Our company fully complies with the new regulation on personal data protection. As the party responsible for processing the personal data of individuals (the data controller), we must take the appropriate organizational and technical measures to ensure that the level of security of the personal data we process is proportionate to the risks involved in the processing and to the nature of the data being processed. Our company must be aware of these measures and may then adopt corrective procedures in order to improve them.
The Code of Conduct contains the rules of self-commitment of professional teams, including how personal data is to be handled. This code must be binding on your employees or on the members of the professional team to which you belong.
The Security Policy is a document that describes the security objectives and the corresponding rules and procedures that must be followed to achieve them. It defines the commitment of the Management and the approach of an organization or company regarding the security and protection of personal data. At a minimum, the security policy should describe the basic principles of personal data protection and security that apply. In particular, the security policy should set out the basic principles for a) organizational security measures: the roles and responsibilities of staff and external collaborators performing the processing, the designation and responsibilities of the security officer, staff training, security incident management, and the destruction of personal data; b) technical security measures: the management of the users of the information system, the identification and authentication of users, the security of communications, the operation of the information system's log files, and the taking of backups; c) physical security measures.
The Security Plan is the document that describes the organizational, technical and physical security measures that are or will be implemented to meet the basic principles and rules set out in the security policy, together with the actions necessary for their implementation.
The Disaster Recovery and Contingency Plan is the document that sets out the measures for the protection, recovery and restoration of information systems and technological infrastructure in an emergency, such as natural disasters or external attacks and intrusions. This plan complements the Security Plan.
The above plans cover both automated and non-automated data management and processing systems and are implemented specifically for the protection of personal data, sensitive and non-sensitive alike. They are subject to regular review and revision, given the rapid development of technological solutions and their application to information systems and technological infrastructure.
The security policy, the security plan and the disaster recovery plan are formally approved by the Management, communicated to all staff, and binding. It is recommended that they be drawn up on the basis of the results of the risk analysis of the computer and communications infrastructure.
We must also, as the data controller, ensure the secure destruction of personal data once the period required to fulfil the purpose of the processing has ended.