GDPR – Procedure for reporting and handling security incidents

1. DEFINITIONS

    “GDPR”, “Regulation” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

     

    “personal data” – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

     

    “processing” – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

     

    “operator” (the GDPR’s “controller”) – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the operator or the specific criteria for its nomination may be provided for by Union or Member State law;

     

    “person authorized by the operator” (the GDPR’s “processor”) – means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the operator;

     

    “recipient” – means the natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or national law are not regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;

     

    “third party” – means a natural or legal person, public authority, agency or body other than the data subject, the operator, the person authorized by the operator and the persons who, under the direct authority of the operator or of the person authorized by the operator, are authorized to process personal data;

     

    “consent” of the data subject – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

     

    “breach of personal data security” (personal data breach) – means a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to such data;

     

    “representative” – means a natural or legal person established in the Union, designated in writing by the controller or the person authorized by the controller, who represents the controller or the authorized person with regard to their respective obligations under the GDPR;

     

    “mandatory corporate rules” (the GDPR’s “binding corporate rules”) – means the personal data protection policies adhered to by a controller or a person authorized by the controller established in the territory of a Member State for transfers or a set of transfers of personal data to an operator or a person authorized by the operator in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity;

 

“supervisory authority” – means an independent public authority established by a Member State;

 

“DPO” – data protection officer;

 

“DPIA” – data protection impact assessment;

 

“Supervisory Authority” – the National Supervisory Authority for the Processing of Personal Data (ANSPDCP).

 

2. PURPOSE AND SCOPE

 

2.1. PURPOSE

 

2.1.1. This policy documents the GDPR requirements for the procedure for reporting and handling security incidents and sets out the concrete way in which the company notifies the Supervisory Authority and informs the data subject in the event of a personal data breach.

 

2.1.2. This policy describes the activities carried out when a security incident occurs, namely the registration of security breaches, the preparation of the notifications and information required by the GDPR, the workflow for drafting them, and their controlled transmission to the Supervisory Authority and to the data subjects.

 

2.1.3. The policy aims to ensure a correct, efficient and lawful flow of notifications sent to the Supervisory Authority and of information sent to data subjects in the event of a personal data breach, pursuant to the GDPR and related legislation.

 

2.1.4. The GDPR obliges controllers to notify personal data breaches to the supervisory authority (ANSPDCP) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the 72-hour deadline is exceeded, the notification must be accompanied by the reasons for the delay.

 

2.1.5. The GDPR obliges controllers to inform data subjects, without undue delay, of a personal data breach that is likely to result in a high risk to their rights and freedoms.

 

2.2. SCOPE

 

This policy applies to all organizational structures of SC TRIPLAST SRL. The procedure sets out how the company prepares for and responds to a personal data breach, and the duties of the persons involved in notifying the Supervisory Authority and informing the affected data subjects. All organizational structures take part in applying this policy in accordance with their responsibilities for ensuring the security of personal data.

 

2.3. REFERENCE DOCUMENTS

 

– GDPR

– Internal regulation

– Internal procedures

 

3. RULES REGARDING THE PROCEDURE FOR REPORTING AND HANDLING SECURITY INCIDENTS

    3.1. General aspects. A security incident is a breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data. This covers breaches caused both accidentally and intentionally.

     

    Security breaches will be notified to ANSPDCP without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach. Where it is not possible to provide all the information at the same time, it may be provided in phases without undue further delay. Whenever the 72-hour period is exceeded, the notification will state the reasons for the delay and the expected period within which further information will be provided.

     

    If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects will be informed directly and without undue delay.

     

    In the event of a personal data breach, any information provided to ANSPDCP or to the data subject shall be concise, easily accessible and easy to understand, and shall use clear and plain language and, where appropriate, visual elements.

     

    3.2. Description of breaches. A personal data breach may affect the confidentiality, integrity or availability of personal data.

     

    Personal data security breaches may include:

    access by an unauthorized third party;
    the intentional or accidental action (or inaction) of an operator or a person authorized by the operator;
    sending personal data to the wrong recipient;
    loss or theft of computer devices containing personal data;
    modification of personal data without permission;
    loss of availability of personal data.

     

    3.3. Registration of security breaches. The person responsible for recording personal data breaches is the DPO, who has the following tasks:

    receives information on security incidents;
    collaborates with the other departments in order to analyze the security incident;
    records security incidents in the Record Register [Register on personal data security breaches];
    maintains the Record Register.

     

    General registration rules:

    a) all documents concerning the same matter are linked to the first registered document, whose number serves as the base number;
    b) incoming documents are registered chronologically, starting on January 1 and ending on December 31 of each year; documents sent by the company by post or courier are registered in the order of their transmission;
    c) registered documents, as well as the responses and documents sent to the Supervisory Authority and/or to the data subjects, bear the registration number of the originating document;
    d) documents concerning a personal data breach may not circulate within SC TRIPLAST SRL unless they have been registered.

 

3.4. Security breach analysis. Some personal data breaches cause no risk beyond the inconvenience to the staff who need the data for their work. Others can significantly affect the individuals whose personal data has been compromised.

 

In the analysis of security incidents, the following aspects will be considered:

  • physical, material or non-material damage to natural persons, such as: loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation;
  • damage to the company’s reputation;
  • loss of confidentiality of personal data protected by professional secrecy;
  • any other significant disadvantage of an economic or social nature for the natural person concerned.

 

In order to analyze them, the responsible person will obtain information from the departments involved in the collection, processing and storage of the data.

 

Staff in the departments who draw up documents and transmit information about the data subjects are fully responsible for that data and its content; anyone who transmits erroneous data or information is liable under the regulations in force.

 

The person responsible for recording breaches will record the following elements:

  • description of the facts and circumstances of the personal data breach;
  • the effects produced;
  • the remedial measures undertaken.

 

3.5. Assessment of the severity of the possible or actual impact. In assessing the risk to the rights and freedoms of data subjects, the emphasis is placed on the possible negative consequences, and the elements from which the likelihood and the severity of the risk resulting from the incident can be derived will be recorded. ANSPDCP must be notified unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where the breach is unlikely to result in such a risk, notification is not required.

 

The company keeps records of all security incidents, even where there is no obligation to notify the Authority or the incident presents no high risk to data subjects.

 

The person responsible for assessing the severity of the impact is the DPO. Following the assessment, and taking into account all relevant factors, the DPO will complete a report that is kept by HR in its own office.

 

3.6. Notification to the Supervisory Authority. The company sends notifications of personal data breaches by the following means:

  • email
  • other means

 

When notifying a breach, the following information must be included:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or of another contact point from which more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

To send the Notification to the Supervisory Authority, the template provided [Form for notification of data security breach to ANSPDCP] will be used.

The person responsible for sending the Notification to the Supervisory Authority is the DPO. The deadline for sending the notification is 72 hours from the moment the company becomes aware of the breach. If this deadline is exceeded, the notification must state the reasons for the delay.

3.7. Informing the data subject at the request of the Supervisory Authority. The person responsible for analyzing a request received from the Supervisory Authority regarding the information of data subjects is the DPO.

 

The company sends information on personal data breaches to data subjects by the following means:

  • email
  • other means.

 

The data subjects will be informed in the following situations:

  • where the breach is likely to result in a high risk to the rights and freedoms of data subjects (the threshold for informing data subjects is higher than that for notifying ANSPDCP), directly and without undue delay;
  • where the severity of the possible or actual impact of a breach on the data subjects, as well as the likelihood of its materializing, is high.

 

Where the decision is not to inform the data subjects, ANSPDCP must still be notified unless it can be demonstrated that the breach is unlikely to result in a risk to rights and freedoms. In any case, the decision-making process is documented in line with the accountability principle.

 

The information to the data subjects will describe, in clear and plain language, the nature of the personal data breach and will include the following:

  • the name and contact details of the DPO or of another contact point from which more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

For the transmission of the Information to the data subjects, the template provided [Information to the data subject regarding the data security breach] will be used.

 

Informing the data subject is not required if:

a) appropriate technical and organizational protection measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to any person not authorized to access it, such as encryption;
b) subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) informing the data subjects individually would involve disproportionate effort, in which case a public communication or a similar measure will be used so that the data subjects are informed in an equally effective manner.

 

The person responsible for transmitting the Information to the data subject is the DPO. The company’s internal deadline for sending the Information is 72 hours (the GDPR itself requires that data subjects be informed without undue delay). If this deadline is exceeded, the reasons for the delay must be documented.

 

3.8. Persons authorized by the operator. If the company uses one or more authorized persons (processors) and one of them suffers a security breach, that person must inform the operator without undue delay after becoming aware of the breach, so that the operator can take steps to address the breach and fulfill its breach notification obligations under the GDPR. The breach reporting requirements must be set out in the contract concluded with the authorized person, in accordance with Art. 28 GDPR.

 

3.9. Fees. Within SC TRIPLAST SRL, the information provided to the data subject and any communication are provided free of charge. If requests from a data subject are manifestly unfounded or excessive (in particular because of their repetitive nature), the company will either:

a) charge a fee of 2,000 lei, taking into account the administrative costs of providing the information or communication or of taking the requested action; or
b) refuse to act on the request.

 

3.10. Signature. All documents drawn up regarding the reporting and handling of security incidents that are to be sent outside SC TRIPLAST SRL will be signed by the CEO.

 

3.11. Closure. Before the security incident review is closed, it will be established whether the breach resulted from human error or from a systemic problem, and measures to prevent recurrence will be considered: better processes, additional training or other corrective measures.

 

After their resolution, all documents regarding the reporting and handling of security incidents are grouped according to the filing nomenclature and handed over to the archive, where they are kept for 10 years. Submission to the archive is based on inventories (opis) drawn up in three copies (one for the person submitting, one for the archive file and one for the department’s record file).
