Data Protection Policy

The Data Protection Policy outlines guidelines for the collection, storage, processing, and protection of personal data to ensure confidentiality and compliance with regulations such as GDPR and CCPA. It applies to all employees and contractors, emphasizing secure data handling, breach response protocols, and regular compliance audits. The policy mandates annual reviews and updates to adapt to regulatory changes and business needs.

Data Protection Policy

1. Purpose
The purpose of this Data Protection Policy is to establish guidelines for the collection, storage,
processing, and protection of the Company’s data to ensure confidentiality, integrity, availability,
and privacy.

2. Scope
This policy applies to all employees, contractors and other entities handling any personal data
for the Company.

3. Data Collection

● The Company must maintain Records of Processing Activities to ensure it has a
comprehensive overview of its processing of personal data.
● Data must only be collected for legitimate business purposes with clearly documented
legal bases in compliance with applicable data protection regulations.
● Personal data collection must follow data protection laws such as the GDPR, CCPA, or
other relevant regulations.
● Individuals must be informed of the purpose of data collection and, where required,
provide consent before data is processed.
● Data subjects must be provided with clear options to access, correct, or delete their
personal data.

4. Data Storage and Security

● Data must be stored securely using access controls to prevent unauthorized access.
● All third-party vendors, including cloud storage providers, must comply with security and
compliance requirements aligned with Company policies.
● Personal data must be stored only for as long as necessary to fulfill its purpose and must
be deleted in accordance with the Data Retention & Disposal Policy and the retention
periods indicated in the Records of Processing Activities.
● Wherever feasible, personal data must be encrypted both at rest and in transit using
strong encryption algorithms (e.g., AES-256 for data at rest, TLS 1.2+ for data in transit).
● Encryption keys must be securely managed and stored separately from encrypted data.

5. Data Processing and Handling

● Access to data must be granted based on the principle of least privilege (PoLP).
● Data must be anonymized or pseudonymized where possible to minimize exposure.
● Any third-party processing of data must be governed by contractual agreements
ensuring compliance with this policy and applicable laws, including the implementation of
Data Processing Agreements (DPAs) as required by GDPR.
● Data subjects must be informed of their rights under GDPR, including the right to
withdraw consent, the right to be forgotten, and the right to data portability.

6. Data Breach Response

● Any unauthorized access or disclosure of data must be reported immediately to the
Information Security Team.
● A formal incident response plan must be in place to address data breaches, including
immediate containment, notification obligations and forensic investigation.
● Documentation of data breaches must include scope, impact, response actions, and
mitigation strategies.

7. Compliance and Monitoring

● Regular audits and assessments must be conducted to ensure compliance with this
policy and applicable regulations.
● Employees handling sensitive data must receive periodic training on data protection best
practices and GDPR compliance.
● Non-compliance with this policy may result in disciplinary action or legal consequences.

8. Policy Review and Updates
This policy must be reviewed and updated annually or as required by changes in regulations or
business needs. Any updates must be communicated to relevant stakeholders and employees.