Nordic Telecom (NTC) Service compliance with GDPR
The General Data Protection Regulation (GDPR) applies whenever a natural person can be identified, directly or indirectly, from the data being processed.
The NTC-Service processes the caller's (A-subscriber, hereafter Customer) phone number when the NTC customer company (hereafter Company) is unable to answer a call. Unanswered calls are forwarded to the NTC-Service for further processing.
As a service provider, NTC is subject to the GDPR. NTC's internal processes, practices, management systems and data protection procedures are therefore also GDPR-compliant.
The NTC-Service
- The NTC-Service is compliant with GDPR.
- To further protect the privacy and confidentiality of user data, the A-subscriber number is automatically anonymized in the Service after 76 days. The anonymization irreversibly destroys the Customer's identity. The Customer may at any time exercise his or her right to be forgotten; such requests are submitted to NTC by the Company.
- If the stored A-subscriber number is registered to someone other than the caller, neither NTC nor the Company has any means of identifying the caller.
- NTC allocates user names and passwords to nominated employees to give them access to the Service. Each employee's personal access rights authorize, and limit, that employee to the particular services designated to them.
- The Company must also comply with the GDPR and is responsible for how it authorizes its employees to handle personal data in the NTC-Service.
- Only authorized NTC employees have access to the databases containing Customer identities or data.
- Transfer of Customer data to any other system is neither supported nor permitted.
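The 76-day anonymization and the right-to-be-forgotten handling described in the list above, as an added worked example that is not NTC's own code. It assumes in-memory call records (a scheduled database job would run the same logic), a fixed 76-day retention period and anonymization by overwriting the number; the subscriber numbers, company names and record layout are constructed for the example. The last function shows the check a practitioner should make before calling a hash-based scheme "irreversible": a hashed phone number can be brute-forced because the input space is tiny.

```python
"""Retention-driven anonymization of A-subscriber numbers.

Added example, not NTC's code. Assumptions: call records are in-memory
dataclasses (a real service would run the same logic as a scheduled database
job), the period is the 76 days the page states, and "anonymize" means
overwriting the number with None. The phone numbers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import hashlib

RETENTION = timedelta(days=76)


@dataclass
class CallRecord:
    record_id: int
    a_number: Optional[str]  # caller (A-subscriber) number; None once anonymized
    received_at: datetime    # when the unanswered call was forwarded to the service
    company: str             # the NTC customer company the call was for


def is_expired(rec: CallRecord, now: datetime) -> bool:
    """True once the record has been held for the full retention period
    (a record exactly 76 days old counts as expired)."""
    return rec.received_at + RETENTION <= now


def anonymize(rec: CallRecord) -> None:
    """Irreversibly remove the caller identity from one record.

    The number is overwritten rather than hashed or encrypted: a hash of a
    phone number is reversible by brute force (see reverse_hashed_number), and
    an encrypted value is recoverable by whoever holds the key. The other
    fields are kept so per-company call statistics stay usable.
    """
    rec.a_number = None


def run_retention(records: List[CallRecord], now: datetime) -> int:
    """Daily job: anonymize every record older than the retention period.
    Returns how many records were anonymized in this run."""
    count = 0
    for rec in records:
        if rec.a_number is not None and is_expired(rec, now):
            anonymize(rec)
            count += 1
    return count


def erase_subscriber(records: List[CallRecord], a_number: str) -> int:
    """Right-to-be-forgotten request forwarded by the Company: anonymize every
    record for this number regardless of age. Returns how many were touched."""
    count = 0
    for rec in records:
        if rec.a_number == a_number:
            anonymize(rec)
            count += 1
    return count


def reverse_hashed_number(digest_hex: str, known_prefix: str,
                          unknown_digits: int) -> Optional[str]:
    """Why a bare hash is not anonymization: with the country code and operator
    prefix known, the remaining digits are simply enumerated. A full 7-digit
    subscriber part is 10 million SHA-256 calls, seconds of work offline; the
    demo keeps the unknown part to 4 digits so it runs instantly."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def demo() -> dict:
    """Constructed scenario: four records of differing age, one retention run,
    then an erasure request for a number the run had not yet reached."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    records = [
        CallRecord(1, "+358401234567", now - timedelta(days=100), "ExampleCo"),
        CallRecord(2, "+358401234567", now - timedelta(days=76), "ExampleCo"),  # exactly at the boundary
        CallRecord(3, "+358407654321", now - timedelta(days=75, hours=23), "ExampleCo"),
        CallRecord(4, "+358409999999", now - timedelta(days=1), "OtherCo"),
    ]
    by_retention = run_retention(records, now)
    by_request = erase_subscriber(records, "+358407654321")
    digest = hashlib.sha256(b"+358401234567").hexdigest()
    return {
        "anonymized_by_retention": by_retention,
        "anonymized_by_request": by_request,
        "numbers_after": [r.a_number for r in records],
        "hash_recovered": reverse_hashed_number(digest, "+35840123", 4),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a daily job against the record store; the retention check treats a record that is exactly 76 days old as expired, and an erasure request is served immediately rather than waiting for the next retention run. If the service needs to correlate repeat callers after the 76 days, that requirement has to be designed in explicitly (for example a keyed HMAC whose key is destroyed at the end of the retention window), because the overwrite above leaves nothing to correlate on.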
Nordic Telecom’s processes and practices
- NTC uses the IT Governance toolkit (www.itgovernence.eu) to document its GDPR compliance.
GDPR Policies and Procedures
Data Protection Policy – GDPR DOC 1.0
Training Policy – GDPR DOC 1.1
Privacy Procedure – GDPR DOC 2.1
Subject Access Request Procedure – GDPR DOC 2.2
Retention of Records Procedure – GDPR DOC 2.3
Data Protection Impact Assessment Procedure – GDPR DOC 2.4
Personal Data Breach Notification Procedure – GDPR DOC 2.5
Transfers of Personal Data to Third Countries or International Organisations Procedure – GDPR DOC 2.6
Data Portability Procedure – GDPR DOC 2.6A
Consent Procedure – GDPR DOC 2.7
Withdrawal of Consent Procedure – GDPR DOC 2.7A
Managing Sub Contract Processing – GDPR DOC 2.8
Complaints Procedure – GDPR DOC 2.9
Privacy Notice – GDPR REC 4.1
Privacy Notice Register – GDPR REC 4.1A
Subject Access Request Record – GDPR REC 4.2
Rationale for a DPO – GDPR REC 4.3
Data Protection Officer (DPO) Job Description – GDPR REC 4.3A
Data Protection Job Descriptions Responsibilities – GDPR REC 4.3B
Data Protection Impact Assessment (DPIA) Tool – GDPR REC 4.4
Internal Breach Register & Breach Notification Form – GDPR REC 4.5
Data Subject Consent Form – GDPR REC 4.6
Data Subject Consent Withdrawal Form – GDPR REC 4.6A
Parental Consent Form – GDPR REC 4.7
Parental Consent Withdrawal Form – GDPR REC 4.7A
Audit Checklist for Compliance – GDPR REC 4.8
Retention and Disposal Schedule – GDPR REC 4.9
Scope Statement – GDPR REC 4.10
PIMS and GDPR Objectives Record – GDPR REC 4.11
Management System Standard Documents
Information Security Policy – GDPR DOC 5.2
Competence Procedure – GDPR DOC 7.2
Communication Procedure – GDPR DOC 7.4
Document Control Procedure – GDPR DOC 7.5.3
Operational Control Procedure – GDPR DOC 8.1
Monitoring, Measurement, Analysis, Evaluation Procedure – GDPR DOC 9.1
Internal Audit Procedure – GDPR DOC 9.2
Data Protection Policy Review Procedure – GDPR DOC 9.3
Nonconformity and Corrective Action Procedure – GDPR DOC 10.1
Continual Improvement Procedure – GDPR DOC 10.2
Risk Assessment Procedure – RM-GDPR DOC 6.1.2
Contact with Authorities Work Instruction – GDPR-C DOC 6.1.3
Wireless Notebook Computer Security Procedure – GDPR-C DOC 6.2.1
Information Classification Procedure – GDPR-C DOC 8.2
Access Control Policy – GDPR-C DOC 9.1.1
Access Controls Rules and Rights Procedure – GDPR-C DOC 9.1.2
Individual User Agreement – GDPR-C DOC 9.2.1A
User Access Management – GDPR-C DOC 9.2.3
Physical Entry Controls and Security Areas – GDPR-C DOC 11.1.2
Secure Disposal of Storage Media – GDPR-C DOC 11.2.7
Managing Third Party Service Contracts – GDPR-C DOC 15.1.2
External Parties – Information Security Procedure – GDPR-C DOC 15.2.2
Reporting Information Security Weaknesses and Events Procedure – GDPR-C DOC 16.1.2-3
Responding to Information Security Reports – GDPR-C DOC 16.1.5
Collection of Evidence Procedure – GDPR-C DOC 16.1.7
Control of Records Procedure – GDPR-C DOC 18.1.3
Competence Matrix – GDPR REC 7.2
Monitor and Measurement Register – GDPR REC 9.1
Audit Schedule – GDPR REC 9.2.1
Audit Lead Report Sheet – GDPR REC 9.2.2
Management Review Record – GDPR REC 9.3
Corrective Action Report – GDPR REC 10.1.1
Nonconformance Report – GDPR REC 10.1.1A
Nonconformance Report Log – GDPR REC 10.1.1B
Schedule of Authorities and Key Suppliers – GDPR-C REC 6.1.3
Log of Requests to Remove Information Assets from Site – GDPR-C REC 8.3.1
Log of Information Assets for Disposal – GDPR-C REC 11.2.7
Schedule of Information Security Event Reports – GDPR-C REC 16.1.2-3A
Information Security Weaknesses and Events Checklist – GDPR-C REC 16.1.2-3B
2. User data is not transferred outside the EU/EEA; the servers and databases are physically located in Finland.
3. As protection against malicious access attempts, the NTC-Service records every failed login attempt. A user name is locked after 5 consecutive attempts with a wrong password. The user name can be unlocked by NTC at the Company's request, and NTC will investigate the cause of the lockout if the Company asks for it.
4. To prevent data breaches, server and firewall log files are reviewed daily for abnormalities in the traffic. Abnormalities are reported in accordance with the GDPR: a personal data breach is notified to the supervisory authority within 72 hours of NTC becoming aware of it, and the Customer is notified as well.
5. The NTC-Service integrates with third-party systems, typically CRM or ERP providers, over NTC's proprietary API, which is secured with HTTPS (TLS).
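The failed-attempt register and the lockout after 5 consecutive wrong passwords from item 3, together with the per-source view that the daily log review in item 4 would start from, as an added example in Python that is not part of the NTC-Service. It assumes an in-memory account store with PBKDF2 password hashes, a hypothetical AuthService class, and constructed user names, passwords and addresses from the documentation IP ranges.

```python
"""Failed-login register with lockout after 5 consecutive wrong passwords.

Added example, not NTC's code. AuthService, its account store and the PBKDF2
parameters are assumptions; user names, passwords and IP addresses below are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List
import hashlib
import hmac
import secrets

MAX_CONSECUTIVE_FAILURES = 5  # threshold stated in item 3


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class AuditEvent:
    at: datetime
    username: str
    source_ip: str
    outcome: str  # "success" | "failure" | "locked" | "unlocked"
    actor: str = ""  # NTC operator for unlock events


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """In-memory stand-in for the service's login front end (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[AuditEvent] = []  # the register of attempts

    def register_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _log(self, now: datetime, username: str, source_ip: str, outcome: str, actor: str = "") -> None:
        self.audit.append(AuditEvent(now, username, source_ip, outcome, actor))

    def authenticate(self, username: str, password: str, source_ip: str, now: datetime) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: record it, but answer exactly as for a wrong password
            # so the response does not reveal which user names exist.
            self._log(now, username, source_ip, "failure")
            return "failure"
        if acct.locked:
            # Never evaluate the password while locked: a correct guess must
            # not be distinguishable from a wrong one.
            self._log(now, username, source_ip, "locked")
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.consecutive_failures = 0  # "consecutive": a success resets the count
            self._log(now, username, source_ip, "success")
            return "success"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            acct.locked = True  # the 5th wrong password locks the user name
            self._log(now, username, source_ip, "locked")
            return "locked"
        self._log(now, username, source_ip, "failure")
        return "failure"

    def unlock(self, username: str, operator: str, now: datetime) -> bool:
        """Unlock performed by NTC on the Company's request, logged with the operator."""
        acct = self.accounts.get(username)
        if acct is None or not acct.locked:
            return False
        acct.locked = False
        acct.consecutive_failures = 0
        self._log(now, username, "-", "unlocked", actor=operator)
        return True

    def failures_by_source(self) -> Counter:
        """Failed and locked-out attempts per source IP: the view a daily review
        starts from to tell password guessing from a forgotten password."""
        return Counter(e.source_ip for e in self.audit if e.outcome in ("failure", "locked"))


def demo() -> dict:
    """Constructed scenario: one attacker address sends five wrong passwords,
    the real user is then locked out, NTC unlocks, the real user gets in."""
    svc = AuthService()
    svc.register_account("company.agent", "correct horse battery staple")
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    outcomes = [svc.authenticate("company.agent", f"guess{i}", "203.0.113.7", now) for i in range(5)]
    after_lock = svc.authenticate("company.agent", "correct horse battery staple", "198.51.100.4", now)
    unlocked = svc.unlock("company.agent", "ntc-operator-1", now)
    after_unlock = svc.authenticate("company.agent", "correct horse battery staple", "198.51.100.4", now)
    return {
        "outcomes": outcomes,
        "after_lock": after_lock,
        "unlocked": unlocked,
        "after_unlock": after_unlock,
        "attacker_failures": svc.failures_by_source()["203.0.113.7"],
        "unknown_user": svc.authenticate("nobody", "x", "203.0.113.7", now),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the counter is reset on a successful login so that only consecutive failures count, and a locked account never evaluates the submitted password, so an attacker cannot use a locked account as an oracle. Because the lockout keys on the user name, anyone who knows the user names can lock legitimate employees out; the per-source counts are what the daily review uses to separate that, or password spraying across many names, from a single user who mistyped a password.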
Enquiries and further information: aspa@nordictelecom.fi