General Data Protection Regulation (GDPR)

Introduction

The purpose of this article is to provide an introduction to how Antenor BMS complies with the General Data Protection Regulation (GDPR).

1.0 General

Antenor processes certain personal information on behalf of its customers by providing its software. The system is used to store the controller's information for the modules that the customer has chosen to use. Users are normally registered with name and email, which is used as a unique user ID. Name and email can be used by Antenor to send relevant and necessary system information. The customer's system administrator registers the user name and email and also grants the access they consider the end user should have to the different parts of the software. The customer, as the party responsible for processing, must use its own internal routines to inform users about the use of personal data in AMS and ABMS.

NB! The modules for competence and personal injury may contain sensitive data, and the customer must be careful when accessing these modules. Beyond these two modules, only user names are used by the system. Antenor is not responsible for the use of personal data in e.g. free-text fields. This must be regulated by the internal routines of the individual customer.

2.0 Time boundary

Registrations are maintained for as long as the customer is a user of the software, in order to document the necessary history (ref. industry standards and legal requirements). Upon termination of the agreement, the customer has the right to extract the data he/she wants, and can also ask Antenor for assistance. All history is deleted from Antenor's databases at the earliest 6 months and no later than 12 months after termination, unless otherwise agreed in writing.


3.0 Insight

The customer has full access to the system and can itself view, delete and/or archive documents in the system. Antenor will assist according to standard rates upon request. All assistance must be ordered in writing by the customer's system administrator.

4.0 Segmentation of data

Data is stored in customer-specific databases, which means that one customer's data is completely independent of and separated from another customer's data. This ensures that there is no danger of data being mixed between customers, or of customers affecting or being affected by other customers' data.

5.0 Antenor employees’ access to system

Antenor employees have full access to the system due to service needs. Employees sign their own declaration of confidentiality and ethical guidelines that outline confidential processing of data in the system.

6.0 Subcontractor approval criteria

As of 01.07.2018, 2 subcontractors will be used: ProISP and Global Office.
Attached to this document is information about their Data Processor Agreements and SLAs.

ProISP:

1. Data Processor Agreement (Databehandleravtale): https://www.proisp.no/databehandleravtale/
2. Service Agreement (Tjenesteavtale): https://www.proisp.no/tjenesteavtale/

7.0 Antenor’s backup routines

The automatic backup routine is configured by employees of Antenor AS and has run once per hour, 24/7, since 01.07.2018. Should the system fail to make a backup, Antenor Support will notify you so that the situation can be dealt with immediately.

All backups are stored in the cloud on servers within the EU.

As of 01.05.2022 we store 7 daily, 4 weekly, 12 monthly and 1 annual backups on the above servers.

Restore from backup can be done either for specific files/folders or for the full system. Alternatively, Antenor can download a backup to its local environment and then upload it to a server for restoration via FTP. This does not cause any downtime for the ABMS system server.
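The retention schedule above (7 daily, 4 weekly, 12 monthly and 1 annual copy, taken from hourly backups) is a grandfather-father-son rotation, and it is worth being able to compute exactly which copies it keeps and how old the oldest surviving copy is. The Python below is an added example, not Antenor's own tooling; it assumes that the newest backup within each calendar day, ISO week, calendar month and calendar year is the candidate for that tier, which the page does not specify, and the hourly timestamps it uses are constructed sample input.

```python
from datetime import datetime, timedelta

# Retention counts quoted from section 7.0 of the page.
RETENTION = {"daily": 7, "weekly": 4, "monthly": 12, "annual": 1}

# Assumption (not stated on the page): the newest backup inside each calendar
# day / ISO week / calendar month / calendar year is the candidate for that tier.
TIER_KEY = {
    "daily": lambda ts: ts.date(),
    "weekly": lambda ts: (ts.isocalendar()[0], ts.isocalendar()[1]),
    "monthly": lambda ts: (ts.year, ts.month),
    "annual": lambda ts: ts.year,
}


def hourly_backups(start, end):
    """Constructed sample input: one backup timestamp per hour from start to end inclusive."""
    hours = int((end - start).total_seconds() // 3600)
    return [start + timedelta(hours=h) for h in range(hours + 1)]


def select_retained(backups, now):
    """Return the set of backup timestamps the policy keeps at time `now`.

    For each tier, the newest backup of every period is a candidate and the
    RETENTION[tier] most recent candidates are kept. A backup kept by any
    tier survives; everything else is eligible for deletion.
    """
    past = sorted(ts for ts in backups if ts <= now)  # ignore anything after `now`
    keep = set()
    for tier, key in TIER_KEY.items():
        newest_per_period = {}
        for ts in past:  # ascending order, so the last write for a period wins
            newest_per_period[key(ts)] = ts
        candidates = sorted(newest_per_period.values(), reverse=True)
        keep.update(candidates[: RETENTION[tier]])
    return keep


def retention_report(backups, now):
    """Summarise what the policy keeps and deletes.

    `oldest_age_days` is the figure to compare with the deletion window stated
    in section 2.0 of the page.
    """
    kept = select_retained(backups, now)
    eligible = [ts for ts in backups if ts <= now]
    oldest = min(kept)
    return {
        "kept": sorted(kept),
        "to_delete": sorted(set(eligible) - kept),
        "oldest_retained": oldest,
        "oldest_age_days": (now - oldest).days,
    }


def demo_report():
    """Run the policy over 400 days of constructed hourly backups ending at a fixed `now`;
    one backup timestamped after `now` is included to show that it is ignored."""
    now = datetime(2022, 5, 1, 12, 0)
    backups = hourly_backups(now - timedelta(days=400), now)
    backups.append(now + timedelta(hours=1))
    return retention_report(backups, now)


if __name__ == "__main__":
    report = demo_report()
    total = len(report["kept"]) + len(report["to_delete"])
    print(f"kept {len(report['kept'])} of {total} backups")
    print("oldest retained:", report["oldest_retained"], f"({report['oldest_age_days']} days old)")
```

Running it keeps 20 of the 9601 eligible copies; the oldest survivor is the June 2021 month-end copy, about ten months old, which sits inside the 6 to 12 month deletion window of section 2.0. Because the newest backup satisfies the daily, weekly, monthly and annual tiers at once, the annual slot only becomes a distinct copy once a calendar year has closed.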

8.0 Acceptance Criteria

The following minimum criteria must be complied with by Antenor’s system suppliers:

Availability: Antenor guarantees 99% uptime.

Maximum response time: 1000 ms within Norway. Expect slightly higher in other parts of the world.

Physical security: Physical servers are expected to be in a locked server room, where only staff with operational needs have access. It is further expected that, if desired, Antenor can obtain a log of who has had access and when, and who has used their access and when.

Data security: It is expected that Antenor’s customers’ data is stored securely, behind a firewall, in a data environment that is well updated with current security routines and processes.

Data recovery: Subcontractors are expected to have good backup routines, or alternatively to give Antenor the opportunity to configure the backup routines. Furthermore, it is expected that subcontractors can assist in running a data restore should this be necessary.

Physical location: Norway

Data access: Only employees of subcontractors who have operational or supportive reasons for access should have access to Antenor’s and customers’ data.

Possibility of data transport: It should be easy to move data from one subcontractor to another, should Antenor want such a switch. All data shall, in relation to subcontractors, be owned by Antenor. Furthermore, copying and deletion of said data needs to be at the discretion of Antenor.

Process for identifying problems and solutions: Subcontractors are expected to have a support phone number. Furthermore, subcontractors are expected to have technicians available for identification and problem solving 24/7.

Agreement termination criteria: It is expected that no notice is required earlier than 30 days before any renewal of a subscription.


9.0 Overview module by module – standard available modules

| Module | Type of personal data | Basis for registration | Sensitivity/risk | Access rights | Necessary action to reduce access | Remarks |
|---|---|---|---|---|---|---|
| NCR | Name of sender, processor and verifier | The sender must be notified of the processing of the case. The sender must know the name of who will receive and process the case, and it is also necessary to know who verifies the discrepancy. History must be maintained, including who has contributed with various activities. | None | Everyone with access to the company's NCR module. User access is arranged and controlled by the customer. | None | |
| Governing Documents | Name of process owner and who issued the document; also who is responsible in a process | Data is necessary to ensure clear responsibilities in a company. History must be preserved, including who has contributed with various activities. | None | Everyone with access to the company's module for governing documents. User access is arranged and controlled by the customer. | None | The ISO standard requires that a full history be maintained and that no documents can be deleted. |
| Risk Management | Participants in the risk process | Secure a history of who has participated in risk analyses, who has carried out measures and who has approved measures. | None | Everyone with access to the company's Risk Management module. User access is arranged and controlled by the customer. | None | Risk analyses and their history must not be deleted, including who has carried out and approved various measures. Relevant e.g. in connection with accidents/incidents that require investigation. |
| KPI Scorecard | None | | None | | | |
| Supplier evaluation (Leverandørevaluering) | None | | None | | | |
| Audit | Names of participants and interviewees | Secure a log of who has participated in the audit and who has given the necessary answers. | None | Everyone with access to the company's audit management module. User access is arranged and controlled by the customer. | None | |
| Customer satisfaction | None | | None | | | |
| Safety inspection | Names of participants in the safety inspection | Secure a log of who has participated in the safety round. | None | Everyone with access to the company's safety inspection module. User access is arranged and controlled by the customer. | None | |
| Equipment Management | Person responsible for equipment | Ensure that the person responsible for equipment is notified and has an overview of what is to be carried out. History must be preserved, including who has contributed with various activities. | None | Anyone with access to the company's Equipment Management module. User access is arranged and controlled by the customer. | None | History must be retained because of documentation requirements in connection with events. |
| Competence | Name, next of kin, competence status of each individual | Next of kin information is kept with a view to emergency situations. Personnel competence is recorded to ensure that the company has the competence it needs at all times. Personal competence and personal development are measured over time. Competence must also be documentable and traceable back in time. | Average | As of January 2018, everyone with access to the module has access to all data. User access, on the other hand, is controlled by the customer. | Measures: the customer can limit access himself, but in order to increase the benefit of the system, additional access levels will be built in that ensure limited access. | |
| Process measurements | None | | None | | | |
| Personal injury | None, only data in relation to accidents | The standard form has no personal data, only general data. | None | User access is arranged and controlled by the customer. | | |
| Substance register | None | | None | | | |
| 5S | None | | None | | | |
| Job Safety Analysis | Name of participants | Logging the participants of the JSA. | None | Everyone with access to the company's module for JSA. User access is arranged and controlled by the customer. | | |
| Environmental aspects | None | | None | | | |
| New modules and customer adaptations | Not applicable | In the case of new development and/or configurations of the standard, it must be ensured that personal data is safeguarded. | Average | | Measures: update development procedures and configuration procedures that ensure that personal data is processed in accordance with legal requirements. | |
