- The first document describes the organization’s principles for handling personal data. This document focuses in particular on principles of security and confidentiality.
- The second document deals with the specific way security and confidentiality are implemented and how this is controlled: what requirements are imposed on contract parties (ISO certification, location), what security measures (encryption, two-factor authentication) are used for communication, and how the working environment is secured (access passes, login codes).
a. What is the basis for the use of customer data (art. 8 Wbp, create separate databases);
b. Which customer data may be used;
c. What can be done with the customer data (separate database for each purpose);
d. How long may the data be kept;
e. How paper data are destroyed, and how digital data are destroyed;
f. The procedure for providing equipment to employees;
g. Use of equipment in the work environment (what security measures are required);
h. Working outside the working environment, what are the agreements;
i. Bring your own device agreements;
j. Access rights to customer data and revocation of access rights;
k. Dealing with security measures (no post-it notes with passwords);
l. What is a data breach and to whom should it be reported;