RULES
COLLECTION, PROCESSING AND PROTECTION OF PERSONAL DATA
OF “AJM-GROUP” EOOD
- Legal Basis
- Objectives and Scope of the Regulations
- Technical and organizational measures and purpose of registers
- The premises where personal data is collected, stored and processed are predetermined and locked.
- Only duly authorized employees have access to premises where information systems with personal data are located.
- Registers with personal data on paper are stored in lockers / safes with locking devices.
- Premises where personal data is collected, stored and processed are maintained in a good fireproof condition. The necessary fire extinguishers determined by the project of the given premises are provided.
- When the need for access to the relevant database ceases, it is revoked.
- Granting, changing or terminating authorized access to databases is done only by authorized employees.
- All employees with access to a personal data base sign a declaration of compliance with the rules for the protection of personal data in the Company and acceptance of the responsibilities related to the work with personal data, as well as an agreement to assume an obligation not to distribute personal data. Declarations are registered and stored in a previously regulated place.
- Each personal data processor (user) has his own account and password for the directory to which he has access in information systems and software products.
- When a third-party information system password is reported, it is immediately changed.
- After finishing work with the corresponding program product, it is closed for use without minimizing to the desktop.
- The use of portable personal data carriers is not permitted.
- Backups are created to ensure data recovery.
- All workstations used to work with automated information systems have anti-virus software and a firewall installed that are updated automatically.
- In the event of a breach of personal data security, the personal data protection official (if any) is notified within 72 hours of becoming aware of the breach, and accordingly he contacts CPLD.
- Labor relations;
- Compliance with labor legislation;
- Compliance with the requirements of the Law on Obligations and Contracts;
- Compliance with legal requirements for the provision of information to the National Revenue Agency and the Norwegian National Insurance Institute for natural persons working in the Company;
- On the basis of control of the work process and observance of working hours and self-protection for continuous video surveillance, prevention of fraud, theft and other violations of and by the staff, counterparties, customers or other persons on the territory of the Company;
- Reservations and accommodation in the Hotel Complex;
- Contractual and commercial relations with customers;
- Form of organization and storage of personal data – written (documentary);
- Location of the filing cabinet/cash register – Room with limited access by means of a locking mechanism on the entrance door of the room, to which only Company Representatives and personal data processing employees designated by the personal data administrators in the case of Company Representatives have access;
- A medium (form) for the provision of data by natural persons – invoices and contracts with and to customers. The personal data of the individuals are submitted to the personal data administrator and the authorized persons appointed to process them – personal data processor, on the basis of a legal obligation in all cases where it is necessary;
- Access to the personal data – only the personal data processors designated by the personal data administrator have such access.
- Form of organization and storage of personal data – personal data is stored on a hard disk, on isolated (with limited access) computers;
- Location of the computers – A room with limited access, by means of a locking mechanism on the entrance door of the room, to which only the personal data processors in the case of the accountant and the hotel administrators designated by the Administrator have access. The computer in the hotel reception is positioned in the desk in a way that does not allow free access to it;
- Access to personal data and protection – access to the operating system containing files for processing personal data is available only to the processors of personal data, through an account and password to open these files;
- Periodic archiving – Archiving of personal data on a technical medium is carried out periodically every five days by the personal data processor in order to keep the information about the relevant persons in an up-to-date form.
- Form of organization and storage of personal data: personal data in the form of a video recording of the movement of employees and visitors to the approaches to the adjacent yard, the premises and those used by the Company themselves are stored on a recording device for no more than the 60 days provided for in the Chat Security Act, after which they are automatically deleted from the device;
- Location of the recording device – Room with limited access by means of a locking mechanism on the entrance door of the room, to which only the personal data processors, in this case the employees performing security work on the territory of the hotel complex and the representatives of the Company, have access;
- Access to personal data and protection – access to the recording device containing video recordings is only available to the representatives of the Company and the employees assigned by them, performing round-the-clock security on the territory of the hotel complex “CREDO” through an account and password to access the recordings;
- The data in the register are provided voluntarily by the persons upon entering the Company’s building. At the entrances to the building warning signs have been placed that the site is under permanent video surveillance;
- at the request of the person to whom the personal data refer, when he has established that there is an error or incompleteness in them, and certifies this with a document;
- at the initiative of the personal data processor – in the presence of a document giving grounds for updating;
- if an error is detected in the processing of personal data by the personal data processor;
- reject access of unauthorized persons to the data processing equipment – equipment access control;
- prevent the unauthorized reading, copying, modification or destruction of information media – control of information media;
- prevent the unauthorized addition, entry, viewing, modification or deletion of stored personal data – storage control;
- prevent its use by unauthorized persons using data communication equipment – user control;
- guarantee that the persons who are authorized to use a system for automated data processing have access only to the data included in the scope of their access – data access control;
- ensure the possibility of checking and establishing to which authorities the personal data have been or can be sent or provided by using data communication equipment – control of communications;
- provide the possibility of subsequent verification and establishment of what personal data was entered into automated data processing systems, when and by whom the data was entered – input control;
- prevent unauthorized reading, copying, modification or deletion of personal data when transferring personal data or transporting data carriers – transport control;
- ensure the possibility that the installed systems can be restored in case of interruption of functioning – recovery;
- ensure the proper functioning of the system, reporting the occurrence of errors in functions (reliability) and ensure that stored data cannot be damaged by system malfunction – integrity.
- unauthorized reading, reproduction, modification or removal of the data carrier;
- unauthorized entry, change or deletion of stored personal data;
- unauthorized use of personal data systems by means of data transmission;
- unauthorized access to personal data.
- verbal reference;
- written reference;
- review of the data by the person himself or one authorized by him;
- provide a copy of the requested information.
- Concepts