Technical and Organisational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the risk.
I. Confidentiality
1. Access control of processing areas / Admittance control
Let's Get Digital has implemented suitable measures to prevent unauthorized persons from gaining physical access to the data processing equipment where personal data is processed. This has been accomplished through the following:
• Protection and restriction of access paths;
• Established access authorizations for staff and third parties, including the respective documentation;
• Regulations on card keys;
• Restriction on card keys;
• Logging, monitoring, and tracking of all access to the data centre where personal data is hosted;
• Securing the data centre where personal data is hosted by means of a security alarm system, among other appropriate security measures.
2. Access control to data processing systems / Entry Control
Let's Get Digital has implemented suitable measures to prevent its data processing systems from being used/accessed by unauthorized persons. This has been accomplished through the following:
• Issuance of individual logins to users; passwords must adhere to constraints in length, complexity, ageing and history;
• Identification of the terminal and/or the terminal user to the Supplier systems;
• Automatic lockout of the user ID after several erroneous password attempts, with an event log of such attempts (monitoring of break-in attempts);
• Dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions;
• Compliance with staff policies in respect of each staff member's access rights to personal data (if any), informing staff about their obligations and the consequences of any violations of such obligations, so that staff only access the personal data and resources required to perform their job duties, and training of staff on applicable privacy duties and liabilities;
• Logging, monitoring, and tracking of all access to data content.
3. Access control to use specific areas of data processing systems / Access Control
Let's Get Digital ensures that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied, modified, or removed without authorization. This is accomplished through the following:
• Assignment of minimum access rights to staff members of Let's Get Digital, dependent on their job requirements;
• Compliance with staff policies in respect of each staff member's access rights to the personal data;
• Allocation of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
• Monitoring capability in respect of individuals who delete, add or modify personal data and at least yearly monitoring and updating of authorization profiles;
• Release of data to only authorized persons;
• Policies controlling the retention of backup copies;
• Use of state-of-the-art encryption technologies.
4. Separation of processing for different purposes
Let's Get Digital has implemented suitable measures to make sure that data collected for different purposes can be processed separately. This is accomplished through the following:
• Ensuring strict logical or physical separation between personal data and other personal information in respect of which Let's Get Digital is a controller or a processor;
• Processing personal data received from different clients separately;
• Separation of access to data through application security for the appropriate users;
• Separation of data used for different purposes through modules within the Let's Get Digital database, i.e. by functionality and function;
• Storing of data in different areas (at the database level), separated per module or function they support;
• Designing of interfaces, batch processes and reports for only specific purposes and functions, so that data collected for specific purposes is processed separately.
5. Job control
Let's Get Digital has implemented suitable measures to ensure that personal data is processed in accordance with the instructions of the controller. This is accomplished by:
• Binding policies and procedures for Let's Get Digital's employees, subject to the controller's review and approval.
Let's Get Digital ensures that if security measures are adopted through external entities it obtains a written description of the activities performed that guarantees compliance with the measures adopted with this document. Let's Get Digital further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by:
• Individual appointment of system administrators;
• Adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;
• Yearly audits of system administrators' activity to assess compliance with assigned tasks, the instructions received by importers and applicable laws;
• Keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned;
• Disaster recovery and business continuity plans;
• Conducting regular checks of all the implemented and herein described security measures at least every six months;
• Only re-using backup tapes if information previously contained is not intelligible and cannot be reconstructed by any technical means; other removable media is destroyed or made unusable if not used;
• Recording any detected security incident, alongside the followed data recovery procedures, and the identification of the person who carried them out;
• Firewalls, anti-virus solutions.
6. Pseudonymization
Let's Get Digital processes personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
7. Encryption
Let's Get Digital uses state-of-the-art encryption technologies.
II. Integrity
1. Input control
Let's Get Digital shall implement suitable measures to make sure that it can check and establish whether and by whom personal data has been input into data processing systems or removed. This is accomplished through the following:
• An authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
• Logging of entries, amendments and deletion of personal data in data processing systems; operating document management systems;
• Authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently);
• Protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
• Utilization of user codes (passwords) of at least eight characters, or the system maximum permitted number, to be modified at first use and thereafter at least every 90 days where sensitive data is processed;
• Following a policy according to which all staff of Let's Get Digital who have access to personal data processed for the controller shall reset their passwords at a minimum once in a 180-day period;
• Ensuring that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked.
2. Transmission Control
Let's Get Digital implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the 180 days or during the transport of the data media. This is accomplished through the following:
• Use of appropriate firewall and encryption technologies;
• Logging and monitoring of all data transmissions as far as possible;
• Monitoring of the completeness and correctness of the transfer of data (end-to-end check).
III. Availability
Let's Get Digital shall implement suitable measures to make sure that Personal Data is protected from accidental destruction or loss. This is accomplished through the following:
• Infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly;
• Conducting regular checks of all the implemented and herein described security measures at least every six months;
• Only re-using backup tapes if information previously contained is not intelligible and cannot be reconstructed by any technical means; other removable media is destroyed or made unusable if not used;
• Recording any detected security incident, alongside the followed data recovery procedures, and the identification of the person who carried them out;
• Firewalls, anti-virus solutions.
IV. Resilience
Let's Get Digital has implemented the following:
• Infrastructure redundancy;
• Disaster recovery;
• Back-up databases.
V. Process to restore the availability and access to personal data in the event of a physical or technical incident
• Restoring availability and access to personal data promptly in the event of a physical or technical incident;
• Implementing suitable incident response management.
VI. Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the data processing
• Implementing suitable data protection management in its organization;
• Conducting regular audits;
• Preparation of an internal audit plan.