1. Introduction

This is the procedures and policies manual of ConextQA. It is detailed and comprehensive, and lays down every aspect of the company's policies and procedures for data protection. This manual gives the employees of ConextQA a thorough understanding of the different procedures and guidance on navigating the policies.

1.1 Object and Scope 

This manual sets out how we seek to protect personal data and ensure that our personnel understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, the manual sets out certain basic principles that we, our employees and our hired consultants must follow when processing personal data (Clause 4) and contains instructions on what our employees and consultants shall consider in this regard. This manual applies to all employees and consultants.

1.2 Data Protection Framework

The General Data Protection Regulation (GDPR) is the framework our organization uses to ensure that all personal data collected by us in the course of our operations is properly protected, used responsibly for relevant and legitimate purposes only, and retained only for the necessary period.

2. Data Protection Principles 

Article 5 of the General Data Protection Regulation (GDPR) sets out the key principles for data protection. They are:

2.1 Lawfulness, fairness, and transparency

Each processing activity requires a legal basis. ConextQA will only collect, process, and share personal data fairly, lawfully, and for specified purposes. Typically, we process personal data when it is necessary 

Personal data may also be processed when it is necessary for the purposes of a legitimate interest, such as maintaining our operational security and managing risks.

If a processing activity requires the prior consent of the data subject, we will obtain such consent before carrying out the relevant processing activity and document it. We will record the legal basis relied upon for each processing activity in the records of processing activities.

2.2 Purpose Limitation

Organizations should only collect personal data for a specific purpose, clearly state what that purpose is, and retain the data only for as long as necessary to fulfil that purpose.

This means that:

2.3 Data Minimisation

Personal data shall be adequate, relevant, accurate, up-to-date, and limited to what is necessary in relation to the purposes for which it is collected. It must not be processed in a manner incompatible with those purposes. Therefore, in addition to the deletion routines, we shall ensure that we use reliable sources when collecting the data, and we will not collect excessive data.

2.4 Accuracy

The accuracy of personal data is integral to data protection. 

For this we:

Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.

2.5 Storage Limitation

Organizations need to delete personal data when it’s no longer necessary.

Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.

2.6 Integrity and Confidentiality (Security)

To ensure appropriate integrity, confidentiality, and security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, ConextQA has implemented certain security measures, including requirements on data protection by design and by default, which we are required to comply with. Those security measures shall be applied in the procurement, development, production and maintenance of systems (whether operated internally or procured as a service).

2.7 Accountability

We shall implement, comply with and apply this Manual and the Personal Data Protection Policy. Further, we shall carry out the training, monitoring, auditing, and other compliance activities related to the areas of data privacy, as described in this Manual.

3. Responsibilities

3.1 Managers or Department Heads 

ConextQA believes that to be compliant with the mandates of the GDPR, efforts must be undertaken at every level of the company. Each manager of a department must assess the data issues and risks that are relevant to their individual department. The manager must assess what data exists; whether it is permitted for use; filter out (including by deleting) data that is over-broad or otherwise not permitted; and establish procedures to identify and eliminate processes that expose ConextQA to risk.

3.2 Employees

Employees of ConextQA must ensure adherence to all principles of data processing enshrined in the GDPR. They must undergo training and must stay informed about new and existing technology and processes related to data and security.

4. Data Protection Guidance

ConextQA is responsible for and must be able to demonstrate compliance with the data protection principles by effectively implementing measures. 

4.1 Record of data processing activities (ROPA)

ConextQA documents all personal data that is stored and processed. Hence, ConextQA maintains a record of all data processing activities involving personal data, as required under Article 30 of the GDPR. Such records are updated regularly. ConextQA is responsible for maintaining the Processing Records of the processing activities taking place.

4.2 Transparent information

ConextQA attempts to maintain complete transparency and hence provides data subjects with full disclosure regarding the processing of their personal data. ConextQA provides all relevant information in a concise, clearly written, and easily understandable format that is easy to find. If ConextQA is in receipt of personal data about data subjects, we will notify them of this fact via a privacy statement or notification.

4.3 Data management

Collect

Personal data is only collected to achieve the processing purpose (data minimization). ConextQA has established the purpose applicable for every processing activity and will not collect any data that is not necessary or relevant for achieving such purpose.

Use

Personal data will not be used for any other purpose (purpose limitation), and we will only process personal data if there is a legal basis to do so (lawfulness of processing). In order to be lawful, the processing operations of ConextQA must be based on one of the following conditions:

Delete

Personal data will not be stored for a period longer than necessary. ConextQA will delete the personal data under one of the following conditions:

4.4 Employee awareness

ConextQA acknowledges that accountability is of high importance. Hence, to ensure it, ConextQA aims to appropriately train its employees to ensure compliance with GDPR mandates and to inform them of the consequences of non-compliance.

4.5 Data subject rights

Under GDPR, the data subjects have been given several rights, which have to be protected as follows:

4.6 Direct Marketing

ConextQA can use the personal contact information of data subjects (name, surname, email, company name, job title, country of residence) to send direct marketing communications.

Such data can be collected from publicly available sources or through a third party with whom the data subject or their company has agreed onward sharing.

ConextQA relies on its legitimate interest to inform the data subjects about its products and services. However, the data subjects have the right to object to such processing as mentioned above, and in this case, the personal data of such data subjects should no longer be used for direct marketing purposes. 

ConextQA must also ensure that the third-party sub-contractors engaged in marketing our campaigns also commit to complying with our policies and applicable privacy laws. 

4.7 Third-party disclosure

ConextQA can share the personal data of data subjects with third-party vendors, consultants, and other service providers who perform tasks on our behalf. We may be required to disclose information in response to valid requests by public authorities based on our legitimate interest or legal obligation. Further, if ConextQA is acquired, or goes out of business, or enters bankruptcy, or goes through some other change of control, personal data may be one of the assets acquired by a third party.

4.8 Data transfers

ConextQA cannot transfer the personal data of data subjects to third parties or to third countries when such transfers are cross-border. However, ConextQA can transfer data cross-border in certain circumstances, which are as follows:

In such cases, transfer mechanisms such as BCRs and Codes of Conduct, etc., are important considerations.

4.9 Data breach notification

A personal data breach is a security breach that can lead to accidental or deliberate loss, destruction, corruption, unauthorized disclosure, or alteration of personal data that can cause material or non-material damages to individuals. A data breach must be reported to the supervisory authority within 72 hours. 

4.10 Privacy by design and Privacy by default 

ConextQA acknowledges that privacy by design and privacy by default are important requirements under Article 25 of the GDPR. To comply with them, ConextQA ensures that every action related to the processing of the personal data of data subjects takes data protection and privacy into account at every step, and that the strictest privacy settings are applied to every product by default, without requiring any input from the data subject at a later stage.

4.11 Data Protection Impact Assessment (DPIA)

ConextQA aims to minimize risks to data subjects. A DPIA is a systematic method of assessing and documenting relevant data processing activities in order to ensure such protection for data subjects. It determines the risks of processing activities and identifies opportunities to mitigate or eliminate those risks.

Article 35 of the GDPR mandates conducting a DPIA in certain circumstances. A data protection impact assessment (DPIA) shall be conducted if specific processing of personal data (as carried out or intended) is likely to result in a high risk to the rights and freedoms of natural persons (as typically indicated by the general risk assessment documented in the Processing Records). ConextQA shall be responsible for performing DPIAs on the data processing activities carried out.

4.12 Security

ConextQA implements appropriate technical, organizational, and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Appropriate steps must be undertaken to maintain these measures at every step.

4.13 Updating the Data Privacy Documents and Records