gdpr code of conduct example

The LUCY Code of Conduct for GDPR compliance

At LUCY Security, a lean GDPR Code of Conduct provides guidance in dealing with the General Data Protection Regulation. We’ll show you what we’ve done.

As a Swiss company following also EU law, we have taken the European-wide introduction of the General Data Protection Regulation as an opportunity to revise our data security processes and we have introduced a GDPR guideline for our employees.

Our GDPR code of conduct helps our employees to comply with the  new law and it is nothing more than a brief list of the elements that are important to us as a software company. We have deliberately dispensed with legal language and a detailed description. We wanted to create a well memorable guide to GDPR and not write a book! Attention: LUCY Security has further security policies, the GDPR guideline is not the only security policy in operation. Here comes our GDPR Code of Conduct:

GDPR – Fundamentals

Data protection is everybody’s business! Every LUCY employee is obliged to handle personal or customer data responsibly.

The customer data belongs to the customer! Finally, the customer determines what the (his) data is to be used for. He determines the purpose.

The term data subject is also to be understood in this guide as a synonym for customer or data owner.

The customer is the so-called controller, LUCY is the so-called data processor.

LUCY is liable for data protection violations of the personal data held or for breaches of the law.

There is a DPO (data protection officer) in the company and the management of LUCY Security is equally responsible for compliance with the Data Protection Act.

GDPR – The Guiding Principles

  1. The employees of LUCY Security develop software that corresponds to the “Security by Design” approach. Privacy and data protection are as important in software development as speed, stability and maintainability.
  2. The unsolicited use of (customers/persons) data for purposes other than the purpose of origin is prohibited.
  3. Customer instructions concerning data must always be given in writing and must be followed immediately by LUCY employees.
  4. The LUCY employee checks whether a customer instruction for his data is regular or exceptional. The implementation of exceptional instructions may be subject to a fee. The DPO will be happy to help in such cases.
  5. LUCY Security also takes over future changes in the GDPR legislation.
  6. Customer data must be kept safe (data security) and with integrity by LUCY employees and subcontractors.
  7. The provision of data to subcontractors requires the explicit consent of the customer. The subcontractors have the same duties as LUCY itself and they must grant the customer the same rights. The subcontractor must also be able to prove that he fulfils the GDPR requirements and fulfils the duties.
  8. LUCY Security has a duty of proof that customer data is secure.
  9. Data is encrypted and access to it is secured.
  10. Customer data may not be freely viewed. An anonymization or pseudonimization is to be chosen, so that the access to the data processing for the LUCY employees can take place virtually only in the technical sense.
  11. LUCY and its employees implement technical GDPR measures: Encryption, pseudonimization, backup & restore, secure physical and it access. Further additional measures are reserved.
  12. LUCY and its employees implement organizational protection measures: They keep an ongoing record of processing activities (link to the document “Record of Processing Activities”), they maintain and document the data processing processes. Additional measures reserved.
  13. Regular security checks of the technical measures are carried out at least every 24 months.
  14. LUCY regularly checks / audits the organizational measures (process execution, directories, documentation).
  15. The customer or the data subject can request access to their data. The LUCY employees must support him without delay and free of charge and allow him access.
  16. Data protection incidents must be reported to the customer within 48 hours. There is an information obligation with cause, number of records affected, how it was compromised, what are the consequences and what countermeasures were taken. Databreaches are reported using a standard LUCY form.
  17. In the event of data protection incidents, the incident mitigation must be initiated immediately.
  18. If LUCY audits the data processing (of customer data) by third parties (authorities), this must be reported to the customer immediately.
  19. Enforcement authorities may audit the data processing or even view data, but they must present an official legimitation.
  20. A possible publication of the data to the authorities or other external parties is always only possible via the DPO and its consent!
  21. If the customer requests that he wants his data back, then these are to be given back to him immediately. This is usually equivalent to the end of a contract. Residual budgets, remaining license terms will not be refunded to the customer.
  22. Upon return of the customer data, a receipt must be issued and the data must be irrevocably deleted by LUCY.
  23. The customer has the right to audit his customer data, he must announce this at least 3 days in advance.
  24. This is a non-exhaustive list of LUCY’s obligation to support the following data-related customer business requests:
    1. Information requests (Where and how is my data kept?)
    2. Data corrections
    3. Deletion requests (If this refers to data relating to customer installations of ‘LUCY Server’, this can lead to the end of the contract)
    4. Restrictions on data processing (This can lead to the end of the contract)
    5. Exercise of the right of data portability (export of LUCY Server user data, possibly further data records)
    6. Exercise of the right to object to data processing (enforces termination of contract) at LUCY Security
  25. We don’t transfer Datasets to other countries (Non-EU, Non-Switzerland)

Acknowledgements and Signatures

I agree that I have read and understood all paragraphs. I will follow the policies

Place & Date

Signature DPO of the company / Signature of the employee


It’s a GDPR Code of Conduct Example!

The above Code of Conduct for GDPR is a practical example of LUCY Security AG from Switzerland. All content is subject to change. All information is without guarantee and LUCY Security assumes no liability for the correctness and completeness of the contents.

A simply formulated GDPR employee guideline increases the security in the enterprise, we are absolutely convinced of it!

Let us know what you think! Thank you.

April 2018.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.