IT Security Policy
Refurb® is part of Egiss A/S.
Egiss A/S ("Egiss", "Refurb", "our" or "we") wants to be an attractive company for employees, business partners and customers. This must be achieved, among other things, through efficiency and quality in our IT security work: an essential prerequisite for our employees, business partners and customers finding us attractive is that we constantly ensure an appropriate and sufficiently high level of IT security. The IT security level must meet the requirements of legislation, including the Danish Personal Data Act and the European Personal Data Regulation.
A data-safe environmental footprint on our common earth
We are set in the world to create commercial gain while reducing environmental impact through product life extension and value recovery on used IT equipment.
Field of application
The IT security policy applies to electronic data processing (collection, storage and deletion) of goods, company information and personal data in Refurb.
Personal data and responsibility
Refurb processes several layers of personal data: data from our customers, business partners, suppliers and employees. We process all personal data legally, fairly and in a transparent manner. We continuously work to ensure that all personal data is correct and up to date, and that incorrect personal data and information that is no longer needed is corrected or deleted. The management at Egiss has the ultimate responsibility for IT security and the processing of personal data. For more detail, see our Privacy Policy.
Safety measures
Only employees with a work-related need for access to electronic data processing, including registered personal data, have access, whether physically or through IT systems with rights management. This is ensured by our internal IT system, which only the management and IT administrators have access to change. Thus, only the management and IT administrators are entitled to assign areas of responsibility to the relevant employees.
In addition, the following safety measures are followed in daily work:
- All computers are password-protected and must not be left unlocked.
- We have a "clear desk policy", i.e. sensitive personal data must not be left unsupervised on desks or elsewhere, and employees must lock their computers when leaving them.
- Computers are only delivered after firewall and antivirus software have been installed in advance.
- Firewalls, antivirus programs and operating systems on both computers and servers are continuously updated via the internal IT system.
- Personal information is deleted in a responsible manner when phasing out and repairing IT equipment.
- Backup: We make backups on servers located in the EU.
- Monitoring: We continuously monitor the IT infrastructure to be able to act on potential illegal intrusions.
- External electronic storage media never contain personal data.
- Physical folders are kept in locked offices or locked cupboards. Personal information in physical folders is deleted by shredding.
- All employees are instructed in the processing and protection of personal data, both upon employment and continuously throughout it.
Awareness of IT security
A high IT security awareness and appropriate behaviour by all our employees are among the most critical security measures. It is thus our aim that there is a high awareness of security everywhere in the company. Therefore, upon employment and continuously throughout the employment relationship, employees are trained and made aware of conditions related to maintaining an appropriate and sufficiently high level of IT security and correct processing of personal data.
IT preparedness
We prepare, maintain and continuously test contingency plans that ensure emergency operation, escalation, re-establishment and resumption of normal function in the event of major breakdowns in our IT systems.
Egiss contacts the Danish Data Protection Authority as soon as possible and within 72 hours if there is a breach of personal data security in the company. If the security breach entails a high risk for those registered, they will also be informed as soon as possible and within 72 hours.