Ferrero’s Technical & Organizational Security Measures

1.1 Ferrero has implemented duly documented and regularly updated personal data protection policies.
1.2 Ferrero’s personal data protection procedures are formally documented, when required, periodically reviewed and substantiated with objective documents (e.g., minutes of meetings, lists, IT logs), which may demonstrate constant diligence and vigilance regarding the protection of personal data in the processing activities carried out.
1.3 Ferrero has appointed both a security officer and a data protection officer (DPO) responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance.

2.1 Ferrero’s employees are aware of the procedures for data subjects to exercise their right of access, and for communicating requests to exercise data subjects’ rights to the data controller.
2.2 Ferrero maintains a general register where these requests, e.g., to exercise the right of access, are recorded.
2.3 Ferrero has appointed a person/function (the DPO) in charge of providing written explanations to the data controller regarding requests from data subjects.
2.4 Ferrero has set a deadline for communicating requests to the data controller.
2.5 Ferrero has a procedure to document, in writing, any refusals given to data subjects’ requests to exercise their rights to erasure, restriction of processing or data portability, and to share this documentation with the data controller.

3. PRIVACY POLICY (ART. 13 GDPR) (where applicable)
3.1 Ferrero’s employees and other persons responsible for offering privacy policies/personal data protection notices to data subjects and/or for collecting data subjects’ consent, also on behalf of the data controller, have been specifically trained regarding personal data protection rules.
3.2 Ferrero periodically check these employees or other persons’ behaviour, when dealing with data subjects.
3.3 When offering privacy policies/personal data protection notices to data subjects, Ferrero’s employees and other persons responsible are able to clearly inform those data subjects of their rights, either orally or in writing.
3.4 Ferrero keeps a record of all sources from which obtains personal data.

4.1 Ferrero has carried out formal appointments for all authorised persons, either individually or as part of homogenous categories.
4.2 All appointed authorized persons have received specific written instructions on how to process and protect personal data.
4.3 Ferrero keeps an updated list of authorized persons, and all authorized persons receive adequate personal data protection training and education. This training is properly being documented.
4.4 Access privileges granted to authorized persons are adequate and updated. Instructions given to authorized persons are updated. This is periodically confirmed.

5.1 New recruits are properly instructed before beginning to process personal data.
5.2 Employees’ integrity and reliability is assessed prior to entrusting them with activities involving access to personal data.
5.3 All authorized persons receive regular operational updates on security.
5.4 Ferrero distributes security guidelines to all authorised persons.
5.5 Ferrero keeps documentation to support and demonstrate training activities carried out.

6.1 Ferrero has defined a set of criteria and policies to clarify its posture and support for information security, as well as security controls regarding mobile devices and teleworking (such as telecommuting, remote access and virtual workplaces).
6.2 Ferrero has defined separate roles and responsibilities for information security and assigned them to the appropriate individuals, in order to avoid conflicts of interest and prevent any inappropriate activities.
6.3 Ferrero has entered into adequate agreements with sub-processor(s), which impose upon them to implement suitable technical and organisational security measures regarding personal data protection.

7.1 Information security responsibilities are considered, prior to hiring, when recruiting or selecting employees, contractors and temporary staff (e.g., by means of appropriate job vacancy descriptions or pre-employment screening) and included in employment or other services agreements (e.g., within terms and conditions of employment and in any other signed agreements which define roles and responsibilities related to security, by means of compliance obligations, etc.).
7.2 Ferrero’s managers are able to ensure, over the course of employment, that employees, contractors and temporary staff are made aware of and are instructed to comply with their information security obligations, and are informed about the possibility of being subject to formal disciplinary proceedings in the event of information security incidents which they may cause.
7.3 Ferrero has formal disciplinary proceedings in place which may be triggered in the event of information security incidents caused by employees, contractors and temporary staff.
7.4 When a person leaves Ferrero, or when there are any significant changes to roles and responsibilities, all aspects related to security are managed, by means of, e.g., obligations to return all corporate information and corporate equipment, updating of access rights/authorisations, and reminders to persons involved of their ongoing obligations regarding privacy, intellectual property, surviving contractual terms, and others, including ethical expectations upon them.
7.5 Authorised persons receives specific instructions on how to delete or destroy information contained in storage media before their re-use.

8.1 Ferrero has a complete inventory of all its information assets, and persons holding those assets are identified, in order to ensure accountability for those assets’ security. Ferrero has defined “acceptable use” policies for these assets.
8.2 Information storage media are managed, controlled, transported and disposed of in such a manner as to not compromise the contents of stored information.
8.3 Ferrero has an appropriate number of safe containers, adequately distributed and available to persons in charge of custody (even if temporary) of personal data in any form (paper, electronic or other).
8.4 Ferrero has implemented controls to avoid that documents containing special categories of personal data are left unattended, when entrusted to authorised persons and removed from their protected archives.
8.5 Authorised Persons have easy access to and use of paper document shredders.
8.6 Ferrero has implemented a suitable policy on usage, storage and destruction of paper documents.
8.7 Paper documents containing special categories of personal data are erased or – preferably – destroyed before re-use.

9.1 Ferrero’s organisational requirements in place on access control to information assets are clearly documented in an access control policy/procedure, and access to Ferrero’s Network and connections is restricted.
9.2 Users are made aware of their responsibilities regarding the maintenance of effective access control, such as selecting strong passwords and keeping them confidential.
9.3 Access to information is restricted in compliance with Ferrero’s access control policy/procedure, e.g., by means of secure login systems, password management, privileged access control and restriction of access to source codes.
9.4 Ferrero controls access to sensitive areas. Persons accessing these sensitive areas obtain prior authorisation to do so.
9.5 Sensitive areas are equipped with electronic access control tools, or otherwise subject to appropriate supervision.
9.6 Ferrero frequently reviews the access logs to the sensitive areas like servers rooms to spot unjustified accesses.

10.1 Ferrero has clearly defined physical perimeters and barriers, with physical access controls and internal procedures to protect its premises, offices, rooms, loading / unloading areas, etc., against unauthorised access (protection against fires, floods, earthquakes, bombs, etc.).
10.2 Ferrero can confirm that equipment and/or information is not taken off-premises without prior authorisation, and is suitably protected whether on or off premises.
10.3 Information contained in information storage media is destroyed, before disposing of or re-using those media.
10.4 Any unattended equipment is protected, and a specific space and clear control policy for that equipment exist.

11.1 Malware controls have been implemented and maintained.
11.2 Suitable backups are performed and maintained, in accordance with Ferrero’s backup policy.
11.3 Backup are tested. Results are documented and recorded.

12.1 Time-keeping systems are synchronised to ensure the temporal consistency of the tracking data.
12.2 Ferrero follows the principle of least privilege, allowing authorized access for users based on their job functions.

13.1 Ferrero can confirm that a vulnerability management process has been developed to identify security weaknesses using trusted external sources for vulnerability information, and assigning a risk classification to security vulnerabilities.
13.2 System components and software updates related to the remediation of known vulnerabilities are evaluated, to determine applicability, tested before installation if corresponds, and implemented in a timely manner.
13.3 Rules on software installation by users have been implemented, to prevent the creation of new vulnerabilities.
13.4 Ferrero has defined and implemented a penetration testing process at the application level and infrastructure level.

14.1 Security of Ferrero’s network and network services are protected, e.g., by means of network segregation.
14.2 Ferrero has implemented protection measures to control communications at the internal & external boundaries of the infrastructure.
14.3 Ferrero has implemented policies, procedures and agreements (e.g., non-disclosure agreements, Personal Data Processing agreements), regarding the transfer of information to/from third parties, including by means of electronic messaging.
14.4 Ferrero has implemented secure channels (e.g., encrypted protocols when connected to the corporate network, and/or VPN in case of remote connections) for communications between the information systems and the corporate network.

15.1 Ferrero analyses and specifies security control requirements, including for web applications and transactions.
15.2 Rules governing software security/ systems development are defined in accordance with Ferrero’s internal policy.
15.3 Changes are managed, performed, reviewed and approved (ideally through a tool) in a dedicated environment before being migrated into production.
15.4 Changes to the configuration of application parameters are authorized before implementation, and validated after being performed.
15.5 Software packages are not modified, and engineering principles on system security are respected.
15.6 The development, test and production environments are separated to avoid unauthorized access or changes to production systems and code repositories.
15.7 All test data are carefully selected, generated and controlled.

16.1 Ferrero has implemented policies, procedures, awareness-raising activities, etc., to protect organisational information that is accessible to IT outsourcers and other external suppliers (whether or not these may be sub-processors) across the entire supply chain. These are reflected in written agreements signed with these entities.

17.1 Ferrero has implemented responsibilities and procedures to manage (report, assess, respond to and learn from) information security events, incidents and vulnerabilities, including personal data breaches, in a coherent and effective manner, so as to allow timely reporting to the data controller, as well as the collection of suitable forensic evidence where required.

18.1 Ferrero has planned information security continuity, implemented, tested and reviewed as an integral part of its business continuity management systems.
18.2 Ferrero has sufficient redundancy, so as to meet availability requirements.

19.1 Ferrero has identified and documented its information security obligations towards authorities (including supervisory authorities) and other third parties, including regarding intellectual property, corporate or other records, privacy and encryption.

Last update: June 2018