The purpose of this policy is to put in place a compliance framework that includes appropriate technical and organizational measures, in order to ensure that data processing is performed in compliance with the GDPR. The main objective is to protect the confidentiality, integrity, availability and resilience of processing systems and services.
TwelveSec, as an information security consulting firm specialized in Security Assurance, Security Management and Security Training Services, takes cyber security and data protection very seriously.
Our company has been certified with ISO / IEC 9001: 2015 and ISO / IEC 27001: 2013 for its Information Security Services, ensuring that the services we offer to our customers consistently meet our very strict requirements and exceed our clients’ specifications. The company focuses on providing quality InfoSec services, spanning the entire spectrum of engagement, assessment and reporting, and successfully helps its customers mitigate the cyber threats they face. As a result, we will continue to invest in our security infrastructure and to work with third-party vendors to ensure that we have the appropriate contractual terms in place.
The GDPR applies across all the Member States of the EU. Also, it applies to any organization anywhere in the world that provides services into the EU that involve processing the data of EU citizens.
Thus, this policy applies to:
- All employees of TwelveSec. This category consists of regular and temporary employees, trainees and interns.
- Contractual third parties of TwelveSec with any form of access to the company’s information and information systems.
  Both of the above categories will be referred to from now on as “employees”.
- All hardware and software systems of TS: laptops, tablets, PCs, Mac computers, smartphones, smartwatches and any other devices that are used by the employees of TS for business purposes, regardless of their type, scale, price or size.
TwelveSec processes personal data of individuals, only after explaining the specific use of the data and obtaining the data subject’s freely given, specific, informed and unambiguous consent.
2.2 Information we collect
Depending on the case, we collect the following information:
- Personal data of our employees.
- Customers’ personal data.
- Personal data from the people that visit our blog / website.
- Vendors’ and partners’ contact details.
- Shareholders’ personal data.
Sensitive Personal Data
- Employees’ sensitive personal data.
- IP Addresses.
- Employees’ contracts.
- Partners’ contracts.
- Customers’ contracts.
- Vendors’ contracts.
- Bank accounts.
- Salary data.
- Financial reports.
TwelveSec’s information assets are identified in the company’s Data Inventory. The same document depicts their interdependencies.
2.3 How do we use the information
We use the information we collect in order to improve our services and to remain in compliance with our customers’ requirements. Additionally, TwelveSec complies with all legislative and regulatory requirements. Specifically:
- Employees’ data are used for HR purposes. They are processed in order to ensure that the company’s personnel are efficient, qualified and lawful.
- Customers’ data are processed explicitly for work-related issues, as they are defined in the signed contracts, whether TwelveSec acts as a controller or as a processor.
- Vendors’ and partners’ data are used for contract-related purposes, as defined each time.
- Information we collect from our website when you register, sign up for our newsletter, respond to a survey, surf the website, or use certain other site features may be used in the following ways:
  - To improve our website in order to better serve you.
  - To follow up with you after correspondence (email or phone inquiries).
2.4 How do we protect the information
Your personal information is contained within secured networks (Network Security Policy) and is only accessible by a limited number of persons who have special access rights to such systems, in accordance with the company’s Access Control Policy. TwelveSec’s personnel are required to keep the information confidential, as described in our Information Classification Policy.
We implement a variety of security measures when a user enters, submits, or accesses the information to maintain the safety of your personal data. All the company’s policies, procedures and processes are in compliance with international best practices and they are certified with ISO / IEC 27001: 2013.
TwelveSec, in order to fully comply with all the relevant requirements, faithfully applies the fundamental “Need-to-Know” principle. Under this principle, the handling of and access to information and data is not extended to anyone beyond the staff who strictly need that knowledge to perform their duties.
We perform Risk Assessment and Data Protection Impact Assessment processes in order to identify and evaluate the impact on confidentiality, integrity and availability in case of loss of security, the impact on the Data Subjects, the threats, the vulnerabilities and the appropriate security controls to mitigate the identified risks.
The company provides continuous information to staff on security issues, with particular emphasis on the importance of maintaining credibility and dedication to duties related to TwelveSec.
During the Recruitment Procedure, candidates are screened very carefully to ensure that they share the company’s corporate values. Among other things, candidates must produce a certificate of good conduct from the Greek authorities and/or the authorities of the countries they have lived in during the past 5 years, and they must produce a new one every year. In addition, all TwelveSec employees have signed a Non-Disclosure Agreement covering all sensitive information they obtain and/or have access to during their employment with the company. Finally, TwelveSec has a “no prior felonies” policy for all personnel, since all our employees must be eligible for Greece SECRET Clearance, EU SECRET Clearance and NATO SECRET Clearance.
We may also use trusted third-party services that track this information on our behalf.
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information, unless the transfer is required by the law.
2.5 Data Retention Period
IT Data and Personal Data collected by TwelveSec from visitors to our website will only be kept in order to provide the required service (if any). Once the service has been completed, all information will be destroyed.
Personal Data that we receive from candidates through the company’s Workable account is not saved or stored.
Employees’ and customers’ Personal Data, Financial and Legal Data are kept by the company for specific time periods, as specified by Greek law. In particular, the retention periods are defined in the following regulations:
- Law 4174/2013 – Greek Code of Tax Procedure “CTP”.
- Law 4308/2014 – Greek Accounting Standards.
- Employment Law.
The retention periods may vary depending on each case. An overview of the categories and the periods is presented in the table below.
2.6 Access, modify and delete information
At any time, you retain the right to update or object to the further processing of your data in accordance with applicable laws on the protection of personal data.
You have the right to withdraw your consent to the processing of your data. Furthermore, you have the right to request correction or modification of your data, as well as deletion of your personal data. In any case, our company must meet the relevant requests within the time limits set by the relevant legislation, as long as there is no other legal issue preventing us from handling your request.
For any questions, suggestions or statements related to these issues, please contact us by sending an email to email@example.com. TwelveSec’s legal representative will be at your disposal.
2.7 Information Security
We work hard to protect you from unauthorized access to data or unauthorized alteration or disclosure of information we hold. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. In particular:
- We implement a Cryptographic Controls Policy.
- We review on a regular basis our processes and procedures to guard against unauthorized access to systems.
- We implement a Physical and Environmental Security Policy.
- We implement and continuously improve an Information Security Incident Management Procedure. TwelveSec aims to detect and prevent all security events that could lead to data breaches.
2.8 Compliance with the supervisory authorities
TwelveSec has established a Contact with Authorities Policy, which provides a basis for notifying the authorities during information security incidents.
An information security incident can be the standalone result of a single action or the combination of many factors, such as external malicious attacks, employees’ negligence and system corruption. Depending on the cause of the incident, the relevant authorities will be notified. The indicated authorities are the Cyber Crime Division of the Greek Police, the Greek Police in general, TS’s Internet Service Provider, the Fire Department and the Greek Personal Data Protection Authority.
Additionally, it is within the Managing Director’s remit to establish liaisons with independent regulatory bodies, such as the Hellenic Authority for Communication Security and Privacy and the Hellenic Communications and Post Commission, in order to anticipate future changes in the terms or regulations governing information security in communications.