DPA and Security policies

INTRODUCTION

This document contains the most relevant requirements set out by national rules on the use of IT resources, with which every consultant and employee of Softphone International Ltd (hereinafter the "Company") must comply.

The use of IT tools must always be guided by the correctness and diligence required of every professional relationship.

The Company offers its services through the development and implementation of applications, and access to the web is part of the daily corporate activity of its consultants and employees. This may expose the Company to risks, both economic and legal, creating potential issues for the security of sensitive core-business information and for the Company's public image.

The Company may change the contents of this document at any time, in response to changes in the applicable rules or to technical necessities, by communicating the changes to all employees and consultants.

After having read the document, all employees and consultants must sign Attachment A as a receipt and acceptance statement.

1.0 OBJECT AND APPLICATION RULES

The object of this document (hereinafter the "Policy") is to give each consultant and employee the conditions set by the Company for the correct use of corporate IT resources, email, and Internet.

Moreover, the Company, as the Owner of the processing of personal data, i.e. the Data Controller (hereinafter the "Owner" or the "Data Controller"), adopts this Policy in order to comply with the rules of the UK General Data Protection Regulation – The Data Protection Act 2018 (amended 28/02/2019 and 14/10/2020), hereinafter "UK GDPR" – on personal data protection, and with the international standards on IT and data security.

This Policy is for internal use only and may not be copied or distributed outside the Company, nor used for purposes other than those stated here.

This Policy applies to all Company subsidiaries and offices.

1.1 GENERAL RULES, INTERESTED PARTIES, AND POLICY CLASSIFICATION

This document applies to all of the Company's employees and to anyone who, in the context of a professional relationship (such as consultants, providers, business partners, and clients), manages data or uses IT resources that are the property of Softphone International Ltd.

This Policy supersedes any previous internal regulation on the matter.

A copy of this document is distributed to all employees and consultants of the Company at the start of the employment contract or consultancy relationship.

It is the duty of each employee and consultant to apply these rules in order to ensure the security of the Company's data and IT resources.

Non-compliance with this Policy is a contractual breach and may be pursued as provided in the contracts and agreements and in the applicable regulations.

Each employee and consultant must also comply with any other applicable rule or regulation issued by the Company (such as the Code of Conduct, the rules on workplace security, etc.).

Any other person, even if not an employee, who is entitled to use the Company's IT resources must apply the general confidentiality rules with regard to their characteristics, functionalities, and security and protection systems.

The interested parties are:

  • all employees;
  • anyone who, in the context of a professional relationship (such as consultants, providers, business partners, and clients), manages data or uses IT resources that are the property of Softphone International Ltd.

All interested parties must use this information only in relation to their own responsibilities and working objectives, and must not communicate its contents outside the Company or to persons not included in the interested party category.

This Policy must also be diligently archived.

1.2 GLOSSARY

System administrator: the professional figure responsible for the management and maintenance of a processing system or its components, including database administrators, network and security equipment administrators, and administrators of complex software systems;

Computer authentication: the set of electronic tools and procedures for verifying identity, including indirectly;

Database: any organized set of data, divided into one or more units located in one or more sites;

Private document folder: the folder, created by IT for the use and exclusive access of the user, within which each employee can save and keep a limited amount of data and personal information not related to the work activity;

Authentication credentials: the data and devices in the possession of a person, known to that person or uniquely related to them, used for computer authentication;

Personal data relating to criminal convictions and crimes: personal data suitable to reveal criminal convictions or crimes, or connected to security measures;

Personal data: any information concerning an identified or identifiable natural person (the interested party); a natural person is considered identifiable if they can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more characteristic elements of their physical, physiological, genetic, psychic, economic, cultural or social identity;

Data processors/subjects authorized to process personal data: the natural persons authorized by the owner or manager to perform processing operations;

Interested party (data subject): the natural person to whom the personal data being processed by the Data Controller refers;

Particular categories of personal data (sensitive data / particular data): personal data suitable to reveal racial and ethnic origin, religious, philosophical or other convictions, political opinions, membership of parties, unions, associations or religious, philosophical, political, or trade union organizations, as well as personal data capable of revealing the state of health and sexual life;

Data processor: the natural person, legal person, public administration, or any other body or association appointed by the owner to process personal data;

Electronic tools: computers, computer programs, and any electronic or automated device with which the processing is carried out;

Data controller: the natural person, legal person, public administration, or any other body or association to which, also jointly with another owner, the decisions regarding the purposes and methods of processing personal data and the tools used, including the security profile, are entrusted;

Processing: any operation or set of operations, carried out with or without the aid of electronic tools, concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, and destruction of data, even if not recorded in a database;

Violation of personal data (personal data breach): a breach of security that, even accidentally, involves the destruction, loss, modification, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed in the context of the provision of a communication service accessible to the public.

1.3 RULES AND REGULATIONS REFERENCES

[1] The Data Protection Act 2018 – amended in 2019 and 2020 - UK GDPR;

SECTION I – INTERNAL CODE

1.4 GUIDELINES ON THE CORRECT PROCESSING

Personal data can be processed only if explicitly authorized by the Data Controller.

The Company must carry out a data protection impact assessment for each data processing activity, as defined by the Guidelines on the assessment of the impact on personal data protection (Data Protection Impact Assessment Guidelines).

The impact assessment is particularly important for new products or new services, for changes to existing products and services, and for significant organizational changes adopted by the Company.

1.5 COMMUNICATION TO INTERESTED PARTIES

At the time of collection, or before the collection, of personal data for any type of processing activity, including but not limited to the sale of products, services or marketing activities, the Data Controller is responsible for adequately informing interested parties of the following: the type of personal data collected, the purposes of the processing, the methods of processing, the rights of the interested parties in relation to their personal data, the retention period, any international transfers of data, whether the data will be shared with third parties, and the security measures the Company adopts to protect personal data.

This information is provided through a general information notice on data protection.
If the Company has multiple data processing activities, it will be necessary to develop different notices, differentiated according to the processing activity and the categories of personal data collected. Where personal data are shared with third parties, the Data Controller must ensure that the interested parties have been informed of this through the general information notice on data protection.
Where sensitive personal data are collected, the Data Controller must make sure that the general information notice on data protection explicitly states the purpose for which such sensitive data are collected.

1.6 CONSENT

The processing of personal data is allowed only with the express consent of the interested party. Consent must necessarily be in writing when it concerns sensitive data.
Consent is not required when the processing is necessary to fulfil a legal obligation, or one deriving from regulation or legislation. It is also not required to perform obligations deriving from a contract to which the interested party is a party, when it concerns data taken from public registers, lists, deeds or documents available to anyone, or when it concerns data relating to the performance of economic activities.

The acquisition of consent is a prerequisite for the Company to proceed with the opening of any relationship with:

  • customers, in the event of the provision of services for which access or processing of the customer's personal data is necessary;
  • staff (employees and collaborators), as part of the Company's administrative staff management process.

With regard to the personal data of the Company's suppliers, the information on the processing of data will be provided under a single specific agreement. It is not, in general, necessary to acquire consent, given that the processing of these data should be limited to the execution of contractual obligations.
When asked to correct, modify or destroy records of personal data, the Privacy Contact Person must ensure that these requests are handled within a reasonable period of time. The Privacy Contact Person must also record the requests and keep a dedicated register.

Personal data must be processed only for the purpose for which they were originally collected. If the Company wishes to process the personal data collected for another purpose, the Company must request the consent of its interested parties in written, clear and concise form. Any such request must include the original purpose for which the data were collected as well as the new or additional purposes, and the reason for the change of purpose(s). The Data Processors are responsible for compliance with the rules in this paragraph.

The Privacy Contact Person is responsible for the creation and maintenance of the processing register.

1.7 SUBJECTS AUTHORISED TO PROCESS DATA

The responsibility for ensuring adequate processing of personal data lies with anyone who works within the Company, or on its behalf, and has access to the personal data processed by it.
The data controller is the entity as a whole, or the peripheral unit or body, that exercises fully autonomous decision-making power over the purposes and methods of the processing. For the Company, the owner is therefore Softphone International Ltd itself, through its strategic decision-making body, the Board of Directors.

The main areas of responsibility for the processing of personal data refer to the following organizational roles:

  • the Board of Directors or the Chief Executive Officer makes decisions and approves the general strategies of the Company regarding the protection of personal data;
  • the Data Processors are responsible for managing the personal data protection program and for developing and promoting end-to-end personal data protection procedures;
  • the Privacy Contact Person (privacy referent) verifies that the Data Processors keep the internal regulations up to date.

The external or internal Data Processors, who are the privacy representatives of the business units for the processing of data relating to the activities carried out by those units, are appointed by the Data Controller by specific resolution or assignment letter, which indicates the detailed tasks attributed to them. The Data Processors carry out the processing according to the instructions given in this Policy and in compliance with the Regulation. The Data Controller supervises the punctual observance of the processing provisions in force. The list of data processors, internal and external, is available from the Company to interested parties who request it.

Processing operations can only be carried out by persons who operate under the direct responsibility of the data processor.
The appointment letter from the Owner, covering both common and sensitive personal data, is delivered to all employees at the time of hiring, attached to the employment contract.

1.8 SECURITY MEASURES

The personal data being processed are kept and controlled, taking into account the knowledge acquired on the basis of technical progress, the nature of the data, and the specific characteristics of the processing, so as to reduce to a minimum, through the adoption of suitable and preventive security measures, the risks of destruction or loss, even accidental, of the data themselves, of unauthorized access, or of processing that is not allowed or not in accordance with the purposes of the collection.

The Company, as data controller, is required to adopt the following minimum measures, in the ways provided for in the technical specification attached to the Code (ANNEX E):

  • computer authentication;
  • adoption of procedures for managing authentication credentials;
  • use of an authorization system;
  • periodic updating of the scope of processing allowed to the individual appointees and to the persons in charge of the management or maintenance of electronic tools;
  • protection of electronic tools and data against unlawful processing, against unauthorized access, and against certain (malicious) IT programs;
  • adoption of procedures for the safekeeping of backup copies and for restoring the availability of data and systems.

To correctly manage the measures required by law, it is necessary to monitor the correct functioning of the following instruments:

  • the user creation/modification system on the corporate network;
  • the user creation/modification system on all company application systems, which provides for the creation of the user with the assignment of the relevant user permissions and a personal password with the characteristics required by law;
  • malicious software protection systems, with constant updating to keep the protection effective;
  • backup systems for company archives, whether they are documents in the form of files or databases.

The detailed control procedures for the points listed above are described in the technical specification in force, which is updated annually by the Information Systems Manager (IT Manager).
The IT Manager is also responsible for the management of information systems and acts as System Administrator.

1.9 FEEDBACK TO INTERESTED PARTIES

The Privacy Contact Person is responsible for receiving any requests from interested parties, be they customers, employees, or suppliers of the Company.
The Privacy Contact Person will prepare the response notes with the collaboration of the competent Units (Information Systems, Administration, etc.) and in compliance with the Operating Instructions contained at the end of this Policy.

1.10 MAIN SUPERVISORY AUTHORITY (the Commissioner)

The Company is based only in the United Kingdom, but its processing activities, both as Owner and as Manager, also concern interested parties in other countries (mainly the EU Member States).
For the Company, the only competent authority will be the supervisory authority of the country where the Company has its registered office and central administration, i.e. the UK authority.

For the purposes of the UK GDPR, a transfer of personal data to a third country or an international organization is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes— (a) in the case of a third country, the country or a relevant territory or sector within the country, or (b) in the case of an international organization, the organization.


1.11 MANAGEMENT OF DATA BREACH

When the Company becomes aware of a suspected or actual violation of personal data, the Data Breach Manager (IT Manager) must conduct an internal investigation and take appropriate measures in a timely manner, as required by the Operating Instruction on personal data breaches.
If there are risks to the rights and freedoms of data subjects, the Company must notify the data protection authority without delay and, where possible, within 72 hours, as provided in the relevant Operating Instruction.

1.12 AUDIT AND RESPONSIBILITY

The CEO has instructed the IT Manager to verify the correct application of this procedure by the other business areas.
Anyone who violates this procedure may be subject to disciplinary action and, if the violation also infringes laws or regulations, to civil and criminal liability.

SECTION II – OPERATIVE INSTRUCTIONS


1.13 GUIDELINES FOR MAINTAINING THE PROCESSING REGISTER

Ref. rule

Article 30 UK GDPR

Processing activities inventory objective

The inventory of processing activities is first of all an internal document that allows the Company to better understand how and why personal data are processed, and how to develop policies and procedures to protect them. Furthermore, in the case of an investigation by the supervisory authorities, it is used to demonstrate that the Company is aware of, and has control over, its data operations.

The Privacy Contact Person is responsible for keeping a record of the Company's processing activities in the form of an inventory of processing activities.
In order to ensure compliance with the requirements of the GDPR, the following information must be included in the inventory of processing activities:

  • name and contact details of the Privacy Contact Person;
  • purpose of the processing activities;
  • categories of personal data processed;
  • recipients to whom personal data have been or will be communicated, including recipients in third countries;
  • transfers of personal data to a third country, including the identification of these countries;
  • proposed terms for deleting the various categories of data;
  • where possible, a general description of the technical and organizational security measures;
  • offices (business units) where processing activities take place;
  • name of the system (intended as software, service or archive) that processes the data;
  • if the Company processes data together with other companies, specify the name of the latter (definition of the joint owner);
  • name and contact details of the manager or managers and of each owner in whose name the manager is operating and, where applicable, the representative of the owner or manager;
  • categories of processing carried out;
  • where applicable, transfers of personal data to a third party (sub-responsible) or to an international organization, including the references of that country or international organization.

Compiling the inventory of processing activities is the responsibility of the Data Processors, with the support of the Privacy Contact Person.
Annex F - Inventory of processing activities at the date of approval of this Policy


1.14 EXTERNAL DATA PROCESSOR MANAGEMENT

The purpose of this operating instruction is to list the subjects who perform the role of external data processors on behalf of the Data Controller.

Ref. rule

Articles 26, 28 and 29 UK GDPR

Operative processes and responsibilities

Each person who is entrusted with the role of external data processor must demonstrate compliance with the requirements of the UK GDPR; this compliance can be verified through a specific checklist.

The role of external data processor must be entrusted through a specific agreement between the parties, also by means of a specific appointment letter to the external data processor, which, once signed, must be archived and kept by the Company.
All subjects who hold the role of external data processor must be included in a specific list.

If a business or support unit identifies a person as a supplier of an activity that involves the processing of personal data, it must notify the Privacy Contact Person, who adds the subject to the list of external data processors.

1.15 SPECIFIC CONSENT MANAGEMENT

The consent of the interested party to the personal data processing activities is essential in order to legitimize the data processing carried out by the Company as owner of the processing.
The purpose of this procedure is to define the specific consent management methods and the obligations related to this activity.

This procedure applies to all data processing activities that require specific consent, for example promotional activities, direct marketing or newsletters, and the management of "sensitive" data.

Ref. rule

Articles 7, 8 UK GDPR

Operative processes and responsibilities

The Data Controller must map all data collection and processing activities, identifying those that go beyond the direct purpose and require specific consent, such as promotional activities, direct marketing, or sending newsletters.
Sensitive data and judicial data, within the meaning of Articles 9 and 10 of the Regulation respectively, are processed by the Company for the sole purpose of hiring employees, managing the employment relationship, or checking the integrity requirements of company representatives, and therefore for legal purposes or with the prior consent of the employee concerned.

For each identified activity it is necessary to clarify the specific consent management methods. The collection of consent (and the consequent possibility of revoking it) must be managed through specific forms.
The consents issued and collected must be recorded in specific fields of the lists (management programs, software, or spreadsheets) of the subjects whose data are collected through data collection forms or forms on websites.

This activity must be recorded and archived.
Consent management must be carried out in coordination with the Operating Instruction on the management of communications.
Annex G - Consent to data processing of the interested party

1.16 MANAGEMENT OF ACCESS TO AND MAINTENANCE OF THE DATA OF THE INTERESTED PARTY (DATA SUBJECT)

The data subject has the right to access the information concerning them that is collected by the manager or by the data controller. For this reason, it is important to establish how to handle these requests.
The purpose of this operating instruction is to define the methods for managing requests for access to data by the data subject, their representative or other interested parties; it also governs the maintenance of the data.

Terms and definition

Request for access to data: any request made, in writing, by a person or their legal representative regarding their information held by the Company.

Operative processes and responsibilities

The data access request gives the interested parties the right to view or request a copy of their personal data. As far as the Company is concerned, requests for access to or maintenance of the data may come from the staff (employees or collaborators) or from customers and suppliers.

A request for data access by the interested party can be made by written request to the Privacy Contact Person.

The management of data access requests involves several stages:

1)  receipt of the request: upon receipt of a request for access to data, the Privacy Contact Person (responsible for responses to interested parties) will confirm what has been received;

2)  identity verification: the Privacy Contact Person must verify the identity of those who make requests for access to the data, to ensure that the information is provided only to those who have the right to receive it. If the applicant is not the interested party, a written authorization from the person who delegated them is required;

3)  communication to the applicant: if the information presented by the applicant is sufficient, the Privacy Contact Person will communicate to the applicant that their request will be handled within 30 calendar days. The 30-day period starts from the date the request was received. The applicant will be informed in writing of any deviation from the 30-day period due to other events that have occurred;

4)  review of the information: the Privacy Contact Person will contact the departments concerned and request the requested information from them. The function that holds the information must communicate it within the deadline set by the Privacy Contact Person. The Privacy Contact Person will determine whether any information is subject to derogation and/or whether consent is required from third parties, and must ensure that the information is reviewed and received within the set deadline of 30 calendar days;

5)  response to access requests: the Privacy Contact Person will provide the final answer together with, as appropriate, the information retrieved from the departments, a declaration certifying that the Company does not hold the requested information, or a statement that a derogation from the data subject's right to receive a response applies. The Privacy Contact Person ensures that a written response is sent to the applicant. This can be given by email, unless the applicant has specified another preference for the response method (for example, by post). The Company will only provide information via secure channels. When hard copies of the information are released, they will be securely sealed and sent by tracked delivery;

6)  archiving: after the reply has been sent to the applicant, the request for data access is considered satisfied and is archived.

Annex H - Communication of the data of the interested party


1.17 MANAGEMENT OF COMMUNICATIONS

Ref. rule

Articles 12, 13 and 14 UK GDPR

Operative process and responsibilities

For each processing activity that involves the collection of personal data, whether the interested parties are employees, customers, suppliers, or others, the following must be identified:

  • type of information;
  • how to present the information;
  • timing of presentation of the information;
  • date of update of the information text.

This information is kept by the Company.

The Privacy Contact Person must monitor and approve the information contained in the register and must validate the conformity of the text with what is required by Articles 13 and 14 of the Regulation. When checking the information, the Privacy Contact Person must also ensure that the requirement of Article 12 regarding the simplicity and transparency of the communication is respected.

Attachments:

I - Information for employees

J - Information for customers


1.18 DATA BREACH MANAGEMENT

The Company's ability to identify a computer-related incident, or one that more generally affects information, is essential to understand whether the incident involved personal data and whether it caused a violation of the rules on the protection of personal data.
The purpose of this operational instruction is to ensure rapid identification of security breaches, risk events and weaknesses, and a rapid reaction and response to incidents.

Ref. rules

Articles 33 and 34 UK GDPR

Terms and definitions

Information security incidents: a single or a series of unexpected or unwanted information security events that have a significant probability of compromising business activities and threatening information security.

Operative processes and responsibilities

Employees and collaborators who are in contact with the Company's information or systems and who detect system weaknesses, incidents, or events that could cause an incident must report them promptly to the Data Breach Manager (IT Manager).

If the incident affected systems or archives, including paper files, that manage personal data, it must be recorded in the Incident Register.
In the event of a personal data breach, the competent authority must be notified without undue delay and, where possible, within 72 hours from the time the violation was discovered, unless the violation is unlikely to present a risk to the rights and freedoms of individuals. Where there is a high risk to the rights and freedoms of natural persons, the interested parties must also be informed without undue delay (see the specific Operating Instruction).

The communication to the interested party is not required where adequate technical and organizational protection measures were in place and had been applied to the data affected by the violation, in particular measures intended to make the personal data unintelligible to anyone not authorized to access them, or where measures have subsequently been taken to ensure that the high risk to the rights and freedoms of the interested party is no longer likely to materialize.

Attachment: K - Incident Register

1.19 CONSENT WITHDRAWAL

Where the personal data collected are no longer necessary for the purposes for which they were collected or otherwise processed, and without prejudice to the applicable legislation, the data subject has the right to withdraw their consent to the processing as easily as they granted it.

Ref. rules

Articles 13, 14 and 17 UK GDPR

Definitions

Consent of the interested party: any freely given, specific, informed, and unambiguous indication of the interested party's wishes by which they, through an unambiguous statement or affirmative action, signify agreement to the processing of personal data concerning them.

Operative processes and responsibilities

This right may be exercised by an employee, or by a customer or supplier, through a written request.

1.20 MANAGEMENT OF COMMUNICATIONS TO DATA SUBJECTS IN CASE OF DATA BREACH

The data subject must be promptly informed if their personal data have been violated and the violation represents a high risk to the rights and freedoms of the person.
The purpose of this operating instruction is to describe the general principles and actions for effectively managing the response to a data breach and fulfilling the obligations relating to the notification of data subjects, as required by the European Regulation.

Ref. rules

Article 34 UK GDPR

Definitions

Violation of personal data (personal data breach): a breach of security that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Operative processes and responsibilities

The data breach response process begins when anyone notices that a suspected or actual data breach has occurred and promptly reports it to the Data Breach Manager (IT Manager). This activity is governed by the incident management procedure referred to in paragraph 1.18 above. The Data Breach Manager (IT Manager) is responsible for determining whether the incident constitutes a personal data breach.

The Data Breach Manager (IT Manager) must document all decisions taken regarding the breach. Since these records may be examined by the supervisory authority (the ICO), they must be drawn up precisely and accurately to ensure traceability and accountability.
The Data Breach Manager (IT Manager) must assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Breach Manager (IT Manager) must communicate the breach to the data subjects without undue delay.

The communication to the data subjects must be in writing, in clear and plain language, and must contain at least the following information:

  • a description of the nature of the personal data breach;
  • the categories of personal data affected;
  • the approximate number of data subjects affected;
  • the name and contact details of the Data Breach Manager (IT Manager), or another contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects;
  • any other information useful to the data subjects to protect themselves from the effects of the breach.

If the number of data subjects affected is so high that communicating with each one individually would involve disproportionate effort, the Data Breach Manager (IT Manager) must instead make a public communication, or take an equivalent measure, whereby the data subjects are informed in an equally effective manner.
Every personal data breach, whether or not it was communicated to data subjects, must be recorded in the dedicated register (Attachment K).

Attachment: L - Notification of data breach to the data subject

 

1.21 TRAINING MANAGEMENT

To ensure an adequate level of protection of personal data, personnel who have permanent or regular access to it must receive appropriate instructions and training.
The purpose of this Operating Instruction is to define the operating methods adopted by the Company to establish initiatives aimed at training, informing and sensitizing personnel on the protection and processing of personal data.

Operative processes and responsibilities

All personnel who have permanent or regular access to data must receive adequate training and information on the requirements of the Regulation and on the procedures implemented by the Company to ensure compliance with it, so that data subjects are treated properly and their rights and fundamental freedoms are respected.

Training may be delivered in the manner deemed most appropriate to the Company's needs and must take place at least annually.
Attachments:
M - Letter of identification of the subjects in charge of the processing of common personal data

N - Letter of identification of the subjects in charge of the processing of sensitive personal data.


 

POLICY ON THE USE OF INFORMATION TECHNOLOGY RESOURCES, EMAIL AND THE INTERNET

 

2.0 COMPANY OBLIGATIONS

The processing operations carried out by the Company respect the safeguards laid down by the legislator on data protection and take place in compliance with the following principles:
a. the principle of necessity (data minimisation), according to which information systems and computer programs must be configured so as to minimise the use of personal data and identification data in relation to the purposes pursued;

b. the principle of fairness (correctness), according to which the essential characteristics of the processing must be made known to workers, so as to prevent processing beyond that ordinarily connected with the work activity from being carried out without the workers' knowledge or full awareness;

c. the principle of processing for specific, explicit and legitimate purposes, observing the principles of relevance and proportionality (no excessive processing).
With this in mind, the Company processes worker data in the least invasive way possible, entrusting any monitoring activities exclusively to appropriately appointed persons and carrying out any checks only in a targeted manner on the area at risk, taking due account of data protection legislation and, where applicable, the principle of confidentiality of correspondence.

Based on the aforementioned principle of fairness, all processing must be guided by transparency. The employer is therefore required to indicate, in any case, clearly and in detail, which methods of using the tools made available it considers correct and whether, to what extent and by what methods controls are carried out.

This Policy is intended to fulfil this obligation.
Furthermore, the Company has put in place the precautions necessary to protect the personal data held on computer workstations against the risk of intrusion, both from outside (Internet) and from inside (local network). Workstation software is also kept constantly up to date, as required by data protection law, in order to remove vulnerabilities in electronic instruments and to correct defects (so-called bugs).
These obligations are met through the use of cloud software solutions (e.g. CRM, ERP, cloud storage, corporate wiki, corporate collaboration tools) which natively provide data backup, high service reliability, access control, granular user profiling and automatic, regular platform updates that keep the software working smoothly and close any security gaps.

 

3.0 EMPLOYEE OBLIGATIONS

The obligations and rules of conduct required for each worker and for all those who, by virtue of an employment or supply relationship, process information or use information systems or electronic equipment owned by Softphone International Ltd are specified below.

 

3.1 PERSONAL COMPUTER USAGE

The personal computer (PC), whether a laptop, a desktop, a PDA or other telecommunication tool, used by each worker is a work tool and must therefore be used only for production and work purposes.
Any misuse of it can contribute to inefficiencies, maintenance costs and, above all, threats to the security of information that is sensitive for the Company's core business and public image. Each employee is therefore responsible for the use and safekeeping of the IT tools received.

In light of this, each worker is expressly prohibited from:

  • modifying any hardware or software setting of the personal computer, unless previously authorised in writing by the Head of the IT sector;
  • installing and/or running any computer program other than those authorised by the Company (Annex B), even if it is properly licensed software, trial software (so-called "shareware") or free software freely downloadable from the Internet (so-called "freeware");
  • retrieving from the Internet, copying and/or storing on the personal computer any kind of information (by way of non-exhaustive example: audio, video, executable files, etc.) not necessary for the work activity;
  • using any type of removable storage medium or communication technology to store, or send outside the Company, information relating to the employment relationship, unless there is a proven business need;
  • leaving the personal computer unattended and accessible, or handing it over to unauthorised persons, especially after the authentication phase has been passed;
  • disabling the password prompt of the screensaver, which is set automatically after prolonged inactivity at the workstation in order to prevent improper use during the worker's absence, even a temporary one.

Without prejudice to particular technical or working needs, the workstations must also be switched off at the end of the working day.

The user is also responsible for any portable personal computer assigned to him or her by the Company and must keep it with due diligence, both while travelling and during normal use.

All the rules of use and the prohibitions set out above also apply to portable personal computers.

In particular, the laptop must never be left unattended and must be kept in the places, and with the means, most suitable for its protection, all the more so when it is used outside the Company's premises.

Furthermore, only the information strictly necessary for the activity carried out outside the Company's premises may be stored on the laptop, so as to limit the loss of corporate information in the event of damage, loss or theft.

In the event of theft or loss, the user to whom the personal computer is assigned must promptly inform his or her direct Manager and the Head of the IT sector, as well as promptly report the incident to the Law Enforcement, providing the Company with a copy of the report.

Finally, the Company reserves the right to check, using suitable technological systems, the consistency of the programs installed on the user profile of the personal computer supplied.
The Head of the IT sector may, at any time and without notice, remove any application considered dangerous for the security of the corporate information assets or which in any case alters the original configuration of the user's workstation.

3.1.1 WORKING PROCESS CONTINUITY IN ABSENCE OF THE EMPLOYEE

Nobody, not even the Data Controller, may access a worker's electronic workstation using that worker's authentication credentials.
An exception to this rule is permitted only when all of the following conditions occur together:

  • prolonged absence or impediment of the Appointee;
  • the intervention is indispensable and cannot be postponed;
  • there are concrete operational and security needs of the system.

To this end, in the event of prolonged absence or impediment, workers must communicate the password to the Company so that the equipment provided can be accessed. Since the password is then no longer known only to the worker, it must be changed as soon as the worker returns, in accordance with paragraph 3.2.

 

3.2 PASSWORD MANAGEMENT

Access to each computer workstation is governed by a personal identification system based on access credentials (one or more username/password pairs) which allow the workstation to be used, in the ways and forms defined by each company profile, exclusively by the authorised worker.
The access credentials are, and must remain, known only to the person for whom they were created. Credentials may also be held in an authentication device in the exclusive possession and use of the worker, possibly combined with an identification code or a keyword; the worker remains responsible both for the secrecy of the credentials (username/password) and for the safekeeping of the authentication device.

The keyword (password) must consist of at least 8 (eight) alphanumeric characters, including lowercase letters, uppercase letters and digits, preferably with the addition of "special" characters. It must not contain references directly attributable to the worker (for example, name, surname, username or date of birth), must be changed at first use and, subsequently, at least every 3 (three) months. The user is required to keep the password, and any other information relating to the authentication/authorisation process, strictly secret, and to change the password immediately if there is any suspicion that it is no longer secret.

Each authentication code (username) is unique and will not be assigned, even at different times, to different persons. An account that has not been used for 6 (six) months will be promptly deactivated. The only exception is an account created solely for technical management purposes, where extension beyond this term has been authorised in advance.

Credentials will in any case be promptly deactivated when the worker loses the qualification that entitles him or her to access company and/or personal data.
The employer has also adopted an authorisation system for cases in which a worker needs to access several different types of data and/or heterogeneous processing operations, so that the data the employee or collaborator may access, and the processing operations allowed, can be readily identified. Periodically, and in any case at least annually, the employer will verify that the conditions for maintaining the aforementioned authorisation profiles still exist. The user to whom the code is assigned is responsible for any action or activity carried out using the identification code and/or password assigned, and is liable to the Company and, where applicable, to the Internet Provider and/or third parties.
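The rules in this paragraph are concrete enough to be enforced mechanically. The following is an added example, not the Company's own tooling: a Python check of a candidate password against the composition rules above, of password age against the rotation period, and of an account directory against the dormancy rule, including the exception for authorised technical accounts. The 90-day and 180-day figures, the treatment of a never-used account as dormant from its creation date, and the sample directory are assumptions made here for illustration.

```python
"""Password and account checks for the rules in section 3.2.

Added illustration, not Company code. Assumptions not stated in the policy:
"3 months" is taken as 90 days, "6 months" as 180 days, a never-used account
counts as dormant from its creation date, and account records are plain
dictionaries built inline instead of a real directory.
"""
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=90)   # "at least every 3 (three) months" (assumed 90 days)
MAX_DORMANCY = timedelta(days=180)      # "not used ... within 6 (six) months" (assumed 180 days)
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~\"'")


def password_violations(password, username, first_name="", last_name=""):
    """Return the section 3.2 rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # "must not contain references directly attributable to the worker":
    # reject any username/name fragment of three or more characters,
    # compared case-insensitively so 'JSmith2024' is caught as well.
    lowered = password.lower()
    for token in (username, first_name, last_name):
        token = token.lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains worker reference '{token}'")
    return problems


def has_special_character(password):
    """Special characters are recommended by the policy but not mandatory."""
    return any(c in SPECIALS for c in password)


def password_expired(last_changed, now):
    """True if the password is older than the rotation period, or was never changed (first use)."""
    return last_changed is None or now - last_changed > MAX_PASSWORD_AGE


def dormant_accounts(accounts, now):
    """Usernames to deactivate: no login within MAX_DORMANCY, unless the account is a
    technical-management account whose extension was authorised in advance."""
    dormant = []
    for acct in accounts:
        if acct.get("technical_extension_authorised", False):
            continue
        reference = acct.get("last_login") or acct["created"]  # assumption: never used -> from creation
        if now - reference > MAX_DORMANCY:
            dormant.append(acct["username"])
    return dormant


# Constructed sample directory with a fixed "now" so results are reproducible.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def days_before(n):
    """Helper for building sample timestamps relative to NOW."""
    return NOW - timedelta(days=n)


SAMPLE_ACCOUNTS = [
    {"username": "alice", "created": days_before(900), "last_login": days_before(11)},
    {"username": "bob", "created": days_before(900), "last_login": days_before(213)},
    {"username": "svc_backup", "created": days_before(1200), "last_login": days_before(243),
     "technical_extension_authorised": True},
    {"username": "dave", "created": days_before(199), "last_login": None},
]

if __name__ == "__main__":
    for pw, user in [("Summer2024", "jsmith"), ("jsmith2024", "jsmith"), ("Ab1", "jsmith")]:
        print(pw, "->", password_violations(pw, user, "John", "Smith") or "compliant")
    print("dormant:", dormant_accounts(SAMPLE_ACCOUNTS, NOW))
```

The worker-reference check is the part a naive regex policy usually misses: it is applied case-insensitively and to every name fragment, not just the username. The dormancy scan only ever reports accounts to deactivate; the actual deactivation should be done through the directory's own tooling, and the authorised technical accounts are skipped exactly as the exception above requires.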

 

3.3 CORPORATE IT NETWORK USAGE

The corporate IT network is the set of technologies (devices, programs and cloud platforms) through which connectivity is created between the various components of the corporate IT system, internally and/or in the cloud. Its continuous availability is therefore a strategic factor for the operation of the Company.

Network drives are strictly professional information-sharing areas and may not be used for purposes other than those for which they were set up. Accordingly, no application or file unrelated to work may be placed on them, even for short periods.
Control, administration and backup synchronisation activities are regularly carried out on them by the System Administrator.

The IT equipment made available to employees is configured to perform automatic backup synchronisation of data to the company cloud storage; for this purpose, users are provided with a synchronised folder named "One Drive Softphone". Any work file saved outside this folder will not be synchronised, and therefore not backed up, and in the event of a malfunction could be irretrievably lost. Each employee and collaborator is therefore expressly required to save files relating to work activities exclusively in the "One Drive Softphone" folder.

The passwords for accessing the network and network programs are secret and must be communicated and managed according to the procedures set out above. It is strictly forbidden to access the internal network and its programs using another user's authentication credentials.
The System Administrator may at any time remove any application it considers dangerous for security, both from employees' PCs and from the network drives.
The worker must print data only where strictly necessary for work and must promptly collect printouts from the shared network printer trays.

If confidential information is to be printed, the worker must personally supervise the area where printing takes place.
Any malfunction of printing equipment must be reported promptly and directly to the Head of the IT sector.
Finally, as a rule, inappropriate documents or files should not be printed on shared printers; if necessary, the current print job can be cancelled.
In light of this, it is expressly forbidden to:

  • use the internal company network for purposes not expressly provided for and/or authorised;
  • connect to the local network any electronic device (PCs, printers, mobile phones and other mobile devices, etc.) or any other equipment (routers, switches, etc.) that could alter the configuration of the internal network and/or damage applications.

The Company reserves the right to remove, without prior notice, any type of electronic equipment or software installed on the internal company network and which has not been previously authorized.

 

3.3.1 CORPORATE TELEPHONE NETWORK USAGE

The use of traditional telephone systems or VoIP (Voice over IP) systems, whether owned by the Company or by its end customers, to which the employee or collaborator has access is authorised exclusively for business purposes.
The Company reserves the right to use electronic systems to verify the level of expenditure of the assigned telephone lines and to analyse traffic on the lines, without however monitoring the numbers called or the duration of conversations.

 

3.4 MOBILE PHONE DEVICE USAGE

To prevent any unwanted or unlawful access to, and use of, mobile phones or any other mobile device supplied by the Company (including SIM cards supplied on their own), each device must be protected by its user at least with a PIN code or a keyword (password) which, as far as technically possible, must follow the rules set out in paragraph 3.2 "Password management".

The use of mobile devices for private purposes is not allowed except in cases of unavoidable necessity. The same rule applies to any information not strictly related to the work activity stored on the device, including, by way of non-exhaustive example, names and surnames, telephone numbers, messages, photographs, videos and anything else kept on it.

Each device must be kept with the utmost diligence. In the event of theft or loss, the user to whom the device is assigned must promptly inform his or her direct Manager and the Head of the IT sector, as well as promptly report the incident to the Law Enforcement, providing the Company with a copy of the report.

 

3.5 CORPORATE EMAIL USAGE

To facilitate communication and data transmission within the Company, and between the Company and the outside world, the Company operates an e-mail system consisting, among other things, of a cloud-hosted e-mail server.
The e-mail box assigned by the Company to each user is a work tool and, as such, must be used exclusively for professional purposes relating to the specific tasks assigned to the employee or collaborator within the Company.

Those to whom one or more e-mail boxes are assigned are therefore responsible for their correct use.
While the Company protects its mailbox systems from potentially dangerous messages with appropriate software, it nevertheless expressly prohibits all users from:

  • using company e-mail boxes to send personal messages or to take part in debates, forums, mailing lists, etc., unless expressly authorised;
  • using company e-mail boxes to send messages entirely unrelated to the employment relationship or to work relations between colleagues;
  • opening e-mails and, above all, attachments from unknown senders or with unusual content; in case of doubt, the Head of the IT sector must be informed beforehand and will give instructions on the matter;
  • sending or initiating chain messages (so-called "chain letters");
  • sending e-mails from any mailbox, even a generic one, signed as a third party or in a way that leads recipients to believe the e-mail comes from someone else;
  • using e-mail in a way that may cause damage or disturbance to third parties, for example the indiscriminate sending of messages to the same recipient (mail bombing) or the dissemination by e-mail of unsolicited advertising and/or commercial material (spamming);
  • transmitting by e-mail viruses, worms, trojan horses or other malicious code known to cause damage to IT operations;
  • sending messages and/or storing attachments of an outrageous nature, or discriminatory on the grounds of sex, religion, ethnic origin, trade union membership or political opinion, which may in any case offend human dignity;
  • using e-mail to send, transmit or distribute information confidential to the Company to third parties, except where specifically authorised to do so;
  • forging or altering the headers of the communication protocols (for example, the sender address);
  • using e-mail for purposes not permitted by current regulations.

The Company also obliges all users to:

  • use the specific system functions which, in case of absence (for example, holidays or off-site work), automatically send reply messages containing the contact details (electronic and/or telephone) of another worker, or other useful ways of contacting the Company, so as to avoid or limit as far as possible, in case of need, the opening of the employee's mailbox;
  • include in e-mail messages a notice to recipients stating that the messages may not be of a personal nature and specifying whether replies will be known within the organisation to which the sender belongs.

Lastly, the e-mail box must be kept in order by archiving unnecessary, redundant or inactive documents and, above all, bulky attachments no longer useful for business purposes.

If, by way of exception to this paragraph, the employee or collaborator uses the company e-mail address for private and personal purposes, the relevant messages must be removed immediately from the "Inbox" and "Sent" folders, as well as from the "Trash".
On termination of the employment relationship, for any reason, the IT Manager or the System Administrator will deactivate the e-mail address, and the messages relating to the work activity will be retained in the cloud.

In addition, the IT Manager or the System Administrator will promptly inform the customers for whom the worker has provided services so that they disable the accounts assigned to him or her for the performance of the work activity (by way of non-exhaustive example: domain users, mail users, VPN users, DB users, all administrative users, and badges for access to the customers' offices).

 

3.5.1 CONTINUITY IN THE USAGE OF THE EMAIL BOX IN CASE OF ANNUAL LEAVE OR UNSCHEDULED ABSENCES

In the event of unscheduled absences (e.g. due to illness), if the worker cannot activate the procedure described above (including via the webmail service) and the absence continues beyond the time limit of 3 (three) weeks, the Company may lawfully arrange, for as long as necessary and through specifically appointed personnel (e.g. the System Administrator or, where present, the corporate Data Protection Officer), the activation of an equivalent measure, giving prior notice to the worker concerned.

In anticipation of cases where, during holidays or a sudden or prolonged absence, the content of e-mail messages needs to be known for urgent work reasons, the worker will be enabled to delegate another trusted worker, preferably operating in the same sector as the delegator, to check the content of messages and forward to the Data Controller those deemed relevant for the performance of the work activity.

A specific report will be drawn up by the Data Controller for this activity and the worker concerned will be promptly informed of what has taken place at the first useful opportunity.
The delegation automatically ceases to have effect when the employee returns.

 

3.5.2 CONTINUITY IN THE USAGE OF THE EMAIL BOX IN CASE OF HOLIDAYS OF THE DELEGATED COLLEAGUE

If the worker's period of holiday absence coincides, in whole or in part, with that of the delegate referred to in the previous paragraph, the employee must appoint another trusted colleague to check the content of the e-mail messages and forward to the Data Controller those deemed relevant for the performance of the work activity. A specific report will be drawn up by the Data Controller for this activity and the worker concerned will be promptly informed of what has taken place at the first useful opportunity. The delegation automatically ceases to have effect when the employee returns.

 

3.6 USAGE OF THE INTERNET AND ITS RESOURCES

The Internet is an essential communication and operating tool, and the personal computer enabled for browsing is in all respects the corporate tool necessary for carrying out the work activity.
Its indiscriminate use, however, can make the Company vulnerable in terms of security.
In light of the foregoing, the Company has adopted measures it considers appropriate to protect its electronic systems from any improper use of Internet browsing by workers (for example, web proxies and firewalls have been put in place).

The user is directly responsible for the use of the Internet access service, the content he or she searches for, the sites visited, the information entered and, more generally, the ways in which he or she operates.
Downloading images, audio or music files, video files and, in any case, large quantities of data capable of degrading the performance of the service for other workers is not permitted in any way. Therefore, the user is not allowed to:

  • use, or allow others to use, the Internet access workstation for non-business activities or for activities carried out in violation of copyright or other rights protected by current regulations;
  • use peer-to-peer (P2P), file sharing, podcasting, webcasting, torrent, cyberlocker or similar systems without prior written authorisation from the Head of the IT sector;
  • download any type of software from the Internet; any need must be requested specifically and in writing from the Head of the IT sector;
  • use Internet providers other than the official one provided by the Company, or connect the corporate workstation to the networks of such providers with connection systems other than the centralised one (e.g. modems, Internet dongles, etc.); any need must be requested specifically and in writing from the Head of the IT sector;
  • use the network in a manner inconsistent with this Policy or with the criminal, civil and administrative laws governing activities and services performed on the Internet.

The Company reserves the right to record the addresses (URLs) of pages accessed via the Internet in dedicated automated registers (log files), in the forms and according to the methods explained below in this Policy.

3.7 ANTIVIRUS PROTECTION

Each worker must actively cooperate with the Company to minimise the risk of attacks on company IT systems by malicious software (e.g. worms, viruses, trojans, etc.) and, more generally, by programs whose purpose or effect is to damage an IT or telematic system, the data or programs it contains or relates to, or to interrupt, in whole or in part, or alter its functioning.

Each user is therefore required to:

  • check that the installed antivirus software is present and working correctly;
  • promptly report to the Head of the IT sector and/or the System Administrator any case in which the antivirus software cannot automatically remove the threat from corporate systems;
  • scan with the antivirus software, before opening any file on it, any device (e.g. USB sticks, DVDs, CDs, external hard drives, etc.) coming from outside the Company's premises, the use of which has been authorised in advance by the IT Manager.

The Company reserves the right to install, on any electronic workstation, programs that prevent the installation and spread of software potentially harmful to the security of the corporate network. Unauthorised removal of these programs is strictly prohibited.

 

3.8 MONITORING AND CONTROLS

The Company has an obligation to safeguard the functionality and correct use of IT tools by workers from a production, organisational and security point of view, in order to ensure the availability and integrity of information systems and data and to prevent misuse that could give rise to liability.
To this end, the Company uses IT control systems aimed at verifying the correct functioning and use of electronic instruments. The IT Manager performs periodic checks using remote management consoles and control dashboards. In addition, the Company reserves the right to access the individual local workstation to detect any activity that does not comply with this Policy and to implement the necessary corrective actions.

The Company reserves the right to install security cameras to monitor access to the server room.

Data collected in compliance with the reference legislation may be used by the employer for all purposes related to the employment relationship, including checking the exact fulfilment of the work performed and for disciplinary purposes.
The Company therefore reserves the right to check, even occasionally and/or intermittently, the correct use of the work tools, providing appropriate information and implementing every technological measure aimed at minimising as far as possible the use of workers' identification data, in the ways and within the limits explained below and in paragraph 3.8.2 "Graduation of controls".

ANTIVIRUS SOFTWARE AND FILTERS
Use of the Internet access service is automatically recorded electronically through system logs and control dashboards.

In these cases, the processing of personal data will be limited to the information essential to pursue the stated purposes and will be carried out with logic and organisational forms strictly related to the obligations, tasks and purposes explained above.

 

3.8.1 MONITORING AND CONTROLS OF THE SYSTEM ADMINISTRATOR ACTIVITY

As regards the computer workstations of employees designated as System Administrators, in addition to everything set out so far, suitable systems for recording logical access (computer authentication) to processing systems and electronic archives will also be adopted.
The access logs must be complete, unalterable and verifiable as to their integrity, in proportion to the control purpose for which they are kept, and must include time references and a description of the event that generated them. They will be retained for an adequate period and in any case for not less than 6 (six) months, as required by the applicable rules on system administrators.

Finally, for the purpose of fulfilling the obligation to record the logical accesses of System Administrators, the accesses they make to clients (i.e. computer workstations) will also be recorded, not only those to servers.
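"Complete, unalterable and verifiable" is a property the log design has to provide, not a statement that can simply be made about a text file. One common way to get tamper evidence is to chain records: each record carries the HMAC of the previous record, so editing, deleting or reordering any record breaks the chain at a known position. The following is an added example in Python, not the Company's logging system, and its design assumptions are its own: the HMAC key is held by a separate log collector rather than by the administrators being logged (otherwise they could re-sign the chain after editing it), host names and events are constructed sample data, and records carry both server and client workstation logons as the paragraph above requires.

```python
"""Tamper-evident access log for System Administrator logons (section 3.8.1).

Added example, not the Company's logging system. Each record carries the
HMAC-SHA256 of the previous record, so any edit, deletion or reordering
breaks the chain and verify() reports the first bad record. Assumptions:
the HMAC key lives with the log collector, not with the administrators
being logged; host names and events below are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous mac" of the first record


def _mac(key, record):
    """HMAC-SHA256 over the canonical JSON of a record, excluding its own mac field."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AccessLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, admin, host, event, when):
        """Record one logical-access event; 'host' may be a server or a client workstation."""
        record = {
            "seq": len(self.entries),
            "ts": when.astimezone(timezone.utc).isoformat(),          # time reference
            "admin": admin,
            "host": host,
            "event": event,                                          # event description
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        record["mac"] = _mac(self._key, record)
        self.entries.append(record)
        return record

    def verify(self, key=None):
        """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
        key = self._key if key is None else key
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i            # gap, reordering or deletion
            if not hmac.compare_digest(rec["mac"], _mac(key, rec)):
                return False, i            # edited content or wrong key
            prev = rec["mac"]
        return True, None


def sample_log(key=b"collector-secret-key"):
    """Constructed example: three administrator logons on a server and a client workstation."""
    log = AccessLog(key)
    t0 = datetime(2024, 7, 1, 8, 0, tzinfo=timezone.utc)
    log.append("sysadmin1", "srv-erp-01", "logon_success", t0)
    log.append("sysadmin1", "ws-hr-017", "logon_success", t0.replace(hour=9))
    log.append("sysadmin2", "srv-erp-01", "logon_failure", t0.replace(hour=10))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify())
    log.entries[1]["admin"] = "someone_else"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

Two points matter for the retention rule above. First, records cannot be pruned from the middle of a chain without breaking it, so the 6-month retention is best implemented by rotating to a new chain (whose first record's "prev" is the last mac of the old one) and archiving the old chain whole. Second, the "unalterable" property holds only against parties who do not hold the key; shipping the records to a collector the administrators cannot write to is what turns this from a checksum into an actual control.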

 

3.8.2 GRADUATION OF CONTROLS

Where checks on the use of electronic tools are necessary, the principles of relevance and proportionality will be respected, so as to avoid unjustified interference with the fundamental rights and freedoms of workers and of the external parties who receive or send electronic communications.
Where a harmful event or dangerous situation has not been prevented by the preventive technical measures, the Company will implement appropriate technical and technological measures to verify anomalous behaviour, according to the following graduated procedure:

  • as far as possible, a preliminary check on aggregate and anonymous data, referring to the entire work structure or to specific areas of it, will be preferred;
  • the anonymous check will conclude with a general notice reporting the anomalous use of corporate tools detected and inviting staff to comply scrupulously with the tasks assigned and the instructions given in this Policy and in other internal company regulations. The notice may also be limited to employees of the area or sector in which the anomaly was detected;
  • only if the anomalies persist will it be considered justified to carry out appropriate checks on an individual basis, which in any case may not extend beyond the time reasonably required for the assessment, nor be constant or indiscriminate.

 

3.9 COMPLIANCE TO CORPORATE REGULATION

All users are required to comply with the provisions of this Policy. Failure to comply with, or breach of, the above rules may lead to the disciplinary measures provided for by the applicable Labour Rules, as well as to the civil and criminal actions permitted by law.