Data Protection and Privacy Policy

The Data Protection and Privacy Policy (P17) sets forth a comprehensive framework for the protection of personal data and the implementation of privacy-by-design principles across the organization. This policy establishes the mandatory organizational and technical requirements necessary to comply with international standards and evolving regulatory frameworks, ensuring that personal data is handled in a lawful, secure, and transparent manner throughout its lifecycle. Coverage extends to all organizational units, personnel, and systems that process personal data, whether on physical or digital media, and includes cloud services, SaaS platforms, and mobile devices. The policy is explicit in its scope, clarifying that all employees, contractors, and third parties are subject to its requirements. All environments where personal data resides, production, development, test, or backup, are encompassed. The policy addresses not only the collection, storage, and use of personal data, but also the retention, disposal, cross-border transfers, and data subject rights handling. A central aim of the policy is to ensure compliance with leading regulations and standards: GDPR (Articles 5, 6, 12–23, 25, 28, 30, 32–34; Recital 78), EU NIS2, EU DORA, ISO/IEC 27001:2022 (Clauses 5.1, 6.1.3, 8.1, 10.1), ISO/IEC 27002:2022 (Controls 5.34, 8.10, 8.11), NIST SP 800-53 Rev. 5 (various controls), and COBIT 2019 (APO12, DSS01, DSS05, MEA). To this end, it mandates the assignment of roles and accountability structures: Executive Management ensures strategic oversight; the DPO orchestrates compliance processes, data subject rights enforcement, and interaction with supervisory authorities; and Security, Legal, Data Owners, and IT collaboratively implement technical and organizational safeguards, maintain registers, and manage breaches. The policy requires a formal Privacy Governance Framework integrated with the organization's ISMS for consistent enforcement. It delineates processes for maintaining privacy risk registers, conducting DPIAs for high-risk processing, and ensuring that privacy controls (from data minimization and pseudonymization to retention scheduling and secure disposal) are deeply embedded. Lawful processing and documented legal grounds are foundational, with explicit management of consent, data inventories, and cross-border data flows. Data subject requests are handled within set timelines and logged for traceability, and robust frameworks for breach management, exception handling, and third-party oversight are described in detail. Regular reviews, audit trails, and a requirement for annual (or ad-hoc) internal audits help ensure that the policy remains effective and responsive to regulatory change, audit findings, or major incidents. Each significant update must be approved by Executive Management and documented in the ISMS. This policy forms an integral part of the organization’s wider information security and risk management system, linking closely with complementary policies on incident response, risk management, classification, retention, data masking, and audit monitoring.