* Required fields
Breach Establishment, Escalation and Notification Policy of “TESY” OOD
I. GENERAL PROVISIONS
“Tesy” OOD (the Company, Tesy), UIC 040029337, is domiciled in the town of Shumen, 48 “Madara” Blvd. and is represented by the Managing Director Zhechko Kyurkchiev.
This policy is part of the measures intended to ensure information security and an efficient system for personal data protection at Tesy in compliance with the effective legislation and the applicable good practices.
Regulation (EU) 2016/679 of the EP and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, which is applicable as from 25 May 2018, as well as the effective Personal Data Protection Act are focused on the security of personal data. By means of suitable technical and organisational measures, the data shall be processed in a way that guarantees their proper security, including the protection against unauthorised or unlawful processing and against accidental loss, destruction or damages. The damages may be physical, as well as material or non-material damages for the natural persons, for example loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural persons concerned.
The aim of this policy is to establish the following organisational arrangements:
· granting the level of access that corresponds to the risk arising in relation to the specific personal data processing;
· taking into account the achievements of the technical progress, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons;
· ensuring the timely establishing of security breaches, the need to notify and the respective notifying of the supervisory authority/the data subjects concerned;
· when designing an effective action plan (playbook) for each specific case, all circumstances related to the breach shall be duly taken into account.
II. KEY CONCEPTS
“Policy” means this Breach Establishment, Escalation and Notification Policy concerning the personal data security, as adopted by “Tesy” OOD;
“GDPR” means Regulation (EU) 2016/679 of the EP and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“PDPA” means the Personal Data Protection Act;
“CPDP” means the Commission for Personal Data Protection;
“DPO” means the data protection officer, to whom the tasks under art. 39 GDPR have been entrusted. The DPO is appointed by order of the Managing Director of “Tesy” OOD;
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, address, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Data Subject” means the natural person, whose Personal Data are processed, regardless whether he/she is a contracting party of the Company, an Employee or another person, whose data are processed by the Company;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” means the person which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this case, the Controller is the Company;
“Processor” means a natural (other than the employees of the Company) or legal person which processes personal data on behalf of the Company, provided that Tesy shall strictly define the purpose and the means of the processing, including the verification of the person’s compliance with GDPR requirements;
“Sub-Processor” means a subcontractor of the selected Processor;
“Employee” means any person, hired by the Company under an employment and/or service contract, who processes Personal Data;
“Special Categories of Personal Data” means data in accordance with art. 9 GDPR, namely revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
“Data Relating to Criminal Convictions and Offences” means data in accordance with art. 10 GDPR whose processing is carried out only under the control of CPDP;
“Security Breach” means an event leading to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, where:
· “destruction” means that the data do not exist anymore/do not exist in a form that is usable by the Controller;
· “loss” means that the Personal Data exist, but the Controller has lost control over, access to, or physical possession over them;
· “unauthorised or unlawful processing” means the disclosure of, or access to Personal Data for unauthorised recipients, as well as any other form of processing, which breaches GDPR, for example the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed unlawfully;
· “damages” means any physical, material and non-material damages resulting from the unauthorised, unlawful processing or loss.
The Security Breaches may be divided into three main groups:
1. Confidentiality Breaches – in relation to an unauthorised or accidental disclosure of, or access to, personal data;
2. Accessibility Breaches – in case of an accidental or unauthorised loss of, access to, or destruction of, personal data;
3. Reliability Breach – in case of an accidental or unauthorised alteration of the personal data.
Certain breaches may be simultaneously classified in two or three of the categories specified hereinabove in points 1-3 inclusive.
“Response Team” is the team which is set up in cases of security breaches and which coordinates the activities related to the investigation of the circumstances related to a potential security breach, assists the DPO in the carrying out of activities, such as analyses, suggestions and damage limitation; implements an action plan and measures for damage limitation and recovery of the information security. The team consists of members having knowledge and experience in the in the field of information security, human resources, etc. and, if necessary, it is supported by additional employees from other departments, for example legal or information security.
III. POLICY AIM
This policy is intended to be used as an effective tool to uphold security and prevent any processing which is in breach of Tesy’s internal rules, GDPR and the applicable legislation in the field of personal data; as well as to establish effective safeguards in case of personal data security breach with a view to gain control over incidents in an appropriate and timely manner.
IV. ACTIONS IN CASE OF BREACHES
The Company is undertaking all possible measures, in order to train its Employees to identify the occurrence of Security Breaches, including the risk of such occurrence. The Employees shall receive clear instructions as to the priority nature of the immediate reporting of a potential Security Breach, as well as of the necessary assistance in relation to the provision of incident details in writing as soon as possible.
Having been familiarised with this Policy, each Employee shall apply it with priority in the Company’s activities related to the Personal Data Processing. In cases of doubts concerning a Security Breach, the first Employee to identify the potential of the occurrence of such event, shall immediately notify the DPO, who shall set up the Response Team after assessing the specific situation.
The Response Team shall immediately examine the report of the potential Security Breach using all organisational and technical resources of the Company, and shall notify the DPO and support him/her in the conducting of the follow-up activities, such as analysis, proposals and damage limitation.
The DPO shall prepare an assessment report concerning the potential risk of the breach and its consequences, including the safeguards, which can mitigate its effect and shall forward this report to the Company Managing Director. Based on the document as per the preceding sentence, the Managing Director shall make a reasoned decision as to whether he is obliged:
· to notify the Commission for Personal Data Protection regarding the occurred breach; and
· to notify the data subjects concerned, when there is a high risk pursuant to the preceding point.
Each Security Breach shall be documented by the Company.
V. PLAN AND BREACH MANAGEMENT
The scheme herein below illustrates the actions to be taken in case of an established breach.
VI. ESTABLISHING SECURITY BREACHES
On the basis of the collected information, the Response Team and the DPO shall assess the risk for the data subjects resulting from the Security Breach. If such a risk is identified, the DPO shall give his/her opinion as to the established Security Breach and shall recommend measures for the minimisation of the damages or for recovery.
When the personal data Security Breach is likely to give rise to a high risk for the rights and freedoms of the natural persons, the Company, within an appropriate time-limit after becoming aware of the assessment of the risk that the specific Security Breach might cause, shall notify the data subject of the personal data security breach.
The notification to the persons concerned shall be based on the approved template (Appendix No 1). The persons concerned shall be notified personally in an appropriate manner, at the Company’s choice: by e-mail, SMS, letter, telephone, public notice, so as to make sure that the Data Subjects are effectively informed.
Conditions under which no notification is required:
· when the Security Breach is not going to cause any risk for the rights and freedoms of the Data Subjects;
· when the Personal Data are publicly available and their disclosure is not going to cause any risk for the Data Subjects;
· when the Security Breach affects only the confidentiality, and the Personal Data concerned are encoded in a secure manner by a state-of-the-art algorithm, the decoding key is not disclosed and it is so generated that it cannot be identified through the available technical means by a person who does not have access to the key.
The Company is deemed to have become aware of a Security Breach, when the Response Team and the DPO come out with an opinion of the presence of conditions for such occurrence.
NOTIFYING THE CPDP
Within a period of 72 (seventy-two) hours after having become aware of the Breach, the Company shall notify the CPDP. The notification to the supervisory authority shall be done using an approved template (Appendix No 2).
If the Company, at the time of submission of the notification to the CPDP, has still not informed the data subject of the security breach relating to his/her personal data, the CPDP, after having evaluated the likelihood of the personal data security breach to cause a high risk, may impose the obligation on the Company to notify the breach. In such case, the Company shall take measures to inform the data subjects in a suitable manner for the specific case in compliance with the instructions of the CPDP.
The different kinds of breaches may require the submission of further information, in order to provide a complete explanation of the circumstances in each specific case.
The lack of precise information (for example the specific number of persons concerned) shall not prevent the timely notification of the CPDP. In such cases, the approximate number of persons concerned shall be provided.
If the necessary information cannot be provided along with the notification to the CPDP, it shall be submitted in phases without undue delay. The conditions for such notification in phases are the following:
· all relevant facts are not yet available;
· the security breach is more complex in fact (for example certain incidents in the field of cyber security);
· to specify the reasons for the delay and to inform the CPDP in due time that it is impossible to provide the complete information;
· to obtain the CPDP’s approval for such notification in phases;
· to receive instructions from the CPDP as to whether, when and how to inform the data subjects concerned.
As an exception and under specific circumstances, a delayed notification may be used - for example if it is found in the course of the investigation that there are repeated and similar Security Breaches for certain categories of data for a short period of time and concerning a great number of Data Subjects, the Company may notify the CPDP for all of them at the same time, exceeding the 72-hour time-limit. This opportunity shall be applied restrictively and taking due account of the specific characteristics of the case at hand.
In such cases, the notification to the supervisory authority shall specify the reasons for the delay.
As soon as a report of potential Security Breach is received or there are doubts as to the presence of such a breach, the Response Team shall notify the DPO and the latter shall proceed to the implementation of the following action plan (provided that the Company shall supply the necessary resources/additional expert knowledge, if needed):
· risk assessment on a scale of 1 to 5 (from negligible to high; as well as in terms of likelihood of occurrence and intensity) concerning the rights of the data subjects with a view to the magnitude;
· identifying the categories of personal data concerned;
· establishing the lack/presence of encoding/other relevant circumstances, which minimise the risk caused by the Security Breach and respectively can avoid the need to notify the Data Subjects;
· coming out with recommendations, based on the level of the established risk, as to whether the CPDP shall be notified; and
· suggesting specific follow-up measures to limit the risk of the occurred Security Breach.
When assessing the risk, the Response Team can use as guidelines the indicative risk breaches and the need of notification (Appendix No 4). The DPO shall keep the guidelines up-to-date and can complement them with other good practices.
For the purposes of the assessment, there is a high risk, when the Security Breach is likely to result in a physical, material or non-material damage to the data subjects, whose data security is breached. The discrimination, identity theft or fraud, financial loss or damage to reputation are examples of such damages. When the Security Breach concerns Personal Data related to the racial or ethnic origin, health status, sexual orientation, criminal convictions and offenses, enforcement actions in this respect, the occurrence of a physical, material or non-material damage is presumed.
The risk assessment of the Security Breach shall take into account the specific circumstances, including the complexity of the potential effect and the likelihood of its occurrence, such as:
· the type of the Security Breach;
· the nature, sensitivity and volume of the Personal Data concerned – the more sensitive the data, the higher the risk of damages to the Data Subjects.
The sensitive data may be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Moreover, small proportion of the sensitive data may have a considerable effect on a given Data Subject, while a broad range of details about these data may reveal more information about him/her. Any Breach which concerns a great amount of Personal Data for a broad range of Data Subjects may also have a material negative effect;
· the unlawful identification of the Data Subjects concerned by third persons, when a third person has gained an unauthorised access to the Personal Data concerned, the issue that shall be taken into account is how easy it is for this person to identify the Data Subjects. Depending on the circumstances, the identification might be realised through the use of the data without further exploring the identity of the person concerned, but it can also be extremely difficult to associate the Personal Data concerned with a specific Data Subject, however, the identification might be possible under certain circumstances;
· the severity of the consequences for the Data Subjects;
· the specific particularities of the Data Subjects;
· the specific characteristics of the activity of the Company as a Controller;
· the number of Data Subjects concerned.
VII. BREACH REGISTER
Whether the Security Breach requires notification or not, the Company shall document all facts associated with it, the consequences from it, the actions taken and the arguments for the decisions made. At the recommendation of the DPO and the decision of the Managing Director, the Company shall create a special register for this purpose (Appendix No 3).
The following data shall compulsorily be entered into the register: the presumed time of occurrence, the moment of establishment, the time of reporting and the name of the employee, who made the report. Based on the analysis of the Response Team, the consequences from the incident and the measures taken for their overcoming shall be entered into the register.
PREVENTIVE PROCEDURES AND MECHANISMS
The DPO shall draw up the plan for the training of the newly appointed and/or reappointed employees, as well as periodic trainings and briefings for all employees. When fulfilling their duties, the employees shall also comply with the internal policies, rules and procedures of the Company related to the processing of the personal data.
When the employees are leaving the Company, all necessary technical and organisational measures shall be undertaken in relation to the protection of each register/category of personal data kept by “Tesy” OOD, such as:
1) changing of passwords;
2) restricting the access (including VPN, cloud services, servers, etc.);
3) returning of all Company devices, such as telephone, laptop, USB flash drive, etc., depending on the specific case; the returning of the devices shall compulsorily be followed by erasing of the personalising information of the employee who has used the device last, incl. in the cases when the returned device is subject to direct discarding/destruction;
4) limiting the physical access through the returning of the keys, changing of access codes, etc.
The data are encoded, if there is a higher risk of unlawful physical access to carriers of sensitive data or in case of a theft of Company devices, on which personal data are stored.
If it is necessary to retrieve certain data, the procedure shall be implemented with the written permission of the relevant person who is in charge of the information security, provided that this fact shall be recorded in the register for data archiving and restoring.
Should a password be compromised, it shall be changed immediately with a new one, while the certificate for access of the relevant employee shall be invalidated and the event shall be recorded in the incident register.
The Response Team, together with the DPO, may implement other preventive measures, mechanisms and internal instructions.
These rules and the appendices hereto are drawn up on 21 May 2018 and shall enter into force on 25 May 2018.
Zhechko Kyurkchiev, Managing Director of “Tesy” OOD