1.1. The purpose of this Data Protection Policy is to protect personal data by design and by default and to ensure that data Processing is performed by the Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the "GDPR", and to be able to demonstrate the lawfulness of such Processing.
1.2. The GDPR and this policy apply to all of the Company's Personal Data Processing functions, including those performed on customers', clients', employees', suppliers' and partners' Personal Data, and any other Personal Data the Company processes from any source.
1.3. The Company's Director is the Responsible Officer for reviewing the Record of Processing Activities annually in the light of any changes to the Company's activities and of any additional requirements identified by means of data protection impact assessments. This Record must be made available to the supervisory authority on request.
1.4. This policy applies to all employees and interested parties of the Company such as outsourced suppliers. Any breach of the GDPR or this policy will be dealt with under the Company's disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
1.5. Partners and any third parties working with or for the Company, and who have or may have access to Personal Data, will be expected to have read, understood and to comply with this policy. No third party may access Personal Data held by the Company without having first entered into a data confidentiality agreement which gives the Company the right to audit compliance with the agreement.
2. Definitions
"Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Personal Data" means any information relating to a Data Subject.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Personal Data Breach" means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report Personal Data Breaches to the supervisory authority and, where the breach is likely to adversely affect the Personal Data or privacy of the Data Subject, to the Data Subject.
"Record of Processing Activities" means an internal electronic record of all the categories of Processing activities under the responsibility of the Responsible Officer.
"Responsible Officer" means the Director of the Company.
3. Data protection principles
The Company is committed to Processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Lawful, fair and transparent Processing
- To ensure its Processing of data is lawful, fair and transparent, the Company shall maintain a Record of Processing Activities.
- Data Subjects have the right to access their Personal Data and any such requests made to the Company shall be dealt with in a timely manner. The GDPR includes rules on giving privacy information to Data Subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. The information must be communicated to the Data Subject in an intelligible form using clear and plain language. The Company's Privacy Notice is set out as Appendix A hereto.
5. Lawful purposes
- All Processing of data by the Company must be carried out on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- The Company shall note the appropriate lawful basis in the Record of Processing Activities.
- The Company shall satisfy itself that Processing is necessary for the relevant purpose, and that there is no other reasonable and less intrusive way to achieve that purpose.
- Where consent is relied upon as a lawful basis for Processing Personal Data, evidence of opt-in consent shall be kept with the Personal Data.
- Where communications are sent to Data Subjects based on their consent, the option for the Data Subject to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Company's procedures.
6. Data minimisation
6.1 The Company shall ensure that Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
6.2 The Responsible Officer is responsible for ensuring that the Company does not collect information that is not strictly necessary for the purpose for which it is obtained.
6.3 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a fair Processing statement or a link to the privacy statement, and must be approved by the Responsible Officer.
6.4 The Responsible Officer will ensure that, from time to time, all data collection methods are reviewed by internal audit or external experts to ensure that collected data continues to be adequate, relevant and not excessive.
7. Accuracy
- The Company shall take reasonable steps to ensure Personal Data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that Personal Data is kept up to date.
8. Archiving / removal
- Personal data will be retained in line with the Record of Processing Activities and, once its retention date has passed, it must be securely destroyed as set out in this procedure.
- The Responsible Officer shall review the Record of Processing Activities from time to time and consider what data should/must be retained, for how long, and why.
- The Responsible Officer must specifically approve any data retention that exceeds 5 (Five) years, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
- Where personal data is retained beyond the Processing date, it will be minimised and/or pseudonymised in order to protect the identity of the Data Subject in the event of a Personal Data Breach.
- When Personal Data is deleted this should be done safely such that the data is irrecoverable.
9. Security
9.1 The Company shall ensure that Personal Data is stored securely using modern software that is kept up to date.
9.2 Access to Personal Data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
9.3 Personal Data must be kept in a form such that the Data Subject can be identified only as long as is necessary for Processing.
9.4 Appropriate back-up and disaster recovery solutions shall be in place.
9.5 When assessing appropriate technical measures, the Responsible Officer will consider the following:
- Password protection;
- Automatic locking of idle terminals;
- Removal of access rights for USB and other memory media;
- Virus checking software and firewalls;
- Role-based access rights including those assigned to temporary staff;
- Encryption of devices that leave the Company's premises such as laptops;
- Security of local and wide area networks;
- Privacy enhancing technologies such as pseudonymisation and anonymisation;
- Identifying appropriate international security standards relevant to the Company.
9.6 When assessing appropriate organisational measures the Responsible Officer will consider the following:
- The appropriate training levels throughout the Company;
- Measures that consider the reliability of employees (such as references etc.);
- The inclusion of Data Protection in employment contracts;
- Identification of disciplinary action measures for Personal Data Breaches;
- Monitoring of staff for compliance with relevant security standards;
- Physical access controls to electronic and paper-based records;
- Adoption of a clear desk policy;
- Storing of paper-based data in lockable fire-proof cabinets;
- Restricting the use of portable electronic devices outside of the workplace;
- Restricting the use of employees' own personal devices in the workplace;
- Adopting clear rules about passwords;
- Making regular backups of personal data and storing the media off-site;
- The imposition of contractual obligations on the importing organisations to take appropriate security measures when transferring data outside the EU.
9.7 All employees of the Company are responsible for ensuring that any Personal Data that the Company holds and for which they are responsible is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by the Company to receive that information and has entered into a confidentiality agreement.
9.8 All Personal Data should be accessible only to those who need to use it. All Personal Data should be treated with the highest security and must be kept:
- in a lockable room with controlled access; and/or
- in a locked drawer or filing cabinet; and/or
- if computerised, password protected in line with corporate requirements; and/or
- stored on (removable) computer media which are encrypted in line with corporate requirements.
9.9 Care must be taken to ensure that PC screens and terminals are not visible except to authorised employees of the Company.
9.10 Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they must be disposed of securely.
9.11 Hard drives of redundant PCs are to be removed and immediately destroyed as required before disposal.
10. Data Subject's Rights
10.1 Data Subjects have the following rights regarding data Processing, and the data that is recorded about them:
10.1.1 To make requests regarding the nature of information held and to whom it has been disclosed;
10.1.2 To prevent Processing likely to cause damage or distress.
10.1.3 To prevent Processing for purposes of direct marketing.
10.1.4 To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
10.1.5 To not have significant decisions that will affect them taken solely by automated process.
10.1.6 To sue for compensation if they suffer damage by any contravention of the GDPR.
10.1.7 To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.
10.1.8 To request the supervisory authority to assess whether any provision of the GDPR has been contravened.
10.1.9 To have Personal Data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
10.1.10 To object to any automated profiling that is occurring without consent.
11. Consent
11.1 The Company understands 'consent' to mean a freely and explicitly given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
11.2 The Data Subject can withdraw their consent at any time.
11.3 Consent cannot be inferred from non-response to a communication. The Company must be able to demonstrate that consent was obtained for the Processing operation.
11.4 In most instances, consent to process personal data is obtained routinely by the Company using standard consent documents, e.g. when a new client signs a contract, or during induction for participants on the Company's programs.
12. Personal Data Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, the Company shall promptly assess the risk to Data Subjects' rights and freedoms and, if appropriate, report the breach to the Office of the Commissioner for Personal Data Protection: http://www.dataprotection.gov.cy