Policy on Data Protection and Information Security

Version 01.12.2025

1. Introduction

The Nunatak Group GmbH hereby adopts this Policy on Data Protection and Information Security for our company.

As a company, we process a wide range of (personal) data in order to fulfil our duties and obligations towards our clients, contractual partners, service providers and other stakeholders.

In doing so, we process data with varying levels of protection requirements. The security of information processing and the protection of personal data play an essential role in our company. This policy is intended to present the strategy, organisation and objectives of data protection and information security in our company in a clear and concise manner.

2. Scope

This policy obliges all employees of The Nunatak Group GmbH to comply with the obligations set out herein.

Employees and external business partners will be informed as necessary of any changes relevant to them by The Nunatak Group GmbH.

3. Objectives

Cybersecurity and Product Security

The Nunatak Group GmbH is committed to ensuring the security of its services, which may be exposed to potential risks from cyber attacks. The company has implemented appropriate technical and organisational measures to increase the resilience of its systems, networks and data and to minimise the impact of security incidents. The company ensures that its services are developed and provided in compliance with applicable legal requirements and standards for cybersecurity. The company also promotes the secure development of its services by incorporating security aspects in all phases of the consulting cycle.

Employees

The Nunatak Group GmbH is committed to raising the awareness and competence of its employees in the areas of data protection and information security. The company conducts regular training and awareness-raising measures to inform employees about potential threats and protective measures. The company fosters a culture of responsibility and trust in which employees actively contribute to improving data protection and information security practices.

Complexity

The Nunatak Group GmbH acknowledges that data protection and information security represent complex and dynamic challenges encompassing both physical and digital aspects. The company pursues a holistic and risk-based approach to address the various dimensions of security, such as hardware, software, networks, data, people, processes and organisation. The company monitors and evaluates the constantly evolving security landscape and existing and emerging threats and vulnerabilities.

4. Organisation of Data Protection and Information Security

To achieve the objectives of this policy, a Data Protection Officer has been appointed by the management. The Data Protection Officer also advises the management on the planning and implementation of Information Security within the company. In this capacity, he reports directly to the management on an as-needed basis, but at least once a year.

The Information Security Officer shall be involved in all projects at an early stage in order to take security-relevant aspects into account as early as the planning phase.

In the area of personal data processing, care shall be taken to involve the Data Protection Officer at an early stage in the planning and introduction of new processes in which personal data is processed, and likewise in changes to existing processes. The same applies to projects and changes with an impact on information security, so that security-relevant aspects are taken into account as early as the planning phase.

A management system exists within the company for the areas of information security and data protection. A continuous improvement process has been implemented with the aim of coordinating the individual measures in these areas so that the objectives of this policy are achieved.

A Data Protection and Information Security Team ("Data Protection Team" – DPT) has been established to support and assist in the planning, implementation and evaluation of data protection and information security within the company. The DPT plans the policies required to implement the objectives of this policy, coordinates them with the management, regularly reviews their effectiveness and makes adjustments where necessary. In the event that the DPT disagrees on matters relating to the planning, implementation, evaluation or adjustment of policies, or in the assessment of factual or legal issues, the DPT shall present this to the management. The management shall then decide and, where necessary, initiate measures.

Company policies are made binding by the management so that they must be observed by the respective addressees of the policy and violations may be sanctioned where applicable.

5. Measures

A Risk Management Framework has been established in order to ensure the security of data and information. This means that the DPT regularly conducts risk analyses to identify and assess potential threats and vulnerabilities to confidentiality, integrity and availability. Based on the results of the risk analyses, the DPT shall determine and implement appropriate measures to reduce or eliminate the risks. The measures are selected in accordance with the principle of necessity and proportionality, i.e. they shall be appropriate, effective and efficient without causing disproportionate disadvantages or costs. The Information Security Officer reviews the effectiveness of the measures and monitors whether they achieve the defined objectives and whether they need to be adapted to changed circumstances or new requirements.

The measures for implementing this policy may take the form of technical and organisational measures. These also include policies, operational regulations or operational instructions. These must be followed by all employees.

6. Responsibilities

Senior Management assumes overall responsibility for Information Security and data protection within the company.

The Data Protection Officer is the point of contact for data protection and information security within the company. He advises, monitors and supports the management and employees with regard to the processing of personal data within the company. His duties arise from the data protection regulations (GDPR, BDSG, etc.) and additional legal requirements (NIS2, AI Act) in the area of information security.

The Data Protection and Information Security Team supports the Data Protection Officer in the planning, coordination and implementation of data protection and information security within the company. This team meets at regular intervals to ensure the continuous improvement process.

IT Administration implements the policies and other requirements relating to data protection and information security within its area of responsibility. It coordinates measures that have an impact on information security with the Information Security Officer. It carries out technical measures in coordination with the management and contributes to the optimisation of information security through improvement proposals.

Line managers with personnel responsibility are responsible for ensuring that the technical and organisational measures for information security are implemented with respect to the persons working within their area of responsibility.

All employees contribute to ensuring data protection and information security through their conduct. They are obliged to comply with this policy and the policies on data protection and information security. In order to ensure data protection and information security within the company, every employee is obliged to report disruptions, security incidents and emergencies in the area of information security immediately and directly to the Data Protection Officer.

Project or process owners must consult the Data Protection Officer on all projects that affect the processing of personal data in order to ensure compliance with data protection regulations. Furthermore, all project or process owners are obliged to consult the Data Protection Officer on all projects that have an impact on information security within the company.

Suppliers, external service providers and other contractors shall be required by separate agreements to comply with the applicable requirements regarding data protection and information security if they process data on behalf of the company or have the possibility of gaining knowledge of personal data or information classified as non-public by the company.

7. Sanctions

A violation of this policy may constitute a breach of employment contract obligations and may be sanctioned accordingly.

For suppliers, external service providers and other contractors, contractual penalty provisions shall be agreed in cases of particular risk.
