GDPR Policy

Personal Data Controller / Controller / PDC: a natural or legal person, public authority, agency, or other entity that, alone or jointly with others, determines the purposes and means of processing personal data.

For the purposes of this Personal Data Protection Policy, the Personal Data Controller is AMAZEMET Sp. z o. o. with its registered office in Warsaw, al. Jana Pawła II 27, 00-867 Warsaw.

IT Systems Administrator / ASI: a natural or legal person supporting the PDC

in ensuring that the IT infrastructure complies with personal data protection rules.

EEA / European Economic Area: European Union (EU) member states, Norway, Liechtenstein, and Iceland.

EDPB / European Data Protection Board: an independent European body that works to ensure the consistent application of data protection rules across the European Union and promotes cooperation between EU data protection authorities. The European Data Protection Board consists of representatives of national data protection authorities and the European Data Protection Supervisor (EDPS) and, in accordance with Article 70 of the GDPR, issues guidelines, recommendations, and best practices to ensure the consistent application of the GDPR.

DPO (Data Protection Officer): a natural person who supports the PDC in fulfilling its obligations under personal data protection regulations, including the GDPR and the Act.

Personal data processing area: the area where the PDC processes personal data in paper or electronic form.

Supervisory authority: an entity responsible for supervising compliance with the provisions of the GDPR. The supervisory authority in Poland is the President of the Personal Data Protection Office.

Processor: a natural or legal person, public authority, agency, or other entity that processes personal data on behalf of and for the PDC.

President of the Personal Data Protection Office / President of the UODO: the competent authority for personal data protection in Poland; the supervisory authority within the meaning of the GDPR.

Personal data protection regulations: applicable laws and regulations concerning the protection of personal data. These include, in particular, the GDPR, the Act, and regulations from the PDC industry.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data Protection Policy: this document.

Act: Act of May 10, 2018, on the protection of personal data.

1.2 Personal Data Protection Policy and its purpose

1. This Personal Data Protection Policy is a data protection policy within the meaning of Article 24(2) of the GDPR.
2. The Personal Data Protection Policy has been developed taking into account:

1)    generally applicable laws related to personal data protection and information security, in particular the GDPR,

2)    guidelines of the President of the Personal Data Protection Office and other authorities involved in personal data protection,

3)    good practices, guidelines, or standards of the industry represented by AMAZEMET

Sp. z o. o.

3. The personal data protection policy serves to ensure a level of security for personal data processed by the Administrator that will protect it from:

1)    access by unauthorized persons,

2)    unauthorized alteration, loss, damage, or destruction.

4. The personal data protection policy is subject to periodic reviews. If necessary, appropriate changes are made to its content, taking into account in particular:

1)    the provisions or guidelines referred to in section 2 above,

2)    the current state of technical knowledge,

3)    the logistical, human resources, and financial capabilities of the Administrator.

5. The appendices to the Personal Data Protection Policy (listed

in section 8 below) form an integral part of the Policy. In addition, the PDC may introduce or allow the use of additional guidelines, regulations, or instructions aimed at implementing the principles of personal data protection set out in the Personal Data Protection Policy.

6. The personal data protection policy is an internal document of AMAZEMET Sp. z o. o.

Its content may not be disclosed to unauthorized persons or entities.

1.3 Basic principles of personal data protection

1. The PDC ensures the implementation of the following principles of personal data use:

1)    the principle of lawfulness, fairness, and transparency;

The processing of personal data must be lawful, fair,

and transparent to the data subject. There must be a basis for data processing (e.g., legal obligation, necessity for the performance of a contract, legitimate interest, or consent of the data subject), and all information

and communications related to data processing (addressed to data subjects at the time of data collection) must be easily accessible and understandable, and formulated in clear and simple language.

2)    the principle of purpose limitation;

The processing of personal data may take place for a specific (precise), explicit (easy to understand) and legitimate purpose (it must not violate the law). Data processing may not continue once the purpose for which it was obtained has been achieved.

3)    the principle of data minimization;

Personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The controller is authorized to process data only to the extent necessary to achieve the purpose for which they are processed. Excessive data that is not needed in a specific processing operation shall be anonymized or deleted.

4)    Principle of data accuracy;

Personal data processed must be accurate (true, complete, and up-to-date). Data that is inaccurate in light of the purposes for which it is processed should be deleted or corrected without delay.

5)    Principle of data storage limitation;

Personal data may be stored in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which the data are processed.

Data whose storage period has expired (and there are no other legal grounds for their processing) should be anonymized or deleted. In order to prevent personal data from being stored for longer than necessary, the Controller shall set a deadline for its deletion or periodic review.

6)    integrity and confidentiality principle;

Personal data should be processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

7)    accountability principle;

The controller is responsible for compliance with personal data protection regulations and must be able to demonstrate such compliance.

2. PDC demonstrates compliance with personal data protection principles in particular by:

1)    developing and implementing a Personal Data Protection Policy,

2)    developing and implementing additional guidelines, procedures, regulations, and instructions,

3)    using paper or electronic lists, records, memos, or correspondence.

2. 
   Entities involved in personal data protection

and their responsibilities

2.1 PDC

1. PDC decides on the purposes and means of personal data processing.
2. The PDC takes measures to ensure:

1)    an adequate level of security of personal data,

2)    compliance of personal data processing with the principles set out in section 1.3 above.

3. The actions of the PDC referred to in section 2 above include in particular:

1)    implementing appropriate organizational solutions, physical security measures, and IT solutions (indicated in section 5 and the appendices to the Personal Data Protection Policy),

2)           granting authorizations to persons who need access to personal data for business purposes,

3) ensuring that the KOD is properly and promptly involved in all matters relating to personal data protection.

4. If the data subject proves to the PDC that the personal data concerning him or her is incomplete, outdated, untrue, collected in violation of the law, or unnecessary for the purpose for which it was collected, the PDC is obliged to take the necessary steps to remedy the situation.
5. The PDC keeps a record of processing activities in accordance with Article 30(1) of the GDPR. A template for the record is provided in Appendix 12 to the Personal Data Protection Policy.
6. The PDC performs a risk analysis of personal data processing activities in accordance with Article 32(2) of the GDPR. The PDC also carries out an impact assessment in accordance with Article 35(1) of the GDPR if the analysis determines that the processing operation is likely to result in a high risk to the rights and freedoms of natural persons, or if such an obligation arises from legal provisions or guidelines issued by the supervisory authority. The risk analysis and impact assessment are carried out in accordance with

the procedure set out in Appendix 1 to the Personal Data Protection Policy.

7. If a personal data breach has occurred, the PDC shall immediately take appropriate steps to fulfill the obligations described in Articles 33-34 of the GDPR. The procedure for dealing with breaches is described in Chapter 6 and Appendix 3 to the Personal Data Protection Policy.
8. The controller may decide to appoint a data protection officer or designate a person to perform tasks related to personal data protection.
9. Tasks related to personal data protection will be performed by the Data Protection Coordinator.

2.2 Data Protection Coordinator

1. The tasks of the DPC include supporting the PDC and other persons and entities involved in personal data protection, in particular by:

1)    providing information on obligations related to personal data protection and advising

on this matter,

2)    monitoring compliance with regulations and policies in the field of personal data protection, including division of responsibilities, awareness-raising activities, staff training, and related audits,

3)    comprehensive handling of data breaches,

4)    in cases where necessary, conducting additional audits followed by a report and a set of recommendations,

5)           supervision of the compliance of processing operations with the requirements of the GDPR,

6)    drafting of contracts, clauses, or other documents relating to personal data protection, and reviewing internal regulations for compliance

with personal data protection regulations,

7)           advising on the security of networks and IT systems in terms of compliance with personal data protection regulations,

8)    providing ongoing support to PDC employees in the field of personal data processing,

9)    developing or reviewing studies and updates to personal data protection policies and processing procedures,

10)        keeping a record of processing activities by preparing and periodically reviewing it,

11)    keeping a record of categories of processing activities by preparing

and periodically reviewing it,

12)    preparing responses to data subjects on matters related to the processing of personal data,

13)        consulting on projects requiring the consideration of personal data protection

at the design stage and when creating default data protection mechanisms,

14)    advising on the implementation of data protection impact assessments,

15)    monitoring the correctness of data protection impact assessments

and actions taken on their basis,

16)        recommendations regarding the reduction/elimination of irregularities in the field of personal data protection,

17)    supporting the PDC in administrative and court proceedings concerning personal data protection

18)    supporting the PDC in the performance of the obligations specified in the Personal Data Protection Policy and other documents specified in section 1.3 above.

2.3 IT systems administrator

1. The PDC may appoint a person cooperating with the PDC (an employee hired as an IT specialist) as the ASI or entrust the performance of the ASI’s duties to an external entity (providing IT services on the basis of a civil law contract).
2. The tasks of the ASI include ensuring compliance with the rules for the protection of personal data processed using applications, programs, systems, or devices used by the PDC, in particular by performing the tasks and activities specified in Appendix 8

to the Personal Data Protection Policy.

3. The ASI reports directly to the senior management of the PDC.
4. If the PDC does not appoint an ASI, the senior management of the PDC or a person designated by the PDC shall be responsible for performing the duties specified in paragraph 2 above. Introduced at the PDC the regulations concerning ASI shall then apply accordingly to the senior management of the PDC or the person designated by the PDC.

2.4 Persons authorized to process personal data

1. Only persons authorized by the PDC are permitted to process data at the PDC.
2. Authorization is granted in accordance with the template constituting Appendix 15 to the Personal Data Protection Policy and the procedure constituting Appendix 14 to the Personal Data Protection Policy. The PDC may, after consultation with the KOD, allow authorization to be granted in another manner, e.g., by including the content of the authorization in the agreement forming the basis for cooperation with the person concerned.
3. After granting authorization to process personal data, the authorized person receives from ASI (or a person designated by ASI) access to the applications, programs, systems, or devices necessary to perform their duties. During their work, the authorized person is required to comply with the recommendations related to working in systems, on computers

and other devices, described in Appendix 9 to the Personal Data Protection Policy.

4. The person authorized to process personal data is required to:

1)    comply with:

1. a) the Personal Data Protection Policy,
2. b) other guidelines, regulations, or instructions concerning personal data protection applicable at PDC,
3. c) instructions from PDC, KOD, or ASI related to personal data protection.

2)    keep confidential both personal data and the methods of securing it,

5. Any action or omission by an authorized person resulting in a breach of the procedures or instructions referred to in paragraph 4 above may:

1)    have disciplinary consequences,

2)           be considered a serious breach of basic employee obligations

(in the case of cooperation under the Labor Code),

3)    be considered a valid reason for termination or dissolution of the contract forming the basis of cooperation.

6. Upon termination of cooperation with the PDC:

1)    the authorization to process personal data shall automatically expire,

2)    the authorized person’s access to the applications, programs, systems, or devices used by them shall be revoked or blocked.

2.5 Persons present in the area of personal data processing

1. Persons cooperating with PDC who, in connection with the performance of their duties, are present in the area of personal data processing and whose scope of duties does not justify granting authorization to process personal data, shall sign a confidentiality statement, a template of which is attached as Appendix 5 to the Personal Data Protection Policy.
2. The persons referred to in paragraph 1 above, in the event of coming into possession of personal data or information about their security, are obliged to maintain confidentiality in this regard, both during and after cooperation with the PDC.
3. The persons referred to in section 1 above, in the event of becoming aware of a breach or suspected breach of personal data protection, are obliged to notify KOD or their immediate superior.
4. If the persons referred to in paragraph 1 above perform their duties on behalf of and for the benefit of a contractor who has a service agreement with the PDC, the obligation referred to in paragraph 1 above may be replaced by an appropriate contractual obligation.

3. Principles of personal data processing

3.1 Grounds for personal data processing

1. The processing of personal data by the PDC is permissible if at least one of the grounds specified in the following provisions applies:

1)    Article 6(1) of the GDPR – with regard to ordinary personal data,

2)           Article 9(2) of the GDPR – with regard to special categories of data,

3)    Article 10 of the GDPR – with regard to personal data relating to criminal convictions and offenses or related security measures.

2. With regard to data processing based on the grounds specified in paragraph 1 above, the PDC uses templates for consents, statements, etc., as well as procedures related to their use, prepared or approved for use by KOD.
3. In case of doubts regarding the legal grounds for the processing of personal data, the PDC consults with KOD. If:

1)           the PDC has not yet processed the data in question, data processing may only take place after the doubts have been resolved,

2) the PDC is already processing the data in question, the PDC shall take steps to suspend the processing of personal data until the doubts have been resolved.

3.2 Exercising the rights of data subjects

1. The information obligation should be fulfilled towards persons whose personal data is processed by the PDC, in accordance with the rules set out in Articles 13-14 of the GDPR. In justified situations, agreed with the KOD or the person performing tasks related to personal data protection, it is permissible to fulfill the information obligation in stages. In this regard, the PDC uses document templates (information clauses and related procedures) developed or approved for use by the KOD.
2. The PDC accepts requests under Articles 15-22 of the GDPR relating to the rights of data subjects. When performing tasks related to the handling of requests, the PDC shall ensure in particular:

1)    confirmation of the identity and rights of applicants,

2)    provision of information in a clear, legible, and understandable manner,

3)           ease of access to data,

4)    responding to requests within the time limits specified in Article 12(3) of the GDPR.

3. The procedure for handling requests under Articles 15-22 of the GDPR is set out in Appendix 10 to the Personal Data Protection Policy.
4. The PDC documents the manner in which the rights of data subjects are exercised. Documentation may take the form of, in particular, collecting correspondence related to requests and maintaining a Register of the exercise of data subjects’ rights, in accordance with the template in Appendix 11 to the Personal Data Protection Policy.

3.3 Balance test

1. The PDC is obliged to carry out a balancing test when processing personal data on the basis of a legitimate interest, i.e. the grounds set out in Article 6(1)(f) of the GDPR.
2. The balancing test should be carried out before the processing of personal data begins, and if such processing is already underway, as soon as possible.
3. The balancing test should take into account the principles of adequate protection of the interests and fundamental rights of data subjects, including in particular: whether there are other legal grounds, whether the PDC’s interest is justified, whether the processing is necessary to achieve the objective, whose interests prevail, factors guaranteeing the balance or predominance of the PDC’s interests, or whether it will be possible to exercise the rights of the data subjects. The balancing test shall be carried out on the basis of the template in Appendix 18 to the Personal Data Protection Policy.
4. If several separate activities specified in the processing activity register are carried out as part of a single process based on a legitimate interest, it is permissible to carry out a single joint balancing test.
5. The PDC documents the manner in which the balancing test is carried out.

3.4 Taking data protection into account during the design phase, default data protection (privacy by design and by default)

1. Personal data protection is a mandatory element to be examined when implementing new services, products, tools, or solutions. When designing each new service, product, tool, or solution, and prior to their implementation, the PDC takes into account the protection of personal data if the project involves their processing.
2. The PDC implements appropriate technical, organizational, and IT measures to ensure that only personal data that is necessary for each specific processing purpose is processed by default. This obligation applies to the amount of personal data collected, the scope of its processing, the period of its storage, and its availability.
3. Where a tool or project involves the protection of personal data, the PDC shall implement appropriate technical, organizational, and IT measures (such as pseudonymization) designed to effectively implement data protection principles, such as data minimization, and to provide the necessary safeguards for processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
4. Transfer of personal data within the framework of cooperation

with external entities

In a situation where:

1. The PDC transfers personal data to an external entity, where the PDC decides on the purposes

and means of using personal data – the PDC applies the guidelines from section 4.1.1 below,

2. an external entity transfers personal data to the PDC, where the external entity decides

on the purposes and means of using personal data – the PDC applies the guidelines from section 4.1.2 below,

3. The PDC transfers personal data to an external entity, where each party pursues its own purposes for the use of personal data – the PDC applies the guidelines from section 4.2 below.
4. An external entity transfers personal data to the PDC, where each party pursues its own purposes for the use of personal data – the PDC applies the guidelines from section 4.2 below.
5. PDC and the external entity or entities jointly decide

on the purposes of personal data use – PDC applies the guidelines from section 4.3 below.

4.1 Entrusting

4.1.1 PDC as data controller

In a situation where the PDC entrusts the processing of personal data to an external entity as a processor, the following guidelines apply:

1. Before commencing cooperation, the PDC verifies whether the external entity provides sufficient guarantees to implement appropriate technical and organizational measures

so that the processing meets the requirements of the GDPR and protects the rights of data subjects. Verification may take place, in particular, by requiring the external entity

to complete the questionnaire attached as Appendix 6 to the Personal Data Protection Policy.

2. The entrusting of personal data processing takes place by signing an entrusting agreement, an annex to the main agreement, or by adding the relevant content to the main agreement. A template entrustment agreement is attached as Appendix 7 to the Personal Data Protection Policy (in consultation with KOD, it is possible to use a different template entrustment agreement,

in particular one provided by the other party to the agreement).

4.1.2 PDC as a processor

In a situation where an external entity entrusts the processing of personal data to PDC as a processor, the following guidelines apply:

1. The entrusting of personal data processing takes place by signing a processing agreement, an annex to the main agreement, or by adding the relevant content to the main agreement. A template of the processing agreement is attached as Appendix 7a to the Personal Data Protection Policy (in consultation with KOD, it is possible to use a different template of the processing agreement
2. The PDC shall enter information about the fact of entrusting the processing in the register of processing activities. A template of the register is attached as Appendix 13 to the Personal Data Protection Policy.

4.2 Disclosure

In a situation where the PDC or an external entity disclose personal data to each other, the disclosure of personal data requires the signing of a disclosure agreement, an annex to the main agreement, or the addition of appropriate content to the main agreement. The content of the agreement and other obligations of the PDC related

to the disclosure are consulted in advance by the PDC with the KOD.

4.3 Joint administration

In a situation where the PDC becomes a joint administrator of personal data, the determination of the rules for the use of personal data requires the conclusion of a joint administration agreement, an annex to the main agreement, or the addition of an appropriate passage to the main agreement. The content of the agreement and other obligations of the PDC related to joint administration are consulted in advance by the PDC with the KOD.

4.4 Transfer of personal data outside the EEA

1. As part of its personal data processing operations, the PDC is required to analyze whether data is being transferred outside the EEA and, if so, to take appropriate measures in accordance with the Data Protection Policy.
2. The transfer of personal data outside the EEA may take the form of entrusting, joint administration, or sharing of personal data.
3. The transfer of personal data outside the EEA occurs when

1)    personal data is physically transferred from the EEA to a third country; or

2)    an entity from a third country has access to personal data stored in the EEA (i.e., the personal data does not physically have to leave the EEA); or

3)    personal data is re-exported, i.e. a situation in which an entity from a third country entrusts an entity from the EEA with the processing of personal data,

and then the entity from the EEA transfers this personal data back to the third country. In such a situation, the re-export involves the transfer of data outside the EEA.

4. If it is determined that a given data processing operation involves the transfer of personal data outside the EEA, the PDC shall carry out a transfer impact assessment (TIA). The first step of the TIA is to establish the legal basis for such data transfer, in accordance with Articles 45-47 of the GDPR:
5. first, it must be confirmed whether the transfer of data outside the EEA is to countries for which the European Commission has issued a decision confirming an adequate level of protection,
6. in the absence of the decision referred to in point 1) above, the legal basis preferred by the PDC are the standard data protection clauses PDCpted by the European Commission, in accordance with the model set out in Commission Implementing Decision (EU) 2021/914

of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as any other future decision of the European Commission in which the Commission PDCpts new models of standard contractual clauses.

5. Further assessment of the risks of data transfers outside the EEA (TIA) is carried out on the basis of the action plan set out in EDPB Recommendations 01/2020 on complementary measures to transfer tools to ensure compliance with the EU level of protection of personal data PDCpted on November 10, 2020. (as well as other EDPB guidelines on international transfers to be PDCpted in the future).
6. The level of data protection for identified data transfer processes outside the EEA is assessed by the PDC periodically at appropriate intervals and in any case where changes have occurred that may affect the level of personal data protection.
7. If the PDC identifies a data transfer outside the EEA, it shall provide the necessary information in the information clause and shall also include the relevant information.

5. Measures taken to ensure the security of personal data

5.1 Organizational solutions

The PDC applies the following organizational measures in particular:

1. implementation and application of the provisions of the Personal Data Protection Policy,
2. implementation and application of other guidelines, regulations, procedures, and instructions aimed at implementing the principles of personal data protection and information security,
3. obligation of employees to keep confidential both personal data

and the methods of securing it.

4. separation of two security zones at the PDC headquarters, covering the rooms that constitute the personal data processing area:
5. zone one:
6. a) a room with a server, which may only be accessed by authorized IT staff; other persons authorized to process personal data may only enter this room when accompanied by an IT staff member. Outsiders do not have access to this room;
7. b) IT room, which may only be accessed by authorized IT staff; other persons authorized to process personal data may only enter this room when accompanied by an IT employee. Unauthorized persons do not have access to this room;
8. c) cashier’s room, which may only be accessed by an employee performing the function of a cashier; other persons authorized to process personal data may only enter this room when accompanied by the cashier. Outsiders are not allowed to enter this room;
9. d) archive rooms, which may only be accessed by employees performing the function of archivists; other persons authorized to process personal data may only access this room when accompanied by an archivist. Outsiders do not have access to this room.
10. zone two:
11. a) other rooms to which all persons authorized to process personal data have access, in accordance with their job responsibilities. Outsiders have access to the rooms only in the presence of an employee authorized to process personal data or without the supervision of an employee – after obtaining the prior consent of the PDC’s senior management.
12. ensuring control over the activities of persons authorized to process personal data and persons present in the area of personal data processing,
13. ensuring control over the activities of outsiders temporarily present

in the area of personal data processing.

5.2 Physical security measures

1. PDC applies the following physical security measures in particular:

1)    the data processing area is secured against unauthorized access by means of patented locks, electronic access cards, burglar alarms, and video intercoms,

2)    employees are provided with the ability to lock all rooms where personal data is processed,

3)           employees are provided with access to lockable cabinets, drawers, and cupboards.

4)    access to paper shredders.

2. In the event of the destruction of a larger number of paper or electronic media by the PDC, confirmation of destruction in accordance with security procedures shall be provided in a report, a template of which is attached as Appendix 16 to the Personal Data Protection Policy.
3. Detailed information on the physical security measures used by the PDC can be found

in Appendix 17 to the Security Policy.

5.3 IT system management instructions

1. The PDC uses the following IT solutions in particular:

1)    granting and monitoring access rights to the IT system in accordance with the PDCpted procedure,

2)    authentication of persons working in applications, programs, or IT systems (in particular using logins and passwords),

3)    applications, programs, or systems protecting against malware,

4)    encryption of data transmitted via a public network,

5)           measures ensuring the continuous operation of IT systems,

6)    measures ensuring the possibility of data recovery in the event of an undesirable incident,

7)    monitoring access to the IT system, including keeping a record of failures

and breaches of the security of PDC’s IT systems.

2. Detailed information on the IT solutions used by PDC can be found in Appendix 8 to the Personal Data Protection Policy.

6. Personal data breaches
7. Every person authorized to process personal data is responsible for its security.
8. Any person cooperating with PDC who suspects or confirms a personal data breach is required to report such a breach immediately. The report shall be made on the form provided in Appendix 2 to the Personal Data Protection Policy or in another manner agreed with KOD.
9. The rules of conduct in the event of a suspected or confirmed personal data breach are described in Appendix 3 to the Personal Data Protection Policy.
10. The PDC documents data breaches by keeping an Incident Log, in accordance with Appendix 4 to Data Protection Policy

7. Final provisions
8. The personal data protection policy is an internal document and persons who have gained access to its content are obliged to keep it confidential.
9. The personal data protection policy may be made available to third parties only on the basis of applicable law or in connection with an important interest of the Administrator, in paper form.
10. The Personal Data Protection Policy shall be effective from the date of its introduction in the manner PDCpted

by the Administrator. Any changes to the Personal Data Protection Policy shall be effective from the date of their introduction in the manner PDCpted by the Administrator .

4. On the date of introduction of the Personal Data Protection Policy, the personal data protection documentation previously in force at the Administrator shall cease to be valid.
5. In matters not covered by the Personal Data Protection Policy, the provisions on personal data protection shall apply.