Data Policy

Introduction

In its daily business operations, ZANAE uses data related to identified individuals, such as:

  • Current, former and prospective employees or external partners with a collaboration agreement
  • Suppliers
  • Customers

The purpose of this policy is to describe the relevant legislation and outline the steps ZANAE follows to ensure compliance.

This policy applies to all systems, personnel, and processes of the company, including board members, directors, employees, customers, suppliers, partners, and other third parties with access to ZANAE’s systems.

The following policies and procedures are related to this document:

  • Data Protection Impact Assessment Procedure
  • Personal Data Mapping Procedure
  • Information Security Incident Response Procedure
  • Roles and Responsibilities concerning the General Data Protection Regulation (GDPR)
  • Logging and Data Protection Policy
  • Personal Data Protection Policy

General Data Protection Regulation (GDPR)

The General Data Protection Regulation 679/2016 (known as GDPR) is one of the most important pieces of legislation governing how ZANAE performs data processing activities. A violation of this regulation, which is designed to protect the personal data of individuals within the European Union, may result in significant fines. It is ZANAE’s policy to ensure that compliance with the GDPR and other relevant regulations is clear and demonstrable at all times.

Definitions

GDPR includes a total of 26 definitions, of which the most relevant to this policy are outlined below:

  • Personal Data: Any information concerning an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, through reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, psychological, economic, cultural, or social identity.
  • Processing: Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.
  • Data Controller: The natural or legal person, public authority, agency, or other body that determines, alone or jointly with others, the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law.

Principles Governing the Processing of Personal Data

GDPR is based on certain fundamental principles:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently concerning the data subject.
  • Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data Minimization: Data collected must be adequate, relevant, and limited to what is necessary.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  • Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
  • Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
  • Accountability: The data controller must be able to demonstrate compliance with these principles.

ZANAE ensures compliance with these principles in both current and future processing operations, including the introduction of new processing methods such as new IT systems.

Individual Rights

Data subjects have significant rights under GDPR, including:

  • Right to Information
  • Right of Access
  • Right to Rectification
  • Right to Erasure
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object
  • Rights related to Automated Decision-Making and Profiling

Each of the rights of natural persons is supported by appropriate company procedures. These procedures ensure that the necessary actions take place within the timeframes indicated in the GDPR.

These timeframes are presented in Table 1.

Data Subject Request                                        Timeframe
----------------------------------------------------------  ----------------------------------------------------------
Right to Information                                        At the time of data collection (if collected from the data subject) or within one month (if not collected from the data subject)
Right of Access                                             One month
Right to Rectification                                      One month
Right to Erasure                                            Without undue delay
Right to Restriction of Processing                          Without undue delay
Right to Data Portability                                   One month
Right to Object                                             At the time an objection is received
Rights related to Automated Decision-Making and Profiling   Without undue delay

Table 1 – Timeframes for Data Subject Requests

Legal Basis for Processing

There are five alternative ways to establish the lawfulness of processing personal data under the GDPR. ZANAE’s policy is to determine and document the appropriate legal basis for processing in accordance with the Regulation. The available options are summarized in the following sections.

Consent

Unless necessary for a reason permitted under the GDPR, ZANAE will always obtain explicit consent from a data subject before collecting and processing their data. Transparent information about the use of personal data will be provided to data subjects at the time of consent collection, explaining their rights, including the right to withdraw consent. This information will be presented in an accessible format, in clear language, and free of charge.

If personal data is not collected directly from the data subject, this information will be provided within a reasonable timeframe, and no later than one month after obtaining the data.

Contract Performance

When personal data is collected and processed for the performance of a contract with the data subject, explicit consent is not required. This typically applies when the contract cannot be fulfilled without the necessary personal data, such as providing an address for delivery.

Legal Obligation

If personal data must be collected and processed to comply with national or European legislation, explicit consent is not required. This may include employment and tax-related information or other legal obligations imposed on the company.

Vital Interests of the Data Subject

If personal data is required to protect the vital interests of the data subject or another natural person, this can serve as a lawful basis for processing. ZANAE will maintain reasonable and documented evidence whenever this reason is used as a legal basis for processing personal data.

Legitimate Interest

If the processing of specific personal data is in ZANAE’s legitimate interest and does not significantly affect the rights and freedoms of the data subject, this may be used as the legal basis for processing. The reasoning behind this decision will be documented.

Security of Your Personal Data

We recognize the importance of protecting personal data and implement appropriate technical and organizational measures to ensure its security. However, data transmission over the internet can never be 100% secure. While we take reasonable steps to protect your personal information, we cannot fully guarantee the security of data transmitted via our website.

To safeguard stored information, we have implemented security measures, including data encryption technology and firewalls, to prevent unauthorized access. Users are encouraged to report any suspected data breach or illegal behavior contrary to our terms of use to ZANAE’s Data Protection Officer using the contact details provided on our website. ZANAE is committed to addressing such issues and cooperating with regulatory authorities if necessary.

Links to Third-Party Websites

Our company cannot assume responsibility for how third-party websites linked to our own handle personal data protection and processing. Users should review the privacy policies of those websites before using them.

Data Protection by Design

ZANAE has adopted the principle of data protection by design. This means that when designing any new system—or significantly modifying an existing one—that collects or processes personal data, security and data protection measures will be incorporated from the outset. This includes conducting one or more Data Protection Impact Assessments (DPIAs) as needed.

The Data Protection Impact Assessment (DPIA) includes:

  • The manner and purpose of personal data processing.
  • An evaluation of whether the proposed data processing is necessary and proportionate to its intended purpose(s).
  • An assessment of risks to individuals due to the processing of their personal data.
  • The selection of appropriate measures to address identified risks and ensure compliance with legal requirements.

Techniques such as data minimization and pseudonymization are considered where applicable and feasible.

Transfer of Personal Data

The transfer of personal data outside the European Union (EU) is carefully reviewed before it takes place to ensure compliance with GDPR requirements. This assessment considers:

  • The adequacy of data protection in the recipient country, as determined by the European Commission.
  • The security measures in place for safeguarding the transferred data, which may evolve over time.

Breach Notification

ZANAE is required to notify affected individuals in a fair and proportionate manner in the event of a personal data breach.

In line with GDPR, if a breach is likely to compromise individuals’ rights and freedoms, ZANAE will inform the Data Protection Authority (DPA) within 72 hours. This will be done in accordance with the Information Security Incident Management Procedure.

Under the GDPR, the DPA has the authority to impose fines of up to 4% of the global annual revenue or €20 million, whichever is higher, for non-compliance.

GDPR Compliance Measures

ZANAE has implemented the following actions to ensure compliance with GDPR’s accountability principle:

  • Clearly defining and documenting the legal basis for data processing.
  • Appointing a Data Protection Officer (DPO) responsible for overseeing data protection within the organization.
  • Ensuring all personnel involved in data management understand their responsibilities and follow best practices.
  • Providing data protection training for all employees.
  • Complying with consent obligations where required.
  • Offering data subjects mechanisms to exercise their rights over their personal data.
  • Conducting regular reviews of data protection procedures.
  • Implementing data protection by design in new systems and significant changes to existing ones.

Processing documentation includes:

  • Organization name and relevant details.
  • The purposes of personal data processing.
  • Categories of data subjects and processed data.
  • Categories of data recipients.
  • Agreements and mechanisms for transferring personal data outside the EU, including implemented safeguards.
  • Data retention periods.
  • Technical and organizational security measures in place.

These compliance measures are regularly audited as part of ZANAE’s Data Protection Program review process.

Policy Updates

ZANAE reserves the right to modify or update sections of this Privacy Policy without prior notice. Users are encouraged to review the Privacy Policy before using the website to stay informed about the latest version.

Last Updated: November 2024