System Administrators
This document describes how Agile manages the administration of its systems, in compliance with the Provision of the Guarantor for the protection of personal data of 27-11-2008, published in the Official Gazette no. 300 of 24-12-2008.
The list of company System Administrators is checked and updated by the Compliance Team on the relevant GDPR Register, when needed and at least on an annual basis. Circle leaders are responsible for assessing whether a System Administrator (S.A.) should be appointed for a specific activity.
1. PURPOSE
To better understand the purpose of this procedure, we report here an excerpt of the preliminary considerations of the Guarantor for the protection of personal data, which gives a precise definition of "system administrator".
<< The definition of "system administrator" generally identifies, in the computer field, professional figures responsible for the management and maintenance of a processing system or its components. For the purposes of this provision, however, other figures that are comparable from the point of view of data protection risks are also considered as such, such as database administrators, administrators of networks and security equipment, and administrators of complex software systems.
System administrators, identified in this broad sense, although not ordinarily in charge of operations that require an understanding of the application domain (meaning of data, format of representations and semantics of functions), are in their usual activities, in many cases, concretely "responsible" for specific work phases that may be highly critical in relation to data protection.
Technical activities such as data recovery, network flow organization, storage media management and hardware maintenance in many cases imply an effective ability to act on information that must be considered, to all intents and purposes, a processing of personal data, even when the administrator does not consult the information "in plain text".
... omissis ...
the typical functions of system administration are mentioned in the aforementioned Attachment B of D.Lgs. 196/2003 ("Code for the treatment of personal data"), in the part that places on the owners the obligation to ensure the custody of the confidential components of authentication credentials. Most of the tasks provided for in the same Attachment B typically fall to the system administrator: from the creation of security copies (data backup and recovery operations) to the custody of credentials and the management of authentication and authorization systems. >>
1.1 Applicability
This document is intended for system administrators, including those appointed as external data processors under the GDPR.
1.2 Purpose
The purpose of this procedure is to identify the organizational measures that make known within the Company the existence of certain technical roles, the responsibilities attached to those roles and, in some cases, the identity of the individuals who operate as system administrators for the various services and databases.
This is intended to draw attention to the risks and critical issues involved in appointing system administrators, given their particular capacity for action and the fiduciary nature of their duties.
2. RELEVANT LEGISLATION
The provision issued by the Guarantor for the Protection of Personal Data on November 27, 2008 was published in the Official Gazette no. 300 of December 24, 2008. It concerns:
"Measures and expedients prescribed for Controllers of processing carried out using electronic instruments with regard to the attributions of system administrator functions - November 27, 2008".
With this measure the Guarantor for the protection of personal data,
pursuant to art. 154, paragraph 1, lett. h) of the Code, in signaling to all holders of personal data processing carried out with electronic instruments the particular criticality of the role of system administrators, draws the attention of the same holders to the need to evaluate with particular care the assignment of technical functions properly corresponding or similar to those of system administrator, database administrator or network administrator, where such functions are exercised in a context that technically makes it possible for them, even accidentally, to access personal data. This, taking into consideration whether such attribution is appropriate and the concrete modalities on the basis of which the assignment is carried out, together with the technical, professional and conduct qualities of the person identified;
pursuant to art. 154, paragraph 1, lett. c) of the Code, prescribes the adoption of the following measures for owners of personal data processing subject to the application of the Code and carried out with electronic instruments, including in the judicial and police forces (art. 46 and 53 of the Code), except for those carried out in the public and private sectors for administrative-accounting purposes that pose fewer risks for those concerned and have been the subject of simplification measures introduced by law (art. 29 d.l. June 25, 2008, no. 112, converted, with amendments, by Law no. 133 of August 6, 2008; art. 34 of the Code; Garante Order of November 6, 2008):
a. Assessment of subjective characteristics
The attribution of the functions of system administrator must take place after evaluation of the characteristics of experience, capacity and reliability of the designated person, who must provide appropriate guarantees of full compliance with current provisions on treatment, including the security profile.
Even when the functions of system administrator or similar are attributed only within the framework of a designation as a processor pursuant to art. 30 of the Code, the owner and the manager must, however, follow evaluation criteria equivalent to those required for the designation of managers pursuant to art. 29.
b. Individual designations
The designation as system administrator must be individual and bear the analytical list of the areas of operation allowed according to the authorization profile assigned.
c. List of System Administrators
The identification data of natural persons who are system administrators, with the list of functions assigned to them, must be reported in the security policy document or, in cases where the owner is not required to draw it up, noted in any case in an internal document to be kept up to date and available in case of investigation by the Guarantor.
If the activity of system administrators also indirectly concerns services or systems that process or allow the processing of personal information of workers, public and private owners are required to make known the identity of system administrators within their organizations, according to the characteristics of the company or service, in relation to the various computer services to which they are assigned. This, using the information provided to interested parties pursuant to art. 13 of the Code as part of the working relationship that binds them to the owner, or through the technical specifications in the provision of the Guarantor n. 13 of March 1, 2007 (in G.U. March 10, 2007, n. 58) or, alternatively, through other means of internal communication (e.g., corporate intranet, service orders for internal circulation or bulletins). This is without prejudice to cases in which such forms of publicity or awareness are incompatible with other legal provisions governing a specific sector.
d. Outsourcing services
In the case of outsourced system administration services, the Controller must directly and specifically retain, for any eventuality, the identification details of the natural persons responsible as system administrators.
e. Verification of activities
The work of system administrators must be the subject, at least once a year, of a verification activity by the Controllers, in order to check its compliance with the organizational, technical and security measures concerning the processing of personal data provided for by the regulations in force.
f. Access registration
Appropriate systems must be adopted to record logical access (computer authentication) to processing systems and electronic archives by system administrators. The access logs must be complete and unalterable, and their integrity must be verifiable in order to achieve the purpose for which they are required. Access logs must include time references and a description of the event that generated them, and must be retained for an appropriate period of time, no less than six months;
- provides that the measures and precautions referred to in point 2 of this provision are to be introduced, for all processing operations that have already commenced or will commence within thirty days of the date of publication of this provision in the Official Gazette, as soon as possible and in any case within, and no later than, the period of time that it is reasonable to establish as one hundred and twenty days from the same date; for all other processing operations that will commence after the aforementioned period of thirty days from publication, the measures and precautions must be introduced prior to the commencement of data processing.
3. MEASURES ADOPTED BY AGILE
The application of the regulations to Agile's current structure leads to a distinction between two different types of systems:
A) Agile's corporate systems, used by Agile for its own business and corporate purposes;
B) Customer business systems managed and/or used by Agile.
3.1 Systems Administrator sub A)
Agile has appointed Paolo Platter and Alberto Firpo as System Administrators for its systems.
It has also been decided that all Systems in category A) shall always be the primary responsibility of the Company Directors, and/or of one or more individuals identified on the basis of their competencies, fiduciary relationship and role in the company organizational chart, under specific written acts of delegation covering the provisions of point 3.2 below.
3.2 Systems Administrator sub B)
When Agile takes on an assignment from a customer, the assumption of the position of System Administrator must be assessed in accordance with the Compliance Check Procedure [link], and involves the following actions:
- as indicated by the Compliance Check Procedure, for each new client the following must be indicated in the appropriate field of the "contract form" [link]:
  - whether the conditions for being considered System Administrators within the scope of the service provided are met, to be assessed with the intervention of the Internal Technical Compliance and/or with the assistance of the DPO;
  - where applicable, the staff members involved (who must also be chosen on the basis of an assessment of their actual ability to hold the position of AdS, the Italian abbreviation for System Administrator, as provided for in section 4 below);
  - any additional technical elements or notes regarding the above issues;
- within 5 days from the drafting of the "contract form", and in any case no later than the start of the activities, the Internal Compliance Department sends to the staff members identified as AdS the appointment document below (ANNEX A), together with the "vademecum" (ANNEX B);
- within the following 3 days, the Internal Compliance Department must verify receipt and follow up on any non-fulfilment;
- in the event of refusal or non-receipt of the appointment letter duly countersigned by the staff concerned, the Internal Compliance Department shall inform the Company's Directors for the necessary measures (including the replacement of the persons allocated to the particular activity).
3.3 Maintenance and updating of the "AdS Register"
The Company keeps a specific register of AdS appointments, saved on the Compliance SharePoint (the "AdS Register"), together with further detailed information on the system of reference.
At the time of the appointment of each new AdS as provided above, the Internal Compliance Department will ensure the timely updating of the AdS Register.
The Internal Compliance and the Internal Technical Compliance, on at least a six-monthly basis, will jointly verify the regular maintenance and updating of the AdS Register.
The work of the System Administrator is subject, at least once every six months, to verification by Internal Technical Compliance by means of questionnaires, in order to check its compliance with the organizational, technical and security measures regarding the processing of personal data provided for by the regulations in force, and to verify the effective application of the provisions of section 4 below.
4. CONTROLS
With regard to the measures and precautions prescribed for controllers of processing carried out with electronic instruments in relation to the attribution of system administrator functions, pursuant to the provision of the Guarantor for the protection of personal data of November 27, 2008, the following actions have been put in place:
a. Assessment of subjective characteristics
The attribution of the functions of System Administrator must take place after evaluation of the characteristics of experience, capacity and reliability of the designated person, who provides sufficient guarantee of full compliance with current provisions on treatment, including the security profile.
b. Individual designations
The appointment as System Administrator is individual and contains an analytical list of the areas of operations allowed on the basis of the authorization profile assigned, as described in the first part of this paragraph.
c. Outsourced Services
In the case of outsourced system administration services, the owner directly and specifically keeps, for any eventuality, the identification details of the natural persons appointed as System Administrators.
d. Access Registration
Suitable systems have been adopted for recording access to processing systems and electronic archives by System Administrators for Systems Sub A).
For Systems Sub B), methods for recording access to processing systems and electronic archives are provided by customers.