Our data privacy FAQ answers your basic questions

Data privacy FAQ

frequently asked questions

by data protection officers and works councils

CYBER ATTACKS: PHISHING

Cyber attacks are a major industrial, economic and social problem today. Studies show that more than 90% of targeted cyber attacks and 95% of spying attacks involve phishing or personalized spear phishing e-mails and an average of 10% of phishing attacks are successful.

Phishing uses fake messages with which an attacker tries to gain access to the victim's systems or data. To do this, the attacker typically sends an e-mail with a forged sender address, to which a malicious file or a fake link is attached. By the time such a link is clicked it may already be too late: a prepared website can infect a system during the visit itself.

IT-Seal simulates this type of attack on employees. This lets employees gain realistic experience and be trained and tested.

LEGAL

Social engineering simulations are generally only permitted if they are proportionate. Therefore, various measures must be taken, such as making the results anonymous.

IT-Seal takes all relevant steps in advance and supports you in your internal communication where necessary.

No. In order to ensure the protection of each employee, the results can only be viewed on a group basis. For this purpose, we use the employee groups you define in advance, with a minimum size of 15 participants per group.

The transmission and use of data is permitted if there is a legitimate employer interest and there are no conflicting interests of the employee concerned that are worthy of protection. Therefore, the employer should not transmit any internally known data that a 'real' attacker could not easily discover. In addition, an agreement on commissioned data processing or transfer of functions must be concluded.

DATA PROTECTION

In accordance with legal requirements, the e-mail address of selected employees is transferred to IT-Seal as part of the initial collaboration.

The initial collaboration will only collect data on user response. This includes whether employees have clicked on a fake link or whether user data has been entered on a prepared website - the content of this data entry is not transferred. This data is stored in an abstracted (pseudonymised) form as described above, and the assignment of the pseudonyms is deleted after the test is completed.
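As an added illustration of the pseudonymised, group-level handling described above (example code, not IT-Seal's own), the following Python sketch assumes an in-memory store, a hypothetical threshold constant matching the 15-participant minimum, and constructed sample addresses:

```python
import secrets
from collections import defaultdict

MIN_GROUP_SIZE = 15  # smallest group that may appear in a report (assumed constant)


def pseudonymise(addresses):
    """Map each address to a random token. Only tokens travel with the results;
    this mapping is kept apart from them and dropped when the test ends."""
    return {secrets.token_hex(8): addr for addr in addresses}


def record_result(results, token, group, clicked, entered_data):
    """Store only what is collected: click yes/no and data-entry yes/no.
    The content of any data entry is deliberately not a field here."""
    results.append({"token": token, "group": group,
                    "clicked": clicked, "entered_data": entered_data})


def group_report(results):
    """Aggregate per group; groups below the threshold are suppressed."""
    agg = defaultdict(lambda: {"participants": 0, "clicked": 0, "entered_data": 0})
    for r in results:
        g = agg[r["group"]]
        g["participants"] += 1
        g["clicked"] += int(r["clicked"])
        g["entered_data"] += int(r["entered_data"])
    return {name: (stats if stats["participants"] >= MIN_GROUP_SIZE else "suppressed")
            for name, stats in agg.items()}


def finish_simulation(mapping):
    """Delete the token-to-address assignment once the test is completed."""
    mapping.clear()


def run_demo():
    # Constructed sample: 16 staff in 'sales' (every third one clicks, one of
    # them also enters data) and 4 staff in 'finance' who all click.
    people = [(f"sales{i}@example.test", "sales", i % 3 == 0, i == 3) for i in range(16)]
    people += [(f"fin{i}@example.test", "finance", True, False) for i in range(4)]
    mapping = pseudonymise([p[0] for p in people])
    by_addr = {addr: (grp, c, e) for addr, grp, c, e in people}
    results = []
    for token, addr in mapping.items():
        grp, clicked, entered = by_addr[addr]
        record_result(results, token, grp, clicked, entered)
    report = group_report(results)
    finish_simulation(mapping)
    return {"report": report, "results": results, "mapping_left": len(mapping)}
```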

IT-Seal uses a computer centre in Frankfurt am Main with the highest security requirements.

As recent attacks have repeatedly shown, unfortunately no one is unhackable - not even us. However, as an IT security specialist, IT-Seal implements the most up-to-date security mechanisms and prepares intensively for possible security breaches (for concrete technical and organisational measures, we will be happy to provide you with a prepared agreement for the transfer of functions). Our database structures and processes are built in such a way that personal data is always stored separately (security by design). In addition, all personal data is deleted by default after the respective simulation is completed.

Yes, the contact details will be passed on request.

Yes, our processes and standards for data protection largely exceed the previous legal requirements (e.g. deletion of personal data, risk assessment, data protection concept) and fulfil the requirements of the GDPR.