1. These Regulations for entrusting personal data processing were adopted by:
“LINK” Spółka z ograniczoną odpowiedzialnością with its registered office in Wiązowna, ul. Nadrzeczna 17, 05-462 Wiązowna, entered into the Register of Entrepreneurs kept by the District Court in Warsaw, 14th Commercial Division of the National Court Register under the National Court Register (KRS) number: 0000140604, Tax Identification Number (NIP): 5210086737, National Business Registry Number (REGON): 008055532 (hereinafter referred to as: LINK),
given that:
1) Starting from 25 May 2018 the provisions of the Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) were rendered applicable.
2) LINK participates in the processes of Personal Data Processing within the scope of conducting transport and freight-forwarding operations and concluding and performing transport agreements, both in the capacity of a Personal Data Controller entrusting Personal Data Processing to other carriers and ordering parties commissioning transport, as well as in the capacity of a Personal Data Processor on the behalf of a the Controller, which in that case could be other carriers or ordering parties commissioning transport.
3) The objective of LINK is to determine the conditions under which each time the Personal Data Processor preforms operations of Personal Data Processing on the behalf of the Controller, as a part of concluding and performing transport agreements, so that they fully adhere to the provisions of the GDPR and other provisions of the generally applicable law.
2. Definitions
| 2.1. ”Personal Data” | means information on an identified or identifiable natural persons. |
| 2.2. “Processing” | means an automated or non-automated operation or set of operations on Personal Data or sets of Personal Data such as collecting, recording, organising, structuring, storing, adapting or modifying, downloading, reviewing, using, disclosing by transferring, disseminating or other type of sharing, matching or combining, restricting, erasing and destroying and other forms of processing as defined in the GDPR. |
| 2.3. “LINK’s Client” | means an entity that who orders LINK to perform or organise the transport of goods. |
| 2.4. “LINK’s Subcontractor” | means an entity performing the transport of goods on the behalf of LINK, previously ordered by LINK’s Client. |
| 2.5. “Controller” | means a natural or legal person thatwho, individually or in cooperation with others, establishes the purposes and means of Personal Data Processing; the following entities shall be considered as the Controller hereunder: 2.5.1. LINK – in relation to Personal Data of its employees and associates (including drivers) in form of a name, surname, names, positions name, company telephone numbers, and e-mail addresses, and other contact details, and an ID numbers, the Processing of which shall be entrusted by the Client to LINK or LINK’s Subcontractor and also in relation to LINK’s Client Personal Data in the form of names, addresses, contact telephone numbers, and Tax Identification Number (NIP) numbers, the Pprocessing of which shall be entrusted by LINK to the Subcontractor; 2.5.2. LINK’s Client – in relation to Personal Data of its employees and associates in the form of names, position names, company telephone numbers, and e-mail addresses, and other contact details and in relation to Personal Data of the ordering party commissioning transport, the consignorshipper and the consignee recipient of the consignment and other participants of the transport, in the form of names, surname, addresses, contact telephone numbers and Tax Identification Number (NIP) numbers, the Pprocessing of which shall be entrusted by LINK; 2.5.3. LINK’s Subcontractor – in relation to the Personal Data of its employees and associates (including drivers) in form of names, surname, positions name, company telephone numbers, and e-mail addresses, other contact details and ID numbers, the Processing of which shall be entrusted by LINK. |
| 2.6. “Processor” | means a natural or legal person, public body, unit, or other entity which Processes Personal Data on the behalf of the Controller; the following entities shall be considered as the Processor hereunder: 2.6.1. LINK – in relation to Personal Data of employees and associates of LINK’s Client or LINK’s Subcontractor and in relation to Personal Data of the ordering party commissioning transport, the consignor and the consignee of the consignment and other participants of the transport, the Processing of which shall be entrusted to LINK by LINK’s Client; 2.6.2. LINK’s Client – in relation to Personal Data of LINK’s employees and associates (including drivers); 2.6.3. LINK’s Subcontractor – in relation to Personal Data of LINK’s employees and associates. |
| 2.7. “Sub-processor” | means a natural or legal person, public body, unit, or other entity which Processes Personal Data on the behalf of the Processor; the following entities in particular shall be considered as the Sub-processor hereunder: 2.7.1. LINK – in relation to Personal Data of employees and associates (including drivers) of entities which were further commissioned by LINK’s Subcontractor to carry the goods (in a manner pursuant to the conditions of the Transport Agreement) and in relation to Personal Data of the ordering party commissioning the transport, the consignor and the consignee recipient of the consignment and other participants of the transport, provided that LINK is the Processor of Personal Data and further entrusts the Processing to LINK; 2.7.2. LINK’s Client – in relation to Personal Data of employees and associates (including drivers) of LINK’s Subcontractor and potential further subcontractors of transport of goods; 2.7.3. LINK’s Subcontractor – in relation to Personal Data of LINK’s Client, the ordering party, the shipper and the recipient of the consignment and other participants of the transport. |
| 2.8. “GDRP” | means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) |
| 2.9. “Regulations” | mean these Regulations of entrusting processing of personal data at LINK Sp. z o.o. with its register office in Wiązowna. |
| 2.10. “Transport Agreement” | means an agreement concluded between the Controller and the Processor, on the basis of which the Controller entrusts the Processing of Personal Data to the Processor. |
3. Subject matter of the Agreement
3.1. By performing the Transport Agreement, the Controller, authoriszed to process Personal Data referred to in point 2.5, entrusts Personal Data Processing to the Processor, pursuant to Art 28 of the GDPR, on the terms and for the purpose set out in the Regulations, the Transport Agreement and the written instructions of the Controller.
3.2. The Processor undertakes to Process Personal Data entrusted to them him in accordance with the Regulations, the Transport Agreement, the provisions of the GDPR and other provisions of the generally applicable law.
3.3. In the event where any provision of the Regulations, agreements or instructions, referred to in point 3.1 above, violate the provisions of the GDPR or other provisions of the generally applicable law, the Processor shall immediately inform the Controller about this fact. In such case the Parties shall immediately conduct a legal analysis and negotiations within the scope of the provisions or instructions contrary to the provisions of the GDPR or other provisions of the generally applicable law.
3.4. In order to avoid any doubts, the Processor shall not be entitled to remuneration or a right to demand higher remuneration due to the Processor, resulting from the Transport Agreement on account of performance of the obligations arising from the Regulations.
3.5. The Processor may further entrust Personal Data Processing, if the proper performance of the obligations on the part of the Processor, resulting from the performance of the Regulations and the Transport Agreement require it, within a scope not exceeding the scope of Processing set out in the Regulations. The authorisation to further entrust the Personal Data by the Processor shall not include an authorisation to transfer Personal Data to a third-party state, in the meaning of the GDPR. In such case a prior written or electronic consent of the Controller shall be required.
3.6. The perquisite for further entrustment of Personal Data by the Processor shall be prior notification sent to the Controller informing about the said fact and obtaining their consent with a concurrent statement by the Processor that the entity to which the Personal Data shall be further entrusted by the Processor fulfils the requirements referred to in the Regulations (including the minimum requirements referred to in the Annex to the Regulations), the Transport Agreement, the GDPR and other provisions of the generally applicable law and it shall be guaranteed in the agreement on further Personal Data Processing. The rights of the entity, which will be entrusted with further Personal Data Processing by the Processor, shall be no greater thant the rights of the Processor resulting from the Regulations and the Transport Agreement. It shall be prohibited to allow access to the Personal Data entrusted to the Processor by the Controller to entities, with which no Personal Data Processing agreement or any other legal instrument binding such entity was concluded (excluding entities Processing Personal Data under the authority granted by the Controller or the Processor).
3.7. If the Transport Agreement requires a written consent of the Controller to involve a Sub-processor (consent to perform the transport via a Subcontractor), such consent or lack thereof shall constitute a consent or lack thereof for further entrustment of Personal Data Processing.
3.8. The authorisation referred to in point 3.5 above shall not exclude the possibility for the Controller to object to further entrustment, which may be expressed by the Controller within 24 (twenty-four) hours from the moment of being informed of the intention of further entrustment of Personal Data. No reaction on the part of the Controller within the timeframe referred to in the previous sentence constitutes no objection, unless the Transport Agreement explicitly states the requirement of obtaining consent of the Controller to on further entrustment of Personal Data Processing in the form of performance of the transport via a subcontractor.
4. Duration of entrustment of the Personal Data Processing
4.1. The Processor shall be entitled to Process the entrusted Personal Data for a period necessary to perform the Transport Agreement and a period of limitation for claims resulting from the Transport Agreement.
4.2. The Processor shall undertake to perform the following actions, depending on the decision of the Controller, within a timeframe justified by technical reasons, but in any event no later than within 14 (fourteen) days from the expiry of the Processing period of the entrusted Personal Ddata:
4.2.1. irreversiblye anonymisze all entrusted Personal Data and delete copies thereof; or
4.2.2. return all entrusted Personal Data to the Ccontroller and delete copies thereof, unless appropriate provisions of law require storage of the said Personal Data by the Processor.
5. Obligations of the Parties
5.1. Access to Personal Data entrusted to the Processor shall be solely available to employees or associates of the Processor who received authorisation to Process the said data, preceded by submitting a confidentiality statement regarding the said data and the manner of securing them by the said persons.
5.2. The Processor shall be obliged to ensure security of Processing of the entrusted Personal Data through implementation of proper technical and organisational measures, adequate for the type of entrusted data and the risk of infringement of the rights of the data subjects. The Processor declares that they are acquainted with the rules for Processing and securing Personal Data stipulated in the GDPR and other provisions of the generally applicable law. Additionally, the Processor declares that they have expertise, credibility, infrastructural resources and necessary technical and organisational measures to ensure compliance of Personal Data Processing with the provisions of the GDPR and applies security measures meeting the requirements of the GDPR and allowing proper implementation of the provisions of the Regulations. The Processor shall present the Controller with evidence confirming the authenticity of the aforementioned statement upon a request by the Controller.
5.3. The list of the minimum requirements regarding technical and organisational measures that the Processor is obliged to apply in order to secure Personal Data is set out in the Annex to the Regulations. When amending or updating the said measures, the Processor shall not lower the security level of the Personal Data below the level set out in the Annex.
5.4. The Processor shall undertake to cooperate with the Controller within the scope of providing replies to requests of data subjects, described in chapter III of the GDPR (requests within the scope of the right of information and transparent communication, access to Personal Data, rectification, deletion and restriction of Processing, transfer of Personal Data, objection against Personal Data Processing). To this aim the Processor shall be obliged to immediately inform the Controller about each request of a person authorised within the scope of exercising rights by the said person under the GDPR and provide the Controller with all the necessary information within that scope.
5.5. Taking into account the nature of the Processing of the entrusted Personal Data and the information available to the Processor, the Processor shall be obliged to assist the Controller in fulfilling their obligations within the scope of data security, management of Ppersonal Ddata security breaches and making relevant reports to the supervisory body and the data subject and also, should it be necessary, performing an impact assessment for data protection and consultations within thisat scope with the supervisory body (Art. 32-36 of the GDPR).
5.6. The Processor shall be obliged to immediately inform the Controller after identifying a Personal Data security breach, but no later than within 24 hours from identifying such breach, while providing detailed information on the nature of the breach, possible consequences and applied or planned measures to counteract the breach.
6. Instructions of the Controller
6.1. The Processor Processes Personal Data solely on the basis of documented instructions from the Controller. The Regulations and the Transport Agreement constitute full and final documented instructions for the Processor regarding Personal Data Processing.
6.2. The Controller can issue any additional instructions in e-mail form, provided that they do not exceed the scope associated with the performance of the Transport Agreement and necessary for its implementation. The Processor shall not be entitled to a separate remuneration or a right to demand higher remuneration due to the Processor under the Transport Agreement on the accounts of issuing new instructions by the Controller.
6.3. The Processor may refuse to follow the instructions referred to in point 6.2 in the event where a given instruction is contradictory to the GDPR. In such case the Processor shall undertake to immediately (no later than within 24 hours) send a justification for the refusal to the Controller.
7. Right of scrutiny
7.1. The Processor shall undertake to provide the Controller with any information necessary for the Controller to fulfil all obligations stipulated in the Regulations, the Transport Agreement, the provisions of the GDPR and other provisions of the generally applicable law.
7.2. The Controller shall be entitled to conduct audits of compliance of the Processing of the entrusted Personal Data by the Processor with the provisions of the GDPR, other provisions of the generally applicable law, the provisions of the Regulations and the Transport Agreement, based in particular on requesting written information or explanations, transferring documentation on security of the Personal Data at the Processor or Sub-processors’ sites and inspections of the sites where Personal Data Processing is performed by the Processor or Sub-processors. The Processor shall be entitled to refuse to provide written information or explanations or access to the Personal Data Processing sites only to the extent that the audit could risk disclosure of Personal Data other than the Ddata Processed by the Processor pursuant to the Regulations or the Transport Agreement.
7.3. Information on the planned inspection of the Personal Data Processing site shall be given to the Processor at least 7 days in advance along with an indication of the scope of the inspection and athe list of persons authorised by the Controller to conduct the inspection. In the event where the scope of inspection or the tools utiliszed to perform activities during the inspection provided by the Controller violate the provisions of the data protection law by the Processor, they shall be entitled to refuse the carrying out of the inspection by the Controller and shall be further required to immediately inform the Controller about the said fact in electronic or written form.
7.4. The Controller shall be entitled to give a recommendations to the Processor regarding the manner of Processing of the entrusted Personal Data and technical and organisational measures applied by the Processor in order to secure the entrusted Personal Data. The recommendations shall oblige the Processor to verify the possibilities of its implementation into the internal procedures of Personal Data Processing and cannot assume a violation of the generally applicable law in the case of its implementation by the Processor.
7.5. The Processor shall undertake to immediately inform the Controller of any complaints, letters, inspections of a supervisory body or court and administrative proceedings in connection with the entrusted Personal Data and cooperate with the Controller within that scope, in particular by providing the Controller with any related documentation.
7.6. The Processor shall undertake to immediately remedy any potential irregularities identified during the audit.
8. Confidentiality rules
8.1. The Processor shall undertake to keep any information, data, materials, documents and Personal Data received from the Controller and data obtained in any other manner, deliberate or accidental in oral, written or electronic forms confidential and secure against disclosure or undesirable usage thereof.
8.2. The Parties shall be obliged to protect confidential information regardless of the form of transfer and Processing (hereinafter referred to as: “Confidential information”), subject to the provisions of the Regulations, the Transfer Agreement, provisions of the GDPR and other provisions of the generally applicable law, such as:
8.2.1. Personal Data, in particular Sensitive Data;
8.2.2. information constituting a trade secret (within the meaning of the Unfair Competition Act of 16 April 1993);
8.2.3. information requiring protection whether recorded in a written form or in any other manner, saved in any form and on any media, concerning the Controller or their clients, counterparties and suppliers and also information concerning the services, pricing policy, sales and remuneration of the employees that the Processor received in relation to the conclusion or performance of the Transport Agreement or information that they became aware of or gained access to or shall be in possession of in relation to the conducted discussions and negotiations, which are not publicly known.
8.3. The Parties in particular guarantee that:
8.3.1. any Confidential Iinformation transferred, made available or disclosed by the other Party shall be protected and kept secret in a manner compliant with the applicable provisions of the law and the provisions of the Regulations and the Transport Agreement;
8.3.2. the obtained Confidential Iinformation shall be used solely for the purpose for which they were transferred, made available or disclosed, unless the need to utilise them for another purpose arises from the provisions of the GDPR or other generally applicable provisions of the law;
8.3.3. the possessed Confidential Iinformation shall not be transferred or disclosed to any third party, either directly or indirectly, without a prior written consent of the other Party, unless the obligation or need to disclose or transfer them arises from the provisions of the GDPR or other generally applicable provisions of the law;
8.3.4. they shall protect Confidential Iinformation at their own cost by exercising the greatest degree of care in ensuring adequate infrastructure securing against unauthorised disclosure.
8.4. The Parties shall be obliged not to copy or otherwise reproduce Confidential Iinformation or its parts provided by the other Party with the exclusion of instances, where it shall be necessary for the purpose for which they were transferred. Any copies or reproductions of Confidential Iinformation prepared in such case and recorded on any storage media, including electronic media, remain the property of the Party providing Confidential Iinformation and shall be issued, destroyed or effectively deleted from the data medium upon request.
8.5. The Processor shall undertake to obtain written confidentiality undertaking regarding Confidential Iinformation from the person participating in the Processing (entities designated to perform the Transport Agreement), unless the said persons are covered by the statutory obligation of secrecy.
8.6. The Parties shall be exempt from the obligation to keep Confidential Iinformation secret in case where the obligation to disclose Confidential Iinformation results from the generally applicable provisions of the law or a legally binding decision of a court or body. The Party obliged to disclose Confidential Iinformation shall each time undertake to perform the following actions in case of gaining such information:
8.6.1. disclose only the portion of Confidential information required by the law;
8.6.2. take any necessary actions in order to ensure that the disclosed Confidential Iinformation are treated in a confidential manner and used only within the scope justifiable by the purpose of the disclosure.
8.7. The confidentiality undertaking by the Processor regarding Personal Data entrusted as a part of the Transport Agreement shall be unlimited in time and shall be in force regardless of the expiration or termination of the Transport Agreement.
9. Final provisions
9.1. These Regulations constitute another legal instrument binding the Processor in the matter of entrusting the processing of Personal Data, referred to in Art. 28 section 3 of the GDPR, and shall be published on LINK’s website. The provisions of the Regulations shall be applicable as of 25 May 2018.
9.2. The provisions of the Regulations shall supersede any other arrangements made between the Parties concerning the entrustment of Personal Data Processing and shall prevail over the provisions of the Transport Agreement. The application of the provisions of the Regulations may be exempted solely in case of conclusions of a separate written Personal Data Processing agreement by the Parties.
9.3. LINK shall be entitled to amend the Regulations by publishing their new content on their website. The new content of the Regulations shall be applicable when entrusting Personal Data Processing under any Transport Agreement concluded after the amendment of the Regulations.
9.4. Any notices or statements addressed to LINK pursuant to or in relation to the Regulations shall be made in electronic form and sent to the e-mail address: daneosobowe@linktransport.eu.
9.5. Any disputes arising from or related to the Regulations or in connection thereof shall be resolved by a common court having a jurisdiction over LINK’s registered office.
ANNEX
TO THE REGULATIONS FOR ENTRUSTING PERSONAL DATA PROCESSING
LIST OF MINIMUM ORGANISATIONAL AND TECHNICAL MEASURES APPLIED BY THE PROCESSOR
1. This Annex shall establish the minimum standards of organisational and technical measures, which ought to be ensured by the Processor when Processing Personal Data entrusted to the Processor by the Controller.
2. The Processor shall be obliged to implement the documentation and processes ensuring protection of Personal Data in a manner stipulated in the GDPR, in particular:
2.1. own documentation on the protection of Personal Data, including the nature, scope, context and purposes of Personal Data Processing and the risk of violations of the rights and freedoms of natural persons;
2.2. record of operations related to Personal Data Processing and record of categories of operations related to the Processing, provided that the provisions of the GDPR so require;
2.3. procedure ensuring the right to access Personal Data for the data subjects;
2.4. procedure related to actions in case of breaches of Personal Data;
2.5. procedure restricting Personal Data Processing and deletion of redundant data, in relation to the right „to be forgotten” in cases referred to in the GDPR.
3. List of organisational measures:
3.1. The premises constituting the Personal Data Processing site entrusted to the Processor by the Controller ought to be at the sole disposal of the Processor.
3.2. The Personal Data Processing site shall be secured against unauthorised access by means of at least a lockable door.
3.3. The Processor shall oversee the keys to the premises constituting the Personal Data Processing site entrusted to the Processor by the Controller and declares that unauthorised persons shall not have access to the keys.
3.4. Any hard copy documentation containing Personal Data entrusted to the Processor by the Controller shall be stored in lockable cabinets, the access to which shall only be available to duly authorised persons.
3.5. The Aaccess to Personal Data entrusted to the Processor by the Controller may be granted solely to persons authorised to Process Personal Data.
3.6. Where available, the site of Processing Personal Data entrusted to the Processor by the Controller shall be protected by an alarm system, CCTV, supervision or physical security.
3.7. Processing of Personal Data entrusted to the Processor shall in principle take place solely at the Personal Data Processing site. In the case of need to Process the aforementioned data outside of the Personal Data Processing site, the Processor shall be obliged to ensure the confidentiality of Personal Data Processing, in particular by restricting unauthorized access to the data in question.
4. List of technical measures:
4.1. Any Personal Data medium, regardless whether it is an original or a copy of a document, a note, hand written records or printed records in electronic form shall be subject to protection.
4.2. Only original documents containing Personal Data can be Processed in hard copy. It shall be prohibited to make copies or print documents, the possession of which by the Processor shall be required in hard copy in order to perform the Transport Agreement concluded with the Controller.
4.3. If a copy of a document, a note or a record containing Personal Data was made for working purposes, the Processor shall be obliged to protect such Personal Data medium against unauthorized access, in particular store it in a lockable cabinet and destroy it in a manner both permanent and impossible to read or recreate immediately after the need to store such document, note or record expires.
4.4. Destruction of a hard copy Personal Data medium shall be done solely using a document shredder or in another manner guaranteeing that reading or recovering such data shall be impossible.
4.5. It shall be strictly prohibited to save copies or scans of documents including Personal Data entrusted to the Processor by the Controller on local computer drives, physical or virtual servers, with the exclusion of saving documents in electronic form solely for a purpose necessary to perform the provisions of the Regulations, the Transport Agreement or in order to present or transfer them to an authorised recipient.
4.6. In the event where an electronic copy of a document containing Personal Data is recorded solely for a purpose necessary to perform the provisions of the Regulations or the Transport Agreement, it shall be deleted immediately after achieving the purpose justifying the recording of the electronic copy of the document.
4.7. Recording Personal Data entrusted to the Processor by the Controller on a mobile electronic medium, such as a flash drives or an external drives shall be possible only after meeting the following requirements:
4.7.1. Personal Data can be recorded on a mobile medium only for a short period of time and solely in order to be presented or transferred to an authorised recipient and, in case of a lack of alternative technical measures, to make a backup copy of the documents containing Personal Data;
4.7.2. the medium shall be available solely to the Processor and utilised exclusively for business use;
4.7.3. the media used to save Personal Data entrusted to the Processor by the Controller shall be cryptographically secured and the files containing Personal Dara shall be password protected;
4.7.4. the media used to save Personal Data entrusted to the Processor by the Controller shall be recorded by the Processor;
4.7.5. once the medium on which Personal Data entrusted to the Processor by the Controller were or are stored ceases to be exploited, it shall be psychically destroyed or treated with professional tools to permanently remove data in a manner making it impossible to recreate or recover the data in parts or in full;
4.7.6. destruction of the medium or permanent deletion from it of Personal Data entrusted to the Processor by the Controller shall be confirmed by a report made by the Processor and noted in the media record.
4.8. The Processor shall be obliged to utilise an ICT network, where access to Personal Data entrusted to the Processor by the Controller takes place, which ensures security of the Processed data.
4.9. A company computers shall be protected against software, the objective of which is to gain unauthorised access to such computer and against threats from the public network by implementing physical or logistic safeguards protecting against unauthorised access, in particular a firewall, authentication procedure utilising a user name and a password and up-to-date antivirus system are used.
4.10. A Processor using electronic mail shall be obliged to apply anti-spam tools and not to open strange or suspicious e-mails which may contain malicious software such as viruses or malware. Only one’s own private/company Internet connection shall be used to log on to electronic mails and other information systems where Personal Data entrusted to the Processor by the Controller are Processed. It shall be strictly prohibited to log on using a different Internet networks or public Internet connection such as Wi-Fi or Hotspot. Personal Data Processing in electronic form outside the Personal Data Processing site shall be allowed, provided that the data is encrypted with a professional encrypting tool.
4.11. Passwords to workstations, information systems and eelectronic mails utilised by the Processor for the purposes related to Processing of Personal Data entrusted to the Processor by the Controller shall:
4.11.1. include at least 8 characters, including lower case and upper case letters, numbers or special characters;
4.11.2. be changed no less frequently than every 6 months;
4.11.3. not be composed of full words or expressions or a string of characters or numbers constituting identifiers or easy to guess;
4.11.4. be known solely to a person to whom the login was assigned to, which shall be utilised for user authentication in the system and to the administrator of a given system.
4.12. It shall be strictly prohibited to disclose the password to other persons, write it down in a place accessible to others or set a password known to another person or easy to guess, as well as to allow other persons to learn the password in any other manner.
4.13. In the event of Processing Personal Data entrusted to the Processor by the Controller outside the Processing site using telecommunication links, one ought to utilise exclusively their own Internet connections (modems or an access point on one’s own phone). It is strictly prohibited to utilise free Internet connections available in public places (e.g. free Wi-Fi networks in cafées and shopping malls, etc.) in order to connect with the IT resources, where the aforementioned data are Processed.