Data protection policy in accordance
with the EU General Data Protection
Regulation (GDPR) and Data Protection
Act (DPA)
Data protection policy
Goal of the data protection policy
The goal of the data protection policy is to set out the legal data protection
aspects in one summarising document. It can also be used as the basis
for statutory data protection inspections, e.g. by the customer within the
scope of commissioned processing. This is not only to ensure compliance
with the European General Data Protection Regulation (GDPR) and the Data
Protection Act (DPA) 2018 but also to provide proof of compliance.
Preamble
At “Goalcrushers – Andras Ivanyi”, we recognize the importance of
safeguarding personal data and maintaining the privacy of our users,
clients, and partners. As a German-based company, we are committed to
upholding the principles of data protection as outlined in the General Data
Protection Regulation (GDPR), and we extend this commitment globally
through our English-language policies.
In today’s interconnected world, where information flows seamlessly, we
understand the significance of trust and accountability in handling
personal information. This Data Protection Policy outlines our dedication
to ensuring the confidentiality, integrity, and availability of the data
entrusted to us.
Our commitment to data protection goes beyond mere compliance; it
reflects our respect for the rights and privacy of individuals. We strive to
be transparent in our data practices, empowering you to make informed
choices about how your information is collected, used, and shared.
We invite you to explore our Data Protection Policy, which serves as a
guide to our data management practices. Through this policy, we aim to
foster a culture of privacy, continuous improvement, and accountability
within Goalcrushers – Andras Ivanyi.
Thank you for entrusting us with your data. We are dedicated to ensuring
its protection and handling it with the utmost care and responsibility.
Security policy and responsibilities in the company
Introduction:
At Goalcrushers – Andras Ivanyi, we recognize the critical importance of
maintaining a secure environment for the data entrusted to us. This
Security Policy outlines our commitment to protecting the confidentiality,
integrity, and availability of information and reflects our dedication to
compliance with applicable data protection laws, including the General
Data Protection Regulation (GDPR).
1 Data Protection Goals:
In alignment with our corporate objectives, we have established and
documented our highest data protection goals. These goals are rooted in
the fundamental data protection principles, ensuring that they are tailored
to the specific needs and values of Goalcrushers – Andras Ivanyi. These
goals serve as the foundation for our data protection management
system.
2 Roles and Responsibilities:
2.1 Company Representatives:
Company representatives are designated individuals responsible for
overseeing the overall implementation and adherence to data protection
policies.
2.2 Operational Data Protection Officers
Operational Data Protection Officers are appointed to provide expertise,
guidance, and oversight on data protection matters within the company.
2.3 Coordinators or Data Protection Team:
Coordinators or the Data Protection Team are responsible for coordinating and implementing data protection measures across various departments and ensuring alignment with company policies.
2.4 Operational Managers:
Operational managers are accountable for implementing data protection practices within their respective departments and ensuring compliance among their teams.
3 Continuous Improvement:
We are committed to the continuous improvement of our data protection management system. This includes regular reviews of policies, procedures, and risk assessments to adapt to evolving threats and changes in the regulatory landscape. Feedback from employees and stakeholders is actively sought and considered in our improvement initiatives.
4 Training, Sensitization, and Employee Obligation:
We recognize that the effectiveness of our security measures relies on the awareness and understanding of our employees. We provide regular training sessions to educate our staff on data protection policies, best practices, and the importance of their role in maintaining a secure environment. Every employee is obligated to adhere to our data protection policies and contribute to the overall security posture of Goalcrushers – Andras Ivanyi. This Security Policy is a living document and will be reviewed and updated regularly to ensure its effectiveness in protecting the data we handle.
Legal framework in the company
As a SaaS provider and management consultancy, Goalcrushers – Andras Ivanyi operates within a legal framework that ensures the responsible and lawful handling of personal data. This framework encompasses basic principles and considerations relevant to the operations of a sole proprietorship.
1. Industry-Specific Legal or Conduct Regulations:
Goalcrushers – Andras Ivanyi adheres to industry-specific legal or conduct regulations governing the handling of personal data. These regulations serve as a foundation for our data protection practices and guide our commitment to ethical and lawful data processing.
2. Requirements of Internal and External Parties:
The legal framework of Goalcrushers – Andras Ivanyi includes compliance with the requirements set forth by internal and external parties. This may involve contractual obligations with clients, partners, or service providers, ensuring that data processing activities align with mutually agreed-upon terms and conditions.
3. Applicable Laws, Possibly with Special Local Regulations:
Goalcrushers – Andras Ivanyi complies with all applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR). Additionally, any special local regulations relevant to the geographical location of the business are considered and adhered to.
4. Basic Data Protection Principles:
The legal framework underscores adherence to basic data protection principles, including the lawful and fair processing of data, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. These principles form the cornerstone of our commitment to protecting personal data.
This Legal Framework is subject to periodic review and updates to ensure continuous alignment with legal requirements and industry best practices.
Documentation
Conducted internal and external inspections
Data protection need: determination of protection need with regard to confidentiality, integrity and availability.
Existing technical and organisational measures (TOM)
1 Information Security Policies (ISO/IEC 27002: 5):
1.1 Information Security Principles:
1.1.1 Confidentiality:
Confidential information must be protected from unauthorized access, disclosure, and use.
1.1.2 Integrity:
Information must be accurate, complete, and protected against unauthorized alteration.
1.1.3 Availability:
Information must be available to authorized users when needed and without disruption.
1.2 Responsibilities:
1.2.1 Ownership:
Information assets have designated owners responsible for their protection and proper use.
1.2.2 Users’ Responsibilities:
All users are responsible for understanding and adhering to information security policies and guidelines.
1.3 Access Control:
1.3.1 User Access:
Access to information is granted based on job roles and responsibilities.
1.3.2 Password Policy:
Strong password practices are enforced, and passwords must be kept confidential.
1.4 Data Classification:
1.4.1 Classification Levels:
Information is classified into appropriate levels based on sensitivity, and handling procedures are defined accordingly.
1.5 Acceptable Use:
1.5.1 Authorized Use:
Information assets are to be used only for legitimate business purposes.
1.5.2 Prohibited Activities:
Activities such as unauthorized access, data tampering, and malicious software installation are strictly prohibited.
1.6 Incident Reporting and Management:
1.6.1 Reporting Procedures:
Any suspected or confirmed security incidents must be promptly reported to Andras Ivanyi.
1.6.2 Incident Response:
An incident response plan is in place to address and mitigate the impact of security incidents.
1.7 Physical Security:
1.7.1 Secure Areas:
Physical access to areas containing sensitive information is restricted.
1.7.2 Equipment Security:
Equipment housing information assets is physically secured against theft or damage.
1.8 Communication Security:
1.8.1 Network Security:
Measures are implemented to secure network communications and prevent unauthorized access.
1.8.2 Email and Messaging:
Secure methods are used for email and messaging to protect against interception.
1.9 Policy Review:
Policies are regularly reviewed and updated to ensure relevance and effectiveness in addressing emerging security risks.
2 Organization of Information Security (ISO/IEC 27002: 6):
2.1 Responsibility for Information Security:
Andras Ivanyi, as the sole proprietor, holds ultimate responsibility for information security within the organization.
2.2 Information Security Coordination:
Coordination of information security activities is overseen by Andras Ivanyi to ensure consistency and alignment with organizational goals.
3 Asset Management (ISO/IEC 27002: 8):
3.1 Inventory of Assets:
A comprehensive inventory of information assets, including hardware, software, and data, is maintained.
3.2 Ownership of Assets:
Ownership responsibilities for each information asset are clearly defined.
4 Access Control (ISO/IEC 27002: 9):
4.1 Access Control Policy:
An access control policy is in place, outlining rules for granting and revoking access rights.
4.2 User Access Management:
User access is managed through a controlled process, ensuring that access rights are appropriate for job roles.
5 Cryptography (ISO/IEC 27002: 12):
5.1 Cryptographic Controls:
Where applicable, cryptographic controls are implemented to protect sensitive information.
6 Physical and Environmental Security (ISO/IEC 27002: 11):
6.1 Secure Areas:
Physical security measures are in place to restrict access to areas containing sensitive information.
6.2 Equipment Security:
Physical security measures for equipment, including workstations and servers, are implemented.
7 Operations Security (ISO/IEC 27002: 14):
7.1 Operational Procedures and Responsibilities:
Operational procedures are documented and responsibilities assigned to ensure secure daily operations.
8 Communications Security (ISO/IEC 27002: 13):
8.1 Network Security Management:
Network security controls are implemented to safeguard the integrity and confidentiality of communication.
8.2 Information Transfer:
Secure methods are employed for information transfer to prevent unauthorized access.
9 Incident Management (ISO/IEC 27002: 16):
9.1 Incident Management Process:
An incident management process is established to detect, report, and respond to security incidents.
10 Business Continuity Management (ISO/IEC 27002: 17):
10.1 Business Continuity Plan:
A business continuity plan is in place to ensure the organization’s ability to continue essential operations during disruptions.