Data Breach Management Policy

Last Updated: 08.01.2025

1. Purpose and Scope

This policy outlines Nova Education’s procedures for identifying, responding to, and managing data breaches. It ensures compliance with GDPR Article 33 and 34, and other relevant German and EU regulations.

The policy applies to all Nova Education employees, contractors, and third-party vendors who handle or process personal data on behalf of Nova Education.

2. Definitions

• Data Breach: Any security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
• Data Controller: Nova Education, responsible for determining the purposes and means of data processing.
• Data Processor: Third parties processing data on behalf of Nova Education (e.g., Stripe, Adobe Sign).
• Supervisory Authority: The relevant regulatory body for GDPR compliance in Germany (e.g., Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit).

3. Responsibilities

• Data Protection Officer (DPO):
  • Oversees the breach response process.
  • Ensures timely reporting to supervisory authorities and affected individuals.
• IT Department:
  • Investigates the breach source.
  • Secures systems to prevent further unauthorized access.
• All Employees:
  • Immediately report suspected or confirmed breaches to the DPO via [email protected].

4. Identifying a Data Breach

Breaches may include:

1. Unauthorized Access: Unpermitted access to personal data by internal or external parties.
2. Data Loss: Accidental deletion of personal data without backup.
3. Data Theft: Malicious exfiltration of sensitive data (e.g., by hackers).
4. Physical Loss: Lost or stolen devices containing personal data.

5. Reporting Procedures

5.1 Internal Reporting

• All employees and contractors must report breaches immediately to the DPO via [email protected].
• Reports must include:
  1. Description of the incident.
  2. Type of data involved.
  3. Number of affected individuals.
  4. Steps already taken to mitigate the issue.

5.2 Notification to Supervisory Authority

• Breaches must be reported to the relevant authority within 72 hours of detection.
• The report will include:
  • Nature of the breach.
  • Categories and approximate number of affected individuals.
  • Potential consequences of the breach.
  • Measures taken or proposed to address the breach.

5.3 Notification to Affected Individuals

If a breach poses a high risk to the rights and freedoms of affected individuals:

• Notifications will be sent promptly, including:
  • A description of the incident.
  • Steps individuals should take to protect themselves.
  • Nova Education’s contact information for further inquiries.

6. Mitigation and Remediation

1. Immediate Actions:
   • Restrict access to compromised systems.
   • Deploy security patches or updates.
   • Secure physical and digital backups.
2. Long-term Measures:
   • Conduct post-incident reviews to identify vulnerabilities.
   • Update security policies and training programs.

7. Record Keeping

All breach incidents must be documented, including:

• Description of the incident.
• Root cause analysis.
• Steps taken to mitigate the breach.
• Communication records with authorities and affected individuals.
• Measures implemented to prevent recurrence.

Documentation is retained for 5 years to comply with regulatory requirements.

8. Training and Awareness

• All employees will receive annual training on recognizing and responding to data breaches.
• Specific breach management protocols will be part of onboarding for new hires.

9. Testing and Review

• This policy will be reviewed and updated annually or after any significant data breach.
• Regular audits will be conducted to ensure the effectiveness of breach response procedures.

10. Contact Information

For questions or concerns related to this policy, contact:

• Email: [email protected]