Security policy
INFORMATION SECURITY POLICY AT FOCUS GARDEN
Poznań, April 5, 2025
This Security Policy, hereinafter referred to as the Policy, has been drawn up to demonstrate that personal data is processed and secured in accordance with the requirements of the law concerning the principles of data processing and security in the company, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR).
Definitions:
1. Data Controller – Focus Garden sp. z o.o. with its registered office in Poznań, 61-144, ul. Krzywoustego 3, registered in the National Court Register under number 0000928047 by the District Court Poznań Nowe Miasto i Wilda in Poznań, NIP: 7642696142, REGON: 382006469, hereinafter referred to as “Focus Garden”
2. Personal data – any information relating to an identified or identifiable natural person
3. IT system – a set of cooperating devices, programs, information processing procedures, and software tools used for data processing
4. User – a person authorized by the Data Controller to process personal data
5. Data set – any structured set of personal data, accessible according to specific criteria
6. Data processing – any operations performed on Personal Data, such as collection, recording, storage, compilation, modification, sharing, and deletion in traditional form and in IT systems
7. User ID – a string of letters, digits, or other characters that uniquely identifies a person authorized to process personal data in an IT system (User) in the event of personal data processing in such a system
8. Password – a string of letters, numbers, or other characters known only to the person authorized to work in the IT system (User) in the event of personal data processing in such a system
9. Authentication – an action aimed at verifying the declared identity of an entity (User).
I. General provisions
1. The policy applies to all Personal Data processed at Focus Garden sp. z o.o. with its registered office in Poznań, 61-144, ul. Krzywoustego 3, registered in the National Court Register under number 0000928047 by the District Court Poznań Nowe Miasto i Wilda in Poznań, NIP: 7642696142, REGON: 382006469, regardless of the form of their processing (traditionally processed records, IT systems) and whether the data is or may be processed in data files.
2. The Policy is stored in electronic and paper form at the Data Controller's headquarters.
3. The Policy is made available for inspection to persons authorized to process personal data at their request, as well as to persons who are to be authorized to process personal data, in order to familiarize themselves with its content.
4. For the effective implementation of the Policy, the Data Controller shall ensure:
a. technical measures and organizational solutions appropriate to the risks and categories of data covered by the protection,
b. control and supervision of the processing of personal data,
c. monitoring of the protective measures applied.
5. The Data Controller's monitoring of the protection measures applied includes, among other things, the activities of Users, violations of data access rules, ensuring the integrity of files, and protection against external and internal attacks.
6. The Data Controller ensures that activities performed in connection with the processing and protection of personal data comply with this policy and applicable law.
II. Personal data processed by the data controller
1. Personal data processed by the Data Controller is collected in data files.
2. The Data Controller does not undertake processing activities that could involve a high risk to the rights and freedoms of individuals. If such an activity is planned, the Controller shall perform the activities specified in Article 35 et seq. of the GDPR.
3. When planning new processing activities, the Data Controller shall analyze their impact on the protection of personal data and take data protection issues into account at the design stage.
4. The Data Controller keeps a record of processing activities. A template for the record of processing activities is provided in Appendix 1 to this policy.
III. Obligations and responsibilities in the field of security management
1. All persons are obliged to process personal data in accordance with the applicable regulations and in accordance with the Security Policy established by the Data Controller, the IT System Management Manual, as well as other internal documents and procedures related to the processing of personal data at Focus Garden.
2. All personal data at Focus Garden is processed in accordance with the processing principles provided for by law:
a. In each case, there is at least one of the legal bases for data processing provided for by law.
b. Data is processed fairly and transparently.
c. Personal data is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
d. Personal data is processed only to the extent necessary to achieve the purpose of data processing.
e. Personal data is accurate and updated as necessary.
f. The storage period of the data is limited to the period of its usefulness for the purposes for which it was collected, and after that period it is anonymized or deleted.
g. The information obligation is fulfilled towards the data subject in accordance with Articles 13 and 14 of the GDPR.
h. The data is protected against breaches of its protection rules.
3. The Data Controller is not required to provide the information referred to in Article 14 of the GDPR where the data subject already has it, or where providing it proves impossible or would involve a disproportionate effort (Article 14(5)(a) and (b) of the GDPR).
4. The following, in particular, shall be considered a breach or attempted breach of the rules for the processing and protection of personal data:
a. a breach of the security of the IT systems in which personal data are processed, if they are processed in such systems;
b. disclosure or enabling disclosure of data to unauthorized persons or entities;
c. failure, even if unintentional, to fulfill the obligation to ensure the protection of personal data;
d. failure to fulfill the obligation to keep personal data and the methods of securing it confidential;
e. processing Personal Data in a manner inconsistent with the scope and purpose of its collection;
f. causing damage, loss, uncontrolled alteration, or unauthorized copying of Personal Data;
g. violating the rights of persons whose data is being processed.
5. In the event of a breach of personal data protection rules, the User is obliged to take all necessary steps to limit the effects of the breach and to immediately notify the Data Controller.
6. The Data Controller's obligations with regard to the employment, termination, or change of employment conditions of employees or associates (persons performing activities for the Data Controller on the basis of other civil law contracts) include ensuring that:
a. employees are adequately prepared to perform their duties,
b. each person processing Personal Data is authorized in writing to process it in accordance with the “Authorization to process personal data” – a template of the Authorization is attached as Appendix 2 to this Security Policy,
c. each employee has undertaken to keep the personal data processed at Focus Garden confidential. The “Declaration and commitment of the person processing personal data to maintain confidentiality” is part of the “Authorization to process personal data.”
7. Employees are required to:
a. strictly comply with the scope of the authorization granted;
b. process and protect personal data in accordance with the regulations;
c. keep personal data and the methods of securing it confidential;
d. report incidents related to data security breaches and system malfunctions.
IV. Area of personal data processing
1. The area in which Personal Data is processed comprises the headquarters of Focus Garden sp. z o.o. at ul. Krzywoustego 3, 61-144 Poznań, and the warehouses located at ul. Krzywa 15-17 and Kraszewskiego 10 in Piła.
2. Additionally, the area in which Personal Data is processed includes all laptops and other data carriers located outside the area indicated above.
V. Determination of technical and organizational measures necessary to ensure the confidentiality, integrity, and accountability of the data being processed
1. The Data Controller ensures the application of technical and organizational measures necessary to ensure the confidentiality, integrity, accountability, and continuity of the Processed Data.
2. The protection measures (technical and organizational) applied should be adequate to the identified level of risk for individual systems, types of collections, and categories of data. The measures include:
a. Restricting access to rooms where personal data is processed to authorized persons only. Other persons may only be present in rooms used for data processing when accompanied by an authorized person.
b. Locking the rooms constituting the personal data processing area specified in point IV above during the absence of employees, in a manner that prevents access by third parties.
c. Using lockable cabinets and safes to secure documents.
d. Using a shredder to effectively destroy documents containing personal data.
e. Protection of the local network against external attacks using a firewall.
f. Making backup copies of data on a server belonging to the Data Controller.
g. Protection of computer equipment used by the controller against malware using reputable antivirus software.
h. Securing access to computer devices with access passwords changed every 60 days and consisting of a minimum of 10 characters, including upper and lower case letters, numbers, and at least one special character, e.g., @, #, ^.
i. Using data encryption during transmission.
VI. Violations of personal data protection rules
1. In the event of a personal data breach, the Data Controller shall assess whether the breach is likely to result in a risk to the rights or freedoms of natural persons.
2. Where the breach is likely to result in such a risk, the Data Controller shall report it to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it. A template for the notification is provided in Appendix 3 to this policy.
3. If the risk to the rights and freedoms of natural persons is high, the Data Controller shall also notify the data subject of the breach.
VII. Entrusting the processing of personal data
1. The Data Controller may entrust the processing of personal data to another entity only by means of a written agreement that meets the requirements for such agreements set out in Article 28 of the GDPR.
2. Before entrusting the processing of personal data, the Data Controller shall, as far as possible, obtain information about the processor's existing practices regarding the security of personal data.
VIII. Transfer of data to a third country
In order to provide, improve, and analyze our services, we also use the services and tools of other entities. These entities pursue the objectives specified by us, but in certain cases, they may also use the data obtained on our Websites to pursue their own objectives and those of their cooperating entities. Below is some information about the services and tools we use that you should be aware of in relation to the protection of your personal data:
1. Google Analytics
On our websites we use Google Analytics, a web analytics service provided by Google Inc. ("Google"), based in the USA, which Google performs on our behalf as a processor using cookies. The information generated by cookies about your use of the Website (see https://policies.google.com/privacy?hl=pl) is transmitted to and stored on a Google server in the USA. IP anonymization is activated on our websites, which means that users' IP addresses are shortened by Google within European Union member states or other countries that are parties to the Agreement on the European Economic Area before transfer. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Anonymization takes place immediately after the data is received, before it is stored. On our behalf, Google will use the information collected to evaluate your use of our services, to compile reports on their use, and to provide us with additional services related to the use of digital services or the Internet, in particular Google Analytics reports on the services provided according to demographic criteria and interests. The IP address transmitted by your browser as part of Google Analytics is not linked to other Google data. You can prevent the data generated by cookies (including your IP address) relating to your use of the website from being collected and processed by Google by downloading and installing the browser add-on available at https://tools.google.com/dlpage/gaoptout?hl=pl.
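To make concrete what "shortening" an IP address means in practice, the following is an added illustration; it is not part of this policy and not Google's code. It assumes the prefix lengths Google documented for Universal Analytics IP anonymization (the last IPv4 octet and the last 80 bits of an IPv6 address set to zero) and shows the caveat a practitioner should keep in mind: a truncated address still identifies a network block, so the stored value is pseudonymised rather than fully anonymised, and a malformed client-supplied address must be rejected rather than stored untouched.

```python
import ipaddress

# Prefix lengths kept after truncation. Assumption for this illustration:
# the values Google documented for Universal Analytics IP anonymization
# (zero the last IPv4 octet, zero the last 80 bits of an IPv6 address).
KEEP_BITS = {4: 24, 6: 48}


def truncate_ip(addr: str) -> str:
    """Return addr with its host bits zeroed, keeping only the network prefix.

    Raises ValueError for anything that is not a valid IPv4/IPv6 address,
    so a malformed client-supplied value never reaches storage unchanged.
    """
    ip = ipaddress.ip_address(addr)
    keep = KEEP_BITS[ip.version]
    # strict=False accepts non-zero host bits; network_address zeroes them.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def is_truncated(addr: str) -> bool:
    """True if the address already has its host bits zeroed."""
    return truncate_ip(addr) == str(ipaddress.ip_address(addr))


def retained_block_size(addr: str) -> int:
    """Number of addresses that share the prefix surviving truncation.

    This is the residual identifiability: 256 hosts for IPv4 and 2**80 for
    IPv6, so the stored value still narrows a visitor to an ISP or corporate
    block rather than making them unidentifiable.
    """
    ip = ipaddress.ip_address(addr)
    return 2 ** (ip.max_prefixlen - KEEP_BITS[ip.version])


def anonymize_log(lines):
    """Truncate the leading IP field of access-log lines before they are kept."""
    out = []
    for line in lines:
        raw_ip, _, rest = line.partition(" ")
        out.append(f"{truncate_ip(raw_ip)} {rest}")
    return out


if __name__ == "__main__":
    # Constructed sample lines using documentation address ranges only.
    sample = [
        "203.0.113.77 GET /products/garden-chair",
        "2001:db8:abcd:1234:5678:9abc:def0:1 GET /cart",
    ]
    for line in anonymize_log(sample):
        print(line)
```

The point of retained_block_size is the privacy caveat: dropping one octet leaves a /24, which in most deployments still maps to a single ISP, office or household range, so IP truncation alone does not take the data outside the definition of personal data in point 2 of the Definitions above.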
2. Facebook Pixel
We use Facebook Pixel to measure the effectiveness of advertising our Services via the Facebook platform and to optimize our ads appearing there. It is a tool that helps us measure the effectiveness of ads based on an analysis of user activity on our Services. We use the data from the pixel in the following areas:
a) displaying ads to the right audience,
b) creating ad audiences,
c) analyzing what happened as a result of clicking on an ad,
d) using other Facebook advertising tools.
Information about the data collected by our partner can be found here: https://www.facebook.com/business/gdpr#faqs, in the tab "What data does the pixel collect?".
3. Conversion tracking and Google AdWords remarketing tag
We use conversion tracking and remarketing to measure the effectiveness of advertising our Services via the Google AdWords platform and to optimize our ads appearing there. These are tools that allow us to find out what happened after the Customer interacted with the ad, that is, whether they completed the action we defined as valuable. This allows us to optimize our promotional activities within the Google AdWords platform. Using these tools:
a) we can see which keywords, ads, ad groups, and campaigns are most effective at attracting valuable customer actions,
b) we know our return on investment (ROI) in advertising and make informed decisions about advertising spending,
c) we automatically optimize our campaigns to meet our business goals,
d) we can see how many customers interact with our ads on one device or browser and convert on another,
e) we can show AdWords ads to people who have visited our websites.
Information about the data processed by our partner can be found here: https://policies.google.com/technologies/ads?hl=pl and https://support.google.com/adwords/answer/93148?hl=pl&ref_topic=3119146
IX. Final provisions
Employees shall be liable for failure to comply with the obligations set out in this document under the Labor Code, the Personal Data Protection Regulations, and the Criminal Code with regard to personal data covered by professional secrecy.