Document ID Document Name Document Classification Version Date GP_GDP_COM01 Data Protection Policy Internal V Apr-18

Transcription

1 Dcument ID Dcument Name Dcument Classificatin Versin Date GP_GDP_COM01 Data Prtectin Plicy Internal V Apr-18 Revisin Histry [SEPG] Srl. Versin Authr/Owner Date f Descriptin f Apprved By N. N. Release Release/Change Anand Kapr 26-Apr-2018 Initial Release EVP This is a cntrlled dcument. Unauthrized access, cpying, and replicatin are prhibited. This dcument must nt be cpied in whle r in parts by any means withut the written authrizatin f the Staffing Slutin Head, Pyramid IT Cnsulting, India. 2018, Pyramid IT Cnsulting. All rights reserved. Table f Cntents Table f Cntents GDPR Backgrund Definitins Plicy Statement Rles and Respnsibilities under GDPR Data prtectin principles Data Subject Rights Cnsent Management Security f Data Disclsure f Data Retentin and Dispsal f Data Data Transfer Persnnel Data Inventry Versin Apr-2018 Uncntrlled When Printed Page 1

2 1. GDPR Backgrund The General Data Prtectin Regulatin 2016 replaces the EU Data Prtectin Directive f 1995 and supersedes the laws f individual Member States that were develped in cmpliance with the Data Prtectin Directive 95/46/EC. Its purpse is t prtect the rights and freedms f living individuals and t ensure that persnal data is prcessed with their cnsent and nt prcessed withut their knwledge. 2. Definitins Persnal data any infrmatin relating t an identified r identifiable natural persn ('data subject'); an identifiable natural persn is ne wh can be identified, directly r indirectly, in particular by reference t an identifier such as a name, an identificatin number, lcatin data, an nline identifier r t ne r mre factrs specific t the physical, physilgical, genetic, mental, ecnmic, cultural r scial identity f that natural persn. Special categries f persnal data persnal data revealing racial r ethnic rigin, plitical pinins, religius r philsphical beliefs, r trade-unin membership, and the prcessing f genetic data, bimetric data fr the purpse f uniquely identifying a natural persn, data cncerning health r data cncerning a natural persn's sex life r sexual rientatin. Data cntrller the natural r legal persn, public authrity, agency r ther bdy which, alne r jintly with thers, determines the purpses and means f the prcessing f persnal data; where the purpses and means f such prcessing are determined by Unin r Member State law, the cntrller r the specific criteria fr its nminatin may be prvided fr by Unin r Member State law. Data subject any living individual wh is the subject f persnal data held by an rganizatin. Prcessing any peratin r set f peratins which is perfrmed n persnal data r n sets f persnal data, whether r nt by autmated means, such as cllectin, recrding, rganizatin, structuring, strage, adaptatin r alteratin, retrieval, cnsultatin, use, disclsure by transmissin, disseminatin r therwise making available, alignment r cmbinatin, restrictin, erasure r destructin. Prfiling is any frm f autmated prcessing f persnal data intended t evaluate certain persnal aspects relating t a natural persn, r t analyze r predict that persn s perfrmance at wrk, ecnmic situatin, lcatin, health, persnal preferences, reliability, r behavir. This definitin is linked t the right f the data subject t bject t prfiling and a right t be infrmed abut the existence f prfiling, f measures based n prfiling and the envisaged effects f prfiling n the individual. Persnal data breach a breach f security leading t the accidental, r unlawful, destructin, lss, alteratin, unauthrized disclsure f, r access t, persnal data transmitted, stred r therwise prcessed. There is an bligatin n the cntrller t reprt persnal data breaches t the supervisry authrity and where the breach is likely t adversely affect the persnal data r privacy f the data subject. Data subject cnsent - means any freely given, specific, infrmed and unambiguus indicatin f the data subject's wishes by which he r she, by a statement r by a clear affirmative actin, signifies agreement t the prcessing f persnal data. Child the GDPR defines a child as anyne under the age f 16 years ld, althugh this may be lwered t 13 by Member State law. The prcessing f persnal data f a child is nly lawful if parental r custdian cnsent has been btained. The cntrller shall make reasnable effrts t verify in such cases that cnsent is given r authrized by the hlder f parental respnsibility ver the child. Versin Apr-2018 Uncntrlled When Printed Page 2

3 Third party a natural r legal persn, public authrity, agency r bdy ther than the data subject, cntrller, prcessr and persns wh, under the direct authrity f the cntrller r prcessr, are authrized t prcess persnal data. Filing system any structured set f persnal data which are accessible accrding t specific criteria, whether centralized, decentralized r dispersed n a functinal r gegraphical basis. 3. Plicy Statement Pyramid is cmmitted t dcument its business activities with recrds that are cmplete, authentic, reliable, secure and accessible and cmply with data prtectin requirements f EU GDPR thrughut their lifecycle, frm planning and creatin t ultimate dispsal. It als ensures t cmply with all data prtectin principles. In view f the plicy, the tp management f Pyramid is cmmitted and will ensure the fllwing: The persnal infrmatin btained will be prcessed fairly, supprted by a legal basis and used in a transparent manner, respecting the data subjects rights and will nt be prcessed unless the prcessing is necessary fr the purpses defined under the EU General Data Prtectin Regulatin. The infrmatin btained will be: Adequate, relevant and nt excessive fr the purpses. Accurate and kept up t date. Kept fr n lnger than is necessary fr the purpse and dispsed timely and apprpriately. Prcessed in accrdance with the data subject s rights. Kept secure frm unauthrized access, accidental lss r destructin. Transferred t a cuntry utside the Eurpean Ecnmic Area (EEA) under circumstances where the persnal infrmatin can be adequately prtected. The persnal infrmatin under its cntrl is managed in cmpliance with the EU General Data Prtectin Regulatin. Prcedures are in place t enable the rights f individuals t be respected. Establish a gvernance framewrk t implement, and mnitr this plicy. Prvide clear guidance fr emplyees and external agencies, wrking n behalf f Pyramid t help them t use and share persnal infrmatin securely and in full cmpliance with EU General Data Prtectin Regulatin. Ensure that disclsures t third parties are managed in cmpliance with EU General Data Prtectin Regulatin. Ensure that persnal infrmatin prcessed by third parties n behalf f Pyramid is managed in cmpliance with EU General Data Prtectin Regulatin. Ensure that the level f security impsed t ensure cmpliance and prtect individual rights will nt prevent access t infrmatin where this is a legal r reprting requirement. Ensure the awareness f Privacy thrugh n nging educatin and training prgrams. Implement measures t ensure privacy by design and default, wherever applicable, such as Data minimizatin, Pseudnymizatin, and Annymizatin. Versin Apr-2018 Uncntrlled When Printed Page 3

4 Ensure the respnsibility and accuntability t relevant peple thrughut the rganizatin and ensure cmmunicatin f this plicy. Manage the data prtectin risks by identifying, evaluating and mitigating. Cntinually imprve the persnal infrmatin management system thrugh privacy enhancing innvatins. 4. Rles and Respnsibilities under GDPR Tp Management and all thse in senir managerial rle at Pyramid are respnsible fr spnsring & apprving funds required fr GDPR implementatin, Apprving data prtectin/privacy plicy and its bjectives, Ensuring that cmpliance with data prtectin legislatin under the DPA, EU GDPR, any ther data prtectin legislatin and gd practice can be demnstrated as defined in dcument Rles and Respnsibilities Since nne f the data prcessing at Pyramid is being dne under article 37.1 the designatin f Data Prtectin Officer is nt mandatry. Hwever, Anand Kapr ( anand.kapr@pyramidci.cm) has been appinted as Data Prtectin Officer/GDPR wner and is respnsible fr cmpliance under GDPR. Data Prtectin Officer/GDPR wner is respnsible fr single pint f cntact fr GDPR related activities, ensuring implementatin f the data prtectin plicy, training and nging awareness as required by the data prtectin plicy etc. as defined in dcument Rles and Respnsibilities. Internal Auditr is respnsible fr making judgment n the effectiveness f the data prtectin/privacy plicies, prcedures etc., reprting internal audit findings t the tp management/dpo and recmmending the crrective measures etc. as defined in dcument Rles and Respnsibilities. Emplyees are respnsible fr ensuring that they cmply with data prtectin/privacy plicy and its bjectives, adheres t data prtectin/privacy plicy directins such as cnsent management, dcument retentin, detectin f data breach and breach ntificatin etc. as defined in dcument Rles and Respnsibilities. FR_GDP_COM15-Rles & Respnsibilities 5. Data prtectin principles All prcessing f persnal data at Pyramid is cnducted in accrdance with the data prtectin principles as set ut in Article 5 f the GDPR. Pyramid plicies and prcedures are designed t ensure cmpliance with the principles. Persnal data must be prcessed lawfully, fairly and transparently. Lawful identify a lawful basis befre yu can prcess persnal data. These are ften referred t as the cnditins fr prcessing, fr example cnsent. Fairly in rder fr prcessing t be fair, the data prcessr has t make certain infrmatin available t the data subjects as practicable. This applies whether the persnal data was btained directly frm the data subjects r frm ther surces. Transparently the GDPR includes rules n giving privacy infrmatin t data subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis n making privacy ntices understandable and accessible. Infrmatin must be cmmunicated t the data subject using clear and plain language. The specific infrmatin that must be prvided t the data subject, as a minimum, include: Versin Apr-2018 Uncntrlled When Printed Page 4

5 Identity and the cntact details f the prcessr and/r prcessr's representative. Cntact details f the Data Prtectin Officer r similar rle. Purpses f the prcessing fr which the persnal data are intended as well as the legal basis fr the prcessing. Perid fr which the persnal data will be stred. Existence f the rights t request access, rectificatin, erasure r t bject t the prcessing, and the cnditins relating t exercising these rights, such as whether the lawfulness f previus prcessing will be affected. Categries f persnal data cncerned (Nte: This is nt applicable as per GDPR article 30, because the n f cnsultants placed by Pyramid are less than 250). Recipients r categries f recipients f the persnal data, where applicable (Nte: This is nt applicable as per GDPR article 30, because the n f cnsultants placed by Pyramid are less than 250). Where applicable, that the prcessr intends t transfer persnal data t a recipient in a third cuntry and the level f prtectin affrded t the data. Any further infrmatin necessary t guarantee fair prcessing. Persnal data can nly be cllected fr specific, explicit and legitimate purpses. Data btained fr specified purpses must nt be used fr a purpse that differs frm thse frmally ntified t the supervisry authrity as part f GDPR register f prcessing. This is defined in PIM Plicy. Persnal data must be adequate, relevant and limited t what is necessary fr prcessing (Data Minimizatin). The Data Prtectin Officer/GDPR wner is respnsible fr ensuring that Pyramid des nt cllect infrmatin that is nt required fr the purpse fr which it is btained. All data cllectin frms (electrnic r paper-based), including data cllectin requirements include a Data Prtectin Plicy r link t Data Prtectin Plicy and apprved by the Data Prtectin Officer. Data Prtectin Officer will ensure that, n an annual basis all data cllectin methds are reviewed by internal audit r external experts t ensure that cllected data cntinues t be adequate, relevant and nt excessive. Data Prtectin Officer is respnsible t ensure that Persnal data is accurate and kept up t date with every effrt t erase r rectify withut delay. Data that is stred by the data prcessr must be reviewed and updated as necessary. N data shuld be kept unless it is reasnable t assume that it is accurate. Ensure that all emplyees are trained in the imprtance f cllecting accurate data and maintaining it. It is als the respnsibility f the data subject t ensure that data held by Pyramid is accurate and up t date. Cmpletin f a registratin r applicatin frm by a data subject will include a statement that the data cntained therein is accurate at the date f submissin. Emplyees/Clients/Vendrs shuld be required t ntify Pyramid f any changes in circumstance t enable persnal recrds t be updated accrdingly as defined in prcedure PR_GDP_COM05-GDP. It is the respnsibility f Pyramid t ensure that any ntificatin regarding change f circumstances is recrded and acted upn. The Data Prtectin Officer is respnsible fr ensuring that apprpriate prcedures and plicies are in place t keep persnal data accurate and up t date, taking int accunt the vlume f data cllected, the speed with which it might change and any ther relevant factrs. Data Prtectin Officer will review the retentin dates f all the persnal data prcessed by Pyramid, by reference t the data inventry, and will identify any data that is n lnger required in the cntext f the registered purpse as defined in Dcument Retentin Plicy. This data will be securely deleted/destryed in line with the Secure Dispsal as defined in Data & Media Handling Plicy. Versin Apr-2018 Uncntrlled When Printed Page 5

6 The Data Prtectin Officer is respnsible fr respnding t requests fr rectificatin frm data subjects within ne mnth as defined in prcedure PR_GDP_COM05-GDP. This can be extended t a further tw mnths fr cmplex requests. If Pyramid decides nt t cmply with the request, the Data Prtectin Officer/GDPR Owner must respnd t the data subject t explain its reasning and infrm them f their right t cmplain t the supervisry authrity and seek judicial remedy. The Data Prtectin Officer/GDPR Owner is respnsible fr making apprpriate arrangements that, where third-party rganizatins may have been passed inaccurate r ut-f-date persnal data, t infrm them that the infrmatin is inaccurate and/r ut f date and is nt t be used t infrm decisins abut the individuals cncerned; and fr passing any crrectin t the persnal data t the third party where this is required. Persnal data must be kept in a frm such that the data subject can be identified nly as lng as is necessary fr prcessing. Where persnal data is retained beynd the prcessing date, it will be [minimised/encrypted/pseudnymised] in rder t prtect the identity f the data subject in the event f a data breach as defined in prcedure PR_GDP_COM05-GDP. Persnal data is t be retained as defined in Dcument Retentin Plicy and, nce its retentin date is passed, it must be securely destryed as defined in Data & Media Handling Plicy. The Data Prtectin Officer/GDPR Owner must specifically apprve any data retentin that exceeds the retentin perids defined in Dcument Retentin Plicy, and must ensure that the justificatin is clearly identified and in line with the requirements f the data prtectin legislatin.. Persnal data must be prcessed in a manner that ensures the apprpriate security. The Data Prtectin Officer/GDPR Owner will carry ut a risk assessment taking int accunt all the circumstances f Pyramid s cntrlling r prcessing peratins. In determining apprpriateness, the Data Prtectin Officer/GDPR Owner shuld als cnsider the extent f pssible damage r lss that might be caused t individuals (e.g. emplyees r custmers) if a security breach ccurs, the effect f any security breach n Pyramid itself, and any likely reputatinal damage including the pssible lss f custmer trust. When assessing apprpriate technical and rganizatinal measures, the Data Prtectin Officer/GDPR Owner will cnsider the fllwing: Passwrd prtectin as defined in Passwrd Security Plicy. Autmatic lcking f idle terminals as defined in Acceptable Usage Plicy. Remval f access rights fr USB and ther memry media as defined in Access Cntrl Plicy and prcedure Systems Administratin. Virus checking sftware and firewalls as defined in Firewall Management Plicy, and prcedure Systems Administratin. Rle-based access rights including thse assigned t temprary staff as defined in prcedure Systems Administratin. Encryptin f devices that emplyees take them alng while ging hme such as laptps as defined in Encryptin Plicy and prcedure Systems Administratin. Security f lcal and wide area netwrks as defined in prcedure Systems Administratin. Privacy enhancing technlgies such as pseudnymizatin and annymizatin. Identifying apprpriate internatinal security standards relevant t Pyramid. Regular training sessins and awareness wrkshps t relevant emplyees. Measures that cnsider the reliability f emplyees (e.g. Backgrund Verificatin). The inclusin f data prtectin clauses in emplyment cntracts. Identificatin f disciplinary measures fr data breaches. Mnitring f emplyees fr cmpliance with relevant security standards. Physical access cntrls t electrnic and paper-based recrds. Adptin f a clear desk plicy as defined in Acceptable Usage Plicy. String f paper-based data in lckable cabinets as defined in Acceptable Usage Plicy. Restricting the use f prtable electrnic devices utside f the wrkplace. Prhibiting the use f emplyee s wn persnal devices being used in the wrkplace as defined in Acceptable Usage Plicy. Strictly fllwing clear rules abut passwrds as defined in Passwrd Security Plicy. Versin Apr-2018 Uncntrlled When Printed Page 6

7 Making regular backups f persnal data and string the media in a secure place. As defined in Backup Plicy. The abve mentined cntrls have been selected n the basis f identified risks t persnal data, and the ptential fr damage r distress t individuals whse data is being prcessed. Pyramid s cmpliance with this principle is cntained in its Infrmatin Security Management System (ISMS), which is already in practice since year 2012 in line with ISO/IEC and the infrmatin security plicy as defined in Infrmatin Security Plicy. Pyramid must be able t demnstrate cmpliance with the GDPR s ther principles (accuntability) The GDPR includes prvisins that prmte accuntability and gvernance. These cmplement the GDPR s transparency requirements. The accuntability principle in Article 5(2) requires Pyramid t demnstrate that we cmply with the principles and states explicitly that this is ur respnsibility. Pyramid will demnstrate cmpliance with the data prtectin principles by implementing data prtectin plicies, adhering t cdes f cnduct, implementing technical and rganizatinal measures, as well as adpting techniques such as data prtectin by design, risk assessment, breach ntificatin prcedures and incident respnse plans. GP-GDP_COM03-PIM Plicy SP_SEC_COM02-Infrmatin Security Plicy SP_SEC_COM20-Data & Media Handling Plicy SP_SEC_COM05-Acceptable Usage Plicy SP_SEC_COM18-Passwrd Security Plicy SP_SEC_COM07-Dcument Retentin Plicy SP_SEC_COM25-Access Cntrl Plicy SP_SEC_COM45-Firewall Management Plicy SP_SEC_COM27-Encryptin Plicy PR_SUP_COM25-System Administratin 6. Data Subject Rights Data subjects have the fllwing rights regarding data prcessing, and the data that is recrded abut them: T make subject access requests regarding the nature f infrmatin held and t whm it has been disclsed. Prevent prcessing, which is likely t cause damage r distress. Prevent prcessing fr purpses f direct marketing. Be infrmed abut the mechanics f autmated decisin-taking prcess that will significantly affect them. Sue fr cmpensatin if they suffer damage by any cntraventin f the GDPR. Take actin t rectify, blck, erase, including the right t be frgtten, r destry inaccurate data. Request the supervisry authrity t assess whether any prvisin f the GDPR has been cntravened. Versin Apr-2018 Uncntrlled When Printed Page 7

8 Persnal data prvided t them in a structured, cmmnly used and machine-readable frmat, and the right t have that data transmitted t anther prcessr r cntrller. Object t any autmated prfiling that is ccurring withut cnsent. Make data access requests. Cmplain t Pyramid at supprtgdpr@pyramidci.cm related t the prcessing f their persnal data, and appeal n hw cmplaints have been handled. 7. Cnsent Management Pyramid understands that Cnsent is explicitly and freely given. Cnsent is specific, infrmed and unambiguus indicatin f the data subject s wishes by statement r by a clear affirmative actin. It signifies agreement t the prcessing f persnal data relating t data subject. The data subject can withdraw their cnsent at any time. Pyramid understands that data subject has been fully infrmed f the intended prcessing and has signified their agreement, while in a fit state f mind t d s and withut pressure being exerted upn them. Cnsent btained under duress r n the basis f misleading infrmatin will nt be a valid basis fr prcessing. The basis f Cnsent is the active cmmunicatin between the parties. Cnsent cannt be inferred frm nnrespnse t a cmmunicatin. It is the respnsibility f the prcessr t demnstrate that cnsent was btained fr the prcessing peratin. Pyramid has t btain explicit written cnsent fr sensitive data f data subjects as defined in prcedure PR_GDP_COM05-GDP. In mst instances, cnsent t prcess persnal and sensitive data is btained rutinely by Pyramid using Cnsent Frm. Pyramid is nt prviding the services t children as f nw. The GDPR clause related t children is Nt Applicable. PR_GDP_COM05-GDP FR_GDP_COM05-Cnsent Frm 8. Security f Data All Emplyees are respnsible fr ensuring that any persnal data is kept securely and is nt under any cnditins disclsed t any third party unless that third party has been specifically authrized by Pyramid t receive that infrmatin and has entered int a cnfidentiality agreement. All persnal data shuld be accessible nly t thse wh need t use it. All persnal data shuld be treated with the highest security and must be kept: Under lck in a lcked drawer r filing cabinet (Physical dcuments) Under passwrd prtected as defined in Access Cntrl Plicy. Stred n (remvable) cmputer media which are encrypted as defined in Data & Media Handling Plicy. Versin Apr-2018 Uncntrlled When Printed Page 8

9 Care must be taken t ensure that Laptp and PC screens are nt visible except t authrized emplyees f the divisin. All Emplyees are required t sign the Acceptable Usage Plicy befre they are given access t rganizatinal infrmatin. Manual recrds may nt be left where they can be accessed by unauthrized persnnel and may nt be remved frm business premises withut written authrizatin. As sn as manual recrds are n lnger required fr day-t-day client supprt, they must be remved frm secure archiving. Persnal data may nly be deleted r dispsed f in line with the Dcument Retentin Plicy. Manual recrds that have cmpleted their retentin perid are t be shredded and dispsed-ff. Hard drives f redundant PCs are t be remved and immediately destryed as defined in Data & Media Handling Plicy. SP_SEC_COM25-Access Cntrl Plicy SP_SEC_COM20-Data & Media Handling Plicy SP_SEC_COM05-Acceptable Usage Plicy SP_SEC_COM07-Dcument Retentin Plicy 9. Disclsure f Data Pyramid ensures that persnal data is nt disclsed t any unauthrized persns (e.g. family members, friends, gvernment bdies, plice etc.). All Emplyees exercise cautin when asked t disclse persnal data f data subjects t a third party. The regular awareness sessins cnducted fr the emplyees f the respective divisin helps them t deal effectively with any such risk assciated with disclsure f data. All requests t prvide data fr disclsures are ruted t Data Prtectin Officer (DPO) fr actin. 10. Retentin and Dispsal f Data Pyramid will nt keep persnal data in a frm that permits identificatin f data subjects and fr lnger a perid than is necessary, in relatin t the purpse(s) fr which the data was riginally cllected. Pyramid may stre data fr lnger perids if the persnal data is prcessed slely fr archiving purpses in the public interest, scientific r histrical research purpses r statistical purpses, subject t the implementatin f apprpriate technical and rganizatinal measures t safeguard the rights and freedms f the data subject. The retentin perid fr persnal data is defined in Dcument Retentin Plicy alng with the statutry bligatins Pyramid has t retain the data. Persnal data must be dispsed f securely in accrdance with the sixth principle f the GDPR prcessed in an apprpriate manner t maintain security, thereby prtecting the rights and freedms f data subjects. Any dispsal f data will be dne in accrdance with the Data & Media Handling Plicy. SP_SEC_COM20-Data & Media Handling Plicy SP_SEC_COM07-Dcument Retentin Plicy 11. Data Transfer All imprts f data frm within the Eurpean Ecnmic Area (EEA) t Pyramid (referred t in the GDPR as third cuntries ) are received as defined in Infrmatin Transfer Plicy. Versin Apr-2018 Uncntrlled When Printed Page 9

10 SP_SEC_COM30-Infrmatin Transfer Plicy 12. Persnnel Data Inventry Pyramid has established a data inventry as part f its apprach t address risks and pprtunities thrughut its GDPR life-cycle. The data inventry includes: Business prcess that use persnal data. Surce f persnal data. Vlume f data subjects. Descriptin f each item f persnal data. Prcessing activity. Inventry f data categries f persnal data prcessed, if applicable. Dcuments the purpse(s) fr which each categry f persnal data is used, if applicable. Recipients, and ptential recipients, f the persnal data, if applicable. key systems and repsitries; Data transfer details. Dcument retentin requirements and dispsal. Pyramid is aware f any risks assciated with the prcessing f particular types f persnal data. Pyramid assesses the level f risk t data subjects assciated with the prcessing f their persnal data. Risk assessment are carried ut in relatin t the prcessing f persnal data by Pyramid, and in relatin t prcessing undertaken by ther parties n behalf f Pyramid in rder t reduce the likelihd f a data breach. Pyramid carry ut a risk assessment t find ut the impact n the prcessing peratins n the prtectin f persnal data, where new technlgies are used, resulting int high risk t the rights and freedms f data subjects. The Data Prtectin Officer may escalate the matter t the supervisry authrity, if it ntices that prcessing f persnal data using new technlgies culd cause damage and/r distress t the data subjects. Pyramid is certified fr ISO and maintain this status since year In view f this, Pyramid will leverage the best practices f ISO cntrls and will apply t reduce the level f risk assciated with prcessing f persnal data t an acceptable level. FR_SEC_COM27-Risk Assessment Versin Apr-2018 Uncntrlled When Printed Page 10