Personal data processing policy
- Basic principles relating to the processing of personal data (PD).
Note: Article 5 of GDPR, “the data controller shall be responsible for, and be able to demonstrate compliance with the principles”.
1.1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
1.2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed for other purposes.
1.3. Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are requested. Depending on the company's capability and the sensitivity of the personal data used, “anonymisation” and “pseudonymisation” techniques shall be applied (see Annex I) to improve control and reduce risk.
1.4. The PD used by the company shall be accurate; the company shall establish appropriate measures to verify the data and keep them up to date whenever they have to be amended.
1.5. Data shall be stored for no longer than is necessary for the purpose for which they were obtained, in compliance with the laws authorising their collection.
1.6. In order to maintain the integrity and confidentiality of PD, the company, taking into account the cost of implementation and the seriousness of the risks identified, shall use the available technology and systems to ensure appropriate security of the PD, preventing unauthorised or unlawful processing and accidental loss, destruction or damage of the PD.
1.7. The company shall verify that data controllers apply these principles proactively and are able to demonstrate that they do so.
- Principles for implementation of PD in the company's activity. Guidelines for appropriate processing of PD.
In order to demonstrate compliance with personal data requirements and principles (GDPR), the company must establish data protection as part of its activity. Data processing in the business activity must be expressly authorised by the person in charge of data protection (data protection officer).
2.1. Notice to data subjects.
At the time of or before the collection of PD, and for any activities carried out by the company which require PD processing, data subjects must be properly informed about the type of personal data collected, the purpose of the processing, the method of processing the data, the rights of the data subject with regard to their personal data, the retention period, potential international data transfers (if any), whether the data shall be shared with third parties, and the security measures applied by the company to protect such data. This information shall be provided to the data subject through a privacy notice. (Note 1: a separate privacy notice is required for each different processing of data.) (Note 2: for sensitive personal data, make sure the notice expressly indicates the purpose for which such data are collected.)
2.2. Choice and consent of the data subject:
The data protection officer must keep a record of the consents, make the options for such consents easily available to the data subjects, and inform them of and guarantee the withdrawal of consent at any time. (Note: for children under the age of 16, parental consent must be obtained prior to data collection.) The company's data protection officer must ensure that requests for correction, amendment or destruction of records are processed within a reasonable time frame, and that such requests are recorded and properly maintained. Personal data collected shall only be processed for the purpose for which they were initially collected; for any other type of processing or use, the consent of the data subject must be clearly and explicitly re-requested. Any such request must indicate the initial purpose and the new purposes, together with the reason for the change. All these requests, the related records, good practices and industry personal data protection standards are the responsibility of the company's data protection officer.
2.3. Data collection:
The company shall endeavour to collect as little personal data as possible. If PD are collected from a third party, the data protection officer must ensure that they were lawfully collected.
2.4. Use, retention and deletion.
The purpose, methods, storage limits and retention period of personal data must be consistent with the information contained in the privacy notice. The company shall maintain the decision-making over, integrity, confidentiality and ownership of the PD, according to the purpose of the processing. The company shall apply appropriate security measures to safeguard personal data against theft, misuse or abuse and to prevent security breaches thereof.
2.5. Disclosure to third parties
When the company uses a supplier or partner to process PD on its behalf, it must ensure that these data processors provide appropriate security measures and confidentiality for the processing commissioned (requested or contracted). The company shall contractually require adequate levels of protection at data level and the supplier's fulfilment of its obligations in line with the company's guidelines, including an undertaking not to use the data for other purposes. The responsibilities of the company and of the third party (data processor) must be explicitly indicated.
2.6. International personal data transfers (outside the EU).
If the company needs to transfer PD outside the European Economic Area (EEA), appropriate safeguards must be requested and applied, including the signature of a data transfer agreement and, where necessary, the relevant authorisation from the competent data protection authority. The company shall ensure that the entity receiving the personal data complies with the processing principles established by the EU.
2.7. Right of access of data subjects.
A reasonable mechanism shall be provided to data subjects to enable them to access, update, rectify, erase, or transmit their personal data, where applicable or when required by law. This process or mechanism shall be detailed in a data subject access request document.
2.8. Data portability.
Data subjects (owners) shall have the right to receive, upon request, a copy of the data they provided to the company, structured in a manner that enables transmission of the data to another controller at no cost. The company's data protection officer shall ensure that these requests are processed within one month and that the personal data rights of data subjects are not affected.
2.9. Right to be forgotten.
Upon request, data subjects shall have the right to have the personal data they provided to the company erased. The company shall establish the necessary measures to inform third parties that use or process the data, so that the request is complied with.
- Response to data security breaches
When the company detects a personal data security breach, even before it is actually confirmed, the data controller in charge of the internal investigation of the incident shall take the appropriate measures, in due time and proper form, in accordance with the security breach policy. If there is also a risk to the rights and freedoms of the data subjects whose data have been breached, the company shall, without undue delay and no later than 72 hours after having become aware of the breach, notify the data protection authorities of the personal data breach.
- Audit and proactive responsibility and liability.
The audit department (legal or similar) is responsible for establishing the monitoring that it deems appropriate in all the departments and areas in which this policy is implemented.
Employees who violate this policy may face disciplinary measures and be subject to civil and criminal liability in accordance with their conduct and violation of laws or regulations.
- Conflicts with legislation.
The aim of this personal data policy is to comply with and help to enforce the laws and regulations in force where they have been adopted, and accordingly in the countries in which the company operates. In the event of a conflict between this policy and the applicable laws or regulations, the latter shall prevail.
This document and all the records related thereto shall be valid from the date of approval thereof by the company's senior management. The company's management is the owner of this document, and if necessary, it shall be reviewed and updated, at least once a year.