This data protection policy outlines the technical and organizational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of the articles 24, 25, and 32 GDPR to the extent applicable.
<enter company name> deals with three general categories of personal data:
The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.
<enter company name> appointed a data protection officer (DPO) who provides advice on data privacy issues, updates the team about changes in regulations and standards and, if required, supports with reviews and improvement of the measures. The DPO can be reached via <enter email address>.
In the future, the company is going to create data privacy guidelines documented in the form of standard operating procedures (e.g. DPR-SOP) and templates.
Reference here your Information-Security-Management-System (ISMS) in place.
<enter company name> operates based on office premises that are not freely accessible. They are locked when employees are away. The company implemented the following measures:
<enter company name> does not maintain servers or server rooms. (…)
If you operate your own server rooms, do your best at describing all security policies to prevent unauthorized people from entering here.
If you use a third party cloud provider, their policies here. Typically, they should provide you with loads of material that is helpful for this exercise.
If your users store data locally on their end devices - good for you. In that case, enter some description of that and outline that no data leaves the end device.
The company has implemented the following measures for access to software systems:
(…)
Describe your access restrictions. Those are measures not only to prevent unauthorized people from entering your offices, but also to prevent unauthorized (electronic) access. Some example measures:
- For every employee, a personally assigned user is set up with a password bound to strict requirements (at least 14 characters long with special characters).
- Passwords must be unique and may not be used for other accounts. Passwords must be changed annually.
- Central authentication with username and password, incl. mandatory 2-factor authentication. Every user has to verify the account at least every 30 days.
- Access is monitored and logged, including unsuccessful login attempts.
- Access is automatically blocked by the system after XXX failed attempts.
- Only employees get access to the majority of files and systems and the extent of access can be determined selectively.
The company has implemented following measures when working within software systems:
(…)
What are your policies when working with your internal systems? Some typical examples:
- The password rules for access control must also be followed for usage control.
- Role-based authorization, administrative user profiles are kept to a minimum.
- User-dependent authentication with username and password.
- The use of personal data is limited, so that only authorized individuals can use the personal data necessary for their task (De Minimis Principle).
- Logging of usage and changes.
- Paperless work by principle and compliant destruction of paper documents with a shredder where applicable.
(…)
This is often an overshoot, but think of scenarios in which identifiable data is really not that necessary. One common example:
- Customer data is pseudonymized so far as the connection to the individual is not absolutely necessary for the result.
(…)
This typically applies to companies managing large amounts of data from various customers:
- Separation of data is ensured for customer data based on software system management, e.g. through data storage in separate folders.
Transfer control shall ensure that only authorized individuals can inspect personal data. Employee mobile devices must be encrypted if personal data is stored on them.
(…)
How do you keep data safe in transmission? Some example measures:
- The use of single USB flash drives or related data carrier tools is not allowed. Information should only be printed out if absolutely needed. Printed copies must be shredded immediately as soon as they are no longer needed.
- Home office policies (e.g. connect to VPN)
The company has implemented the following measures for its software systems:
This applies to most cloud working environments (e.g. Google Drive, MS Sharepoint, Confluence, JIRA etc.). Any other measures to add in your context?
Again, if you are using a large cloud provider, you can add more extensive policies and measures here, such as for example:
- Cloud provider data centers and server rooms are state of the art (temperature control, fire protection, water penetration, uninterrupted power supply (UPS) ensuring controlled shutdown without any loss of data).
(…)
As before, think about your own organizational setup. How do you ensure safe development? Some examples:
- Third party applications must be approved prior to use by (…) according to (…) to ensure compliance with quality management and data privacy requirements.
- Development tools must only be downloaded from secure sources (e.g., the manufacturer’s servers).
- Where possible, single-sign-on authentication is used for third party applications to allow for a complete and compliant access administration within the organization.
- Less secure third-party applications are disabled by administrator default configurations.
(…)
- Product development must take into account giving users the option of entering only the information necessary for the purpose of processing. Input fields with additional, unnecessary information should be avoided or at least designed as non-mandatory.
- By default, privacy-friendly settings must be preselected.
The company implemented the following concept for automatic data deletion:
| Data category | Retention period | Responsible |
|---|---|---|
| User data | <This period typically should be specified as part of the informed user consent> | |
| Customer data | - Customer data after termination of contracts - Lead contact data after 10 years of paused communication |
|
| Employee data | Until end of employment | |
| Applicant data | Until 6 months after hiring decision or longer in case of employment | |
| Website data | Deleted after every session | Automated |
The company has implemented the following measures:
Data protection and IT security within the company is reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:
The company has implemented the following internal measures:
Template Copyright openregulatory.com. See template license.
Please don’t remove this notice even if you’ve modified contents of this template.