Data Protection Policy

1. Purpose and Scope

This Data Protection Policy outlines how SharpNet Development ("we," "us," or "our") handles personal data in accordance with data protection principles and legal requirements.

1.1 Applicability

This policy applies to:

• All personal data processed by SharpNet Development
• All mobile applications and services we provide
• All employees, contractors, and third-party processors
• All data subjects whose personal data we process

1.2 Policy Objectives

• Ensure lawful, fair, and transparent data processing
• Protect the rights and freedoms of data subjects
• Maintain data accuracy, security, and confidentiality
• Enable accountability and compliance demonstration

2. Data Protection Principles

We process personal data in accordance with the following principles:

2.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about data processing through our Privacy Policy and other notices.

2.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

2.3 Data Minimization

We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

2.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

2.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

2.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure data security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

2.7 Accountability

We are responsible for and can demonstrate compliance with data protection principles.

3. Legal Basis for Processing

We process personal data only when we have a valid legal basis. The following table outlines our legal bases for different types of processing:

4. Data Subject Rights

We respect and facilitate the exercise of data subject rights under GDPR and other applicable laws.

4.1 Right of Access (Article 15 GDPR)

• Confirmation of whether we process your personal data
• Access to your personal data
• Information about processing purposes, categories, and recipients
• Response time: Within 30 days of request

4.2 Right to Rectification (Article 16 GDPR)

• Correction of inaccurate personal data
• Completion of incomplete data
• Available through app settings or by contacting us

4.3 Right to Erasure (Article 17 GDPR)

• Deletion of personal data (subject to legal exceptions)
• Account deletion available in app settings
• Complete data erasure within 90 days

4.4 Right to Restriction (Article 18 GDPR)

• Limit processing while accuracy is verified
• Restrict processing if unlawful but deletion not desired
• Maintain data needed for legal claims

4.5 Right to Data Portability (Article 20 GDPR)

• Receive personal data in structured, machine-readable format
• Transmit data to another controller
• Available for data processed by automated means based on consent or contract

4.6 Right to Object (Article 21 GDPR)

• Object to processing based on legitimate interests
• Object to direct marketing (absolute right)
• Object to profiling and automated decision-making

4.7 Right to Withdraw Consent

• Withdraw consent at any time
• Does not affect lawfulness of processing before withdrawal
• Easy withdrawal mechanisms provided

4.8 Right to Lodge a Complaint

• File complaint with supervisory authority
• Contact details of relevant authority provided upon request
• We encourage contacting us first to resolve concerns

5. Data Security Measures

5.1 Technical Measures

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC) and multi-factor authentication
• Network Security: Firewalls, intrusion detection/prevention systems
• Secure Development: Security-by-design principles, OWASP guidelines
• Monitoring: 24/7 security monitoring and logging
• Vulnerability Management: Regular security assessments and penetration testing

5.2 Organizational Measures

• Policies and Procedures: Documented security policies and incident response plans
• Training: Regular data protection training for personnel
• Confidentiality: Confidentiality agreements with all staff and contractors
• Vendor Management: Due diligence and contracts with third-party processors
• Business Continuity: Backup and disaster recovery procedures

5.3 Cloud Security

We utilize enterprise-grade cloud providers with strong security certifications:

• ISO 27001 certified infrastructure
• SOC 2 Type II compliance
• Regular third-party security audits
• Geographically distributed backup systems

6. Data Breach Notification

6.1 Breach Detection and Response

We have implemented procedures to detect, report, and investigate personal data breaches:

• Automated monitoring and alerting systems
• Incident response team and escalation procedures
• Breach assessment within 24 hours of detection
• Containment and remediation measures

6.2 Notification to Supervisory Authority

In case of a personal data breach likely to result in a risk to individuals' rights and freedoms:

• Notification to relevant supervisory authority within 72 hours
• Description of nature, categories, and approximate number of affected individuals
• Contact details of Data Protection Officer or contact point
• Description of likely consequences and measures taken

6.3 Notification to Data Subjects

If the breach is likely to result in a high risk to individuals:

• Direct notification to affected individuals without undue delay
• Clear and plain language explanation of the breach
• Advice on protective measures individuals can take
• Contact information for further inquiries

7. Data Processing Records

We maintain comprehensive records of processing activities, including:

• Name and contact details of the controller
• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• International data transfers (if applicable)
• Retention periods
• Security measures

8. Third-Party Processors

8.1 Processor Selection

We only engage processors that provide sufficient guarantees of appropriate technical and organizational measures.

8.2 Data Processing Agreements

We enter into written contracts with all processors that:

• Define the subject matter and duration of processing
• Specify the nature and purpose of processing
• Outline processor obligations and controller instructions
• Include confidentiality commitments
• Ensure appropriate security measures
• Address sub-processor engagement
• Facilitate data subject rights
• Require assistance with compliance obligations

8.3 Current Processors

9. International Data Transfers

9.1 Transfer Mechanisms

When transferring personal data outside the EEA, we ensure appropriate safeguards:

• Adequacy Decisions: Transfers to countries with adequacy decisions by EU Commission
• Standard Contractual Clauses: EU-approved SCCs with third-party processors
• Binding Corporate Rules: For intra-group transfers (if applicable)
• Derogations: Explicit consent or contract performance when necessary

9.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments to evaluate:

• Laws and practices in the destination country
• Supplementary measures needed beyond SCCs
• Practical implementation of safeguards
• Ongoing monitoring of transfer safety

10. Data Protection Impact Assessments (DPIA)

We conduct DPIAs for processing operations likely to result in high risk to individuals, including:

• Systematic and extensive profiling
• Large-scale processing of special category data
• Systematic monitoring of publicly accessible areas
• Use of new technologies

10.1 DPIA Process

1. Identify need for DPIA based on screening criteria
2. Describe processing and its purposes
3. Assess necessity and proportionality
4. Identify and assess risks to individuals
5. Determine measures to mitigate risks
6. Document DPIA outcomes and decisions
7. Consult supervisory authority if high risk remains

11. Children's Data

We do not knowingly process personal data of children under 13 (or 16 in the EEA) without parental consent.

• Age verification mechanisms in place
• Parental consent obtained where required
• Special protections for children's data
• Immediate deletion upon discovery of non-compliant processing

12. Retention and Disposal

12.1 Retention Periods

12.2 Secure Disposal

• Secure deletion methods (DoD 5220.22-M standard or equivalent)
• Cryptographic erasure of encrypted data
• Physical destruction of hardware when necessary
• Certificate of destruction for sensitive data

13. Compliance and Accountability

13.1 Data Protection Officer (DPO)

Contact our Data Protection Officer:

• Email: dpo@sharpnet.pl
• Responsibilities: Monitor compliance, advise on obligations, act as contact point

13.2 Regular Audits and Reviews

• Annual data protection compliance audits
• Quarterly review of processing activities
• Regular assessment of security measures
• Continuous monitoring of regulatory changes

13.3 Documentation

We maintain comprehensive documentation including:

• Records of processing activities
• Data protection impact assessments
• Consent records and withdrawal requests
• Data subject requests and responses
• Data breach incident reports
• Processor contracts and agreements

14. Policy Review and Updates

This Data Protection Policy is reviewed and updated:

• At least annually
• When there are changes to processing activities
• When there are changes to applicable laws
• Following data breaches or significant incidents
• Upon recommendation from audits or DPO