ACCORDING TO ART. 32 EU GDPR.
Introduction
- Controller
The controller according to Art. 4 No. 7 EU General Data Protection Regulation (DSGVO) is HubDo Aps, Ribegade 17, 02tv, 2100 Copenhagen, Denmark, e-mail: gdpr@hubdo.com. We are legally represented by Peter Nicholls (Founder & CEO).
- Data protection officer
Our Data Protection Officer is Pete Nicholls, as above.
- Subject of the document
This document summarizes the technical and organizational measures taken by the controller within the meaning of Article 32 (1) of the GDPR. These are measures with which the controller protects personal data. The purpose of the document is to support the controller in fulfilling its accountability obligations under Art. 5 (2) GDPR.
- Confidentiality (Art. 32 para. 1 lit. b DSGVO)
- Physical access control
The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities:
- Manual locking system (e.g. key)
- Security locks
- Instruction to employees not to work in premises open to the public (e.g. cafés)
- Work in the home office: unauthorized persons have no access to the employee's residence
- Work in home office: instruct employees, if possible, to work in study separate from living quarters
- Data access control
The following implemented measures prevent unauthorized persons from accessing the data processing systems:
- Authentication with user and password
- Use of anti-virus software
- Firewall deployment in all SaaS applications
- Encryption of data carriers
- Automatic desktop lock
- User Permissions Management
- Create user profiles
- Use of 2-factor authentication
- General corporate policy on data protection or security
- Protected storage for secure passwords
- Company policy for "least privileges"
- General instruction to manually lock desktop when leaving workstation
- Data usage control
The following implemented measures ensure that unauthorized persons do not have access to personal data:
- Use of an authorization concept
- Number of administrators is kept as small as possible
- Instruction to employees that only absolutely necessary data is printed out
- Instruction to employees that data will only be deleted after consultation
- Separation control
The following measures ensure that personal data collected for different purposes are processed separately:
- Separation of productive and test systems
- Logical client separation (on the software side)
- Creation of an authorization concept
- Setting database rights
- Integrity (Art. 32 para. 1 lit. b DSGVO)
- Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers, and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:
- Logging of accesses and retrievals
- Provision of data via encrypted connections such as SFTP or HTTPS
- Home Office: Employer's Remote Deletion Right
- Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
- Logging of the entry, modification and deletion of data
- Traceability of data entry, modification and deletion through individual user names (not user groups)
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
- Clear responsibilities for deletions
- Instruction to employees to delete data only after consultation
- Availability and resilience (Art. 32 para. 1 lit. b DSGVO)
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:
- Regular backups
- Creation of a backup & recovery concept
- Keeping data backup in a secure, off-site location
- Hosting (at least of the most important data) with a professional hoster
- Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
- Data protection management
The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:
- Supervision by Data Protection Officer Pete Nicholls
- Obligation of employees to data secrecy
- Regular training of employees in data protection
- Keeping an overview of processing activities (Art. 30 GDPR)
- Incident response management
The following measures are intended to ensure that notification processes are triggered in the event of data privacy breaches:
- Data breach notification process pursuant to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)
- Data breach notification process pursuant to Art. 4 No. 12 DSGVO vis-à-vis data subjects (Art. 34 DSGVO)
- Involvement of the data protection officer in security incidents and data breaches
- Data protection-friendly default settings (Art. 25 (2) GDPR)
The following implemented measures take into account the requirements of the principle of "Least Privilege":
- Implementation of "Least Privilege", providing access only to the data employees require in order to fulfil their role
- No more personal data is collected than is necessary for the respective purpose.
- Order control
The following measures ensure that personal data can only be processed in accordance with the instructions:
- Written instructions to the contractor or instructions in text form (e.g. by data processing agreement)
- Ensuring the destruction of data after completion of the order, e.g. by requesting appropriate confirmations
- Confirmation from contractors that they commit their own employees to data secrecy (typically in the data processing agreement)
- Careful selection of contractors (especially with regard to data security).
Also, review our Privacy Policy here.