GDPR Privacy Policy

Protection Data Policy
INFORMATION TECHNOLOGY SERVICES DIVISION
VERSION 1.0

1. Overview

  • 1.1 This Policy The aim of this policy is to set forth the manner in which IELS will strive to ensure compliance with the General Data Protection Regulation 2016, as well as local legislation applicable to data protection (collectively referred to as “Data Protection Legislation”). The aim of Data Protection Legislation is to protect the rights and freedoms of natural persons (excluding, therefore, companies and similar legal persons) and to ensure that their personal data is not processed without their knowledge and, whenever possible, that it is processed with their consent. Schedule 1 to this policy explains a number of commonly used terms which are crucial to a proper and full understanding of the scope of Data Protection Legislation. Stakeholders are urged to familiarize themselves with these terms.
  • 1.2 Application of Data Protection Legislation and this policy Data Protection Legislation applies to the processing of personal data wholly or partly by automated means (e.g. by computer) and to the processing other than by automated means of personal data (e.g. paper records) that form part of a filing system or are intended to form part of a filing system. Personal data which does not fall within these parameters is therefore excluded from the scope of Data Protection Legislation and, therefore, outside the scope of this policy and other policies adopted by IELS which are of relevance to Data Protection.
  • 1.3 Review of policy IELS is committed to reviewing this policy, as well as other policies related to Data Protection Legislation, at least once every calendar year, with a view to ensuring that they adequately cater for IELS’s needs. Other events, such as legislative changes or court judgements, may lead to revisions of this policy. It is the responsibility of the Data Protection Officer to initiate reviews as required in accordance with this policy. Policy changes will be subject to acceptance by the General Manager of IELS.
  • 1.4 Availability of Policy This policy, as well as other policies related to Data Protection, are not restricted documents and shall be made available to all persons employed with IELS. Indeed, employees of the IELS are expected to be familiar with its contents, and the Data Protection Controller is to promote awareness of these policies. They may, at the discretion of the General Manager, be made available to persons outside of IELS, such as subcontractors and suppliers.

2. Commitment to policy

  • 2.1 IELS is committed to compliance with Data Protection Legislation, and the protection of the rights and freedoms of individuals whose information IELS collects and processes in accordance with Data Protection Legislation. The aim of this document is to outline the manner in which this will be done. Other documents regulate the manner in which compliance with certain specific aspects of Data Protection Legislation will be achieved. A list of all documents connected to or relevant to compliance with Data Protection Legislation is set forth in Schedule 2 attached to this policy. This Schedule may be updated or amended from time to time. It is the responsibility of Data Protection Controller to ensure that this Schedule is updated as required to reflect policies in force at any particular time.
  • 2.2 This policy, as well as the policies listed in Schedule 2 of this policy, apply to the processing of personal data by IELS. Personal data includes data held by IELS on clients, employees, and suppliers.
  • 2.3 This policy applies to all employees of IELS. A breach of this policy will be taken seriously, and may constitute grounds for the issuing of a warning or, in certain cases, grounds for dismissal. Employees should be aware the Data Protection Legislation imposes, in certain instances, criminal sanctions for breaches.
  • 2.4 In cases where IELS entrusts third parties with the processing of personal data, appropriate contractual arrangements must be in place to ensure that (i) the third party adheres to confidentiality obligations; (ii) requires the third party to comply with Data Protection Legislation; and (iii) allows IELS the right to audit the third party to ensure such compliance. The Data Protection Controller shall be responsible for effectively communicating this requirement to management within IELS as is required.

3. Responsibility for compliance

  • 3.1 Responsibility for compliance with Data Protection Legislation rests, ultimately, with the GENERAL MANAGER of IELS. However, the GENERAL MANAGER exercises its authority through, and has delegated responsibility to the Data Protection Officer. This notwithstanding, the management of IELS is expected to play an active role in ensuring compliance with Data Protection Legislation and is expected to be conversant with the essential requirements emerging from it. Management is expected to work hand in hand with the person or persons responsible for compliance with Data Protection Legislation.
  • 3.2 The person delegated with primary responsibility for promoting compliance with Data Protection Legislation shall be the Data Protection Officer. The Data Protection Officer shall respond directly to the General Manager.
  • 3.3 The Data Protection Controller shall be responsible, on a day-to-day basis, for the following:
  • 3.3.1 Promoting compliance within IELS with all policies related to Data Protection Legislation;
  • 3.3.2 Periodic review of the same policies;
  • 3.3.3 Security and risk management in relation to compliance with the policy;
  • 3.3.4 Creation of awareness within IELS of the requirements of Data Protection Legislation.

3.4 From time to time IELS shall organise internal or external training courses for employees. Employees are expected to attend such training as and when requested.

4. Fundamental Principles of Data Protection

Data Protection Legislation provides that the processing of personal data is to be carried out in compliance with a number of principles. IELS is committed to ensuring that it complies fully with these principles. The principles are listed and explained below. Each of the principles is of equal importance; no principle takes priority over the other.

  • 4.1 Principle 1: Personal data must be processed lawfully, fairly and transparently Lawfulness: This means that IELS must ensure that a lawful basis for processing exists, for example that the consent of the data subject has been obtained, the processing is required for the purposes of fulfilling contractual obligations, etc. This ensures that data is processed lawfully. GDPR Auto is to be utilised for the purposes of recording the lawful basis of processing. Fairness: This means that IELS has to make certain information, as detailed further in this policy, available to its data subjects. Transparency: This means that the data subject must know why his data is being processed. It also means that IELS is to provide data subjects with certain information. When dealing with data subjects, IELS will communicate with data subjects using language which is easy to understand, is clear, and is free of legal jargon. IELS will strive to use privacy notices which are detailed and specific, and which comply with the principle of transparency. A sample privacy notice for use by IELS is included in this policy. This notice will require customisation depending on its contextual use, and for this purpose users of the privacy notice are required to liaise with The Data Protection Controller. Information which must be provided to data subjects includes the following: • the identity and the contact details of IELS • the contact details of Data Protection Officer, if any; • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing; • the period for which the personal data will be stored; • the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions for exercising these rights, such as whether the lawfulness of previous processing will be affected; • the categories of personal data concerned; • the recipients or categories of recipients of the personal data, where applicable; • where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data; • any further information necessary to guarantee fair processing.
  • 4.2 Principle 2: Personal data can only be collected for specific, explicit and legitimate purposes When obtaining personal data, the purpose for which the data is obtained must be specified. Personal data which is obtained for one purpose must not, according to Data Protection Legislation, be used for another purpose that differs from the purpose for which it was originally obtained. Schedule 3 of this policy sets out the processes to be followed for the purposes of ensuring compliance with this principle.
  • 4.3 Principle 3: Personal data must be adequate, relevant and limited to what is necessary for processing This means that IELS should not collect personal data which is not necessary for the purposes for which it is being obtained. IELS is aware that holding personal data, in effect, constitutes a risk and is therefore fully committed to ensuring compliance with this principle. Compliance with this principle requires both planning at the conceptual stage of any project entailing the collection of personal data, and ongoing review. It is the responsibility of persons driving projects to ensure that this principle is kept at the forefront of any project which will require the collection of personal data. Liaison with The Data Protection Controller is required in order to ensure that data collected does not exceed what is strictly required. The Data Protection Controller is required to review data collection sources on at least an annual basis to ensure compliance with this principle.
  • 4.4 Principle 4: Personal data must be accurate and kept up to date This means that personal data held must be subjected to periodic review and updated as necessary. GDPR Auto is to be utilized for the purposes of periodically checking with data subjects that data held is accurate and up to date. Data which is not accurate should – if not updated – be removed and securely destroyed. The Data Protection Controller is responsible for driving compliance with this principle. The Data Protection Controller is to ensure that appropriate procedures are in place to ensure that personal data is accurate and up to date. These procedures may vary depending on the nature of the personal data at issue, and other factors. Data subjects have a right to request that data held by IELS about them be rectified to ensure that it is accurate and up to date. These requests must be acted upon within one month in accordance with the policy applicable to Subject Access Requests. The Data Protection Controller is responsible for oversight of this process using, where applicable, the functionality available in GDPR Auto. The Data Protection Controller is to ensure that in cases where third parties have been given data which is not accurate or is not up to date, then these organisations will be informed of this and, if accurate and up to date information is obtained, will be passed on this information.
  • 4.5 Principle 5: Personal data should be stored in a way that the data subject can be identified only as long as is necessary for processing. This principle requires IELS to ensure that personal data is not kept longer than is necessary. When the purpose for which personal data is being processed is exhausted, then personal data is to be pseudoaonymized, anoymised or deleted. This principle also requires that data is not to be retained beyond what is strictly necessary. Retention periods for different types of data differ, and are established in a separate retention policy. It is the duty of The Data Protection Controller to then determine – liaising with other members of staff as necessary - whether deletion or anonymization is required, or whether there exists a circumstance justifying the retention of personal data beyond its retention period (e.g. the existence or threat of litigation, etc). Any such circumstances are to be recorded by The Data Protection Controller.
  • 4.6 Principle 6: Personal data must be processed in a secure manner This means that IELS is obliged to ensure that appropriate technical (e.g. password protection and firewalls) and organisation measures (training of staff and rules on use of personal devices) are in place to ensure that personal data is safe and secure. The Data Protection Officer will carry out a risk assessment taking into account all the circumstances of IELS processing operations. All company staff is required to follow policies in place to ensure compliance with this principle.
  • 4.7 Principle 7: Accountability This principle requires that IELS not only complies with the principle above, but is able to demonstrate that it does so.

5. Rights created by Data Protection Legislation

  • 5.1 Data Protection Legislation grants data subjects certain rights which IELS is obliged to uphold. These rights are a critical cornerstone of Data Protection Legislation and IELS is committed to upholding them in full.

6. Consent as a basis for processing Personal Data

  • 6.1 In many instances, IELS processes the personal data of data subjects on the basis of their consent. In order for consent to provide a proper legal basis for processing it must meet ALL of the following criteria:
  • 6.1.1 It must be explicit and must be freely given;
  • 6.1.2 It must be specific and informed;
  • 6.1.3 It must constitute an unambiguous confirmation of the data subject’s intentions. This can be either by a statement or by a clear unambiguous action. In other words, non-action or silence does not constitute consent.

6.2 In order for consent to form a proper basis of processing, it is also necessary to ensure that the data subject is fully aware of the intended processing that will happen with his data, and that he has agreed to this. Consent which is obtained as a result of pressure exerted on the data subject, or obtained in circumstances where the data subject will suffer some adverse effect if consent is not granted, is not valid consent.

6.3 Data subjects can withdraw their consent at any time.

6.4 For special categories of data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

6.5 Special considerations apply in cases where IELS processes data of persons under the age of 16 years for the provision of online services to these persons. In these cases, the consent of the parents or legal guardians of these persons must also be obtained.

7. Data Security and Safety

  • 7.1 All employees of IELS have an important role to fulfil in order to ensure that personal data is kept safe. In particular, personal data should not be disclosed to third parties without prior consultation with The Data Protection Controller.
  • 7.2 Employees are required to follow such policies which may be in force from time to time regulating data security and safety.

8. Retention and disposal of data

  • 8.1 IELS has in place policies which regulate the duration for which personal data is to be kept. These are to be implemented strictly. In the event of personal data being kept beyond its retention period, this must be justified and reason justifying the extended retention recorded.
  • 8.2 Personal data may only be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
  • 8.3 Personal data, when disposed, must be disposed of securely.

9. International Data transfers

  • 9.1 Data Protection Legislation regulates the transfer of data to countries outside of the European Economic Area.
  • 9.2 The transfer of personal data outside of the European Economic Area is prohibited unless one of the following conditions applies:
  • 9.2.1 An adequacy decision exists: in other words, the European Commission has determined that a country outside the European Economic Area offers an appropriate level of protection. This list is updated from time to time and can be found at the following link http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
  • 9.2.2 A Privacy Shield applies: this may apply in cases of transfer of personal data to an entity in the United States. A transfer may be permitted if the entity is signed up to the Privacy Shield, details of which may be found at the link above.
  • 9.2.3 Binding corporate rules: if IELS has adopted binding corporate rules for the transfer of data outside the EU;
  • 9.2.4 Model contract clauses: if IELS has adopted model contract clauses approved by the relevant supervisory authority.

9.3 In the absence of any of the above, a transfer of personal data to a third country can only take place if:

  • 9.3.1 the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data existing due to the absence of an adequacy decision and appropriate safeguards;
  • 9.3.2 the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • 9.3.3 the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • 9.3.4 the transfer is necessary for important reasons of public interest;
  • 9.3.5 the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
  • 9.3.6 the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

9.4 Personal Data transfers of the nature set forth in this paragraph are only to happen following consultation with the The Data Protection Controller.

Schedule 1 – Definitions

Personal data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data subject – any living individual who is the subject of personal data held by an organization.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior.

Schedule 2 – Privacy Policy

Purpose and Ownership

  • 1.1. The aim of this Schedule is to establish procedures which will assist IELS to ensure compliance with the principle that Personal Data can only be collected for specific, explicit and legitimate purposes.
  • 1.2. The Data Protection Controller is responsible for pro-actively promoting compliance with this procedure. However all employees are obliged to be conversant with it and to apply it in practice. It applies in all circumstances in which IELS collects personal data.
  • 1.3. The Data Protection Controller is responsible for ensuring that privacy notices are used as required and in accordance with this policy.
  • 2.3.7. the processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • 2.3.8. the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of law or pursuant to contract with a health professional and subject conditions and safeguards;
  • 2.3.9. the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of law
  • 2.3.10. the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Using Privacy Notices

  • 3.1. Privacy notices are a crucial tool in IELS’s efforts to comply with Data Protection Legislation. The primary aim behind privacy notices is to make data subjects aware of the reasons why their personal data is being collected, and how it will be used.
  • 3.2. An outline privacy notice is attached to this Schedule as Annex A. It is the responsibility of project drivers to ensure that projects entailing the processing of data make use of a privacy notice. Care is to be taken to ensure that the privacy notice is tailor-completed depending on the prevailing circumstances. Annex B contains a privacy policy for use on IELS’s website.
  • 3.3. The use of privacy notices is to be considered in all circumstances in which personal data will be processed. In cases where processing is based on the data subject’s consent, then the data subject should sign a separate privacy notice and a record of this retained. In other cases where, for example, processing is based on contract, then a privacy notice should be made available to the data subject and a signed copy obtained.
  • 4.1 In cases where personal data has been gathered from a source other than the data subject – and therefore the data subject is not aware of privacy notices – then IELS is obliged to provide the information contained in the privacy notice within not later than the following time frames:
  • 4.1.1 within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • 4.1.2 if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  • 4.1.3 if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4.2 However, if the clause 4.1 does not apply if

  • 4.2.1 If the data subject already has the information;
  • 4.2.2 If the provision of the above information proves impossible or would involve an excessive effort;
  • 4.2.3 If obtaining or disclosure of personal data is expressly identified by law; or
  • 4.2.4 If personal data must remain confidential subject to an obligation of professional secrecy regulated by law.