Data Protection Policy
- Aim of the Policy
At WISLACODE SOLUTIONS PROSTA SPÓŁKA AKCYJNA (hereafter, “we”, “our” or “the Company”), we are committed to safeguarding the privacy and personal data of our customers, employees, and all individuals whose data we handle. Our primary aim with this Data Protection Policy is to ensure that we adhere to the highest standards of data protection and privacy in all aspects of our operations. We understand the importance of trust and transparency in the digital age, and we are dedicated to upholding the rights and expectations of all data subjects.
This policy serves as a comprehensive framework that guides our team members in their day-to-day activities involving the processing of personal data. We are dedicated to complying with all relevant data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and other applicable local regulations. Our aim is to establish and maintain the necessary controls, processes, and best practices to protect personal data from unauthorized access, disclosure, alteration, and destruction. Additionally, we are committed to fostering a culture of continuous improvement in data protection, regularly reviewing and enhancing our policies and practices to adapt to evolving privacy requirements and technology advancements.
By adhering to this policy, we aim to instill confidence in our customers, partners, and employees, assuring them that their personal data is handled with the utmost care, respect for their rights, and in full compliance with the law.
- Abbreviations, Terms & Definitions
WISLACODE SOLUTIONS PROSTA SPÓŁKA AKCYJNA – a legal entity, resident of the Republic of Poland, KRS: 0001062722, NIP: 7011168327, REGON: 526639858, with an address at ul. Stefana Batorego 18/108, 02-591 Warsaw, Poland.
GDPR – Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
DPIA – Data Protection Impact Assessment, an assessment of the impact of the envisaged processing operations on the protection of personal data as outlined in Article 35 of the GDPR.
RoPA – Records of Processing Activities.
SCC – Standard Contractual Clauses between controllers and processors for data transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
TIA – Transfer Impact Assessment, an assessment of the laws and regulations of a third country outside of the EU/EEA, as stated in clause 14 of the SCC.
Website – https://wislacode.com/.
Data Processing Agreement – an agreement between a controller (our customer) and a data processor (us).
Employees – the Company’s internal employees as well as independent contractors working under the Company’s direct authorization.
- Scope
This Data Protection Policy applies to all activities and processes within the Company that involve the collection, storage, processing, or sharing of personal data. It encompasses all data processing activities carried out by our employees, contractors, and third-party service providers acting on our behalf. The scope of this policy extends to all types of personal data, whether collected from customers, employees, Website users, or any other data subjects with whom we interact.
Subject-matter-wise, this policy covers, but is not limited to, the following categories of personal data:
- Customer Data: Personal data collected and processed on behalf of our customers to deliver services and meet contractual obligations;
- Employee Data: Personal data collected from our employees and job applicants during the course of employment, recruitment, and HR-related activities;
- Marketing and Sales Data: Personal data collected through our marketing campaigns, sales activities, and communications, including cookies and tracking technologies;
- Third-Party Data: Personal data obtained from third-party sources, such as vendors, partners, affiliates or publicly available databases, when necessary for our legitimate business interests.
To ensure the Company’s compliance with the aim of the Data Protection Policy, the following controls are also included in the scope of this document:
- Data Security: Measures in place to protect personal data, including access controls, encryption, and incident response procedures;
- Data Subject Rights: Procedures for facilitating the exercise of data subject rights, including access requests, rectification, erasure, and data portability;
- Data Retention and Deletion: Guidelines for the retention and deletion of personal data in accordance with legal requirements and business needs;
- Data Sharing: Protocols for internal and external sharing of personal data with third parties, ensuring their compliance with data protection principles;
- Training and Awareness: Ongoing training and awareness programs to educate employees and stakeholders about applicable data protection and privacy provisions;
- Policy Compliance: Mechanisms for monitoring and enforcing compliance with this policy, including reporting breaches and conducting audits as well as the position of Data Protection Officer.
This policy applies to all employees and individuals involved in the processing of personal data on behalf of the Company, and non-compliance may result in respective disciplinary action.
- Principles Relating to Processing of Personal Data
Our commitment to data protection is underpinned by a set of fundamental principles that guide our every action when handling personal data. These principles serve as the cornerstone of our approach to data processing, ensuring that we not only meet regulatory requirements but also uphold the highest ethical standards. In this section, we outline the core principles that govern our data processing activities, providing transparency and clarity on how we collect, use, and safeguard personal data. By adhering to these principles, we demonstrate our unwavering dedication to respecting the privacy and rights of the individuals whose data we process.
4.1. Lawfulness and Legal Basis
The lawfulness principle essentially requires that the processing of personal data have a legitimate and lawful basis. In addition to the legal basis, we also have to ensure additional legal safeguards in the case of special categories of personal data, including health data, racial or ethnic origin, and religious beliefs.
When processing the personal data of children, we must obtain parental or guardian consent, or adhere to lower age limits as defined by applicable local laws.
We must also be able to demonstrate our compliance with the principle of lawfulness. This includes maintaining records of the legal basis for each processing activity, which is described in more detail in section 10 of this Policy.
4.1.1. Legal Basis and Customer Data
When it comes to processing Customer Data, we recognize that the legal basis for processing such data may differ from the typical scenarios involving personal data. We process Customer Data on behalf of our customers using our tools and other applicable products and services, and in such cases our actions are guided by the contractual agreements (e.g., Terms of Services) as well as by the Data Processing Agreements we have with our customers. Therefore, processing Customer Data does not require a legal basis in the context of applicable privacy and data protection regulations.
4.1.2. Legal Basis and Employee Data
We are committed to ensuring the protection and privacy of our employees’ personal data. To maintain compliance with applicable data protection regulations, we rely on several legal bases for processing employee personal data depending on the use case. These legal bases are essential to justify and govern the collection, use, and retention of personal data in our organization.
Before a formal employment relationship is established, we may process personal data for recruitment activities. This includes collecting and assessing candidate information to evaluate their suitability for the position. This processing is essential for us to make informed decisions about potential hires and to fulfill the necessary steps before entering into an employment contract. Therefore, within our operational recruitment activities we rely on taking steps prior to entering into an employment agreement (i.e., Article 6(1)(b) of GDPR).
In cases where a candidate’s application is not successful, we may seek their consent to retain their CV and other application materials in our recruitment database. This consent allows us to keep the candidate’s information on file for future job opportunities or for reference. Therefore, within our potential recruitment activities we are relying on the consent (i.e. Article 6(1)(a) of GDPR).
Once an employment relationship is established, we rely on the employment agreement as a legal basis for processing employee personal data. This includes the management of HR-related activities such as payroll, benefits administration, performance evaluations, and career development. Processing under the employment agreement is necessary to fulfill our obligations as an employer and to provide a conducive working environment for our employees. Therefore, within our HR operations we are relying on the performance of a contract to which an employee is a party (i.e. Article 6(1)(b) of GDPR).
Some HR matters are subject to government oversight and regulation. In such cases, we may process employee personal data to meet statutory requirements and to cooperate with government authorities. This processing is essential to ensure compliance with legal obligations and to facilitate government-dependent HR initiatives. Therefore, for statutory HR matters we are relying on our compliance with a legal obligation to which we are subject (i.e., Article 6(1)(c) of GDPR).
4.1.3. Legal Basis and Marketing & Sales Data
We seek consent from users for any marketing and sales activities, including email marketing, newsletters, and promotional offers. Users have the option to opt in or opt out of receiving marketing communications from us at any time. Therefore, within our marketing- and sales-related processing operations we rely on consent as the applicable legal basis (i.e., Article 6(1)(a) of GDPR).
4.1.4. Legal Basis and Third-Party Data
While most of our interactions with third parties involve legal entities, we acknowledge that some third parties and affiliates may be individuals whose personal data we process. In these situations, privacy and data protection regulations apply, which consequently requires an appropriate legal basis for such processing activities. In cases where personal data of individuals is processed among third parties and affiliates, we rely on the performance of a contract in the form of our Terms of Services (i.e., Article 6(1)(b) of GDPR).
4.2. Transparency and Informing Obligations
Transparency and the duty of information are fundamental principles of our data protection practices. This section outlines our commitment to providing individuals with clear and comprehensive information regarding the processing of their personal data.
Data subjects have the right to be informed about the collection and processing of their personal data. We are committed to providing individuals with the necessary information to exercise their rights effectively. This includes details about the purposes of processing, the legal basis for processing, and any recipients of their data. This information will be provided at the point of data collection or as soon as possible afterward.
Individuals have the right to access their personal data held by the Company. We will provide data subjects with clear instructions on how to request access to their data, and we will respond promptly to such requests in accordance with applicable data protection laws (please see section 12 for further details on data subjects’ rights).
We will provide clear and accessible contact information for individuals to reach out to our Data Protection Officer or relevant department for inquiries, requests, or concerns regarding their personal data.
4.3. Purpose Limitation
We collect and process personal data only for specific and well-defined purposes that have been communicated to the data subject at the time of data collection. These purposes may include, but are not limited to, providing services, fulfilling contractual obligations, complying with legal requirements, or other legitimate business activities.
Where personal data processing relies on the consent of the data subject, we will ensure that the purpose for which consent is obtained is clear and easily understandable. Data subjects will be provided with a clear opportunity to grant or withhold consent.
We will not process personal data for purposes that are incompatible with the original purposes for which the data was collected. In the event that a change in purpose is required, we will assess the compatibility of the new purpose with the original purpose and ensure that the data subject is informed of this change. If necessary, we will seek additional consent from the data subject.
4.4. Data Minimization
We do not collect data that is excessive for the intended purpose. This ensures that we do not retain or process more data than required, reducing the potential impact on the privacy of data subjects.
Where processing relies on the consent of the data subject, we will ensure that the data subject is informed of the specific data required and the purposes for which it will be used. We will collect only the data that has been consented to and for the purposes explicitly agreed upon.
4.5. Data Accuracy
Data accuracy begins at the point of data collection. It is the responsibility of our employees, contractors, and data collection processes to ensure that the data collected is accurate and complete to the best of their knowledge.
We encourage data subjects to inform us of any changes to their personal data to ensure its accuracy. We will provide a clear and accessible mechanism for data subjects to submit update requests (please see section 12 for further details).
Where applicable and necessary, we will implement verification procedures to confirm the accuracy of the data collected. This may include cross-referencing data against reliable sources or conducting periodic checks.
We will train our employees and contractors involved in data entry to minimize errors and inaccuracies during the data input process.
We will conduct regular reviews of stored personal data to identify and rectify inaccuracies, inconsistencies, or outdated information. This review process is crucial to maintaining data accuracy.
- Privacy by Design and Privacy by Default
We emphasize both “Privacy by Design” and “Privacy by Default” principles in our approach to data protection.
Privacy by Design is a fundamental concept that underlines our commitment to ensuring that privacy considerations are at the core of our products, services, and systems. This means that, from the initial stages of planning and development, privacy is a primary consideration. Key elements of Privacy by Design include:
- processing only the minimum necessary volume of customers’, users’ and employees’ personal data;
- implementing robust security measures to protect data at every stage of its lifecycle, from collection to disposal;
- ensuring transparency in how we collect, use, and process personal data, providing clear and concise privacy notices and consent mechanisms;
- establishing clear roles and responsibilities for privacy compliance so as to ensure the Company’s full accountability;
- regularly assessing the impact of data processing activities on privacy and reviewing our practices to ensure ongoing compliance with data protection laws and regulations.
Privacy by Default complements Privacy by Design by ensuring that data protection measures are automatically in place, offering users the highest level of privacy protection without requiring additional action on their part. Key elements of Privacy by Default include:
- access to personal data is restricted to authorized personnel only, and data is only accessible on a need-to-know basis;
- whenever feasible, we use anonymization techniques to protect individual privacy while still achieving our business objectives;
- we use encryption to safeguard data both in transit and at rest, ensuring that data remains confidential and secure;
- data subjects’ control over their data is always a priority: we provide clear and easily accessible tools for managing their privacy preferences;
- a clear and well-defined data retention policy is maintained to ensure that personal data is not stored longer than necessary and agreed on.
- Deletion Routine
Data deletion is a crucial aspect of our data protection strategy. When personal data is no longer required for its original purpose, or when individuals withdraw their consent for its processing, we are committed to promptly and securely deleting that data. Our data deletion process includes the following key principles:
- we will delete personal data as soon as it is no longer necessary for the purpose for which it was collected or when the individual requests its removal, subject to any legal or regulatory obligations (timely removal);
- personal data is deleted securely to prevent unauthorized access, using industry-standard data wiping methods (secure erasure);
- we maintain an accurate inventory of personal data held, including its location and purpose, to facilitate efficient data deletion (data inventory);
- personal data stored in backups and archives is subject to the same deletion processes, ensuring that data is not inadvertently retained (backups and archives).
In cases where data no longer serves its original purpose but may be valuable for statistical or research purposes, we consider anonymization as an alternative to deletion. Anonymization involves the removal or alteration of personally identifiable information to prevent the identification of individuals while retaining the value of the data. Key aspects of our anonymization process include:
- anonymization is carried out by minimizing the data to the extent necessary, removing direct and indirect identifiers (data minimization);
- anonymization is performed using recognized techniques and standards to prevent re-identification (acceptable anonymization standards);
- we regularly review and assess anonymized data to ensure that it remains non-identifiable and to adjust methods if necessary (periodic review);
- anonymized data is subject to the same governance and access controls as identifiable data, ensuring its security and appropriate use (data governance).
- Data Security
Data security is a foundational aspect of our commitment to safeguarding all data, particularly personal data, throughout its processing. We adhere to the principles of data security as outlined in applicable legislation, this policy, and further corporate policies on cybersecurity technical and organizational measures, so as to ensure the confidentiality, integrity, and availability of processed personal data.
We continually enhance our security measures, aligning with industry best practices, and remain compliant with relevant data protection laws and regulations. Our robust data security measures are designed to protect data throughout its lifecycle, instilling trust and confidence among our customers, employees, users and partners.
- Data Sharing
Data sharing is an essential aspect of our operations. We recognize the importance of sharing data both within our organization and with external partners while ensuring the privacy, security, and compliance of personal data. This section addresses our approach to data sharing, with a focus on inter-company data sharing, and our strategy for international data transfers under applicable privacy regulations.
8.1. Inter-company Data Sharing
We adhere to the “need-to-know” principle when it comes to inter-company data sharing. This principle dictates that data is shared only with individuals or departments who require access for legitimate business purposes. This ensures that personal data is disclosed on a selective basis, minimizing the risk of unauthorized access.
In addition, we apply the “least privilege access” principle to inter-company data sharing, ensuring that employees are granted the minimum level of access required to perform their duties effectively. Access permissions are reviewed and granted based on the principle of least privilege, preventing unnecessary exposure of personal data.
Our approach to inter-company data sharing includes continuous user account management. This entails maintaining an accurate inventory of authorized users, regularly reviewing access rights, and promptly revoking access for individuals who no longer require it. Access rights are subject to periodic reviews to ensure they align with current job responsibilities.
8.2. International Data Transfers
International data transfers under applicable privacy regulations involve sharing personal data with entities outside the European Economic Area (EEA). To ensure compliance, we employ the following strategies when sending personal data outside the EEA:
- Standard Contractual Clauses (SCCs) + Transfer Impact Assessments (TIAs): When transferring data to countries without an adequate level of data protection, we use SCCs, approved by the European Commission, in our contracts to guarantee data protection standards. In addition to concluding SCCs, we conduct assessments of the recipient country’s legal framework and prevailing conditions to assess any additional risks associated with data transfers; or
- Adequacy Decision: Where applicable, we rely on adequacy decisions made by the European Commission, which recognize certain non-EEA countries as having an adequate level of data protection, allowing for data transfers without additional safeguards.
In exceptional circumstances not covered by the above mechanisms, we may utilize derogations as allowed by applicable privacy regulations:
- Explicit Consent: When data subjects provide explicit and informed consent for a specific data transfer;
- Necessity of Contract Performance: When a data transfer is necessary for the performance of a contract with the data subject or for pre-contractual measures taken at the data subject’s request;
- Public Interest or Legal Claims: When data transfers are required for the establishment, exercise, or defense of legal claims or for reasons of substantial public interest; or
- Protection of Vital Interests: When data transfers are essential for the protection of vital interests of the data subject or other individuals.
- Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) are a proactive and structured approach to identifying, assessing, and addressing potential data protection risks and concerns. This section outlines our approach to DPIAs within our organization.
DPIAs are conducted in the following circumstances:
- When we plan to undertake new data processing activities or launch new projects or services that involve the processing of personal data – new projects and services.
- When processing operations are likely to result in a high risk to the rights and freedoms of individuals (this determination is based on the nature, scope, context, and purposes of the processing) – high-risk processing operations.
Our DPIA process involves the following key steps:
- Data Mapping: identifying the personal data that will be processed, including its source, storage, and potential recipients.
- Risk Assessment: evaluating the potential risks to individuals’ rights and freedoms, such as unauthorized access, data breaches, or privacy violations.
- Necessity and Proportionality: assessing whether the data processing is necessary for the intended purpose and whether it is proportional to the objective.
- Consultation: where necessary, consulting with relevant stakeholders, including data subjects and regulatory authorities.
- Documentation: the DPIA process, findings, and any risk mitigation measures are documented and maintained for transparency and accountability.
After completing the DPIA, we implement necessary measures to mitigate identified risks. These measures may include enhanced security controls, data anonymization, or adjustments to data processing procedures. The DPIA is periodically reviewed to account for changes in data processing activities or new potential risks that may arise.
- Records of Processing Activities
Records of Processing Activities (RoPA) serve as a repository of essential information regarding how personal data is processed within our organization, encompassing details such as the purpose, data categories, data subjects, recipients, data flows, legal basis, retention periods, security measures, and data subject rights.
These records are regularly updated to reflect changes in our data processing operations and ensure continuous alignment with data protection regulations. By maintaining these records, we aim to uphold transparency and accountability in our data processing practices, demonstrate compliance with legal requirements, and provide a valuable resource for our organization to meet its data protection responsibilities.
These records are maintained in written form (including in electronic form), ensuring accessibility and accuracy. As per regulatory requirements, we are committed to making these records available to the supervisory authority upon request, further emphasizing our dedication to transparency and regulatory.
- Processing on Behalf
When we process personal data on behalf of our customers or partners, we act as a data processor, carrying out processing activities as directed by the data controller. Our processing services are designed to support the legitimate purposes of our customers while adhering to all relevant data protection laws and regulations.
Considered requirements regarding data controllers:
- Data controllers are responsible for defining the purposes and means of processing. We require data controllers to provide clear and specific instructions for data processing activities, ensuring they are lawful and comply with data protection regulations (General Responsibility).
- Data controllers are expected to conduct DPIAs when required, and we offer assistance in this process as necessary. This ensures that data processing activities are evaluated for potential risks to individuals’ rights and freedoms (DPIAs).
- Data controllers should be prepared to facilitate data subjects’ rights and requests related to the processing of their personal data. We assist data controllers in responding to data subject requests promptly (Data Subject Rights).
- Data controllers must ensure the confidentiality and security of the data they entrust to us for processing. We have security measures in place to protect personal data, but data controllers are expected to implement additional safeguards when necessary (Security and Integrity).
Considered requirements regarding data processors:
- As a data processor, we commit to processing personal data strictly in accordance with the instructions provided by the data controller and within the bounds of the law (Controller’s Instructions).
- We implement robust data security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. Data processors are also responsible for ensuring the confidentiality of the data they process (Security and Integrity).
- We assist data controllers in fulfilling data subject requests and rights related to the data we process. This includes responding to data subject access requests and requests for data erasure, rectification, or restriction (Data Subject Rights).
- Data processors must inform data controllers about any subcontractors involved in the processing activities and ensure that subcontractors meet the same data protection and security standards (Sub-Processors).
- In the event of a data breach, we promptly notify data controllers and work together to assess the impact, take appropriate remedial actions, and notify the relevant authorities when required (Data Breach Notifications).
- Data processors maintain records of processing activities as required by data protection regulations, ensuring transparency and accountability (RoPA).
- Data Subjects’ Rights
Data subject rights are fundamental to our data protection approach, and we are dedicated to ensuring their fulfillment. This section outlines the rights of data subjects and our obligations in relation to them.
We have established processes for handling data subject requests promptly and within the legally required timeframes. Data subjects can submit their requests via the provided contact information, and we are committed to verifying their identity before processing any requests.
- Right to Information and Transparency
Data subjects have the right to be informed about how their personal data is processed. We provide clear and concise information about data processing activities, including the purposes of processing, data categories, and any recipients of personal data.
- Right of Access
Data subjects have the right to access their personal data. Upon request, we provide data subjects with a copy of the personal data we hold about them, along with information about how it is being processed.
- Right to Rectification
Data subjects can request the correction of inaccurate or incomplete personal data. We promptly address such requests to ensure the accuracy of the data we hold.
- Right to Erasure (Right to Be Forgotten)
Data subjects have the right to request the deletion of their personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected or when consent is withdrawn. We assess and, if appropriate, fulfill such requests, taking into account our legal obligations to retain data for specific periods.
- Right to Restriction of Processing
Data subjects can request the restriction of processing in certain situations, such as when the accuracy of the data is contested or when processing is unlawful. We respect these requests and only process data in accordance with data subject instructions.
- Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller. We facilitate this right upon request, ensuring the portability of personal data.
- Right to Object to Processing
Data subjects have the right to object to the processing of their personal data, including processing for direct marketing purposes. We respect such objections and cease processing, except when there are compelling legitimate grounds for processing that override the data subject’s interests, rights, and freedoms.
- Rights Related to Automated Decision-Making and Profiling
We provide transparency about any automated decision-making processes and profiling that could significantly affect data subjects. We offer the right to challenge and seek human intervention in such cases.
- Right to Lodge a Complaint
Data subjects have the right to lodge complaints with the relevant data protection authorities if they believe their data protection rights have been violated. We cooperate with these authorities and provide support during any investigations or audits.
- Data Protection Incidents
We acknowledge that data protection incidents can transpire and are resolved through our structured incident response procedures. Data protection incidents encompass a variety of events, including data breaches, unauthorized access, or data loss, which may compromise the confidentiality, integrity, or availability of personal data.
With a designated incident response team, we promptly assess, classify, and contain incidents, taking necessary measures to mitigate the impact. In cases where data subjects’ rights and freedoms are at risk, we notify the affected individuals and relevant authorities in compliance with data protection regulations.
Our commitment to thorough investigation, documentation, remediation, and prevention underscores our continuous efforts to enhance data security and privacy. All incident-related records are meticulously maintained to ensure accountability, transparency, and regulatory compliance.
- Awareness and Training
We promote a culture of data protection awareness throughout our organization. This includes:
- ensuring that all employees are aware of and have access to our data protection policies and procedures;
- ongoing communication to employees and stakeholders about the importance of data protection, the latest developments in data protection laws, and the potential risks and consequences of data breaches;
- encouraging all employees to promptly report any potential data protection incidents, thereby fostering a proactive approach to incident response.
We provide comprehensive training programs for our employees and stakeholders to ensure a high level of understanding and compliance with data protection principles. These programs include:
- Onboarding Training: all new employees undergo data protection training during their onboarding process to familiarize them with our policies and best practices.
- Ongoing Training: regular, organization-wide training is conducted to keep employees and stakeholders updated on evolving data protection regulations and the latest industry trends.
- Role-Specific Training: tailored training programs for specific job roles that involve processing personal data, ensuring that employees are well-equipped to handle their responsibilities in compliance with data protection laws.
We evaluate the effectiveness of our awareness and training initiatives regularly, ensuring that employees and stakeholders are knowledgeable about data protection and compliant with our policies. Monitoring compliance is integral to our commitment to safeguarding personal data. We maintain records of all awareness and training activities conducted within our organization, including attendance records and certifications where applicable. These records support accountability and demonstrate our commitment to educating our workforce.
Our approach to awareness and training is iterative and adaptive. We continuously improve our training materials and methodologies to align with changes in data protection regulations and industry best practices. We are dedicated to staying current in the ever-evolving landscape of data protection.
- Organization
This section outlines our data compliance organization and the role of the Data Protection Officer (DPO).
Our DPO plays a pivotal role in ensuring data protection and compliance within our organization. The DPO’s responsibilities include:
- Providing guidance and expertise on data protection matters to the organization, its employees, stakeholders and external partners (Advisory Role);
- Monitoring the organization’s compliance with data protection laws and regulations (Monitoring Compliance);
- Overseeing and assisting in conducting DPIAs to assess and mitigate risks associated with data processing activities (DPIAs);
- Serving as the primary point of contact for data protection inquiries, concerns, and communications with data subjects and supervisory authorities (Point of Contact);
- Fostering data protection awareness and providing training to employees and stakeholders (Training and Awareness);
- Collaborating with supervisory authorities and facilitating audits or investigations when required (Cooperation with Authorities);
- Maintaining records of processing activities, data breaches, and incident responses (Record Keeping);
- Assisting in handling data subject requests and ensuring timely responses (Data Subject Rights).
We are dedicated to continuous improvement in our data compliance organization, staying updated on evolving data protection laws and best practices. Our goal is to adapt and enhance our data protection practices to meet the changing landscape of data protection and privacy.
- Amendments and Change Log
This Data Protection Policy is a living document that will evolve to meet the changing landscape of data protection and privacy. We will periodically review and amend this policy as necessary to reflect the latest developments in data protection.
To ensure transparency and accountability, a change log will be maintained, recording the date of each amendment, a summary of the change, and the name of the person responsible for the update. These records will be available for internal reference and to demonstrate our commitment to maintaining a current and robust Data Protection Policy.
It is important that all employees and stakeholders regularly check for updates to this policy and familiarize themselves with any changes. Your adherence to our policies and your commitment to data protection and privacy are essential to the success of our organization in safeguarding personal data.