REGULATION REGARDING THE PROCESSING OF INFORMATION CONTAINING PERSONAL DATA IN THE "CLIENTS" RECORD SYSTEM
I. GENERAL PROVISIONS
1.1. The Regulation on the processing of information containing personal data in the "Customers" record system (hereinafter the Regulation) is developed in order to implement the provisions of Law no. 133 of July 8, 2011 on the protection of personal data and the Requirements for ensuring data security of a personal nature when processing them within the informational systems of personal data, approved by Government Decision no. 1123 of December 14, 2010, as well as in compliance with the provisions of the Security Policy for the processing of personal data within ÎM"Efes Vitanta Moldova Brewery "SA, IDNO- fiscal code 1003600015208 ("Operator").
1.2. This Regulation regulates the general conditions and requirements regarding the processing of the personal data of the Operator's customers in the "Customers" record system.
II. PURPOSE, CATEGORIES OF DATA PROCESSED
2.1. The purpose of processing information containing personal data in the record system is to perform the following actions:
- economic and administrative management;
- sales record and analysis;
- advertising;
- sending informative materials including by SMS, e-mail, MMS;
- provision of goods and services;
- operation of IT and communication systems;
- organizing promotions and raffles;
- handing out prizes;
- registration of customer complaints and complaints;
- alignment with legal requirements;
- execution of fiscal, reporting and record keeping obligations;
- taxes and fees,.
2.2. Within the record system, the following categories of personal data are processed: name and surname, date of birth; signature; phone number; mobile phone number; email adress; address (domicile/residence); IDNP; identity card series and number; the issuing authority (if indicated), the date of issuance of the document and the validity period, the copy of the identity card, other information that the Client wishes to provide and which allows the identification of the subject of personal data with the Client's consent. - Any use of personal data entered in the "Clients" record system for other purposes
- than those mentioned above is prohibited.
III. LOCATION AND DESCRIPTION OF RECORD SYSTEM
3.1. The personal data contained in the "Clients" record system within the Operator are processed/stored in a combined way, both on paper and in electronic format. Thus, personal data are kept both in paper files, in cardboard folders, which are stored in a metal cabinet, which can be locked with a key and to which only the persons duly authorized to process the personal data of the Clients have access, as well as in electronic format. Such as electronic databases, including accounting programs, and forms for payment orders, invoices, earnings tax withholding orders, and others used to record merchandise returns, release prizes and winnings, enter sweepstakes and promotions , registration of complaints, etc.
3.2. The person responsible for processing personal data is appointed by the company's administration.
IV. STORAGE DURATION
4.1. The processing of personal data in the record system is carried out during the existence of legal relations. Upon the expiration of the mentioned terms, the data are kept in archived form for a period of 5 years or another term established by the indicator of standard documents and their retention terms for organizations and enterprises of the Republic of Moldova.
V. RIGHTS OF CUSTOMERS AND PERSONS CONCERNED
5.1. The Operator, as a personal data operator, guarantees compliance with the rights regarding the protection of personal data belonging to the Clients, as well as, as the case may be, to other data subjects.
5.2. In accordance with the principles of personal data protection, the data subjects benefit from the following rights: to information, access to data, intervention, opposition to the personal data concerning them, as well as the right to address in justice.
5.3. All persons involved in the activity of administration and/or processing of information in the record system shall comply with the procedure for access to personal data.
5.4. Granting the right of access to the Operator's employees to the information concerning personal data is carried out by express request, in written form, with the direct consent of the management, unless the access is necessary for the exercise of work duties. The information provided will be provided in such a way as not to prejudice the rights of third parties. Persons requesting personal data must indicate the purpose of the request, as well as the specific period for which they request the information.
5.5. There is the possibility of denying the right of access in the situation where the exceptions provided by law apply. The need to restrict access may be imposed if there is an obligation to protect the rights and freedoms of third parties, for example, if other persons appear in the requested information and there is no possibility of obtaining their consent or they cannot be extracted, by editing, irrelevant personal data.
VI. PROTECTION MEASURES OF PROCESSED PERSONAL DATA
IN THE "CUSTOMER" RECORD SYSTEM
6.1. The personal data processed in the Customer record system are confidential and can only be disclosed under the conditions of this Regulation. All persons who have access to the data processed by the Operator undertake to maintain their confidentiality and the protection measures regulated in the unit.
6.2. Access to the premises/offices of the Operator, or other spaces where the personal data information systems processed by the Operator are located is restricted, based on identification cards, being allowed only to employees of the Operator, partners and authorized visitors ("Users "). Visitor access is recorded in logs, which are kept in accordance with the security policy. Before granting physical access to personal data information systems, access powers are checked.
6.3. Administration and monitoring of physical access is carried out at all access points to personal data information systems, including reacting to violations of the access regime.
6.4. In the spaces intended for the public, personal data processing activities will be minimized as far as possible, and the means and equipment that provide access to the data processed by the Operator will be secured. Any registers, lists, forms and other media containing customer data shall not be accessible to third parties, shall not be left on the table or in other easily accessible places. At the same time, they will not be left unattended, being placed in cardboard folders in drawers, including metal cabinets.
6.5. Access to the data processed by the Operator is allowed only for the execution of service duties, with strict compliance with the security measures, principles and security rules provided by the Security Policy adopted by the Operator.
6.6. The data processed by the Operator are confidential and may not be disclosed to third parties except in accordance with the legislation in force. It is prohibited to copy information owned by the Operator, including transcription, copying by xerox, telephone or other mobile means as described below.
6.7. The personal data processed by the Operator will be printed out only by the persons authorized by the Operator for this operation. Printed materials that are no longer used or needed are destroyed with the help of the shredder (the document destruction device). The person who will remove from the Operator's secure perimeter the information printed or otherwise exited from the system, which contains personal data, will ensure that this information is marked with the marking model specified below, indicating prescriptions for further processing and dissemination it, including indicating the unique identification number of the Operator. Model warning mark: "This document contains personal data, processed within the record system no. 000000X-00X, registered in the Register of Personal Data Operators www.registru.datepersonale.md. The subsequent processing of these data can only be carried out under the conditions provided by Law no. 133 of 08.07.2011 on the protection of personal data."
6.8. The information, which contains personal data and which is contained on the information carriers, is physically destroyed or transcribed and destroyed by safe methods, avoiding the use of standard destruction functions after the execution of the purpose for which this information is processed by the Operator and / or the expiry of the term for keeping it. As well as when decommissioning the device on which they are stored (clean the memory of the xerox, memory sticks, discs, etc. before throwing them away, selling them, passing them on to third parties).
ARE YOU COMING. USER IDENTIFICATION AND AUTHENTICATION
"CUSTOMER" RECORD SYSTEM
7.1. The operator will identify, register and authenticate the users of the personal data information systems and the processes executed on behalf of these users. All users (including employees, duly authorized persons, technical support staff, network administrators, programmers and database administrators) will have a personal identifier (user ID), which must not contain accessibility level indications of the user. If a computer has several users, each user must have his own login and password.
7.2. Before granting access to the system, users will be informed that the use of personal data information systems is controlled and that their unauthorized use is pursued in accordance with the law.
7.3. The work session is locked (at the user's request or automatically, after a maximum of 15 minutes of user inactivity), which makes further access impossible until the user unlocks the work session.
7.4. The operator and his employees will comply with the following safety rules
information in the case of choosing and using passwords:
a) keeping passwords confidential;
b) it is forbidden to write passwords on paper, if the security of its preservation is not ensured;
c) changing passwords every time there are indications of a possible system or password compromise;
d) choosing qualitative passwords with a size of at least 8 symbols, which are not related to the user's personal information, do not contain consecutive identical symbols and are not entirely composed of groups of numbers or letters;
h) disabling the automated password registration process (using saved passwords);
g) the possibility for users to choose and change individual passwords is ensured, including the activation of the procedure for recording their wrong entries;
i) access is blocked after three wrong authentication attempts;
j) at the time of entry, the passwords are not clearly reflected on the monitor.
VIII. SECURITY AUDIT IN THE "CUSTOMER" RECORD SYSTEM
At least once a year, the fulfillment of the technical and/or organizational measures taken to detect malfunctions regarding the use of telecommunications systems in the personal data processing process and/or making improvements, if necessary, are checked.
IX. ENSURING THE INTEGRITY OF THE INFORMATION IN THE "CUSTOMER" RECORD SYSTEM
All methods of remote access to the personal data information systems of the Operator will be secured with the use of VPN, encryption, encryption, as well as other security methods, as well as will be documented, subject to monitoring and control by the Operator. Each method of remote access to personal data information systems is authorized by the Operator's administrator and/or the responsible person of the Operator designated by the administrator according to this Policy and is allowed only to Users, for whom the respective access is necessary for the fulfillment of professional objectives established.
X. MANAGEMENT OF SECURITY INCIDENTS A
"CUSTOMER" RECORD SYSTEM
10.1. The person responsible for managing security incidents is designated HR Manager. Security incidents of personal data information systems are tracked and documented on a permanent basis. The employees will immediately inform the administrator of the Operator and the responsible person, by phone or by other means of communication, about the incidents that violate the security of personal data information systems.
10.2. Incident processing will include not only detection, but also analysis, preventing development, removing them and restoring security. Annually, by January 31, the Operator will present to the National Center for the Protection of Personal Data the generalized report on security incidents of personal data information systems.
XI. FINAL PROVISIONS
11.1. This Regulation complies with the provisions of the legislation in force.
11.2. The regulation is brought to the attention of employees against signature.