SECURITY POLICY
ON PERSONAL DATA PROTECTION WITH REGARD TO THEIR PROCESSING WITHIN INFORMATION SYSTEMS MANAGED BY THE COMPANY
«INFOTURISM GRUP» SRL (LLC)

Preamble
There are implemented principles provided in international documents – Universal Declaration of Human Rights, Convention for the Protection of Human Rights and Fundamental Freedoms, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and the national ones – Constitution of the Republic of Moldova, Law on personal data protection, Law on access to information, Requirements regarding the ensuring of security of personal data with regard to their processing within information systems of personal data approved by the Government Decision No. 1123 of 14 December 2010, Regulation to the Register of personal data operator approved by the Government Decision No. 296 of 15 May 2012 and other legislative/normative documents in the field while processing personal data within a company.

Introduction
The company’s, «INFOTURISM GRUP» LLC, registered office is in the Republic of Moldova, Chisinau City, 24 A. Pushkin Str.
The Policy has been approved by the mentioned company’s management, who acts in compliance with the legislation.
This Policy has been approved, inclusively that the operator complies with the Moldovan Government Decision No.1123 of 14 December 2010 “on the approval of the Requirements regarding the ensuring of security of personal data with regard to their processing within information systems of personal data” and the Law of the Republic of Moldova No.133 of 08.07.2011 “on the protection of personal data”.

DEFINITIONS
For the purpose of this Security Policy, the following definitions shall be used:

personal data – any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

special classes of personal data – data revealing the racial or ethnic origin of an individual, his/her political, religious or philosophic opinions, social identity, data regarding his/her health condition or sexual life, and data referring to criminal sentences, administrative sanctions or restrictions;

data controller – the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national laws or regulations;

processor – a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

authentication – verification of the identifier assigned to the access subject, confirmation of authenticity;

security control – actions undertaken by the company’s management in order to ensure the appropriate level of security of personal data within the information systems and/or registers held;

temporary files – data or information on durable medium created for a limited period of time, till the tasks for which these designed have been launched;

identification – assigning an identifier to access subjects and objects and/or comparing of the identifier provided with the list of identifiers assigned;

integrity – certitude, non-conflicting and topicality of information containing personal data, its protection from being destroyed and non-authorised modification;

means of cryptographic protection of information containing personal data — technical means, program and technical and applicative means, systems and sets of systems implementing algorithms of cryptographic conversion of information containing personal data, designed to ensure the integrity and confidentiality of information when processed, stored or transferred through communication means;

protection level – level of security proportional to risk that the processing implies against the respective personal data, and against rights and freedoms of those persons, developed and updated appropriately to the level of development of technologies and costs for implementing these measures;

personal data security policy – a document developed by the data operator – Infoturism Grup LLC, which precisely describes the security measures and protection features selected to secure data, by taking into consideration potential threats for personal data processed and real risks that these are exposed to;

security area — area which is in fact a passing obstacle provided by means of physical and/or technical control of access;
person in charge of personal data security policy — a person in charge of appropriate operation of the complex system of protection of information containing personal data and in charge of development, implementation and monitoring of observance of requirements of the security policy by the personal data holder;
protection of information against non-deliberate actions — measures directed to prevent non-deliberate actions caused by user’s errors, breakdown of technical and applicative means, natural phenomena or other that do not directly intend to modify information, but lead to distortion, destruction, copying, blocking of access to information, and to its loss, destruction, or failure of the medium of information containing personal data;

personal data carrier – any magnetic, optic, laser, paper medium or other information medium on which the document is created, saved, sent, received, kept or otherwise is used and allows its reproduction;

data restore – procedures to restore/pre-establish personal data as they were before to be lost or destroyed;

information technology – all methods, proceedings and means of processing or transmitting information containing personal data and rules on its implementation;

user – a person who acts under the authority of personal data holder, having the recognized right to access the information systems of personal data;

work session — period lasting from the moment the computer has been started and use of information resource, or from the moment that information resource has been started till it has closed down;

information system of personal data – all interdependent information resources and technologies, methods and staff designed to store, to process and to supply information containing personal data;

processing of personal data – any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

storage – storage of personal data on any type of medium;

personal data registration system – any series of structured personal data accessible under some specific criteria, either a centralized, decentralized one or distributed based on specific operational or geographic criteria;

the data subject’s consent – any manifestation of free will, express and unconditional written or electronic according to the requirements of the electronic document through which the subject of personal data accepts to process his personal data;
depersonalization of data – modification of data so that details referring to personal or material circumstances do not allow their assignment to an identified or identifiable natural person or to allow their assignment only during an investigation that shall involve incommensurate costs in time, means and manpower.

Goals of the Security Policy
The Policy’s main goals are the availability, integrity and confidentiality of all information, including personal data processed by Infoturism Grup LLC, both at manual processing and information technology systems and processes. Security is an essential component of optimal development of processes based on IT at Infoturism Grup LLC. The observance of this policy shall lay the basis for an appropriate IT security. It includes requirements and rules for the protection of all information, including personal data, IT systems and processes against natural influences, human and technical errors, and against deliberate actions that might cause pecuniary and non-pecuniary damages, or might result in breaches of law. Provided that the IT safety cannot be exclusively granted by some technical systems, this Policy also covers the organizational and legal issues and of any other type.

Infoturism Grup LLC shall protect personal data both of participants in process/visitors and of its staff.

The Regulation to this Policy shall be considered the minimum standard by Infoturism Grup LLC, including the company’s staff. Under this Regulation, all employees of Infoturism Grup LLC are to observe strictly the provisions of Policy and the internal regulations on the protection of personal data and IT systems developed by the mentioned company.

Instructions on hierarchy and responsibilities of person in charge of the Security Policy
The data collector, based on specifics of its work, by this Security Policy, shall transpose the procedures and measures necessary to ensure the appropriate level of protection of personal data in the managed registration systems.

The personal data security policy shall be reviewed at least once a year following the modifications and re-assessment of competences of entity that is under the responsibility of managers, to appoint the person/persons who is/are to adjust clauses of this document.

The Security Policy shall be mandatorily acknowledged, under signature, to all employees in charge of processing personal data, before being provided with access to processing data, including operating modifications as the need to ensure an appropriate level of security of data has arisen.

The person in charge of implementing and monitoring the observance of provisions of data security policy shall be appointed based on the job description and/or the internal order, who will be provided with sufficient resources (time, human resources, equipment and budget) and shall have free access to information necessary to fulfil his duties within the limits of this policy.

The person appointed, regardless of duties carried out during the monitoring, implementation/observance of provisions of the security policy, shall be subordinated to the director of Infoturism Grup LLC or the interim director.

The person in charge of the personal data security policy shall clearly define the responsibilities referring to the security of processing data (prevention, surveillance, detection and processing), and their operation beyond pressure due to personal interests or other circumstances.

This person shall define clearly the responsibilities and processes of management of data security, by integrating them in the organizational chart and general functioning, shall work out technical and organizational measures necessary for the management of data security, shall elaborate the procedures of classification of information containing personal data, so that to be possible to draw up a classification and all data that are processed to be located, regardless of the type of data carrier, shall train people involved in data processing that they fulfil their duties and assume the responsibility for the data security, including their confidentiality.

Means falling under the data protection principles
Personal data protection at Infoturism Grup LLC (as data processor) is granted through more technical and organizational measures of preventing illegal processing of data.
Under protection, through specific means/methods, shall undergo all managed information resources of the processor that include personal data, kept on:
– magnetic, optical, laser medium or other electronic information medium, information bulks and databases;
– information systems, networks, operation systems, database management systems and other applications, telecommunication systems, including means of developing and multiplying documents and other technical means for information processing.

Measures of data protection shall be undertaken:
to prevent information leakage by excluding unauthorised access to it;
to prevent destruction, non-authorised modification, copying, and blocking of data in the telecommunication networks and information resources;
not to disclose limited accessibility information to third parties;
to optimize information resources both on paper and electronic ones.

Protection of data processed in information systems shall be made through the following methods:
preventing unauthorised connections to telecommunication networks and intercepting through technical means of personal data transmitted via these networks;
excluding unauthorized access to processed data,
preventing special technical and program actions, which condition the destruction, modifications of data or failure in the work of technical and program set of actions,
preventing deliberate and/or non-deliberate actions by internal and/or external users, and other members of the data controller/persons authorised by the controller, which condition the destruction, modifications of data or failure in the work of technical and program set of actions,
preventing the leakage of information containing personal data sent through liaison channels, is to be granted by using the coding of that information and by using VPN,
preventing the destruction, modification of data or failure in functioning of the soft designed for processing personal data, this is to be ensured based on the method of using special technical and program protection means, including licenced programs, antivirus programs, organizing the system of control of soft security and making regular safety copies,
preventing the leakage of information containing personal data by carrying out the internal audit of information system on a continuous-basis.
establishing the exact order of access to information containing personal data processed by the information systems and registration systems set out both for internal users and external users.
Organizational and technical procedures that are to be observed by Infoturism Grup LLC when processing personal data
General measures for information security management
Where the information carrier on paper and electronic (digital) ones that contain personal data are not used temporary, they shall be kept in safes or locked metal cabinets.
Computers, access terminals and printers shall be disconnected when work session finished.
It is ensured the security of points of mail delivery/receipt and the security against unauthorized access to fax and copying devices.
It is ensured the security and physical access to means of representation of information containing personal data meant to prevent its visualization by unauthorized persons.
Devices for processing data, information containing personal data or softs designed to process such data may be taken out from the security area if a written authorization by the management issued.
All programs used in the computer system shall meet the authorization requirements.
It is forbidden to install programs of type Shareware or freeware, without the approval of the computer system’s administrator.

Security of the physical environment and information technologies used during the data processing
Access to premises/offices/rooms or places where the information systems of personal data are installed is restricted, being allowed only to persons authorized appropriately, pursuant to the list or appropriate signs (badges, ID cards).
Physical access shall be managed and monitored to all access points to the information systems of personal data, including actions taken where the access regime violated.
The security area of Infoturism Grup LLC is in fact the rooms where the personal data are processed/stored.
The area of the building or rooms where the data processing means are located shall be upright from physical point of view, the rooms’ external walls shall be resistant, and entrances shall be equipped with locks and signal light.
The location of data processing means shall comply with the need to ensure their security against unauthorized access, theft, fire, flood and other possible risks.
Doors and windows shall be locked if no member in the room.
Computers, servers, and other access terminals shall be located in places with restricted access for foreign persons.
Access to the security area of the building of Infoturism Grup LLC, where personal data are processed/stored with unauthorized photo/video equipment is forbidden, by taking into consideration the need to ensure the regime of security and confidentiality of processing of data, set out in Articles 29 and 30 of the Law on the protection of data, as well as point 26 of the Requirements.
Use of photo, video, audio equipment or other devices for recording shall be allowed only by a special authorization issued by the management.

Users’ identification and authentication
Users of the information systems of personal data and processes executed on their behalf shall identify and authenticate themselves.
All users (including staff providing technical support, network administrators, programmers and database administrators) have a personal ID (User’s ID) that does not include the data of the accessibility level by the user.
To confirm the user’s ID, passwords, special physical access devices with memory (token) or cards with microprocessors, biometric authentication means based on single and individual data of a person, shall be used.
Where the user’s contract of employment / labour relations are ceased, suspended or changed and new tasks do not need access to personal data, or the user’s access rights have been changed, or the user made abuse of codes provided intending to commit a harmful act, has been absent for a long period, the identification and authentication codes shall be revoked or suspended by the IT administrator.

Equipment identification and authentication
It shall be ensured the possibility to identify and authenticate the equipment used during data processing by keeping this information for a longer period.

Management of users’ identifiers
The management of users’ identifiers shall include:
sole identification of each user,
verification of authenticity of each user.

Use of passwords when ensuring the information security
There shall be observed the rules on ensuring the information security where passwords selected and use include:
keeping password confidential,
prohibiting to put down passwords, where their security is not provided,
changing passwords every time features of an eventual discrediting of the system or password observed,
selecting quality passwords of minimum 8 symbols, which are not related to personal data of a user, do not contain consecutive identical symbols and are not made integrally from groups of numbers or letters,
changing passwords within 3 months,
de-activating the automated registration process (by using saved passwords).

Control over the access management
The regular control of actions by users to assess the correctness and compliance of operations and actions undertaken via the data information systems shall be made.

Remote access
All methods of remote access to the information systems of personal data shall be secured (be using VPN, encryption, codification etc.), and documented, monitored and checked.
Each method of remote access to information systems of personal data shall be authorized by persons in charge of Infoturism Grup LLC and shall be allowed only to users that need it in order to execute the objectives set.

Limiting the use of wireless technologies
Wireless access to information systems of data shall be limited to maximum possible, documented, monitored and checked.
Wireless access to information systems of data shall be allowed only in case of use of cryptographic means of protection of information.
The use of wireless technologies shall be authorized by the responsible persons of Infoturism Grup LLC.

Energy Security
The electrical equipment is used to maintain the information systems of data, electrical cables functional, and is insured from damages and unauthorized connections, by installing them in special niches.
Where an emergency, failure or force majeure event happens, there is the possibility to disconnect the information systems of data from power supply, including the possibility to disconnect any IT component.
There are implemented automated systems for detecting and signalling fires in rooms where the information systems of data and means for data processing are located.

Checking the installation and uninstallation of IT components.
Program means, technical means and program technical ones used in the information systems of data shall be verified and recorded.
Information containing personal data and saved on the data carrier shall be destroyed physically or shall be transcribed, and shall be destroyed by safe methods, by avoiding using standard methods of destruction.

Data Disclosure
a) The disclosure of electronic data included in the registration systems, via the communication networks or on any other digital store medium is to be ensured by encrypting this information or by examining possibility to use a bilateral connection via a VPN secured channel. Wireless access to data registration systems shall be allowed only to authorized users. Each request of disclosure by transmitting data electronically shall be examined individually based on technical possibilities provided by the recipient and controller, and in compliance with organizational and technical measures implemented by parties. Where the communication networks present a risk for the confidentiality and security of data, the traditional methods of transmission (receipt acknowledgment letter, personal handing over, etc.) shall be used.
b) The disclosure through transmission of data via the communication networks that do not meet the Requirements, (for instance: sending information by personal e-mail of type @gmail.com, @mail.ru, @yahoo.com, etc.) is prohibited.
c) There are prohibited operations of disclosure of data between Infoturism Grup LLC and other entities located on the left bank of Nistru River that refuse to comply with the laws of Moldova, based on the fact that presently there is no possibility to carry out any effective control in that region of the country, including as regards the compliance of data processing with the provisions of the Law on data protection.
d) The procedure of disclosure, by transmitting data on paper and/or on digital medium outside the Republic of Moldova, is to be regulated through an institutional normative act / bilateral agreement, by taking into consideration the need to ensure an appropriate level of protection of data.
e) The cross-border transmission of data shall be made in strict compliance with provisions of Article 32 of the Law on data protection, especially in cases when an international treaty under which this transmission made does not include guarantees regarding the protection of rights of data subjects.
f) Amount and types of data collected for purposes of keeping records by Infoturism Grup LLC shall be limited to the minimum in order to achieve the goals declared.
g) Access to the information systems managed by Infoturism Grup LLC, provided to the General Prosecutor’s Office (as the case may be regional/specialised offices), Interior Ministry, National Anticorruption Centre, etc., shall be allowed only in cases where a request addressed in line with Articles 15 and 212 of the Code of Criminal Procedure.
It is explained that, under Article 157 of the Code of Criminal Procedure, any type of documents (written, audio, video, electronic etc.) provided by natural persons or legal entities, if these exposed or circumstances important for the case certified, (including information stored in the audit of the information and registration systems), may be requested by the criminal investigation body during the criminal investigation or during the criminal trial. Respectively, there shall be respected the provisions of Article 214 of the Code of Criminal Procedure, which reads that official information with limited access cannot be administered, used and spread without need during the criminal trial. Persons whom the criminal investigation body or the court ask to communicate or to provide the official information with limited accessibility (including data controller) have the right to be confident that the respective data are collected for that criminal trial and, on the contrary, to refuse to communicate or to provide data. Persons whom the criminal investigation body or the court ask to communicate or to provide the official information with limited accessibility have the right to receive prior from the persons requesting that information a written explanation note confirming the need for such supply of data.
It should be taken into consideration the fact that, under Article 8 of the Law on access to information, data considered as official information with limited accessibility, the access to such information shall be made in line with the law on data protection.
Where the lawyer or empowered person request to get acquainted with the personal file of client, he is to be informed in written of the obligations assumed under Article 15 of the Code of criminal procedures, Articles 29 and 30 of the Law on data protection, including the liability set out in Article 741 of the Administrative Code.

Rights of data subjects
Where data are collected directly from subjects, pursuant to Article 12 of the Law on data protection, that person shall be supplied with following information, except for situation when he already knows that information:
regarding the identity of controller or, if appropriate, the identity of person authorized by the controller (name, address, IDNO, registration number in the Register of data controller);
regarding the concrete purpose of processing of data collected;
regarding the recipients and categories of recipients of data;
existence of rights to information and access to data collected; to change data (especially to correct, to update, to block or to delete data the processing of which counters against the law due to that they are incomplete or inaccurate) to oppose, as well as conditions under which these rights may be exercised; if answers to questions based on which data are collected are mandatory or voluntary, including possible consequences if refuse to answer the respective questions.
b) Data subjects are granted the right to access and the possibility to get familiarized with documents drawn-up in order to check if these were drawn up correctly, to contest the non-inclusion or incorrect inclusion of some data and other errors committed when writing down data of that person. In this context, persons in charge of data processing shall provide that person with access only to his/her data, being excluded the possibility to consult data of data subjects included in their files (other documents), except for cases when applicants fulfill one of their legitimate interests that does not harm the interests or rights and fundamental freedoms of data subjects.
c) The right to information is guaranteed by the data controller (or entities ensuring the maintenance of system or provide the controller’s outsourced services) to all persons undergoing the processing.
d) Where the data subject does not exercise the right to intervene, the inexact data will be updated by correction or deletion, as ground being used only the legal sources (identity cards, marital status documents, state information resources etc.) the change is to be made in all information and registration systems managed.

Storage, maintenance and destruction of data processed
a) Access to areas/rooms where the information and registration systems of data are located is restricted, being allowed only to persons authorized under the company’s security policy/department regulations approved.
b) Storage and maintenance of electronic data structured in the registration systems, in computers connected to internet, are not equipped with special technical and program protection means, and have no licenced programs, antivirus programs installed, no system to check the soft security, to make back-up copies and audit – is prohibited.
c) Introduction in the company’s security area and use of personal computers or of data carriers for work purposes are forbidden. Moreover, access to the company’s computers is protected/restricted by creating users’ profiles, and the administrator’s rights are provided only to person responsible for the implementation of security policy of Infoturism Grup” LLC.
d) Storage of data on magnetic, optic, laser medium, on paper or other medium, on which the document is created, saved, transmitted, received, kept or otherwise used and which allows is reproduction, shall be ensured by their placing in safes or locked metal cabinet. Unauthorized taking out of data carriers from the security area of processor is forbidden.

Audit of managed information systems
The user’s attempts to enter/exist the system are registered under the following parameters:
– date and time of entry/exist;
– User’s ID;
– result of entry/exist – positive or negative.

Protection against harmful programs (viruses)
Protection against infiltration of harmful programs into softs created to process data is granted via the licenced anti-virus programs.

Testing the functional possibilities of granting the security of information systems of data
The testing of correct functionality of security functions of the information systems of data (automatically when switching on the system and monthly at a request by an authorized user) shall be conducted.

Security incident management
Staff in charge of operation of information systems of data at least once a year participates in trainings regarding responsibilities and duties when undertaking the management and action to security incidents.
Infoturism Grup LLC staff shall inform immediately the management of the incidents violating the security of the information systems of data.
Processing of incidents means finding, analysing, preventing the development of, removing and re-establishment of security.
Till the date of 31 January, annually, the controller shall inform, in written form, the National Centre for Data Protection of the Republic of Moldova of the security incidents found.
Where a security incident produced at the Infoturism Grup LLC, the person in charge shall undertake the necessary measures in order to find the source, shall analyse it and shall remove its causes, by informing within 72 hours from its occurrence, the National Centre for Data Protection of the Republic of Moldova.
During inspections carried out by the National Centre for Data Protection of the Republic of Moldova, it shall be provided with necessary support and access to data relevant for the inspection subject.”

Responsibility for ensuring security of data and limited accessibility information
Data processor, person authorized by the processor, third persons, where appropriate, signers, shall be held civilly liable (Civil Code), administratively liable (under Article 741 of the Administrative Code) and criminally liable (under Articles 177, 178, 180 of the Criminal Code) for non-observing the provisions of the Security Policy.