I. GENERAL RULES
Art. 1 These procedures establish the technical and organizational measures that fulfil the obligations related to information systems security and control, ensuring the privacy of data and information and keeping them safe within the activity performed by the employees of S.C. DESIGN YOUR TRAVEL S.R.L. Through minimum security requirements, a set of technical, informational, organizational, logistical, procedural and security policy measures is envisaged, through which the minimum level of security stipulated in Art. 20 of Law no. 677/2001 can be ensured, in accordance with the minimum security requirements for processing personal data.
Art. 2 The company has adopted adequate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access.
Art. 3 The company has taken security measures for storing information that ensure an adequate level of protection and security, in accordance with Law no. 677/2001.
Art. 4 To fulfil the related legal provisions and to satisfy the requirements of keeping data and information safe, the company has developed and implemented organizational and technical measures respecting the following principles:
Notification: The personal data operator is notified to the National Supervisory Authority for Personal Data Processing;
Legality: Personal data is processed on the basis of and in conformity with legal provisions;
Well-defined purpose: Any personal data processing is performed for well-defined, precise and legitimate purposes, and the data is pertinent and not excessive relative to the purpose of collection and processing;
Privacy: The internal rules of organization and functioning of the institution contain regulations regarding the confidentiality of information;
Consent of the data subject: Any personal data processing, except for the processing operations that concern the information strictly mentioned in Law 677/2001, can be performed only if the data subject has given consent specifically and unambiguously for that processing;
Informing: The data subject is informed by the institution that processes his or her personal data;
Protecting data subjects: Data subjects have the right to access the processed data, the right to intervene, the right to object and the right not to be subjected to an individual decision, as well as the right to appeal to the National Supervisory Authority for Personal Data Processing or to the court in order to defend any rights guaranteed by law that have been violated;
Security: The security measures for personal data are established so as to ensure a proper level of security for processing personal data.
II. SPECIFIC PROCEDURES
Art. 5 IDENTIFICATION AND AUTHENTICATION OF THE USER
A user is any person who acts under the authority of the operator with a recognised right of access to personal data bases.
To obtain access to a personal data base, users must identify themselves.
Within DESIGN YOUR TRAVEL SRL, identification is performed by entering an identification code (a set of characters) on the keyboard.
Every user has his own identification code. The same identification code is never assigned to more than one user.
Identification codes (or user codes) that have been unused for a long period of time are deactivated and destroyed after a prior internal check by the operator in question. The period after which such codes must be deactivated and destroyed is established by the operator through internal procedures.
Every user account is accompanied by an authentication procedure. Authentication is performed by entering a password.
Passwords are sequences of characters whose length and composition are adequate from a security standpoint. When typed, passwords are not displayed in clear on the monitor. Passwords are changed periodically according to the operator's security policies. The periodic change of passwords is performed only by authorised users of the operator.
Any user who receives an identification code and an authentication means is bound by his job description to keep them confidential and is accountable for them before the operator.
An own procedure for administering and managing user accounts is established. The operator has authorised certain users to revoke or suspend an identification and authentication code if its user has resigned or been dismissed, has ended his contract, has been transferred to another position whose new tasks do not require access to personal data, has abused the codes received, or will be absent for a long period as established by the entity.
Art. 6 TYPE OF ACCESS
Users have access only to those personal data that are needed to accomplish their tasks. To this end, types of access are established by functionality (administration, data entry, processing, saving and so on) and by the actions applied to personal data (writing, reading, erasure), together with the procedures for these types of access.
The technical support department may have access to personal data in order to resolve exceptional cases.
Other access control measures are:
- Burglar and fire alarm systems are installed in the premises where the company operates;
- Access to the S.C. DESIGN YOUR TRAVEL S.R.L. headquarters is based on access codes;
- Monitoring and intervention in case of alarm are ensured by S.C. PP PROTECT S.R.L.
Art. 7 COLLECTING DATA
The operator designates authorized users for collecting and operating personal data in an information system.
Any modification of personal data may be made only by authorized users appointed by the operator.
Art. 8 EXECUTION OF BACKUPS
The operator sets the time interval at which backups of the data bases containing personal information, as well as backups of the programs used for automated processing, are run. The users who run these backups are appointed by the operator and are limited in number.
Art. 9 COMPUTERS AND ACCESS TERMINALS
Computers and other access terminals are installed in lockable buildings. Client data base servers can be accessed only in a controlled manner, on the basis of access rights; they cannot be accessed from outside the network. Removal of mobile storage media (CD/DVD, USB stick, portable HDD) is not allowed without prior approval from the company management.
Art. 10 STAFF TRAINING
During user training courses, the operator informs users about the provisions of Law no. 677/2001 on the processing of personal data and their free movement, about the minimum security requirements for processing personal data, and about the risks posed by the processing of personal data depending on the specific activity.
Users who access personal data are trained by the operator regarding its confidentiality. They are bound to close their work session when they leave the workplace.
Employees who have access to clients' personal data are forbidden to transfer or use it for any purpose other than professional. To this end, they are asked to sign a written commitment.
Art. 11 COMPUTER USE
To maintain security in processing personal data (especially against computer threats), the operator takes the following measures:
- Forbidding users from using software programs that come from external or unknown sources;
- Informing users about the danger of computer threats;
- Introducing an automatic anti-virus and computer security system;
- Deactivating, as far as possible, the „print screen” key when personal data is displayed, thereby making it impossible to print that data.
III. ADDITIONAL MEASURES
Art. 12 Access to clients' personal data is allowed to employees only to accomplish their tasks; any uncontrolled movement of such data outside the company is forbidden.
Art. 13 Where disclosure of the data is required by law, the company, through its legal representative and/or its internal control department representative, will ensure that the third party requesting the disclosure acts in accordance with legal provisions.
Art. 14 Access to workstations is based only on credentials monitored at Active Directory level (user account protected by password). Multiple access levels are implemented depending on the users' authorization.
Art. 15 Both workstations and the servers that serve them are protected by anti-virus software and firewalls that update their signatures regularly and at short intervals. The firewalls are configured to limit access from outside to critical servers.
Gana Adrian Ionut