DATA PROTECTION POLICY
This policy was last updated in January 2019.
As part of an organisation’s services, the need to gather and use certain information about individuals may arise. These individuals can include clients, vendors, employees and other people the organisation has a relationship with or may need to contact. Therefore, the company must strive to comply with applicable laws and regulations related to data protection in the countries where it operates.
The data protection policy ensures that companies comply with the EU General Data Protection Regulation (GDPR) and follow best practice; protect the rights of staff, clients and partners; are open about how individuals’ data are stored and processed; and protect themselves from the risk of a data breach.
This policy is designed to outline how DataPro has established measures by which personal data must be collected and handled to meet the company’s data protection standards and comply with the GDPR.
APPLICATION OF POLICY
This policy applies to all DataPro directors, officers, clients, employees (full and part time) and temporary workers. It is the responsibility of each of us to ensure that we comply with these standards in our daily
Failure to comply with this policy, whether or not intentional, may lead to disciplinary action (up to and including dismissal).
POLICIES AND PROCEDURES
DATA PROTECTION PRINCIPLES
Article 5 of the GDPR requires that personal data shall be:
• Processed lawfully, fairly and in a transparent manner in relation
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
ROLES AND RESPONSIBILITIES
The CO (Compliance Officer) is charged with:
• Informing and advising Management and employees about their obligations to comply with the GDPR and other data protection
• Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
• Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients
The Board’s responsibility is to provide effective governance over DataPro’s affairs for the benefit of its shareholders and to balance the interests of its diverse stakeholders, including its customers, employees, international suppliers and communities.
Employees are obligated to fully comply with the policy and to report any data breach to the CO as soon as they are aware of it.
LAWFUL BASIS FOR PROCESSING DATA
The lawful bases for processing data are set out in Article 6 of the GDPR. At least one of these must apply whenever DataPro processes
• The individual or client has given clear consent for the processing of their personal data for a specific purpose.
• The processing is necessary for the performance of a contract with the individual or client, or in order to take specific steps before entering into a contract.
• The processing is necessary for compliance with a legal
• The processing is necessary to protect the vital interests of the individual or client.
• The processing is necessary to perform a task in the public interest or in the exercise of official authority.
• The processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. In this regard, DataPro has defined and implemented an Information Security Policy to maintain effective security.
The GDPR requires diligence and clarity in entering into third party relationships. Whenever DataPro acts as a controller, a written contract must be in place with the processors. Whenever DataPro acts as a processor, it must only act on the documented instructions of a controller (as specified in a valid written contract).
In addition, the CO will review third party relationships on an annual basis to determine the risk posed by processing. Based on the assessment, the CO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to. The CO will then present the assessment, and the results of compliance visits, to the Board at least annually.
DataPro shall transfer personal data where the organisation receiving the personal data has been successfully vetted and the purpose of the request established. Requests for international transfer of data must be submitted to the CO for each type of document. The CO must in turn record the requests for international transfer received and make available the necessary legally binding agreements.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to,
In the event that a breach occurs, the CO must be notified as soon as possible; the CO must in turn record the breach and work with the employee who reported it to assess its likely impact.
A notifiable breach has to be reported by the CO to the relevant supervisory authority within 72 hours of DataPro becoming aware of it. The notification must contain:
• The nature of the personal data breach
• The categories and approximate number of individuals concerned
• The categories and approximate number of personal data
• A description of the likely consequences of the personal data
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach
• The measures taken to mitigate any possible adverse effects
Where a breach is likely to result in a high risk to the rights and freedoms of individuals or clients, DataPro will notify those concerned
The CO must also present an analysis of breaches and near misses to the Board at least annually.
SUBJECT ACCESS REQUESTS
All individuals and clients who are the subject of personal data held by DataPro are entitled to:
• Ask what information the company holds about them and why
• Ask how to gain access to such information
• Be informed how to keep the information up to date
• Be informed how the company is meeting its data protection
COMPLIANCE WITH THE POLICY
It is the responsibility of the Compliance Officer to ensure thorough compliance with this policy. However, employees have an obligation to act with integrity and to ensure that they understand and comply with the policy. Training will be provided to employees to support them in complying with the policy. In addition, all employees will be required to confirm that they have understood and complied with the policy.