The GDPR (General Data Protection Regulation) is the new legal framework for data protection across the European Union and applies from 25 May 2018. It replaces the Data Protection Directive, in force in the EU since 1995, and is complemented by national privacy laws. The aim of the regulation is to harmonize data protection across all EU countries through a single set of common rules.
Data protection at Enter
The focus on personal data protection is not new at Enter. Since it began operating as a telecommunications operator and internet service provider, Enter has put in place the processes and tools needed to manage and store correctly the personal data handled in that role. As a cloud provider, the company designed its services from the outset around high reliability, information security and business continuity, placing customer data at the core of its business. The arrival of the GDPR has been welcomed as an opportunity to further refine and strengthen the company's services and processes.
Enter offers cloud services both from its own data center in Milan and from two European data centers in Frankfurt and Amsterdam. Data is processed and stored exclusively within Europe. Since 2016, Enter has been recognised as a provider of cloud infrastructure for the European Community.
When dealing with hosting and cloud services, it is important to distinguish between the security of the personal data hosted by the customer and the security of the infrastructure that hosts that data.
Security of personal data in customer applications:
the customer implements and manages the applications hosted on the cloud infrastructure allocated to it, and defines the application-level security measures. Enter provides tools that support the customer in monitoring and managing the protection of personal data.
Cloud Infrastructure security:
Enter is committed to ensuring the highest level of security for its infrastructure, implementing information security policies and meeting the requirements of several legal frameworks and certification schemes (PCI DSS, ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018).
Enter as data controller
This is the case when Enter collects data for billing, managing accounts receivable, sales prospecting, commercial management and similar purposes. It is also the case when Enter collects personal data about its own employees. This direct processing of customer data follows the data protection principles that the GDPR reaffirms:
- informed consent
- purpose limitation
- data minimization
- storage limitation
- right to data portability
- privacy by design
Enter as data processor
Whenever the customer stores personal data on Enter's infrastructure, Enter commits to:
- process personal data exclusively for the purpose of correctly providing the services
- refrain from any profiling activity
- not transfer data outside the EU
- inform the customer of any sub-processor that may process personal data
- implement high security standards to guarantee the availability, confidentiality and integrity of the services provided
- notify the customer without undue delay in the event of a personal data breach
Enter implements a full set of security measures, subject to continuous improvement, to guarantee an adequate level of security for the data and services hosted on its infrastructure:
- physical security measures, to prevent unauthorized parties from accessing the infrastructure on which customer data is stored
- PCI DSS certified data center
- supervision of the company-owned data center and a 24-hour on-call service
- physical and/or logical segregation of customer environments, to keep different customers' data separate
- fire prevention, anti-flooding, air conditioning and video surveillance systems, constantly active and subject to regular maintenance
- authorization management, so that access to premises and data is granted only to those who need it and only for their assigned tasks
- redundancy at every critical point of the infrastructure, to ensure data availability and integrity
- network security devices protecting services from unauthorized access and from attack or denial-of-service attempts
- accountability and oversight of system administrator operations, as required by current regulations
- periodic vulnerability assessments to identify and correct vulnerabilities or malfunctions
- incident management and data breach management processes, reviewed and enhanced
Data Protection Officer (DPO)
The Data Protection Officer (DPO), appointed as required by Art. 37 of the GDPR, can be contacted by email at the following address: firstname.lastname@example.org.