Data Protection Policy Controls
1.0 Definitions
Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss or alteration of – or to the unauthorized disclosure of, or access to – Personal data transmitted, stored or otherwise processed.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal data.
Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
Data Subject(s): means a natural person (i.e. an individual) who can be identified, directly or indirectly, in particular by reference to Personal data.
Data Transfer: means any act that makes Personal data accessible, whether on paper, via electronic means or the internet, or any other method, to any Third Party not linked in one way or another to Fincom Technologies.
Personal data: means any information relating to an identified or identifiable natural person. This may include an identifier such as a name or audio-visual materials, an identification number, location data or an online identifier; it may also mean information that is linked specifically to the physical, physiological, genetic, mental, economic, cultural or social identity of a Data Subject. The term also includes data identifying or capable of identifying human remains.
Processing: means any operation or set of operations – by automated and other means – that is performed upon Personal data or sets of Personal data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, or erasing.
Recipient: means a Third Party, public authority, agency or other body – that is, someone or something other than the Data Subject or Fincom Technologies – to which the Personal data is disclosed.
Sensitive Personal data: means specific Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Third Party: means a natural or legal person, public authority, agency or body other than the Data Subject or Fincom Technologies.
2.0 Purpose
Fincom Technologies Limited (hereafter referred to as ‘Fincom’) is committed to safeguarding and protecting Personal data of private individuals. Fincom is aware of the risks involved, and of the importance of having appropriate data protection standards in place.
In the scope of its operations, Fincom needs to gather and use certain information about individuals. These can include board members, suppliers, business contacts, visitors at Fincom, employees and other people the company has a relationship with or may need to contact.
Safeguarding the Personal data of all these persons is an essential aspect of protecting people’s lives, integrity and dignity. The Processing of Personal data touches all areas of Fincom’s activity, whether operational or administrative.
This Policy describes the principles to be followed when Processing Personal data. It also describes how these principles should be implemented and what needs to be done in case of a Data Transfer and Personal data Breach event in order to comply with reporting requirements.
The aim of this Policy is to:
- Comply with national data protection laws and regulations
- Protect the rights of data subjects
- Protect Fincom from the risks of Data Breach
- Protect Fincom from undesired legal sanctions which may include hefty fines
3.0 Scope of the Policy
This Policy applies to Personal data processed by Fincom. It applies to: staff members of Fincom, other Fincom stakeholders, anyone Processing Personal data under the name of Fincom or anyone using technology tools or systems provided by Fincom.
Further, it also applies to Fincom as a Data Controller or Data Processor with respect to Personal data relating to Data Subjects.
This policy comprises the nationally accepted data protection principles. The relevant national law will take precedence in the event that it conflicts with this Policy or it has stricter mandatory requirements than this Policy.
The content of this Policy must however also be observed in the absence of corresponding national legislation.
4.0 Principles of Data Processing
Fincom processes Personal data in a lawful and fair manner in relation to the Data Subject. Fincom only processes Personal data with respect to this Policy and applicable laws. In order to do so, Fincom ensures that a legal basis of Processing Personal data exists, such as the following:
Fincom ensures that consent is obtained from the Data Subject prior to Processing Personal data. This consent is obtained in writing or electronically for the purposes of documentation and is valid only if given voluntarily. If, for any reason, the consent of the Data Subject is not given before Processing Personal data, it should be secured in writing as soon as possible after the beginning of the Processing. Fincom takes particular care in Processing Sensitive Personal data and will only do so with prior consent of the Data Subject.
For collection of data relating to children, prior consent of a parent, guardian or any other adult person in authority will be needed to make decisions on behalf of the child.
Fincom may process Personal data without express consent if it is necessary to enforce a legitimate interest of Fincom or a Third Party, provided that interest is not overridden by the interests and rights of the individual. At Fincom, legitimate interest exists where there is a relevant and appropriate relationship between Fincom and the Data Subject, such as where the Data Subject is a member of staff, etc.
Fincom may process Personal data in order to enforce a contract entered into with the Data Subject or to comply with a contractual obligation.
In other cases, the Processing of Personal data may be necessary to comply with applicable law.
Fincom may process Personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in Fincom.
Fincom is to process Personal data in a transparent manner.
Communications with the Data Subject must be in clear and plain language, easily accessible and easy to understand. Fincom Personal data users must provide the Data Subject with sufficient information about the data Processing when Personal data is obtained.
When collecting Personal data, Fincom Personal data users will determine the specific purpose(s) for which data is processed, and only process it for those purposes. All Personal data collected should be clearly documented including the purpose for collection.
The Personal data handled by Fincom must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. This means that Fincom’s Personal data users should not process Personal data unless it is necessary to process it in order to achieve the purpose for which it was obtained.
Fincom’s Personal data users must ensure that Personal data kept on file is correct and kept up to date. Inaccurate or incomplete Personal data should be rectified or deleted. The exception to this principle would be the case when a legitimate interest exists to retain Personal data. Historical data, accurate at the time of collection, can be kept for as long as it is required to be kept. Once historical data is no longer necessary, it should be deleted.
Fincom’s Personal data users must treat Personal data in a confidential manner. They must ensure that Personal data is securely stored with suitable company and technical measures to prevent unauthorized or illegal Processing.
Fincom keeps Personal data for as long as it is necessary to perform its activities and as is required by applicable law. Personal data that is no longer useful to Fincom should be deleted if it has not been utilized for a period of 2 years, unless national legislation requires it to be retained for a certain period of time. Fincom will also delete Personal data if the Data Subject withdraws his or her consent for Processing, unless another legal basis of processing the Personal data exists which prevents Fincom from deleting the Personal data.
Fincom may store Personal data for archiving purposes for a determined period compatible with applicable laws.
5.0 Rights of the Data Subjects
Fincom respects rights conferred to Data Subjects to ensure protection of Personal data. These rights include:
At a minimum, Fincom’s Personal data users must provide the Data Subject with the following information when Personal data is being obtained:
- The purpose of Data Processing
- Third-parties to whom the data might be transmitted
- The existence of this present Policy
- The focal point for questions/concerns or complaints
This information should be communicated to the Data Subject even in cases where the Personal data was not obtained directly from the Data Subject.
The Data Subject may request which Personal data relating to him or her has been collected and stored, how the Personal data was collected, and for what purpose.
Disclosure of Personal data should not be automatic. Fincom’s Personal data users must consider all the circumstances surrounding the request for access and any restrictions to access that may be applicable. Access to Personal data will only be given to the Data Subject if his or her identity can be verified.
If Personal data is incorrect or incomplete, the Data Subject can request that it be corrected or supplemented. This will only be considered if the identity of the Data Subject can be verified. Upon verification of the allegation, Fincom will make the necessary change(s).
The Data Subject may request his or her Personal data to be deleted if the Processing of such Personal data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the Data Processing has lapsed or has ceased to be applicable for other reasons.
However, the right to erasure does not apply, and Personal data will continue to be retained:
- For the implementation of the Mission of Fincom
- If it serves a public interest
- For historical, statistical and scientific purposes
- For the establishment, exercise or defense of legal claims
- For other legitimate interests (legal and financial)
The Data Subject has the right to receive his or her Personal data in a structured, commonly used and machine-readable format and has the right to transfer such Personal data to another Data Controller provided the Processing was based on consent or was necessary for the performance of a contract and was carried out by automated means.
Where technically feasible the Data Subject may request Fincom to transfer his or her Personal data to another Data Controller.
A data subject has the right to notify Fincom to stop processing his/her personal data for purposes of direct marketing.
The Data Subject may object at any time, on compelling legitimate grounds relating to their particular situation, to the Processing of Personal data concerning them. Such objection will be accepted if the fundamental rights and freedoms of the Data Subject in question outweigh Fincom’s legitimate interests, or the public interest.
An objection to Personal data Processing does not apply if a legal, contractual or financial provision requires the Personal data to be processed.
The Data Subject has the right to restrict the Processing of his or her personal data where there exists a particular reason for the restriction. This means that the Data Subject can limit the way that an organization uses his or her Personal data. This may be because:
- The accuracy of the Personal data is contested by the Data Subject
- The Processing is unlawful and the Data Subject opposes the erasure of the Personal data and requests the restriction of their use instead
- Fincom no longer needs the Personal data for the purposes of the Processing, but the Personal data is required by the Data Subject for the establishment, exercise or defense of legal claims;
- The Data Subject has objected to the Processing pending the verification whether the legitimate grounds of Fincom override those of the Data Subject
The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
6.0 Fincom Commitments
It is the responsibility of Fincom management and Personal data users to ensure that Personal data processed for or on behalf of Fincom, is in compliance with this Policy.
It is the responsibility of Fincom Personal data users to ensure that Data Subjects:
- Understand that Fincom is bound by this Fincom Data Protection Policy to protect Personal data of Data Subjects participating in Fincom work;
- Consent to their Personal data being processed in the context of Fincom work;
- Agree that their Personal data could be transferred to countries with laws that may not provide as adequate a level of protection as in their country
- Are informed that they can contact Fincom in case of inquiries or complaints
Fincom Personal data users will ensure that Third Parties they allow to process Personal data:
- Agree to use the Personal data they access only in the context of Fincom work;
- Comply with this Policy and applicable laws. This is so even when the Fincom Personal data users provide access to Personal data to people within their network, Third Party or through social media and other online groups.
- Understand that they remain bound by these obligations with regard to Personal data/work undertaken while they were part of Fincom even after their contribution to Fincom work ends.
In particular, when Fincom collaborates with another entity in Processing Personal data, Fincom Personal data users will ensure that the responsibilities of all the parties concerned as described in this Policy or applicable law are outlined very clearly and set out in a contract or other legally binding arrangements.
In particular, while designing a database and drafting procedures for collecting Personal data, the principles of data Processing and the rights of data subjects stipulated in the present Policy must be taken into account and incorporated to the greatest extent possible.
Fincom Personal data users are to process Personal data in a manner that ensures an appropriate degree of security. This includes prevention of unauthorized access to or use of Personal data and the equipment used for data Processing. This relates in particular to access rights to databases, physical security, computer security and network security, the duty of discretion and the conduct of all Fincom Personal data users who have access to Personal data.
Fincom Personal data users undertake to store electronic equipment and Personal data safely. Fincom has implemented technical measures to ensure that Personal data stored electronically is protected from unauthorized access, accidental deletion and malicious hacking attempts. To the extent possible, Personal data should be stored on those systems, and Fincom Personal data users should avoid keeping Personal data on personal devices and should protect access to any system used with strong passwords. In cases where Fincom Personal data users are using external tools not provided by Fincom to process Personal data, they undertake to ensure that appropriate technical and organizational measures to protect Personal data are implemented prior to processing it, and should formally document such use and keep the documentation available for auditing purposes.
When Personal data is stored physically, or when Personal data usually stored electronically has been printed, it should be kept in a physically secure place where unauthorized people cannot see it. Documents containing Personal data should not be left where unauthorized people could access them and should be shredded and disposed of securely when no longer required.
In any case, when retention of Personal data is no longer necessary, all records should be securely destroyed.
Individuals whose mandate, employment relationship or any other type of relationship with Fincom has ended undertake to destroy any Personal data in their possession which this Policy applies to and will certify its destruction in writing (if required). For Fincom’s staff this will be done in accordance with the Human Resource Manual.
Any Personal data breach leading to the accidental or unlawful destruction, loss or alteration of – or to the unauthorized disclosure of, or access to – Personal data transmitted, stored or otherwise processed must always be reported.
In case of a Data Breach, Fincom will:
- Establish a team to investigate the Data Breach and develop a remedial plan
- Inform the persons affected of the Data Breach without undue delay according to national regulations
- Inform the relevant local authorities according to regulations
6.7.1 External Data Transfer
Fincom ensures that Personal data is only transferred to organizations that ensure an adequate level of protection. Should it be necessary to transfer Personal data to a Third Country that does not provide an adequate level of protection, Fincom will ensure that it maintains appropriate safeguards, such as entering into appropriate contractual clauses, in order to safeguard Personal data.
When transferring Personal data to a Third Party, Fincom Personal data users must ensure that:
- The Recipient will apply a protection level equivalent to or higher than this Policy
- Appropriate safeguards are put in place where a Third Country does not provide an adequate level of protection
- Processing by the Recipient is restricted to the purpose authorized by Fincom and
- Data Transfer is compatible with the reasonable expectations of the Data Subject
6.7.2 Data Transfer within Fincom’s systems
For the sake of clarification, Data Transfer within Fincom’s systems carried out between Fincom Personal data users is permitted and does not necessitate a written agreement provided the principles set out in this Policy are respected.
In order to demonstrate compliance with this Policy, Fincom maintains records on the categories of data processing activities within its scope. Fincom’s Personal data users not using technology systems provided by Fincom should formally document and keep the documentation available for compliance purposes.
7.0 Implementation
Effective implementation of these guidelines is crucial to ensure that individuals are able to benefit from the policy.
8.0 Authorized Processing
Fincom Personal data users must not use Fincom’s Personal data for private or commercial purposes or disclose it to unauthorized persons.
9.0 Reporting of non-compliance
Allegations of non-compliance with this Policy should be reported to the Chief Executive Officer.
10.0 Communication of the policy
Fincom’s staff may consult with their department heads if unsure of any aspects of this Policy. Management will ensure practical communication and training regarding this policy from time to time.
11.0 Modification of the Policy
This Policy may be updated from time to time and any modifications to this Policy must be in writing and approved by the Chief Executive Officer.