1        Statement of intent

1.1     Goal of the data protection policy
It is of great importance that information and data we may store or use to fulfil our contractual obligations is done in accordance with applicable legal requirements and data protection laws.

We are committed to the lawful and correct treatment of personal information.

1.2     Related documents
This policy should be read in conjunction with the Privacy policy and any other policies that relate to personal data.

2        Principles of Data protection

2.1     Committment
The organisation is committed to processing personal data in accordance with the responsibilities under Data protection laws, including GDPR.

2.2     Lawful, fair and transparent
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.

We must have legitimate grounds for collecting and using the personal data and be transparent about how we intend to use the personal data. We must further give data subjects appropriate and fair processing notices when we collect personal data. We need to ensure that individual’s personal data is only used and processed as they would reasonably expect.

2.3     Lawful purposes
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with such purposes. We must be clear about why we are collecting personal data and what we intend to do with it.

We may however process the personal data for archiving or statistical purposes since such purposes and compatible with the initial purposes.

We may also anonymize the personal data and use such data for research. Once personal data is anonymized, it does no longer constitute personal data.

2.4     Data minimization
Personal data shall be adequate, relevant and limited to what is necessary in relation to purposes they were collected for.

We only process personal data that is relevant in relation to the specific registered person.

2.5     Accuracy
Personal data shall be accurate and kept up to date. We must ensure that inaccurate personal data is erased or corrected without delay.

2.6     Storage and archiving
Personal data may only be stored as long as it is necessary for the purposes of which the personal data was collected. After that, the personal data may be kept in a form that does not allow identification of the data subject.

We will consider the purpose in deciding how long to retain the personal data. We will also securely delete, update, archive and anonymize the information accordingly.

2.7     Security and breach
Personal data must be processed in a manner that ensures security of the data. We shall futher secure that the personal data is protected against unauthorized or unlawful processing and against accidental loss, destruction, disclosure or damage.

3        Data collection

3.1     Gaining consent
We will ensure that the personal data is collected in accordance with this policy and applicable data protection laws.

The rules and principles for collection shall apply regardless if the data is collected in person, in telephone, electronically or by completing a form or questionnaire.

When collecting data, we will ensure that there is a processing notice in place and that the registered person understands why the information is needed, what it will be used for and who the data may be shared with and why.

The registered person must also understand that he or she has the possibility to agree to share the data and cancel his or her approval at any time. We will further ensure that the consent is provided explicitly and that the registered person has enough information to give informed consent. Consent shall be provided by active choice electronically (accept button), by e-mail or otherwise in writing.

4        Data storage

4.1     Secure storage
Personal information shall be stored securely. Information may only be accessed by authorized personnel.

5        Security policy and responsibilities of the company

5.1     Data protection goals
We have defined and documented our data protection goals in a data protection policy.

Such policies are based on the data protection principles and are reviewed annually.

We have following data protection practices:

Data encryption: All data transfers that enter or leave our environments are encrypted and any sensitive data is encrypted at rest.

Frequent back-ups: All of our Production instances have volumes snapshots performed every night. All databases have full backups nightly and transaction log backups every 10 mins.

Access authorization: Access to all environments is authenticated and all users must have Multi-factor Authentication enabled. Access to to environments is roles dependent.

5.2     Roles and responsibilities
Data protection goals are managed by data protection team that consist of IT infrastructure management team members and members of the management team.

We will restrict and monitor access to sensitive data, use transparent data collection routines, train employees in privacy and security measures, build secure networks to protect online data from attacks, establish procedures for reporting incidents and communicate how we handle data.

The data protection team has the responsibility to continuously improve the data protection management and to ensure that employees and consultants are properly trained and are aware of the procedures to report any incidents and proposals for improvement.

5.3     Data protection breach reporting procedure
In the event of breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data, we will promptly assess the risk to individuals rights and freedoms and if appropriate report it to supervisory authorities.

6        Data access and accuracy

6.1     Retention, archiving and destruction
We will ensure that the personal data is stored securely using modern software that is kept up-to-date.

Access to personal data shall be limited to employees who need access. We will have appropriate security measures to avoid unauthorised sharing of information.

When personal data is deleted is will be dome safely such that the data is irrevocable.

6.2     Disclosure of information
We will share personal data with others only if it necessary for intended purposes.

The registered will be made aware how and with whom their information will be shared through use of clear processing notices located on the website.

7        Existing technical and organizational measures

7.1     Guideline for the rights of data subjects
We shall fulfill our obligations towards registered persons by informing them which of their personal data is collected, how we will process their data and who has access to their information.

We will have procedures for handling lost, corrupted and compromised data.

We shall always process personal data in accordance with the rights of registered persons under applicable data protection laws.

The registered has a right to; access a copy of the information comprised in their personal data, object to processing that is likely to cause damage, prevent processing for direct marketing, object to decisions being taken by automated means, have accurate data rectified, blocked, erased or destroyed. The registered has also right to claim compensation for damages caused by breach of applicable data protection laws.

7.2     Subject access request procedure
Upon receiving a request from a registered person for access to his or hers personal data, we will extract that data and provide to the requestor.

7.3     Physical security
Data is not stored physically.

Information is transferred via secure digital means.

While using mobile devices, data is secured via multi-factor authentication methods.

7.4     Data back-up
Data will be backed-up in anonymized format.

7.5     Information transfer and Communications security
Information shall be transferred in a secure manner. If information is transferred to countries outside EU/EES, then we ensure that such country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing of personal information.

In doing so, we observe the fact that European Commission has decided that certain countries have an adequate level of protection of personal data.

Our communications are secured using technology that requires MFA supported by strict data sharing policies enforced on our internal technology infrastructure.

7.6     Sub-processors

We will perform regular inspections and evaluation of data processing performed by our sub-processors to ensure that personal data is processed in accordance with applicable data laws and this data protection policy.

8        Documentation
We will perform regular inspections and evaluation of data processing performed by our sub-processors to ensure that personal data is processed in accordance with applicable data laws and this data protection policy.

8.1     We shall ensure that, when necessary or deemed suitable, our efforts and needs are documented by internal and external inspections.