Data Security

MIND ONE takes care of your data

Introduction

Your data are an important and valuable asset which MIND ONE manages with great care. Keeping our procedures aligned with current data protection law is our highest priority. This document describes our activities aimed at compliance with the General Data Protection Regulation (GDPR), which applies from 25 May 2018.

We are committed to being GDPR compliant by 25 May 2018. You may be assured that MIND ONE collects, processes and stores data with due regard for their sensitivity and security, meeting or exceeding the GDPR requirements.

What is the GDPR and how does it affect our relationship?

The GDPR is designed to enhance data protection and the right to privacy for individuals in the EU, giving them greater control over their personal data and how it is used. Under the GDPR, personal data is any information relating to an identified or identifiable person, such as a name, a photo, an email address, bank details, posts on social networking websites, location details, medical information, or a computer's IP address.

The GDPR has introduced significant changes in protection of personal data that impact our services and our clients:

  • More rights for individuals. Individuals have the right to access their personal data, to have inaccurate personal data rectified, to have personal data erased, to request the restriction of processing, to obtain and reuse their personal data for their own purposes (data portability), and to object to processing.
  • Accountability. Every organisation, whether it acts as a data controller, a data processor, or both, must implement appropriate technical, organisational and procedural measures to comply with the GDPR requirements and be able to demonstrate that compliance.
  • Breach notification requirement. Organisations must report personal data breaches to the competent Data Protection Authority within 72 hours of becoming aware of them.
  • An expanded definition of personal data. The definition of "personal data" has widened and now explicitly includes online identifiers such as IP addresses and mobile device identifiers.
  • A wider geographic scope. The GDPR applies to the personal data of all individuals within the EU, and organisations processing their data are required to comply with the GDPR regardless of whether those organisations are themselves based in the EU.

Our GDPR compliance

To minimise the risk of human error, attacks and system malfunctions affecting your data, we have implemented a number of security measures. We have also prepared guidance to help you mitigate security risks on your side.
MIND ONE is committed to protecting the rights and freedoms of data subjects and to processing their data safely and securely, in accordance with all of our legal obligations, including the GDPR.

We have taken the following measures to ensure that our services comply with the GDPR:

Nominating Data Protection Officer
The Data Protection Officer (DPO), who has expert knowledge of data protection law and practice, is responsible for overseeing MIND ONE's compliance with the GDPR. The DPO assists MIND ONE in monitoring internal compliance, informs and advises on our data protection obligations, provides advice on Data Protection Impact Assessments, and acts as the contact point for data subjects and the supervisory authority.

Training and awareness
We are continuing our long-standing data protection training programme, which has been expanded to cover the GDPR requirements. In addition, key individuals receive in-depth training as required under the GDPR. Training sessions are held twice a year.

Our Data Center is set in Germany
A video-monitored, high-security perimeter surrounds the entire Data Center park where your data are stored. Entry is possible only via electronic access control terminals using a transponder key or admission card. All movements are recorded and documented. Modern surveillance cameras provide 24/7 monitoring of all access routes, entrances, security door interlocks and server rooms.
Because our Data Center is located in Germany, the respondent data of customers who use our services is not transferred outside the EU without their approval.

Upgrading policies and procedures
As part of our strategy for ensuring compliance with the GDPR, we have reviewed and updated our existing procedures, policies and contracts so that they are aligned with the GDPR. All MIND ONE employees have been briefed on the new policies, how to implement them, and the importance of following them strictly.

Management Responsibility
Key people at MIND ONE have actively supported the development of the new policies and processes, and they promote a culture of data protection compliance across the business.

We do not reuse, sell, or otherwise share respondent data
All information collected in surveys belongs solely to the customer, not MIND ONE. Under no circumstances do we reuse, sell, or otherwise share respondent data.

Information risks and data protection impact assessments
We regularly review and audit the security of our services and our adherence to our GDPR policies and procedures, and we carry out data protection impact assessments where processing is likely to result in a high risk to individuals.

Data Protection by Design and Default
Data protection by design and by default means building data protection into systems from the outset of their design rather than adding it afterwards. MIND ONE has implemented appropriate technical and organisational measures to demonstrate that data protection has been considered and integrated into our processing activities. These measures include:

  • Data minimisation
  • Pseudonymisation
  • Transparency
  • Allowing individuals to monitor processing
  • Creating and improving security and enhanced privacy procedures on an ongoing basis

Accuracy and relevance
We ensure that any personal data we process is accurate, adequate, relevant and not excessive for the purpose for which it was obtained. We do not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect it.
Individuals may ask us to correct inaccurate personal data relating to them. Anyone who believes that information is inaccurate should record the fact that its accuracy is disputed and inform the DPO.

Reporting breaches
Any breach of this policy or of data protection law must be reported as soon as practically possible, that is, as soon as you become aware of it. MIND ONE has a legal obligation to report personal data breaches to the Austrian Data Protection Authority within 72 hours of becoming aware of them.

User Access Management Policy
Access controls protect your information by controlling who has the right to use each information resource and by guarding against unauthorised use.
User access is granted according to the principles of "least privilege" and "need to know": each user receives only the access required to perform their assigned function. Formal user access control procedures are documented, implemented and kept up to date for our applications and information systems, to ensure authorised user access and to prevent unauthorised access.

If you have any further questions, please speak to your account manager or email datenschutz@ito.co.at.