Based on the decision of the director and in accordance with Articles 24 and 25 of the Personal Data Protection Act (RS Official Gazette, nr. 94/07), Academia d.o.o., Glavni trg 17b, Maribor issues the following
on the measures and procedures for the protection of personal data
I. INTRODUCTORY PROVISIONS
These rules determine the organizational, technical and procedural measures for the protection of personal data at Academia d. o. o. in order to prevent accidental or intentional unauthorized destruction, alteration or loss of data as well as unauthorized access, processing, use or transmission of personal data.
Employees and external associates who process and use personal data in their work must be informed about the Personal Data Protection Act, the Community legislation governing their particular field of work and the content of these rules.
The terms used in this policy are as follows:
- ZVOP-1 – Personal Data Protection Act (RS Official Gazette, nr. 94/07);
- Personal data – any data relating to an individual, irrespective of the form in which it is expressed;
- Individual – a specific or identifiable natural person to whom the personal data relates; a natural person is identifiable if they can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity, provided that the method of identification does not require large financial resources or an excessive amount of time;
- Collection of personal data – any structured set of data containing at least one item of personal data that is accessible on the basis of criteria which allow the data to be used or aggregated, whether the set is centralized, decentralized or dispersed on a functional or geographical basis; a structured data set is a data set organized in such a way that it determines or enables the identifiability of an individual;
- Personal data processing – any action or series of actions carried out in relation to personal data that is processed automatically or which, in the case of manual processing, forms part of a personal data file or is intended to be included in a personal data file; in particular this covers adaptation or modification, retrieval, access, use, disclosure, transmission, communication or any other kind of dissemination, linking or classification, blocking, anonymization, deletion or destruction. Processing may be manual or automated;
- Personal data manager – a natural person, legal entity or other entity from the public or private sector which, alone or together with others, determines the purposes and means of processing personal data, or a person designated by law, which also determines the purposes and means of processing;
- Sensitive personal data – data on racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, health status, sexual life, entries in or deletions from criminal or misdemeanour records, and biometric characteristics;
- Personal data user – a natural person, legal entity or other entity in the public or private sector to whom personal data is provided or disclosed;
- Data carrier – any medium on which personal data is recorded (documents, acts, materials, files, computer equipment including magnetic, optical or other computer media, photocopies, sound and image material, microfilms, data transmission devices and other);
The description of the personal data collections managed by Maja Mrđa is kept in the register of personal data collections, which is maintained in accordance with Article 26 of ZVOP-1. The data referred to in points 1, 2, 4, 5, 6, 9, 10, 12 and 13 of the catalogs of personal data files shall be forwarded to the state body responsible for keeping the Register of personal data files. The catalog shall be drawn up for each personal data collection no later than 15 days before the collection is established, and the data from the catalog shall be forwarded to the competent state authority within the same period. The register of personal data collections is updated with each change in the type of personal data in an individual database, and the changes are submitted to the competent state authority within 8 days.
Employees who process personal data must be informed about the register of personal data files, and access to the register of personal data files must also be made available to anyone who requests it.
Academia d.o.o. or the person responsible for personal data management is obliged to keep an up-to-date list from which it is clear, for each personal data file, which person is responsible for that file and which persons may process the personal data in that file due to the nature of their work. The list shall contain the following data: the name of the personal data file, the personal name and post of the person responsible for the personal data file, and the personal name and post of the persons who may process personal data relating to the personal data file due to the nature of their work.
II. SECURITY ON THE PREMISES AND COMPUTER EQUIPMENT SECURITY
The premises on which personal data carriers, hardware and software are located (secured premises) must be protected by organizational, physical and technical measures that prevent unauthorized persons from accessing the data.
Access is possible only during regular working hours, and outside this time only with the permission of the head of the unit.
The keys to the secured premises are used and held in accordance with the house rules. The keys are not left in the lock in the door from the outside.
Secured premises must not be left unattended; they must be locked in the absence of the workers who supervise them.
After working hours, cabinets and desks with personal data carriers must be locked, computers and other hardware must be switched off and physically or programmatically locked.
Employees must not leave personal data carriers on desks or in the presence of persons who have no right to inspect them.
Carriers of personal data located outside the secured premises (corridors, common areas) must be kept permanently locked away.
Sensitive personal data must not be stored outside the secure premises.
On premises that are intended for conducting business with customers, data carriers and computer displays must be installed in such a way that customers do not have access to them.
Maintenance and repairs of computer hardware and other equipment can only be permitted by an authorized person, and may only be performed by authorized service and maintenance personnel who have an appropriate contract with Academia d.o.o.
Maintenance staff for the premises, hardware and software, as well as visitors and business partners, may access the secured premises only with the permission of an authorized person. Employees such as cleaners, security guards, etc. may, outside working hours, access only those secured areas where access to personal data is disabled (data carriers are stored in locked cabinets and desks, and computers and other hardware are turned off or otherwise physically or programmatically locked).
III. PROTECTION OF SYSTEM AND APPLICATION SOFTWARE, HARDWARE EQUIPMENT AND THE DATA PROCESSED BY COMPUTER EQUIPMENT
Access to the software must be secured so that it is available only to pre-determined employees or to legal or natural persons who have agreed by contract to carry out their services in accordance with the personal data protection provisions of that contract.
Repairs, modifications and expansions of the system and application software are permitted only with the approval of an authorized person, and may only be performed by authorized services and organizations and individuals who have an appropriate contract with Academia d.o.o. Contractors must properly document the changes and additions to system and application software.
The same provisions apply to the storage and protection of application software data as apply to other data under this policy.
The contents of the network server disks and local workstations on which personal data is located are regularly scanned for computer viruses. When a computer virus is found, it is removed as soon as possible with the help of an appropriate professional service, and at the same time the source of the infection in the computer information system is determined.
All personal data and software intended for use in the computer information system and arriving at Academia d.o.o. on computer data transmission media or via telecommunication channels must be scanned for computer viruses before use.
Employees may not install software without the knowledge of the person in charge of the operations of the computer information system. They may not remove software from the company without the approval of the head of unit and the knowledge of the person in charge of the operation of the computer information system.
Access to data via application software is protected by a system of passwords for the authorization and identification of the users of the software and data. The password system must also make it possible to establish subsequently when an individual item of personal data was entered into the database, used or otherwise processed, and who processed it.
The authorized person shall determine the procedures for assigning, storing and changing passwords.
All passwords and procedures used to enter and administrate the personal computer network (control passwords), administrate e-mail, and administrate application programs are kept in sealed envelopes and are protected from access by unauthorized persons. They are used only in extraordinary circumstances or in emergencies. Any use of the contents of the sealed envelopes shall be documented. After each such use, a new password content is determined.
For the purpose of restoring the computer system in the event of failure or other unforeseen situations, regular copies of the content of the network server and of local machines are created and stored whenever any kind of personal data is located on them.
These copies shall be kept in locked designated areas, which must be fireproof, protected against floods and electromagnetic interference, within the prescribed climatic conditions.
IV. SERVICES PROVIDED BY EXTERNAL LEGAL OR NATURAL PERSONS
Article 11 of ZVOP-1 mandates a written contract with any external legal or natural person that carries out the collection, editing, storage or transmission of personal data. The legal or natural person must be registered for such work (contractual processor). The contract must designate the rules and measures for ensuring the safety and security of personal data. The aforementioned policy also applies to external personnel who maintain or install hardware and software.
External legal or natural persons may carry out the processing of personal data only within the authorization given by the client, and the data must not be processed or used for any other purpose.
An authorized legal or natural person that carries out the aforementioned services off the premises of the client Academia d.o.o. must ensure the same level of personal data protection as is stated in this policy.
V. COLLECTION AND FORWARDING OF PERSONAL DATA
The employee in charge of receiving and recording mail must deliver postal items with personal data directly to the individual or to the service to which the item is addressed.
The employee in charge of receiving and recording mail shall open and inspect all postal items and items that arrive at the company in any other way, except for items referred to in the third and fourth paragraphs of this Article.
The employee in charge of receiving and recording mail does not open postal items addressed to other institutions or organizations that have been delivered by mistake, or items that are marked as containing personal data or bear any other designation connected with a competition or tender.
The employee in charge of receiving and recording mail does not open postal items addressed to an employee which indicate on the envelope that they are to be delivered to the addressee in person, or consignments which state the personal name of the worker first, without indicating his official position, and only then the address of the company.
Personal data may be transferred by IT, telecommunication and other means only under procedures and measures that prevent unauthorized persons from misappropriating or destroying the data or obtaining unauthorized knowledge of its content.
Sensitive personal data is sent to recipients in sealed envelopes and delivered in person against signature.
Personal data is sent by registered mail.
The envelope in which personal data is delivered must ensure that its content is not visible under normal light or when the envelope is held up to a light source. The envelope must also be such that it cannot be opened without a visible trace of tampering.
The processing of sensitive personal data must be specifically designated and secured.
The data referred to in the previous paragraph may be transmitted over telecommunication networks only if it is additionally protected by cryptographic methods and an electronic signature, so that the data is unreadable during transmission.
Personal data is provided only to those users who identify themselves on an appropriate legal basis or present a written request or consent of the data subject.
For each transfer of personal data, the beneficiary must submit a written application, where they must clearly state the provision of the law authorizing the user to obtain personal data, or the application must be accompanied by a written request or consent of the data subject.
Each transfer of personal data is recorded in the records of transfers, from which it must be evident which personal data was transferred, to whom, when and on what basis (ZVOP-1, Article 22).
Original documents are never provided, except on the basis of a written court order. While the original is absent, it must be replaced by a copy.
VI. DELETION OF DATA
After the expiry of the retention period, personal data shall be deleted, destroyed, blocked or anonymised, unless otherwise provided by law or by another act.
The deadlines for the deletion of personal data from the database are set out in Article 7 of the personal data file register.
When deleting data from computer media, a deletion method must be used that makes it impossible to restore all or part of the deleted data.
Data on traditional media (documents, files, registers, lists, …) is destroyed in a way that makes it impossible to read all or part of the destroyed data.
Auxiliary materials are destroyed in the same manner (matrices, calculations and graphs, sketches, trial or unsuccessful printouts, etc.).
It is forbidden to dispose of data carriers containing personal data in rubbish bins.
When personal data media is transferred to a destruction site, appropriate security must also be ensured at the time of transfer.
The transfer of data carriers to the destruction site and the destruction of personal data carriers shall be supervised by a special committee, which shall draw up a record of the destruction.
VII. ACTIONS IN THE EVENT OF SUSPECTED UNAUTHORISED ACCESS
Employees shall immediately report to an authorized person or to a superior any activity involving the unauthorized disclosure or destruction of confidential information, malicious or unauthorized use, misappropriation, alteration or damage, and shall themselves aim to prevent such activities.
VIII. RESPONSIBILITIES FOR THE IMPLEMENTATION OF SECURITY MEASURES AND PROCEDURES
The responsibility for implementing the procedures and measures for the protection of personal data rests with the Head of Unit and the authorised persons designated by the Director.
Anyone processing personal data is obliged to implement the procedures and measures prescribed for data protection and to safeguard the data of which he or she has knowledge or becomes aware in the course of his or her work. The obligation to protect data shall not cease upon termination of the employment relationship.
Before taking up a post where personal data is processed, the employee must sign a specific declaration committing him or her to the protection of personal data.
The signed declaration must indicate that the signatory is aware of the provisions of this Regulation and of the provisions of ZVOP-1, and must also state the consequences of a breach of the provisions of this Regulation.
Staff members shall be liable to disciplinary action for breach of the provisions of the preceding Article and others shall be liable on the basis of their contractual obligations.
IX. FINAL PROVISIONS
The rules from 25 May 2018 shall cease to be valid on the day these Rules enter into force.
This policy shall enter into force on the day following its signature.
Bojan Dapčević, CEO
In Maribor, 15th of July 2020