GDPR Privacy and Security

Airtouch Ltd´s privacy and security policy

Updated 21.5.2018

INTRODUCTION
We at Airtouch respect the privacy of our customers, partners and employees. This privacy and security policy explains how Airtouch collects, uses, and processes various personal information and secures privacy. The Privacy and Security Policy defines the principles, responsibilities, obligations, practices, and the monitoring and control that the company pursues in the implementation and development of data protection and security. This policy is complemented by detailed provisions and instructions Company registers include information about customers, employees and activities that must be protected by law. The processing of personal data is governed by the EU Data Protection Regulation and the related local legislation. The data protection and security policy dealt with and enforced by Airtouch’s management covers all tasks related to computing in the company. Each user of the Airtouch employee and the information system must know this policy and follow the instructions and instructions given on it..Non-Airtouch Operators and other third parties should also commit themselves to comply with the laws, data protection and data security policies and data protection and security guidelines as a condition of their access to company information systems and their data files. When a company acts as a controller, it is required to sign a separate agreement on the processing of personal data (or attachment) by the suppliers. Individuals handling individual data are required to sign the privacy statement. When an enterprise acts as a personal data handler, a separate agreement on the processing of personal data is concluded. Privacy refers to privacy when handling personal data. Data protection and security in accordance with an accepted privacy and security policy should be included as a natural part of all activities. The development and maintenance of data protection and security is part of the company’s overall security, risk management and internal control.  


DATA PROTECTION AND INFORMATION SECURITY

The aim of data protection and data security is to safeguard the legitimate processing of personal data, to ensure the uninterrupted operation of enterprise information systems and data networks, to prevent security breaches and the unauthorized access of third parties to information systems and / or their unauthorized use, to prevent unintentional or deliberate destruction or distortion of information and to minimize the resulting damage. In addition, provision is made for action interception threats and solving them.


ORGANIZATION AND RESPONSIBILITIES

Data protection and security are managed and supervised by the company’s director. The director decides on the overall objectives of the development of the various areas of the company, the organization, the resources and the powers of action. The director of the company, who appoints the data protection officer, is responsible for data protection and security. The data protection officer is responsible for the tasks under the EU Data Protection Regulation and local legislation. The security officer is responsible for the company’s overall security work within the resources and powers given by the company management. He is also responsible for the communication and information about security issues.

The duties of the data protection officer are:
• The tasks of the Data Protection Officer are defined in the EU Data Protection Regulation
•The IT security officer is responsible for defining, evaluating, and reporting information security. He is responsible for the information security development plans, monitoring of implementation, promotion of information security and a secure way of operating the company and the services it purchases, as well as reporting.
• The security officer is responsible for hardware and software security.
•The IT security officer is responsible for personnel safety in terms of information security. Each register containing the personal data of the company has a person responsible for the register whose responsibilities are described in the EU Data Protection Regulation and local law.

Each company employee, managing personal information or other information, the administrator or user of information systems or data networks, is responsible for the implementation of data protection and security and for compliance with the instructions. Everyone is responsible for reporting threats and occurrences of data protection or security to a data protection or security officer.


IMPLEMENTATION

The foundation for implementing data protection and security is the company’s written privacy and security policy, which is provided to every employee of the company and to the information system user.The company’s privacy and data security principles are based on the EU Data Protection Regulation and national law. Implementation and maintenance of data protection and security are described in detail in separate instructions. Achieving the goals of data protection and security is a continuous process. User actions are guided by strengthened and available guidance and data protection and data security training.


CONTROLLING AND MONITORING

The task of the company’s management and the person in charge is to monitor the implementation of data protection and security. The task of the security officer is to control and monitor the company’s security and take action to improve security. 


ACQUISITION OF INFORMATION, SOURCES AND DATA GROUPS

The acquisition of information, sources and data groups formed from the registers are described separately in the data protection report for each registry.


CREATING DATA TO CUSTOMERS AND TRANSPARENCY TO REGISTERED

The disclosure of information to customers as well as the transparency of the registrants are described in the data protection report for each registry.


CO-OPERATION WITH DIFFERENT INTEREST GROUPS AND AUTHORITIES
The company co-operates with various interest groups and authorities in accordance with the EU Data Protection Regulation, local legislation and separate legislation.


INTERNATIONALITY

The company does not provide personal data outside the EU without valid reason, with the consent of the person and after checking the recipient’s security procedures.


DATA PROTECTION SUPERVISORY AUTHORITY
The Data Protection Ombudsman is the authority that controls, advises and supervises the processing of personal data in accordance with the Personal Data Act. The EDPS exercises decision-making power in matters relating to the exercise of the right of inspection and correction of information, as well as to provide solutions to the legality of the maintenance of registers and to the exercise of the rights of the data subjects.


UPDATING DATA PROTECTION AND SECURITY PRINCIPLES
The privacy and security principles are in line with our current policy. We update the principles regularly, minimum once a year.