The General Data Protection Regulation or GDPR (EU regulation 2016/679 of 27 April 2016) contains new provisions to ensure that the personal details of European citizens are more efficiently managed, processed and secured.
The GDPR, which further reinforces the 1995 Data Protection Directive, provides a more detailed framework of obligations with which the Data Protection Officer will have to comply. It also lays down the rights a person has with regard to the acquisition and use of these types of data.
Group S is commissioned by its clients to process personal details, and is therefore required not only to comply with the current regulations both nationally and at European level, but also to adequately protect the data of its clients.
Group S guarantees its clients an appropriate level of data protection in accordance with the national and European regulations. We perform a risk assessment whenever we develop new operating processes. This assessment enables us to implement the correct levels of security for the relevant processes. Our security levels are based on international standards. They are regularly re-assessed, both by our internal audit department and by external departments commissioned by our clients. On 25/07/2017, we were awarded our ISAE 3402 type 1 and 2 certification, which further confirms that our procedures are correctly implemented. Upon simple request, the report issued by the independent auditing body that granted this certification, containing all the necessary information, can be made available to our affiliates.
How does Group S ensure that your details and privacy are protected?
- We adhere to a set of procedures and guidelines in order to ensure that your data are kept secure. These procedures are drawn up and reviewed by the management, the in-house auditing department and the legal department.
- All company personnel have clear job descriptions detailing their job title and duties, which ensures that these guidelines are correctly applied.
- The computer and server rooms housing the software and data are physically secured. These security systems consist of electronic and centralised access management, an alarm system, a cooling system and devices to protect against power cuts and fires.
- Redundant safeguards enable us to ensure an uninterrupted service at all times, without any loss of data.
- Group S has a logical security plan in place, which consists of:
  - An internal firewall, a proxy server and antivirus software.
  - Formal management of access rights based on job titles and duties, for both internal users and affiliated users.
- Our Disaster Recovery Plan is based upon redundant systems located at various sites and equipped with separate internet connections. We regularly perform failover tests. We have also installed all the necessary back-up sites and infrastructure in case of accidents.
- We manage our software updates ourselves with the use of planning software, a Change Management tool, and separate development, acceptance and production environments.
- We have put a hotline in place to handle complaints, with impact analysis and prioritisation of potential incidents and defined diagnosis and response times.
- We have implemented widespread access and identity verification technologies based on two-factor identification and the use of electronic identification (e-ID).
- Our contracts and agreements, our contracts of employment and other documentation include confidentiality and data protection clauses in order to ensure awareness among our personnel and co-workers.
- We guarantee smooth data transfer and uninterrupted service in the event of a change of service provider.
- Upon simple request from the customer, we can provide regular written reports about our service levels.
Please find below the measures implemented by Group S in order to comply with the GDPR requirements with effect from May 2018:
- A data protection officer has been appointed. The DPO is responsible for data protection and for the methods of implementing the GDPR.
- A data protection register has been created in order to record all the personal data processing activities, based on the model suggested by the data protection commission.
- If necessary, we perform a data protection impact assessment for each of these activities.
- With the aid of the above-mentioned security systems, any potential incident can be quickly detected and dealt with in accordance with the GDPR requirements.
- We make every effort to ensure that all the processing is performed in-house and to restrict the number of sub-contractors. We have also entered into specific agreements with each sub-contractor in order to ensure compliance with all the GDPR regulations.
- We inform and train our staff on the implementation of this regulation.
- Our contracts and publications include a privacy and data protection clause, which complies with the GDPR requirements.