Information Security and Data Protection Policy
ElringKlinger AG relies heavily on information and telecommunications technology when it comes to its performance under contractual agreements. The necessary processes, information, and systems are of substantial value to the company and play a key role in meeting its corporate mission. In order to protect those values, the Management Board has decided to introduce an Information Security Management System (ISMS) based on the principles of the ISO 27001 standard and a Data Protection Management System (DPMS). The aim is to run the ISMS and DPMS as an integrated management system.
- The fundamental goal of information security activities is to provide suitable support for the business of ElringKlinger AG and protect the relevant corporate assets from risks in all essential subdivisions/departments. The corporate assets requiring protection include:
▪ Intellectual property of ElringKlinger AG
▪ Intellectual property of customers and partners
▪ Special planning and management knowledge
▪ Knowledge and skills of employees
▪ Personal data of employees, partners and customers
▪ Brands of ElringKlinger AG or the reputation of the company and other material assets
- It is also the goal of ElringKlinger AG to adhere to all statutory data protection and information security requirements, thus reducing any risk to the rights and freedoms of affected individuals to an acceptable level and ensuring the right to informational self-determination is preserved at all times.
- All employees of ElringKlinger AG are responsible for taking data protection and information security measures and ensuring an appropriate level of awareness. The employees and all individuals working on behalf of ElringKlinger AG are obliged to comply with the laws and preserve company secrets. The Management Board of ElringKlinger AG is responsible for compliance with data protection and information security regulations and provision of the necessary compliance resources. The Group Information Security Officer (GISO) and Group Data Protection Officer (GDPO) are responsible for compiling and implementing the relevant information security and data protection guidelines and measures, in consultation with the relevant works coordinators.
- Compliance with data security and IT security guidelines ensures the confidentiality, availability, and integrity of data in all networks, systems, and other data carriers. The security of any data processing will be maintained throughout all phases, and data back-ups and – where required by law – archiving must occur on a regular basis. Disposal and deletion of information must also be dealt with securely and in compliance with data protection law. ElringKlinger AG will take suitable technical and organizational measures to ensure this. Any contractual partners involved in order processing must follow and implement the instructions of ElringKlinger AG. When processing personal data or confidential information, all contractual partners must comply with the relevant standards, such as EU-DSGVO, ISO 27001, VDA-TISAX, or similar.
- Limitations on access to information must be ensured by an authorization process. Any access that occurs must be documented to ensure evidence is provided of conformity with data protection laws. Personal data and documents marked as (strictly) confidential must be secured to the latest technical standard during all processing steps.
- The relevant corporate assets must be protected against Acts of God (natural disasters), fire, water, and theft. Information security risks must be assessed on a regular basis and appropriate countermeasures taken as soon as possible to address any acute risk situation.
- A Continuous Improvement Program (CIP) has the goal of running a sustainable, stable, and efficient ISMS and DPMS. ElringKlinger AG’s information security measures are based on that CIP in order to consolidate the level of security and ensure the necessary measures are taken to address the need for information security.