Privacy policy

Privacy Protection Policy

  1. This document entitled “Privacy Policy” (hereinafter: Policy) is a set of requirements, rules and regulations for the protection of personal data collected by Bartosz Szumiel, running a business under the name “NEARSHORE SERVICES POLAND BARTOSZ SZUMIEL”, address: 00-850 Warsaw, Prosta 20, based on an entry in the Central Register and Information on Economic Activity, REGON: 142867252, Tax Identification Number: 8761973387, hereinafter referred to as ‘NSP’.
  2. This Policy is a policy for the protection of personal data within the meaning of Regulation of the European Parliament and Council (EU) 2016/679 of 27/04/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (EU Official Journal L 119, p. 1) – hereinafter the RODO (GDPR).
  3. The Policy includes:
     a) a description of the data protection principles in force at NSP,
     b) references to supplementary annexes (reference procedures or instructions regarding individual areas in the scope of personal data protection that need to be specified in separate documents).
  4. The processing of data, the administrator of which is NSP, will follow the generally applicable regulations and accepted procedures, in particular this Policy. In the case of data for which NSP is a Processing Entity (processor) within the meaning of the RODO, their processing will follow the applicable regulations, regulations adopted by NSP and in accordance with the NSP’s detailed obligations to contractors arising from agreements concluded with counterparties, in particular with respect to confidentiality and data security, including procedures for dealing with data security incidents. If the contracts for entrusting the processing of personal data or confidentiality agreements with the NSP Customers do not provide otherwise, the data is processed based on the rules and procedures adopted in this Policy and the relevant attachments. If an NSP Client requires the application of more detailed or stricter rules of data processing or confidentiality, NSP will apply the rules adopted in those specific regulations to the data entrusted by that Client.
  5. Bartosz Szumiel is responsible for the implementation and maintenance of this Policy, as an entrepreneur who is the administrator of personal data processed by NSP.
  6. The Inspector for Personal Data Protection is responsible for the supervision and monitoring of compliance with the Policy. Other tasks of the Data Protection Supervisor include:
     a) informing the administrator, the processor and employees who process personal data, of the duties incumbent on them under the Regulation and other Union legislation or data protection laws and advising them on this matter;
     b) monitoring compliance with applicable data protection legislation and relevant policies in the field of personal data protection, including segregation of duties, awareness raising activities, training of personnel involved in processing operations and, where appropriate, related audits;
     c) if applicable, on a case-by-case basis, recommendations on the assessment of the effects on data protection (DPIA) and monitoring of the implementation of this assessment in accordance with Article 35 RODO;
     d) cooperating with the Supervisory Body (PUODO) and acting as a “point of contact” for the Supervisory Authority in matters related to data processing;
     e) acting as a “point of contact” for data subjects in all matters related to the processing of their personal data and exercising their rights;
     f) register of activities or categories of data processing activities.
  7. The following are responsible for the application of this Policy:
     a) NSP personnel having access to personal data;
     b) persons cooperating with NSP, processing personal data of NSP clients and data entrusted for processing by NSP clients;
     c) entities to which NSP will provide personal data.
  8. The NSP’s data protection obligations include:
     a) facilitating the data subject’s exercise of the rights granted by the RODO (right to information, access, rectification, deletion of data – “to be forgotten”, to limit processing, to transfer data, to object);
     b) information obligation completed when collecting personal data;
     c) special care in the processing of personal data in order to protect the interests and rights of persons whose data is processed;
     d) providing information on the scope of personal data being processed, enabling the data subject to monitor data processing;
     e) the obligation to supplement, update, rectify data, temporarily or permanently suspend the processing of the data in question or delete it from the collection, when requested by the person whose data is processed by the administrator;
     f) the obligation to implement and apply technical and organizational measures ensuring protection of personal data being processed, appropriate to the threats and categories of data protected, as well as allowing to demonstrate the processing of personal data in accordance with the RODO;
     g) control of what data, when and by whom were introduced to the file and to whom they are disclosed / transmitted (recipients of data), creating and maintaining a register of personal data processing activities by the Administrator of personal data, the obligation to inform the recipient of data on rectification, deletion or limitation of personal data processing;
     h) keeping records of persons authorized to process personal data;
     i) enabling the transfer of data of the person they refer to, to another service provider, generating a file with processed personal data;
     j) in the case of entrusting the processing of personal data – verification of the ability of the processor to comply with the obligations and requirements laid down by the RODO;
     k) implementation and application of procedures for detecting, analysing, reporting data protection violations and, if possible, informing data subjects of data protection breaches (Procedure for dealing with a security incident);
     l) conclusion of contracts for entrusting data processing with the processing entity and control of their execution – if data processing is entrusted to an external entity and in the case of processing personal data entrusted by other administrators, conclusion of relevant agreements and data processing in accordance with the rules and contractual obligations;
     m) cooperation with the Supervisory Body when performing tasks in the field of personal data protection;
     n) appointing a Data Protection Supervisor.

Policy – this Privacy Policy, unless it is otherwise clear from the context.

RODO – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (Official Journal of the EU L 119, p. 1).

Data – personal data, unless it is otherwise clear from the context.


Data of specific categories – data listed in art. 9 paragraph 1 of the GDPR, i.e. personal data revealing racial or ethnic origin, political views, religious or ideological beliefs, trade union membership, genetic or biometric data to uniquely identify a natural person or data on health, sexuality or sexual orientation.

Criminal records – data listed in Article 10 of the GDPR, i.e. data on convictions and violations of law.

Data of children – data of persons under 16 years of age.

Person – the person to whom the data pertains, unless otherwise apparent from the context.

NSP Client – an entity using NSP services.

Processor – an organization or person to whom NSP or another personal data administrator has entrusted the processing of personal data (e.g. IT service provider, external accounting).

Profiling – any form of automated processing of personal data, which involves the use of personal data to assess some of the personal factors, in particular to analyze or forecast aspects related to the effects of the work of that individual, its economic situation, health, personal preferences, interests, credibility, behaviour, location or movement.

Data export – transfer of data to a third country or international organization.

IOD / Inspector – Inspector of Personal Data Protection

RCPD / Register – Register of Personal Data Processing.


  1. The pillars of personal data processing by NSP are:
     a) legality – NSP cares for the protection of privacy and processes data in accordance with the law;
     b) security – the NSP ensures an adequate level of data security while constantly taking action in this area;
     c) rights of the individual – NSP allows persons whose data is processed to exercise their rights and implement these rights;
     d) accountability – the NSP documents how it fulfils its obligations to demonstrate at any time the compliance of data processing with legal requirements.
  2. Personal data must be processed in compliance with the following rules:
     a) compliance with the law (based on the legal basis and in accordance with the applicable provisions in this area) as well as reliability and transparency for the data subject;
     b) limitation of the purpose of personal data collection (to specific explicit and legitimate purposes);
     c) minimization and adequacy of the collected data – their limitation to the necessary minimum within the purpose for which the data is processed (no more than needed and not “on stock”);
     d) regularity – ensuring correctness and – as far as possible – the topicality of the data being processed;
     e) storage restrictions – for a period that is necessary for the purposes for which the data are processed;
     f) integrity and confidentiality – in a manner that ensures adequate security of the data being processed;
     g) ensuring security – the responsibility of the Administrator for compliance with the principles of personal data protection and the accountability of their compliance (ability to demonstrate compliance with the principles of personal data protection).



The personal data protection system in NSP consists of the following elements:

  1. Data inventory.

1.1. NSP identifies personal data resources, categories of data collected and processed, relationships between data resources, and identification of data usage methods.

1.2. NSP does not collect or process specific category data.

1.3. In the case of unidentified data collection, e.g. in the case of recording of premises monitoring, NSP clearly informs its clients, employees or co-workers about it (in particular through clear information on monitoring and the possibility of processing unidentified data), ensuring the implementation of the rights of persons affected by unidentified data.

  2. The Register.

2.1. For all categories of data processed by itself or cooperating entities, NSP maintains a Register of Personal Data Activities (Register), which is a tool for accounting for compliance of data processing, in which it monitors the manner in which it uses personal data of specific categories.

2.2. In the Register, the NSP records at least: (i) the name of the activity, (ii) the purpose of the processing, (iii) a description of the category of persons, (iv) a description of the data categories, (v) the legal basis for processing, specifying the category of NSP’s justified interest, if there is legitimate interest, (vi) the method of data collection, (vii) description of the categories of data recipients (including processors), (viii) information on transfers outside the EU / EEA; (ix) a general description of technical and organizational data protection measures.

The Register template is attached as Appendix No. 1 to the Policy.

  3. Legal basis for processing.

3.1. NSP provides the legal grounds for data processing and collects them in the Register for individual processing activities. For this purpose:

     a) maintains a system for managing consents to data processing and communication at a distance by keeping an appropriate register of granted consents for data processing, indicating the date of withdrawal of consent or other reported activities by the data subject (opposition to data processing, request to limit data processing, etc.);
     b) gathers and stores consents to the processing of personal data (the consent to the processing of personal data is attached as Annex 2 to this Policy); consent is given by means of remote communication (by marking the relevant clause) or in writing in duplicate, one copy of which stays with NSP and the other is received by the data subject;
     c) inventories and specifies the justification for cases where data processing is to take place on the basis of the legitimate interest of NSP, and ensures that the head of the organizational unit, employee or associate of the NSP knows the detailed and specific interest of NSP carried out in the processing of personal data;
     d) when indicating the general legal basis for data processing, NSP clarifies as far as possible the detailed scope of the base by indicating a specific legal provision, document, scope of granted consent, a specific purpose that is reasonable for the processing of data.

  4. Individual rights.

4.1. The NSP fulfils the information obligations towards the persons whose data it processes as an administrator, and ensures the handling of their rights, fulfilling the requests received in this regard. For this purpose, NSP:

     a) when collecting data, provides the persons with the required information, and organizes and ensures documenting the fulfilment of these obligations by including in the consent form for the processing of personal data information clauses in accordance with the RODO;
     b) upon request, provides information in the scope specified in a separate Procedure, which constitutes Annex 3 to this Policy;
     c) verifies and ensures the possibility of effective performance of any type of request for personal data by itself and its processors, provided that the fulfilment of these requests is not related to excessive costs for NSP;
     d) applies procedures to detect breaches in the processing of personal data and to determine the need to notify persons affected by an identified breach of data protection – the procedure for dealing with a security incident is attached as Annex 4 to this Policy.

4.2. Personal requests regarding personal data, including non-processing of personal data, access to data, obtaining copies of data, rectification, supplementing or deleting data, limiting their processing, data transfer, opposition to data processing (including opposition in a specific situation, for scientific research, historical or statistical purposes, in relation to direct marketing and in the field of automatic data processing) are carried out by NSP on the conditions specified in the Procedure of Information and Implementation of Requests constituting Annex 3 to this Policy.

  5. Minimization.

5.1. NSP ensures minimization of data processing in terms of data adequacy for purposes (categories, amount of data and scope of their processing), data access and storage time. For this purpose:

     a) ensures that data collected in the NSP IT system are limited only to data necessary for the proper provision of services by NSP;
     b) performs periodic (at least once a year) reviews of the amount of data processed and the scope of their processing;
     c) applies restrictions on access to personal data of the following categories:

– legal: authorizations to process personal data, confidentiality obligations, contracts for entrusting the processing of personal data, the formulas of which constitute Annex 5 to this Policy;

– physical: closed rooms in which personal data are collected and processed

– logical: limitations of entitlements to systems in which personal data and network resources in which personal data are collected are processed;

     d) updates of access rights and authorizations are made whenever there is a change in personnel or processors;
     e) periodically reviews the life cycle of personal data, including verification of the further suitability of the data in relation to the dates and checkpoints indicated in the Register. Data whose scope of use is limited with the passage of time are removed from the NSP system, as well as from handheld and main files. Such data can be archived and be located on system backups and information processed by NSP. Procedures for archiving and using archives, creating and using backup copies take into account the requirements of control over the life cycle of data, including data deletion requirements. In the case of processing by NSP data entrusted by NSP Clients, the principles of controlling the life cycle of personal data, their suitability and archiving are regulated by the contractual provisions concluded between the NSP and a given Client.

5.2. The authorization to process personal data is granted by the Personal Data Administrator in the form of a written document, after training the authorized person in, or otherwise familiarizing them with, the principles of personal data protection. Authorization is given individually, with a clear indication of which categories of data it covers. The authorization template is attached as Annex 5 to the Policy. Each person who has been authorized to process data is obliged to protect it in a manner consistent with the provisions of the Act, the GDPR and the provisions of this Policy. With regard to the processing of data entrusted by NSP Clients – unless the NSP Client requires the use of a specific authorization template, NSP authorizes the processing of personal data as specified in the attachment to this Policy; otherwise the contractual provisions concluded between NSP and the NSP Client apply in this range.

5.3. The authorized person is obliged to keep confidential personal data and ways to secure them. This obligation also exists after the end of employment or termination of cooperation. The relevant provision on the acceptance of the obligation to keep secret the processed personal data includes the authorization, a specimen of which can be found in Appendix No. 5.

5.4. The security measures and rules adopted by NSP, including the principles of data access control, are described in item 6 below. A description of the technical and organizational measures necessary to ensure the confidentiality, integrity and accountability of the personal data being processed is Annex 6 to this Policy.


  6. Security.

6.1. NSP ensures an adequate level of data security, including:

     a) carries out risk analyses for data-processing activities or categories thereof;
     b) carries out impact assessments on data protection where the risk of violation of the rights and freedoms of persons is high;
     c) adapts data protection measures to the identified risks;
     d) has an information security management system;
     e) applies procedures to identify, assess and report identified data breaches to the Data Protection Authority – the appropriate procedure is attached as Annex 4 to this Policy;
     f) takes care of the appropriate state of knowledge about information security and cybersecurity.

6.2. Before implementing the appropriate security measures, NSP analysed the risk of violation of the rights or freedoms of individuals for data processing activities, including possible situations and scenarios of personal data breach, taking into account the nature, scope, context and purposes of processing, the risk of violating the rights and freedoms of natural persons with different probability of occurrence and the severity of the threat.

6.3. Based on the above analysis, NSP adopted the following principles and security measures:

     a) Access to personal data is provided by the Personal Data Administrator, Data Protection Inspector and persons authorized to process them within the scope resulting from the authorization.
     b) The presence of unauthorized persons for data processing in the room where personal data are processed is only allowed in the presence of a person authorized to process them, unless the data is appropriately protected from access.
     c) For the security of processing personal data of a specific category, individual responsibility is primarily borne by every person authorized to process them.
     d) Employees / employees who have access to personal data cannot disclose them both at work and outside, in a way that goes beyond the operations related to their processing in the field of official duties, within the authorization granted for data processing.
     e) No one should provide individual passwords and identifiers to IT systems.
     f) Sending a serial email requires the “hidden copy” (BCC) option.
     g) No one should provide personal information to other entities based on a request for such data in the form of a telephone inquiry.
     h) At the place of processing personal data recorded in paper form, employees / associates are obliged to apply the so-called “Clean desk” rule. This rule means not leaving material containing personal data in a place that allows physical access to unauthorized persons. The Employer is responsible for the implementation of the above principle.
     i) Destruction of scrapbooks, erroneous or unnecessary copies of materials containing personal data must be done in a way that makes it impossible to read the content contained in them, e.g. using shredders.
     j) It is unacceptable to take materials containing personal data out of the area of their processing without connection to the performance of official duties. For the security and return of materials containing personal data, in this case the person making them is responsible.
     k) After finishing work in the IT system where personal data are stored, log out of the system.
     l) A person who uses a portable computer containing personal data is obliged to exercise extreme caution during its transport, storage and use outside the area in which personal data are processed.
     m) The presence of unauthorized persons in the room in which personal data are processed is allowed only in the presence of a person authorized to process personal data, unless the data is appropriately protected from access.
     n) In the case of NSP clients adopting appropriate contracts for entrusting data processing to more stringent security requirements, NSP will first apply principles resulting from contractual obligations.

6.4. In a situation where, in accordance with risk analysis, the risk of violation of rights and freedoms of persons is high, NSP carries out an assessment of the effects of planned personal data processing operations for the protection of personal data.

6.5. In order to ensure an adequate level of security of personal data, NSP uses procedures to identify, assess and report identified data breaches to the Data Protection Authority within 72 hours of the establishment of the breach. As far as technical possibilities are concerned, NSP immediately informs the person about the possibility of violating the protection of his personal data. A detailed procedure in this regard is attached as Appendix 4 to this Policy.

  7. The processor.

7.1. NSP selects data processors for NSP, subject to the data processing conditions set out in the entrustment agreement, to ensure that the processors provide sufficient guarantees to implement appropriate organizational and technical measures to ensure data security, implementation of individual rights and other data protection obligations incumbent on NSP.

7.2. Entities entrusted with the processing of data by NSP are obliged to apply at least such requirements as NSP in the scope of personal data protection and ensure their integrity and confidentiality and bear responsibility for the processing of personal data in accordance with the legal provisions applicable to the protection of personal data.

7.3. NSP periodically controls and settles processors in the scope of requirements arising from the rules of entrusting personal data.

  8. Data export.

8.1. NSP regularly verifies that data are not transferred to third countries (i.e. outside the EU, Norway, Liechtenstein, Iceland) or to international organizations, and if it occurs – it is obliged to ensure the lawful conditions of such transmission.

8.2. The Registry records cases of data export outside the EEA. In order to avoid unauthorized data export, in particular in connection with the possibilities of using publicly available cloud services, NSP periodically verifies the behaviour of system users (employees, co-workers) and, where possible, provides equivalent solutions.

  9. Privacy by design.

9.1. NSP manages changes that affect privacy. To this end, the procedures for launching new projects and investments in NSP, include the need to assess the impact of a given change on data protection, risk analysis, ensuring privacy (including compliance of processing goals, data security and minimization) already at the design stage of change, investment or at the beginning of a new project.

9.2. If it is determined that the planned project carries a significant risk of violation of the rights and freedoms of persons in the field of data protection, NSP will make a necessary modification of the project or intent to ensure proper data protection or withdraw in full from the plans for the implementation of the project or intent.

  10. Cross-border processing.

10.1. NSP may process data entrusted by Clients in a cross-border context, while there is no cross-border processing of data for which the administrator is NSP.

10.2. In a situation where cross-border processing takes place, the following principles for determining the lead supervisory authority will apply:

     a) on the basis of regulations and guidelines regarding the protection of personal data, the leading authority will be the supervisory body of the main organizational unit of a given client (data controller);
     b) in order to determine the headquarters of the organizational unit, the Customer (on its own initiative or at the request of NSP) will provide NSP with detailed contact details for the leading supervisory body (competent for the location of the central administration of the customer and the seat of its main organizational unit);
     c) NSP, in the case of accession to cross-border processing of customer data, informs the lead supervisory body of the contact details of the NSP Data Protection Officer, and in the event of any security incidents in connection with the cross-border processing of these data will perform all information obligations towards the leading supervisory body;
     d) within the meaning of the provisions on cross-border data processing, the central administration of NSP is located on the territory of Poland, and the supervisory body for NSP is the President of the Office for Personal Data Protection. In the case of cross-border processing of data entrusted by clients, PUODO is the “supervisory body concerned” and the supervisory authority will be appointed by the supervisory body as a rule.


  1. This Policy shall enter into force on 25 May 2018. All changes to the Policy must be made in writing under pain of nullity.
  2. All attachments are an integral part of this Policy.
  3. In matters not covered by the relevant procedures, provisions of generally applicable law apply.

Nearshore Services Poland
Prosta 20
00-850 Warsaw, Poland

Starokrakowska 133
26-600 Radom, Poland

+48 604 279 798

® Nearshore Services Poland