Policy brief & purpose
Our Data Protection company policy refers to the company’s commitment to treating information of
employees, customers, stakeholders or other interested parties with the utmost care and
confidentiality.
With this policy, we ensure that the company behaves fairly and morally concerning the
gathering, storing and handling of data. This process will be carried out with transparency and
respect towards the rights of individuals who entrust it with their information.
Scope
This policy applies to all parties (employees, job candidates, customers, suppliers etc.) who provide
any amount of information to the company. The policy will be followed by all employees of the
company and its subsidiaries as well as contractors, consultants, partners and any other external
entity. Generally, it refers to anyone who collaborates closely with the company or acts on its
behalf and may need occasional access to data.
Policy elements
The company will need to obtain and process information of people that will serve its business
purposes. The information may refer to any offline or online information that makes a person
identifiable such as names, addresses, usernames and passwords, digital footprints, photographs,
social security numbers, financial data etc.
The company commits to collecting this information transparently and only with the full
cooperation and knowledge of interested parties. Once this information is available to the company,
the following rules are mandatory:
- The data will be collected fairly and for lawful purposes only
- The data will be processed by the company within its legal and moral boundaries
- The data will not be stored for more than the specified amount of time
- The data will be accurate and kept up-to-date
- The data will not be distributed to any party other than the ones agreed upon by the owner of the data (exempting legitimate requests from law enforcement authorities)
- The data will not be transferred to organizations, states or countries that do not have adequate data protection policies
- The data will not be communicated informally
- The data will be protected against any unauthorized or illegal access by internal or external parties
In addition to ways of handling the data, the company has direct obligations towards the people to
whom the data belongs. Specifically, the company must:
- Let people know which of their data is collected
- Inform people about how their data will be processed
- Inform people about who has access to their information
- Allow people to request the modification, erasing, reduction or correction of the data contained in the company’s databases
- Have provisions in cases of lost, corrupted or compromised data
Actions
To exercise data protection the company is committed to:
- Develop transparent data collection procedures
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
- Build secure networks to protect online data from cyberattacks
- Include contract clauses or communicate statements on how data will be handled
- Inform individuals of the amount of time that their data will be preserved
- Declare its data protection provisions publicly (e.g. on website)
- Ensure all concerned parties have read the policy and adhere to it
- Train employees in online privacy and security measures
- Restrict and monitor access to sensitive data
- Establish clear procedures for reporting breach of privacy or data misuse
Disciplinary Consequences
All principles described in this policy must be strictly followed. A
breach of data protection guidelines will invoke disciplinary and possibly legal action.
Appendix
Where consent is required for the processing of personal data we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time through processes which have been explained to them and which are outlined in our Record Keeping Policy: Withdrawal of Consent procedures. We ensure that it is as easy to withdraw as to give consent.
1.1. We acknowledge our accountability in ensuring that personal data shall be:
1.1.1. Processed lawfully, fairly and in a transparent manner;
1.1.2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
1.1.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
1.1.4. Accurate and kept up to date;
1.1.5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
1.1.6. Processed in a manner that ensures appropriate security of the personal data.
1.2. We uphold the personal data rights outlined in the GDPR:
1.2.1. The right to be informed;
1.2.2. The right of access;
1.2.3. The right to rectification;
1.2.4. The right to erasure;
1.2.5. The right to restrict processing;
1.2.6. The right to data portability;
1.2.7. The right to object;
1.2.8. Rights in relation to automated decision making and profiling.