Joisto Quertum
Personal Data Protection
POLICY
Definitions
Organisation - means Joisto Quertum PL and Joisto Quertum UK (“JQ”).
GDPR - means the General Data Protection Regulation.
Responsible Persons - means the Managing Director of Joisto Quertum.
DPO - means Data Protection Officer.
UODO - means “Urząd Ochrony Danych Osobowych” - the Personal Data Protection Office in Poland.
ICO - means the United Kingdom Information Commissioner's Office.
ROPA - means a Register Of Processing Activities.
TOM - means Technical and Organizational Measures.
PIA - means Privacy Impact Assessment.
DPIA - means Data Protection Impact Assessment.
1. Purpose of Personal Data Protection Policy
Joisto Quertum (“JQ”) operates in an industry in which access and processing of personal data is necessary to perform the services defined.
JQ takes the proper processing of personal data very seriously. This includes fair and transparent processing and compliance with the data protection principles. The rights of the data subject are respected, and personal data is processed only on a legal basis, to the extent necessary to provide the services offered by JQ or for internal use.
The security and protection mechanisms for personal data processed by JQ are selected on the basis of a risk and privacy assessment. This assessment takes into account business needs as well as the data relating to the persons with whom the business has a relationship.
In a situation where JQ processes data entrusted by other Data Controllers, it performs these actions only on the basis of instructions received, to the extent and for the purpose specified in the contract.
When another subcontractor or partner processes personal data entrusted by JQ, JQ must ensure that the subcontractor processes the data in accordance with the same principles and on the same terms as JQ.
Any misuse of personal data or a threat to it is investigated and reported according to the seriousness of the case.
2. Principles of personal data protection
The Organisation is committed to complying with all data protection legislation applicable to its business, including but not limited to the European General Data Protection Regulation, and this Policy is intended to summarise the key requirements that apply to JQ.
The following data protection principles are followed when personal data is processed at JQ:
- Lawfulness, fairness and transparency
Personal data must be used in a lawful, fair and transparent manner from the perspective of the data subject.
- Purpose limitation
Personal data must be collected for a specified, explicit and legitimate purpose and not processed further in a manner that is incompatible with the original purpose.
- Data minimisation
Personal data must be adequate, relevant and limited to what is necessary for those purposes for which the data is processed.
- Accuracy
Personal data to be processed must be valid and accurate, and updated, if necessary.
- Storage limitation
Personal data can only be stored for as long as is necessary for fulfilling the purpose.
- Authenticity, integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate data security, including protection from unlawful or unauthorised processing and accidental destruction, loss or damage (information security).
The Organisation aims to always be able to demonstrate, with both documents and practice, that it complies with the abovementioned principles (accountability).
JQ abides by the principles of data protection by design and by default. It is JQ’s objective that the correct processing of personal data is planned, defined, described and documented in all systems, processes, different situations and ways of processing personal data. JQ ensures that all implementations meet all of the above mentioned principles.
3. Roles and responsibilities in data protection
The Managing Director of Joisto Quertum (MD) acts as a Responsible Person for Organisation. The MD is responsible for supporting the implementation of this Policy in the whole organisation, including resource allocation.
JQ, as part of Joisto Group, uses a common Data Protection Officer (DPO). The tasks of the DPO are to lead data protection work at JQ in an independent manner and to monitor that JQ is complying with the applicable data protection legislation.
The Data Protection Officer will be fully involved, in a timely manner, in all issues related to the protection of personal data. The DPO guides and advises in matters related to the implementation of data protection. The Officer informs and interprets requirements related to data protection and provides recommendations for procedures and measures.
The DPO monitors that the processes developed for the governance of the data protection function operate as planned. The DPO’s role is to ensure that the personnel’s data protection training is up-to-date and especially that the competence of the key personnel in data protection matters is developed as required by their tasks. The DPO keeps an up-to-date Register of Processing Activities (ROPA).
Product and service owners must ensure that all listed principles of personal data protection, as well as technical and organisational measures are implemented in the design and during end-to-end processing.
Team managers, specialists and all employees and co-workers must familiarise themselves with the provisions on the protection of personal data and with the use of specific procedures and measures to protect this data against unauthorised disclosure. They must exercise special care when performing data processing operations in order to protect the interests of data subjects, and follow all other relevant instructions.
4. Data protection processes
4.1 General data protection principles
Processing of personal data is made transparent so that the data subject has the right to gain knowledge of the processing of their data in the Organisation. Transparency also requires that, if necessary, the decisions, choices and implementations as well as the grounds for them can be shown in documents connected to the processing of personal data.
The safeguards and controls for protecting the personal data processed by JQ are selected based on a risk assessment. The risk assessment must evaluate the potential risks to the rights and freedoms of the data subjects based on the properties of the processed data and the processing activities.
When a subcontractor processes JQ’s or its Customers’ personal data, JQ is responsible for ensuring that the subcontractor processes the data according to the same principles as JQ.
Any misuse or malpractice of personal data or any threats posed to personal data are investigated. These are reported and communicated as necessary according to the severity of the case.
4.2 Training and operational security
Training on data protection will be arranged for all JQ employees and everyone processing personal data for JQ. Training will also be delivered to those who have access to personal data on a general level and for their particular task, if this is deemed necessary.
Work instructions specify the working methods related to the processing of personal data and the correct procedures for ensuring data protection. Measures, work phases and controls may be added to ensure that personal data has been processed in an appropriate manner at every phase. These include, for instance, the appropriate disposal of documents containing personal data in an electronic form or on paper.
4.3 Technical and organisational security measures
The protection of personal data is implemented using the technical and organisational measures (TOM) described in the procedures and security instructions resulting from the JQ Information Security Policy and implemented Information Security Management System.
The protection of personal data is planned to be implemented using the procedures of security and information security defined in the JQ information security policy and complementary information security instructions. Information systems that are used for processing personal data are intended to be built, and their operations secured, so that appropriate implementation of data protection is possible.
Data protection impact assessments are carried out regularly; the DPIA (Data Protection Impact Assessment) determines the appropriate level of protection. The impact assessment is based on a description of the security of the system, including security mechanisms, their use, operations, and performance assurance. A Privacy Impact Assessment (PIA) is delivered as part of the DPIA process and shall be created for the services and systems processing personal data to ascertain an appropriate and sufficient level of protection.
4.4 Joisto Quertum as a Processor
In the majority of the Organisation’s activities, JQ processes personal data entrusted by its Customer, who is the Data Controller, and JQ is a Processor (Art. 28).
A personal data entrustment agreement (DPA - Data Protection Agreement) is signed with each client. This constitutes an attachment to the basic agreement and is related to and referenced in the general terms and conditions.
The DPA includes the purposes and scope of the personal data being processed as well as instructions for JQ for appropriate processing.
JQ undertakes to comply with these instructions and to cooperate in carrying out an assessment of the effects of data processing. JQ will immediately inform the Data Controller of any personal data breach incidents.
4.5 Protection of personal data in suppliers contracts
The need for the inclusion of data protection in agreements and contracts is assessed in all sourcing situations. Special attention is given to situations where the supplier may process personal data in a country outside the EU/EEA or trusted countries. When purchasing work or consulting services, the service agreements are also intended to include training responsibilities so that the skills and competence of an external person correspond with the requirements for successfully completing the task.
Data protection is taken into account in all agreements in which services involving the processing of personal data are bought or sold. When subcontracting is used in JQ’s services, the client must be notified of any changes to the subcontractors who are engaged as sub-processors.
4.6 Management of data breach incidents and offenses
Negligent or adverse actions in breach of data protection instructions, misuse of personal data and information leakage are taken seriously. The same applies to any threats of this nature. Any related events will be investigated.
Joisto Quertum and Joisto Group have a general security incident management process implemented, and events related to personal data are one of the supported cases that require special tasks.
An incident involving a breach of personal data protection may include the accidental or intentional destruction, loss, modification or unauthorised disclosure of personal data administered or processed by JQ.
Each reported event which can cause a personal data breach shall be recorded and analysed, and the next steps will depend on the specific incident classification. A first action will be to reduce the negative impact of the incident on personal data.
The Data Protection Officer reports the results of the incident investigation internally within the Organisation and, if necessary, to the authorities and/or the Data Controller, working in cooperation with other security teams.
Depending on the criticality of the incident and its scale, it may be necessary to notify the event to:
- if the case is related to Poland – the President of the Personal Data Protection Office (UODO),
- if the case is related to the UK – the United Kingdom Information Commissioner's Office (ICO),
and to notify any person who may be involved in the incident. The notification to the authority shall be made through the approved communication channel and within 72 hours.