53-605 Wrocław

Pl. Orląt Lwowskich 20c


+48 535 425 100


Privacy Policy



Creative Platform TONY 


2. Definitions 


1. Data controller - An entity that alone or jointly with another entity decides on the purposes and means of processing personal data, i.e.  TONY SP.  z o.o.  Limited partnership, Pl.  Orląt Lwowskich 20c, 53-605 Wrocław, tax identification number NIP 8971881007, REGON 386529632, KRS number 0000850280; 

2 Personal data / data -  information allowing the identification of a natural person directly (e.g. name and surname, telephone number and e-mail address) or indirectly (position, company and age);

3. Documentation of data processing - documentation describing the method of personal data processing as well as technical and organizational measures ensuring the protection of personal data being processed, appropriate to the threats and categories of data covered by protection;

4. Personal data breach - a security breach leading to accidental or illegal use,  destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed;

5. Data integrity -   a property ensuring that personal data has not been changed or destroyed in an unauthorized manner;

6. Legality - a property ensuring that data is processed after meeting at least one condition of art.  6 (1) of the GDPR or Art.  9 (2) of the GDPR or Art.  10 GDPR; 

7 Periodicity -  the property that the data is processed for a specified period of time as long as there is a purpose and basis for the processing of personal data;

8 Authorized person - a person authorized by the data controller to process personal data;

9. Data confidentiality - a property that ensures that the data is not disclosed to unauthorized entities; 

10. Processor -  the entity entrusted with the processing of personal data within the meaning of art.  28 GDPR;

11. Accountability - the property that the actions of an entity can be uniquely attributed only to that entity;

12 Reliability - a property that ensures the substantive correctness of personal data through their compliance with the facts, completeness and up-to-date status;

14. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016  on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC;

15 Data collection -  means an ordered set of personal data accessible according to specified criteria, whether that set is centralized, decentralized or functionally or geographically dispersed;

16. Data processing - an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner;

17 Supervisory authority - an independent public authority appointed to monitor the application of data protection law.





The Administrator is entitled to modify this policy and its annexes, based on changing factual or legal circumstances. 


The purpose of implementing the Security Policy is to define the methods of data processing in accordance with the following principles: 

  • 1. lawfulness;  
  • 2 fair processing;  
  • 3. transparency of processing, 
  • 4 purposefulness of processing;  
  • 5 adequacy of processing, 
  • 6. correctness of processing;  
  • 7. periodicity of processing 


4. Means of ensuring: integrity, confidentiality and accountability of personal data. 


The applied measures have been selected in order to limit the risk of possible incidents related to the violation of the rules of personal data protection.  


In order to meet the above requirements, the following organizational measures have been introduced: 

  • 1. Each person employed / cooperating in personal data processing has been authorized to process the data.  
  • 2. A register of authorizations to process data is kept.  
  • 3. A declaration of data preservation and confidentiality was received from each of the persons employed / cooperating with the processing of personal data. 
  • 4. With third parties processing data on behalf of the controller, data processing agreements have been concluded.  
  • 5. Third parties are present in the data processing area only in the presence of an authorized person
  • 6. The authorized persons have been trained in the principles of personal data processing.  
  • 7. Responsibility for activities related to the security of personal data has been specified 
  • 8. A statement on the confidentiality of personal data and methods of securing personal data has been received from persons processing personal data.  
  • 9. Persons authorized to process have been obliged to set computer monitors in a way that prevents other people from seeing the information displayed on the monitor, use a privacy-protecting screen if the monitor used is located in a place where visitors or employees from other unrelated company branches can  easy to see the monitor or laptop at work;  
  • 10. Persons authorized to process have been obliged to block computer screens in the event of leaving their workplace;  
  • 11. Persons authorized to process have been obliged to turn off computers at the end of the day. 



Technical measures 


In order to meet the above requirements, the following technical measures have been implemented: Selected technical safeguards: 


  • 1. The data processing area is protected against unauthorized access;  
  • 2 Personal data in paper form are stored in locked cabinets / wardrobes / drawers, 
  • 3. Access to data in the IT system is possible only after successful authentication and authorization of the user, 
  • 4. Data sent via the public network is encrypted;  
  • 5. Computers on which personal data are processed have anti-virus software installed that automatically downloads the latest virus signatures;  
  • 6. Logical access to personal data from the public network is limited by the use of a firewall.  It protects all IT systems against unauthorized access and external attacks: 
  • 7. Securing portable equipment and media against theft.  
  • 8. Protection against unauthorized access;  


It is permissible to process personal data outside the processing area only if the following conditions are met: 

  • 1. Be especially careful during transport, storage and use of media containing personal data;  
  • 2. Media containing personal data should not be left in publicly accessible places;  
  • 3. The media can only be used for business purposes. 
  • 4. Do not use private computers or portable devices at work.  


Devices, disks or other electronic information carriers, containing personal data, intended for:

  • 1. Liquidation, the data is previously deprived of recording, and if it is not possible, it is damaged in a way that prevents its reading, 
  • 2. Repairs - it is deprived of the recording of these data beforehand in a way that prevents their recovery or they are repaired under the supervision of a person authorized by the data controller.  
  • 3. Handing over to an entity unauthorized to process data is deprived of the recording of this data in a way that prevents its recovery; 


5.Specifying the obligations of the Data Administrator 


  • 1. Providing the necessary resources to create and operate the system of personal data protection.  
  • 2. Ensuring that persons authorized to process personal data comply with the provisions on the protection of personal data, and in particular that 

• the basis for data processing is provided;  

• the information obligation has been fulfilled; 

• personal data protection documentation has been separated and, if necessary, personal data filing systems have been submitted for registration;  

• the necessary organizational and technical measures have been implemented to ensure accountability, integrity and confidentiality of the personal data processed.  

  • 3. Provision of appropriate technical security measures;  
  • 4. Ensuring that the IT systems used for data processing meet the requirements set out in the Regulation, 
  • 5. Ensuring appropriate technical and organizational measures so that only personal data that is necessary to achieve a specific processing purpose are processed by default, 
  • 6. Ensuring that  developing, designing, selecting the use of applications, services and products that are based on the processing of personal data or process personal data in order to perform their task, the right to the protection of personal data is taken into account, 
  • 7. Using only the services of processors (processors) that ensure sufficient  guarantees of the implementation of appropriate technical and organizational measures so that the processing protects the rights of data subjects and meets the requirements of the GDPR;  
  • 8. Ensuring that access to personal data is granted only to persons authorized to process it.  
  • 9. Exercising special care in the processing of personal data in order to protect the interests of persons whose data is processed, 
  • 10. Ensuring the efficient and effective implementation of the rights expressed in Chapter III of the GDPR due to the person whose personal data is processed by TONY, in particular the right to rectify personal data, the right to delete personal data, the right to limit processing, the right to object, the right to transfer data;  
  • 11. Cooperation with the supervisory authority, in particular with regard to reporting personal data breaches to the supervisory authority pursuant to Art.  33 GDPR 
  • 12. Providing control, what data, when and by whom were entered into the collection and to whom they are transferred.  


6. Definition of the obligations of the Authorized Person.  


  • 1. Compliance with the principles of personal data protection adopted by the data controller, with particular emphasis on the security principle;  
  • 2 Informing the Data Administrator about breaches of personal data protection, 
  • 3. Exercising special care in the processing of personal data in order to protect the interests of persons whose data is processed;  
  • 4. Processing of personal data to the extent resulting from the received authorization to process personal data;  
  • 5. Maintaining the confidentiality of the processed personal data and the methods of their protection.  


7. Method of ensuring transparency


In accordance with the principle of transparency, the processing of personal data should be transparent for the data subjects.  This means that the data subjects should be informed in an accessible and understandable form about the manner in which their personal data is collected, used, viewed or otherwise processed and to what extent these personal data are or will be processed. 


Data Administrator  ensures that the information provided for in Articles 13 and  14 GDPR will be provided to the data subject in an easily accessible and understandable form, in clear and simple language.  


The data controller undertakes to ensure that all information and communication regarding data processing, addressed to data subjects, is carried out in accordance with the principle of transparency.  


The data administrator ensures that the information provided under the information obligation will be up-to-date. 


8. Liability 


To a person who, in the event of detecting a breach of the security of the IT system or a reasonable suspicion of such a breach, has not taken the action specified in this document, and in particular has not notified the appropriate person in accordance with the specified rules, or if such a case has not been documented, proceedings may be initiated  discipline.  


A disciplinary penalty imposed on a person who evades the notification referred to above does not exclude that person's criminal liability in accordance with the Act and the possibility of using other rights of the employer specified in the provisions of the labor law.  


9. Procedure for reporting personal data breaches 


The procedure defines a catalog of threats of incidents that may lead to a breach of the protection of personal data processed by the data controller, authorized persons or a third party (including data that has been entrusted to the data controller by another entity) and the manner of responding to  the above-mentioned threats and incidents The purpose of the manual is to: 

  • 1. Effective assessment of the events that have occurred and their classification as a breach of personal data protection; 
  • 2. Assessment of the need to report a personal data breach to the supervisory authority or to the data subject. 
  • 3. Keeping a register of personal data breaches, 
  • 4. Limiting the effects of personal data breaches and reducing the risk of their occurrence in the future.  


Each employee or associate of the data administrator, in the event of a threat or suspected violation of personal data protection, is obliged to immediately inform the data administrator 


  • 5. Types of the most common threats to personal data security: 


✓ improper protection of workstations, laptops, tablets, smartphones, portable media  and IT software against theft, destruction or loss of personal data, 

✓ sending unencrypted e-mails containing attachments, files with personal data, in particular Microsoft Excel and Word files;  

✓ improper physical security of premises, devices and documents, 

✓ failure to comply with the adopted rules for the protection of personal data by authorized persons. 


  • 6. Examples of events constituting a breach of personal data protection 


✓ external random incidents (eg fire in the facility / room, flooding with water, loss of power, loss of communication);  

✓ internal random incidents (e.g. breakdowns of workstations, server, software, loss / loss of data contained on portable media, sending an e-mail to the wrong person);  

✓ deliberate incidents (e.g. stunt attacks, burglary into rooms where personal data are processed, deliberate and conscious destruction of documents, malware) 


  • 7. In the event of suspicion of a threat or incident, the Administrator conducts preliminary proceedings in the course of which;  


✓ determines the scope and causes of the threat / incident and its possible effects;  ✓ initiates any disciplinary proceedings, 

✓ recommends preventive actions aimed at eliminating similar violations in the future, ✓ documents the proceedings;  

✓ presents a note of the conducted proceedings to the data administrator 


  • 8. In the event of an incident or receiving reasonable information about a suspected breach of personal data protection, the DPO immediately informs the data administrator about the breach. As part of the activities necessary to determine the breach of data protection.  personal data and preparation of a notification to the Supervisory Authority: 


✓ defines the method of documenting a breach of personal data protection;  

✓ secures any evidence related to a breach of personal data protection;  

✓ identifies the people responsible for the incident;  

✓ indicates possible ways of restoring legal status;  

✓ requests the initiation of disciplinary proceedings, 

✓ notes the violation in the register of personal data breaches;  

✓, if necessary, prepares a notification of a breach of personal data protection,  

✓ The data controller, however, no later than 24 hours from the delivery of the prepared notification of personal data protection, sends it to the Supervisory Authority or the person affected by the breach.  


10. Procedure for disclosing personal data 


  • 1. In the event of a request for access to personal data, each person who receives such a request is obliged to transfer it to the Data Administrator.  
  • 2. The administrator indicates the person who considers the submitted request and determines whether the request for disclosure:


1) is made in writing;  

2) sufficiently identifies the person whose data are to be made available;  

3) indicates the appropriate legal basis for the disclosure of data;  

4) determines the scope of personal data to which the request for disclosure of personal data concerns. 


  • 3. Before providing the information, the Data Controller assesses whether it is possible to legally disclose personal data and makes a decision, which is then communicated to the recipient of the request.  
  • 4. After a positive consideration of the application, the Administrator provides personal data.  Personal data should be made available in a manner ensuring their confidentiality towards third parties.  
  • 5. After the application is rejected, the Administrator does not provide personal data.  
  • 6. The recipient of the application orders or independently records in the IT system in which the data are processed, the seal of making the data available.  If the Company has an IT system dedicated to recording cases of sharing personal data, the fact of sharing personal data is recorded in this system.  


11. Procedure for responding to requests from data subjects 


  • 1. In the case of a request for access to personal data, a request for data rectification, a request for deletion of data, a request for use of the right to transfer data, a request to limit processing, an objection to data processing, any person to whom such a request is received is obliged to provide it to the Data Administrator.  
  • 2. The administrator considers the submitted application and determines whether 


a.  The request sufficiently identifies the person making the request;  

b.  There are circumstances provided for by law obliging the data controller to take action in accordance with the person's request.  


  • 3.The data controller assesses whether there are circumstances obliging to take action in accordance with the person's request and makes a decision, which is then transferred to the recipient of the request 
  • 4. The data controller without undue delay - and in any case within one month of receiving the request - grants the person  the data pertains to information about the actions taken in connection with the request;  
  • 5. If the administrator processes large amounts of information about the data subject, the Administrator, before providing the information, requests the applicant to specify the information or processing activities to which the request relates.  
  • 6. The administrator requests the applicant to provide additional information necessary to confirm the identity of the person, 
  • 7. Information provided to the data subject should be provided in a concise, transparent, understandable, easily accessible form, as well as in clear and simple language;  
  • 8. The data controller refuses to take action at the request of the data subject, if he is unable to identify the data subject   
  • 9. The data controller refuses to take action at the request of the person, if there are no circumstances provided for by law obliging the data controller to take action in accordance with the person's request, 
  • 10. If the data controller does not act in accordance with the person's request, it informs the data subject about  failure to act and the possibility of lodging a complaint to the supervisory body and using legal remedies before the court, 
  • 11. Personal data should be made available in a manner ensuring their confidentiality to third parties;  


12. Procedure for deleting personal data 


  • 1. The Company controls and supervises the destruction of redundant data.  personal data. 
  • 2 Deletion of personal data is possible after fulfilling the conditions specified in art.  17 GDPR, and consists in destroying or modifying them in such a way that they lose the characteristics of personal data specified in art.  4 point 1 of the GDPR 
  • 3. The destruction of unnecessary personal data consists in particular
  • their physical, permanent destruction together with carriers to a degree that prevents their subsequent reconstruction, 
  • depriving them of features that make it possible to identify a natural person (anonymization);  
  • 4. There is freedom in the choice of data deletion.  
  • 5. In order to delete data, you can use a shredder or anonymize the document, i.e. delete personal data from it, e.g.  blackening them so as not to.  it was possible to recreate them.  
  • 6 Violation of the procedures for the destruction of unnecessary personal data and their files by persons authorized to process personal data will lead to the initiation of appropriate proceedings against that person. 


13. Final provisions 


  • 1. The data protection policy is an internal document and persons who obtained access to its content are obliged to keep it in full confidentiality.  
  • 2 The data protection policy may be made available to third parties only in paper form 
  • 3. Modification of attachments to the data protection policy does not require approval by the data controller 
  1. pl
  2. en