security and integrity of personal data
Policy concerning the security and integrity of personal data processed within S.C. The Traveling Tulip S.R.L.
1. General provisions
Personal data processing within S.C. THE TRAVELING TULIP S.R.L., headquartered in Ploiești, 3, Aleea Cirezarilor, Building 25A, apt. 7, Prahova, registered in the Trade Register Office with no. J29/2554/2018, Unique Registration Code 39561181, IBAN RO93INGB0000999908067697, opened at ING Bank Romania, legally represented by Mrs. Iulia Alexandra Fălcuțescu as the Administrator (the “Society” or the “Operator”), will take into account the security requirements below.
Security requirements within the Society are established according to Regulation no. 679/2016 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, taking also into account the state of development, the implementation costs and the nature, scope, context and purposes of the data processing, together with the reduced risk for the rights and liberties of natural persons.
The Society applies appropriate technical and organizational measures so that the data processing is carried out according to the applicable law.
The measures below will be revised and updated by the Society whenever necessary.
2. Processing security
The Society implements technical and organizational measures according to the law, in order to ensure an appropriate security level for personal data.
When evaluating the appropriate security level, the risks of processing, especially those arising from the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, were taken into account.
3. Identification and authentication of users with a right to access the Operator’s databases
A user is any person who acts under the authority of the Operator, having a recognized right to access personal data databases.
Identification of the user
In order to get access to a personal data database, users must identify themselves. Identification is done by entering the identification code (a string of characters) using the keyboard.
Each user has their own identification code. No two users ever have the same identification code.
Identification codes (or user accounts) left unused for a longer period of time (for example, when the user’s individual labour contract has ended) will be deactivated and destroyed.
Authentication of the user
Any user account has an authentication method. Authentication will be done by entering a complex password of minimum 5 characters. The password must meet at least 2 of the following 3 characteristics: at least one capital letter, at least one digit, at least one special character; and it cannot contain the user’s name or surname.
The password assigned to each user will be changed once every 6 months by deactivation of the previous credentials.
The Operator’s information system automatically refuses access to a user after an incorrect password has been entered 5 times. Passwords must not be displayed on the monitor when entered.
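As an added example (not part of the policy and not the Operator's own system), the following checks implement the password rule and the lockout rule stated above, with the policy's thresholds as constants; the case-insensitive name comparison is an assumption, since the policy does not specify it.

```python
# Example code, not part of the policy: checks implementing section 3's
# password rule and lockout rule. Thresholds are taken from the policy text.
import string
from collections import defaultdict

MIN_LENGTH = 5           # "minimum 5 characters"
MIN_CLASSES = 2          # "2 out of the 3 following characteristics"
MAX_FAILED_ATTEMPTS = 5  # access refused after 5 incorrect passwords


def validate_password(password: str, name: str, surname: str) -> list:
    """Return the policy violations for a candidate password (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.isupper() for c in password),              # capital letter
        any(c.isdigit() for c in password),              # digit
        any(c in string.punctuation for c in password),  # special character
    )
    if sum(classes) < MIN_CLASSES:
        violations.append("fewer than %d of 3 character classes" % MIN_CLASSES)
    # Name check is case-insensitive (assumption; the policy does not specify).
    lowered = password.lower()
    if any(p and p.lower() in lowered for p in (name, surname)):
        violations.append("contains the user's name or surname")
    return violations


class LoginGuard:
    """Per-identification-code failure counter; locks the account at the limit."""

    def __init__(self):
        self._failures = defaultdict(int)

    def is_locked(self, user_id: str) -> bool:
        return self._failures[user_id] >= MAX_FAILED_ATTEMPTS

    def record_attempt(self, user_id: str, password_correct: bool) -> str:
        """Return 'locked', 'denied' or 'granted'; a success resets the counter."""
        if self.is_locked(user_id):
            return "locked"
        if not password_correct:
            self._failures[user_id] += 1
            return "locked" if self.is_locked(user_id) else "denied"
        self._failures[user_id] = 0
        return "granted"
```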
Confidentiality, user account and password
Any user who is assigned an identification code and an authentication method must keep them confidential and is accountable to the Operator in this respect.
Employees are under the obligation to change their passwords as soon as they have reason to believe that unauthorized persons know them, or if the passwords had to be disclosed to another person for any other reason.
4. Access type
Users must access only the personal data needed for executing their work tasks and according to the access rights assigned by the IT department, in accordance with the decisions taken by the Operator’s leadership.
5. Data processing
The Operator will appoint authorized operators for collecting, entering and modifying personal data.
The IT department will adopt appropriate measures so that the information system can record changes in the files containing personal data.
6. Security copies
Security copies (backups) of files containing personal data will be made by the IT department periodically.
7. Access files
The IT department of the Operator will implement all necessary measures so that access to files containing personal data can be verified.
8. Computers and access terminals
Computers and access terminals will be installed in rooms that can be locked, or other measures will be taken so that access to the computers requires a key or magnetic card.
Accessing the computers or the access terminals will require a password, and the employees will strictly obey the recommendations of the IT department concerning the settings and the changing of passwords.
In order to maintain the security of the data processing (especially against computer viruses), the IT department has implemented measures for:
- prohibiting the use of software from external or unknown sources;
- appropriate protection against computer viruses (licensed antivirus software).
Employees will avoid saving documents containing personal data on the computer and will work instead on the Society’s server. In exceptional cases, however, the employee will inform the IT department and the documents containing personal data will be protected accordingly.
Employees will not use personal e-mail addresses for professional purposes.
Employees have to close the work session when they leave the office; the work session will close automatically after 15 minutes of inactivity.
Certain users of the Society can access the Society’s IT resources from outside the Society, according to the work needs in a certain period of time. In such a situation, access to the Society’s IT system will be possible only using a secure method and only through a VPN.
9. Data printing
Personal data will only be printed for the accomplishment of work tasks.
10. Personnel instruction
The Operator will inform its employees about the provisions of the GDPR and about the policies concerning personal data.
11. Additional security measures
Personal data in electronic format will be saved in special files, appropriately protected, and will be stored mainly on the Society’s server, which is protected by appropriate security measures.
The Operator has implemented firewall and proxy systems in order to ensure safe Internet browsing.
In case of a power outage, the Operator will make sure that a generator set is available in the office, which will take over automatically as soon as the power outage occurs.
If there are also documents containing personal data kept on paper, they will be kept in safes or in protected places secured by special systems (for example, lockers or access cards).
12. Notification of the National Supervisory Authority for Personal Data Processing in case of a breach of personal data security
In case of a breach of personal data security, the Society will notify the National Supervisory Authority for Personal Data Processing without unjustified delay and, if possible, not later than 72 hours from the moment it became aware of the breach, except where the situation might generate a risk for the rights and liberties of the natural persons involved.
The person responsible for personal data protection will inform the Society without unjustified delay after becoming aware of any breach of personal data security.
Regardless of the notification sent to the National Supervisory Authority for Personal Data Processing, the Society will take all necessary measures to remedy the problem as soon as possible and, where needed, to reduce the negative effects of the breach. The Society will keep documentation of all breaches of personal data security, including a description of the factual circumstances of the breach, of its effects and of the corrective measures implemented.
Informing the data subject about breaches of personal data security
If the breach of personal data security is believed to generate a high risk for the rights and liberties of the natural persons involved, the Society will inform the data subject about the breach without unjustified delay, if this is stipulated in the applicable law.
Evaluation of the impact on the data protection
In case a certain manner of data processing, especially those using new technologies, is believed to generate a high risk for the rights and liberties of the natural persons involved, the Society will perform an evaluation of the impact of the processing operations on the personal data protection.
When performing the evaluation of the impact on personal data protection, the Society will seek the advice of the person responsible for data protection.
The evaluation of the impact on personal data protection is mandatory, especially in the case of:
- a systematic and comprehensive evaluation of personal aspects concerning natural persons, based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person involved or similarly significantly affect that person;
- large-scale processing of a special category of data or of personal data relating to criminal convictions and offences;
- systematic monitoring of a publicly accessible area on a large scale.
The evaluation will include at least:
- a systematic description of the envisioned processing operations and of the purposes of the processing, including, where appropriate, the legitimate interest of the Society;
- an evaluation of the necessity and proportionality of the processing operations connected to these purposes;
- an evaluation of the risks for the rights and liberties of the data subject;
- the envisioned measures to address the risks, including guarantees, security measures and mechanisms meant to ensure personal data protection and to demonstrate compliance, taking into account the rights and legitimate interests of the data subjects and of other interested persons.
Where necessary, the Society carries out a review to assess whether the processing takes place in accordance with the evaluation of the impact on data protection, at least when there is a change in the risk represented by the processing operations.
The Society will consult the National Supervisory Authority for Personal Data Processing prior to the personal data processing if the evaluation of the impact on data protection indicates that the data processing would generate a high risk in the absence of measures taken by the Operator to reduce the risk.
This policy is completed by the other standards and policies in this domain, as adopted by the Society periodically.