Employees

Have employees been required to maintain the confidentiality of personal data?

Yes. Every employee and collaborator signs a confidentiality statement confirming their commitment to maintaining the confidentiality of personal data.

Are authorizations issued for employees involved in the personal data processing process?

Yes. Only employees appropriately authorized have access to the data. Access is granted based on the principle of limited access ('need to know')—to the extent necessary to perform duties in their respective roles.

A record of individuals authorized to process personal data is maintained and regularly updated.

Do employees receive identification badges and are they required to wear them?

Yes. Each employee is issued an access control card and is required to carry it at all times. Each identifier is assigned to a specific user and is used to gain access to office spaces. Each use of the identifier is logged in the system.

The assigned identifiers do not display company or employee markings for security reasons, to deter potential misuse if lost.

Are training sessions organized for newly hired employees before they begin processing personal data?

Yes. Within a maximum of 30 days from the start of employment, the ISO Data Protection Officer conducts basic training with the newly hired employee on the processing of personal data within the company. This training also covers job-specific guidelines (Job Instructions) and familiarizes them with the Information Security Policy.

The organization ensures continuous enhancement of its employees' and collaborators' knowledge through regular training sessions and other awareness activities on data protection issues.

At least once a year, the Information Security Officer (ISO) organizes mandatory training sessions for employees on personal data processing within the company and job-specific guidelines. Employees participate in these trainings following the procedures outlined in PBI 04 Annex 1 Access and Resource Management Instruction. The last training took place on 25_01_2023.

In addition to the annual mandatory training sessions on GDPR and ISO requirements, employees and collaborators also participate in additional trainings conducted by a Cybersecurity Penetration Tester. As part of best practices, the organization conducts a cycle of 'Cyber Tuesdays' trainings.

We also provide opportunities for additional trainings related to digital threats. Each employee reviews a detailed Job Instruction immediately upon employment. IT department-specific trainings are also mandatory and periodic, along with training cycles tailored for Customer Support department employees.

We consistently strive for continuous improvement and skill enhancement for employees and collaborators, providing them access to specialized trainings relevant to their roles.

Is pre-employment screening conducted?

Yes. The organization has implemented and follows a system of employment verification procedures.

Verification includes, among other aspects, reviewing employee references, analyzing qualifications, and confirming the following: - Identity verification based on appropriate documentation (ID card or passport) - Confirmation of relevant academic qualifications (based on certificates/diplomas/degree certificates) - Verification of declared professional experience (as stated in the CV and references).

Does the company collect declarations of criminal record from employees?

Yes, employees sign relevant declarations and are required to inform the employer of any changes.

Is the clean desk policy applied?

Yes.

Is the clean screen policy applied?

Yes.

PreviousInformation Classification NextAccess Control and Access Management

Last updated 9 months ago