Personal Data Protection Policy

An Abridgement for Clients



Appendix A. A Description of Technical and Organisational Measures Employed by ABS S.A. to Ensure the Protection of Processed Personal Data

Asseco Business Solution S.A. maintains an Information Security Management System (ISMS) dovetailed with the requirements of the ISO/IEC 27001 standard. The ISMS is a strategy for ensuring proper protection of information processed within the Company. The strategy is envisaged to support the continuous enhancement of measures aimed at optimising risks associated with security breaches of information, in particular personal data, and potential violations of the rights or freedoms of individuals.

The security of information processed by Asseco BS rests upon the following organisational and technical safeguards:

  1. Information Security Policy
    The Company has an Information Security Policy in place. Within the policy, the Management Board defined information security objectives and expressed support for and commitment to the protection of information processed in the Company, while undertaking to meet any legal and corporate obligations related thereto.
  2. Personal Data Protection Policy
    The Personal Data Protection Policy is yet another crucial internal document. It sets out the terms of personal data processing that ensure its lawfulness, fairness, transparency, purpose limitation, minimisation, storage limitation, integrity, and confidentiality.
  3. Organisation of information security
    Asseco BS has established an in-house structure that is in charge of supervising the effective implementation and application of the Information Security Policy and the Personal Data Protection Policy as well as of continuous enhancement of the security processes in place. The Management Board has established the roles of Data Protection Officer, GDPR Coordinator, ISMS Coordinator, and Security and Business Continuity Director. These roles are responsible for implementing and enhancing security principles, including concerning personal data protection, in accordance with the objectives set by the Management Board.
  4. Human resource security
    The Company’s personnel, including its associates, are trained in the principles of information security and personal data protection. They enter into confidentiality agreements covering all information considered a business secret, including clients’ data.
  5. Asset management
    Asseco BS has identified its key information assets. The Company has drawn up and implemented internal security policies that mandate the use of security measures that correspond to the criticality and sensitivity of information assets.
  6. Access control
    The Company has defined and applies information access control rules. Personnel authorised to process personal data are granted minimum access rights to data depending on their function requirements and tasks performed.
  7. Access to IT systems and network and infrastructure elements
    Each person at the Company authorised to access an IT system, element of IT infrastructure or network is assigned a unique ID that cannot be linked to another person. User identification is performed through secure data transmission methods for authentication, with access passwords configured to change at predefined intervals.
  8. Cryptography
    The Company employs cryptographic controls for workstations, mobile devices, electronic mail, and data transmitted to external IT networks; these means correspond to the degree of sensitivity of processed information and the form and purpose of processing.
  9. Physical and environmental security
    Keys, access codes, and access rights in the system of access control to zones and premises in which personal data is processed are assigned to persons authorised to process personal data to the extent required for a specific function or scope of tasks. Buildings, zones, premises or parts thereof in which personal data is processed are protected against access by unauthorised persons. Persons not authorised to enter premises where personal data is processed may only remain there under the supervision of authorised personnel.
  10. Acquisition, development, and maintenance of systems
    Asseco BS is actively engaged in the processes of acquisition, development, and maintenance of IT systems in a supervised manner that guarantees the desired level of information security. These processes include, among other things:
    • taking account of appropriate security requirements for new or enhanced IT systems,
    • multi-level testing of IT systems and their enhancements,
    • protection of confidentiality, authenticity, and integrity of information through system-embedded mechanisms,
    • separation of the development and test environments from the production ones,
    • supervision over access to software source codes,
    • proper management procedures, including software change/update controls.
  11. Vendor relationships
    The quality and safety of the services provided are continuously monitored and measured. Information safeguards are determined on a case-by-case basis during the vendor selection process in order to account for risks related to external access to corporate information. When defining security requirements, contractual and legal requirements are taken into account.
  12. Management of information security incidents, including data breaches
    The Company has an incident management procedure in place aligned with the industry’s best practice. Each reported incident is carefully investigated for possible causes. As part of the incident response process, corrective and improvement measures are put in place to minimise the likelihood of re-occurrence.
  13. Information security aspects in business continuity management
    The Company has a Business Continuity Management System in place governed by the Business Continuity Policy. The Company’s operation in a crisis situation and the recovery procedure are described in the business continuity plans and contingency plans for the Company’s individual products. Requirements regarding information security and continuity of access to information in crisis situations are considered at the stage of designing business continuity plans.

A list of the main technical and organisational measures that ensure safe and correct operations and protection of personal data

I. Minimum organisational measures
  1. The following have been drawn up and implemented:
    • Information Security Policy
    • Personal Data Protection Policy
    • Business Continuity Policy
  2. A Data Protection Officer has been appointed who supervises compliance with the personal data protection requirements as well as performing the tasks listed in Article 39 GDPR.
  3. Persons engaged in data processing are required to partake in personal data protection training and be cognizant of the relevant personal data protection regulations.
  4. Persons engaged in data processing undertake to keep the data confidential. They make a commitment thereto in a relevant declaration.
  5. Only authorised members of the personnel are allowed to process personal data.
  6. A clean desk and clean screen policy have been put in place (the automatic locking of computer screens after leaving a workstation, no documents left on desks, closed cabinets, etc.).
  7. Regular audits/checks of data processing security are carried out.
  8. An effective procedure for data breach event/incident reporting has been implemented.
II. Minimum technical data protection measures
  1. Access management.
    • The assignment and modification of information access rights follow the least privilege principle and a need-to-know basis.
    • Access management – access to IT resources and data is secured by means of authentication and authorisation mechanisms.
    • Privileged access rights – the least privilege principle applies, ensuring that access rights are granted only at the required level and only to necessary resources.
  2. Full accountability is ensured for access to resources. Secure authentication:
    • Standard and privileged accounts are separated.
    • The use of complex authentication measures, such as 12-character passwords, mandatory special characters, and enforcement of a password policy.
    • Proper protection of stored passwords (technical safeguards and encryption, secure password transmission and recovery mechanisms).
    • Verification of the identity of individuals who have been granted access; the use of unique user access IDs.
    • Safe access policies in line with MFA or CAS as best practice.
  3. Computers on which data processing is carried out
    • have an up-to-date operating system supported by the vendor,
    • have a system firewall up and running,
    • have up-to-date malware protection systems,
    • have encrypted hard drives protected by strong encryption protocols,
    • have password-protected screen savers,
    • can be accessed only by authorised users (identity and authorisation check).
  4. Mobile devices (smartphone, tablet) on which personal data is processed:
    • have an up-to-date operating system supported by the vendor,
    • have up-to-date malware protection systems,
    • have their memory encrypted,
    • have access protected by user identity verification mechanisms.
  5. A firewall system is in place to secure access to the computer network.
  6. External and internal communications are encrypted using strong encryption protocols.
  7. Safeguards are provided when connecting devices to LANs and WLANs; network separation and segmentation is applied along with the isolation of required VLAN virtual subnets.
  8. Optional VPN links enabling secure access to systems are available.
  9. Network traffic and operating systems are monitored 24/7/365.
  10. Multi-level system access security is applied for critical roles (2-factor authentication).
  11. Security audits are carried out to detect system vulnerabilities that might increase the risk of unauthorised access.
  12. Data leak prevention procedures are in place; the services are rendered by a team of the Cybersecurity Department equipped with SIEM tools to screen for vulnerabilities and threats from the network, server, and application infrastructure, as well as user workstations.
III. Minimum physical data protection measures
The physical and environmental data security measures are based on the following approach:
  1. Server rooms (special zones) – Asseco BS has three Data Processing Centres (DPC), all in Lublin. Each DPC’s premises, including the technical rooms, meet the requirements for improved security structures, i.e. non-flammable building framework, completely non-flammable materials used in the server room, fire protection installation with 24/7 monitoring, automatic inert gas extinguishing system, and VESDA (very early smoke detection apparatus).
  2. The DPCs are secured by a special system of keys and locks. They enable access to the buildings and specific zones (premises) only by authorised persons having a system key. Access to the most sensitive areas is further secured by an access card system recording entries and, in the case of special-purpose rooms, also exits.
  3. Physical protection of offices, rooms, and facilities by means of physical security systems, such as a fire detection system with an automatic extinguishing system and a modular precision air-conditioning system (only in separate rooms – DPC zones), security supervision, central locking system, and a burglary or assault supervised alarm system.
  4. Power supply and its monitoring – the DPCs are equipped with a Level 2 emergency power supply system. All resources in the server room are secured by a dedicated, redundant, modular UPS system. The other level is power generators which can deliver up to 48 h of power supply without refuelling (refuelling possible at work), thus ensuring an uninterrupted power supply for the Company’s IT systems.
  5. The DPC premises are equipped with modular air conditioners that maintain a constant temperature and humidity in the server rooms. This duplicated installation can be powered from a backup source if necessary.
  6. The Company has systems in place to monitor the physical security of its premises. They include an anti-burglar system, a fire protection system, a video monitoring/CCTV system, electronic monitoring measures (with text notification to selected Company staff), controlled entry, controlled movement between designated zones in the building, exit from the premises using an access control system, and 24/7 monitoring by a security company.

Detailed information regarding the Statement of Applicability (SoA) is available upon a client’s request.

updated: 28 Jan 2025