
25 Oct. 2017

Privacy Policy

 

Contents

  • Records of data processing activities
  • INTRODUCTION
  • GENERAL DATA PROTECTION REGULATION (GDPR) RELATED DEFINITIONS
      What is personal data? / Data Controller / Data Processor / Data Protection Incident
  • WHAT ACRM DOES TO PROTECT PERSONAL DATA
  • RULES ON THE STORAGE OF PERSONAL DATA
  • RECORDS
      Record keeping / Incident handling rules
  • SALESFORCE’S OWN POLICIES
  • PRACTICAL GUIDES
      Project data migration
  • TEMPLATES
      Protocol for deletion of personal data / Incident alert email
  • Register of data processing activities

INTRODUCTION

 

This document is a guide to the data management and processing procedures of Attention CRM Consulting Ltd (ACRM), and should be read in conjunction with the Company’s policies in force from time to time.

 

The Data Protection Officer (DPO) appointed by the Company monitors the data processing activities. The DPO acts as an internal advisor and provides information and assistance to the staff who process personal data. The DPO also cooperates with the supervisory authority (DPA) and acts as the contact point for the authority and for data subjects.

 

GENERAL DATA PROTECTION REGULATION GDPR RELATED DEFINITIONS

 

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

 

https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:32016R0679&from=HU

 

The General Data Protection Regulation applies to personal data stored both in IT systems and on paper, and to both automated and manual processing.

 

What is personal data?

 

Personal data is any information relating to an identified or identifiable living individual. Information that, on its own or combined with other data, can lead to the identification of a particular person is also personal data.

 

This personal information may come to the attention of the company in various ways, e.g. by filling in a form on a website, applying for a job, attending an event, or by contacting us by email, telephone or chat message.

 

Examples of personal data

 

Surname and first name; address; personal email addresses such as surname.firstname@company.com; ID card number; location data (e.g. from a mobile phone’s location function); IP address; in some cases a cookie identifier.

 

Examples of data that is not personal data

Company registration number; role-based email addresses such as info@company.com; anonymised data.

 

Data Controller

 

The controller is the party that determines the purposes and means of the processing of personal data. Where ACRM decides why and how personal data is processed, the company is the data controller, and the employees who carry out that processing do so to fulfil ACRM’s role as controller.

 

ACRM acts as a data controller in its role as an employer and in its marketing activities.

 

Data processor

 

The processor is the party that stores and processes personal data solely on behalf of, and on the instructions of, the controller.

 

ACRM’s core business is the provision of IT solutions, which typically places the company in the data processor role.

 

Data Protection Incident

 

A data protection incident (data breach) occurs when personal data for which ACRM is responsible is affected by a security incident that compromises its confidentiality, integrity or availability, i.e. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the data. In such a case it is presumed that the rights of the data subjects may be affected, and the company is obliged to report the incident without undue delay after becoming aware of it.

 

Where ACRM is the controller, it must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

 

Where ACRM is a data processor, it must notify the data controller of the breach without undue delay.

 

WHAT ACRM DOES TO PROTECT PERSONAL DATA

 

Based on a review of the company’s business areas and business management processes, ACRM ensures the following control steps and processes for the protection of personal data.

 

Privacy Notices.

 

Use Restrictions.

 

Security: the existence of administrative, physical, and technological safeguards to prevent unauthorized access, use, alteration, disclosure, or deletion of personal information.

 

Rights of data subjects: maintaining mechanisms and procedures to document and manage the consent of data subjects to the processing of personal data, to enable a response to complaints, requests for modification and requests for erasure.

 

Suppliers: ensuring that transfers of personal data to or from suppliers and other third parties that collect or receive personal data, whether within or outside the EU, have a lawful basis in the data processing contracts or contractual clauses concluded with them.

 

Incident management: the process for detecting and responding to security breaches to ensure that the breach is remedied and all necessary parties are notified.

 

Education: Provide training for employees on data protection policies, processes and requirements, and share awareness notices of concerns and suspicious processing activities. Training takes place twice a year in the last week of February and the last week of September. Attendance is recorded in the form of an attendance sheet.

 

Business confidentiality: by signing an employment contract, employees of the Company undertake to keep all business secrets of which they become aware in the course of their work and to safeguard essential information relating to the Company and its activities. In addition, they must not disclose to any unauthorised person any information which they have acquired in the course of their employment and the disclosure of which would be prejudicial to the Company or any other person. This obligation of confidentiality shall apply to Employees without time limitation in the event of termination of employment.

 

RULES ON THE STORAGE OF PERSONAL DATA

 

The Company may collect and use personal data without the data subject’s consent only where one of the following applies:

  • the data subject has entered into a contract with the company, for example for the provision of services or to establish an employment relationship (employment contract);

  • the processing is necessary to comply with a legal obligation, for example when the company, as an employer, reports salary data to the competent authorities for social security purposes;

  • the processing is necessary to protect the vital interests of the data subject, for example to protect his or her life;

  • the processing is necessary for the purposes of the legitimate interests pursued by the controller, for example processing strictly necessary to ensure the security of the company’s networks and information systems (GDPR Recital 49).

In all other cases, the company must obtain the data subject’s prior consent to the collection of their personal data.

 

The scope of the data processed under a service contract is specified by the client, who is the data controller, as set out in the service contract.

 

Each data processing operation must be reviewed to establish whether it is lawful and what purposes it serves, and it must be identified which processing cannot continue in the absence of a legal basis. Databases, records and lists that are processed without a legal basis or without a legitimate purpose must be destroyed or erased (scrapping, shredding, deletion of files).

 

Electronic data

 

Data provided in an electronic format, e.g. data provided by email, form, electronic storage medium.

 

Paper-based data

 

The creation of paper or electronic copies of paper documents (including the transmission of personal data by e-mail) shall be kept to the minimum necessary for the performance of the task.

 

Access, access rights

 

A Center of Excellence team has been established within the company, whose responsibilities include the ongoing management of the documentation of project tasks within the scope of the company’s services, including the operational control of access rights.

 

The laptops the company provides to employees for work purposes are protected against unauthorised access: biometric identification, two-factor authentication, screen protection and automatic lock-out on inactivity. ACRM staff may only access the systems from their own company computer. The machines are set to install operating system updates automatically. Access to servers is strictly limited and managed by Salesforce. Access to Attention CRM Consulting’s office is secured by a security desk service and access cards.

 

Password requirements and authentication:

  • Minimum 7 characters, including a number and a capital letter.

  • All internal network application access requires two-factor authentication.

Information is transferred to customers or internal staff in compressed, encrypted form during service processes:

  • case management (Salesforce Enterprise Edition): uploaded to this system;

  • external / internal communication: instant, authenticated messaging in Google Workspace or, on the client side, in Microsoft Teams;

  • data storage processes: Google Workspace or Microsoft SharePoint.

 

Rules for deletion, transfer of personal data

 

Personal data must be protected against unauthorised or unlawful processing and to prevent accidental or unlawful destruction, loss, alteration or damage, unauthorised disclosure of or access to personal data.

 

USB – Data media containing personal data are stored off-line in a lockable cabinet. A dedicated technical environment is required to deactivate a USB device. Client data on USB drives is handled and stored only at the client’s explicit request, with agreed deletion times and handling.

 

When deleting personal data, paper documents shall be shredded, while for computer databases a hard-delete command of the application or database and/or multiple overwriting of the storage area shall be used in accordance with the applicable IT security rules. Personal data shall be erased in such a way that its recovery is no longer possible. Note that overwriting in place is only reliable for magnetic media: on SSDs and USB flash drives, wear levelling can leave copies of the data outside the overwritten area, so such devices should be sanitised with the manufacturer’s secure-erase function or physically destroyed.

 

Electronic data media are disposed of through a system supported by an external accounting service provider. Until final destruction, the data or the device containing the data medium is kept in an individually locked depot.

 

RECORDS

 

Data backup

 

The company performs nightly automated backups to a Synology NAS device.

 

Record keeping

 

The company must be able to demonstrate that as a data controller it acts in accordance with the General Data Protection Regulation and fulfils all its obligations. One way to do this is to keep detailed records of, among other things, the following:

 

  • the names and contact details of the persons who carry out the processing,

  • the contact details and contact persons of the data controllers,

  • the reason(s) (purposes) for processing the personal data,

  • the reasons for the transfer of personal data to another country or to another organisation,

  • the duration of the storage of the personal data,

  • a description of the security measures applied when processing personal data.

 

The DPO shall ensure that the procedures and guidelines for data processing are regularly reviewed and communicated to employees.

 

Where part of the tasks of the service provided by ACRM is contracted to a third party as a data processor, the storage of personal data in the company’s local storage facilities should be kept to a minimum.

 

Incident handling rules

 

Each employee must report without delay, preferably in writing, to his/her line manager and to the designated Data Protection Officer if he/she becomes aware of the occurrence, or the possible occurrence, of an incident that may compromise data protection and security, including situations not covered by the above policies. Notifications are submitted in the company’s internal Salesforce system and trigger an incident alert to the Data Protection Officer, who investigates them. In parallel with the investigation, the client-side DPO and/or contact person(s) are contacted and consulted; the impact is assessed, the response is agreed and coordinated with the client, and its implementation is monitored.

 

The retention period for the notification and related records is the period prescribed for the retention of data relating to the specific purpose of the processing, but not less than 2 years.

 

The detailed rules are recorded in GDPR-03.01_Data Processing Incident.

 

PRACTICAL GUIDES

 

project data migration

 

The following security policies and procedures apply when ACRM performs data migration tasks under a service contract:

 

Client passwords are stored only as one-way salted hashes, never in plaintext.

 

Maintaining system-level user access log entries that include: date, time, user ID, URL or entity ID accessed, operation performed (create, update, delete) and source IP address (if available).

 

Password logging is prohibited.
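To make the three rules above concrete, here is an added Python example written for this page; it is not ACRM’s or Salesforce’s code. It shows a per-password random salt with a one-way key-derivation hash, constant-time verification, and an access-log record carrying the fields listed above that redacts any password-like parameter before the line is written. PBKDF2-HMAC-SHA256 and the 600,000-iteration count stand in for the unnamed "one-way salted hash algorithm", and the field names, the SECRET_FIELDS list and the JSON line layout are assumptions, not ACRM’s format.

```python
"""Added example (not ACRM's code): salted one-way password hashing and an
access-log line in the shape the migration rules describe.

Assumptions: PBKDF2-HMAC-SHA256 stands in for the page's unnamed hash
algorithm; field names, the secret-field list and the JSON layout are
illustrative.
"""
import base64
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Optional

# OWASP's current minimum for PBKDF2-HMAC-SHA256 (assumed; the page names no value).
PBKDF2_ITERATIONS = 600_000

# Parameter names that must never reach a log line ("Password logging is prohibited").
SECRET_FIELDS = frozenset({"password", "passwd", "pwd", "secret", "token", "session_id"})


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'.

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values, which defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: never raise, never accept
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def access_log_entry(user_id: str, target: str, operation: str,
                     source_ip: Optional[str] = None,
                     params: Optional[dict] = None,
                     now: Optional[datetime] = None) -> str:
    """One JSON line with date, time, user ID, URL/entity ID, operation and
    source IP. Any secret-looking parameter is replaced by a marker so a
    password can never be written to the log, even by accident."""
    if operation not in {"create", "update", "delete", "read"}:
        raise ValueError(f"unknown operation: {operation}")
    now = now or datetime.now(timezone.utc)
    safe_params = {
        k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
        for k, v in (params or {}).items()
    }
    record = {
        "date": now.date().isoformat(),
        "time": now.strftime("%H:%M:%S%z"),
        "user_id": user_id,
        "target": target,          # URL or entity ID accessed
        "operation": operation,
        "source_ip": source_ip,    # None when not available
        "params": safe_params,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    stored = hash_password("Correct-Horse-7")   # constructed sample password
    print(stored)
    print(verify_password("Correct-Horse-7", stored), verify_password("wrong", stored))
    # Constructed sample request: the password field must not appear in the line.
    print(access_log_entry("u-42", "/api/contacts/1001", "update",
                           source_ip="203.0.113.7",
                           params={"email": "a@b.example", "password": "hunter2"}))
```

The stored string carries its own salt and iteration count, so the count can be raised later without breaking existing records; verification simply reads the parameters back from the record. Redaction is done by key name on the way into the log, which is the only place it can be enforced reliably.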

 

Our public cloud providers are responsible for ensuring appropriate physical security measures.

 

Access to data for data migration is granted only to designated ACRM employees. Data backed up locally during a migration must be limited to the minimum necessary and kept locally only for the required period.

 

Any employee who needs access to the data must first request access and provide a valid business justification to the manager/client manager assigned to that client in the project or in the evolution (ongoing development) consultation.

 

Access will be granted on a need-to-know basis and will be revoked after the requested time has expired.

 

employer responsibilities

 

Privacy by default at ACRM means that the company always uses, as the default setting, the setting that ensures the highest level of protection of personal data.

 

As an employer, it complies with its legal obligations and follows the instructions of the competent authorities and bodies when processing data.

 

Contracts with partner companies used for recruitment purposes always include data protection clauses to ensure that the partner company handles candidates’ material in accordance with the law.

 

marketing activities

 

When sending direct marketing or marketing enquiries with advertising content, ACRM acts as a data controller and processes personal data (e.g. name, telephone number, e-mail address) until consent is withdrawn. These data are not transmitted to third parties.

 

This type of commercial data collection typically occurs in connection with website usage, communication on Facebook, LinkedIn pages, email newsletters and event management.

 

Data protection procedures

  • Laptop protection

  • Data transfer protection

  • USB protection: lockable locker when not in use

  • Physical protection: data and devices lockable; key safe

  • Screen protection

  • Password protection

  • Internal systems password management
      1. For private use

 

ANNEX 1 – TEMPLATES

Record of deletion of personal data

Name of the employee responsible for data destruction:

Mother’s name:

Place and date of birth:

Authorising the destruction

Name of the person who authorised the destruction:

Position:

Place and time of destruction: year/month/day/hour/minute

Format and number of data media:

e.g. printed CV, document, electronic file

Method of data destruction:

  • shredder

  • electronic destruction

  • other

Incident alert email content

  • Date when the incident started, when it was detected/discovered, and the source/cause of the incident (if known);

  • Description of the incident (e.g. how it was noticed, what was experienced);

  • Identification of the resource(s) involved;

  • What response action was taken (e.g. disconnection from the network);

  • General comments.