PIHR Data protection & Information security & Privacy Policy


This data protection and information security policy explains how PIHR handles customers’ and potential customers’ personal data.

1 GENERAL REQUIREMENTS

1. PIHR guarantees not to commit any act or omission that has, or can reasonably be expected to have, a negative impact on our customers’ data including systems or personal data.

1.1 PIHR ensures that appropriate technical and organisational measures are taken to provide a level of security appropriate to the risk of the data handling and processing. PIHR will:

a) Protect the personal data in such a way as to prevent the destruction, alteration, blocking, unauthorised dissemination of or access to the data, copying, distribution and other unlawful processing.

b) Ensure that the personal data and the data files containing the personal data can only be used by authorised personnel who need the information to perform their duties and fulfil the obligations of the prevailing contract.

c) Ensure that authorised personnel have either entered into a confidentiality relationship or are subject to the appropriate statutory obligation of confidentiality which continues to apply even after their employment, or the service with regard to the processing of Personal data, has ceased.

d) Ensure that an authorisation system is in place to prevent unauthorised access to personal data (in the case of processing involving a high risk of privacy incidents, two-step authentication should be used), together with a login system that makes it possible to determine who has obtained access to the personal data.

e) Ensure that authorised personnel comply with the terms of this data protection and information security policy as well as the data processing agreement and any additional instructions from the data controller and that they are aware of the provisions of the data protection legislation.

f) Take all appropriate technical, administrative and organisational security measures in relation to the risk of processing to protect the personal data received from the customer against, inter alia, unauthorised access, destruction, accidental loss, alteration, blocking, copying, distribution, unauthorised dissemination and any other form of unlawful processing (such security measures shall include the encryption and pseudonymisation of personal data, password protection and installation of appropriate firewalls). PIHR ensures that personal data is stored in such a way that unauthorised persons cannot access it and that personal data is stored separately from other data.

g) Ensure that there is always appropriate and up-to-date virus protection for data files containing personal data and the creation of backup copies of such files.

2 SPECIFIC SAFETY STANDARDS

2.1 PIHR complies with best security practices.

2.2 Customers may review and confirm the existence of, and compliance with, PIHR’s security management, and may review, assess and confirm whether it is adequate for the provision of the services.

2.3 PIHR ensures that any subcontractors and all authorised personnel carry out security management in connection with the services at least in accordance with the “controls” and “guidance for implementation” defined and described in ISO 27001 and the NIST cyber framework. This includes a clear definition of security responsibility, risk management processes, access protection, authorisation and administration, security design and configuration management, auditing and quality assurance.

3 SAFETY MANAGEMENT

3.1 PIHR has an information security unit responsible for ensuring good practices in the field of information security throughout the organisation and in connection with the provision of the services, including publishing of information security policies.

3.2 The head of the supplier’s Information Security Unit shall be responsible for information security throughout the PIHR organisation.

3.3 PIHR ensures that it always complies with this data protection and information security policy in connection with the provision of services agreed.

4 ACCESS MANAGEMENT

4.1 Data handling is only performed by authorised personnel in accordance with this Data Protection and Information Security Policy.

5 PHYSICAL SECURITY

5.1 PIHR takes full responsibility for protecting all personal data against unauthorized physical access and/or damage. This includes physical access control such as protecting buildings against unauthorised access (e.g. by using locks, studs or equivalent on exposed doors and windows), providing only authorised personnel with physical access to critical areas, monitoring external parties that are granted access and protecting communication links and data storage media.

6 RIGHT TO INSPECTIONS AND REVIEW

6.1 PIHR may grant access to customer personnel, or to an independent third party subject to sufficient confidentiality obligations, to inspect and/or review PIHR’s compliance with this policy.

6.2 PIHR may provide a customer (or an independent third party nominated by the customer) with any information reasonably required to perform such inspection and/or review as referred to in 6.1. PIHR ensures that the customer has equivalent rights with respect to any subcontractors. PIHR can also give any supervisory authority for the processing of personal data the possibility of inspecting PIHR’s premises and/or subcontractors (including access to relevant information, IT systems and other relevant resources) to the extent required by data protection legislation.

7 THIRD PARTY PROCESSORS

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. Our appointed data processors include:

(i) Prospect Global Ltd (trading as SoPro), Reg. UK Co. 09648733. You can contact SoPro and view their privacy policy here: http://sopro.io. SoPro are registered with the ICO (Reg: Z123456); their Data Protection Officer can be emailed at: dpo@sopro.io.