Data Protection Policy

Last updated 21 March 2026

1. Purpose

This Data Protection Policy outlines how the organization collects, uses, stores, and protects personal data in compliance with applicable data protection laws and regulations. It ensures that personal data is handled responsibly, securely, and transparently.

2. Scope

This policy applies to all employees, contractors, and third parties who process personal data on behalf of the organization. It covers all systems, processes, and activities involving personal data.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure).

  • Data Subject: The individual to whom the personal data relates.

  • Controller: The entity that determines the purposes and means of processing personal data.

  • Processor: A party that processes personal data on behalf of the controller.

4. Principles of Data Protection

The organization adheres to the following principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimization

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

5. Lawful Basis for Processing

Personal data will only be processed when there is a valid legal basis, including:

  • Consent

  • Contractual necessity

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

6. Data Collection and Use

  • Personal data must be collected for specified, explicit, and legitimate purposes.

  • Only data necessary for the intended purpose should be collected.

  • Data subjects must be informed about how their data will be used.

7. Data Storage and Retention

  • Personal data must be stored securely.

  • Data should not be retained longer than necessary.

  • Retention schedules must be defined and followed.

8. Data Security

The organization implements appropriate technical and organizational measures, including:

  • Access controls

  • Encryption

  • Regular security assessments

  • Staff training

9. Data Subject Rights

Data subjects have the right to:

  • Access their data

  • Rectify inaccurate data

  • Erase data (right to be forgotten)

  • Restrict processing

  • Data portability

  • Object to processing

Requests must be handled promptly and in accordance with legal requirements.

10. Data Breach Management

  • All data breaches must be reported immediately.

  • The organization will assess risks and notify relevant authorities and affected individuals where required.

11. Third-Party Processing

  • Third parties must comply with data protection requirements.

  • Contracts must include data protection clauses.

  • Due diligence must be conducted before engaging processors.

12. International Data Transfers

  • Personal data transferred outside the jurisdiction must be protected by appropriate safeguards.

13. Responsibilities

  • Management is responsible for ensuring compliance.

  • Employees must follow this policy and report any concerns.

  • A Data Protection Officer (if applicable) oversees compliance.

14. Training and Awareness

Regular training will be provided to ensure employees understand their responsibilities.

15. Policy Review

This policy will be reviewed regularly and updated as necessary.