Data Processing Addendum
Please reach out to email@example.com if you have any questions or concerns about your data.
- TERMS AND DEFINITIONS
- a. Terms below shall have the following meanings:
- “Agreement” means the Software license agreement signed between PREPPIO and the Client.
- The Company, providing you services through this website is Preppio AS. (referred to hereinafter as PREPPIO), a company duly organized under the law of Norway, registered in Norway.
- “PREPPIO Products” means the Software and other products of PREPPIO together with any products that are hereafter designed, developed, or marketed by PREPPIO.
- “Client Data” means data submitted, stored, sent, or received via the Software by Clients or End Users.
- “Client Personal Data” means personal data contained within the Client Data.
- “Data Incident” means a breach of PREPPIO security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data on systems managed by or otherwise controlled by PREPPIO. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Data Processing Addendum” or “DPA” means this Addendum, which is an inseparable part of the Software license agreement signed between PREPPIO and the Client.
- “European Data Protection Legislation” means, as applicable, the GDPR, as well as any other applicable EU legislation.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “License” means the Software license granted to the Client by PREPPIO pursuant to the Agreement.
- “Party” means either PREPPIO or the Client.
- “Parties” means both PREPPIO and the Client.
- “Term” means the term set forth in the Agreement.
- “SaaS model” means a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted by PREPPIO. The Software is accessed by Clients via a web browser.
- “Software” means computer software (Preppio SaaS), developed by PREPPIO, and PREPPIO visualized on the Web-site www.preppio.com.
- “Standard Contract Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
- “Subprocessors” means third parties authorized under this Data Processing Addendum to have logical access to and process Client Data in order to provide parts of the Services and related technical support.
- “Third parties” means any other persons, organizations and authorities, besides PREPPIO and the Client.
- “Web-site” means the web-based site www.preppio.com.
- All terms, which have not been explicitly defined above, such as “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, etc. have the meanings given in the GDPR.
2. SCOPE OF ADDENDUM
- Software License Agreement
- PREPPIO provides a SaaS (Software as a Service) web-based application which by functionality helps customers with their digital onboarding of new hires.
- Parties have signed an Agreement for the use of PREPPIO Software by the Client for the Client’s own internal business purposes.
- In rendering the Services, the PREPPIO may from time to time be provided with, or have access to, information of the Client which may qualify as personal data within the meaning of the GDPR and other applicable European data protection laws and provisions.
- This Data Processing Addendum reflects the Parties’ agreement with respect to the terms governing the processing and security of Client Data under the Agreement according to the requirements of GDPR and any other European Data Protection Legislation.
- The parties acknowledge and agree that the European Data Protection Legislation, including the GDPR, will apply to the processing of Client Personal Data if, the Client Personal Data is personal data relating to data subjects who are in the EU/EEA and the processing relates to the offering to them of goods or services in the EU/EEA or the monitoring of their behavior in the EU/EEA as well as when the processing is carried out in the context of the activities of an establishment of Client in the territory of the EU/EEA.
- The Parties agree that the sets of data processing and transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with PREPPIO qualifying as a processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement.
- In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Client to PREPPIO of the personal data, the Parties have entered into this DPA.
- The Parties agree that PREPPIO shall have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance, or orders issued by competent Union or Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in good faith effort taking their obligation to carry out this contractual relationship in compliance with applicable data protection law into account.
- Processor and Controller
- PREPPIO is a processor of Client Personal Data.
- Client is a controller of Client Personal Data.
- Each Party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Client Personal Data.
- Client warrants to PREPPIO that Client’s instructions and actions with respect to that Client Personal Data, are legitimate and permitted under the applicable European Data Protection Legislation.
- Client is responsible that the processing activities relating to the personal data, as specified in this DPA, are lawful, fair, and transparent in relation to the data subjects concerned.
- Scope of Processing
- Any further instructions of processing, given by the Client to PREPPIO that go beyond the instructions contained in this DPA or the Agreement shall be considered within the subject matter of the Services Agreement and this DPA and PREPPIO acts of processing shall be considered lawful and compliant with the GDPR and other applicable legislation. It shall be the Clients responsibility to guarantee the legality of any personal data processing of which the Client has given instructions to PREPPIO to perform.
- The Client acknowledges that the Services, provided by PREPPIO to the Client include, among others described above, the provision by PREPPIO to the Client and all End Users, using the Software on behalf of the Client, of notifications on the scope of Services, their update, upgrade, amendment, new releases, development and/or termination via Newsletters, emails and other electronic and non-electronic means of communication, which may be applicable.
- PREPPIO will comply with the instructions described above (Client’s Instructions) (including with regard to data transfers) unless EU law requires other processing of Client Personal Data by PREPPIO, in which case PREPPIO will inform Client (unless that law prohibits PREPPIO from doing so on important grounds of public interest). Upon providing such notification, PREPPIO is not obliged to follow the Client’s instruction.
- For clarity, PREPPIO will not process Client Personal Data for Advertising purposes or serve Advertising in the Services. Notifications from PREPPIO to the Client and all End Users on the scope of Services, their update, upgrade, amendment, new releases, developments, and/or termination via Newsletters, emails, and other electronic and non-electronic means of communication, which may be applicable, shall not be considered advertising, marketing or other activity, not included in the Services. Such notifications shall be considered part of the Services provided by PREPPIO to Client.
- If at any time the Client or any End User would like to unsubscribe from receiving future emails, he or she must follow the instructions on how to unsubscribe at the bottom of PREPPIO emails.
- Subject Matter
- PREPPIO’s provision of the Services and related technical support to Client.
- Data Subjects
The personal data processed concern the following categories of data subjects:
- staff of the Client – End Users;
- other subjects, whose personal data is entered by the End Users.
- Nature and Purpose of the Processing
- PREPPIO will process Client Personal Data submitted, stored, sent, or received by Client, its Affiliates or End Users via the Software for the purposes of providing the Services and related technical support to Client in accordance with the Data Processing Addendum.
- Duration of the Processing
- The applicable Term plus the period from expiry of such Term until deletion of all Client Data by PREPPIO in accordance with the Data Processing Addendum, unless the GDPR requires otherwise.
- Categories of Data and Purpose of its Processing
- Personal data submitted, stored, sent, or received by Client or End Users via the Services may include the following categories of data:
- Name and User name– necessary for identification of the Data Subject. The main feature of the Software is to manage and control processes, so it is vital to be able to recognize the person, performing the respective activities, which are being monitored.
- Email address – necessary for authenticating the End Users before allowing its access to the Software and Client Data, including Client Personal Data, as well as for providing technical support.
- Phone number – necessary for providing technical support and communicating conditions in respect of what the Service provides.
- Employee information – necessary for providing of the Services according to the onboarding of new hires and their interaction with other stakeholders within their organization.
- other data, uploaded by Client and End Users – entering and upload of any other personal data is at the full discretion of the Client.
- PREPPIO shall not use any other personal data, entered by Client or End User, except for categories of data, described in Section (a) above.
- It is not PREPPIO’s obligation to monitor personal data, entered or uploaded by Client or End User, to categorize or process it in any other way.
- It is the Client’s responsibility to provide and guarantee that the processing personal data activities, performed by Client and End Users with the Software shall be compliant with the requirements of the GDPR.
- Personal data submitted, stored, sent, or received by Client or End Users via the Services may include the following categories of data:
- Method of collection
- Each User of the Software provides personally the Personal data, entered or uploaded in the Software.
- Client and End users shall enter third party personal data only with due authorization or GDPR compliant consent by such party. Client and End users are responsible for entering somebody else’s personal data without acquiring their preliminary due authorization or GDPR compliant consent. PREPPIO does not control the content, entered by Client and End User. PREPPIO has no contact with any third parties, whose personal data the Client or End User may enter into the software. In the event of a third-party claim or sanctions by a competent authority in respect of entering third party personal data in the Software in violation of GDPR by Client or End User, Client shall compensate PREPPIO for all sustained damages, including any compensations, administrative penalties, and sanctions, reasonable lawyer fees, expenses, etc.
- Data Subjects
- Personal data submitted, stored, sent, or received via the Services may concern the following categories of data subjects: End Users including Client’s employees and contractors; the personnel of Client’s Clients, suppliers, and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
- Client shall grant access to End Users after acquainting them to the information, provided to Client in this DPA, the rights of the End Users under the GDPR, and the methods of their implementation. Client acknowledges that such provision of information is required by GDPR and is necessary for the implementation of GDPR principles of data protection. Client shall also grant access to End Users, who have accepted the terms and conditions of data protection, included in this DPA. In the event of a Data Subject claim or sanctions by a competent authority in respect of entering or processing personal data in the Software in violation of GDPR by Client or End User, Client shall compensate PREPPIO for all sustained damages, including any compensations, administrative penalties, and sanctions, reasonable lawyer fees, expenses, etc.
- Disabling Website cookies may affect some features of the Website and these may not work properly or as intended.
- Additional Services
- Even if the Client has not objected initially to the transfer of data out of EU, the Client may at all times inform in writing PREPPIO that Client does not want personal data to be transferred any more to third parties in case of Additional service integration and PREPPIO shall not transfer in the future such data after the date on which PREPPIO has received the communication from the Client. However, if the Client has initially accepted such transfer and has not later on informed PREPPIO in writing about any objection, it shall be considered that the Client has instructed PREPPIO to provide the Additional Service and execute data transfers until the date of the objection. If the Client objects to such transfer, the Client and the end Users shall not be able to use those Additional Services anymore.
- Data Deletion
- PREPPIO will enable Client and/or End Users to delete Client Data during the applicable Term in a manner consistent with the functionality of the Services if such deletion is in accordance with applicable law. PREPPIO will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days unless EU law requires storage.
- With this DPA the Client instructs PREPPIO to delete on expiry of the applicable Term Client all Client Data (including existing copies) from PREPPIO’s systems in accordance with applicable law. PREPPIO will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days unless EU law requires storage. Client acknowledges and agrees that Client will be responsible for exporting before the applicable Term expires, any Client Data it wishes to retain afterward.
- To the extent any Client Data covered by the deletion instruction described in Section (b) is also processed, when the applicable Term expires, in relation to an Agreement with a continuing Term, such deletion instruction will only take effect with respect to such Client Data when the continuing Term expires.
- For clarity, this Data Processing Addendum will continue to apply to Client Data until its deletion by PREPPIO.
- Data Security
- PREPPIO will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The Technical and organizational measures include measures to help ensure ongoing confidentiality, integrity, availability, and resilience of PREPPIO’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. PREPPIO may update or modify the Technical and organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- PREPPIO will take appropriate steps to ensure compliance with the Technical and organizational Measures by its employees, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Client agrees that PREPPIO will (taking into account the nature of the processing of Client Personal Data and the information available to PREPPIO) assist Client in ensuring compliance with any of Client’s obligations in respect of security of personal data and personal data breaches, including if applicable Client’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Technical and organizational Measures in accordance with the GDPR; (b) complying with the procedures for Data Incidents notification and regulation as required by the GDPR; (c) providing Client with the necessary information and documentation as required by the GDPR.
- Data Incidents
- If PREPPIO becomes aware of a Data Incident and if it is required by the GDPR, PREPPIO will notify Client of the Data Incident promptly and without undue delay; and promptly take reasonable steps to minimize harm and secure Client Data.
- Notifications made pursuant to this section will implement the requirements of the GDPR and will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps PREPPIO recommends Client take to address the Data Incident.
- Notification of any Data Incident will be delivered to the Email Address of the Client, recorded in the Agreement or, at PREPPIO’s discretion, by direct communication (for example, by a phone call or an in-person meeting). Client is solely responsible for ensuring that the Client’s Email Address is current and valid.
- PREPPIO will not assess the contents of Client Data in order to identify information subject to any specific legal requirements. Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Data Incident.
- PREPPIO’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgment by PREPPIO of any fault or liability with respect to the Data Incident.
- Client acknowledges that although PREPPIO will take all reasonable precautions to keep personal data safe and secure, PREPPIO shall not be liable for extraneous circumstances such as theft, communication errors or malicious tampering.
- Client’s Security Responsibilities
- Client agrees that Client is solely responsible for its use of the Services and the compliance of Client’s and End Users’ activities with GDPR, including:
- making appropriate use of the Services and the Software to ensure a level of security appropriate to the risk in respect of the Client Data;
- securing the account authentication credentials, systems, and devices Client uses to access the Services; and
- backing up its Client Data;
- Client agrees that PREPPIO has no obligation to protect Client Data that Client elects to store or transfer outside of PREPPIO’s and its Subprocessors’ systems (for example, offline or on-premise storage), or to protect Client Data by implementing or maintaining Technical and organizational Measures except to the extent Client has opted to use them.
- Client is solely responsible for reviewing PREPPIO’s Technical and Organisational Measures and evaluating for itself whether the Services, the Technical and organizational Measures and PREPPIO’s commitments under DPA will meet Client’s needs, including with respect to any security obligations of Client under the European Data Protection Legislation, as applicable.
- Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing of Client Personal Data as well as the risks to individuals) the Technical and organizational implemented and maintained by PREPPIO as set out in this DPA provide a level of security appropriate to the risk in respect of the Client Data.
- Client agrees that Client is solely responsible for its use of the Services and the compliance of Client’s and End Users’ activities with GDPR, including:
- Impact Assessments
- Client agrees that PREPPIO may (taking into account the nature of the processing and the information available to PREPPIO) assist Client in ensuring compliance with any obligations of Client in respect of data protection impact assessments and prior consultation, including if applicable Client’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the Client with PREPPIO’s Technical and Organisational Measures and providing other information contained in the applicable Agreement including this Data Processing Addendum.
- PREPPIO may charge a fee (based on PREPPIO’s reasonable costs) for any assistance under Section (a) above. PREPPIO will provide the Client with details of any applicable fee, and the basis of its calculation, in advance of any such assistance.
- PREPPIO may object in writing to providing any assistance under Section (a) above at its own discretion if it will harm or may harm in any way PREPPIO’s legal rights, business interests, normal course of activities or may be otherwise manifestly unsuitable.
- In order to assist the Client with its legal obligation to diligently choose a service provider, PREPPIO shall monitor, by appropriate means, its own compliance and the compliance of its employees and Sub-processors with the respective data protection obligations of a Processor laid down in Art. 28 of the GDPR and in this DPA in connection with the Services. PREPPIO shall make available to the Client any information necessary to demonstrate compliance with such obligations when required by the GDPR.
- Data Subject Rights
- During the applicable Term, PREPPIO will, in a manner consistent with the functionality of the Services, enable Client to access, rectify and restrict processing of Client Data, including via the deletion functionality provided by PREPPIO as described in this DPA and to export Client Data.
- PREPPIO agrees and warrants that it will deal promptly and properly with all inquiries from the Client relating to its processing of the Client personal data and to abide by the advice of the supervisory authorities with regard to the processing of the Client personal data.
- Client agrees that (taking into account the nature of the processing of Client Personal Data) PREPPIO will assist Client in fulfilling any obligation to respond to requests by data subjects, including if applicable Client’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the GDPR obligatory requirements.
- Transfers of Data Out of the EU/EEA
- Client agrees that PREPPIO may store and process Client Data in the United States and any other country in which PREPPIO or any of its Subprocessors maintains facilities.
- In respect of Transferred Personal Data, shall be considered as a contractual obligation of PREPPIO in fulfilling PREPPIO obligation to provide the Services and more specifically as a Client’s instruction in the meaning of GDPR.
- Whenever PREPPIO has entered into Standard Contract Clauses, PREPPIO will ensure that any disclosure of Client’s personal data, and any notifications relating to any such disclosures, will be made in accordance with such Standard Contract Clauses, the requirements of applicable European Data Protection Legislation and the binding decisions of the European Commission and the European Court of Justice.
- In respect of Transferred Personal Data, Client agrees that any such Transfer of Data, executed in compliance with this Section 22, shall be considered as a suitable guarantee and an effective legal tool for personal data protection.
- Client generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). In order to provide Client’s optimal comfort, thorough understanding, and effective use of the Software, PREPPIO may also from time to time engage Subprocessors, local to Client and/or speaking the language of Client’s country of registration or operation.
- Information about the PREPPIO Subprocessors is available in Appendix 1 below and may be updated by PREPPIO from time to time. When any new Subprocessor is engaged during the applicable Term, PREPPIO will spend reasonable efforts to inform the Client of the engagement either by sending a Newsletter or an email to the Client Email Address or via the Admin Console. Client agrees and instructs PREPPIO that Subprocessors, engaged in order to facilitate communication between parties in the language of the Client, shall not be listed in Appendix 1 or announced via Newsletter or an email, or the Admin Console. Client accepts and agrees that PREPPIO may introduce such native speaking Subprocessor to the Client via email.
- When engaging any Subprocessor, PREPPIO will ensure via a written contract or another suitable electronic form that: (i) the Subprocessor only accesses and uses Client Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with any Standard Contract Clauses entered into by PREPPIO; and (ii) if the GDPR applies to the processing of Client Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as required by the GDPR, are imposed on the Subprocessor.
- Subprocessor remains fully liable for all obligations subcontracted to them and all acts and omissions of the Subprocessor except for all cases when the GDPR transfers the liability for Subprocessors to PREPPIO in its capacity of a processor.
- When any Additional service is engaged via a Third Party Subprocessor during the applicable Term, PREPPIO will inform the Client of the engagement either by sending a Newsletter or an email to the Client Email Address or via the Admin Console.
- Client may object to any new Third Party Subprocessor by terminating the applicable Agreement or the Service, provided by the Subprocessor immediately upon written notice to PREPPIO, on condition that Client provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Third Party Subprocessor.
- Client acknowledges that PREPPIO is required under the GDPR to (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which PREPPIO is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Client Personal Data, Client will, where requested, provide such information to PREPPIO and will ensure that all information provided is kept accurate and up-to-date.
- Nothing in this DPA will affect the remaining terms of the applicable Agreement relating to liability (including any specific exclusions from any limitation of liability).
- Effect of Addendum
- To the extent of any conflict or inconsistency between the terms of this Data Processing Addendum and the remainder of the applicable Agreement, the terms of this Data Processing Addendum will govern. For clarity, this Data Processing Addendum will, as from the Effective Date be effective and replace any previously applicable data processing provisions.
- Effective Date means, as applicable: (a) 25 May 2018, if Client clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement prior to or on such date; or (b) the date on which Client clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement, if such date is after 25 May 2018.
- This Data Processing Addendum will take effect on the Effective Date and, notwithstanding the expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Client Data by PREPPIO.
- Applicable law
- This DPA shall be governed by the law of Norway. The place of jurisdiction for all disputes regarding this DPA shall be Oslo, Norway, except as otherwise stipulated by applicable data protection law.
Appendix 1: SUBPROCESSORS
- For providing quality services to the Client PREPPIO engages a number of Subprocessors, carefully selected according to their capacity for Client personal data protection and processing in compliance with PREPPIO’s obligations under this DPA and the GDPR.
- All Subprocessors, situated out of the EU, whose services require a transfer of personal data out of EU, shall be compliant with the requirements of Section 22. Transfers of Data Out of the EU/EEA.
- PREPPIO uses as Subprocessors and Client personal data may be transferred to the providers of the following services:
- Customer relationship management (HubSpot)
- Email server (Gmail, Mailgun)
- SMS services (Twilio)
- Database services (MongoDB)
- Authentication services (Auth0)
- Hosting services (Amazon Web Services, Salesforce)
- Digital signing software (DocuSign, PandaDoc) – personal data for a given person (email) is transferred only after prior communication between Preppio and that person
- Marketing automation software (Mailchimp) – personal data (email) is transferred upon explicit request by the user to receive notifications about new blog content
- PREPPIO may replace its Subprocessors from time to time following the above rules of strict selection. Updated information about the list of current Subprocessors may be found at all times here on our website and we may inform you about such updates via our monthly newsletters.
- You should keep in mind that our website is integrated with and uses Google Analytics. Google platform uses tools to acquire information when you have visited our site. Within these tools, we do not have the ability to recognize the individuals whose data is generated. However, this information can be personalized by Google and affect the content Google shows you. For more information and deactivation of certain features, you should use the settings of the Google platform, as we have no control over it and we can not block its functionalities. Through the control panels of your accounts on the platform, you can also make the appropriate privacy and privacy management settings, including the data management and information Google receives from us, since after the data is transmitted we cannot exercise full control over data processing, including data deletion.
- The right to object or terminate the agreement is included in Sec. 23f: Client may object to any new Third Party Subprocessor by terminating the applicable Agreement or the Service, provided by the Subprocessor immediately upon written notice to PREPPIO, on condition that Client provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Third Party Subprocessor.
Appendix 2: DESCRIPTION OF THE TECHNICAL AND ORGANISATIONAL SECURITY MEASURES IMPLEMENTED BY PREPPIO:
|SECURITY AREAS||SECURITY MEASURES FOR PERSONAL DATA PROTECTION|
|NETWORK AND SYSTEMS SECURITY||Firewall and router configurations have to be set-up, in order to restrict the traffic, inbound and outbound, from “untrusted” networks (including wireless) and hosts. Deny all other traffic except, for protocols necessary for the personal data environment (PDE).|
|Application firewalls have to be set-up in front of web servers belonging to PDE, in order to verify and validate the traffic which is directed to the server. Any unauthorized service or traffic should be blocked and an alert should be generated.|
|Production (real) data should only be allowed in production environments. Upon exception and with all necessary approvals, QA environments may process (real) personal data only to the extent that they are protected as production environments. The environment of testing and development, as well as pre-production environments must use either anonymized or synthetic data.|
|Standard hardening configuration templates have to be developed for databases, applications, operating systems and applications containing personal data.|
|DATA SECURITY||Personal data retention time must be limited to the extent which is necessary for each single processing activity, albeit in compliance with legal and/or regulatory (retention) obligations.|
|Personal data has to be made unreadable (e.g. leveraging on encryption), when stored on portable digital media, backup media, log files.|
|Strong cryptography and security protocols have to be implemented, in order to protect personal data during the transmission over open, public or untrusted networks.|
|In case the channel encryption is not possible, files and attachments containing personal data have to be protected by means of encryption whenever they are transmitted over open, public or untrusted networks.|
|Security tools should be used, to monitor and control the flow of personal data through endpoints and towards external networks.|
|Databases/data storages encryption should be based upon a proper classification of assets in scope, according to the level of criticality. As a sample, databases/data storages serving bank’s core business processes/services or storing a large amount of personal data may be protected by strong encryption.|
|Media containing personal data must be protected against unauthorized access, through adequate physical (e.g. lock) and logical (e.g. encryption, access control, etc.) security measures.|
|Upon return and/or dismissal of ICT assets and resources, secure clean-up procedures (e.g. wiping) should be put in place, in order to remove all personal data and/or securely overwrite prior to disposal or re-use.|
|Paper documents or magnetic/optical media (e.g.: hard disks, DVDs, CDs, smart cards, USB flash drives) have to be destroyed or rendered unusable to ensure that the data and information they contain cannot be reconstructed and/or used (even partially) by unauthorized Third Parties. Paper documents have to be physically destroyed before being trashed, through specific shredder devices.|
|Employees must be adequately educated and trained on the correct rules of conduct to be adopted for the protection of personal data contained in paper documents (example: in case of removal from the workstation make sure that nobody can access confidential information, protect the original documents and the photocopies from theft or unauthorized use, keep the documentation in drawers and closets locked at the end of the working session)|
|DATA AVAILABILITY||Proper procedures should be put in place in order to restore the availability of personal data (as a right of the data subject) in a timely manner. Back-up procedures should ensure copies of personal data at least weekly.|
|IDENTITY AND ACCESS MANAGEMENT||Access authorization to production environments containing personal data should be given according to the “need to know” and “least privilege” principles.|
|Policies and procedures must be implemented to ensure the proper identification of users and administrators accessing system components managing personal data. All users should be assigned with a unique user name before allowing them to access system components or personal data.|
|Individual remote administrative accesses to systems managing personal data have to be protected, by means of an authentication mechanism requiring password changes every 90 days. Additionally, password vaulting tools should be evaluated in order to increase credentials’ security.|
|Passwords for systems and devices managing personal data must contain at least 8 digits, not easily attributable to the user, and they must be changed at least every 3 months.|
|System resources and access right must be assigned to user accounts, where user accounts are assigned to unique users.|
|Remote access (from external networks) to PDE have to be protected by means of multi-factor authentication.|
|All accesses to databases containing personal data should be protected/controlled as follows: – Application credentials to access databases cannot be used by individual users or other non-application processes – Such application/system user credentials must be appropriately protected against potential misuse. – Access must be granted only to the personnel who really needs it for the performance of own job/tasks (need to know principles) – A formal user registration and de-registration process should be implemented to enable assignment of access rights to manage personal data.|
|Number of personal data repositories (databases, files, copies, archives) should be kept to an absolute minimum, avoiding unnecessary duplication. Instead of duplication, preference should be given to pseudonymised databases, that perform look-ups into master repositories for specific personal data, if, and when needed.|
|Visibility of personal data must be limited to the sole set of information which is necessary for the single processing activities. No unnecessary personal data should be made available to users.|
|Users’ access rights to personal data should be reviewed/re-certified at regular intervals and, in any case, at least annually – as per the regular Identity and Access Management process.|
|Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged onto the machine without administrative privileges, the administrator should gain administrative privileges.|
|LOGGING AND MONITORING||Access to production environments containing personal data – and where technically possible access to personal data – should be monitored and logged, in order to precisely record the link between access and individual user accessing personal data|
|ORGANISATION AND HUMAN SECURITY||Adequate procedures should be put in place to ensure the continuous availability of personal data: back-up personnel should be identified to ensure the continuity of the service to the data subject willing to access own personal data.|
|A formal security awareness program has to be implemented, to make all personnel aware of policy and procedures related to personal data security. Periodic tests or simulations may be performed, to assess whether employees click on a link from suspicious e-mail or provide personal/sensitive information without following appropriate security procedures to verify the reliability of the source. As a consequence, targeted training should be provided to those employees falling victim to the test.|
|Clear contractual agreements have to be signed-off with service providers, in order to state their responsibility for the security of personal data they process/store/transmit on behalf of the Data Controller.|
|Employees responsibilities and duties on the confidentiality of personal data should be clearly stated as valid also after the termination or change of employment.|
|Personal data must not be copied on removable media, except from those media expressly authorized by the Processor for specific tasks.|
|DATA PROTECTION BY DESIGN||Processes and tools for the Secure Software Development Lifecycle (SDLC) have to be integrated with appropriate security check/controls and requirements, in order to ensure that new ICT software/applications are designed and developed taking into consideration the requirements of embedded security.|
|Processes of ICT Change Management have to be integrated with appropriate security check/controls and requirements, in order to ensure the continuous protection of ICT software/applications in place, upon relevant changes.|
|PERSONAL DATA BREACH NOTIFICATION||Processes and tools for Incident Management have to be properly implemented and/or improved, in order to enable the detection and classification of personal data breaches so that they are correctly communicated to the Controller within the terms established in the paragraph “Notification obligation and Security Breach“.|
|A register of personal data breaches should be created and maintained.|