1. Introduction
This is the procedures and policies manual of ConextQA. It sets out in detail every aspect of the company’s policies and procedures for data protection, giving the employees of ConextQA a thorough understanding of the different procedures and guidance on navigating the policies.
1.1 Object and Scope
This manual sets out how we seek to protect personal data and ensure that our personnel understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, the manual sets out certain basic principles that we, our employees and our hired consultants must follow when processing personal data (Clause 4) and contains instructions on what our employees and consultants shall consider in this regard. This manual applies to all employees and consultants.
1.2 Data Protection Framework
The General Data Protection Regulation (GDPR) is the framework used to ensure that all personal data collected by our organization in the course of its operations is properly protected and used responsibly, only for relevant purposes and only for as long as needed.
2. Data Protection Principles
Article 5 of the General Data Protection Regulation (GDPR) sets out the key principles for data protection. They are:
2.1 Lawfulness, fairness, and transparency
Each processing activity requires a legal basis. ConextQA will only collect, process, and share personal data fairly, lawfully, and for specified purposes. Typically, we process personal data when it is necessary
- for the performance of a contract with the data subject or to fulfill a request from the data subject, or
- to comply with a legal or regulatory obligation.
Personal data may also be processed when it is necessary for the purposes of a legitimate interest, such as maintaining our operational security and managing risks.
If a processing activity requires the prior consent of the data subject, we will obtain that consent before carrying out the processing and document it. We will record the legal basis relied upon for each processing activity in the records of processing activities.
2.2 Purpose Limitation
Organizations should only collect personal data for a specific purpose, clearly state what that purpose is, and retain the data only for as long as necessary to complete that purpose.
This means that we must:
- be clear from the outset why personal data is collected and what is intended to be done with it;
- comply with documentation obligations to specify the purposes;
- comply with transparency obligations to inform individuals about the purposes; and
- ensure that if personal data is disclosed or used for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent.
2.3 Data Minimisation
Personal data shall be adequate, relevant, accurate, up-to-date, and limited to what is necessary in relation to the purposes for which it is collected. It must not be processed in a manner incompatible with those purposes. Therefore, in addition to the deletion routines, we shall ensure that we use reliable sources when collecting the data, and we will not collect excessive data.
2.4 Accuracy
The accuracy of personal data is integral to data protection.
For this we:
- take reasonable steps to ensure the accuracy of any personal data;
- ensure that the source and status of personal data are clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to periodically update the information.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
2.5 Storage Limitation
Organizations need to delete personal data when it is no longer necessary.
- We have defined how long personal data is kept; this depends on the purposes for holding the data.
- Wherever possible, a policy sets standard retention periods in order to comply with documentation requirements.
- We periodically review the data we hold and erase or anonymize it when we no longer need it.
- We keep personal data for longer if it is held for public interest archiving, scientific or historical research, or statistical purposes.
Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
2.6 Integrity and Confidentiality (Security)
To ensure appropriate integrity, confidentiality, and security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, ConextQA has implemented certain security measures, including requirements on data protection by design and by default, which we are required to comply with. Those security measures shall be applied in the procurement, development, production and maintenance of systems (whether operated internally or procured as a service).
2.7 Accountability
We shall implement, comply with and apply this Manual and the Personal Data Protection Policy. Further, we shall carry out the training, monitoring, auditing, and other compliance activities related to the areas of data privacy, as described in this Manual.
3. Responsibilities
3.1 Managers or Department Heads
ConextQA believes that to be compliant with the mandates of the GDPR, efforts must be undertaken at every level of the company. Each manager of a department must assess the data issues and risks that are relevant to their own department. The manager must assess what data exists and whether it is permitted for use; filter out (including by deleting) data that is over-broad or otherwise not permitted; and establish procedures to identify and eliminate processes that expose ConextQA to risk.
3.2 Employees
Employees of ConextQA must ensure adherence to all principles of data processing enshrined in the GDPR. They must undergo training and keep up to date with new and existing technology and processes related to data and security.
4. Data Protection Guidance
ConextQA is responsible for and must be able to demonstrate compliance with the data protection principles by effectively implementing measures.
4.1 Record of data processing activities (ROPA)
ConextQA documents all personal data that is stored and processed. Hence, ConextQA maintains a record of all data processing activities involving personal data, as required by Article 30 of the GDPR. Such records are updated regularly. ConextQA is responsible for maintaining these Processing Records of the processing activities taking place.
4.2 Transparent information
ConextQA aims to maintain complete transparency and therefore informs data subjects fully about the processing of their personal data. ConextQA provides all relevant information in a concise, clearly written, and easily understandable format, and makes it easy to find. If ConextQA receives personal data about data subjects, we will notify them of this fact via a privacy statement or notification.
4.3 Data management
Collect
Personal data is only collected to achieve the processing purpose (data minimization). ConextQA has established the purpose applicable for every processing activity and will not collect any data that is not necessary or relevant for achieving such purpose.
Use
Personal data will not be used for any other purpose (purpose limitation), and we will only process personal data if there is a legal basis to do so (lawfulness of processing). In order to be lawful, the processing operations of ConextQA must be based on one of the following conditions:
- Consent of the data subject (e.g., opting to receive a newsletter and other forms of direct marketing);
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract (e.g., processing of employees’ data for the performance of the employee contract);
- Processing is necessary for compliance with a legal obligation (e.g., a tax authority requires ConextQA to provide certain personal information about employees and clients);
- Processing is necessary to protect the vital interests of a data subject or another person (e.g., the personal data of an employee is needed to be released to a medical practitioner to preserve life);
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a request by an official authority to the controller;
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party and does not unduly affect the interests or fundamental rights and freedoms of data subjects.
Delete
Personal data will not be stored for longer than necessary. ConextQA deletes personal data when any of the following conditions applies:
- The purpose for which the data was collected no longer applies;
- The data subject has withdrawn the consent that was the legal basis for processing;
- There is no overriding legitimate interest in continuing the processing;
- The data subject has objected to their data being processed for direct marketing purposes;
- The data was processed unlawfully;
- Deletion is required to comply with a legal ruling or obligation.
4.4 Employee awareness
ConextQA regards accountability as a high priority. To uphold it, ConextQA trains its employees appropriately to ensure compliance with GDPR mandates and informs them of the consequences of non-compliance.
4.5 Data subject rights
Under GDPR, the data subjects have been given several rights, which have to be protected as follows:
- Request access to personal data: Data subjects have the right to access, update, or request the deletion of the personal data we hold about them.
- Request correction of the personal data: Data subjects have the right to have any incomplete or inaccurate information about them corrected.
- Object to processing of personal data: Data subjects can object to our processing of their personal data. They also have the right to object where we are processing personal data for direct marketing purposes.
- Request erasure of personal data: Data subjects have the right to ask us to delete or remove their personal data when we no longer need the data for the purpose we collected it for.
- Request the transfer of personal data: We provide the data subject, or a third party they have chosen, with their personal data in a structured, commonly used, machine-readable format.
- Withdrawal of consent: Data subjects have the right to withdraw their consent to the usage of personal data whenever they wish to.
4.6 Direct Marketing
ConextQA can use the personal contact information of data subjects (name, surname, email, company name, job title, country of residence) to send direct marketing communications.
Such data can be collected from publicly available sources or through a third party with whom the data subject or their company has agreed to onward sharing.
ConextQA relies on its legitimate interest to inform the data subjects about its products and services. However, the data subjects have the right to object to such processing as mentioned above, and in this case, the personal data of such data subjects should no longer be used for direct marketing purposes.
ConextQA must also ensure that the third-party sub-contractors engaged to run our marketing campaigns commit to complying with our policies and applicable privacy laws.
4.7 Third-party disclosure
ConextQA can share the personal data of data subjects with third-party vendors, consultants, and other service providers who perform tasks on our behalf. We may be required to disclose information in response to valid requests by public authorities based on our legitimate interest or legal obligation. Further, if ConextQA is acquired, or goes out of business, or enters bankruptcy, or goes through some other change of control, personal data may be one of the assets acquired by a third party.
4.8 Data transfers
As a rule, ConextQA does not transfer the personal data of data subjects cross-border to third parties or to third countries. Such a cross-border transfer is permitted only in the following circumstances:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.
In such cases, transfer mechanisms such as Binding Corporate Rules (BCRs) and Codes of Conduct are important considerations.
4.9 Data breach notification
A personal data breach is a security breach leading to the accidental or deliberate loss, destruction, corruption, unauthorized disclosure, or alteration of personal data, which can cause material or non-material damage to individuals. A data breach must be reported to the supervisory authority within 72 hours.
4.10 Privacy by design and Privacy by default
ConextQA acknowledges that privacy by design and privacy by default are important requirements under Article 25 of the GDPR. To comply with them, ConextQA ensures that every action related to the processing of data subjects’ personal data takes data protection and privacy into account at every step, and that the strictest privacy settings are applied to every product by default, without requiring any input at a later stage.
4.11 Data Protection Impact Assessment (DPIA)
ConextQA aims to minimize risks to data subjects. A DPIA is a systematic method of assessing and documenting relevant data processing activities in order to ensure such protection for data subjects. It determines the risks of processing activities and identifies opportunities to mitigate or eliminate those risks.
Article 35 of the GDPR mandates conducting a DPIA in certain circumstances. A data protection impact assessment (DPIA) shall be conducted if specific processing of personal data (as carried out or intended) is likely to result in a high risk to the rights and freedoms of natural persons (as typically indicated by the general risk assessment documented in the Processing Records). ConextQA shall be responsible for performing DPIAs on the data processing activities carried out.
4.12 Security
ConextQA implements appropriate technical, organizational, and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Appropriate steps must be taken to maintain these measures at every stage.
4.13 Updating the Data Privacy Documents and Records
- Policies are reviewed each year. Updated versions are to be adopted by the Company’s Board of Directors where deemed necessary or appropriate.
- Routines are reviewed each year.
- Records are reviewed each year: records kept at the group level, and, by the department heads, records kept at the business unit level. If special events occur between the reviews, such as a data breach, the implementation of a new IT system, or a decision to broaden the scope of the business or the purposes for which the data is processed, the records shall be updated in connection with that event. The records shall be kept up to date and correct at all times.