Login
Free Trial
Login
Free Trial

Terms and Conditions of Teamiy HRM

  • Teamiy
  • Terms and Conditions of Teamiy HRM

Organizational and Information Security Model Personal Data Protection Management Document

Introduction

This document illustrates the governance system adopted for managing information security and personal data protection, in compliance with Regulation (EU) 2016/679 (GDPR).

The security policy consists of a set of measures aimed at the following objectives:

  • Protect information from unauthorized access
  • Safeguard the confidentiality of information
  • Prevent unauthorized individuals from processing and modifying information
  • Ensure availability of information to authorized users
  • Prepare and maintain constantly updated and monitored business activity plans
  • Train personnel on information security
  • Analyze weaknesses and violations of current regulations

Fundamental Processing Principles

It is specified that:

  • Genetic and biometric data are not processed, except in exceptional cases
  • Personal data processing is carried out within the European area, limited to the national territory where the Data Controller is located
  • Personal data processing follows the principles set out in Article 5 of EU Regulation No. 679/16

1. Roles and Responsibilities

  • Internal roles and responsibilities, as well as relationships with external parties (clients, suppliers, collaborators), have been organized in accordance with Article 4 of EU Regulation 679/16.
  • Definitions Data Controller: The natural or legal person, public authority, service, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  • Authorized Processor: A natural person authorized to process personal data under the direct authority of the controller or processor.
  • Data Processor: The natural or legal person, public authority, service, or other body which processes personal data on behalf of the data controller.
  • Third Party: Any natural or legal person, public authority, service, or other body other than the data subject, data controller, data processor, and persons authorized to process personal data under the direct authority of the controller or processor.

2. Dissemination and Scope of Application

This document is made available to all individuals authorized to process personal data, who are required to comply with its provisions to safeguard data processing.

According to Article 4(2) of the GDPR, data processing means any operation or set of operations performed on personal data, whether or not by automated means.

3. Organizational Measures Adopted

The organization adopts the following organizational measures:

  • Appointment of a Data Protection Officer (DPO)
  • Authorization and training of internal personnel (employees, collaborators) who process personal data
  • Appointment of qualified Data Processors with a specific Data Protection Agreement
  • Maintenance of an updated register of appointed external processors
  • Formal appointment of system administrators with annual performance verification
  • Adoption of a record of processing activities (both as Controller and Processor)
  • Data breach management procedures and company incident register
  • Procedures for exercising data subject rights
  • Regulation on appropriate use of IT resources for personal data management
  • Limitation of personal data transfers to third countries, with assessment of adequate safeguards
  • Use of cloud services only through certified providers

4. Security Measures

4.1 Asset Management

  • Preparation and updating of an asset inventory
  • Return of all organizational assets at the end of employment or contractual relationships
  • Classification of information according to value and criticality
  • Secure disposal of unnecessary media through formal procedures
  • Protection from unauthorized access during transport of information media

4.2 Logical Access Control

  • Definition of a documented and updated access control policy
  • Assignment of authorized access to networks and services only
  • Formal registration and deregistration process for assigning access rights
  • Assignment and revocation of rights through a unique SSO system managed by qualified personnel
  • Annual verification of active authorizations
  • Encryption measures for mobile devices used externally
  • Limitation of privileged access rights
  • Removal of access rights upon termination of employment or contract
  • Continuous monitoring of security threats and vulnerabilities
  • Compliance with authentication password security practices
  • Secure log-on controls for system and application access
  • Interactive password management to ensure high quality

4.3 Physical andEnvironmental Security

  • Definition and use of security perimeters to protect critical areas
  • Access controls for restricted security areas limited to authorized personnel
  • Design and implementation of physical security for offices and facilities
  • Protection against natural disasters, malicious attacks, and accidents
  • Equipment protection to reduce environmental threat risks
  • Protection against power failures and auxiliary service disruptions
  • Protection of energy and telecommunications cables from interception and damage
  • Proper maintenance of equipment to ensure availability and integrity
    • Restrictions on transporting equipment and information outside the site without authorization

4.4 Operational Security

  • Monitoring organizational changes affecting information security
  • Malware detection, prevention, and recovery controls
  • Appropriate user awareness programs
  • Scheduled data backup and synchronization at data centers
  • Redundant backup and disaster recovery policies within EU locations
  • Timely acquisition of information on technical system vulnerabilities
  • Assessment of exposure to vulnerabilities and adoption of mitigation measures
  • Implementation of software installation governance rules

4.5 Communication Security

  • Network management and control to protect information in systems and applications
  • Segregation of services, user groups, and information systems
  • Formal policies, procedures, and controls protecting information transfers
  • Appropriate protection of electronically transmitted information

4.6 Incident Management and Business Continuity

  • Definition of responsibilities and procedures for rapid response to security incidents
  • Establishment of reporting channels for security events
  • Personnel reporting of any observed security weaknesses
  • Evaluation of security events to classify them as incidents
  • Use of acquired knowledge to reduce likelihood and impact of future incidents
  • Procedures for identifying, collecting, acquiring, and preserving evidence
  • Processes and controls ensuring required security continuity levels

5. Data Breach Management

5.1 Response Procedures

In the event of an incident resulting in loss of availability, integrity, or confidentiality of personal data, the organization, together with the DPO, will immediately secure the system, isolating affected areas where possible, and verifying:

  • Nature of the breach, including categories and approximate number of affected data subjects
  • Categories and approximate number of personal data records involved
  • IT systems and infrastructure involved
  • Likely consequences of the breach
  • Measures adopted or proposed to remedy and mitigate negative effects

5.2 Communication to External Processors

If a data breach occurs at a supplier appointed as Data Processor, they must provide the above information within a reasonable time and no later than 72 hours after the incident.

5.3 Notification to the Supervisory Authority

The organization will notify the Data Protection Authority without undue delay and, where possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to individuals’ rights and freedoms.

If notification occurs after 72 hours, reasons for the delay will be provided.

5.4 Communication to Data Subjects

If verification determines that:

  • The breach poses a high risk to individuals’ rights and freedoms; AND
  • Adequate protective technical and organizational measures (e.g., encryption) were not implemented; AND
  • Subsequent measures did not eliminate the high risk

The organization will notify affected data subjects without undue delay through traceable communication methods. If direct communication requires disproportionate effort, public communication may be used.

5.5 Incident Documentation

Even outside the above cases, the Data Controller will document any incident involving personal data breaches, including circumstances, consequences, and corrective actions taken.

6. Exercise of Data Subject Rights

6.1 Access Points

The organization provides formal channels through which data subjects may exercise their rights under Chapter III of the GDPR (Articles 15 and following).

Communication channels are monitored by the administrative office, which forwards privacy-related communications to the DPO and records requests.

6.2 Request Management

Upon receiving a request, the organization follows these steps:

  1. Identity verification by comparing request data with available records
  2. Request for documentation if discrepancies or doubts exist
  3. Internal coordination with authorized personnel based on requester type (employee, supplier, client, consultant, etc.)
  4. Identification of data across all IT systems, documents, and third-party providers

6.3 Right of Access

Data subjects may request confirmation of whether personal data concerning them is being processed and obtain:

  • Access to personal data
  • Processing purposes
  • Categories of personal data involved
  • Recipients or recipient categories
  • Data retention period or criteria used to determine it
  • Right to request rectification, deletion, or restriction
  • Right to lodge a complaint with a supervisory authority
  • Source of data if not collected directly from the subject
  • Existence of automated decision-making or profiling

Data subjects may also request a copy of processed data, provided it does not violate others’ rights.

6.4 Right to Rectification

Data subjects have the right to correct inaccurate personal data or complete incomplete data.

6.5 Right to Erasure

Data subjects have the right to obtain deletion of personal data without undue delay if:

  • Data is no longer necessary
  • Consent has been withdrawn and no legal basis exists
  • The data subject objects and no overriding legitimate reason exists
  • Data was unlawfully processed
  • Deletion is required by law
  • Data was collected for information society services

In some cases, data must be retained for legal obligations. In such cases, access will be limited to legal purposes and competent authorities.

6.6 Right to Restriction of Processing

Data subjects may request restriction if:

  • Accuracy of data is contested
  • Processing is unlawful and deletion is opposed
  • Controller no longer needs data but it is required for legal claims
  • The data subject objects pending verification of legitimate grounds

Restricted data will only be processed for storage or legally permitted purposes.

6.7 Right to Data Portability

Data subjects may request:

  • Personal data in a structured, commonly used, machine-readable format
  • Direct transfer to another Data Controller when processing is automated, based on consent or contract, and data was provided by the subject

Paper archives and manually processed data are excluded.

6.8 Right to Object

Data subjects may object at any time to processing based on:

  • Public interest or official authority
  • Legitimate interest of the controller or third parties (unless overridden)
  • Direct marketing, including profiling
  • Scientific, historical, or statistical research

Processing will cease unless compelling legitimate grounds exist.

7. Reviews and Updates

This document is subject to periodic review at least annually or following significant organizational, regulatory, or technological changes affecting data security and protection.
Each revision is documented and communicated to authorized personnel.

Document subject to annual review

  • Version: 1.10
  • Adoption Date: 12 Feb 2026
  • Prepared by: Teamiy
  • Approved by: Teamiy