediately notify the Data Controller.

6. The Data Controller's obligations with regard to the employment, termination, or change of employment conditions of employees or associates (persons performing activities for the Data Controller on the basis of other civil law contracts) include ensuring that:

a. employees are adequately prepared to perform their duties,

b. each person processing Personal Data is authorized in writing to process it in accordance with the “Authorization to process personal data” – a template of the Authorization is attached as Appendix 2 to this Security Policy,

c. each employee has undertaken to keep the personal data processed at Focus Garden confidential. The “Declaration and commitment of the person processing personal data to maintain confidentiality” is part of the “Authorization to process personal data.”

7. Employees are required to:

a. strictly comply with the scope of the authorization granted;

b. process and protect personal data in accordance with the regulations;

c. keep personal data and the methods of securing it confidential;

d. report incidents related to data security breaches and system malfunctions.

IV. Area of personal data processing  

1. The area where Personal Data is processed includes the headquarters of Focus Garden sp. z o.o. at ul. Krzywoustego 3, in Poznań 61-144, and the warehouses located at ul. Krzywa 15-17 and Kraszewskiego 10 in Piła.

2. Additionally, the area where Personal Data is processed includes all laptops and other data carriers located outside the area indicated above.

V. Determination of technical and organizational measures necessary to ensure the confidentiality, integrity, and accountability of the data being processed 

1. The Data Controller shall ensure that the technical and organizational measures necessary to ensure the confidentiality, integrity, accountability, and continuity of the Processed Data are applied.

2. The protection measures (technical and organizational) applied shall be adequate to the identified level of risk for individual systems, types of data sets, and data categories. The measures include:

a. Restricting access to rooms where personal data is processed to authorized persons only. Other persons may only be present in rooms used for data processing when accompanied by an authorized person.

b. Locking the rooms constituting the personal data processing area specified in point IV above during the absence of employees, in a manner that prevents access by third parties.

c. Using lockable cabinets and safes to secure documents.

d. Using a shredder to effectively destroy documents containing personal data.

e. Protection of the local network against external attacks using a firewall.

f. Making backup copies of data on a server belonging to the Data Controller.

g. Protection of computer equipment used by the controller against malware using reputable antivirus software.

h. Securing access to computer devices with access passwords changed every 60 days and consisting of a minimum of 10 characters, including upper and lower case letters, numbers, and at least one special character, e.g., @, #, ^.

i. Using data encryption during transmission.

VI. Violations of personal data protection rules

1. In the event of a personal data breach, the Controller shall assess whether the breach could result in a risk to the rights or freedoms of natural persons.

2. In a situation where the breach could have resulted in a risk of infringement of the rights or freedoms of natural persons, the Administrator shall report the breach to the supervisory authority without undue delay – if feasible, no later than 72 hours after the breach has been identified. A template for the notification is provided in Appendix 3 to this policy.

3. If the risk of infringement of rights and freedoms is high, the Administrator shall also notify the data subject of the incident.

VII. Entrusting the processing of personal data

1. The Personal Data Controller may entrust the processing of personal data to another entity only by means of a written agreement, in accordance with the requirements specified for such agreements in Article 28 of the GDPR.

2. Before entrusting the processing of personal data, the Controller shall, as far as possible, obtain information about the processor's existing practices regarding the security of personal data.

VIII. Transfer of data to a third country

In order to provide, improve, and analyze our services, we also use the services and tools of other entities. These entities pursue the objectives specified by us, but in certain cases, they may also use the data obtained from our Services to pursue their own objectives and those of their cooperating entities. Below is selected information about the services and tools we use that you should be aware of in relation to the protection of your personal data:

1. Google Analytics

On our websites, we use Google Analytics, a tool provided by Google Inc. (“Google”) based in the USA. It is a web analytics service that is performed by Google (Google is the processor here) on our behalf using cookies. The information generated by cookies about your use of the Website, which you can find here: https://policies.google.com/privacy?hl=pl, is transmitted to and stored on a Google server in the USA. IP anonymization has been activated on our websites, which means that the IP addresses of Google users in European Union member states or in other countries that are parties to the Agreement on the European Economic Area are shortened beforehand. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Anonymization takes place immediately after the data is received, before it is stored. On our behalf, Google will use the information collected to verify your use of our services, to create reports on their functionality, and to provide additional services to us related to the use of digital services or the Internet, in particular Google Analytics reports on the services provided according to demographic criteria and interests. The IP address transmitted by your browser as part of Google Analytics will not be linked to other Google data. Please note that you can prevent the data collected by cookies and data (including your IP address) related to your use of the website from being stored by Google, as well as prevent Google from processing such data, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl.

2. Facebook Pixel

We use Facebook Pixel to measure the effectiveness of advertising our Services via the Facebook platform and to optimize our ads appearing there. It is a tool that helps us measure the effectiveness of ads based on an analysis of user activity on our Services. We use the data from the pixel in the following areas: a) displaying ads to the right audience, b) creating ad audiences, c) analyzing what happened as a result of clicking on an ad, d) using other Facebook advertising tools. Information about the data collected by our partner can be found here: https://www.facebook.com/business/gdpr#faqs, in the tab “What data does the pixel collect?”.

3. Conversion tracking and Google AdWords remarketing tag

We use conversion tracking and remarketing to measure the effectiveness of advertising our Services through the Google AdWords platform and to optimize our ads appearing there. These are tools that allow us to find out what happened after the Customer interacted with the ad, that is, whether they completed the action we defined as valuable. This allows us to optimize our promotional activities within the Google AdWords platform. Using these tools:

a) we can see which keywords, ads, ad groups, and campaigns are most effective at attracting valuable customer actions,

b) we know our return on investment (ROI) in advertising and make informed decisions about advertising spending,

c) we automatically optimize our campaigns to meet our business goals,

d) we can see how many customers interact with our ads on one device or browser and convert on another,

e) we can show AdWords ads to people who have visited our websites.

Information about the data processed by our partner can be found here: https://policies.google.com/technologies/ads?hl=pl https://support.google.com/adwords/answer/93148?hl=pl&ref_topic=3119146

IX. Final provisions

For failure to fulfill the obligations arising from this document, the employee shall be liable under the Labor Code, the Personal Data Protection Regulations, and the Criminal Code with regard to personal data covered by professional secrecy.
