Risk Management and Control Measures Policy

This policy outlines the Risk Management and Control Measures implemented by Marfeel. It is developed in accordance with Article 35.7 of the General Data Protection Regulation (GDPR) and reflects Marfeel’s commitment to ensuring the privacy and security of personal data.

1. Overview of Risk Management Approach

Marfeel has carried out a detailed risk analysis to assess potential impacts on the rights and freedoms of individuals. Each processing activity has been evaluated for inherent risk, with controls assessed to calculate the residual risk.

2. Implemented Technical and Organizational Measures

To mitigate identified risks, Marfeel has implemented a set of control measures, including but not limited to:

  • Hosting exclusively within the European Union, using Google Cloud Platform (GCP), with encrypted data storage
  • Pseudonymization and anonymization of personal data when applicable
  • Role-based access control with restricted visibility for scoped data
  • Use of secure protocols (e.g., HTTPS, SFTP) for all data transfers
  • Logging and audit trails for critical systems
  • Staff training on data protection principles
  • Signed confidentiality agreements for all staff with access to scoped data
  • Data Processing Agreements with all subprocessors

3. Monitoring and Continuous Review

Marfeel regularly reviews its implemented measures to ensure that residual risk remains within acceptable levels. This includes continuous monitoring of subprocessors, regular security audits, and updates to privacy practices in line with technological developments and regulatory changes.

4. Accountability and Governance

Responsibility for risk management rests with the Data Protection Officer (DPO) and the Director of System Operations. These roles ensure that control measures are implemented effectively and that Marfeel remains compliant with GDPR and aligned with best practices in data protection.