Policy brief & purpose
Our Data Protection company policy refers to the company’s commitment to treating information of
employees, customers, stakeholders or other interested parties with the utmost care and
With this policy, we ensure that the company behaves fairly and morally concerning the
gathering, storing and handling of data. This process will be carried out with transparency and
respect towards the rights of individuals who entrust it with their information.
This policy applies to all parties (employees, job candidates, customers, suppliers etc.) who provide
any amount of information to the company. The policy will be followed by all employees of the
company and its subsidiaries as well as contractors, consultants, partners and any other external
entity. Generally, it refers to anyone in close collaboration with the company or acts on its
behalf and may need occasional access to data.
The company will need to obtain and process information of people that will serve its business
purposes. The information may refer to any offline or online information that makes a person
identifiable such as names, addresses, usernames and passwords, digital footprints, photographs,
social security numbers, financial data etc.
The company commits to collecting this information transparently and only with the full
cooperation and knowledge of interested parties. Once this information is available to the company,
the following rules are mandatory:
The data will be collected fairly and for lawful purposes only
The data will be processed by the company within its legal and moral boundaries
The data will not be stored for more than the specified amount of time
The data will be accurate and kept up-to-date
The data will not be distributed to any party other than the ones agreed upon by the owner of the data (exempting legitimate requests from law enforcement authorities)
The data will not be transferred to organizations, states or countries that do not have adequate data protection policies
The data will not be communicated informally.
The data will be protected against any unauthorized or illegal access by internal or external parties
In addition to ways of handling the data, the company has direct obligations towards people to
To whom the data belongs. Specifically, the company must:
Let people know which of their data is collected
Inform people about how their data will be processed
Inform people about who has access to their information
Allow people to request the modification, erasing, reduction or correction of the data contained in the company’s databases
Have provisions in cases of lost, corrupted or compromised data
To exercise data protection the company is committed to:
Develop transparent data collection procedures
Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
Build secure networks to protect online data from cyberattacks
Include contract clauses or communicate statements on how data will be handled
Inform individuals of the amount of time that their data will be preserved
Declare its data protection provisions publicly (e.g. on website)
Ensure all concerned parties have read the policy and adhere to it
Train employees in online privacy and security measures
Restrict and monitor access to sensitive data
Establish clear procedures for reporting breach of privacy or data misuse
Disciplinary Consequences. All principles described in this policy must be strictly followed. A
breach of data protection guidelines will invoke disciplinary and possibly legal action.
Where consent is required for the processing of personal data we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time through processes which have been explained to them and which are outlined in our Record Keeping Policy: Withdrawal of Consent procedures. We ensure that it is as easy to withdraw as to give consent.
1.1. We acknowledge our accountability in ensuring that personal data shall be:
1.1.1. Processed lawfully, fairly and in a transparent manner;
1.1.2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
1.1.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
1.1.4. Accurate and kept up to date;
1.1.5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
1.1.6. Processed in a manner that ensures appropriate security of the personal data.
1.2. We uphold the personal data rights outlined in the GDPR;
1.2.1. The right to be informed;
1.2.2. The right of access;
1.2.3. The right to rectification;
1.2.4. The right to erasure;
1.2.5. The right to restrict processing;
1.2.6. The right to data portability;
1.2.7. The right to object;
1.2.8. Rights in relation to automated decision making and profiling.