In its current activity, GASPECO L&D uses certain identifiable personal data:
- Current, former and future employees;
- Website users;
- Other stakeholders or interested groups.
During its data collection and use process, this company is the subject of legal regulations and audits focused on how these activities are performed and how personal data is protected.
The purpose of this policy is to establish the relevant legislative framework and to describe the steps taken by GASPECO L&D in order to be in line with the legislation.
This policy applies to all systems, persons and processes involved in company’s infrastructure, including the administration members, directors, employees and third parties that have access to the GASPECO L&D system.
The general data protection regulation (GDPR) is a standard that influences how GASPECO L&D uses, processes and stores personal data. When breaches are found, fines are consistent as GDPR is intended to secure the personal data of individuals in the EU area.
The strategy of GASPECO L&D is to guarantee that alignment to and consistency with GDPR and other regulations are clear and verifiable.
Personal data: any information relating to an identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person etc.;
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
As per GDPR 2016 version, 7 were established for personal data processing and how companies should relate to these principles (Section II, Article 5.1)
5.1. Personal data must be:
a. Processed legally, correctly and transparently regarding the data subject;
b. Collected for specifically identified and legitimate purposes and not processed in a manner that is inconsistent with this purpose. Subsequent processing for archiving in public, scientific, historical or statistic interest must be consistent with the initial purpose (“scope limitations”) – Article 89(1);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”) Article 89(1);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. (“integrity and confidentiality”);
5.2. The controller shall be responsible for everything stated in paragraph 5.1, and be able to demonstrate compliance with the regulation (“accountability”)
Each GASPECO L&D employee involved in collection, storage and processing of data shall be liable as per laws in force.
Employees must ensure that:
Any request for access to personal data must be redirected to the management, to information and safety management supervisors.
GDPR provides the following individual rights:
Unless otherwise provided by GDPR, an explicit consent must be acquired from subjects for which data collection and processing is intended. In case of children under the age of 16, the consent must be acquired from parents. Subjects must receive a transparent notice concerning the purpose and method of data processing. Also, subjects must be informed on their rights. Such notification must be accessible, in clear language and free of charge.
Even if data is not acquired directly from the subject, the notice must be provided in a reasonable time interval that does not exceed one calendar month.
The organization must define the DPO function, which is mandatory as per GDPR if the organization is a public authority, if it performs large scale monitoring activities or if it processes personal data on large scale.
DPO must be properly trained and it may be an internal or external resource of the company.
Based on the above criteria, GASPECO L&D must appoint a DPO.
The GASPECO L&D policy is to adopt a correct behavior on actions required for notification of third parties on any personal data breaches. As per GDPR, if a breach is found that may have a potential risk for the individual rights and freedoms, the Data Protection Authority must be notified within 72 hours. This process shall be managed as per the Procedure for response to security incidents.
The following measures were taken to align GASPECO L&D to the GDPR requirements and to the liability arising thereunder:
- the legal grounds for personal data processing were brought to the knowledge of personnel clearly and without any ambiguity;
- A data protection officer (DPO) was appointed;
- The personnel involved in personal data processing understood its responsibilities to provide a proper data protection;
- Data protection training and documentations were provided to the entire personnel;
- The rule on consent is complied with;
- Procedures are in place that allow data subjects to exercise the rights set forth in GDPR, and an efficient management of requests for this purpose;
- Procedures related to personal data are reviewed periodically;