Security & Privacy Policy

Purpose

Code Line Solutions d.o.o. is a member of Edison Energy LLC.

Our Information Security Management System (ISMS) and Privacy Information Management System (PIMS) have implemented security and privacy management processes and measures related to scope of software development services.

Security policy

The purpose of establishing an ISMS is to protect information and information resources from all threats, whether internal or external, accidental or intentional, through the establishment, implementation, execution, monitoring, review, maintenance, and improvement of the System, compliant with the requirements of the international standard ISO / IEC 27001: 2013. ISMS was established on the analysis of internal and external factors important for the ability to achieve the desired objectives of the information security management system.

The company’s management has defined the Information Security Policy with the aim of uninterrupted business, protection of confidential information, and further successful development of the company, as well as achieving customer satisfaction with the services provided. Primarily, the interest is to meet the requirements of the user, namely those specified by the user, but also the requirements that the user has not expressed, but which are necessary for a defined or intended use which is generally known or which is a consequence of other regulations and normative acts.

The objectives of the Information security management system are:

• Compliance with legal and contractual obligations in the field of information security;
• Protection of confidentiality, integrity, and availability of information resources;
• Establishing roles and responsibilities for information security;
• Systematic establishment of risk management processes;
• Defining the monitoring procedure and reporting on important aspects of information security;
• Incident prevention for information security;
• Continual improvement of safety control measures while measuring effectiveness.

The Managing director approves and sets the rules of information security, as well as the Information Security Policy. ISMS management representative implements security measures through appropriate procedures and technical controls.

All employees are responsible for the implementation and consistent application of the Information Security Policy and established procedure within the Information Security Management System.

Management regularly (at least once a year) reviews the Information Security Policy in order to ensure its continued improvement, adequacy, and effectiveness.

Privacy policy

Our company collects and processes personally identifiable information (hereinafter PII) of its employees and potential employees to the extent necessary to comply with the law prescribed obligations. We process PII to enable us to provide consultancy and advisory services, to promote our services, to maintain our own accounts and records, and to support and manage our employees. This policy sets out our commitment to privacy protection and individual rights and obligations in relation to personal information.

Collection and processing of PII is done in a fair and legal manner with the undertaking of all necessary technical and organizational measures to protect PII  in order to prevent unauthorized access, alteration, destruction or loss of it.

All PII  is handled with great responsibility regardless of whether it is collected, recorded or used in electronic or hard-copy form, all in accordance with legal regulations, internationally recognized practices and standards and internal procedures and rules to protect the right to privacy and the protection of information with respect to processing PII relating to them.

We believe that it is of great importance that the collection and processing of PII is done by law prescribed manner and we have paid great attention to this segment of our business and complied it additionally with the international recognized standard ISO / IEC 27701: 2019, as well as legal and other obligations. PII  is always collected and processed with the consent and knowledge of the personal information owner where they are necessary and we have introduced the Privacy Information Management System (PIMS) with software development services scope, which is continuously improved and maintained. We protect processed PII  in administrative, technical and organizational terms. Additionally, introduced PIMS system ensures that we will comply with all legal and contractual obligations applicable to the business.

We will:

• Lawfully, fairly and in a transparent manner collect and process PII only for specified, explicit, and legitimate purposes.;
• Process PII only in cases where it is is adequate, relevant, limited and necessary to enforce the law obligations;
• Collect PII to the extent necessary to fulfill the above purpose and will not process a large  amount of PII ,
• Inaccurate personal information rectified or delete without delay;
• Provide very clear information to the PII owners on how those information will be used and who can use and process them all,
• Process only relevant and adequate PII and update it when necessary,
• Process PII in accordance with legal obligations,
• Store in a safe way all collected PII,
• Keep collecting PII only for the period of time necessary to fulfill the purpose in which the information was collected,
• Respect the rights of of PII owner defined within the applicable laws,
• Adopt appropriate measures to make sure that PII  is secure and protected against unauthorised or unlawful processing and accidental loss, destruction, or damage.
• Forward / inspect the records of collected PII only to legally authorized persons and persons which are registered as a our processor,
• Develop and implement PIMS so that this policy can be implemented,
• Determine the roles and responsibilities of our employees in order to continuously improve and maintain PIMS system.

This policy applies to all employees of our company. Any breach of legal obligations regarding collection and processing of PII or PIMS is considered a serious breach of duty and in that case, we acts in accordance with the legal framework and internal acts.

We will inform the PII owner about the possibility of insight/disclosure of third parties into the collected PII, who we have registered as a processor in order to achieve a specific purpose for which the information is collected.

The location where all collected PII is stored in electronic form is on-site server located in our Server room within the Security / privacy zones 3, while PII in hard-copy form is stored within the Security/ privacy zones 3 at the following location: Danijela Ozme 3, 71000 Sarajevo, Bosnia and Herzegovina.

In the context of the definitions given within ISO / IEC 22701: 2019, we have the role of both controller and processor of PII .

Our management, as well as each employee are responsible for the development and promotion of good practices in the management of PII within the company, and each employee undergoes training in accordance with their job position.

A Management representative for PIMS is responsible for management of records of PII within the company, as well as to ensure that compliance with the applicable laws and good practices is achieved. This responsibility includes the development and implementation of PIMS, as well as the management of security and risks, in order to achieve the aforementioned compliance.

All employees are responsible for the daily use of PIMS in order to comply with ISO / IEC 27701: 2019 standard, which process or control PII as part of their job position within our company. Also, all employees are responsible for the completeness and accuracy of the PII they hold and they update them when changes occur.

All employees who work with PII  regularly attend internal trainings, all in accordance with their job positions and new responsibilities.

Lawfull basis to collect PII info through web-site on Careers form during recruitment process is candidate consent, which is stored for 6 years (consent to contact lasts for 4 years, and consent is retained for additional 2 years) and after that all PII is anonymized. If you would like to revoke the consent in order to anonymize the personal information that you have filled in Careers form prior to 6 years term, please send a request to careers@edisonenergy.com and we will complete your request within 3 months’ time.

26.09.2023.