PERSONAL DATA PROTECTION POLICY
1. PURPOSE
The purpose of this document is to define the company’s obligations, as well as its policy on privacy and the protection of personal data.
IID Management is committed to meeting the requirements of the General Data Protection Regulation (GDPR) and recognizes the protection of personal data as a priority. The establishment of an environment of security and trust, both internally and externally, is a core principle of IID, and all necessary resources will be allocated to ensure this objective.
2. SCOPE
This policy applies to the processing of personal data carried out by the company.
3. RESPONSIBILITIES
Responsibility for the implementation of this policy lies with the Data Protection Officer (DPO) and the Information Security Incident Response Team, as defined in the relevant internal procedures.
4. PRINCIPLES RELATING TO PROCESSING
The company ensures compliance with the fundamental principles of the GDPR, both in current processing activities and in the introduction of new processing methods, including new information systems.
Specifically, IID ensures compliance with the following principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
5. DATA SUBJECT RIGHTS
Data subject rights are supported through appropriate procedures that ensure actions are taken within the timeframes defined by the GDPR.
These rights include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (“right to be forgotten”)
- The right to restriction of processing
- The right to data portability
- The right to object
- The right to object to profiling
6. LAWFUL BASIS FOR PROCESSING
It is the company’s policy to identify and document the appropriate legal basis for each processing activity, in accordance with the GDPR.
7. DATA PROTECTION BY DESIGN
The company adopts the principle of data protection by design and ensures that all new or significantly modified systems that collect or process personal data are assessed for their privacy impact before being introduced.
Where processing activities are likely to result in high risk to the rights and freedoms of individuals, a Data Protection Impact Assessment (DPIA) will be conducted.
Techniques such as data minimization, pseudonymization, anonymization, and encryption are applied where appropriate and feasible.
8. CONTRACTS INVOLVING PERSONAL DATA PROCESSING
The company ensures that all activities involving the processing of personal data within the context of partnerships are governed by documented agreements, including the terms required by the GDPR and applicable legislation.
With each processor or subcontractor, a data processing agreement under Article 28 GDPR is executed, including, among others:
- Scope and duration
- Purpose of processing
- Documentation of processing activities
- Prior authorization for sub-processing
- Provision of compliance documentation
- Immediate notification of any data breach
Access rights for employees, contractors, and third parties are revoked or reassessed when no longer required or upon termination of contractual relationships.
9. TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Where personal data transfers outside the European Economic Area occur, they are carefully assessed to ensure compliance with GDPR requirements and applicable legislation. Such transfers depend, in part, on the adequacy decisions of the European Commission regarding the level of data protection in the recipient country.
10. OBLIGATIONS OF PROCESSORS
Where the company acts as a data processor, it ensures a clear understanding of its obligations under GDPR and applicable legislation.
All personnel comply with GDPR requirements, as well as IID policies and procedures governing personal data management.
11. PERSONAL DATA BREACH NOTIFICATION
The company adopts a fair and proportionate approach when determining the measures required to inform affected parties in the event of a personal data breach. This is carried out in accordance with the Incident Management Plan, which defines the procedures for:
- Identification of the breach
- Assessment and evaluation
- Notification
- Documentation
Where notification to data subjects is required, it is carried out without undue delay and no later than 72 hours from the identification of the breach.
12. ACCESS AND SECURITY OF PERSONAL DATA
It is company policy to ensure the application of security principles in the processing, storage, access, and use of personal data.
Personnel are bound by internal policies and procedures that safeguard data privacy. Compliance with these procedures is a legal obligation, and violations may result in sanctions.
Processes relating to personal data are reviewed periodically.
13. DATA PROTECTION OFFICER
The company has appointed a Data Protection Officer (DPO). Contact: [email protected]