Privacy and Personal Data Protection Policy

In its daily activities, DOUBIA S.A. uses a variety of data relating to identified individuals, including data related to:

  • Existing and former employees or external collaborators with a cooperation contract
  • Suppliers
  • Customers
  • Users of the websites of DOUBIA S.A.
  • Other interested parties

The purpose of this policy is to describe the relevant legislation and to set out the steps that DOUBIA S.A. follows to ensure its compliance with it.

This policy applies to all systems, people and processes of DOUBIA S.A., including board members, service managers, employees, customers, suppliers, vendors, partners, subcontractors and other third parties who have access to DOUBIA S.A. systems.

1. Privacy and Personal Data Protection Policy

1.1 The General Data Protection Regulation

The General Data Protection Regulation 679/2016 (GDPR) is one of the most important pieces of legislation determining how DOUBIA S.A. carries out activities that involve the processing of personal data. The GDPR is designed to protect the personal data of everyone in the European Union, and a breach of it is likely to result in significant fines. It is the policy of DOUBIA S.A. to ensure that compliance with the GDPR and other relevant legislation is clear and can be demonstrated at any time.

1.2 Definitions

The GDPR contains a total of 26 definitions, of which the most relevant to this policy are listed below:

‘Personal data’ is defined as:

any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ is defined as:

any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Controller’ is defined as:

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law.

1.3 Principles Governing the Processing of Personal Data

The GDPR is based on a number of basic principles, which are set out below:

  1. Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes, in accordance with Article 89(1) (“purpose limitation”);

(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods provided that they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), and provided that the appropriate technical and organisational measures required by the Regulation to safeguard the rights and freedoms of the data subject are implemented (“storage limitation”);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).

DOUBIA S.A. must ensure that it complies with all of these principles, both in its current processing operations and when introducing new processing methods, such as new information systems.

1.4 Individual Rights

The data subject also has rights under the GDPR. These include:

  1. The right to information
  2. The right of access
  3. The right to rectification
  4. The right of deletion
  5. The right to restriction of processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making about the individual and profiling.

Each of these rights of natural persons is supported by appropriate procedures of DOUBIA S.A. These procedures ensure that the necessary actions take place within the timeframes set by the GDPR, which are presented in Table 1.

Request of the data subject and the corresponding timetable:

  • The right to information: at the time the data are collected (if collected from the data subject) or within one month (if not collected from the data subject)
  • The right of access: one month
  • The right to rectification: one month
  • The right of deletion: without undue delay
  • The right to restriction of processing: without undue delay
  • The right to data portability: one month
  • The right to object: at the time the objection is received
  • Rights related to automated decision-making about the individual and profiling: not defined

TABLE 1 – TIMETABLES FOR DATA SUBJECTS’ REQUESTS

1.5 Consent

Unless the processing is permitted by the GDPR on another basis, explicit consent must be obtained from the data subject for the collection and processing of their data. In the case of children under the age of 16, parental/guardian consent must be obtained. Data subjects must be informed of their rights in relation to their personal data, such as the right to consent, at the time their consent is obtained. Information concerning the rights of data subjects should be easily accessible, free of charge, and written in clear language.

If the personal data are not collected directly from the data subject, this information should be provided within a reasonable period after the data are obtained, and in any case no later than one month.

1.6 Data protection from the design stage

DOUBIA S.A. has adopted the principle of data protection by design and will ensure that the definition and design of all new or significantly modified systems that collect or process personal data take due account of information security and data protection issues, including the carrying out of one or more data protection impact assessments (DPIAs).

The data protection impact assessment includes:

  • How the personal data are processed and for what purposes
  • An assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
  • Assessment of the risks to which individuals are exposed as a result of the processing of their personal data
  • The selection of the measures necessary to address the risks identified and to demonstrate compliance with the law
  • Consideration of techniques such as data minimisation and pseudonymisation, where their application is appropriate and possible.

1.7 Transfer of Personal Data

Transfers of personal data outside the European Union should be carefully examined before the transfer takes place, in order to ensure that they are carried out in accordance with the framework set by the GDPR. This depends in part on the assessment of the European Commission, as well as on the adequacy of the protection applied to personal data in the country receiving the data, which may change over time.

International data transfers within organisations should be subject to legally binding agreements that provide rights to the data subjects.

1.8 Data Protection Officer

The GDPR requires the appointment of a Data Protection Officer (DPO) if the organisation is a public authority, carries out large-scale systematic monitoring, or processes special categories of data on a large scale. The DPO must have an appropriate level of expertise and may either come from within the organisation or be an external partner.

Based on these criteria, we consider that the appointment of a Data Protection Officer is not necessary for DOUBIA S.A.

1.9 Breach notification

It is the policy of DOUBIA S.A. to inform all parties who must be informed in the event of a breach involving personal data, in a fair and proportionate manner. In line with the GDPR, when it becomes known that a breach has taken place that is likely to result in a risk to the rights and freedoms of individuals, the Personal Data Protection Authority (PDPA) will be informed within 72 hours. This will be done in accordance with DOUBIA S.A.’s Information Security Incident Management Procedure.

Under the GDPR, the competent PDPA has the authority to impose fines of up to 4 percent of annual global turnover or twenty million euros, whichever is greater, for a breach of the Regulation.

1.10 Implementation of compliance with the GDPR

The following actions have been taken to ensure that DOUBIA S.A. complies in all cases with the accountability principle of the GDPR:

  • The lawful basis for the processing of personal data is clear and unambiguous.
  • All staff involved in the handling of personal data understand their responsibilities and follow best data protection practices.
  • All staff are trained in data protection.
  • The obligations regarding consent are complied with.
  • Channels are available through which data subjects can exercise their rights in relation to their personal data.
  • Regular reviews of procedures relating to personal data are carried out.
  • Data protection by design is adopted for all new systems and processes and for major changes to existing ones.
  • The record describing each processing activity documents:
    • The name of the organisation and the relevant details
    • The purposes of the processing of personal data
    • The categories of individuals and of personal data processed
    • The categories of recipients of the personal data
    • The agreements and mechanisms under which personal data are transferred to countries outside the European Union, including details of the measures taken
    • The period of retention of personal data
    • The appropriate technical and organisational measures implemented.

These actions will be reviewed on a regular basis as part of the Privacy Program management review process.

CONTACT DETAILS

Contact line: 800 500 1800 (toll-free)

Doubia Chalkidikis

63037, Doubia

Contact Phone: +30 23710 92000

Email: info@doubia.gr

G.E.MI. 122004157000