Data & Information Security policy

Data protection statement

Data Protection Statement effective from 25 May 2018

Codec would like to take this opportunity to advise you of our policies and your rights under GDPR in relation to your data and please do not hesitate to contact us if you have any queries.

1. Who we are and why we collect your information

We may use your personal information to update you on product updates, newsletters, invitations to events and information which may interest you. Where we do so, Codec-dss Limited is the data controller. Our contact details are as follows: Codec, Hyde House, 65 Adelaide Road, Dublin 2.

Where we use your information for this purpose we do so in our legitimate interest to connect with our customers and potential customers. You have the right to object to this at any time.

2. Third parties

We may share your personal information with third party service provides that perform services and functions on our behalf  such as our accountants, IT service providers, printers, and other business advisors, marketing companies who carry out marketing campaigns on our behalf and providers of security and administration services.

3. Storage periods

We will retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements.

4. Transfers outside of the European Economic Area

We may transfer your personal data outside of the European Economic Area. These countries do not always afford an equivalent level of privacy protection and in such circumstances we will take specific steps, in accordance with data protection law, to protect your personal information.

5. Your rights

You have several rights under data protection law in relation to how we use your personal information. You have the right, free of charge, to:

  1. request a copy of the personal information we hold about you
  2. rectify any inaccurate personal information we hold about you
  3. erase personal information we hold about you
  4. restriction of processing of your personal information
  5. object to our use of your personal information for our legitimate interests
  6. receive your personal information in a structured, commonly used and machine readable format and to have that data transmitted to another data controller.

These rights are in some circumstances limited by data protection legislation. If you wish to exercise any of these rights please contact us using the contact details set out above.  We will endeavour to respond to your request within a month.  If we are unable to deal with your request within a month we may extend this period by a further two months and we will explain why.

You also have the right to lodge a complaint to the office of the Data Protection Commission.

Codec access request policy

You have a right to be given a copy of your Personal Data held by Codec or a member of the Codec Group of companies on request, subject to certain exceptions.

How do I request a copy of my personal data?

There is no particular form that you must use for your request. However, we recommend that you provide as much detail as possible in your correspondence with us so that we can deal with your query promptly and efficiently. You may find it helpful to complete the Access Request Form , however it is not mandatory to do so.

You may be asked to provide proof of identification and / or additional information in order to validate your identity when making such a request. Please note that we have the right to require that you identify yourself before we will respond to any access request.

If you make a request by email, the information requested will be provided to you in electronic form (where possible), unless you request otherwise.  If you wish to receive the information in a particular format (eg, paper copy or electronic where possible) this should be stated in your request.

Who Do I Send My Request to?

You can send your request to:

  • Fiona Daly, Codec-dss Ltd, Hyde House, Adelaide Road, Dublin 2
  • by email at

How long will it take for Codec to respond to my access request?

Once we have received your request and are satisfied as to your identity, address and / or email address (as relevant) we will respond to you within one month. This period may be extended in exceptional circumstances and we will inform you within one month where the extended period applies to you, along with an explanation of the reasons for the extension.


Our obligations in relation to access requests vary depending on whether we act as a controller or a processor in relation to your Personal Data.

Where we act as a controller in relation to your Personal Data, Codec will process your access request. Where Codec acts as a processor, we will pass your request to the controller who will process your request.

Your Other Rights

For information in relation to your other rights under applicable data protection laws see our Website Privacy Statement.

If you are not satisfied with the outcome of your access request you have the right to lodge a complaint to the Data Protection Commission at

Download Codec Access Request Policy Form

Information Security Policy

1. Purpose, scope and users

The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management.

This Policy is applied to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.

Users of this document are all employees of the company, as well as relevant external parties.

2. Reference documents

  • ISO/IEC 27001 standard, clauses 5.2 and 5.3
  • ISMS Scope Document
  • ISMS Context Spreadsheet
  • Risk Assessment and Risk Treatment Methodology
  • Statement of Applicability

3. Basic information security terminology

Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.

Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.

Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.

Information security – preservation of confidentiality, integrity and availability of information.

Information Security Management System – part of overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.

4. Managing the information security

4.1. Objectives and measurement

General objectives for the information security management system is to create a better market image and reduce the damage caused by potential incidents.  We have defined a set of measurable service and security objectives aligned to our strategy and risks and these are documented within our Scope Document.

We will measure the fulfillment of all the objectives; the measurement will be performed at least once a year and will analyze and evaluate the measurement results and report them as input materials for the Management review.

4.2. Information security requirements

This Policy and the entire ISMS is be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.

A detailed list of all our interested parties and our compliance obligations to them has been documented within our Scope Document.

4.3. Information security controls

The process of selecting the controls is defined in the Risk Assessment Process.

The selected controls and their implementation status are listed in the Statement of Applicability.

4.4. Business continuity

Business continuity management is prescribed in the Business Continuity Management Policy.

4.5. Responsibilities

Responsibilities for the ISMS are the following:

  • The Information Security Manager is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring all necessary resources are available
  • The Information Security Officer is responsible for operational coordination of the ISMS as well as for reporting about the performance of the ISMS
  • Senior Management review the ISMS at least once a year or each time a significant change occurs and prepare minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the ISMS.
  • The Information Security Officer, together with assistance from Human Resources will implement information security training and awareness programs for employees
  • the protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset – of which is detailed within our Asset Register.
  • all security incidents or weaknesses must be reported to the Information Security Manager and can be either raised internally or through the service Desk.
  • The Information Security Manager will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when
  • The Information Security Officer is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management

4.6. Policy communication

Information Security Officer must ensure that all employees of the company, as well as appropriate external parties are familiar with this Policy. External party communication is done through the NDA process.

5. Support for ISMS implementation

Senior Management ensure that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.

6. Validity and document management

This document is valid as of March 12th, 2019.