DATA PROCESSING SECURITY POLICY

PURPOSE

The purpose of this policy is to establish the necessary measures and responsibilities of Zenisof employees in fulfilling obligations related to guaranteeing and protecting the fundamental rights and freedoms of individuals, especially the right to private, family, and personal life, concerning the processing of personal data.

SCOPE

This policy applies to all Zenisof employees involved in processing personal data and, where applicable, to authorized third parties.

TERMS AND DEFINITIONS

  • ANSPDCP - National Authority for the Supervision of Personal Data Processing
  • Personal data - Any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identification number or to one or more factors specific to their physical, physiological, psychological, economic, cultural, or social identity.
  • Anonymous data - Data that, due to its origin or specific processing method, cannot be associated with an identified or identifiable person.
  • Controller - Any natural or legal person, private or public, including public authorities, institutions, and territorial structures, that determines the purposes and means of personal data processing. If the purpose and means of processing are determined by a legal act, the controller is designated by that legal act.
  • Data Security Officer - The person responsible for ensuring the proper functioning of the information protection system containing personal data and for drafting, implementing, and monitoring compliance with the data security policy.
  • Personal data processing - Any operation or set of operations performed on personal data by automated or non-automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, blocking, deletion, or destruction.
  • Storage - The retention of collected personal data on any type of medium.
  • User - Any person acting under the authority of the controller or an authorized party with recognized access rights to personal data databases.

REFERENCES

  • Law No. 677/2001 on the protection of individuals regarding the processing of personal data and the free movement of such data, with amendments and updates.
  • The Ombudsman’s Order No. 52/2002 regarding the approval of minimum security requirements for personal data processing.
  • ANSPDCP Decision No. 90/2006 on establishing cases where personal data processing does not require notification.
  • ANSPDCP Decision No. 100/2007 on establishing cases where personal data processing does not require notification.
  • ANSPDCP Decision No. 132/2011 on conditions for processing personal identification numbers and other personal data with general applicability.

GENERAL RULES

Zenisof has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. For this purpose, Zenisof has designated responsible individuals to ensure compliance with the provisions of Law No. 677/2001.

Zenisof has implemented secure data storage measures to ensure an adequate level of protection and security in compliance with legal requirements. To meet legal obligations and maintain the security of data and information, the company has established and implemented organizational and technical measures, including:

  • User identification and authentication
  • Access control
  • Data collection procedures
  • Computer and access terminal security
  • Access file management
  • Employee training

SPECIFIC PROCEDURES

User Identification and Authentication

To access personal data, users must authenticate in Zenisof's IT systems using unique and non-transferable credentials assigned through an identity management process governed by security policies.

Each user has a unique identification code (username), which is never assigned to multiple users or shared. Unused accounts are deactivated and deleted after a set period, as determined by Zenisof's policy.

All user accounts must include an authentication method, such as a password. Passwords must be sufficiently complex and are not displayed in plain text. They are periodically updated according to Zenisof's security policies, and users must change them only through authorized processes.

The system automatically locks a user’s access after multiple incorrect authentication attempts. Users are required to keep their credentials confidential and are held accountable for their security.

Access Control

Users are permitted to access only the personal data necessary for their job duties. Different levels of access are defined based on functionality (administration, input, processing, storage) and actions performed on personal data (read, write, delete).

The IT support department may have controlled access to personal data to resolve technical issues.

Data Collection and Modification

Zenisof designates authorized users for collecting and entering personal data. Any modification of personal data must be performed only by designated users.

The system records who modified the data, along with the date and time of the change. Deleted or modified data must be stored to ensure traceability.

Computer and Terminal Security

Computers and other terminals used to access personal data must be located in restricted-access areas. If this is not possible, computers must be kept in lockable rooms. If a session displaying personal data on screen remains inactive for a specific period, it is automatically closed.

Servers hosting personal data are strictly controlled and accessed based on security rights.

Mobile storage devices (USB, external drives, CDs/DVDs) containing personal data cannot be removed from company premises without prior management approval.

Access File Management

Zenisof maintains logs of all data access activity. Attempts at unauthorized access are also recorded.

Access logs are kept for at least two years to be used as evidence if needed. If an investigation extends beyond this period, logs are retained for as long as deemed necessary.

Employee Training

Employees are trained on their obligations under Law No. 677/2001, security measures, and the risks associated with processing personal data. Users are reminded of their confidentiality responsibilities and warned through on-screen messages during work activities.

Users must log out from their workstation when leaving their desk.

Data Printing and Manual Processing

Printing personal data is restricted to authorized users only.

Documents containing personal data must be stored in locked cabinets or desks. If used for specific tasks, documents must be promptly returned or secured after use.


DATA SUBJECT RIGHTS

Right to be Informed

Before collecting personal data, Zenisof provides clear information on:

  • The purpose of data processing
  • The rights of data subjects, including access, intervention, and objection
  • Any legal requirements for data collection

Right of Access

Individuals may request free access once per year to confirm whether their personal data is being processed.

Right to Rectification and Erasure

Individuals can request correction or deletion of their personal data if the processing is unlawful or the data is inaccurate.

Right to Object

Individuals may object to the processing of their data for legitimate reasons, except where legal provisions state otherwise.

Right to Seek Legal Redress

Individuals may seek judicial remedies if their data protection rights are violated.


DATA DISCLOSURE

Personal data may be disclosed to Zenisof's authorized representatives or other public/private entities only in the following cases:

  1. With the explicit consent of the data subject
  2. If required by law

Data requests must include identification details, purpose, and legal justification. Requests failing to meet these criteria will be denied.

Before sharing personal data, Zenisof ensures data accuracy and informs recipients of any updates or restrictions on further processing.


FINAL PROVISIONS

For additional information, please contact ZENI SOF - FZCO at [email protected].

COMPANY DETAILS

Company Name: ZENI SOF - FZCO
Tax Registration Number (TRN): 104287909600001
Registered Address: DSCO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, Dubai

Contact Number: +971529348102