This document applies to all Greensoft employees and service providers.
Reference documents: General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 06 April 2016.
Principles relating to the processing of personal data
Article 5 of GDPR sets out the main principles for processing personal data:
- Personal data shall be "processed in a lawful, fair and transparent manner";
- Personal data are "collected for specified, explicit and legitimate purposes, and may not be further processed in a way incompatible with those purposes";
- Personal data are "adequate, relevant and limited to what is necessary for the purposes for which they are processed" (data minimization principle);
- Personal data are "accurate and, where necessary, kept up to date";
- Personal data are "kept [...] for no longer than is necessary for the purposes for which they are processed";
- Personal data are "processed in such a way as to ensure appropriate security of personal data".
- Administrative management of human resources;
- Payroll management;
- Career management and HR development;
- Recruitment management;
- General accounting;
- Management of current and potential customers;
- Management of service providers;
- The provision of IT tools for personnel;
- Appointment of a Data Protection Officer (DPO)
- Appointment of GDPR ambassadors
- Dissemination of an internal personal data protection policy
- Raising user awareness
- Raise the awareness of users working with personal data by educating them on the privacy risks, and inform them of the measures implemented by the organization to deal with those risks and their potential consequences.
- Document the operating procedures, keep them up to date and make them available to all the users concerned.
- Authenticating users
- Define a unique identifier per user and prohibit accounts shared between several users.
- Define the authorization profiles in the systems by separating tasks and areas of responsibility, in order to restrict users' access to only the data strictly necessary for fulfilling their responsibilities.
- Withdraw the users’ access rights as soon as they are no longer authorized to access a room or an IT resource, as well as at the end of their contract.
- Implement an automatic logout procedure to lock any workstation not used for a given period of time.
- Use regularly updated antivirus software and define a policy imposing regular software updates.
- Limit the connection of mobile media (USB sticks, external hard drives, etc.) to what is essential.
- Only allow qualified individuals to access the tools and administration interfaces.
- Use accounts with fewer privileges for common operations.