I. TERMS AND DEFINITIONS
- Terms below shall have the following meanings:
- “ToS” means the Terms of Service the client agreed to when they opened an account with N8 Solutions.
- The Business providing you services through this website is N8 Solutions Web Hosting (referred to hereinafter as N8 Solutions), a business duly organized under the law of Greece, registered in Greece, having its working address at “Dimitriou Liakou 8, 3rd Floor, Aspropyrgos, Attica, Greece 19300”, represented by Michael Koontz.
- "N8 Solutions Products" means the Software and other products of N8 Solutions together with any products that are hereafter designed, developed or marketed by N8 Solutions.
- “Client Data” means data submitted, stored, sent or received via the Software by Clients or End Users.
- “Client Personal Data” means personal data contained within the Client Data.
- “Data Incident” means a breach of N8 Solutions security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data on systems managed by or otherwise controlled by N8 Solutions. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Data Processing Amendment” or “DPA” means this Amendment, which is an inseparable part of the Terms of Service the client agreed to abide by with N8 Solutions.
- “European Data Protection Legislation” means, as applicable, the GDPR, as well as any other applicable EU legislation.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- "License" means the Software license granted to the Client by N8 Solutions pursuant to the ToS.
- “Party” means either N8 Solutions or the Client.
- “Parties” means both N8 Solutions and the Client.
- “Term” means the term set forth in the Terms of Service.
- “Services” means the services, provided by N8 Solutions as described in the ToS for the N8 Solutions Services, an inseparable part of this DPA.
- “Standard Contract Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
- “Subprocessors” means third parties authorized under this DPA to have logical access to and process Client Data in order to provide parts of the Services and related technical support.
- “Third parties” means any other persons, organizations and authorities, besides N8 Solutions and the Client.
- “Web-site” means the web-based site www.n8solutions.host.
- All terms, which have not been explicitly defined above, such as “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, etc. have the meanings given in the GDPR.
II. SCOPE OF AMENDMENT
- This DPA reflects the Parties’ agreement with respect to the terms governing the processing and security of Client Data under the ToS according to the requirements of GDPR and any other European Data Protection Legislation.
- The parties acknowledge and agree that the European Data Protection Legislation, including the GDPR, will apply to the processing of Client Personal Data if the Client Personal Data is personal data relating to data subjects who are in the EU/EEA and the processing relates to the offering to them of goods or services in the EU/EEA or the monitoring of their behaviour in the EU/EEA, as well as when the processing is carried out in the context of the activities of an establishment of Client in the territory of the EU/EEA.
- The Parties agree that the sets of data processing and transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with N8 Solutions qualifying as a processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement.
- In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Client to N8 Solutions of the personal data, the Parties have entered into this DPA.
- The Parties agree that N8 Solutions shall have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance or orders issued by competent Union or Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in good faith effort taking their obligation to carry out this contractual relationship in compliance with applicable data protection law into account.
- N8 Solutions is a processor of Client Personal Data.
- Client is a controller of Client Personal Data.
- Each Party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Client Personal Data.
- Client warrants to N8 Solutions that Client’s instructions and actions with respect to that Client Personal Data, are legitimate and permitted under the applicable European Data Protection Legislation.
- Client is responsible that the processing activities relating to the personal data, as specified in this DPA, are lawful, fair and transparent in relation to the data subjects concerned.
- By entering into this DPA, the Client instructs N8 Solutions to process Client Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Client’s use of the Services and related technical support; (c) as documented in the applicable ToS and this DPA; and (d) as further documented in any other written instructions given by Client and acknowledged by N8 Solutions as constituting instructions for purposes of this DPA.
- Any further instructions of processing, given by the Client to N8 Solutions that go beyond the instructions contained in this DPA or the ToS shall be considered within the subject matter of the ToS and this DPA and N8 Solutions’s acts of processing shall be considered lawful and compliant with the GDPR and other applicable legislation. It shall be the Client’s responsibility to guarantee the legality of any personal data processing of which the Client has given instructions to N8 Solutions to perform.
- The Client acknowledges that the Services, provided by N8 Solutions to the Client include, among others described above, the provision by N8 Solutions to the Client and all End Users, using the Software on behalf of the Client, of notifications on the scope of Services, their update, upgrade, amendment, new releases, development and/or termination via Newsletters, emails and other electronic and non-electronic means of communication, which may be applicable.
- N8 Solutions will comply with the instructions described above (Client’s Instructions) (including with regard to data transfers) unless EU or Greek State law requires other processing of Client Personal Data by N8 Solutions, in which case N8 Solutions will inform Client (unless that law prohibits N8 Solutions from doing so on important grounds of public interest). Upon providing such notification, N8 Solutions is not obliged to follow the Client’s instruction.
- For clarity, N8 Solutions will not process Client Personal Data for Advertising purposes or serve Advertising in the Services. Notifications from N8 Solutions to the Client and all End Users on the scope of Services, their update, upgrade, amendment, new releases, developments and/or termination via Newsletters, emails and other electronic and non-electronic means of communication, which may be applicable, shall not be considered advertising, marketing or other activity, not included in the Services. Such notifications shall be considered part of the Services provided by N8 Solutions to Client.
- If at any time the Client or any End User would like to unsubscribe from receiving future emails, he or she must follow the instructions on how to unsubscribe at the bottom of N8 Solutions emails.
- N8 Solutions’s provision of the Services and related technical support to Client.
- The personal data processed concern the following categories of data subjects:
- staff of the Client – End Users;
- other subjects, whose personal data is entered by the End Users.
- N8 Solutions will process Client Personal Data submitted, stored, sent or received by Client, its Affiliates or End Users via the Software for the purposes of providing the Services and related technical support to Client in accordance with the DPA.
- The applicable Term plus the period from expiry of such Term until deletion of all Client Data by N8 Solutions in accordance with the DPA, unless the GDPR requires otherwise.
- Personal data submitted, stored, sent or received by Client or End Users via the Services may include the following categories of data:
- Name and User name – necessary for identification of the Data Subject. The main feature of the Software is to manage and control processes, so it is vital to be able to recognise the person performing the respective activities which are being monitored.
- Email address – necessary for authenticating the End Users before allowing its access to the Software and Client Data, including Client Personal Data, as well as for providing technical support.
- Phone number – necessary for providing technical support and communicating conditions in respect of the provision of the Service.
- Job position – necessary for the provision of the Services according to the specific job description and job requirements as well as for the provision of proper technical support in accordance with the User qualifications.
- other data, uploaded by Client and End Users – entering and upload of any other personal data is at the full discretion of the Client.
- N8 Solutions shall not use any other personal data, entered by Client or End User, except for categories of data, described in Section (a) above.
- It is not N8 Solutions’s obligation to monitor personal data, entered or uploaded by Client or End User, to categorize or process it in any other way.
- It is the Client’s responsibility to provide and guarantee that the processing personal data activities, performed by Client and End Users with the Software shall be compliant with the requirements of the GDPR.
- Each User of the Software provides personally the Personal data, entered or uploaded in the Software.
- Client and End users shall enter third party personal data only with due authorization or GDPR compliant consent by such party. Client and End users are responsible for entering somebody else’s personal data without acquiring their preliminary due authorization or GDPR compliant consent. N8 Solutions does not control the content, entered by Client and End User. N8 Solutions has no contact with any third parties, whose personal data the Client or End User may enter in the software. In the event of a third-party claim or sanctions by a competent authority in respect of entering third party personal data in the Software in violation of GDPR by Client or End User, Client shall compensate N8 Solutions for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
- Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Client’s employees and contractors; the personnel of Client’s Clients, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
- Client shall grant access to End Users after acquainting them with the information, provided to Client in this DPA, the rights of the End Users under the GDPR and the methods of their implementation. Client acknowledges that such provision of information is required by GDPR and is necessary for the implementation of GDPR principles of data protection. Client shall also grant access to End Users, who have accepted the terms and conditions of data protection, included in this DPA. In the event of a Data Subject claim or sanctions by a competent authority in respect of entering or processing personal data in the Software in violation of GDPR by Client or End User, Client shall compensate N8 Solutions for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
- Disabling Website cookies may affect some features of the Website and these may not work properly or as intended.
- If N8 Solutions at its option makes any Additional Services available to Client in accordance with the ToS and if Client opts to install or use those Additional Services, the Services may allow those Additional Services to access Client Personal Data as required for the operation of the Additional Services. For clarity, this DPA shall apply to the processing of personal data in connection with the provision of any Additional Services installed or used by Client, including personal data transmitted out of the EU.
- Even if the Client has not objected initially to the transfer of data out of EU, the Client may at all times inform in writing N8 Solutions that Client does not want personal data to be transferred any more to third parties in case of Additional service integration and N8 Solutions shall not transfer in the future such data after the date on which N8 Solutions has received the communication from the Client. However, if the Client has initially accepted such transfer and has not later on informed N8 Solutions in writing about any objection, it shall be considered that the Client has instructed N8 Solutions to provide the Additional Service and execute data transfers until the date of the objection. If the Client objects to such transfer, the Client and the end Users shall not be able to use those Additional Services anymore.
- N8 Solutions will enable Client and/or End Users to delete Client Data during the applicable Term in a manner consistent with the functionality of the Services, if such deletion is in accordance with applicable law. N8 Solutions will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless EU or Greek law requires storage.
- With this DPA the Client instructs N8 Solutions to delete, on expiry of the applicable Term, all Client Data (including existing copies) from N8 Solutions’s systems in accordance with applicable law. N8 Solutions will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or Greek law requires storage. Client acknowledges and agrees that Client will be responsible for exporting, before the applicable Term expires, any Client Data it wishes to retain afterwards.
- To the extent any Client Data covered by the deletion instruction described in Section (b) is also processed, when the applicable Term expires, in relation to the ToS with a continuing Term, such deletion instruction will only take effect with respect to such Client Data when the continuing Term expires.
- For clarity, this DPA will continue to apply to Client Data until its deletion by N8 Solutions.
- N8 Solutions will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Technical and organizational measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of N8 Solutions’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. N8 Solutions may update or modify the Technical and organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- N8 Solutions will take appropriate steps to ensure compliance with the Technical and organizational Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Client agrees that N8 Solutions will (taking into account the nature of the processing of Client Personal Data and the information available to N8 Solutions) assist Client in ensuring compliance with any of Client’s obligations in respect of security of personal data and personal data breaches, including if applicable Client’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Technical and organizational Measures in accordance with the GDPR; (b) complying with the procedures for Data Incidents notification and regulation as required by the GDPR; (c) providing Client with the necessary information and documentation as required by the GDPR.
- If N8 Solutions becomes aware of a Data Incident and if it is required by the GDPR, N8 Solutions will notify Client of the Data Incident promptly and without undue delay; and promptly take reasonable steps to minimize harm and secure Client Data.
- Notifications made pursuant to this section will implement the requirements of the GDPR and will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps N8 Solutions recommends Client take to address the Data Incident.
- Notification of any Data Incident will be delivered to the Email Address of the Client, recorded in the Client’s account information or, at N8 Solutions’s discretion, by direct communication (for example, by phone call or an in-person meeting). Client is solely responsible for ensuring that the Client’s Email Address is current and valid.
- N8 Solutions will not assess the contents of Client Data in order to identify information subject to any specific legal requirements. Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Data Incident.
- N8 Solutions’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgement by N8 Solutions of any fault or liability with respect to the Data Incident.
- Client acknowledges that although N8 Solutions will take all reasonable precautions to keep personal data safe and secure, N8 Solutions shall not be liable for extraneous circumstances such as theft, communication errors or malicious tampering.
- Client agrees that Client is solely responsible for its use of the Services and the compliance of Client’s and End Users’ activities with GDPR, including:
- making appropriate use of the Services and the Software to ensure a level of security appropriate to the risk in respect of the Client Data;
- securing the account authentication credentials, systems and devices Client uses to access the Services; and
- backing up its Client Data;
- Client agrees that N8 Solutions has no obligation to protect Client Data that Client elects to store or transfer outside of N8 Solutions’s and its Subprocessors’ systems (for example, offline or on-premise storage), or to protect Client Data by implementing or maintaining Technical and organizational Measures except to the extent Client has opted to use them.
- Client is solely responsible for reviewing N8 Solutions’s Technical and Organisational Measures and evaluating for itself whether the Services, the Technical and organizational Measures and N8 Solutions’s commitments under DPA will meet Client’s needs, including with respect to any security obligations of Client under the European Data Protection Legislation, as applicable.
- Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Client Personal Data as well as the risks to individuals) the Technical and organizational Measures implemented and maintained by N8 Solutions as set out in this DPA provide a level of security appropriate to the risk in respect of the Client Data.
- Client agrees that N8 Solutions may (taking into account the nature of the processing and the information available to N8 Solutions) assist Client in ensuring compliance with any obligations of Client in respect of data protection impact assessments and prior consultation, including if applicable Client’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the Client with N8 Solutions’s Technical and Organisational Measures and providing other information contained in the applicable ToS including this DPA.
- N8 Solutions may charge a fee (based on N8 Solutions’s reasonable costs) for any assistance under Section (a) above. N8 Solutions will provide the Client with details of any applicable fee, and the basis of its calculation, in advance of any such assistance.
- N8 Solutions may object in writing to providing any assistance under Section (a) above at its own discretion, if it will harm or may harm in any way N8 Solutions’s legal rights, business interests, normal course of activities or may be otherwise manifestly unsuitable.
- In order to assist the Client with its legal obligation to diligently choose a service provider, N8 Solutions shall monitor, by appropriate means, its own compliance and the compliance of its employees and Sub-processors with the respective data protection obligations of a Processor laid down in Art. 28 of the GDPR and in this DPA in connection with the Services. N8 Solutions shall make available to the Client any information necessary to demonstrate compliance with such obligations when required by the GDPR.
- N8 Solutions has made available for review by Client N8 Solutions’s Technical and organizational measures and Standard Contract Clauses with Subprocessors. The Client is responsible to confirm before processing is carried out that N8 Solutions’s technical and organizational measures are appropriate and sufficient to protect the rights of the data subjects.
- If the European Data Protection Legislation requires, N8 Solutions will allow Client or an independent auditor appointed by Client to conduct audits to verify N8 Solutions’s compliance with its obligations under this DPA. N8 Solutions will contribute to such audits by providing information and documentation as described in Section (a) above or to the extent required by GDPR and Greek data protection legislation.
- Following receipt by N8 Solutions of a request for an audit, N8 Solutions and Client will discuss and agree in advance on reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
- N8 Solutions may charge a fee (based on N8 Solutions’s reasonable costs) for any audit. N8 Solutions will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
- N8 Solutions may object in writing to an auditor appointed by Client to conduct any audit, if the auditor is, in N8 Solutions’s reasonable opinion, not suitably qualified or independent, a competitor of N8 Solutions, or otherwise manifestly unsuitable. Any such objection by N8 Solutions will require Client to appoint another auditor or conduct the audit itself.
- During the applicable Term, N8 Solutions will, in a manner consistent with the functionality of the Services, enable Client to access, rectify and restrict processing of Client Data, including via the deletion functionality provided by N8 Solutions as described in this DPA and to export Client Data.
- N8 Solutions agrees and warrants that it will deal promptly and properly with all inquiries from the Client relating to its processing of the Client personal data and to abide by the advice of the supervisory authorities with regard to the processing of the Client personal data.
- Client agrees that (taking into account the nature of the processing of Client Personal Data) N8 Solutions will assist Client in fulfilling any obligation to respond to requests by data subjects, including if applicable Client’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the GDPR obligatory requirements.
- Client agrees that N8 Solutions may store and process Client Data in the United States and any other country in which N8 Solutions or any of its Subprocessors maintains facilities.
- If the storage and/or processing of Client Personal Data involves transfers of Client Personal Data out of the EU/EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), N8 Solutions may enter into Standard Contract Clauses with Subprocessors as provided by the respective Subprocessors and that the transfers are made in accordance with such Standard Contract Clauses. Taking into account the state of technologies and the extensive use of internet in acquiring some services, Client agrees that N8 Solutions may also accept Subprocessors’ ToS or any equivalent or alternative, provided by Subprocessors via their websites.
- In respect of Transferred Personal Data, shall be considered as a contractual obligation of N8 Solutions in fulfilling N8 Solutions’s obligation to provide the Services and more specifically as a Client’s instruction in the meaning of GDPR.
- Whenever N8 Solutions has entered into Standard Contract Clauses, N8 Solutions will ensure that any disclosure of Client's personal data, and any notifications relating to any such disclosures, will be made in accordance with such Standard Contract Clauses, the requirements of applicable European Data Protection Legislation and the binding decisions of the European Commission and the European Court of Justice.
- In respect of Transferred Personal Data, Client agrees that any such Transfer of Data, executed in compliance with this Section 22, shall be considered as suitable guarantee and an effective legal tool for personal data protection.
- Client generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).
- Information about the N8 Solutions Subprocessors is available in Appendix 1 below and may be updated by N8 Solutions from time to time.
- When engaging any Subprocessor, N8 Solutions will ensure via a written contract or another suitable electronic form that: (i) the Subprocessor only accesses and uses Client Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with any Standard Contract Clauses entered into by N8 Solutions; and (ii) if the GDPR applies to the processing of Client Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as required by the GDPR, are imposed on the Subprocessor.
- Subprocessors remain fully liable for all obligations subcontracted to them and all acts and omissions of the Subprocessor except for all cases when the GDPR transfers the liability for Subprocessors to N8 Solutions in its capacity of a processor.
- When any Additional service is engaged via a Third Party Subprocessor during the applicable Term, N8 Solutions will inform the Client of the engagement either by sending to the Client a Newsletter, an email, a message via the Admin Console, or via the Blog.
- Client may object to any new Third Party Subprocessor by discontinuing any services provided by N8 Solutions and terminating their account as per the ToS immediately upon written notice to N8 Solutions, on condition that Client provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Third Party Subprocessor.
- Client acknowledges that N8 Solutions is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which N8 Solutions is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Client Personal Data, Client will, where requested, provide such information to N8 Solutions and will ensure that all information provided is kept accurate and up-to-date.
- Nothing in this DPA will affect the remaining terms of the applicable ToS relating to liability (including any specific exclusions from any limitation of liability).
- To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the applicable ToS, the terms of this DPA will govern. For clarity, this DPA will, as from the Effective Date be effective and replace any previously applicable data processing provisions.
- Effective Date means, as applicable: (a) 25 May 2018, if Client clicked to accept or the parties otherwise agreed to this DPA in respect of the applicable ToS prior to or on such date; or (b) the date on which Client clicked to accept or the parties otherwise agreed to this DPA in respect of the applicable ToS, if such date is after 25 May 2018.
- This DPA will take effect on the Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Client Data by N8 Solutions.
- This DPA shall be governed by the law of Greece. The place of jurisdiction for all disputes regarding this DPA shall be Athens, Greece, except as otherwise stipulated by applicable data protection law.
Appendix 1: SUBPROCESSORS
- For providing quality services to the Client N8 Solutions engages a number of Subprocessors, carefully selected according to their capacity for Client personal data protection and processing in compliance with N8 Solutions’s obligations under this DPA and the GDPR.
- All Subprocessors, situated out of EU, whose services require transfer of personal data out of EU, shall be compliant with the requirements of Section 22. Transfers of Data Out of the EU/EEA.
- N8 Solutions uses as Subprocessors, and Client personal data may be transferred to, the providers of the following services:
- Email automation software (Mailchimp);
- Content Delivery Network (Cloudflare);
- Payment gateway (PayPal);
- Datacenter (Hetzner);
- Server Software Support (Cloudlinux);
- Control Panel Support (Plesk).
- N8 Solutions may replace its Subprocessors from time to time following above rules of strict selection. Updated information about the list of current Subprocessors may be found at all times here on our website and we may inform you about such updates via our newsletters.
- The right to object or terminate their account is included in Sec. 23f: Client may object to any new Third Party Subprocessor by discontinuing their use of any services provided by N8 Solutions and terminating their account immediately via written notice to N8 Solutions, on condition that Client provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Third Party Subprocessor.
Appendix 2: DESCRIPTION OF THE TECHNICAL AND ORGANISATIONAL SECURITY MEASURES IMPLEMENTED BY N8 SOLUTIONS:
NETWORK AND SYSTEMS SECURITY
- Firewall and router configurations have to be set up in order to restrict inbound and outbound traffic from “untrusted” networks (including wireless) and hosts. Deny all other traffic, except for protocols necessary for the personal data environment (PDE).
- Application firewalls have to be set up in front of web servers belonging to the PDE, in order to verify and validate the traffic which is directed to the server. Any unauthorized service or traffic should be blocked and an alert should be generated.
- Production (real) data should only be allowed in production environments. Upon exception and with all necessary approvals, QA environments may process (real) personal data only to the extent that they are protected as production environments. Testing and development environments, as well as pre-production environments, must use either anonymized or synthetic data.
- Standard hardening configuration templates have to be developed for databases, applications and operating systems containing personal data.
- Personal data retention time must be limited to the extent which is necessary for each single processing activity, albeit in compliance with legal and/or regulatory (retention) obligations.
- Personal data has to be made unreadable (e.g. by means of encryption) when stored on portable digital media, backup media or log files.
- Strong cryptography and security protocols have to be implemented, in order to protect personal data during transmission over open, public or untrusted networks.
- In case channel encryption is not possible, files and attachments containing personal data have to be protected by means of encryption whenever they are transmitted over open, public or untrusted networks.
- Security tools should be used to monitor and control the flow of personal data through endpoints and towards external networks.
- Database/data storage encryption should be based upon a proper classification of the assets in scope, according to their level of criticality. For example, databases/data storages serving bank’s core business processes/services or storing a large amount of personal data may be protected by strong encryption.
- Media containing personal data must be protected against unauthorized access, through adequate physical (e.g. lock) and logical (e.g. encryption, access control, etc.) security measures.
- Upon return and/or dismissal of ICT assets and resources, secure clean-up procedures (e.g. wiping) should be put in place, in order to remove all personal data and/or securely overwrite it prior to disposal or re-use.
- Paper documents or magnetic/optical media (e.g. hard disks, DVDs, CDs, smart cards, USB flash drives) have to be destroyed or rendered unusable to ensure that the data and information they contain cannot be reconstructed and/or used (even partially) by unauthorized Third Parties. Paper documents have to be physically destroyed, through specific shredder devices, before being trashed.
- Employees must be adequately educated and trained on the correct rules of conduct to be adopted for the protection of personal data contained in paper documents (for example: when leaving the workstation, make sure that nobody can access confidential information; protect the original documents and the photocopies from theft or unauthorized use; keep the documentation in locked drawers and closets at the end of the working session).
- Proper procedures should be put in place in order to restore the availability of personal data (as a right of the data subject) in a timely manner. Back-up procedures should ensure that copies of personal data are made at least weekly.
IDENTITY AND ACCESS MANAGEMENT
- Access authorization to production environments containing personal data should be given according to the “need to know” and “least privilege” principles.
- Policies and procedures must be implemented to ensure the proper identification of users and administrators accessing system components managing personal data. All users should be assigned a unique user name before being allowed to access system components or personal data.
- Individual remote administrative accesses to systems managing personal data have to be protected by means of an authentication mechanism requiring password changes every 90 days. Additionally, password vaulting tools should be evaluated in order to increase the security of credentials.
- Passwords for systems and devices managing personal data must contain at least 8 digits, not easily attributable to the user, and they must be changed at least every 3 months.
- System resources and access rights must be assigned to user accounts, where user accounts are assigned to unique users.
- Remote access (from external networks) to the PDE has to be protected by means of multi-factor authentication.
- All accesses to databases containing personal data should be protected/controlled as follows:
  - Application credentials to access databases cannot be used by individual users or other non-application processes.
  - Such application/system user credentials must be appropriately protected against potential misuse.
  - Access must be granted only to the personnel who really need it for the performance of their own job/tasks (need to know principles).
  - A formal user registration and de-registration process should be implemented to enable assignment of access rights to manage personal data.
- The number of personal data repositories (databases, files, copies, archives) should be kept to an absolute minimum, avoiding unnecessary duplication. Instead of duplication, preference should be given to pseudonymised databases that perform look-ups into master repositories for specific personal data, if and when needed.
- Visibility of personal data must be limited to the sole set of information which is necessary for the single processing activities. No unnecessary personal data should be made available to users.
- Users’ access rights to personal data should be reviewed/re-certified at regular intervals and, in any case, at least annually, as per the regular Identity and Access Management process.
- Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged onto the machine without administrative privileges, the administrator should gain administrative privileges.
LOGGING AND MONITORING
- Access to production environments containing personal data (and, where technically possible, access to personal data) should be monitored and logged, in order to precisely record the link between each access and the individual user accessing personal data.
ORGANISATION AND HUMAN SECURITY
- Adequate procedures should be put in place to ensure the continuous availability of personal data: back-up personnel should be identified to ensure the continuity of the service to the data subject wishing to access their own personal data.
- A formal security awareness program has to be implemented, to make all personnel aware of policy and procedures related to personal data security. Periodic tests or simulations may be performed, to assess whether employees click on a link from a suspicious e-mail or provide personal/sensitive information without following appropriate security procedures to verify the reliability of the source. As a consequence, targeted training should be provided to those employees falling victim to the test.
- Clear contractual agreements have to be signed off with service providers, in order to state their responsibility for the security of personal data they process/store/transmit on behalf of the Data Controller.
- Employees’ responsibilities and duties regarding the confidentiality of personal data should be clearly stated as valid also after the termination or change of employment.
- Personal data must not be copied onto removable media, except for those media expressly authorized by the Processor for specific tasks.
DATA PROTECTION BY DESIGN
- Processes and tools for the Secure Software Development Lifecycle (SDLC) have to be integrated with appropriate security checks/controls and requirements, in order to ensure that new ICT software/applications are designed and developed taking into consideration the requirements of embedded security.
- Processes of ICT Change Management have to be integrated with appropriate security checks/controls and requirements, in order to ensure the continuous protection of the ICT software/applications in place, upon relevant changes.
PERSONAL DATA BREACH NOTIFICATION
- Processes and tools for Incident Management have to be properly implemented and/or improved, in order to enable the detection and classification of personal data breaches so that they are correctly communicated to the Controller within the terms established in the paragraph "Notification obligation and Security Breach".
- A register of personal data breaches should be created and maintained.