This document applies to all Greensoft employees and Service Providers.

Reference documents: General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 06 April 2016.

Principles relating to the processing of personal data

Article 5 of GDPR sets out the main principles for processing personal data:
  • Personal data shall be "processed in a lawful, fair and transparent manner";
  • Personal data are "collected for specified, explicit and legitimate purposes, and may not be further processed in a way incompatible with those purposes";
  • Personal data are "adequate, relevant and limited to what is necessary for the purposes for which they are processed" (data minimization principle);
  • Personal data are "accurate and, where necessary, kept up to date";
  • Personal data are "kept [...] for no longer than is necessary for the purposes for which they are processed";
  • Personal data are "processed in such a way as to ensure appropriate security of personal data".
Personal Data are collected by Greensoft for a specific purpose and cannot be used in any way that is incompatible with that initial purpose. The data collected are necessary in relation to the purpose for which they are processed and are accessible only to designated Greensoft employees. The purposes for which Greensoft collects and processes Personal Data are primarily as follows:
  • Administrative management of human resources;
  • Payroll management;
  • Career management and HR development;
  • Recruitment management;
  • General accounting;
  • Management of current and potential customers;
  • Management of service providers;
  • The provision of IT tools for personnel.
Within our organization we have defined "Technical and Organisational Security Measures". These measures are aimed at protecting personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Organizational security measures

The 2016/679 European regulation of 27th April 2016 specifies that protecting personal data requires taking "appropriate technical and organizational measures to ensure a level of security appropriate to the risk" (GDPR - article 32). The organizational security measures are as follows:
  • Appointment of a Data Protection Officer (DPO)
  • Appointment of GDPR ambassadors
  • Dissemination of an internal personal data protection policy
  Technical security measures
  • Raising user awareness
    • Raise the awareness of users working with personal data by educating them on the privacy risks, and inform them of the measures implemented by their organization to deal with those risks and their potential consequences.
    • Document the operating procedures, keep them up to date and make them available to all the users concerned.
  • Authenticating users
    • Define a unique identifier per user and prohibit accounts shared between several users.
  Access management
  • Define the authorization profiles in the systems by separating tasks and areas of responsibility, in order to restrict users' access to only the data strictly necessary for fulfilling their responsibilities.
  • Withdraw the users’ access rights as soon as they are no longer authorized to access a room or an IT resource, as well as at the end of their contract.
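The "Authenticating users" and "Access management" measures above can be checked mechanically in a periodic access review. The following script is an added example, not part of Greensoft's policy or tooling: it takes a constructed roster of person-to-account assignments (with each person's authorization end date) and a constructed directory of accounts, and reports accounts shared between several people, accounts still enabled after the holder's authorization has ended, and enabled accounts that no known person is assigned to. The data model and function names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    """A person authorized to use an account; authorized_until=None means open-ended."""
    person: str
    account_id: str
    authorized_until: Optional[date]


@dataclass(frozen=True)
class Account:
    """An account as it exists in the directory (hypothetical model)."""
    account_id: str
    enabled: bool


def find_shared_accounts(assignments: List[Assignment]) -> Dict[str, List[str]]:
    """Accounts mapped to more than one person violate the one-identifier-per-user rule."""
    holders = defaultdict(set)
    for a in assignments:
        holders[a.account_id].add(a.person)
    return {acct: sorted(people) for acct, people in holders.items() if len(people) > 1}


def find_overdue_revocations(assignments: List[Assignment], accounts: List[Account],
                             today: date) -> List[Tuple[str, str, str]]:
    """Accounts still enabled although the holder's authorization (e.g. contract) has ended."""
    enabled = {acc.account_id for acc in accounts if acc.enabled}
    overdue = []
    for a in assignments:
        if a.authorized_until is not None and a.authorized_until < today and a.account_id in enabled:
            overdue.append((a.account_id, a.person, a.authorized_until.isoformat()))
    return sorted(overdue)


def find_orphaned_accounts(assignments: List[Assignment], accounts: List[Account]) -> List[str]:
    """Enabled accounts with no assigned person: nobody is accountable for them."""
    assigned = {a.account_id for a in assignments}
    return sorted(acc.account_id for acc in accounts if acc.enabled and acc.account_id not in assigned)


def review_access(assignments: List[Assignment], accounts: List[Account], today: date) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "shared_accounts": find_shared_accounts(assignments),
        "overdue_revocations": find_overdue_revocations(assignments, accounts, today),
        "orphaned_accounts": find_orphaned_accounts(assignments, accounts),
    }


# Constructed sample data: names and account ids are invented for this example.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "alice.m", None),
    Assignment("bob", "bob.k", date(2024, 3, 31)),      # contract ended, account still enabled
    Assignment("carol", "hr-shared", None),             # shared account, two holders
    Assignment("dave", "hr-shared", None),
    Assignment("erin", "erin.s", date(2025, 12, 31)),
]

SAMPLE_ACCOUNTS = [
    Account("alice.m", True),
    Account("bob.k", True),
    Account("hr-shared", True),
    Account("erin.s", True),
    Account("svc-old", True),    # enabled but assigned to nobody
    Account("frank.t", False),   # disabled and unassigned: already cleaned up
]

if __name__ == "__main__":
    report = review_access(SAMPLE_ASSIGNMENTS, SAMPLE_ACCOUNTS, date(2024, 6, 1))
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

The review date is passed in explicitly rather than taken from the clock so that the check is reproducible; in practice the assignments would come from the HR system and the accounts from the directory export, and every non-empty finding is a ticket for revocation or for splitting a shared account into individual identifiers.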
  Securing workstations
  • Implement an automatic logout procedure to lock any workstation not used for a given period of time.
  • Use regularly updated antivirus software and define a policy imposing regular updates of the software.
  • Limit the connection of mobile media (USB sticks, external hard drives, etc.) to what is essential.
  Securing servers
  • Only allow qualified individuals to access the tools and administration interfaces.
  • Use accounts with fewer privileges for common operations.