SECURITY POLICY OF PERSONAL DATA PROCESSING OF NEW POST INTERNATIONAL MLD LLC

This Policy of Personal Data Processing (hereinafter the ‘Policy’) was developed and approved by NEW POST INTERNATIONAL MLD LLC, IDNO 1014600029674 with registered legal address on 3 Barbu Lautaru str., Chisinau municipality, Republic of Moldova (hereinafter the ‘Operator’), a company that exists and operates in accordance with the legislation of the Republic of Moldova, in order to comply with the provisions of Law no. 133 of 8 July 2011 on personal data protection and the requirements for cryptographic processing and ensuring security of personal data during their processing in the personal data information systems, approved by Government Decision no. 1123 of 14 December 2010, as well as to comply with the provisions of other regulations related to personal data protection of the persons concerned, regarding the following:

1
SCOPE
1. 1.1
  This Policy is an internal act, which is mandatory for the Operator, employees and representatives of the Operator. The Operator shall communicate the content of this Policy to all its employees by displaying it. The content of this Policy shall be placed in the view of the Customers of the Operator by making it available on the web-site https://novapost.com/uk-md/.
2. 1.2
  This Policy applies and is mandatory for all operational activities of the Company that involve processing of personal data, but not limited to: processing of data about Employees, Customers/providers/subcontractors; processing of data through video surveillance means and within the accounting records.
3. 1.3
  The employees and representatives of the Operator shall process personal data, subject to the principles and rules set forth in this Policy, for legitimate purposes.

2
PURPOSE
1. 2.1
  This Policy was developed to define the requirements and the procedure for Personal Data protection against unauthorized leaks and to comply with Personal Data processing rules, in order to ensure protection of the private life of subjects.
2. 2.2
  The accounting and timekeeping system, data about employees, customers and providers, as well as any other data processed in accordance with this Policy, shall be kept on the servers of the Operator. The data are transferred across the border in Ukraine to the Company "NEW POST" LLC, based on the concluded Personal Data Transfer Agreement.
3. 2.3
  The data managed within this system shall be kept on the servers of the Operator to be stored on the servers located at the registered address of the Data Importer in order to achieve the purposes of data storage and recovery as a result of collecting the information generated following the conclusion of contracts with customers, as well as for statistical purposes. The data shall be stored on the servers for as long as necessary under the concluded contract. If the cross-border contract is terminated, suspended or it is not possible for the Data Exporter to store the data outside the jurisdiction of the Republic of Moldova other way, then the Operator shall temporarily suspend the data transfer. In any case of termination, the parties to the cross-border transfer agreement shall retain their rights and obligations with respect to the transferred personal data. The data are transferred across borders to Ukraine.
4. 2.4
  The Personal Data recorded in this record system shall be stored on the servers of the Operator, which are located outside the Republic of Moldova. In this regard, the Operator concluded a Cross-Border Personal Data Transfer Agreement with the authorised foreign Operator, which shall regulate in details the conditions and details of the personal data transfer, the rights and obligations of the data importer and exporter. In particular, the Data Importer is obliged to process personal data only under the conditions and subject to the instructions of the data exporter.
5. 2.5
  The following data categories shall be subject to transfer: Personal data refer to the following data categories: surname, name and patronymic; sex, signature, electronic signature, personal state identification number (IDNP); date and place of birth; citizenship, data from civil status documents, personal health insurance code (CPAM), mobile phone, home/residence address, telephone/fax, e-mail, profession, position, professional training – diplomas – education, family status, data of family members, economic or financial situation, amount of gross salary, bonuses, increments, supplements, incentives, data from the medical leave certificate, bank data, image, data from the driver's licence, disciplinary sanctions, personal social insurance code (CPAS), personal health insurance code, data from registration certificates, workplace.
6. 2.6
  The Data Subject shall be informed about the data transfer and his/her rights. The cross-border data transfer is subject to the express consent of the Data Subject. The consent to the cross-border transfer shall be included in the Individual Employment Contract, in the form of express consent. The sample consent to cross-border data transfer is attached to this Policy. The postal invoice, through which the Customers’ data are processed, is attached to this Policy.
7. 2.7
  Both the data exporter and the data importer shall ensure strict respect of the rights of the data subject. In this regard, data subjects shall be provided, directly or through a third party, with the personal information about them, if an organisation holds it, except for the requests that are clearly abusive. The sources of personal data shall not be identified whenever impossible, through reasonable efforts, or if the rights of persons other than the individual would be violated. Data Subjects shall be able to have their personal information corrected, with subsequent modifications, or deleted if they are inaccurate or processed against these principles. If there are good reasons to question the legitimacy of the request, the organisation may ask for additional reasons before proceeding with the correction, modification or deletion. Any correction, modification or deletion shall not be notified to the third parties, to which the data were disclosed, if this involves a disproportionate effort. A person shall also be able to object against processing their personal data, if there are well-founded and legitimate reasons related to his/her personal situation. The burden of proof of any refusal lies on the data importer, and the data subject may always challenge a refusal at the authority.

3
CATEGORIES OF SUBJECTS AND CATEGORIES OF DATA
1. 3.1
  The Operator, in connection with its activity, processes personal data of its employees (current employees, job candidates), as well as data related to natural persons: partners, sub-contractors and other providers of goods and services of the Operator subject to the limits established by law (‘Subjects’).
2. 3.2
  The categories of personal data processed by the Operator are presented in Annex 1 hereto.
3. 3.3
  The Operator shall process personal data using manual and/or automatic means, subject to legal requirements and the conditions that ensure security, confidentiality and respect for the rights of the subjects.

4
GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
1. 4.1
  Personal data shall be processed:
  
  a) correctly and according to the legal provisions – the personal data shall be processed in strict accordance with the legislation on personal data protection. This implies that before collecting, using and disclosing personal data, the processing shall expressly result from a legal right or obligation;
  b) for determined, explicit and legitimate purposes, and subsequently they shall not be processed for incompatible purposes – any processing of personal data shall be carried out for well-determined, explicit and legitimate, adequate and relevant purposes that are not excessive in relation to the purpose, for which they are collected and subsequently processed. The accumulated information is intended for use by the Operator and its partners for legitimate purposes and can be shared, depending on the need, with the following recipients: co-contracting parties, public notaries, courts, legal and financial consultants, including lawyers, providers of goods and services, public institutions, banking institutions, public registries, as well as other types of directly targeted recipients.
  c) confidentiality – the employees of the Operator, who are trained in the area of personal data processing, are obliged to respect the confidentiality of personal data processed by the Operator, based on the law and/or the relevant contracts.
  d) consent – any processing of personal data of the Subjects can only be carried out if they provided their consent to the processing, with the exceptions set by law.
  e) protection of the Subjects – the subjects have the right of access to the data about them that are processed by the Operator, the right of intervention with respect to the data, the right of opposition and the right not to be subject to an individual decision, as well as the right to address to the National Centre for Personal Data Protection or the court for the defence of any rights guaranteed by law, which were violated. The limitation of these rights may be admitted in the cases provided for by law.
  f) security – personal data security measures shall be established in such a way as to ensure an adequate level of security of the personal data processed by the Operator.
  g) adequate, relevant and not excessive – any processing of personal data shall correspond to the purpose, for which they were collected, and shall be relevant and not excessive in the context of the purpose pursued. To comply with these requirements, the operator applies the principle of personal data minimization, which consists in collecting only that information, which is strictly necessary for the performance of provided services. Assessment of compliance with these requirements shall be carried out from time to time and when necessary.
  h) accurate and up-to-date – the categories of data processed by the operator shall be established exhaustively, and only truthful data shall be processed. The operator shall check the processed personal data from time to time, by comparing the processed data with those held by data subjects.
  i) for a period that shall not exceed the duration necessary to achieve the purposes for which they are collected and subsequently processed – personal data shall be stored only during the existence of civil relations and/or for the express term established by the special legislation, under which personal data are processed.

5
RIGHTS OF DATA SUBJECTS
1. 5.1
  If personal data are collected directly from the subject of these data, in accordance with Art. 12 of the Law on personal data protection, the person needs to be provided with the following information, unless he/she already has the respective information on:
  
  a) the identity of the operator or, as the case may be, the person authorised by the operator (name, legal address, IDNO (state registration number), registration number entered into the Record Register of Personal Data Operators);
  b) the specific purpose of processing the collected personal data;
  c) the recipients or categories of recipients of personal data;
  d) the existence of the rights to information and access to the collected data; the right of intervention in respect of data (in particular the right to correct, update, block or delete personal data, the processing of which is against the law due to their incomplete or inaccurate nature) and the right of opposition, as well as the conditions under which these rights may be exercised; if the answers to the questions, with which the data are collected, are mandatory or voluntary, including the possible consequences of refusing to answer the questions through which the information is collected.
2. 5.2
  Data subjects are guaranteed the right of access and the possibility to get acquainted with the documents drawn up in order to verify the correctness of their drawing up, to challenge the failure to include or wrong inclusion of some data, as well as other errors committed when entering data about themselves. In this regard, the persons responsible for personal data processing shall ensure the access of the person only to the personal data that directly concern him/her, excluding the possibility of accessing personal data concerning other subjects, which are available in the personal files (other materials), except for the cases where the applicants achieve a legitimate interest that does not harm the interests or the fundamental rights and freedoms of the data subject.
3. 5.3
  The right to information shall be ensured by the operator of personal data (or the entities that ensure system maintenance and/or provide outsourced services of the operator) to all persons subject to processing.
4. 5.4
  In the event that the data subject obtains the right of intervention, inaccurate data shall be updated by correction or deletion, using only legal sources as a basis (identity documents, civil status documents, main state information resources, etc.), while the modification shall be carried out in all managed information and record systems.

6
APPLICATION, COMPETENCE AND ADDRESSES OF THE POLICY
1. 6.1
  This Policy applies to and is mandatory for all operational activities of the Company, and shall be brought to the attention of the employees and partners of the Operator and is mandatory for them.
2. 6.2
  The Responsible Person
  1. 6.2.1
    The Operator, through an order signed by the person with a management position, shall designate, from among its employees, a person responsible for the development, implementation and monitoring of fulfilment of obligations of personal data protection. The person responsible for personal data protection shall be the Administrator of the Company (the ‘Responsible Person’).
  2. 6.2.2
    Duties of the responsible person:
    
    a) performs the risk analysis related to information resources;
    b) provides for logical protection measures;
    c) ensures verification of the existence, updating and sufficiency of licences for information resources;
    d) ensures that records of the IT systems audit are kept, and that the IT systems are stored and accessible for inspection subject to internal regulations;
    e) defines the procedure whereby the users of the information system benefit from the right to access the information resources and manage them, and organises the control of the use of these resources;
    f) ensures that backup copies of the information resources are made and stored, as well as the information resources are updated if the operation of the information resources was disrupted or impossible due to the damage of the technical resources or for other reasons whatsoever;
    g) provides physical protection measures;
    h) participates in risk analysis, identifies threats to the information system related to technical resources and evaluates the likelihood of these threats;
    i) ensures that technical resources are recovered if damaged.
3. 6.3
  The Responsible Person shall provide the introduction of relevant data processing procedures, as well as the recording of hearings to record the Personal Data management documents.
4. 6.4
  The person responsible for Personal Data protection shall ensure that the employees are trained and their knowledge of personal data protection is evaluated.
5. 6.5
  The Responsible Person shall be involved in an appropriate and timely manner in all aspects of personal data protection.
6. 6.6
  The Operator shall support the Responsible Person in fulfilling his/her tasks, shall provide the resources required to allow the Personal Data Protection Officer to perform the tasks described above and shall provide access to the Personal Data and personal data processing documents, as well as the possibility to update special knowledge of the Personal Data Protection Officer.
7. 6.7
  The tasks of personal data protection of the Responsible Person are as follows:
  
  a) to inform and consult the employees who process personal data regarding their duties in accordance with the internal acts of the Operator and the regulatory acts on personal data protection;
  b) to supervise compliance with internal and external acts regulating personal data protection, including division of tasks, to inform and train employees involved in personal data processing;
  c) to provide advice, upon request, on the Impact Assessment on Personal Data protection, to participate in preparation of this assessment and supervise it;
  d) to develop and maintain the Register of Violations of Personal Data Protection;
  e) to cooperate with the competent Supervisory Authority and be the contact person of the Supervisory Authority in aspects of Personal Data protection, including prior discussions and other issues;
  f) to consult the Concerned Persons who contacted the Personal Data Protection Officer regarding personal data processing within the Company.
8. 6.8
  The personal data protection rights of the Responsible Person are as follows:
  
  a) to collect information to identify Personal Data processing processes, to analyse and verify compliance of the Personal Data processing with the internal acts, and to inform, provide advice and recommendations for Personal Data processing;
  b) to audit the Personal Data protection without providing prior notification;
  c) to familiarise him/herself with the Company's documents, technical and organisational requirements that affect Personal Data processing, as well as to receive timely information about security incidents and familiarise his/herself with the Security Incident Register;
  d) to participate in the adoption of resolutions, the subject of which is Personal Data protection, to familiarise him/herself with the relevant documents in order to provide his/her opinion and offer advice in this regard.

7
COMPONENTS OF INFORMATION SECURITY
1. 7.1
  The Operator is aware of the importance of information security and defines the components of information security and the requirements that the employees of the Operator shall meet in their daily work activities.
2. 7.2
  The information security is described by its confidentiality, integrity and accessibility. The Company make efforts to ensure that:
  
  - information is available only to persons authorised to receive it (confidentiality);
  - the information and its processing methods are correct and complete (integrity);
  - authorised users have access to information whenever necessary (accessibility).
3. 7.3
  The Company implements technical protection of Personal Data through physical and logical means of protection, by ensuring protection against the threat of Personal Data caused by physical impact and through the protection implemented by information technology tools (IT tools). By selecting the type of storage of Personal Data, the possibility of damage caused by fire, flood, explosion, as well as other Security incidents caused by nature, IT and people shall be taken into account.
4. 7.4
  Technical resources containing Personal Data, including desktop and laptop computers, hard drives, when not used, shall be stored in places that are not easily accessible to others (such as locked rooms or cabinets).

8
CLASSIFICATION OF PERSONAL DATA PROTECTION ACCORDING TO THEIR LEVEL, VALUE AND CONFIDENTIALITY, PERSONAL DATA PROCESSING REGISTER
1. 8.1
  As part of its activities, the Operator shall keep records of several personal data such as records of employees, trainers, trainees, partners of the Operator, accounting records, visitor records, etc., by entering them in the relevant registers. All these registers contain personal data. All registers, which contain personal data, shall be kept in protected places in strict accordance with these rules and shall be used exclusively for the purposes, for which they were created.
2. 8.2
  Record Registers
  
  a) The Operator shall draw up and maintains the Register, which shall be reviewed and supplemented on a regular basis in accordance with the effective Personal Data processing, including regular revisions of the terms of storage of Personal Data defined in the Register.
  b) The Register shall be maintained for the general registration of acts made with Personal Data within one or several purposes, including registration and control of recipients of Personal Data.
  c) If necessary, the Operator shall provide access to the Register to the competent Supervisory Authority.

9
SECURITY RULES AND PROCEDURES
1. 9.1
  Access to the premises:
  1. 9.1.1
    The management of the Operator shall be aware of the importance of information security and shall define the requirements that the employees of the Company shall meet in their daily work activities.
  2. 9.1.2
    9.1.2.The access to the premises/offices of the Operator or to the spaces where the information systems of personal data processed by the Operator are located, shall be restricted, subject to submission of badges or identification cards or access keys, and shall only be allowed to the employees of the Operator, partners and authorised visitors (‘Users’). The access of visitors shall be recorded in registers, which shall be kept for at least one year. When the term of storage expires, the registers shall be liquidated, and the data and documents contained in the register subject to liquidation shall be transmitted to the archive. Before providing physical access to personal data information systems, access competences shall be checked.
  3. 9.1.3
    Administration and monitoring of physical access shall be carried out at all points of access to personal data information systems, including actions shall be taken against violations of the access rules. The monitoring registers shall be kept for at least one year, at the end of which they shall be liquidated, and the data and documents from the register subject to liquidation shall be transmitted to the archive.
  4. 9.1.4
    Computers, servers, other access terminals shall be located in places with limited access for outsiders.
2. 9.2
  Administration of access accounts
  1. 9.2.1
    The access accounts of users, who process personal data, including their creation, activation, modification, revision, deactivation and deletion, shall be administered by the Operator. Automated support tools shall be used for administration. The action of the access accounts of temporary users, who process personal data, shall end automatically at the end of the set period of time (for each type of access account separately). The access accounts of inactive users, who process personal data, shall be automatically deactivated after a maximum period of three months. Automated tools of registration and information about creation, modification, deactivation and termination of access accounts shall be used.
  2. 9.2.2
    In the meeting spaces intended for the public, personal data processing activities shall be minimised as far as possible, and the means and equipment that provide access to the data processed by the Operator shall be secured.
  3. 9.2.3
    Computers, servers, other access terminals shall be located in places with limited access for outsiders.
3. 9.3
  Perimeter integrity
  1. 9.3.1
    The perimeter of the office of the Operator shall be concretely and clearly determined. The perimeter of the building or of the premises, where personal data processing tools are located, shall be physically intact. The external walls of the premises shall be strong, the entrances shall be locked.
4. 9.4
  Measures for protection of technical resources against emergencies (fires, floods):
  1. 9.4.1
    A modern fire extinguishing system was built to ensure protection of the data centre. Fire safety of the data centre shall be overseen by the Administrator.
  2. 9.4.2
    The computer, where information with a certain degree of confidentiality is stored, may not be connected to external networks of the local network, from which external networks can be accessed.
  3. 9.4.3
    The information about a special level of confidentiality is not transmitted through external networks.
  4. 9.4.4
    If computers that store information with a certain level of confidentiality are connected to the local network, the cables of the local network cannot cross the territory where the relevant physical protection against a threat to the computer system is not provided, and the network devices should be located in the premises with adequate physical protection against a threat to the computer system.
  5. 9.4.5
    Protection of customer data against unauthorised access shall be ensured by: 24/7 alarm systems and high-level surveillance systems.
5. 9.5
  Security audit
  1. 9.5.1
    User login/logout attempts shall be recorded in the system subject to the following parameters:
    
    a) date and time of attempted entry/exit;
    b) user ID;
    c) result of the entry/exit attempt – positive or negative one.
  2. 9.5.2
    The registration of attempts to start/end the work session of the application software and processes, intended for personal data protection, the registration of changes in the access rights of users and the status of access objects shall be also carried out subject to the following parameters:
    
    a) date and time of the start attempt;
    b) name/identifier of the application software or process;
    c) user ID;
    d) result of the start attempt – positive or negative one.
  3. 9.5.3
    Attempts to obtain access (to execute operations) shall be recorded for applications and processes intended for personal data processing, subject to the following parameters:
    
    a) date and time of the attempt to obtain access (to execute the operation);
    b) name (identifier) of the application or process;
    c) user ID;
    d) specifications of the protected resource (identifier, logical name, file name, number, etc.);
    e) type of requested operation (reading, recording, deletion, etc.);
    f) result of the attempt to obtain access (to execute the operation) - positive or negative one.
  4. 9.5.4
    Changes to the user's access rights (competences) and the status of the access objects shall be recorded, subject to the following parameters:
    
    a) date and time of the change of competences;
    b) ID of the administrator who made the changes;
    c) user ID and his/her competences or specification of the access objects and their new status.
  5. 9.5.5
    The registration of the exit from the information system containing personal data (electronic documents, data, etc.), the registration of changes to the access rights of subjects and the status of the access objects shall be carried out subject to the following parameters:
    
    a) date and time of exit;
    b) name of the information and ways to access it;
    c) specification of the equipment (device) that released the information (logical name);
    d) ID of the user who requested the information;
    e) volume of the issued document (number of pages, sheets, copies) and result of the issuance – positive or negative one.
6. 9.6
  Storage of audit data
  1. 9.6.1
    9.6.1. Constant monitoring and analysis of the security audit records in the personal data information systems shall be carried out in order to detect unusual or suspicious activities of the use of these information systems, and the report on the cases of detection of these activities shall be prepared. The duration of storage of the security audit results in the personal data information systems shall be 2 years in order to be able to use them as evidence in the event of security incidents, possible investigations or legal proceedings.

10
ANTIVIRUS
1. 10.1
  The Operator and the employees shall ensure protection against the penetration of malware (viruses) in the personal data protection software, as a measure that enables automatic and timely renewal of the means of protection against malware. At the same time, the Operator and the employees shall use technologies and means of detection of intrusions, which allow the monitoring of events in the personal data information systems and detection of attacks, including those that ensure identification of the attempts to use the information systems without authorization. The identification, registration and removal of deficiencies of the software intended for personal data processing, including the installation of corrections and renewal packages of this software, shall be ensured. The installation and removal of software, technical and technical software means used in personal data information systems shall be controlled and their records shall be kept. The software for personal data processing and the information containing personal data, which are accessed through public access systems, shall be secured by using the digital/mobile signature method.

11
BACKUP COPIES
1. 11.1
  The Operator shall ensure once a year the execution of backup copies of the information containing personal data and copies of the software used for the automated processing of personal data. The backup copies shall be kept in protected places, outside the area where this information is located. The backup copies shall be tested in order to verify the safety of the information carriers and the integrity of the information containing personal data. Backup copy recovery procedures shall be updated and tested on a regular basis to ensure their effectiveness.

12
INTERNAL VERIFICATIONS
1. 12.1
  At least once a year, the technical and/or organisational measures taken to detect malfunctions regarding the use of telecommunications systems in the personal data processing process and/or improvements, if necessary, shall be verified. Security controls shall be updated every time. Depending on the results of the Security Controls, the personal data Operator shall undertake measures to reorganise processes or change its infrastructure.

13
INTEGRITY OF THE EQUIPMENT
1. 13.1
  The Operator and its employees shall ensure the security of the electrical equipment used to maintain the functionality of personal data information systems, electrical cables, routers, switches, including their protection against damages and unauthorised connections. Network cables, through which personal data processing operations are carried out, shall be protected against unauthorised connections or damages.
2. 13.2
  Disconnection on demand shall take place in exceptional situations, breakdowns or force majeure, and the possibility of disconnecting electricity supply to personal data information systems shall be ensured, including the possibility of disconnecting any information technology component.
3. 13.3
  The employees of the Operator shall disconnect the computers, access terminals and printers at the end of the work sessions.
4. 13.4
  Use of UPS: The Operator shall provide autonomous sources of short-term electrical energy supply, used for the correct termination of the work session of the system (component) in the event of disconnection from the main source of electrical energy.
5. 13.5
  Passwords
  The Operator and its employees shall comply with the following rules of ensuring information security in the case of choosing and using passwords:
  
  a) keeping passwords confidential;
  b) prohibition to write passwords on paper, if the security of their storage is not ensured, the passwords shall be kept coded, using the unilateral cryptographic algorithm (hash function);
  c) changing the passwords once every 3 months at most and every time there are signs of a possible compromise of the system or password;
  d) choosing quality passwords with a length of at least 8 symbols, which are not related to the user's personal information, do not contain consecutive identical symbols and are not entirely composed of groups of numbers or letters;
  e) disabling the automated password registration process (using saved passwords);
  f) enabling the users to choose and change individual passwords, including to activate the procedure for recording their wrong entries;
  g) the access is blocked after three wrong authentication attempts;
  h) at the time of entry, the passwords are not clearly reflected on the monitor;
  i) after the installation of the system, the standard user authentication information is changed;
  j) storage of the previous histories of users' passwords in hash form (for a period of one year) and prevention of their repeated use are ensured.
6. 13.6
  If the contract that regulates the relations between the Operator and the user was terminated, suspended or amended, and the new tasks do not require access to personal data, or the user's access rights were modified, or the user misused the codes received in order to cause damages, was absent for a long period, the identification and authentication codes shall be revoked or suspended. The inactive user account (inactivity for a maximum period of 2 months) shall be deactivated;
7. 13.7
  The access to the security functions of the personal data information systems and their data shall be granted only to the responsible person.
8. 13.8
  The users of the personal data information systems shall be provided only with those rights/competences, which are necessary for them to achieve the objectives set for them. The users' rights to access the personal data information systems shall be reviewed on a regular basis to ensure that rights of unauthorised access were not granted (at most every six months) and after any change in user status. The access to information and resources shall be granted subject to the ‘need to access to the information’ principle. The systems shall be designed with minimum information for activity. The users shall be provided with the lowest level of access necessary to perform their job duties.
9. 13.9
  Securing remote access: All methods of remote access to the personal data information systems of the Operator shall be secured using VPN, encryption, coding, as well as other securing methods, and shall be documented, subject to monitoring and control by the Operator. Each method of remote access to personal data information systems shall be authorized by the manager of the Operator and/or the responsible person of the Operator designated by the manager according to this Policy and shall be allowed only to the Users, for whom the respective access is necessary for the achievement of the established professional objectives.
10. 13.10
  Access to electronic devices (mobile phones, tablets, laptops, etc.): The use of portable and mobile equipment that allows access to the personal data information systems of the Operator shall be authorised by the manager of the Operator or by the responsible person designated by the manager.

14
INTERNET AND E-MAIL ACCESS
1. 14.1
  E-mail systems and the Internet are fast and efficient means of communication and gathering of information. Both types of connections belong to the Operator and are made available to its employees as effective means of communication and information, which shall be used in the course and for the purpose of carrying out the professional activity. The wireless Internet networks (wi-fi) managed by the Operator shall be protected by password. The access to such password can be provided by the manager of the Operator.
2. 14.2
  To ensure the security of the computer network, and also to prevent improper use of the Internet access, a series of traffic data shall be retained automatically (without human intervention), continuously and for any computer located in the local network of the Operator. As a rule, this information shall be stored for a period of several weeks or months, after which it shall be definitely deleted by overwriting. Traffic data shall not be retained for the purpose of monitoring the employees of the Operator. However, the Operator may analyze the existing records at a given time regarding a certain employee, while the visitor shall notify him/her about both the performance of the analysis concerned and its reasons.
3. 14.3
  Beware of attachments. E-mails are the main means, whereby viruses can get into the local network, which is why the entire workforce as well as any person who shall obtain access to the information resources of the Operator shall be careful when opening attachments, especially if their origin is unclear / unsafe / suspicious or the file extension is .exe.
4. 14.4
  About private messages. Electronic messages and documents attached to them that are used by the employees of the Operator using service messages are not private as long as they are created and/or stored on the service computer. A backup copy of all e-mails sent to or received from professional addresses, as a rule, shall be kept on the server of the Operator.
5. 14.5
  About free e-mails. The Internet offers many free electronic communication options, such as @gmail.com, @yahoo.com, @mail.ru, etc. The Operator warns that these electronic communication systems do not meet the personal data protection requirements. The employees of the Operator shall refrain from transmitting personal data of the Subjects through such communication systems. The Operator assures that it created a corporate electronic communication system, which is protected in strict compliance with these rules and the Law on personal data protection.

15
PROCEDURE FOR STORAGE AND DESTRUCTION OF PERSONAL DATA, INFORMATION MEDIA
1. 15.1
  The information media of the data centre, in which the data of the Subjects are stored and that is damaged or worn, shall be kept in a secure location in the data centre after its disconnection from the data centre software.
2. 15.2
  The data of the Subjects shall be destroyed when the term of their storage is defined in accordance with the applicable legislation, the Internal Regulation of the Operator and is established within the term of validity of the Register.
3. 15.3
  The personal data shall be stored in electronic and paper files. Electronic and paper files containing Personal Data shall be stored for the time period defined by the Register.
4. 15.4
  The access to the spaces/perimeter, where the information and personal data record systems are located, is restricted, and is only allowed to the persons who have the necessary authorization according to the institutional security policy/approved departmental regulations.
5. 15.5
  It is prohibited to store and keep the electronic format of personal data, structured in record systems, in computers connected to the Internet, which are not provided with special technical and software protection means and do not have installed licensed software, antivirus software, software security control systems, systems ensuring the regular performance of safety copies and the audit.
6. 15.6
  Introduction of personal computers or information carriers in the institutional security perimeter and their use for service purposes is prohibited. Moreover, the access to the available computers is protected/restricted by creating user profiles, and the administrator rights are entrusted only to the person responsible for implementing the designated security policy within the Company.
7. 15.7
  Storage of personal data on a magnetic, optical, laser, paper or other information media, on which the document is created, fixed, transmitted, received, stored or otherwise used and which allow reproducing it, shall be ensured by placing them in safes or cabinets with lock. Unauthorised removal of personal data carriers from the security perimeter of the Operator is prohibited.
8. 15.8
  The Company shall review the storage conditions of the Personal Data defined by the Register as necessary, but however at least once every 2 (two) years.
9. 15.9
  In the course of evaluating the terms of storage of Personal Data, the Company shall consider at least the following aspects:
  
  a) Personal Data are stored at least until they are necessary to achieve the purpose of the processing;
  b) The conditions for storing Personal Data are in line with the period of storages defined by legislation in accordance with the purpose of storing Personal Data;
  c) Personal Data are stored as long as the Company needs to keep evidence in the event of a legal claim and/or litigation;
  d) Personal Data cannot be deleted from documents if they affect the legal force of the document.

16
DATA PERIOD OF STORAGE
1. 16.1
  The Personal Data processed during the activity of the Operator shall be kept for the entire contractual period (employment of the employee, provision of the service/ purchase of materials, etc., by/to the Operator), as well as for the period necessary to achieve the purposes, for which they were collected or to protect the legitimate interests of the Operator, its affiliated units and/or its employees and members.
2. 16.2
  After the expiration of the legal/contractual period of storage, the Personal Data and/or documents on electronic carrier or on paper shall be destroyed, anonymized or transferred to state archives in specific situations. Each Person Responsible for the Personal Data processing shall be responsible for deletion or anonymization.
3. 16.3
  Upon termination of the relations that are the basis of the processing of data of the Subjects by the Operator, the personal data carriers shall be transferred to the archive of the Operator and kept for the duration of the following periods of storage:
  
  - personal data about or obtained from partners and contractors: 5 years from termination of the established relations;
  - personal data of the employees: 75 years from the termination of individual employment contracts.
4. 16.4
  The period of storage may be different from the indicated one, if another period of storage is indicated in the indicator of standard documents and of their periods of storage for organisations and enterprises of the Republic of Moldova. In such case, the data shall be kept for the period indicated in the indicator of standard documents. In case of litigation, the data shall be processed for the entire duration necessary to defend the legitimate interests of the Operator and its associated persons.

17
DELETION AND DESTRUCTION OF PERSONAL DATA
1. 17.1
  The information, which contains personal data and is no longer necessary to achieve the processing purposes defined by the Company and the storage of which is not provided for by applicable legislation, should be destroyed. Electronic information shall be destroyed so that it is not possible to restore the information files. Written information (on paper) shall be destroyed in such a way that it cannot be restored.
2. 17.2
  The transfer (alienation) of computer devices to third parties is prohibited, if they contain Personal Data. The above prohibition should also be complied with in cases where IT devices are transferred for use. If an IT device needs repair under warranty, before it is delivered for repair, the security of the Personal Data contained in it shall be ensured.
3. 17.3
  The Personal Data that became incomplete, outdated, falsified, illegally processed or that are no longer necessary to achieve the purpose of processing Personal Data defined by the Company shall be immediately corrected, updated or deleted.
4. 17.4
  At the end of the Personal Data processing process and/or at the end of their period of storage, if the Personal Data are not anonymous, the Company or the Authorised Person shall delete the Personal Data from the Information System so that they can be never recovered.
5. 17.5
  Paper documents containing Personal Data or their copies shall be destroyed in accordance with the procedure defined by the legislation after processing of the data and/or the end of the period of storage, if they are not transferred to the archive.
6. 17.6
  If no longer needed for use, the technical resources containing personal data (USB, CD, HDD, etc.) shall be transferred to the Information Technology Department of the Company, which shall destroy the technical resources centrally, so that it is not possible to restore the stored information and delete it.
7. 17.7
  Deletion of the Personal Data shall be recorded (documented) by drawing up a certificate on the destruction of Personal Data if necessity, by not allowing the inclusion in the relevant certificate of information about the relevant Personal Data that were destroyed.

18
SECURITY INCIDENT MANAGEMENT AND RECORDING
1. 18.1
  The person involved in the Personal Data processing who found a threat shall immediately notify the Responsible Person and the Personal Data Protection Officer of the Company of any threat related to the Personal Data processing, including those described below, by using the telephone number established by the Company in this purpose and/or the e-mail address:
  
  - if a threat to technical resources, including IT resources (such as interruption of electricity supply, liquids or particles, damage caused by physical impact, fire or flood, loss or theft of computers and other technical means) was discovered etc.);
  - if a threat to information resources was discovered (for example, Third Parties found out the access password, unauthorised access to Personal Data, including the loss of USB data carriers, CDs, as well as an email containing Personal Data was sent to unintended recipients, interruptions in the operation of the IT System, unauthorised deletion or correction of Personal Data;
  - if any type of threat to the Personal Data on paper was found (such as too high humidity in the premises, fault of the lock of a cabinet or doors in the premises, failure of the alarm, third-party access to documents, loss of documents etc.).
2. 18.2
  In the event of a threat, the Person involved in Personal Data processing is obliged to ensure the security of the Information System subject to his/her competences and authorization, until the arrival of the Responsible Person.
3. 18.3
  Upon receipt of information about the occurrence of a Security Incident, the person responsible for the investigation of the Security Incident shall:
  
  - determine which persons in the Company should be notified about the possible Security Incident, in order to immediately limit the impact of the Security Incident, to minimise the consequences, to put an end to the Security Incident, to prevent the recurrence of the Security Incident;
  - evaluate the measures to be taken to end the Security Incident (if it did not end), to limit the negative impact of the Security Incident on the Data Subject, to minimise possible losses and to start their immediate implementation;
  - determine whether it is necessary to report the Security Incident to the police (if it has the characteristics of a crime) or to the authorities authorised by law;
  - evaluate the risk caused by the Security Incident to the private life of natural persons by evaluating the following aspects:
  
  a) Were the Personal Data affected during the Security Incident?
  b) What the Personal Data were affected?
  c) How sensitive are the data involved in the Security Incident, are they Special Category data?
  d) Who are the people who can be/are affected as a result of the Security Incident, including which is the number and categories of affected people?
  e) How and why did the Security Incident occur?
  f) If the data were lost or stolen, can the Third Party learn anything about the person from the relevant data?
  g) What will be the impact/consequences of the Security Incident on the involved people, including could the physical safety of these people be threatened, the material losses caused, the damage to the reputation caused or the moral damages caused?
  h) If the data were lost or stolen, were the data anonymized, codified, password protected or otherwise secured?
  i) If the data were stolen or lost, could they be used for criminal purposes?
  j) What will be the impact/consequences of the Security Incidents on the Company, including could the security of the Company and/or the Data Subject be threatened, cause material damage (sanctions from the administrative authorities, requests from the Data Subject, damage to the reputation)?
  k) What are the identities and contact persons of the Data Subject affected by the Security Incident to be able to contact them if necessary?
4. 18.4
  The Operator of personal data shall inform the National Centre for Personal Data Protection in writing about the detected security incidents.
5. 18.5
  The Security Incident Notification to the Supervisory Authority shall contain the following information:
  
  - information about and a brief description of the Security Incident;
  - categories of Data Subjects involved in the Security Incident, the approximate number of affected Data Subjects (the scope of the affected Personal Data);
  - the surname, name and contact details of the Personal Data Protection Officer or a reference to another contact person, from whom the Data Subject could obtain additional information;
  - the consequences caused by or the possible consequences of a security incident;
  - the measures taken or planned by the Company to mitigate the possible negative consequences of a Security Incident and to prevent such Security Incidents in the future;
  - other information, if this is provided for by the applicable legislation in force in the case of a special notification, as well as other information deemed necessary by the Company;
  - the person responsible for recording Security Incidents shall evaluate each received notification regarding a Security Incident and, if this incident should be considered a violation of Personal Data protection and may cause a high risk to the rights and liberties of individuals, the Responsible Person shall notify of the Security Incident the Data Subject involved in the Security Incident.

19
VIDEO SURVEILLANCE
1. 19.1
  The Operator shall use a video surveillance system subject to admissible parameters.
2. 19.2
  Privacy: It is understood and accepted that there is a legitimate expectation of a certain degree of privacy of the employees at the workplace, but this right shall be balanced with the legitimate rights and interests of the Operator, in particular the right to effectively manage its activity and the right to protect themselves from third-party liability that the team members may incur.

20
MARKING OF DOCUMENTS
1. 20.1
  All information that is intended to be disclosed, and that contains personal data, is to be marked by including the registration number from the Record Register of Personal Data Operators according to the Annex 2.

21
RESPONSIBILITY FOR ENSURING THE SECURITY OF PERSONAL DATA AS WELL AS INFORMATION WITH LIMITED ACCESSIBILITY
1. 21.1
  The Operator of personal data, the person authorised by the operator, third parties as the case may be, signatories of Annex no. 1, for non-compliance with the provisions of the Security Policy, shall bear civil liability (Civil Code), contraventional liability (Art. 741 of the Code of Offences) and criminal liability (Art. 177, 178, 180 of the Criminal Code).

22
FINAL PROVISIONS
1. 22.1
  This Security Policy shall be supplemented by the provisions of the legislation in force.
2. 22.2
  The amendment and completion of this Security Policy shall be carried out in the manner established for its approval.
3. 22.3
  he content of the Security Policy shall be reviewed and updated annually, to reflect any changes to the requirements of the activities of the Operator, IT risks or important threats to the Information Systems.

External Data Protection Officer:
Privacy GmbH
Hamburg, Germany,
Neuer Wall 50, 20354
Email: dpo@novapost.com

Annex 1

to the Security Policy of Personal Data Protection
within the activities of NEW POST INTERNATIONAL MLD LLC

CATEGORIES of Personal Data

1
Personal data, which directly or indirectly identify a natural person, in particular by reference to an identification number (personal code), one or several specific elements of his/her physical, physiological, psychological, economic, cultural or social identity, are divided into two categories: ordinary and special ones.
2
The ordinary category is the information that discloses:

1) surname and name;
2) sex;
3) date and place of birth;
4) citizenship;
5) IDNP (personal identity number);
6) image;
7) family status;
8) military status;
9) personal data of family members;
10) data from the driver's licence;
11) data from the registration certificate;
12) economic and financial situation;
13) data on owned assets;
14) bank details;
15) signature;
16) data from civil status documents;
17) pension file number;
18) personal social insurance code (CPAS);
19) health insurance code (CPAM);
20) telephone/fax number;
21) mobile phone number;
22) (home/residence) address;
23) e-mail address;
24) profession and/or workplace;
25) professional training – diplomas – education;
3
Special categories of personal data are data that reveal the racial or ethnic origin of the person, their political, religious or philosophical beliefs, social affiliation, data on health or sexual life, as well as those related to criminal convictions, coercive procedural measures or contraventional sanctions. The operator does not process special categories of personal data.

Annex 2

to the Security Policy of Personal Data Protection
within the activities of NEW POST INTERNATIONAL MLD LLC

1
Sample warning marking:
Attention! The document contains personal data processed within the record in the Register of Personal Data Operators www.registru.datepersonale.md. Subsequent processing of these data can only be carried out under the conditions provided for by Law no. 133 of 08.07.2011 on personal data protection.
2
Sample video surveillance marking:
Pursuant to the authorization of the National Centre for Personal Data Protection of the Republic of Moldova, New Post International LLC supervises the video area:
A complaint regarding personal data processing through this record system can only be filed to the National Centre for Personal Data Protection of the Republic of Moldova after submitting a request to the concerned personal data operator in advance.

Sample: Form of the consent to the cross-border transfer of personal data:

In accordance with the provisions of Law 133 of 07/08/2011 on personal data protection, NEW POST INTERNATIONAL MLD LLC headquartered on 3 Barbu Lautaru str., Chisinau municipality, state identification number – tax code 1014600029674 (the ‘Company’, the ‘Operator’) collects and processes some personal data that refer to you. These data are any information related to an identified or identifiable natural person.
Collected data are subject to cross-border transfer, and are stored on the servers of the Operator located in Ukraine, being processed by "NEW POST" LLC registered in accordance with the legislation of Ukraine, registration number 31316718, headquartered on 03026, Kyiv, Stolichne shose, 103, building 1, floor 9, e-mail: dpo@novapost.com, as Data Importer. The Data Importer processes the data in the amount and conditions established by the Personal Data Transfer Agreement between the Operator and the Data Importer.
To comply with the legislation in force and for the purpose of a good collaboration between the Company and the data subject (the ‘Subject’), he/she hereby provides his/her free, unconditional, express and conscious consent, and confirms the following:

1
Hereby, the data subject agrees to the cross-border transfer by the Company of his/her personal data that include all or several of the following categories: surname, name and patronymic; sex, signature, electronic signature, personal state identification number (IDNP); date and place of birth; citizenship, data from civil status documents, personal health insurance code (CPAM), mobile phone, home/residence address, phone/fax, e-mail, profession, position, professional training – diplomas – education, family status, data of family members, economic or financial situation, amount of the gross salary, awards, increments, supplements, incentives, data from the medical leave certificate, bank data, image, data from the driver's license, disciplinary sanctions, personal social insurance code (CPAS), personal health insurance code, data from registration certificates, workplace, others: medical leave certificate, amount of the gross salary, awards, increments, incentives, supplements.
2
The data subject hereby accepts and consents to the cross-border transfer of his/her personal data by the Company for the following purposes:

a) execution of contracts between the Subject and the Company;
b) other situations related to the contractual relationship that the data subject has or shall have with the Company.
3
The data subject consents and accepts that his/her personal data may be transferred by NEW POST INTERNATIONAL MLD LLC , under the law.
4
The data subject hereby consents and accepts that this consent is valid for a period of five years, and may be renewed for successive periods of five years. The consent to personal data processing can be withdrawn at any time before the expiration of the term, by means of a written, dated and signed request submitted at the office address of the Operator.
5
The data subject confirms the knowledge of the provisions of the Law on personal data protection (No. 133 of 8 July 2011), acknowledging that in relation to the processing of his/her data by the Company, he/she has the following rights, as established by law:
- 5.1
  The right to obtain information on the identity of the operator or the person authorised by the operator, the purpose of processing the collected data, as well as additional information regarding the recipients of personal data;
- 5.2
  The right of access to his/her personal data;
- 5.3
  The right to intervene on personal data;
- 5.4
  The right of opposition;
- 5.5
  The right not to be subject to an individual decision;
- 5.6
  Access to justice.
  
  To exercise these rights, the data subject is entitled to submit a written, dated and signed request at the legal office of the Operator.
6
The data subject, in accordance with Art. 17 of the Law on electronic commerce (no. 284 of 22 July 2004), consents to the processing of his/her personal data and expresses his/her consent to receive commercial information in electronic format.

Consent

I declare that I have been fully informed about the processing of personal data by the Company and I have fully read, agree with and accept all the clauses of the Consent Form regarding the cross-border transfer of personal data. I have been made aware of the Company's documents regarding the personal data security, including the Company's order regarding personal data protection. I understand that the Company may receive, collect, combine, organise, use, store, process, transfer and disclose personal data about me as provided in this Consent Form. I declare that I understand and agree that personal data may be collected, processed, used, transferred or disclosed and that the Company reserves the right to carry out these activities when it deems necessary and personal data may be transferred other entities both inside and outside the Republic of Moldova, as provided above in this Consent Form.

Name: ________________________________
Date _____________________ Signature

More

SECURITY POLICY OF PERSONAL DATA PROCESSING OF NEW POST INTERNATIONAL MLD LLC

Send

Receive

International delivery

For business

More

Language