The purpose of this policy is to set out the principles of data protection that we follow in our work and to provide a managed framework for fulfilling our business needs, accountability and legal responsibilities.
Data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights and the legitimate use of data for business purposes.
Introduction
The General Data Protection Regulation (GDPR) harmonizes data protection laws in the EU so that they are fit for purpose in the digital age. A single law is intended to bring better transparency, help support the rights of individuals and grow the digital economy.
The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU or that collect and analyze data tied to them. Even organizations outside Europe need to be compliant, or otherwise face significant penalties.
The primary objective of the GDPR is to give citizens back control of their personal data. From an economic standpoint, the GDPR aims to simplify the regulatory environment for international business by unifying the regulation.
The Data Protection Policy provides one of the necessary framework conditions for cross-border data transmission among the companies. It ensures the adequate level of data protection prescribed by the European Union Data Protection Directive and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.
Data Protection, GDPR and Information Security
What does data protection, privacy and security mean for us?
We protect the things we really care about. And that’s why managing data in a safe way is a top priority at eQuadriga.
For us, data protection, privacy and security are about more than sets of rules or regulations: they are ingrained into our culture and are at the core of how we deliver trusted insights.
We’re experts in dealing with sensitive information and know just how much today’s consumers value the security of their personal data. Our customers trust us with their personal information and their privacy. And protecting that information and respecting their privacy is fundamental to maintaining that trust. Our privacy and security programs govern how we collect, use and manage employee, client and customer information.
Everyone within our organization is responsible for demonstrating compliance when it comes to data protection, privacy and security – not because of the law, but because our company philosophy demands this attitude and commitment.
What are we doing about it?
We have a dedicated organization that maintains and monitors compliance and ensures all employees understand the importance of protecting the confidential data the organization manages.
We ensure a secure environment to protect the confidentiality, integrity and availability of information. We do this by implementing a broad range of security technologies such as network security and access controls. We make sure that all our solutions are designed and developed with security in mind from the very start. We maintain a strong information security management program to ensure a proven policy and compliance structure, a comprehensive security awareness program and a solid risk management framework.
Cyber security attacks pose a significant risk to our business, infrastructure and data assets. Remaining vigilant in preparing for these threats, defending against them and planning for the future is an essential element of our strategy.
Our Data Protection organization reports directly to the management. This is so our clients, partners, and authorities always have a strong point of access for clarifying any issues on data protection.
Data Protection Officer (DPO)
This section describes the DPO’s role in managing organizational data protection and overseeing GDPR compliance.
DPO Roles and Responsibilities
As per Art. 39 GDPR (Tasks of the data protection officer):
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority of Customer;
(e) to act as the contact point for the supervisory authority of Customer on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
- Establish compliance strategy, standards and policy
- Establish records and document processing activities of personal data
- Conduct Privacy Impact Assessment (PIA) for High Risk processing activities
- Review customer contracts
Goals
All information security measures try to address at least one of three goals:
- Protect the confidentiality of data
- Preserve the integrity of data
- Promote the availability of data for authorized use
These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs. The information security professionals who create our policies and procedures (often referred to as governance models) must consider each goal when creating a plan to protect a computer system.
Integrity Models
Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes. Integrity models have three goals:
- Prevent unauthorized users from making modifications to data or programs
- Prevent authorized users from making improper or unauthorized modifications
- Maintain internal and external consistency of data and programs
An example of integrity checks is balancing a batch of transactions to make sure that all the information is present and accurately accounted for.
Availability Models
Availability models keep data and resources available for authorized use, especially during emergencies or disasters. Information security professionals usually address three common challenges to availability:
- Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
- Equipment failures during normal use
Some activities that preserve confidentiality, integrity, and/or availability are granting access only to authorized personnel, building software defensively, and developing a disaster recovery plan to ensure that the business can continue to exist in the event of a disaster or loss of access by personnel.
Principles for the handling of personal data
Personal data is information about a living individual (the data subject), who is identifiable from that information or who could be identified from that information combined with other data which the organization either holds or is likely to obtain. This includes names, contact details, photographs, salary, attendance records, student marks, sickness absence, leave, dates of birth, marital status, personal email address, online identifiers, IP addresses etc. Furthermore, any expression of opinion or any intentions regarding a person are also personal data.
The GDPR covers all personal data processed by the organization, irrespective of whether these data are held by individual members of staff in their own separate files (including those held outside the organization e.g. by staff working at home) or in Faculty/Service area records or centrally by the organization.
Fairness and legality
When processing personal data, we respect the personal rights of the persons concerned and protect them accordingly. Personal data is collected and processed by eQuadriga only in a legal and fair manner.
Restriction to a specific purpose
Personal data is used only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
Transparency
The data subject must be informed of how his/her data is being handled. When the data is collected, the data subject must either be aware of, or informed of:
- The identity of the Data Controller
- The purpose of data processing
- Third parties or categories of third parties to whom the data might be transmitted.
Data reduction and data economy
Before processing personal data, we must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
Deletion
Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
Factual accuracy and up-to-dateness
Personal data on file must be correct, complete and, if necessary, kept up to date. We have taken suitable steps to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
Confidentiality and data security
Personal data is subject to data secrecy. It is treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
Data Protection Directive (Employee data)
Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other Group companies. In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply.
If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the data subject. There must be legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.
Data processing pursuant to legal authorization
The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
Collective agreements on data processing
If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended data processing activity and must be drawn up within the parameters of national data protection legislation.
Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the data subject must be informed in accordance with this Data Protection Policy.
Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of eQuadriga. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g. valuation of companies) nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed, it must be determined whether there are interests that merit protection. Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the company in performing the control measure (e.g. compliance with legal provisions and internal company rules) must be weighed against any interests meriting protection that the employee affected by the measure may have in its exclusion, and the measure cannot be performed unless it is appropriate. The legitimate interest of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken. Moreover, any additional requirements under national law (e.g. rights of co-determination for the employee representatives and information rights of the data subjects) must be considered.
Processing of highly sensitive data
Highly sensitive personal data can be processed only under certain conditions. Highly sensitive data is data about racial and ethnic origin, political beliefs, religious or philosophical beliefs, union membership, and the health and sexual life of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
The processing must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfil its rights and duties in the area of employment law. The employee can also expressly consent to processing.
If there are plans to process highly sensitive data, the Chief Officer Corporate Data Protection must be informed in advance.
Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject must also be informed of the facts and results of automated individual decisions and the possibility to respond.
Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by the company primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the eQuadriga network that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of laws or policies of the eQuadriga. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the Group regulations.
Rights of the data subject
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.
1. The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
2. If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
3. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
4. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
5. The data subject generally has a right to object to his/her data being processed, and this must be considered if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Personal Data Breaches
All individuals who access, use or manage the organization’s information are responsible for following these guidelines and for reporting any personal data breach they identify or that otherwise comes to their attention.
A personal data breach can occur for several reasons; some examples include:
- Loss or theft of data or equipment on which data is stored;
- Inappropriate access controls allowing unauthorised use;
- Equipment failure;
- Unauthorised disclosure (e.g. email sent to incorrect recipient, document posted to the wrong address, or personal information posted onto the website without consent);
- Human error;
- Unforeseen circumstances such as a fire or flood;
- Hacking attack;
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.
The consequences of a personal data breach could be physical, material or moral damage to individuals, such as loss of control over their personal data, identity theft or fraud, financial loss, damage to reputation, or any other economic or social disadvantage to the individual concerned.
Suppliers and other contractors
Data processing for a contractual relationship
Personal data of the relevant prospects, customers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract, during the contract initiation phase, personal data can be processed to prepare bids or purchase orders or to fulfil other requests of the prospect that relate to contract conclusion. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with.
Data processing pursuant to legal authorization
The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.
Reliability of data processing
Collecting, processing and using personal data is permitted only under the following legal bases. One of these legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
Processing of highly sensitive data
Highly sensitive personal data can be processed only if the law requires this or the data subject has given express consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal claims regarding the data subject. If there are plans to process highly sensitive data, the Chief Officer Corporate Data Protection must be informed in advance.
Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. credit-worthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.
User data and internet
If personal data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.