The principles of international acts (the Universal Declaration of Human Rights, the Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data) and of national acts (the Constitution of the Republic of Moldova, the Personal Data Protection Act, the Law on Access to Information, the Requirements for ensuring the security of personal data in their processing within the personal data information systems, approved by Government Decision no. 1123 of December 14, 2010, the Regulation of the Register of personal data controllers, approved by Government Decision no. 296 of 15 May 2012, and other relevant legislative/normative acts).
SRL "Megatradecom" has its registered office at 28/2 Calea Iesilor Street, Truseni, Chisinau, Republic of Moldova.
The policy is approved by the administrator of SRL "Megatradecom", acting under the statute of SRL "Megatradecom".
This Policy is also approved to ensure the compliance of LLC "Megatradecom" with the provisions of Government Decision of the Republic of Moldova no. 1123 of December 14, 2010 "on the approval of the Requirements for ensuring the security of personal data in their processing within the personal data information systems" and of Law of the Republic of Moldova no. 133 of 08.07.2011 "on the protection of personal data".
III. GENERAL NOTIONS
In this Security Policy, the following terms are defined and used:
personal data - any information relating to an identified or identifiable natural person (subject of personal data). An identifiable person is a person who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to his or her physical, physiological, psychological, economic, cultural or social identity;
special categories of personal data - data revealing the racial or ethnic origin of a person, her political, religious or philosophical beliefs, social affiliation, health or sex life data, as well as criminal convictions, procedural coercive measures or contravention sanctions;
operator - natural person or legal person governed by public or private law, including the public authority, any other institution or organization which, individually or jointly with others, establishes the purposes and means of processing the personal data expressly provided by Legislation in force;
person empowered by the operator - natural person or legal person governed by public or private law, including the public authority and its territorial subdivisions, processing personal data on behalf of the operator on the basis of instructions received from the operator;
authentication - verification of the identifier attributed to the access subject, i.e. confirmation of its authenticity;
security control - actions undertaken by LLC "Megatradecom" in order to ensure an adequate level of security of the personal data processed in the information systems and/or the registers kept;
temporary files - a set of data or digital information created for a limited period of time for the purpose of carrying out the tasks for which they were designated;
identification - assigning an identifier to access subjects and objects and/or comparing the presented identifier with the list of assigned identifiers;
integrity - the accuracy, consistency and currency of information containing personal data, and its protection against destruction and unauthorized modification;
means of cryptographic protection of information containing personal data - technical, program and technical-applicative means, systems and complex systems that perform algorithms of cryptographic conversion of information containing personal data meant to ensure the integrity and confidentiality of the information in the process of processing, storing and transmitting it through the communication channels;
level of protection - a level of security proportional to the risk involved in the processing of personal data and the rights and freedoms of individuals, developed and updated accordingly to the level of technological development and the cost of implementing these measures;
personal data security policy - a document developed by the data controller "Megatradecom", which provides a precise description of the security measures and the security features selected for data security, taking into account the potential hazards to the personal data processed and the real risks to which they are exposed;
security perimeter - the area whose boundary is a passage provided with physical and/or technical access control means;
the person responsible for the personal data security policy - the person responsible for the proper functioning of the complex system for protecting information containing personal data, as well as for the elaboration, implementation and monitoring of compliance with the security policy provisions of the personal data holder;
protection of information against unintended actions - a set of measures aimed at preventing unintended actions caused by user errors, defects in technical-applicative means, natural phenomena or other causes not directly aimed at modifying information but leading to its distortion, destruction, copying or the blocking of access to it, as well as to the loss, destruction or damage of the material support of information containing personal data;
personal data carrier - a magnetic, optical, laser, paper or other medium on which the document is created, fixed, transmitted, received, retained or otherwise used in a way that allows its reproduction;
restoration of data - procedures for the reconfiguration / pre-setting of personal data in the state in which they were at the time of their loss or destruction;
information technology - all the methods, procedures and means of processing and transmitting information containing personal data and the rules for its application;
user - the person acting under the authority of the personal data holder with a recognized right of access to the personal information systems;
work session - the period that elapses from the start of the computer or application until the information resource is released, or from the start of the information resource to the moment when it is stopped;
personal information system - all interdependent resources and technologies, methods and personnel, intended for the preservation, processing and provision of information containing personal data;
processing of personal data - any operation or series of operations performed on personal data by automated or non-automated means, such as collecting, recording, organizing, storing, preserving, restoring, adapting or modifying, extracting, consulting, using, disclosure by transmission, dissemination or in any other way, joining or combining, blocking, deleting or destroying;
storage - keeping personal data on any medium;
personal data record system - any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or allocated according to functional or geographic criteria;
the consent of the subject of personal data - any manifestation of free, express and unconditional will in written or electronic form, according to the requirements of the electronic document, whereby the personal data subject accepts to process the data concerning him / her;
depersonalizing data - modifying personal data so that details of personal or material circumstances no longer allow it to be attributed to an identified or identifiable individual, or to allow attribution only under the conditions of an investigation requiring disproportionate time, resources and labor costs.
IV. Objectives of the Security Policy
The main objectives of the Policy are the availability, integrity and confidentiality of all information, including personal data processed by LLC "Megatradecom", both in manual processing and in information technology systems and processes. Security is an essential component of the proper functioning of IT-based processes within LLC "Megatradecom". The basis for adequate IT security is compliance with this Policy. It includes requirements and rules for the protection of all information, including personal data, IT systems and processes against natural influences, human and technical errors, and against deliberate actions that may cause material or immaterial damage or lead to violations of legislation. Given that IT security cannot be guaranteed solely by technical systems, this policy also addresses organizational, legal and other issues.
The company "Megatradecom" will protect the personal data of the participants in the process/visitors as well as of its employees.
The regulations of this Policy are a minimum standard for LLC "Megatradecom", binding on all employees of LLC "Megatradecom". Starting from this regulation, all employees of LLC "Megatradecom" shall comply strictly with the provisions of the internal policies and rules of Megatradecom SRL regarding the protection of personal data and IT systems.
V. Provisions on the hierarchy and responsibility of the person in charge of the Security Policy
The Personal Data Operator, proceeding from the specifics of its activity, transposes through this Security Policy the procedures and measures necessary to ensure an adequate level of protection for the processing of personal data within the record systems it manages.
The personal data security policy will be reviewed at least once a year, or as a result of changes or reassessment of the entity's competencies, and it is the responsibility of the directors to designate the person(s) who will proceed immediately to adjust the provisions of this Act.
The security policy will necessarily be brought to the attention of all employees responsible for the processing of personal data before they are granted access to the processing of personal data, including whenever changes are made, in order to ensure an adequate level of protection of personal data.
The person responsible for the implementation and monitoring of compliance with the personal data security policy will be the person who, according to the job description and/or an internal order, has sufficient resources (time, human resources, equipment and budget) and free access to the information necessary for the performance of these functions, insofar as this does not fall outside this policy.
The responsible person, regardless of the functions exercised in monitoring the implementation/observance of the security policy provisions, will be subordinated directly to the manager of "Megatradecom" SRL or to the person who performs that function ad interim.
The person in charge of the personal data security policy ensures the clear definition of the different responsibilities regarding the security of the processing of personal data (prevention, surveillance, detection and processing), as well as their exercise free from pressure arising from personal interests or other circumstances.
The person in charge of the personal data security policy will clearly define the responsibilities and processes of personal data security management and integrate them properly into the general organizational structure; will provide the technical and organizational measures necessary to organize the management of personal data security; will develop procedures for the classification of information containing personal data so that a nomenclature can be drawn up and all personal data being processed can be located, regardless of the type of data carrier; and will train the persons involved in the processing of personal data so that they fulfil their functional responsibilities and assume responsibility for the security of personal data, including its confidentiality.
VI. Means subject to the principles of personal data protection
The protection of personal data within "Megatradecom" SRL (as a personal data operator) is ensured by a complex of technical and organizational measures to prevent the illicit processing of personal data.
All record systems of the personal data controller that contain personal data are subject to protection by specific means/procedures, whether kept on:
- magnetic, optical, laser or other media of electronic information, data arrays and databases;
- information systems, networks, operating systems, database management systems and other applications, telecommunications systems, including means of producing and copying documents and other technical means of processing information.
VII. Personal data protection measures are ensured in order to:
§ prevent the leakage of information containing personal data by excluding unauthorized access to it;
§ prevent the destruction, modification, copying or unauthorized blocking of personal data in telecommunication networks and information resources;
§ prevent the disclosure to third parties of information with limited accessibility;
§ improve information resources, both on paper and in electronic form.
VIII. The protection of personal data processed in information systems is carried out by the following methods:
§ prevention of unauthorized connections to telecommunication networks and of the interception by technical means of personal data transmitted through these networks;
§ exclusion of unauthorized access to processed personal data;
§ prevention of special technical and program actions which cause the destruction or modification of personal data or malfunctions in the work of the technical and program complex;
§ prevention of intentional and/or unintentional actions of internal and/or external users, as well as of other staff of the operator or of persons authorized by the operator, which cause the destruction or modification of personal data or failures in the work of the technical and program complex;
§ prevention of the leakage of information containing personal data transmitted through the connection channels, ensured by encrypting this information and by using VPN channels;
§ prevention of the destruction or modification of personal data, or of malfunctions in the software for personal data processing, ensured through the use of special technical and program protection means, including licensed programs, antivirus programs, the organization of a software security control system and periodic backups;
§ prevention of the leakage of information containing personal data, ensured by the internal audit of information systems, which is carried out on a permanent basis;
§ precise setting of the order of access to the information containing personal data processed within the information and record systems, established for both internal and external users.
IX. The organizational and technical procedures to be observed within the "Megatradecom" SRL in the processing of personal data
1. General information security management measures
a) When paper or electronic (digital) carriers containing personal data are temporarily not in use, they shall be stored in locked metal cabinets or lockers.
b) Computers, access terminals and printers are switched off at the end of work sessions.
c) Mailboxes are secured, as is access to fax machines and copiers, against unauthorized use.
d) Security and physical access to the means of displaying information containing personal data is ensured in order to prevent unauthorized persons from viewing it.
e) Means for the processing of personal data, information containing personal data or software for the processing of personal data are removed from the security perimeter only on the basis of written permission from the management.
f) All programs used within the IT system comply with their licensing conditions.
g) It is forbidden to install shareware or freeware programs without the permission of the IT administrator.
2. Security of physical environment and information technologies used in the processing of personal data
a) Access to the premises/offices/rooms where the personal data information systems are located is restricted, being allowed only to persons with the necessary authorization according to the appropriate list or to badges (identification cards).
b) The administration and monitoring of physical access at all access points to the personal data information systems is ensured, including the response to violations of the access regime.
c) The security perimeter of Megatradecom LLC is the perimeter of the offices where personal data are processed/stored.
d) The perimeter of the building or rooms where the personal data processing facilities are located is physically sound: the exterior walls of the rooms are resistant and the entrances are equipped with locks and signage.
e) The location of the personal data processing means corresponds to the need to ensure their security against unauthorized access, theft, fire, flood and other possible risks.
f) Doors and windows shall be locked when no staff member is present in the room.
g) Computers, servers and other access terminals are located in places with limited access for outsiders.
h) Access with unauthorized photo/video equipment to the security perimeter of the "Megatradecom" SRL building where personal data is processed/stored is prohibited, taking into account the need to ensure the confidentiality and security regime of the processing of personal data provided by art. 29 and art. 30 of the Personal Data Protection Act, as well as point 26 of the Requirements.
i) The use of photo, video, audio or other means of recording within the security perimeter is only allowed with the express permission of management.
3. Identification and authentication of users
a) The identification and authentication of users of the personal data information systems, and of the processes executed on behalf of such users, is carried out.
b) All users (including technical support staff, network administrators, programmers and database administrators) have a personal identifier (user ID) that does not indicate the user's access level.
c) Passwords, physical access tokens or microprocessor cards, and biometric authentication means based on unique and individual characteristics of the person are used to confirm the user ID.
d) If the user's employment contract/service relationship has been terminated, suspended or modified and the new tasks do not require access to personal data, or the user's access rights have been modified, or the user has misused the codes received, or the user has been absent for a long time, the identification and authentication codes are revoked or suspended by the IT administrator.
4. Identification and authentication of the equipment
The equipment used in personal data processing operations is identified and authenticated, and this information is retained for a long period of time.
5. Managing user identifiers
Managing user identifiers includes:
- univocal identification of each user,
- verifying the authenticity of each user.
6. Use of passwords in the process of providing information security
The rules for ensuring information security are respected when choosing and using passwords; they include:
- maintaining the confidentiality of passwords;
- prohibiting the recording of passwords on paper, unless their secure keeping is ensured;
- changing passwords every time there are clues to a possible compromise of the system or of the password;
- choosing quality passwords of at least 8 symbols that are not related to the user's personal information, do not contain consecutive identical symbols and are not composed entirely of figures or of letters;
- changing passwords at intervals of no more than 3 months;
- deactivating automatic password saving (the use of saved passwords).
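The rules above can be enforced mechanically. The following is an added example (not part of the policy or of any Megatradecom system) that checks a candidate password against them in Python; the "3-month interval" is taken as 90 days and the list of personal-information fragments (user ID, birth year) is an assumed input.

```python
from datetime import date, timedelta

MIN_LENGTH = 8
# "3-month intervals" from the policy, taken here as 90 days (assumption).
MAX_PASSWORD_AGE = timedelta(days=90)


def has_consecutive_identical(password):
    """True if any two adjacent symbols are identical (e.g. 'aa', '11')."""
    return any(a == b for a, b in zip(password, password[1:]))


def related_to_personal_info(password, personal_info, min_fragment=3):
    """True if a fragment of the user's personal information (user ID, name,
    birth year, ...) of at least min_fragment characters appears in the
    password, ignoring case."""
    lowered = password.lower()
    for item in personal_info:
        fragment = str(item).lower()
        if len(fragment) >= min_fragment and fragment in lowered:
            return True
    return False


def check_password(password, personal_info=()):
    """Return the list of policy violations; an empty list means the password
    satisfies the quality rules of the security policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 symbols")
    if has_consecutive_identical(password):
        problems.append("contains consecutive identical symbols")
    if password.isdigit():
        problems.append("composed entirely of figures")
    if password.isalpha():
        problems.append("composed entirely of letters")
    if related_to_personal_info(password, personal_info):
        problems.append("related to the user's personal information")
    return problems


def password_change_required(last_changed, today, compromise_suspected=False):
    """A change is due when the password is 3 months (90 days) old, or
    immediately when there are clues of a possible compromise."""
    if compromise_suspected:
        return True
    return today - last_changed >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample: a user ID and a birth year as personal information.
    info = ["ion.popescu", "1985"]
    for candidate in ["12345678", "aabb1234", "Popescu1985!", "Tr4nz-Kq9"]:
        print(candidate, check_password(candidate, info) or "OK")
    print(password_change_required(date(2024, 1, 1), date(2024, 4, 1)))
```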
7. Access management control
Systematic control of user actions is performed to assess the correctness and compliance of the operations and actions performed through the personal data information systems.
8. Remote access
a) All methods of remote access to the personal data information systems are secured (using VPN, encryption, etc.), documented, and subject to monitoring and control.
b) Each method of remote access to the personal data information systems is authorized by the responsible persons of "Megatradecom" SRL and allowed only to those users for whom it is necessary to achieve the established objectives.
9. Limiting the use of wireless technologies
a) Wireless access to the personal data information systems is limited to the minimum necessary, documented, and subject to monitoring and control.
b) Wireless access to personal information systems is only allowed when cryptographic information protection is used.
c) The use of wireless technologies is authorized by the responsible persons of "Megatradecom" SRL.
10. Power security
a) The electrical equipment and wiring used to maintain the functionality of the personal data information systems is secured against damage and unauthorized connections by mounting it in special niches.
b) In the event of exceptional, emergency or force majeure situations, the possibility of disconnecting the electricity supply from the personal data information systems, including the disconnection of any IT component, is ensured.
c) Automated fire detection and suppression systems are implemented in the offices where the personal data information systems and the personal data processing facilities are located.
11. Controlling the installation and removal of IT components
a) The installation and removal of the software, technical means and technical-applicative means used in the personal data information systems is controlled and recorded.
b) Information carriers containing personal data are physically destroyed, or the information is securely overwritten and destroyed by safe methods, avoiding the use of standard deletion functions.
12. Disclosure of personal data
a) Disclosure of personal data in electronic format, contained in the record systems, communication networks or other digital storage media, requires that this information be encrypted or that the possibility of using a secure bilateral VPN channel be examined. Wireless access to personal data record systems is only allowed to authorized users. Each request for disclosure by transmission of personal data by electronic means will be examined separately, taking into account the technical possibilities available to the recipient and the operator, as well as the organizational and technical measures implemented by the parties. If communication networks pose a risk to the privacy and security of personal data, traditional methods of transmission (registered post with acknowledgement of receipt, etc.) will be used.
b) Disclosure by transmission of personal data through non-compliant communication networks (for example, sending information via personal e-mail accounts such as @gmail.com, @mail.ru, @yahoo.com, etc.) is forbidden.
c) The disclosure of personal data between LLC "Megatradecom" and other entities that are located geographically on the left bank of the Dniester River, which refuses to comply with the legislation of the Republic of Moldova, is forbidden, based on the fact that at the moment there is no possibility of exercising effective control on this part of the territory, including the part regarding the conformity of personal data processing with the provisions of the Law on the protection of personal data.
d) The procedure for the disclosure of personal data stored on paper and / or digital support, outside the borders of the Republic of Moldova, shall be regulated by an institutional / bilateral agreement, taking into account the need to ensure an adequate level of protection of personal data.
e) Cross-border transmission of personal data is carried out in strict compliance with the provisions of art. 32 of the Law on the Protection of Personal Data, especially in cases where the international treaty on which the transmission is made does not contain any safeguards regarding the protection of the personal data subject's rights.
f) The volume and categories of personal data collected for the purposes of keeping records by LLC "Megatradecom" is limited to what is strictly necessary to achieve the declared purposes.
g) Access to the information systems managed within "Megatradecom" LLC by the General Prosecutor's Office (the territorial/specialized prosecutor's office), the Ministry of Internal Affairs, the National Anticorruption Center, etc., will be allowed only if the request complies with the provisions of art. 15 and art. 212 of the Code of Criminal Procedure.
It is explained that, in accordance with the provisions of Art. 157 of the Criminal Procedure Code, documents in any form (written, audio, video, electronic, etc.) originating from official natural or legal persons, if they set out or certify circumstances of importance for the case (including information stored in the audit logs of information and record systems), may be requested by a criminal prosecution body in the course of criminal prosecution or during the trial of the case. In this case, however, the provisions of Article 214 of the Code of Criminal Procedure apply, which stipulate that in the course of criminal proceedings no official information with limited accessibility may be administered, used or distributed without necessity. The persons whom the criminal prosecution body or the court requests to communicate or make available official information with limited accessibility (including personal data operators) have the right to satisfy themselves that these data are collected for the criminal proceedings concerned, and otherwise to refuse to communicate or submit the data. Such persons are also entitled to receive in advance from the person requesting the information a written explanation confirming the need to provide the said data.
It is necessary to take into account the fact that, according to the provisions of Article 8 of the Access to Information Act, personal data are part of the category of official information with limited accessibility, access to which is carried out in accordance with the provisions of the legislation on the protection of personal data.
Where a lawyer or an empowered person acquaints himself with the client's personal record, he shall be informed in writing of his obligations under the provisions of art. 15 of the Criminal Procedure Code and art. 29 and 30 of the Personal Data Protection Act, including liability under Art. 741 of the Code of Conduct.
13. The rights of the subjects of personal data
a) If the personal data are collected directly from the subject of these data, in accordance with the provisions of Article 12 of the Personal Data Protection Act, the subject shall be provided with the following information, unless he already holds it:
- the identity of the operator or, where applicable, of the person empowered by the operator (name, legal address, IDNO, registration number in the Personal Data Operator Register);
- the specific purpose of the processing of the collected personal data;
- the recipients or categories of recipients of the personal data;
- the existence of the rights to information and of access to the collected data (in particular, to rectify, update, block or delete personal data whose processing is contrary to law due to their incomplete or inaccurate character), of the right to object, and the conditions under which those rights may be exercised; whether answering the questions through which the data are collected is mandatory or voluntary, including the possible consequences of a refusal to answer.
b) The right of access and the possibility of acquainting oneself with the documents drawn up, for the purpose of verifying the correctness of their preparation and of contesting the incorrect inclusion of data, as well as other errors committed in the registration of data about oneself. In this respect, the persons responsible for the processing of personal data will give the person access only to the personal data which directly concern him/her, excluding the possibility of consulting personal data relating to other subjects contained in personal records (other materials), unless the applicant has a legitimate interest that does not harm the interests or fundamental rights and freedoms of the subject of the personal data.
c) The right to information is provided by the personal data operator (or by entities that provide system maintenance and/or outsourced services to the operator) to all persons whose data are subject to processing.
d) If the personal data subject exercises the right to intervene, the inaccurate data will be updated by rectification or deletion, using only legal sources as a basis (identity documents, civil status documents, main state information resources, etc.), and the modification will be carried out in all managed information and record systems.
14. Storage, preservation and destruction of processed personal data
a) Access to the premises/perimeter where the information systems and personal data records are located is restricted, being allowed only to persons authorized under the institutional security policy/approved departmental regulations.
b) The storage and preservation of personal data in electronic format, structured in record systems, on computers that are connected to the Internet and are not equipped with special technical and program protection means, licensed programs, antivirus programs, software security control systems, periodic backups and auditing, is forbidden.
c) Bringing personal computers or information carriers into the institutional security perimeter and using them for service purposes is forbidden. Additionally, access to computer equipment is protected/restricted by creating user profiles, and administrator rights are entrusted only to the person responsible for implementing the security policy, designated within "Megatradecom" SRL.
d) Personal data stored on a magnetic, optical, laser, paper or other information carrier, on which the document is created, fixed, transmitted, received, stored or otherwise used so as to allow its reproduction, is kept under lock or in lockers. Removing personal data carriers from the operator's perimeter without authorization is forbidden.
15. Audit of managed information systems
a) Registration of user entry/exit (login/logout) attempts is carried out in the system according to the following parameters:
- date and time of the entry/exit attempt;
- user ID;
- the result of the entry/exit attempt: positive or negative.
b) Registration of attempts to obtain access (execution of operations) by applications and processes for the processing of personal data is carried out according to the following parameters:
- the date and time of the attempted access (operation executed);
- the application or process name (identifier);
- the user ID;
- specification of the protected resource (identifier, logical name, filename, number, etc.);
- the type of operation requested (reading, recording, deletion, etc.);
- the result of the attempt to obtain access (execution of the operation): positive or negative.
c) Registration of changes in user access rights (competencies) and in the status of access objects is made according to the following parameters:
- date and time of the change of competencies;
- the ID of the administrator who made the change;
- the user ID and its competencies, or the specification of the access objects and their new status.
d) Recording of the exit from the system of information containing personal data (electronic documents, data, etc.) is made according to the following parameters:
- date and time of release;
- name of the information and the way it was accessed;
- specification of the equipment (device) that issued the information (logical name);
- the user ID that requested the information.
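As an added example (not code from the policy or from Megatradecom), the four record types above can be written as JSON lines and then queried for the conditions a responsible person would want to notice, such as bursts of failed logins or rights changes outside working hours; the record field names, the sample audit trail and the working hours are all assumptions.

```python
import json
from datetime import datetime, timedelta


def login_record(ts, user_id, success):
    """Entry/exit attempt: date and time, user ID, positive/negative result."""
    return {"event": "login", "timestamp": ts.isoformat(), "user_id": user_id,
            "result": "positive" if success else "negative"}


def access_record(ts, process, user_id, resource, operation, success):
    """Access attempt by an application/process to a protected resource."""
    return {"event": "access", "timestamp": ts.isoformat(), "process": process,
            "user_id": user_id, "resource": resource, "operation": operation,
            "result": "positive" if success else "negative"}


def rights_change_record(ts, admin_id, user_id, new_rights):
    """Change of a user's access rights, made by an administrator."""
    return {"event": "rights_change", "timestamp": ts.isoformat(),
            "admin_id": admin_id, "user_id": user_id, "new_rights": new_rights}


def export_record(ts, info_name, access_path, device, user_id):
    """Exit of information containing personal data from the system."""
    return {"event": "export", "timestamp": ts.isoformat(), "info_name": info_name,
            "access_path": access_path, "device": device, "user_id": user_id}


def to_jsonl(records):
    """Serialize records as one JSON object per line (append-only log)."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def parse_jsonl(text):
    """Read a JSON-lines audit log back into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` negative login results inside any
    `window`; returns {user_id: largest burst size}."""
    failures = {}
    for r in records:
        if r["event"] == "login" and r["result"] == "negative":
            failures.setdefault(r["user_id"], []).append(
                datetime.fromisoformat(r["timestamp"]))
    flagged = {}
    for user_id, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[user_id] = max(flagged.get(user_id, 0), burst)
    return flagged


def rights_changes_outside_hours(records, start_hour=8, end_hour=18):
    """Rights changes made outside working hours (assumed 08:00-18:00)."""
    out = []
    for r in records:
        if r["event"] == "rights_change":
            hour = datetime.fromisoformat(r["timestamp"]).hour
            if not start_hour <= hour < end_hour:
                out.append(r)
    return out


# Constructed sample audit trail (not real data): three quick failures by one
# user, two slow failures by another, and a late-night rights change.
SAMPLE_RECORDS = [
    login_record(datetime(2024, 3, 4, 9, 0, 5), "u.ionescu", False),
    login_record(datetime(2024, 3, 4, 9, 0, 40), "u.ionescu", False),
    login_record(datetime(2024, 3, 4, 9, 1, 10), "u.ionescu", False),
    login_record(datetime(2024, 3, 4, 9, 2, 0), "u.ionescu", True),
    login_record(datetime(2024, 3, 4, 9, 5, 0), "m.rusu", False),
    login_record(datetime(2024, 3, 4, 9, 30, 0), "m.rusu", False),
    login_record(datetime(2024, 3, 4, 9, 40, 0), "m.rusu", True),
    access_record(datetime(2024, 3, 4, 9, 3, 0), "hr-app", "u.ionescu",
                  "employees.db", "reading", True),
    rights_change_record(datetime(2024, 3, 4, 23, 15, 0), "it.admin",
                         "u.ionescu", "hr-app: read, write"),
    export_record(datetime(2024, 3, 4, 10, 0, 0), "employee_list.xlsx",
                  "hr-app export", "PRN-01", "u.ionescu"),
]
SAMPLE_JSONL = to_jsonl(SAMPLE_RECORDS)

if __name__ == "__main__":
    records = parse_jsonl(SAMPLE_JSONL)
    print(failed_login_bursts(records))
    for r in rights_changes_outside_hours(records):
        print(r)
```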
16. Protection against harmful programs (viruses)
Protection against the infiltration of malicious software into the personal data processing software is ensured through the use of licensed anti-virus programs.
17. Testing the functional possibilities to ensure the security of personal information systems
Testing of the correct functioning of the security features of the personal data information systems (automatically at system start and monthly at the request of the user authorized for this purpose) is ensured.
18. Managing security incidents
a) Personnel operating the personal data information systems shall, at least once a year, undertake training on their responsibilities and obligations in security incident management and response.
b) The personnel of LLC "Megatradecom" inform the management immediately about incidents that violate the security of the personal data information systems.
c) Incident processing includes the detection, analysis, prevention, development, removal and restoration of security.
d) By January 31 of each year, the personal data controller shall inform the National Center for Personal Data Protection in writing of the security incidents detected.
e) In the event of security incidents within "Megatradecom" LLC, the responsible person shall take the necessary steps to trace the source of the incident, analyze it and remove its causes, informing the National Center for the Protection of Personal Data of the Republic of Moldova within 72 hours of the moment of the security incident.
f) During checks carried out by the National Center for Personal Data Protection of the Republic of Moldova, it will be provided with the necessary access to the information relevant to the object of the control.
19. Marking documents
All information containing personal data that is intended to be disclosed is to be marked by including the registration number from the Personal Data Operator Register.
Model: Attention! The document contains personal data, processed in record system no. 000000X-00X, registered in the register of personal data controllers at www.registru.datepersonale.md. Subsequent processing of these data may be carried out only under the conditions provided by Law no. 133 of 08.07.2011 on the protection of personal data.
20. Responsibility to ensure the security of personal data as well as information with limited accessibility
The personal data controller, the person empowered by the operator and, as appropriate, third persons who are signatories of annex no. 1 bear, for non-observance of the provisions of the Security Policy, civil liability (Civil Code), contraventional liability (Article 741 of the Code of Penal Procedure) and penal liability (Art. 177, 178 and 180 of the Penal Code).