DATA SECURITY POLICY
Doc. version: 1.0
Changes: Basic version
Last changed: 25.05.2018
TABLE OF CONTENTS
5. Protection of personal data in the Company – general principles.
5.1. Pillars of protection of personal data in the Company:
5.2. Data protection rules.
5.3. Data protection system…
6. Register of Personal Data Processing Activities.
7. Register of Personal Data Processing Activities Categories.
8. The manner of handling the rights of an individual and the fulfilment of information obligations.
9. Information obligations.
10. Natural person’s requests.
14. Data export.
15. Privacy design.
16. Final provisions.
1. This document entitled “Personal Data Protection Policy” (hereinafter referred to as Policy) is intended as a map of the requirements, rules and regulations of personal data protection in Fully Verified Private limited company in Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, registry code 14455170 (hereinafter referred to as the Company).
This Policy is a policy of personal data protection within the meaning of the GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repeal of Directive 95/46/EC (general regulation on data protection) (OJ EU L 119, p. 1).
2. The Policy includes:
1) description of data protection rules in force at the Company;
2) references to annexes that establish procedures and instructions regarding individual areas in the field of personal data protection;
3) the Management Board of the Company is responsible for the implementation and maintenance of this Policy.
3. The Company ensures compliance of the Company’s contractors’ conduct with this Policy in an appropriate scope when personal information is transferred to them by the Company, in particular by means of the data entrustment model, which constitutes Annex No. 1 to this document.
4. Abbreviations and definitions:
Policy means this Policy for the protection of personal data, unless it is otherwise clear from the context.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1).
The data means personal data, unless it is otherwise clear from the context.
The person means the person to whom the data relates, unless it is otherwise clear from the context.
Processing entity means an organization or person entrusted with the processing of personal data by the Company
Data export means the transfer of data to a third country or an international organization.
RCPD or Registry means the Register of Personal Data Processing Activities.
The company means Fully Verified Private limited company in Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, registry code 14455170
5. Protection of personal data in the Company – general principles
5.1. Pillars of personal data protection in the Company:
1) Legality – the Company cares for the protection of privacy and processes data in accordance with the law.
2) Security – the Company ensures an appropriate level of data security by constantly taking action in this area.
3) Rights of the Entity – the Company enables persons whose data it processes to exercise their rights and implements these rights.
4) Accountability – the company documents how it fulfills its obligations to be able to demonstrate compliance at any time.
5.2. Data protection rules
The company processes personal data respecting the following principles:
1) based on the legal basis and in accordance with the law (legalism);
2) fairly and honestly (reliability);
3) in a transparent manner for the data subject (transparency);
4) for specific purposes and not “just in case” (minimization);
5) no more than necessary (adequacy);
6) with care for the correctness of data (correctness);
7) no longer than necessary (temporality);
8) ensuring adequate data security (security).
5.3. Data protection system
The system of personal data protection in the Company consists of the following elements:
1) Data inventory. The company monitors the data in its possession and verifies them
2) Record. The Company maintains a register of processing activities for data of which it is an administrator (Annex No. 2) and a register of processing activities categories for data that have been entrusted to it (Annex No. 3)
3) Legal basis. The company provides, identifies and verifies the legal grounds for data processing
4) Handling of individual rights. The company fulfills the information obligations towards the persons whose data it processes, and ensures the service of their rights, implementing the requests received in this regard, including:
a) Information obligations. The company provides legal persons with the required information when collecting data based on the model set out in Annex 4;
b) Ability to make requests. The company verifies and ensures the possibility of effective implementation of each type of request by itself and its processors;
c) Handling of requests. The company handles the requests of the persons whom the data concern using the contact point on the website ………… The handling of each request is documented on the application form for exercising the rights of the data subject, the model of which is attached as Annex 5.
5) Procedure for reacting to violations. The company uses procedures to respond to data breaches, the scheme of which is shown in Annex 6
6) Minimization. The company has principles and methods of managing the minimization (privacy by default), including:
a) data adequacy management principles;
b) principles of regulation and management of data access;
c) rules for managing the period of data storage and verification of further suitability;
7) Security. The company ensures an adequate level of data security, including:
a) carries out impact assessments on data protection where the risk of violation of the rights and freedoms of persons is high;
b) adapts data protection measures to the risks identified;
c) has a basic policy for managing the IT system, which is Annex No. 7 to this document;
d) applies procedures to identify, assess and report identified data breaches to the Data Protection Authority – manages incidents.
8) The processor. The Company selects the entities that process data for the benefit of the Company based on their reliability, the level of data security provided, and their certificates and reputation.
9) Data export. The Company has rules for verifying that it does not transfer data to third countries, i.e. entities processing data on behalf of the Company are required to obtain written consent for further data entrustment, so that the Company can verify the safety of such operations in advance.
10) Privacy by design. The company manages changes affecting privacy. To this end, the procedures for launching new projects and investments in the Company take into account the need to assess the impact of changes on data protection, ensuring privacy (including compliance of processing goals, data security and minimization) already at the design stage of change, investment or at the beginning of a new project.
6. Register of Personal Data Processing Activities
6.1. The Registry is a form of documenting data processing activities. It acts as a data processing map and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based – the principle of accountability.
6.2. The Company maintains a Data Processing Data Record in which it reviews and monitors the manner in which it uses personal data.
6.3. The Registry is one of the basic tools enabling the Company to settle most of the data protection obligations.
6.4. The Registry template established in Annex 2 also contains optional columns. In non-mandatory columns, the Company registers information as needed and where possible, taking into account that fuller content of the Register facilitates data protection management and compliance.
6.5. The registry is kept in electronic form.
7. Register of Personal Data Processing Activities Categories
7.1. The Company documents in the Register the legal grounds for data processing for particular processing activities.
7.2. When indicating the general legal basis (consent, contract, legal obligation, vital interests, public task / public authority, legitimate purpose of the Company), the Company describes the basis in a clear way where needed. For example: for consent – indicating its scope; when the law is the basis – indicating a specific provision and other documents, e.g. a contract or administrative agreement; for vital interests – indicating the categories of events in which they materialize; for a legitimate goal – pointing to a specific goal, e.g. self-marketing, redress.
7.3. The company implements methods of managing consents that allow registration and verification of the consent of the person to process its specific data for a specific purpose.
8. The manner of handling the rights of an individual and the fulfillment of information obligations
8.1. The company cares about the readability and style of information provided and communication with the people whose data it processes.
8.2. The company makes it easier for people to exercise their rights through various activities, including: posting on the Company’s website information, or references to information, on the rights of individuals, how to exercise them in the Company, including identification requirements, methods of contacting the Company, including order, optional price list of “additional” requests, etc.
8.3. The company cares for keeping the legal deadlines for the performance of obligations towards persons.
8.4. The company introduces adequate methods of identification and authentication of persons for the purposes of the implementation of individual rights and information obligations.
8.5. In order to exercise the rights of the entity, the Company provides procedures and mechanisms to identify the data of specific persons processed by the Company, integrate these data, introduce changes to them and delete them in an integrated manner.
8.6. The company documents the handling of information obligations, notifications and requests of persons by means of entry reports, which constitute attachment no. 5.
9. Information Obligations
9.1. The company defines lawful and effective means of performing information obligations.
9.2. The company informs the person about an extension of the deadline for considering that person’s request beyond one month.
9.3. The company informs the person about the processing of its data when collecting data from that person.
9.4. The company informs the person about the processing of its data when collecting data about that person other than directly from that person.
9.5. The company informs the person about the planned change of the purpose of data processing.
9.6. The company informs the recipients of data about rectification, deletion or limitation of data processing (unless it will require a disproportionately large effort or will be impossible).
9.7. The company informs the person about the right to object to the processing of data at the latest at the first contact with that person.
9.8. The Company informs the person without undue delay about the breach of personal data protection, if it may cause a high risk of violating the rights or freedoms of that person in accordance with the Map of infringements established in Annex No. 6.
10. Natural person’s requests
10.1. Rights of third parties.
In implementing the rights of data subjects, the Company introduces procedural guarantees to protect the rights and freedoms of third parties. In particular, when reliable information is received that the execution of a person’s request for a copy of the data or the right to transfer the data may adversely affect the rights and freedoms of others (e.g. rights related to the protection of other people’s data, intellectual property rights, trade secrets, personal rights, etc.), the Company may ask the individual to clarify doubts or take other lawful steps, including refusal to comply.
10.2. No processing.
The company informs the person that it does not process data concerning it, if such a person has made a request regarding its rights.
The company informs the person, within one month of receiving the request, of refusing to consider the request and the rights of the person related to it.
10.4. Access to the data.
At a person’s request for access to their data, the Company informs the person whether it processes their data and informs the person about the details of processing, in accordance with Art. 15 GDPR (the scope corresponds to the information obligation when collecting data), and also gives the person access to the data concerning him/her.
10.5. Correction of data.
The company corrects incorrect data at the person’s request. The company has the right to refuse to rectify the data, unless the person reasonably demonstrates the irregularity of the data whose rectification he or she demands. In the case of data rectification, the Company informs the person about the recipients of the data at the request of that person.
10.6. Completion of data.
The company supplements and updates data at the request of a person. The company has the right to refuse to supplement the data if the supplement would not be compatible with the purposes of data processing (e.g. the Company does not have to process data that is unnecessary to the Company). The Company may rely on a statement of the person regarding the data to be completed, unless this is insufficient in the light of the procedures adopted by the Company (e.g. regarding obtaining such data), the law or grounds to consider the statement unreliable.
10.7. Deletion of data.
At the request of a person, the Company deletes data when:
1) data are not necessary for the purposes for which they were collected or processed for other purposes,
2) the consent for their processing has been withdrawn, and there is no other legal basis for the processing,
3) the person has submitted effective objection to the processing of such data,
4) the data was processed unlawfully,
5) the necessity of removal results from the legal obligation.
10.2. Processing limitation.
The Company limits data processing at the request of a person when:
1) the person questions the correctness of the data – for a period allowing to check their correctness,
2) the processing is unlawful, and the data subject opposes the removal of personal data, requesting instead to limit their use,
3) The Company no longer needs personal data, but it is needed by the data subject to determine, assert or defend claims,
4) the person has objected to the processing for reasons related to its special situation – until it is determined whether the Company has legally justified grounds overriding grounds of objection.
During the processing restriction, the Company stores data but does not process it (does not use it, does not transmit it) without the consent of the data subject, unless to establish, investigate or defend claims, or to protect the rights of another natural or legal person, or because of important public interest considerations.
The company informs the person before revoking the processing limit.
In the case of limiting the processing of data, the Company informs the person about the recipients of the data at the request of that person.
10.3. Data transfer.
At the request of a person, the Company issues, in a PDF file if possible, the data concerning that person which the person provided to the Company and which is processed in the Company’s IT systems on the basis of the person’s consent or in order to conclude or perform a contract concluded with the person.
The company cares about minimizing data processing in terms of:
1) the adequacy of the data for purposes,
2) access to data,
3) time of data storage.
11.1. Minimizing the scope.
The company verified the scope of acquired data, the scope of their processing and the amount of data processed in terms of adequacy for purposes of processing as part of the implementation of the GDPR.
The Company periodically reviews the amount of data processed and the scope of its processing at least once a year.
11.2. Minimizing the access.
The company applies restrictions on access to personal data: legal, technical and organizational. The company updates access rights upon changes in the composition of staff and changes in the roles of persons, as well as changes in the processing entities.
The company periodically reviews established system users and updates them at least once a year.
The detailed rules of the above procedures are described in the Data Storage and Use Rules, which constitute Annex No. 8.
11.3. Minimizing time.
The Company implements life-cycle data protection mechanisms in the Company, including verification of the further suitability of the data in relation to the dates and control points indicated in the Register.
Data whose scope of use is limited with the passage of time are removed from the Company’s production systems, as well as from handheld and main files. Such data may be archived and be stored on back-up systems and information processed by the Company. Procedures for archiving and using archives, creating and using backup copies take into account the requirements of control over the data life cycle, including data deletion requirements.
The company provides a level of security corresponding to the risk of violation of the rights and freedoms of individuals as a result of the processing of personal data by the Company.
12.1. Risk analysis and adequacy of security measures
1) The company carries out and documents the adequacy analysis of personal data security measures. For this purpose:
2) The Company ensures an appropriate state of knowledge on information security, cybersecurity and business continuity – either internally or with the support of specialized entities.
3) The Company conducts analyses of the risk of violation of the rights or freedoms of individuals for data processing activities or categories of data. The Company analyzes possible situations and scenarios of personal data breach taking into account the nature, scope, context and purposes of processing, the risk of violation of the rights or freedoms of individuals with varying likelihood of occurrence and the severity of the threat.
4) The Company determines the organizational and technical security measures that can be applied and assesses the cost of their implementation. In doing so, the Company determines the suitability of, and applies, such measures and approaches as:
b) encryption of personal data,
c) other cyber-security measures consisting of the ability to continually ensure the confidentiality, integrity, availability and resilience of processing systems and services,
d) measures to ensure business continuity and to prevent the consequences of disasters, i.e. the ability to quickly restore the accessibility and access to personal data in the event of a physical or technical incident.
The risk analysis is attached as Annex 9.
12.2. Impact assessment for data protection
The Company evaluates the effects of planned processing operations for the protection of personal data where, in accordance with the risk analysis, the risk of violating the rights and freedoms of persons is high.
The Company applies the impact assessment methodology adopted at the Company.
12.2. Security measures
The company applies the security measures established as part of the risk analyses, the analyses of the adequacy of security measures, and the impact assessments for data protection.
Personal data security measures are part of information security measures and provide cyber security in the Company and are described in more detail in the procedures adopted by the Company for these areas.
12.3. Data breach report
The Company uses procedures to identify, assess and report identified data breaches to the Data Protection Authority within 72 hours of the establishment of the infringement.
13.1. Each time, the Company verifies the entities that process data for the Company, in order to ensure that the processors provide sufficient guarantees to implement appropriate organizational and technical measures to ensure security, implementation of individual rights and other data protection obligations incumbent on the Company.
13.2. The Company has adopted the minimum requirements as to the contract for entrusting data processing, constituting Annex No. 2 to the Policy – “Template for entrusting the processing of data”.
13.3. The company holds processors accountable for their use of sub-processors, as well as for other requirements arising from the Principles of entrusting personal data.
13.4. The Company requires processors to conclude with their subcontractors a contract for entrusting data whose content corresponds to the template adopted by the Company.
13.5. Derogation from the rule provided for in paragraph 13.4 is possible only with the consent of the Company and only if the data processing, due to the scale, categories of data, and other factors, indicates that the data will be processed in a secure manner.
14. Data export
The company registers in the Register cases of data export, that is, data transmission outside the European Economic Area (EEA in 2017 = European Union, Iceland, Liechtenstein and Norway).
To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services (shadow IT), the Company periodically verifies the behavior of users and, where possible, provides equivalent solutions that comply with data protection law.
15. Privacy design
15.1. The company manages the change affecting privacy in such a way as to enable adequate security of personal data and minimize their processing.
15.2. To this end, the principles of project and investment management by the Company refer to the principles of personal data security and minimization, requiring an impact assessment on privacy and data protection, consideration and design of security and minimization of data processing from the beginning of the project or investment.
16. Final provisions
16.1. This policy has been adopted unanimously by the Management Board of the Company.
16.2. The Management Board of the Company undertakes to supervise compliance with the Policy and perform its duties.
16.3. The Management Board of the Company undertakes to update this policy along with the development of the company, which will be documented on page 1 of the contract in the document’s history table.
The policy comes into force on May 25, 2018.