1. COLLECTION OF PERSONAL DATA

The purpose of this security policy is to ensure the appropriate level of protection for the personal data of the data subjects, by properly implementing national legislation regarding data protection and communication confidentiality.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

Lawfulness:

The processing of personal data is carried out in good faith and is based on and in accordance with legal provisions;

Well-defined purpose:

Any processing of personal data is carried out for well-defined, explicit, and legitimate purposes, adequate, relevant, and not excessive in relation to the purpose for which they are collected and subsequently processed;

Information:

Through this information, individuals are made aware that their personal data will be processed;

Storage:

Personal data is not stored for a period longer than necessary to achieve the purposes for which it was collected;

Protection of data subjects:

The processing of personal data will be carried out by authorized personnel within the company "Online Broker de Asigurare" SRL or by other authorized persons in accordance with the law.

Security:

The technical and organizational measures for the security of personal data are established to protect personal data against accidental or unlawful destruction, loss, modification, disclosure, or unauthorized access (access to user databases is done based on username and password, regulated by roles and access rights). Accessed data is protected against alteration by a firewall monitored by "Online Broker de Asigurare" S.R.L., as well as by permanently updated antivirus solutions. The transfer between clients and administrators or operators is encrypted using a digital certificate, ensuring that data cannot be intercepted.

3. PERSONAL DATA PROCESSING POLICY

In accordance with the provisions of LAW No. 133 from 08.07.2011 regarding the protection of personal data, "Sykors Media" is obligated to manage the personal data provided to it safely and only for the purposes outlined below.

"Sykors Media" undertakes to maintain the confidentiality of the personal data provided through the website sykors.com, as stipulated by the provisions of LAW No. 133 of 08.07.2011, with subsequent amendments, regarding the protection of personal data.

4. THE REQUIREMENTS FOR ENSURING THE SECURITY OF PERSONAL DATA

 The following categories of personal data processing operations present special risks to the rights and freedoms of individuals:
    1) the adaptation, modification, disclosure through transmission, dissemination, or in any other way, of personal data related to racial or ethnic origin, political, religious beliefs, membership in a political party or religious organization, personal data regarding health or private life, as well as personal data referring to criminal convictions, coercive measures, disciplinary or contravention sanctions;
    2) the processing of genetic, biometric data, and data that allow the geographical location of individuals through electronic communication networks;
    3) the processing of personal data by electronic means, with the purpose of evaluating aspects of personality, such as professional competence, credibility, behavior, etc.;
    4) the processing of personal data by electronic means within record-keeping systems, aimed at analyzing solvency, economic-financial status, actions likely to attract disciplinary, contravention, or criminal responsibility of individuals;
    5) the processing of personal data of minors for commercial purposes (direct marketing activities);
    6) the processing of personal data mentioned in subpoints 1) and 2) of this annex, as well as the personal data of minors collected through the Internet or electronic messaging.

The requirements for ensuring the security of personal data when processing it within personal data information systems (hereinafter - Requirements) aim to establish the minimum rules for the implementation by personal data holders of the necessary technical and organizational measures to ensure the security, confidentiality, and integrity of personal data processed within personal data information systems and/or manually kept registers, in accordance with the provisions of Law no. 17-XVI of February 15, 2007, regarding the protection of personal data (Official Gazette of the Republic of Moldova, 2007, no. 107-111, art. 468) and Law no. 71-XVI of March 22, 2007, regarding registers (Official Gazette of the Republic of Moldova, 2007, no. 70-73, art. 314).

These Requirements create the necessary framework for the application of the Convention for the protection of individuals regarding the automated processing of personal data, concluded in Strasbourg on January 28, 1981, published in the European Treaty Series, no. 108, ratified by the Republic of Moldova through Parliament Resolution no. 483-XIV of July 2, 1999. 

According to Decision no. 1123 of 14.12.2010 regarding the approval of Requirements for ensuring the security of personal data during their processing within information systems of personal data, the protection measures for personal data represent an integral part of the work of creating, developing, and operating the personal data information system and will be continuously carried out by all holders of personal data. The protection of personal data in information systems of personal data is ensured through a set of technical and organizational measures to prevent the unlawful processing of personal data. The protection measures for personal data processed in information systems of personal data are carried out taking into account the necessity of ensuring the confidentiality of these measures. The implementation of any measures and works using the informational resources of the personal data holder is prohibited in cases where appropriate measures for protecting personal data are not adopted and implemented.

"Sykors Media" certifies that it meets the minimum requirements for the security of personal data.

According to Decision No. 1123 of 14.12.2010, the protection of personal data in informational systems of personal data is ensured for the purpose of:
    1) preventing the leakage of information containing personal data by excluding unauthorized access to it;
    2) preventing unauthorized destruction, modification, copying, or blocking of personal data in telecommunication networks and informational resources;
    3) ensuring compliance with the regulatory framework for the use of informational systems and programs for processing personal data;
    4) ensuring the completeness, integrity, and accuracy of personal data in telecommunication networks and informational resources;
    5) maintaining the ability to manage the process of processing and storing personal data.

The protection of personal data processed in informational systems is carried out through the following methods:
    1) preventing unauthorized connections to telecommunication networks and interception of personal data transmitted through these networks using technical means;
    2) excluding unauthorized access to processed personal data;
    3) preventing technical and software actions that may lead to the destruction, modification of personal data, or failures in the operation of the technical and software complex;
    4) preventing intentional and/or unintentional actions by internal and/or external users, as well as other employees of the personal data holder, that may lead to the destruction, modification of personal data, or failures in the operation of the technical and software complex.

Access to premises/offices/rooms or spaces where informational systems containing personal data are located is restricted, being permitted only to individuals who have the necessary authorization and only during working hours, in accordance with the list and corresponding identifiers (badges, cards, microchip cards). The spaces where informational systems containing personal data are installed are equipped with access control systems and video surveillance to monitor access to these areas.

During monitoring, surveillance and alarm tools are used in real-time mode for all cases of authorized and/or unauthorized access. Automated tools are used to identify cases of unauthorized access and initiate actions to block access. Computers, servers, and other access terminals are placed in highly secure locations with limited access for unauthorized individuals.

The security of electrical equipment used to maintain the functionality of informational systems handling personal data, as well as electrical cables, is ensured, including protection against damage and unauthorized connections.  In case of emergencies, failures, or force majeure, it is ensured that electricity to the informational systems handling personal data can be disconnected, including the ability to disconnect any IT component. Autonomous short-term power supply sources are provided and used to correctly terminate the system's (component's) session in case of disconnection from the main power supply. Fire safety measures are also ensured in the premises/offices/workspaces where informational systems handling personal data and data processing tools are located. Automated systems for fire detection/signaling and suppression are implemented in the premises/offices/workspaces where informational systems handling personal data and data processing tools are located.

Computers, access terminals, and printers are disconnected at the end of work sessions. Processing tools for personal data, information containing personal data, or software intended for processing personal data are removed from the security perimeter only based on written permission from the management of the personal data holder. The removal and introduction of personal data processing tools into/from the security perimeter are recorded.

User identification and authentication are carried out for personal data information systems and processes executed on behalf of these users. All users (including technical support staff, network administrators, programmers, and database administrators) will have a personal identifier (user ID), which must not contain indications of the user's accessibility level. To confirm the user's ID, passwords, special physical access devices with memory (tokens), microprocessor cards, or biometric authentication means based on the unique and individual characteristics of the person are used.

User identifier management includes:
    1) unique identification of each user;
    2) verification of each user's authenticity;
    3) obtaining authorization from the person responsible for issuing the user's ID;
    4) ensuring that the user's ID is issued to a specific person;
    5) deactivating the user account after a period of inactivity, set in time (inactivity for a maximum of 2 months);
    6) performing backup copies of user IDs.

Information leaving the system, which contains personal data, is marked, indicating instructions for further processing and distribution, including the unique identification number of the personal data holder. All remote access methods to personal data information systems are secured (using VPN, encryption, encoding, etc.), and are also documented, monitored, and controlled. Each remote access method to personal data information systems is authorized by the responsible persons of the data holders and allowed only to users for whom it is necessary to achieve the established objectives.

Wireless access to personal data information systems is documented, monitored, and controlled. Wireless access to personal data information systems is allowed only when using cryptographic means to protect the information. The use of wireless technologies is authorized by the responsible persons of the personal data holder.

The impossibility of external access to the internal network where personal data is processed is ensured.

The integrity of the transmitted personal data is ensured using cryptographic protection means.

The confidentiality of the transmitted personal data is ensured using cryptographic protection means for the information.

Protection against the infiltration of malicious programs into the software used for processing personal data is ensured, a measure that ensures the timely and automatic renewal of protection tools against malicious programs and virus signatures. Centralized administration of the protection mechanisms against malicious programs in the software used for processing personal data is ensured.

Personal data holders regularly verify, at least once a year, the implementation of technical and/or organizational measures taken to detect any malfunctions in the use of telecommunication systems in the personal data processing process and/or to make improvements if necessary. Security controls are updated each time the data holder is reorganized or changes its infrastructure. In order to verify the level of protection of personal data information systems, as well as to prevent any cases of unauthorized or accidental access to these information systems, and to identify weak points in their protection mechanisms, the Center periodically conducts security controls, including technical measures to simulate a model of access to personal data information systems.  The results of the controls conducted by the Center are immediately made available to the data holder, detailing the level of protection of the personal data information systems that were subject to the control, with recommendations, if necessary, on actions to be taken to ensure the security of personal data processing. 

5. PURPOSE OF COLLECTING PERSONAL DATA

"Sykors Media" processes the personal data of its clients and other individuals who are connected to or contact it, which are provided to it through browsing the website sykors.com, for the purpose of issuing and delivering purchased insurance policies.

Personal data (identity data, address, personal identification number, phone number, age, or any other similar data that has been provided) may be processed and used by "Sykors Media" both for the purposes of issuing and delivering the insurance policies ordered on the company's website, and for the purpose of creating databases and using them in future actions and activities of the operator, in accordance with the provisions of Law no. 133 of 08.07.2011 on the protection of individuals with regard to the processing of personal data.

"Sykors Media" will not disclose any of your data (personal information or optional information) to any third party without your consent, except when we have a good faith belief that the law requires us to do so, or when it is necessary to protect the rights or property of our company.

6. AUDIT OF SECURITY IN INFORMATION SYSTEMS OF PERSONAL DATA

"Sykors Media" organizes the generation of audit records for the security of personal data in information systems for the following events:

o   The registration of user login/logout attempts is performed (the date and time of the login/logout attempt are recorded; user ID; the result of the login/logout attempt – successful or failed);

o   The registration of attempts to gain access for applications and processes intended for processing personal data is performed;

o   The registration of attempts to start/end the working session of application programs and processes intended for processing personal data, the registration of changes to user access rights, and the status of access objects is performed;

o   The registration of changes to the user's access rights (competencies) and the status of access objects is performed;

o   The registration of the exit from the system of information containing personal data (electronic documents, data, etc.), the registration of changes to the access rights of the subjects, and the status of access objects is performed.

If the security audit of personal data in information systems malfunctions, or the memory allocated for storing the audit results is completely filled, the person responsible for the personal data security policy is informed, and measures are taken to restore the working capacity of the audit system.

Permanent monitoring and analysis of the security audit records in personal data information systems are carried out to detect unusual or suspicious activities in the use of these information systems, with the preparation of a report regarding the cases of detecting such activities, stored in electronic computing means, and the implementation of predefined actions in the security policy for such cases. 

The results of the security audit in personal data information systems, which represent personal data processing operations and the means of performing the audit, are protected against unauthorized access by implementing appropriate security measures, including ensuring their confidentiality and integrity.

To ensure the integrity of information containing personal data and information technologies, the identification, logging, and removal of deficiencies in the software intended for processing personal data are ensured, including the installation of corrections and renewal packages for this software. Protection against the infiltration of harmful programs into the software intended for processing personal data is ensured, a measure that ensures the possibility of timely and automatic renewal of the means for protection against harmful programs and virus signatures. Technologies and intrusion detection tools are used, allowing the monitoring of events in the information systems of personal data and detecting attacks, including those that ensure the identification of unauthorized attempts to use the information systems.

For restoring information containing personal data (for creating backup copies), based on the volume of processing performed, individually, “Sykors Media” establishes the time interval in which backup copies of information containing personal data and the software used for automated processing of personal data are made. In any case, this period is less than one year, and they are stored in protected locations, outside the area where this information and the core software are located. Backup restoration procedures are regularly updated and tested to ensure their effectiveness.

“Sykors Media” regularly checks, at least once a year, the fulfillment of technical and/or organizational measures taken to detect malfunctions regarding the use of telecommunications systems in the personal data processing process and/or to make improvements if necessary. Security controls are to be updated whenever the owner is reorganized or changes its infrastructure. To verify the level of protection of personal data information systems, as well as to prevent any potential cases of unauthorized or accidental access to these information systems, and to identify weaknesses in their protection mechanisms, the Center periodically conducts security checks, including implementing special technical measures to simulate a model of accessing personal data information systems. 

7. MANAGEMENT OF INFORMATION SYSTEM SECURITY INCIDENTS AND TECHNICAL PROTECTION OF PERSONAL DATA

The personnel responsible for operating the personal data information systems undergo training at least once a year regarding their responsibilities and obligations when managing and responding to security incidents. A mechanism is in place to promptly inform the leadership of the data controller about incidents that breach the security of the personal data information systems. The processing of incidents includes detection, analysis, prevention of development, resolution, and restoration of security. Automated tools are used to support the incident management process for personal data information systems security incidents. Security incidents in personal data information systems are monitored and documented on a continuous basis.

The uncontrolled presence of individuals or vehicles, as well as the accidental installation of antennas, is excluded within a zone of at least 15 meters from the location of the main technical equipment of the personal data information system, in order to ensure the security of personal data processing. Server rooms are protected against the leakage of information containing personal data through electromagnetic emissions by shielding the rooms or installing electromagnetic jamming systems, which are designed, implemented, and tested by specialized companies in the field. Unauthorized installation of other electrical, radio, or other devices is excluded or limited in rooms where the technical means for processing personal data are located, to ensure the security of personal data processing. Equipment with lines that exit outside the controlled perimeter is installed at least 3 meters away from the IT equipment where personal data is processed.