1. Principles of Data Protection

The Entity is dedicated to processing data in line with the GDPR’s requirements.

According to Article 5 of the GDPR, personal data must be:

  • Processed lawfully, fairly, and transparently in relation to individuals.
  • Collected for specific, unambiguous, and lawful purposes, and not further processed in a way that contradicts those purposes. Further processing for public interest archiving, scientific or historical research, or statistical reasons shall not be deemed incompatible with the original purposes.
  • Adequate, relevant, and restricted to what is required in regard to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified as soon as possible, taking into account the purposes for which it is processed.
  • Processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing as well as accidental loss, destruction, or damage, using appropriate technical or organizational measures.

2. Provisions in General

This policy covers all of the Entity’s personal data processing activities.

The Entity’s continued compliance with this policy is the responsibility of the Responsible Person.

This policy will be reviewed at least once a year.

3. Legal, Fair, and Transparent Processing

The Entity must keep a Register of Systems to guarantee that its data processing is legal, fair, and transparent.

The Register of Systems must be reviewed at least once a year.

Individuals have the right to access their personal information, and any requests made to the Entity will be responded to promptly.

4. Legitimate Objectives

Consent, contract, legal obligation, vital interests, public task, or legitimate interests are all legal bases on which the Entity may process data.

The Entity must record the appropriate legal basis in the Register of Systems.

When consent is used as a legal basis for processing personal data, proof of opt-in consent must be stored with the personal data.

Where communications are sent to individuals on the basis of their consent, those individuals should be able to revoke that consent, and systems should be in place to ensure that such revocation is appropriately reflected in the Entity’s systems.

6. Data Minimization

Personal data must be adequate, relevant, and limited to what is essential for the purposes for which they are processed.

7. Accuracy

The Entity must take reasonable steps to ensure the accuracy of personal data.

Steps must be taken to ensure that personal data is kept up to date if appropriate for the lawful basis on which the data is processed.

8. Retrieval and Archiving

The Entity shall implement an archiving policy for each area in which personal data is processed and assess this process annually to ensure that personal data is preserved for no longer than is necessary.

The archiving policy will consider what data should/must be retained, for how long, and why.

9. Safety and Security

The Entity must ensure that personal data is stored safely and securely using up-to-date software.

Personal data should only be accessible to those who require it, and sufficient security should be in place to prevent unauthorized information sharing.

When personal data is removed, it should be done securely so that it cannot be recovered.

Appropriate disaster recovery and backup systems must be in place.

10. Breach

In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, the Entity shall assess the risk to people’s rights and freedoms as soon as possible. If necessary, the breach will be reported to the appropriate authority and the ultimate owner of the data to take the necessary corrective action.