Data Breach Policy and Procedures
The English version of the legal agreements and policies is deemed to be the only current and valid version of this document.
Policy Statement
Epsilon PS e.K. is committed to our obligations under the regulatory system and in accordance with the GDPR. We maintain a robust and structured program for compliance adherence and monitoring.
Purpose
The purpose of this policy is to provide Epsilon PS e.K.’s intent, objectives and procedures regarding data breaches involving personal information. This policy is specific to personal information and the breach requirements set out in the GDPR.
Scope
The policy relates to all staff (permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents) within the organisation.
Data Security & Breach Requirements
Epsilon PS e.K. defines a personal data breach as any breach of security, lack of controls, or system or human failure that leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data.
We have implemented adequate technical and organisational measures, including:
- Encryption of personal data
- Restricted access
- Reviewing, auditing and improvement plans for processing systems
- Disaster Recovery and Business Continuity Plan
- Audit procedures and stress testing on a regular basis
- Frequent training programs for all staff in the GDPR
- Recheck processes for data transfers, disclosures and disposal
Objectives
- Adhere to GDPR and German Data Protection laws
- Develop adequate technical and organisational measures
- Utilise information audits and risk assessments
- Ensure data breaches are reported to regulators within required timeframes
- Use breach investigations to assess root causes and prevent further incidents
- Ensure the Supervisory Authority is notified within 72 hours where applicable
Breach Monitoring & Reporting
Epsilon PS e.K. has appointed a Data Protection Officer responsible for the review and investigation of any data breach involving personal information, regardless of severity. All data breaches will be investigated, even in instances where notifications are not required.
Breach Incident Procedures
Identification: As soon as a data breach has been identified, it is reported to the Data Protection Officer immediately.
Recording: Epsilon PS e.K. records every incident on the Breach Incident Form, which is completed after each instance of a data breach.
Investigation: A full investigation is conducted and recorded. The outcome is communicated to all staff involved and upper management.
Breach Risk Assessment
Human Error: A review of the associated procedures is conducted and a full risk assessment completed. Outcomes can include re-training, suspension from compliance tasks, or formal warnings.
System Error: The IT team works with the Data Protection Officer to assess the risk and investigate the root cause.
Breach Notifications
Supervisory Authority: Notified no later than 72 hours after becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals.
Data Subject: When a breach is likely to result in a high risk to rights and freedoms, we will communicate the breach to the data subject without undue delay.
Record Keeping
All records are retained for a period of 7 years from the date of the incident. Incident forms are reviewed monthly.