PRIVACY AND DATA SECURITY POLICY
I. GENERAL PROVISIONS
1. Among its activities, the Company provides direct marketing, including promotional activities (sending newsletters and advertisement newsletters, calls to participate in giveaways, offering products/services) and telemarketing/telesales activities, and to that end handles company names and residential address data (contact details), as well as personal data.
2. Computer programming (software development) is also an activity of the Company, during which client data may be transferred to the Company in relation to carrying out this activity.
5. The Company ensures that data are collected and used in a fair and lawful manner.
6. The Company shall process such data
- for the purpose specified in the Data Processing Policy, thus for marketing or direct marketing activities;
- and the Client Data, in the course of its software development activity performed for its contractual partners, exclusively in the interest of carrying out the software development activity
(hereinafter jointly: activity or activities) in accordance with them, and may process only data that are required and suitable for the respective activities. Data processing is allowed exclusively to the extent required for the purposes of carrying out the respective activity and, in the case of Client Data, with respect to the software development activity specified in the respective contract, for the duration necessary for performing the software development activity under that contract.
8. Access to data will be granted by the Company exclusively to employees, or persons working under any other arrangement who by virtue of their duties are authorized and obligated to
- carry out activities, and/or
- operate the server hosting data.
9. During data handling, attention should be paid to data integrity.
10. If the process of the activities changes, or if otherwise warranted by circumstances influencing the performance of the activities, the Company will, as required, amend this data protection policy and the data processing policy accordingly.
II. TECHNICAL MEASURES FOR DATA PROTECTION
1. The Company shall store data on password-protected servers or in password-protected CRM databases, ensuring that they are displayed only on password-protected workstations.
2. a. The Company shall provide for the physical protection of the data-hosting server by using premises equipped with security locks (server rooms). The entrance to the premises dedicated to safeguarding the server (server room) can only be accessed after entering the building of the Company’s seat; all other doors and windows prevent forced entry using generally accepted methods. The seat of the Company is located in an office building with a 24-hour concierge and equipped with an alarm system. There is one designated person at the Company authorized to use the keys to the server room. At the same time, the Company designates a substitute person to use the keys should the person in charge of the keys be unable to perform this duty for any reason. The keys can be handed over exclusively in this latter case, to the identified substitute person, for the purpose of handling the keys.
2. b. In addition to this, the Company uses cloud services to store data, where access is also password-protected.
3. To prevent any unauthorized person from accessing the IT assets storing data accessible through networks, all IT/information technology tools available at all times should be utilized.
6. By sustaining and maintaining the IT asset pool actually available, the Company shall ensure the availability and load capacity required for the software development activity as per contract.
7. The erasure of electronically stored data will be performed by final deletion.
III. ORGANISATIONAL MEASURES FOR DATA PROTECTION AND SECURITY
1. The Company will grant data access exclusively to employees, or to persons working for it under any other arrangement, who by virtue of their duties are authorized and obligated to have access to such data, that is, to persons who
- need access to the data pertaining to a given activity in order to perform their respective activities, as well as to persons who
- operate the server hosting data.
4. Displaying data is allowed only during work in which such activity is performed, only for that purpose, and only for the time period necessary to carry out the given activity.
5. Furthermore, it is expressly forbidden to print or display the data by any other physical means (hard copy) for any purpose other than performing the activity, or to take the hard copy of the document from the premises designated to carry out such tasks. It should also be ensured that, while data are displayed, no such data are lost, damaged or destroyed and that their content does not become known to, or accessed by, any unauthorized person. Should the storage of a hard copy of data become inevitable, it should be kept only for the time period absolutely necessary to carry out the activity normally, and only in closed premises and in lockable filing cabinets. Any hard copy of the data should be destroyed immediately once the purpose of printing the hard copy has ceased to exist.
7. Client Data may be forwarded only strictly in accordance with the provisions of the software development contract and, unless otherwise stated in the relevant contract, exclusively to the contractual partners of the Company under the respective contract.
10. The Company keeps records of the data handled in order to ensure control over data handling, as well as over the provisions on data protection and data security, and to trace the database path. The records include the name of the database, the date of each phase and of the end of data handling, as well as the names and signatures of the persons handling the data and of their superiors.
IV. MISCELLANEOUS PROVISIONS
Budapest, 20 May 2018
MULTISOFT Information Technology
Services Limited Liability Company