Privacy Policy

On Personal data processing and information security

Introduction

Over the past two decades, rapid technological development has significantly changed the ways people use information. In response, the European Union adopted a privacy reform package that sets a new global bar for privacy rights, security and compliance. One of these legislative acts is the European Regulation 2016/679 (GDPR).

Fitek has devoted time and effort to assessing whether its information security and personal data processing practices meet the new regulatory requirements, and has identified the technical and organizational measures that are implemented to ensure compliance with the new rules and regulations.

Commitment to GDPR Compliance

Fitek acknowledges its responsibilities under GDPR and commits to ensuring GDPR compliance prior to its entry into force on the 25th of May 2018.

Fitek has defined awareness raising routines and made data security a priority in its service design.

Scope

This whitepaper outlines the privacy practices of Fitek with respect to its services and systems.

This whitepaper is divided into 2 main sections: Regulatory Compliance and Information Security. Regulatory Compliance reflects Fitek's approach to compliance requirements in terms of its Data Processor/Controller role, the protection of Data Subjects' privacy, and awareness. Information Security includes details on the data access controls and operational security controls applied by Fitek.

Regulatory Compliance

Fitek recognizes its role under the GDPR as both Data Controller and Data Processor. Therefore, Fitek must ensure the highest level of security for the data it controls and ensure that its vendors and service providers process data in conformity with the applicable rules and regulations.

Considering the number of processing activities carried out by Fitek, such as (i) collection, (ii) storage, (iii) transmission and (iv) making personal data available to third parties, Fitek has considerably strengthened its security practices and redesigned its processes and documentation to reflect the principles of secure personal data processing.

Fitek has established strong governance and appointed a Data Protection Officer to handle data security related requests from public authorities, customers, and data subjects.

Fitek as a Controller

When Fitek collects personal data for its own business purposes, Fitek acts as a Controller by defining processing means that are compatible with the purposes for which the Data Subject allowed his/her data to be processed.

Fitek acts as an employer and as a service provider, and is therefore directly engaged in personal data processing.

Fitek processes personal data collected from data subjects based on their consent, expressed directly or in the applicable service contract.

Fitek ensures lawful, transparent, and secure personal data processing.

Fitek as a Processor

When a customer (a legal entity acting as Controller) uses Fitek as its trusted partner, the customer instructs Fitek on the necessary data processing.

Third Party Processors

Fitek may engage third-party service providers and vendors (“Service Provider”).

All existing Service Providers have been subject to a data security evaluation and have signed secure personal data processing contracts with Fitek, committing to implement all the relevant technical and organizational means to ensure compliance with GDPR.

Fitek audits service providers from time to time to track the fulfilment of the secure personal data processing requirements.

Data Subject’s Privacy

Fitek values the protection of Data Subjects' rights and is therefore committed to making sure Data Subjects can exercise their rights effectively and free of charge.

Fitek will ensure that each Data Subject request is reviewed in a timely fashion.

Right to Information

A Data Subject can request information on what data of his / her is processed by Fitek and for what purpose. A Data Subject can request such information by contacting Fitek via phone +371 67 066 500 or email office.lv@fitek.com.

Right to Data Portability

Fitek ensures Data Portability: if a Data Subject wishes to transfer his / her personal data to another service provider, Fitek will provide that data in a structured, commonly used, and machine-readable format.

Right to Erasure (“Right to be forgotten”)

A Data Subject is entitled to request Erasure of data by contacting Fitek via phone +371 67 066 500 or email office.lv@fitek.com. Fitek will delete that data in a timely manner, unless there is a legal requirement that prohibits fulfilment of the request.

Right to Object

A Data Subject is entitled to object to the processing of his / her personal data. The Right to Object can be exercised by contacting Fitek via {phone / email / online form}. Upon receipt of the request, Fitek ceases the processing unless there is a legal ground for such processing.

Privacy Awareness

All employees of Fitek who are involved in personal data processing pass data privacy training.

In addition, all employees follow the internal Data Protection Policy.

All employees engaged in personal data processing have also signed appropriate NDAs.

During initial employee onboarding, employees take privacy training that includes information on how to protect personal information and reduce the risk of a privacy breach.

Fitek ensures continuous training for its employees and emphasizes the importance of data privacy to its customers and service providers.

Fitek requires that all persons involved in designing the product and / or implementing new features in the services have detailed knowledge of system vulnerabilities, malware, and other security-related topics. Fitek encourages security and privacy by design for its systems and services.

Fitek organizes audits that review its compliance practice against the applicable rules and regulations and Good Industry Practice.

Breach notification

To comply with GDPR, Fitek has developed a process for personal data breach notification.

Data Minimization Principle and Retention Period

Fitek ensures, by means of system configuration, that private data processing is minimized to what is necessary for operational purposes.

Information Security

Fitek has significantly improved its Information Security Policy and Information Security Management System with respect to the following controls: operational security, access control, and physical security. Fitek has reviewed its processes and procedures in accordance with the ISO 27001 requirements.

Fitek applies a number of technical and organizational measures to protect its data from unauthorized access, alteration, use, disclosure, or destruction.

Access Control

To manage access to its data, Fitek has applied access controls to ensure that:

  • access to information systems is controlled through processes that address the authorization and modification of information system privileges
  • access is strictly limited to appropriate individuals on a need-to-know and least-privilege basis
  • access revocation due to resignation, termination, or transfer is conducted in a timely manner
  • users of Fitek information systems (a) are accountable for all actions performed under their User ID and (b) are responsible for protecting and managing the confidentiality of their passwords and log-in credentials
  • connections to Fitek information systems from remote or mobile computing facilities use multifactor authentication
  • access to documents and removable media containing sensitive information is controlled.

Physical Access Control

To restrict access to premises that may contain personal data processing equipment, Fitek uses, without limitation, the following:

  • Alarm systems
  • Automatic access control system.

Operational Security

Fitek has applied security standards on production information systems, routine system operations, segregation of duties, malware protection, backup and recovery, monitoring and logging, protecting sensitive media, system configuration, and maintenance activities, to ensure:

  • prevention of unauthorized disclosure, modification, removal or destruction of assets, and of interruption to business activities
  • correct and secure operation of Fitek information systems, minimizing the risk of system failures
  • protection and maintenance of the integrity and availability of software, information, and the information processing environment
  • the necessary arrangements (e.g. people, processes, technology) to log, review logs, and follow up on security events, system usage, and performance.

Secure Data Transmission

Fitek integrates with different services and tools using APIs. Fitek protects information transmitted over the network without compromising the security of the data.

Conclusion

Fitek's goal is an Information Security programme of organizational and technical measures that ensures data security is sufficient to protect the business against all types of threats, whether internal, external, deliberate, or accidental. Safeguard measures cover information confidentiality, integrity, availability, and traceability.

Fitek wants its customers and partners to have confidence that their data are protected and processed in accordance with the personal data protection rules and regulations.