
Technical and Organisational Measures for Ensuring Personal Data Security

2Mobile d.o.o. implemented the following technical and organisational measures to ensure an adequate level of personal data security, while taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons:

  • 1. Measures for Ensuring Personal Data Confidentiality

    1.1. Facility access control


    The purpose of facility access control is to prevent unauthorized individuals from gaining access to the facility where personal data is processed. Facility access control is carried out primarily using the following measures: 


    1. Reception desk in the office building, with receptionists on duty every business day from 8:00 a.m. to 4:00 p.m.; outside business hours, the office building is protected by a contracted security service.


    2. Controlled access to business premises: 

    • All external visitors are required to schedule a visit and register at the reception desk upon arrival by providing their name, surname, telephone number and the reason for their visit. When departing, visitors are required to notify the reception desk. 
    • The doors to the offices of 2Mobile are locked at all times. Visitors must ring the bell to be admitted to the offices. 

    3. Video surveillance of the office building: 

    • Office building video surveillance covers the areas of the reception desk, stairwells and the parking garage. 
    • Video surveillance is operated by the building manager.

    4. Key and access card management 

    • Each employee has their own access card used for entering the office building. The office is locked with a key that every employee has. It is not possible to make a duplicate key without the card. 
    • Lockers are locked and access to keys is restricted to certain employees only.
    • If an individual's employment is terminated, they must return the access card and key. 

    1.2. Computer access control


    The purpose of computer access control is to prevent unauthorized persons from using computer systems for processing personal data. Computer access control is carried out primarily using the following measures: 


    1. Windows Defender provides firewall and intrusion detection system functionalities.


    2. Windows Defender antivirus software is installed on all workstations by default. Windows automatically installs regular security and system updates.


    3. Automated software updates (e.g. operating system, anti-virus software, browsers) are enabled by default.


    4. Each employee has their own password-protected workstation. Each employee has their own password for accessing individual systems and applications.


    5. Employees are required to lock workstations when not using them. 


    6. A password-protected screensaver locks the computer automatically after 3 minutes if the employee has not locked the workstation.


    7. Every tool we use for our business has a secure login that requires a unique username, password, and two-factor authentication (OTP, MFA, 2FA).


    8. Minimum password requirements and password management:

    • Passwords must be longer than 8 characters and contain upper and lower case letters, numbers and special characters.
    • Passwords must be changed at least once every 3 months.
    • Employees are prohibited from lending passwords or using group passwords.

    9. In the event of a suspected security threat, the administrator sends a request to all employees to immediately change their password for a specific tool.


    10. Monitoring the security vulnerabilities of critical systems: The administrator is responsible for monitoring the status of providers of cloud-based tools. If security vulnerabilities are identified, we take action according to the instructions communicated by the tool provider (e.g. the administrator sends a request to all users of a specific tool to change their passwords).


    11. In the event of termination of employment, the individual's access to all systems will be terminated.


    1.3. Data access control


    Data access control includes measures to ensure that users of data processing systems can access data on the basis of the access permissions granted and that data are not subject to unauthorized reading, copying, modification or deletion during processing, use and storage. Data access control is carried out primarily using the following measures:


    1. Access to systems containing personal data is based on user accounts. Employees must obtain permission to access data and are assigned a specific segment of the system they can access. Access is only possible with a combination of username, password and MFA.


    2. Employees can only access the data they need to perform their work tasks and on a need-to-know basis. Only the CEO and system administrator are granted general access rights.


    3. Data on storage media (e.g. in computers that are being written off) is permanently erased before the equipment is written off.


    1.4. Separation control


    Separation control includes measures to ensure that data collected for different purposes is processed separately. Separation control is carried out primarily using the following measures:


    1. Development, test and production environments are separated at the customer's request.


    2. Cloud tools allow a logical separation of customers.

  • 2. Measures for Ensuring Personal Data Integrity

    2.1. Transmission control


    Transmission control includes measures for ensuring personal data cannot be subject to unauthorized reading, copying, modification or erasure during electronic transmission or storage. Transmission control is carried out primarily using the following measures: 


    1. Documents are protected with passwords.

    2. VPN tunnels are used when connecting to remote partner environments.

    3. Firewall and anti-virus protection as described in section 1.2.


    2.2. Input control


    Input control includes measures that make it possible to retrospectively check and establish whether personal data entered into a data processing system has been modified or removed, and by whom. Input control is carried out primarily using the following measures:


    1. We provide a basic audit trail for personal data processing (entry, erasure, modification) using the following features: Windows Activity History, Windows App History, browser history review, Event Viewer tool, Azure Admin Portal and reviewing e-mail or access to e-mail inbox (limited to the administrator).


    2. Employees can only access the data they need to perform their work tasks on a need-to-know basis. 


    3. Access to systems containing personal data is based on user accounts.

  • 3. Measures for Ensuring Personal Data Availability

    Availability control includes measures for ensuring data is protected against accidental destruction or loss. Data availability control is carried out primarily using the following measures: 


    1. All documents are stored in the cloud in the tools we use for our daily work. Cloud tool providers ensure secure data storage. Access to the cloud tools is granted on the basis of user accounts that support MFA, OTP and 2FA.


    2. A smoke and fire detection system is installed in the building.


    3. Firewall and anti-virus protection as described in section 1.2.


    4. In the event of a security threat or breach, the administrator sends a threat notification to all employees using shared communication channels and may require all employees to reset their passwords. 

  • 4. Organisational measures

    4.1 Employees and other collaborators


    1. Recruitment procedures are set up for careful selection of employees (for example, a detailed CV is required along with a job interview with additional questions).


    2. Employees who process or have access to personal data sign a written confidentiality statement covering personal data processing.


    3. Employees know how to identify social engineering attacks.


    4. Employees adhere to a password policy.


    5. Employees comply with the clean-screen, clean-desk policy.


    6. Employees are trained to raise awareness about security and privacy:

    • Every new employee must complete the "Varni v Pisarni" webinar available at https://www.varnivpisarni.si/ within 7 days of starting employment and save the received certificate on their device.
    • All employees are required to complete the "Security Annual Training" through Wizer (https://www.wizer-training.com/) once a year; it covers current trends in corporate security. The administrator can see whether all employees have completed their training, and employees also receive e-mail reminders to complete it.

    7. Employees are familiar with the controller's instructions, are required to comply with them, and their compliance is regularly checked. Controllers have the contractual right to perform inspections and audits.


    8. We have processes in place to carefully select service providers and monitor their performance. We have concluded appropriate data processing contracts with sub-processors, which include appropriate technical and organizational security measures and the right to perform reviews and audits.


    4.2 Auditing technical and organisational measures


    1. We review the effectiveness of technical and organisational measures at least once a year. Where weaknesses are identified, we introduce new measures or adapt existing ones.


    2. Software development is based on the principle of "data protection by design and by default", ensuring that the right to privacy is taken into account during the development and design of products, services and applications.


    4.3 Actions in the event of a personal data breach


    1. If we become aware of a personal data breach, we will notify the controller in writing without undue delay and at the latest within 24 hours of becoming aware of the breach. The written notification will include:

    • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the types and approximate number of personal data records;
    • the likely consequences of a personal data breach;
    • the measures that the controller should undertake or that we propose the controller takes to address the personal data breach, as well as, where appropriate, measures to mitigate any adverse effects of the breach. 

    2. The notification will be sent by email to the address of the Data Protection Officer of the controller or to another contact person if the controller does not have a designated Data Protection Officer. 

2Mobile d.o.o.



At 2Mobile we specialise in preparing conversational marketing strategies and multichannel communication with users. Our agile development team provides fast support in implementing technological solutions in the field of conversational marketing, from simple SMS interfaces to smart conversational bots using artificial intelligence.


    We advocate mutual trust between partners and clients and always strive for satisfaction and long-term cooperation.


    Our technological solutions, which we provide as the exclusive representative for the region in cooperation with our global partner Liveperson, enable clients to achieve a higher share of sales, as they foster customer loyalty and satisfaction.
