Personal Data = any information relating to an identified or identifiable natural person.
Data Controller = the entity that determines the purposes and means of the processing of personal data.
Data Processor = the entity that processes personal data on behalf of the controller.
Processing = any operation performed on personal data (such as collection, recording, organisation, structuring, storage, consultation, etc.).
Technical and Organisational Measures for Compliance with GDPR
The Beneficiary is the controller of the personal data it holds and processes, and is liable for it before the National Supervisory Authority for Personal Data Processing. dot.design shall act as processor in relation to the Beneficiary. dot.design shall secure this personal data by measures intended to protect it against cyber-attacks, exploitation of weaknesses in computer systems and other methods of security breach. These measures are required to minimise the possibility of unlawful access to this data; dot.design cannot guarantee that these protections are impossible to breach. The principles underlying the security strategy of dot.design are:
- Privacy by Default (complex and unpredictable usernames and passwords that resist brute-force and dictionary attacks; note that password complexity does not protect against phishing, which has to be addressed by access restriction and user awareness)
- Minimising the attack surface (access to sensitive protocols restricted by source IP address)
- Operation with minimum privileges (keeping access and write rights to the required minimum)
- Security through obscurity (non-standard settings that are hard for a potential attacker to predict; this is only an additional layer and never a substitute for the measures above)
- Security through simple and clear rules (avoiding intricate security settings with several configuration points, which are hard to administer)
- Use of secure protocols for data access (TLS/HTTPS rather than the deprecated SSL versions, FTPS, SSH/SFTP, RDP; remote-administration protocols such as SSH and RDP are only exposed to the restricted IP addresses mentioned above)
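The principles listed above can be turned into a concrete, repeatable check. The following is an added example, not dot.design's own tooling or part of the original text: it audits an OpenSSH sshd_config against the attack-surface, least-privilege and secure-protocol points in the list. The two sample configurations and the user names in them are constructed for the example; only the global section is audited (directives after a Match block are conditional and are skipped, an assumption made here for simplicity).

```python
"""Audit an sshd_config text against the hardening posture listed above.

Added example (not dot.design's tooling). The sample configurations below
are constructed; the host is assumed to run OpenSSH sshd.
"""
import re

# Constructed: a default-like configuration that listens on every interface
# and permits root and password logins.
WEAK_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed: the same service bound to a management address only, with
# key-based login for an explicit allowlist of accounts.
HARDENED_SSHD_CONFIG = """\
Port 22
ListenAddress 10.0.0.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowUsers deploy ops
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: [value, ...]} for the global section.

    Keywords are case-insensitive and may be written as 'Key value' or
    'Key=value'. Every occurrence is kept because some keywords
    (ListenAddress) repeat; for the others sshd uses the first one.
    Parsing stops at the first Match block (assumption: global section only).
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, []).append(value)
    return cfg


def first(cfg, key, default):
    """First occurrence wins for non-repeatable sshd keywords."""
    return cfg[key][0].lower() if key in cfg else default


def listen_is_wildcard(addr):
    """True for ListenAddress forms that bind every interface."""
    host = addr
    if addr.startswith("["):            # [ipv6]:port form
        host = addr[1:addr.index("]")]
    elif addr.count(":") == 1:          # ipv4:port form
        host = addr.split(":")[0]
    return host in ("0.0.0.0", "::", "*")


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the posture is met."""
    cfg = parse_sshd_config(text)
    findings = []
    # Minimising the attack surface: bind only to the management address.
    listen = cfg.get("listenaddress", [])
    if not listen or any(listen_is_wildcard(a) for a in listen):
        findings.append("ListenAddress: sshd binds to all interfaces; "
                        "restrict it to the management address")
    # Minimum privileges: no direct root login at all. The OpenSSH default,
    # prohibit-password, still allows root to log in with a key.
    if first(cfg, "permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin: root login is permitted; set it to no")
    # Credentials that resist brute force: keys only, no passwords (default is yes).
    if first(cfg, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication: password logins are enabled; "
                        "set it to no and use keys")
    # Minimum privileges: an explicit allowlist of accounts that may log in.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups: every local account may log in; "
                        "allowlist the administrative accounts")
    # Attack surface: forwarding features that are not needed stay off.
    if first(cfg, "x11forwarding", "no") == "yes":
        findings.append("X11Forwarding: enabled without need; set it to no")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Run the module directly to print the findings for both constructed configurations; in practice the function is pointed at the text of the live /etc/ssh/sshd_config and the result is kept as evidence for the technical-measures review.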
Data Security and Privacy
The data is processed by dot.design on behalf of the Beneficiary in a manner that ensures appropriate security. The principles underlying data security are:
Privacy by Design is an approach to the design of computer systems and hosting services that builds privacy and data protection in from the very start. Its objective, ensuring privacy protection, is achieved by adopting the fundamental principles of the "Privacy by Design" concept:
- Proactive, not Reactive: anticipating and preventing privacy-invasive events before they occur;
- Privacy by Default: aiming to provide the maximum privacy level, so that personal data is protected automatically in any computer system;
- Privacy by Design: by incorporating privacy into the design and architecture of computer systems, it becomes an essential component of the basic functions, an integral part of the system;
- End-to-End Security: complete protection over the entire lifecycle, with all data kept secure until the end of the process;
- Visibility and Transparency: regardless of the commercial practice or technology involved, all stated promises and objectives may be subject to independent inspection;
- Respecting user privacy: architects and controllers must protect the interests of individuals, placing the privacy of individuals at the centre of any computer system.
Privacy by Default means that the strictest privacy settings shall be applied by default. Ensuring data protection from the moment of creation and by default means building systems that take data privacy into account as early as the stage of the system's architecture, operation and management, business processes or even design specifications. If the Beneficiary requests the relaxation of these settings, dot.design shall notify the Beneficiary of the risks of the requested measures. If the Beneficiary nevertheless orders the implementation of such changes, the Beneficiary shall also be liable for the negative effects which may derive from them.
Management of Security Incidents
Examples of security incidents: cyber-attacks, wrongful access to personal data by dot.design employees or other identifiable individuals, and leaks of the computer system access credentials provided to the Beneficiary. In the event of a security incident, dot.design undertakes to inform the Beneficiary immediately, and within 48 hours at most; this allows the Beneficiary, as controller, to meet its own obligation under Article 33 GDPR to notify the supervisory authority within 72 hours of becoming aware of a breach where required. The notification shall describe the incident in detail, including the categories and approximate number of data subjects and records concerned where known, its probable consequences and any measures taken to remedy the issue. dot.design shall cooperate with the National Supervisory Authority for Personal Data Processing if the situation requires it.
"Private Information" means any information held by the Beneficiary and transmitted to dot.design in verbal or written form or on other tangible or intangible media. This includes, without limitation: discoveries, ideas, concepts, know-how, techniques, designs, specifications, drawings, sketches, projects, diagrams, models, computer software, offers, information on employees, clients' or providers' names, and any other information related to technical, financial or commercial data, video clip and audio recording scenarios, storyboards and images, whether or not this information is expressly marked as "private" or "exclusive property". "Private Information" does not include information which dot.design can prove it used independently, or which was public when dot.design came into its possession.
dot.design shall use the Private Information received from the Beneficiary only to the interest and for the purposes determined by the Beneficiary.
dot.design undertakes not to disclose the Private Information provided to it by the Beneficiary to any third parties, its agents or its providers, unless they need to know this Private Information to execute the projects jointly developed by the Beneficiary and dot.design. The employees of dot.design shall receive Private Information only if they actually need it to execute the projects, in which case they are expected to handle the information with discretion.
dot.design shall treat the Private Information provided by the Beneficiary with the same care it gives to any other similar information. The care taken in keeping the information private shall, in all cases, be at least equal to the care any person would give, in similar circumstances, to protecting the privacy of their own information.
Agreeing to respect privacy, dot.design undertakes not to copy, multiply, reproduce, distribute or disclose, in any manner or form, fully or partially, to any other natural or legal person, any Private Information or aspects related thereto which have been communicated to it by the Beneficiary. dot.design also undertakes not to allow any third parties access to any Private Information.
dot.design undertakes to immediately notify the Beneficiary and offer any information related to the unauthorized disclosure, loss and/or wrongful use (abuse, negligence) of any Private Information.
dot.design undertakes not to transfer, take over or use, in any way or form, any Private Information (creative concepts, ideas, etc.) without the prior written approval of the Beneficiary.
dot.design shall immediately notify the Beneficiary of any requests for disclosure of Private Information coming from judicial or administrative institutions, and in this situation the Beneficiary shall attempt to find means of duly protecting the Private Information requested. If the Beneficiary finds no legal means to stop the disclosure of such information, dot.design undertakes to disclose only the strictly necessary data, within the limits of the law. At the same time, dot.design undertakes to make its best efforts to obtain assurance that the Private Information it has sent to the legally entitled authorities is kept private.
dot.design confirms and acknowledges that the Beneficiary is and will continue to be the holder of the exclusive ownership over all Private Information.
Based on a written request by the Beneficiary or if the discussions and negotiations between the parties do not lead to an agreement, dot.design shall return to the Beneficiary all media which stores the Private Information received, including all copies thereof, if applicable. This return does not exonerate dot.design from the obligation to keep the information private.