Softeh Plus considers it important to ensure the confidentiality of the personal data provided by you.
The principles governing the processing of personal data
- Your data will be collected only for the specified, explicit and legitimate purposes. The data will not be processed to third parties in a manner that is not compatible with those purposes.
- Personal data will be accurate and, where necessary, updated.
- Your data will be processed in a legal, fair and transparent manner.
- All your data will be kept confidential and stored in a manner that ensures the necessary security.
- Your data will not be distributed to third parties unless this is necessary for the purpose of providing services according to the agreements.
- Data subjects have the right to request access to their personal data, its rectification and deletion, to object to or restrict data processing, as well as the right to data portability.
What is personal data?
Personal data is any information that can be linked to an identified or identifiable person (the data subject). Personal data includes all types of direct or indirect information (i.e. used in connection with other data) that refer to the data subject, such as name, date of birth, addresses, email addresses, telephone numbers.
Ensuring the security of personal data within IT systems
Securing access to applications
- Password Policy:
Configurations through which an appropriate password policy can be implemented in order to ensure a level of personal data security according to the General Data Protection Regulation (GDPR) in Softeh applications:
a) All passwords are encrypted with a standard algorithm. Even the administrator of the application does not have the right to decrypt the passwords and view them in clear text.
b) If a user forgets their password, the system administrator resets the password in the system and sends the new password to the user, who then changes it again to a password known only to them.
The administrator can change a user’s password in the regular User Rights window.
c) In the computer system, user passwords must comply with the following rules (these rules can be configured):
– The password must contain at least x characters, where x is configurable by the system administrator (initially set to 9).
– The password must not repeat any of the last y passwords used. This y is configured by the administrator.
– The password must contain characters from at least 3 groups [(a-z)(A-Z)(0-9)(!-+)].
– The password must not contain the name and/or first name of the user.
– The password has a validity period in days (configurable by the system administrator). After the password expires, the user is obliged to change it by entering the username and the old (expired) password, as well as the new password with its confirmation; the new password must comply with the above rules (length, characters contained, not containing the user's name, not identical to an older password, etc.).
– Setting the inactivity time in the application. After a certain number of minutes / seconds in which the user does not use the application, the password will be requested again.
d) All users can change their password without the intervention of the system administrator (the new password must comply with the established password policy).
e) “Warning personal data window” option. Upon its activation, the user will be warned when accessing a window that contains personal data (for applications that require this).
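The rules under c) can be expressed as one validation routine. The following is an added example, not Softeh code: the names `PasswordPolicy`, `violations` and `is_expired` are hypothetical, the values for y and the validity period are constructed, "(!-+)" is read as the ASCII range from `!` to `+`, and password history is assumed to be stored as salted PBKDF2 digests.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Character groups from rule c); "(!-+)" is read as ASCII '!' through '+' (assumption).
GROUPS = (
    lambda c: "a" <= c <= "z",
    lambda c: "A" <= c <= "Z",
    lambda c: "0" <= c <= "9",
    lambda c: "!" <= c <= "+",
)

@dataclass
class PasswordPolicy:          # hypothetical name, not a Softeh API
    min_length: int = 9        # "x": initial value stated on the page
    history_depth: int = 5     # "y": constructed value
    max_age_days: int = 90     # validity period: constructed value

def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so history checks never need the clear text (assumption)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def violations(policy, password, first_name, last_name, history):
    """Return the violated rules; history is [(salt, digest), ...], newest last."""
    found = []
    if len(password) < policy.min_length:
        found.append("too_short")
    if sum(any(group(c) for c in password) for group in GROUPS) < 3:
        found.append("too_few_groups")
    lowered = password.lower()
    if any(n and n.lower() in lowered for n in (first_name, last_name)):
        found.append("contains_name")
    # A depth of 0 disables the history check (history[-0:] would be the whole list).
    recent = history[-policy.history_depth:] if policy.history_depth > 0 else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            found.append("reused")
            break
    return found

def is_expired(policy, changed_on, today):
    """True once the password is older than the configured validity period."""
    return (today - changed_on).days > policy.max_age_days
```
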
Data structuring and user rights
Data structuring can be defined by assigning limited access rights to certain categories of personal data.
Each user will access the application or application modules using unique credentials (username and password according to the established password policy). Each user will be assigned certain rights regarding access (viewing, modification) to the application screens that contain personal data depending on the type of activity carried out and in accordance with the job description.
Anonymization of data
Softeh provides data anonymization mechanisms for all databases that may contain personal data.
Anonymization will be done on personal data for the purpose of creating a test environment or as support for troubleshooting.
The pseudo-anonymization of the data will be achieved by keeping a link to recover the anonymized data. The anonymized data and the “key” to recover the anonymized data will be saved in different areas.
Logging of data processing
Softeh has developed mechanisms regarding the trace functionality on tables that may contain personal data but also on those that contain sensitive data (e.g. patient data, medical data, transactions, etc.). Thus, it will be possible to have a record of users who perform operations on personal data.
Access to databases
The databases are accessed exclusively through the applications / application modules, only with a username and password, and only within the rights assigned to the respective user.
Direct access to the database can only be done by the personnel designated by the beneficiary, according to the established access rights and only using the password (only representatives from the IT department).
A test environment will be created on which the databases used will contain anonymized data. The access of Softeh consultants will be done only on the test environment and only with the consent of the designated IT staff and only at the request of the beneficiary in order to ensure the maintenance of the IT system or in order to test new versions of applications before launching them into production. Softeh will not have access to the beneficiary’s production environment.
An adequate level of security regarding access to the server where the production database is located will be ensured by the beneficiary through the designated IT staff.