Metricson (defined in the General Conditions as the “Data Processor”) undertakes to implement the following security measures in the processing of data on behalf of its customer (defined in the General Conditions as the “Data Controller”):
1. The Data Processor applies, both when determining the means of processing and at the time of processing itself, appropriate technical and organisational measures, such as those included in this document and mentioned in the contract (defined in the General Conditions as the “Proposal”) designed to apply data protection principles, such as data minimisation, and to integrate the necessary guarantees into the processing.
2. Upon joining the staff of the Data Processor, all employees have signed a confidentiality document in which they undertake to keep secret all the data processed for the purpose of carrying out their duties, including the data processed for the purposes of this Proposal.
3. The Data Processor has a process for notification, management and response to any personal data breach, as indicated in Articles 33 et seq. of the GDPR.
4. The Data Processor has established a system that allows the unambiguous and personalized identification and authentication of any user attempting to access the information system, and the verification that he or she is authorized. The system of identification and authentication of users wishing to access the system is described in a document that will be available to the Data Controller upon request.
5. Users of the Data Processor’s systems shall have authorized access only to such data and resources that they require for the performance of their functions. The system used to limit access in accordance with the privileges of each user is described in a document which is available to the Data Controller upon request.
6. The operating systems and applications used in the processing under this Proposal have mechanisms to prevent a user from accessing resources with rights different from those authorized.
7. The Data Processor has measures in place to control physical access to the facilities and data processing facilities so that only authorized personnel are allowed access to the data processes under this Proposal.
8. The Data Processor has a policy for the management of supports and documents which ensures that all the applications, systems and subcontractors used have been previously studied and authorized to process customer data in order to comply with the regulations and GDPR. This policy also regulates the entry and exit of documents from the facilities and systems of the Data Processor, allowing the processing of personal data subject to this Proposal only in encrypted and/or anonymized devices authorized by the Data Processor.
9. Access to information systems of the Data Processor containing personal data covered by this Proposal may only be granted by encrypting such data or by using any other mechanism that guarantees that the information is not intelligible or manipulated by third parties. The security of these accesses must be guaranteed by the security protocols of the applications involved in the transmission.
10. The Data Processor has a policy of backup and recovery of data in order to ensure that it is always restored to the state it was in at the time of loss or destruction.
11. Where employees of the Data Processor need to work with temporary files in order to provide the service to the Data Controller, the same security measures as for other personal data shall be applied to those temporary files, and they shall be deleted or destroyed once they are no longer necessary for the purposes for which they were created.
12. Devices for the storage of documents containing personal data must have mechanisms to prevent their opening.
13. Continuously and at least once a year, periodic checks shall be carried out to verify the suitability and operability of the security measures implemented and compliance with the provisions of this Proposal.
If the Data Controller, after the formalisation of the Proposal, requires the Data Processor to adopt or maintain security measures other than those agreed in this Proposal, or if they are required by any future regulations, and this significantly affects the costs of providing the Services, the Data Controller and the Data Processor shall agree on the appropriate contractual measures to deal with the effect that such modifications may have on the price of the Services.