
GDPR
Internal regulation on data management
The objective of this internal regulation regarding the management of personal data is to provide the employees and collaborators of TELL SECURITY SYSTEMS S.R.L. (hereinafter referred to as TELL or the company) with a summary of the most important information related to the data management activity carried out by TELL SECURITY SYSTEMS S.R.L.
At the same time, this document is not considered an individual consultation, and it replaces the data protection audit. The purpose of this document is the internal regulation of, and the provision of assistance and general guidance to, TELL staff and collaborators, in order to ensure compliance with data protection requirements.
In the course of its activity, ARI manages various personal data of different groups of natural persons, such as:
- people applying for a job
- its employees
- former employees
- delegates of suppliers (other than legal entities) with whom TELL carries out economic activities
- statutory representatives of clients
- persons who participate in certain promotions of the company
- natural person customers who use TELL services through retail and/or web-shop sales
- associates/investors/representatives of associates/investors.
Regarding the collection and management of data of these persons, TELL must comply with European and national legislation on the protection of personal data. At the same time, it must take into account its own business interests, operational conditions, technical and organizational opportunities, as well as the interests of its employees and customers.
The objective of this regulation is to briefly present the applicable legislation and the measures the Company takes to comply with the law. TELL’s goal is to always ensure that the GDPR is respected in a clear and verifiable way.
This regulation applies to all systems, people and processes that make up the TELL information system, including management, employees, suppliers and other third parties who have access to the Company’s system.
General Data Protection Regulation
General Data Protection Regulation no. 2016/679/EU (GDPR) is the most important legislative norm that influences the conduct of our data management activity. As an EU regulation it produces effects in all the member states of the European Union, and is therefore applied directly in Romania without national implementing legislation.
1.1 Data management and processing
Given TELL’s activity, the data protection regulation applies to it. As can be seen from the following GDPR concepts, the company and its staff carry out data management and processing activities.
Definition of “personal data”:
Personal data is any information relating to an identified or identifiable natural person (“data subject”). A data subject is a person who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier or one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
Therefore, personal data is any information that TELL records about a person identified by that person’s various attributes (for example: phone number, email address, birthday, etc.), not only the data that directly identifies the person.
Given that TELL is a company, in its daily activity it deals with personal data, mainly through direct sales (retail and online) and, indirectly, through the delegates and representatives of legal entity partners.
Definition of “personal data management”:
Data management means any operation performed on personal data, by automatic or non-automatic means, such as collection, recording, organization, storage, modification, extraction, consultation, use, disclosure to third parties by transmission, restriction or deletion.
Consequently, throughout its activity TELL manages personal data.
Definition of “operator”:
Data operator (controller) refers to any natural or legal person which establishes the purpose and means of personal data processing.
ARI determines the purpose and means of managing the data of employees and other persons and is therefore considered a data controller. The company’s employees act as data operators when exercising their functions within the activity carried out by the company.
Definition of “data processor”:
The data processor is a natural or legal person who processes personal data on behalf of the data controller.
1.2 Principles of data management
The legislation establishes mandatory principles regarding the management and processing of data, valid erga omnes.
When managing personal data, the following principles will be taken into account and respected:
Personal data:
- must be managed in accordance with the legal provisions, in a fair and transparent manner (“legality, fairness and transparency”);
- must be collected only for well-defined, explicit and legitimate purposes, and must not be managed in ways incompatible with these purposes; further processing of data for statistical purposes is not considered incompatible (“well determined purpose”);
- must be adequate, relevant and limited to what is strictly necessary for the purposes of data management (“sparing”);
- must be accurate and, if necessary, updated; inaccurate personal data must be removed or corrected as soon as possible (“accuracy”);
- must be stored in a form that allows the identification of the data subjects for no longer than is necessary to fulfill the purposes for which the data are processed; personal data may be stored for longer periods to the extent that they will be processed exclusively for archiving purposes in the public interest or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures provided for in this regulation in order to guarantee the rights and freedoms of the data subject (“storage restrictions”);
- must be managed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”);
- the data controller is responsible for compliance with these principles and must be able to demonstrate it (“responsibility”).
1.3 Management of special categories of personal data
According to the legal grounds detailed in Article 9 of the GDPR, the company sometimes manages special categories of data (e.g. health data). The management of these categories of data is done for preventive reasons regarding health or occupational health (for example, managing the results of an employee’s work capacity assessment or granting benefits to people with disabilities).
If the need arises to manage a special category of data other than the above, a preliminary examination of the legal basis is required.
1.4 The rights of data subjects
Regarding the personal data managed by the company, the GDPR grants data subjects a number of rights, each of which corresponds to an obligation for the company.
These rights are the following:
- The right to information
The data subject has the right to be informed about the source of personal data, the purpose, the duration of storage, the legal basis of management, the identity of the processor, the type of legitimate interest, the transfer of data to third countries, the recipients of the data and the categories of recipients in case of legitimate interests.
- Right of access
The data subject has the right to receive full information from the data controller about whether and in what manner his personal data are being managed and for what purpose and, where such management takes place, the right to access those personal data and the related information the controller holds about them.
- The right to rectification
The data subject has the right to obtain from the operator, without undue delay, the rectification of inaccurate personal data concerning him. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing an additional statement.
- The right to erasure
The data subject has the right to ask the operator to delete his personal data without undue delay, and the data operator is obliged to carry out the deletion (in the special cases listed in Article 17 of the GDPR), for instance if the purpose or legal basis of the data management has ceased or the data management took place without any legal basis.
- The right to restrict data management
In the specific cases provided for in Article 18 of the GDPR, the data subject may request the restriction of data processing. Restriction means that the operator will continue to store the data in question, but may only handle it with the consent of the data subject or in order to establish rights of the data subject or of the operator in relation to the data subject.
- Notification obligation regarding the rectification or deletion of personal data or the restriction of processing
The operator communicates to each recipient to whom the personal data has been disclosed any rectification or deletion of personal data or restriction of processing carried out in accordance with the provisions of Article 16, Article 17 paragraph (1) and Article 18 of the Regulation, unless this proves impossible or requires disproportionate effort. The operator shall inform the data subject of the respective recipients if the data subject so requests.
- The right to data portability
The data subject has the right to request from the Operator a copy of his personal data in a readable and/or machine-accessible form for the purpose of porting, and has the right to transfer this information to another data operator, provided that the porting does not harm the interests or information of third parties.
- The right to opposition
The data subject has the right to object, for reasons related to his particular situation, to the processing of personal data concerning him, including profiling based on those provisions. The operator then no longer processes the personal data, unless the operator demonstrates that it has legitimate and compelling reasons that justify the processing and that prevail over the interests, rights and freedoms of the data subject, or that the purpose is to establish, exercise or defend a right in court. The right to object and the processing conditions will be brought to the attention of the data subject at the latest at the time of the first communication with him.
- Rights related to profile creation and automatic decision-making
The data subject has the right not to be subject to a decision based solely on automatic processing including profiling, which produces legal effects that concern the data subject or similarly affect him to a significant extent.
The GDPR also sets deadlines for the Company’s obligations arising from the data subject’s rights listed in 1.4. When executing the procedures, the company’s responsible collaborators must also take these deadlines into account.
The Company must take all reasonable steps to ascertain the identity of the data subject who wishes to request access or exercise data subject rights.
1.5 Legal bases applied in the activity regarding data management by TELL
In the management of personal data in relation to the needs imposed by TELL’s activity, the most common legal grounds for data management are consent, contract execution, the company’s interest and the obligation arising from legal provisions. In all data management processes, the legal basis for data management must be identified in advance.
Consent
For the company’s online sales and marketing activities (newsletter, telephone campaign, SMS information, etc.), the prior consent of the data subject is required. In the case of children under 16, the permission of their legal representative is required.
Before receiving consent, data subjects must be provided with transparent information about how their personal information is managed, their rights in this regard must be presented, in particular the right to withdraw their given consent. This information must be provided in an accessible form, in plain language and free of charge.
If the personal data is not obtained directly by the company, this information must be provided to the data subject as soon as possible after obtaining the data, but no later than one month.
The consent, including the details of the data subject, respectively the place where and the date when the consent was given must always be recorded and kept by the company in accordance with the Data Storage and Deletion Regulation.
Execution of the contract
The personal data provided at the conclusion of the contract are necessary for the execution of the contract by the company. This interest is a sufficient legal basis for the management of personal data. The interest remains valid for as long as the legitimate interests related to the performance of the contract can be enforced – that is, until the expiry of the five-year period after the performance of the contract, according to the civil code. At the same time, it is important that this legal basis covers exclusively the personal data necessary for the execution of the contract, and that after this period these data (phone number, email, etc.) are removed (deleted) from the registers and records of the company.
Fulfilling the Company’s legal obligation
The fulfillment of the legal obligations of the data controller may require the management of personal data (for example, as an employer, it must manage certain information about employees, such as name, address, tax identification number and personal identification number, etc. in order to fulfill its obligations related to filing tax returns and paying taxes, salaries, etc.).
Pursuing the company’s own legitimate rights or rights belonging to third parties
The legal basis for data management may also be the need to pursue the legitimate interests of the Company or of a third party. In the case of data management based on a legitimate interest, that interest must be weighed against the obligation and purpose of personal data protection, and the outcome of this balancing must be evaluated and documented. The company is obliged to present the relevant assessment. Such an interest is involved in the employer’s decision to monitor its employees and customers with surveillance cameras in order to prevent or detect possible thefts or frauds. In this case, an adequate assessment must be made regarding the rights of the employees and customers concerned, and adequate guarantees must be provided for the protection of the private life of the employees; the persons concerned must be informed about the existence and location of the cameras, and about the method and location of data storage. Also, after evaluating the prevailing interests, in justified cases the employer may access the employee’s correspondence in the e-mail account used for the performance of work duties, if there are suspicions of a violation of the obligations assumed by the employee, and to the extent that the information sought belongs to the employer or may produce legal effects concerning the employer in any respect. In this case, it is necessary to ensure that employees can be present when their e-mail account, internet or telephone usage is checked during an audit.
Integrated data protection
According to the GDPR, the data management process must incorporate the basic principles and the adequate protection of the rights of the data subjects. In addition to the creation of appropriate data management conditions, these conditions will be subject to periodic revisions, in accordance with the actual needs of the company, adapted to the evolution of the technologies used, changes in data management and new data management processes. Taking into account the state of the art and implementation costs, as well as the nature, purpose, circumstances and objectives of data management and the risks to the rights and freedoms of natural persons, the data controller shall take appropriate technical and organizational measures, both when defining how data is managed and during management – such as pseudonymization – for the effective implementation of data protection principles, such as saving (data minimization), and for including the guarantees necessary to meet the requirements of the GDPR and to protect the rights of data subjects. The data controller adopts appropriate technical and organizational measures to ensure that only the personal data necessary for the specific purpose of data management are processed. This obligation refers to the amount of personal data collected, the extent of management, the duration of storage and their availability. These measures must ensure, in particular, that personal data are not made available by default to an indefinite number of people without the intervention of a natural person.
The company has taken note of the principle of integrated data protection (data protection by design and by default) and ensures that it pays due attention to data protection and carries out data protection impact assessments when implementing changes to data storage systems (upgrades) and/or new systems that collect or manage personal information.
In addition, the Company will periodically review the operation of the data management systems to ensure that they correspond to the current needs for which they were created, respectively the legal norms applicable at that time are respected.
In order to properly apply the provisions of the GDPR regarding data management, the company ensures that:
- all staff members involved in the management of personal data understand their responsibility for following good data protection practices;
- all staff members receive data protection training;
- data subjects have easily accessible contact details in case they want to exercise their rights regarding personal data, and these requests are managed effectively.
1.6 Transfer of personal data
The transfer of personal data outside the European Union must be carefully checked before transmission, so that the transfer takes place within the limits set by the GDPR. This depends in part on how the European Commission assesses the adequacy of personal data safeguards in the country of destination, which may change over time.
1.7 Data processors
The GDPR stipulates that the company’s data storage and processing needs may be met only through data processors that offer sufficient guarantees to implement technical and organizational measures meeting the requirements of the GDPR, ensuring data security and traceability of data exchange in their own systems. In the case of data processors outside the European Economic Area, such as third parties providing cloud data storage or other types of data storage, it is essential that the contracts with such third parties include general terms and conditions for data management, in accordance with the specific rules drawn up by the company for the management of this data.
1.8 Notification of Infringement
The company is obliged to establish, based on the principles of fairness and proportionality, the manner and term according to which it will inform the data subjects in the event of a breach of personal data (data protection incident).
In the event of a data protection incident that may result in effects on the rights and freedoms of natural persons in the terms defined by the GDPR, the competent authority for data protection must be informed within 72 hours.
The procedure to be followed is that which complies with the provisions of the Incident Management Rules, establishing the entire information security incident management process.
Violation of the personal data security rules attracts the penalty provided by the GDPR: the penalty applied by the competent authority for data protection consists of a fine of up to 4% of the total annual turnover or EUR 20 million.
1.9 Limiting the storage period of personal data
ARI will design its own procedure for establishing the procedures for storing and deleting personal data received and used according to the object of activity. In the development of these procedures, the general principles of the GDPR will be respected, especially the principle of legality, purpose and saving. The rules regarding the processing of data in time by TELL are regulated by the Data Storage and Deletion Regulation.
1.10 Obligations regarding record keeping
The GDPR stipulates the obligation to keep records related to personal data management activities in cases where data management is not occasional. The method of highlighting TELL activities involving personal data is regulated by the Data Management Record.
The data management records reflect the manner in which TELL complies with the principles established by the GDPR, ensuring that:
- the legal basis for the management of personal data is always clear and unambiguous;
- the purpose of data management is well defined, and the scope of the data managed is necessary to achieve the purpose;
- the data subject has been properly informed about the data management;
- the duration of data management and deletion are regulated;
- data storage takes place in compliance with appropriate security measures;
- data transfer takes place with appropriate guarantees;
- the person responsible for data management has been designated.
Responsibility for data management
The security of personal data is a special priority in TELL’s activity. In order to ensure the institutional framework for follow-up and control of compliance with the applicable regulations and measures, as well as their effectiveness, the following aspects are audited within the company: the identified possible sources of personal data, the ways of receiving this data, the sorting of data, the storage and management of data according to the stated purpose for which the consent of the data subject was obtained, the duration of processing and storage, and the elimination of data whose retention term or usefulness has expired. In order to ensure fair and lawful management, Impar designates the persons responsible within the company for the supervision of data management procedures, as well as the tasks that this supervisory responsibility implies.
This document should be read and applied in conjunction with other documents related to data management activities within the company, such as:
- the internal regulation on data management
- the procedure for notification of personal data breaches (data protection incidents)
- the procedure for managing the data subject’s request
The clear definition of roles and responsibilities, the adequate regulation of relevant tasks aims to prevent the occurrence of personal data protection incidents and allows effective and appropriate measures to be taken in the event of such incidents.
2.1 Rules regarding data protection
In order to comply with the relevant legal rules and regulations, TELL will store and process the data necessary to achieve its objectives in a legal and fair manner, and the employees involved in these procedures will act in the following capacities:
- Data controller
- Information Security Manager
- Responsible for compliance
The specific responsibilities of each role are described further in this document.
All employees and partners of the Company carrying out data management activities are obliged to fulfill the tasks and obligations below to ensure the proper application of the general principles of the GDPR, such as the principle of legitimate, fair and transparent data management, the principle of well-established purpose, the principle of saving and accuracy of data and the principle of integrity and confidentiality.
This Regulation establishes the responsibilities of each capacity within the GDPR procedures in the ARI organization; these capacities do not affect the employee’s function, duties or general competencies that are unrelated to the GDPR, and this Regulation cannot be considered a complete job description.
2.1.1 Data Operator
According to the provisions of the GDPR, the data controller is a natural or legal person, a public authority, an agency or any other body that alone or together with others determines the purposes and means of personal data processing.
The data operator has, in essence, the following responsibilities:
It ensures that personal data are managed in compliance with the principles established in Article 5 of the GDPR, and that this compliance can be verified and demonstrated. It therefore ensures that personal information:
o is managed in a legal, fair and transparent manner,
o is collected for defined, concrete and legitimate purposes,
o is limited to what is appropriate, relevant and necessary,
o is accurate and, if necessary, updated,
o is stored in such a way as to allow the identification of the data subjects only for as long as necessary,
o is managed with adequate security.
It ensures that the consent of the data subject regarding the management of personal data is obtained, including parental consent in the case of children.
It makes available to the data subject all the information required by the GDPR in a concise, transparent, easily understandable and easily accessible form, in simple and clear language.
It allows the data subjects to exercise the rights conferred by the GDPR and informs them about the handling of their request. In this sense, the data subjects have the right to access the data collected about them and the right to verify the lawfulness of the data management. They can also receive information about the duration of data management, the consequences of data management (such as profiling) and the logic of data management.
It ensures that it will only work with data processors that provide appropriate guarantees that suitable technical and organizational measures will be taken to comply with the GDPR and protect personal data.
It keeps records of personal data management activities, which is the responsibility of the data controller.
Upon request, it cooperates with the supervisory authority in the fulfillment of the authority’s tasks.
It ensures that any person acting on behalf of the data controller who has access to personal data only handles the information in accordance with the instructions of the data controller.
It notifies the supervisory authority without undue delay of any personal data breach, in accordance with organizational procedures, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons.
It documents any personal data breach, including the facts of the breach, its effects and the corrective measures taken.
If applicable, it informs the data subject without undue delay about the personal data breach.
It carries out a data protection impact assessment, as appropriate, in accordance with the procedures.
In the performance of his duties, he is supported by the compliance officer who provides him with the necessary resources to perform his duties and to access and manage personal data, respectively helps him from a professional point of view.
Personal data may be transferred to a third country or an international organization where the data controller or a data processor has provided adequate safeguards and provided that the rights of data subjects are respected and effective remedies are available.
2.1.2 Manager for information security
The primary task of the Information Security Manager is to develop and maintain information security.
The responsibilities of the Information Security Manager are as follows:
- Develops and presents to management the measures to be taken to ensure information security;
- Leads the implementation of decisions made by management to ensure information security;
- Oversees the operation of the information security system;
- Identifies, quantifies and monitors the types, extent and impact of incidents and operational errors and takes the necessary measures to prevent and resolve them;
- Prepares reports, on a regular basis and as necessary, to management regarding the management of all security-related matters;
- Collaborates with the Compliance Officer and executes his instructions;
- Executes the provisions of the information security regulation;
- Deals with risk management related to access to services or systems;
- Ensures the application and documentation of security controls;
- Establishes development plans and objectives for the financial year;
- Monitors the implementation of development plans.
2.1.3. Responsible for data protection
The responsibilities of the Data Protection Officer are as follows:
- provides information and professional advice to the data operator or data processor, and to the employees responsible for data management, regarding their obligations under applicable data protection legislation;
- oversees compliance with data protection legislation and with the internal regulation on the protection of personal data by the data operator or data processor;
- develops and maintains internal and external data protection regulations, information security regulations, objectives and plans;
- assigns responsibilities, contributes to staff awareness in data management operations, trains staff and performs related audits;
- upon request, provides professional advice on data protection impact assessments and monitors the impact assessment;
- cooperates with the competent supervisory authority for data protection;
- is the person who liaises with the supervisory authority on subjects related to data management and, if necessary, on consultations related to any other subject;
- ensures that legal and information security requirements are established and met, in order to minimize risk and apply effective controls within the company in relation to customers;
- establishes resources for planning, implementing, monitoring, reviewing and developing legal compliance, security and information management, and takes measures to ensure this (for example, hiring appropriate staff and managing staff turnover);
- oversees the management of risks affecting the organization and its services;
- periodically reviews information security from the point of view of suitability, compliance and efficiency;
- reviews major information security incidents;
- ensures that external organizations’ access to IT systems is based on a formal agreement that sets out all necessary legal and security requirements.
The company will continuously examine whether the appointment of a Data Protection Officer is appropriate and up to date and, based on these conclusions, will appoint or not appoint the person in charge.
2.1.4 Employees
The main responsibilities of the employee are the following:
- Knows and respects all the organization’s regulations related to data protection that are relevant to his role;
- Reports any actual or potential data protection incidents;
- If necessary, contributes to the data protection impact assessment.