
Data protection policy

Last updated: September 7, 2024

Effective Date 03-Oct-2022

Action Media Solutions SAS takes its obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) and Data Protection Act 2018 very seriously and strives for the highest standards. 

Definitions

  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

  • Account means a unique account created for You to access our Service or parts of our Service 

  • Automated Decision-Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
  • Accountability Principle means that controllers will be responsible for, and be able to demonstrate compliance with the GDPR which requires the controller to implement appropriate technical and organizational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR, and review and update those measures where necessary.
  • Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
  • Breach: A “breach” is any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction or loss of Personal Data.
  • Consent: Consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
  • Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
  • Country refers to: France
  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Action Media Solutions, 2 Quater Rue Benoit Oriol 42400 St Chamond.

  • Content refers to content such as text, images, or other information that can be posted, uploaded, linked to or otherwise made available by You, regardless of the form of that content.

  • Data Processing Agreement means an agreement that forms part of the master agreement between a controller and a processor to reflect the parties’ agreement with regard to the processing of personal data, in accordance with the requirements of Data Protection Laws.

  • Data Protection impact assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.
  • Data controller: The organisation or individual that determines the purpose and means of data processing.
  • Data processor: An organisation or individual that processes data on behalf of a data controller.
  • Data Protection Legislation: “Data Protection Legislation” refers to both the General Data Protection Regulations (2018) and the Data Protection Act (2018).
  • Data Subject: “Data subject” means an individual who is the subject of the personal data.
  • Data Protection Impact Assessment: “Data Protection Impact Assessment” means a formal assessment of the impact of processing on the individual including the risks and any impact on their rights and freedoms.
  • Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.

  • Feedback means feedback, innovations or suggestions sent by You regarding the attributes, performance or features of our Service.

  • GDPR means the General Data Protection Regulation, being Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 

  • Gillick Competence – “whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding and the nature of the consent required. The child must be capable of making a reasonable assessment of the advantages and disadvantages of the treatment proposed, so the consent, if given, can be properly and fairly described as true consent.” (Gillick v West Norfolk, 1984)
  • Information Commissioner: The Information Commissioner oversees the implementation of Data Protection Legislation.
  • International organization means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
  • Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;
  • Orders mean a request by You to purchase Products from Us.

  • Privacy statement: A “privacy statement” is a document informing the data subject of the legal basis, purposes of processing etc.
  • Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Personal data: Any data relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and ‘process’ and ‘processed’ shall be construed accordingly.
  • Privacy Notices: separate notices setting out information that may be provided to data subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.
  • Products refer to the products or items offered for sale on the Service.

  • Promotions refer to contests, sweepstakes or other promotions offered through the Service.

  • Service refers to the Website.
  • Staff: Unless otherwise applicable, all references to staff include all current, past and prospective staff, full time, part time staff and Members of the Board of Governors as well as agency workers, temporary workers and contractors.

  • Special Category Data: “Special Category data” consists of personal data relating to:
    • ethnic origin,
    • physical and mental health (including, for example, details of the reasons for an individual’s sick leave),
    • sex life,
    • genetics
    • biometrics (where used for ID purposes)
    • religion or belief,
    • political opinion
    • Trade Union membership.
    • Greater protections are required when processing this data. Criminal conviction data should be treated with similar care.
  • Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;
  • Terms and Conditions (also referred to as “Terms”) mean these Terms and Conditions that form the entire agreement between You and the Company regarding the use of the Service.

  • Third-party Social Media Service means any services or content (including data, information, products or services) provided by a third-party that may be displayed, included or made available by the Service.

  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  • Website refers to YSP Publishing, accessible from yspweb.com

  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Purpose, Scope and Users

Action Media Solutions SAS, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates.  The Company takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.

This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.

The users of this document are all present or future employees, permanent or temporary, and all contractors working on behalf of the Company.

The Company is committed to a policy of protecting the rights and privacy of individuals (including staff, clients and others) in accordance with all Data Protection laws.

This policy ensures that the Company, our employees, associates, volunteers and (where applicable) subcontractors:

  • Comply with Data Protection Law and follow good practice.
  • Protect the rights of all data subjects.
  • Are open and transparent about how we process personal data.
  • Protect ourselves from the risks of a data breach.

The policy applies to all personal data processed regardless of where the data is stored and regardless of who the data subject is. 
 
As a matter of good practice, it is expected that other agencies and individuals working with Us (and have access to personal data) will have read and comply with this policy. A failure to comply with this policy may result in disciplinary action.
 
The Company needs to process certain information about its staff, clients and other individuals it has dealings with for a range of purposes and to comply with contractual and legal obligations. Clients and staff have the right to confidentiality and therefore information that identifies individuals should be shared only when there are clear and valid reasons for doing so. Whether personal information is collected and used on paper or electronically, it must be processed in accordance with the law.
 
 
 

General Data Protection Regulation

The Company is responsible for complying with the GDPR and its Data Protection Principles.

There are six lawful bases for the processing of personal data. At least one of the following must apply whenever The Company processes personal data:

  • Consent: the individual has given clear consent to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract with the individual, or because they have asked for specific steps before entering into a contract.
  • Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must further be processed only in line with one of the conditions specified in Article 9(2).
Where the processing is based on consent, the data subject has the option to easily withdraw their consent.
Where electronic direct marketing communications are being sent, the recipient should have the option to opt out in each communication sent, and this choice should be recognized and adhered to by us.
 

Data protection principles

There are six data protection principles defined in Article 5 of the GDPR. These require that all personal data be:
 

  • processed in a lawful, fair and transparent manner.
  • collected only for specific, explicit and limited purposes (‘purpose limitation’).
  • adequate, relevant and not excessive (‘data minimisation’).
  • accurate and kept up-to-date where necessary.
  • kept for no longer than necessary (‘retention’).
  • handled with appropriate security and confidentiality.

We are committed to upholding the data protection principles. All personal data under our control must be processed in accordance with these principles.

 

Our principles

The Company focuses pro-actively on compliance with data protection regulations and in addition, adheres to its own principles:

  • The Company staff are kept up-to-date and trained on data protection regulations and best practices for the safe handling of personal data.
  • The Company only deals with reputable organisations, and where there might be any grounds for suspicion it is alert to avoid being involved in what might be the improper use of personal data.
  • The Company adopts best practice in the administration and security of its computer systems and keeps up-to-date with technical developments and emerging risks to network integrity.
  • The Company monitors its computer systems and the personal data that they hold, which includes the access to and use of that data by its staff, in order to ensure that only relevant data is accessible for the roles of individual staff, that there is no misuse and that data is not put at risk.

The Company regards the lawful and correct treatment of personal information as very important to its successful operations, as it maintains confidence between those with whom it deals. To this end The Company will:
 
1.    Hold the minimum personal information necessary to enable it to perform its business
 
2.    Comply with both the law and good practice in the handling of personal data
 
3.    Treat all information about individuals, with respect and with regard to personal privacy
 
4.    Be open with individuals about how their personal data is collected, used and stored.
 
5.    Provide appropriate training and guidance to staff on the obligations under the Act
 
6.    Interpret the Act, and associated regulations, with regard to the relevant directives of the European Commission. In all cases the Company will have regard to the interests of the individual subject of the personal data and their rights (as set out on The Company Privacy Statement).
 
7.    Apply the data protection principles as the foundation for information management in the organisation.
 
Data Subject Rights
 
The GDPR includes the following rights for individuals:

  • The right to be informed, that is, the right to be told how their personal data is used in clear and transparent language.
  • The right of access to the personal data which is processed and information about how it is being used.
  • The right to rectification if personal data is inaccurate or incomplete.
  • The right to be forgotten or erased in certain circumstances where there is no reason for the Company to continue to process the data.
  • The right to restrict further processing of personal data.
  • The right to data portability of personal data between different service providers.
  • The right to object to certain types of processing
  • The right to purpose limitation. The right to limit the extent of the processing of their personal data.
  • The right not to be subject to decisions based solely on automated decision-making, including profiling.

Individuals have a right to make a ‘subject access request’ to gain access to personal information
that the Company holds about them. This includes:

  •  Confirmation that their personal data is being processed
  •  Access to a copy of the data
  •  The purposes of the data processing
  •  The categories of personal data concerned
  •  Who the data has been, or will be, shared with
  •  How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period
  •  The source of the data, if not the individual
  •  Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual

Subject access requests must be submitted in writing.
They should include:

  •  Name of individual
  •  Correspondence address
  •  Contact number and email address
  •  Details of the information requested

If staff receive a subject access request they must treat the request or, if they have concerns, forward it to their direct reports. 
 
When responding to requests, we:
 

  • May ask the individual to provide 2 forms of identification
  • May contact the individual via phone to confirm the request was made
  • Will respond without delay and within 1 month of receipt of the request. We may require further time (up to a maximum of 2 further months) if the request for information is complex – in this case, we will inform the data subject accordingly
  • Will provide the information free of charge

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee
that takes into account administrative costs.
A request will be deemed to be unfounded or excessive if it is repetitive or asks for further copies of
the same information.
When we refuse a request, we will tell the individual why, and tell them they have the right to
complain.
 

In addition to the right to make a subject access request and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:

  • Withdraw their consent to processing (if the lawful basis is consent of the data subject)
  • Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances)
  • Prevent use of their personal data for direct marketing
  • Challenge processing which has been justified on the basis of public interest
  • Request a copy of agreements under which their personal data is transferred outside of the European Economic Area
  • Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them)
  • Prevent processing that is likely to cause damage or distress
  • Be notified of a data breach (in certain circumstances)
  • Make a complaint to the relevant authorities
  • Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)

Individuals should submit any request to exercise these rights:

 

Reporting a personal data breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

All members of staff should be vigilant and able to identify a suspected personal data breach. A breach could include:

  • loss or theft of devices or data, including information stored on USB drives or on paper
  • hacking or other forms of unauthorised access to a device, email account, or the network
  • disclosing personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses
  • alteration or destruction of personal data without permission

The GDPR requires that we report to the Supervisory Authority any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the Personal data breach results in a high risk to the data subject, they also have to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialize, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform data subjects so that they themselves can take any remedial action.

We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the Supervisory Authority where we are legally required to do so.

If you know or suspect that a personal data breach has occurred, you should immediately follow the instructions in the personal data breach procedure. You must retain all evidence relating to personal data breaches in particular to enable Us to maintain a record of such breaches, as required by the GDPR.

Personal Data Breach Procedure

This procedure should be followed in the event of a breach of personal data. If you need guidance, please contact your immediate reports.

The scope of this data breach policy encompasses all personal and sensitive data our Company holds. This data breach policy applies to everyone at our company – including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers or other data processors who are storing or processing data on the behalf of our Company.

The purpose of this data breach policy is to contain all data breaches and to minimise the risks associated with any breaches. It also outlines the actions that should be taken in the event of a breach to ensure data is secure and to prevent further breaches. 

This procedure standardises the Company-wide response to any reported personal data breach incident, and ensures that such incidents are appropriately logged and managed in accordance with best practice guidelines and the General Data Protection Regulation and all relevant data protection law.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made
unavailable and this unavailability has a significant negative effect on individuals.

How to report a data breach 

All employees who access, manage or use data in any way are responsible for reporting a data
breach or any other type of security incident. This report should be made immediately to the
employee’s line manager, using the data breach reporting form.
This report must include full details of the incident or breach, when it occurred, who the data
relates to and how. It must also include details about the individual reporting the incident.
If a data breach or a data security incident occurs outside of normal company hours, or a data
breach or data security incident is discovered outside of normal company hours, it must be
reported as soon as possible.
Any violation of this data breach policy could result in disciplinary action procedures taking
place for company employees.

All information users are responsible for reporting actual, suspected, threatened or potential information security incidents, which include personal data breaches. Any notifiable breach must be reported to the Supervisory Authority without undue delay, but not later than 72 hours after the Company is aware of it, so prompt reporting is essential.

Managers are responsible for bringing this policy to the attention of members of staff in their area, including new staff.

Data breach containment and data recovery 

All necessary steps must be immediately carried out to minimize the effects of any data
security breach or data security incident. This process of containment should begin with an
initial assessment designed to establish the severity of the incident. The initial assessment
should also include analyzing whether there is any way to recover the lost data and mitigate
further risks associated with the incident.
Your initial assessment should include the following information: 

  • The data involved 
  • Whether the data involved is sensitive in nature 
  • The individuals affected 
  • The security measures that are in place to protect the data 
  • What has happened to the data 
  • Whether the data involved could be used in an illegal or otherwise inappropriate way 
  • Any perceived wider consequences associated with the breach or incident

    Further steps to take

    • Please try and rectify or contain the breach as best you can. 
    • Where individuals have received the personal data of others in error, they should be apologized to, be asked to delete the material without sharing it further, and be asked to confirm the deletion of the material.
    • If appropriate (high risk to the data subject), the data subject should be apologized to and notified of the nature of the data breach.

    All data breaches and data security incidents, both suspected and verified, must be recorded,
    to assist in further analysis and to help prevent further breaches. 

    If there has been clear negligence or intent with regard to any breach of the Data Protection Policy by members of staff, the Company will consider the circumstances and decide how best to handle the next steps. Where a staff member has been negligent without mitigation, this will be dealt with in accordance with the Company’s disciplinary procedures.

    This procedure will be revised and improved upon regularly.

    Approved: 04 October 2022


    International Transfers

    In accordance with the Legislation, the Company may not transfer personal data to countries outside of the European Economic Area (EEA) (the European Union Member States along with Iceland, Liechtenstein and Norway) unless the country or territory has an adequate level of protection for personal data.

    There are, however, a number of non-EEA countries recognised by the European Commission to have an adequate level of personal data protection (“approved countries”). Transfer of information to these countries will not breach the Data Protection Legislation.

    The Company may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. These adequate safeguards may be provided for by:

    • a legally binding agreement between public authorities or bodies;
    • binding corporate rules (agreements governing transfers made between organisations within a corporate group);
    • standard data protection clauses in the form of template transfer clauses adopted by the Commission;
    • standard data protection clauses in the form of template transfer clauses adopted by Supervisory Authority and approved by the Commission;
    • compliance with a code of conduct approved by the Supervisory Authority;
    • contractual clauses agreed and authorised by the Supervisory Authority

    The legislation permits that a transfer, or set of transfers, may also be made where the transfer is:

    • made with the individual’s informed consent;
    • necessary for the performance of a contract between the individual and the organization or for pre-contractual steps taken at the individual’s request;
    • necessary for the performance of a contract made in the interests of the individual between the controller and another person;
    • necessary for important reasons of public interest;
    • necessary for the establishment, exercise or defence of legal claims;
    • necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
    • made from a register which under EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

    Record Keeping

    The GDPR requires Us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consent and procedures for obtaining Consents, where Consent is the legal basis of processing.

    These records should include, at a minimum, the name and contact details of the Company as Data Controller and the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.

    Records of personal data breaches must also be kept, setting out:

    1. the facts surrounding the breach

    2. its effects; and

    3. the remedial action taken

     

    Data security

    The legislation requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organizational measures are used.

    All staff are responsible for ensuring personal data are kept securely and accessible only to those who need to use it. Appropriate security measures are to be taken to prevent accidental loss of, or damage to, personal data. This will mean the use of passwords or encryption for electronic documents and keeping papers under lock and key.

    The transport of personal data in any format (laptop, hard copy, memory stick etc.) should be avoided as far as possible. This applies especially to special categories data, large volumes of personal data, or information which could cause particular harm or distress if lost. Only in exceptional circumstances should this information be transported outside of the Company premises. Staff who do so should always ensure that it is kept with them at all times. Staff should:

    • Where possible use remote login to their Company account to access information as an alternative to transporting data.
    • Only carry the minimum amount of personal data (e.g. avoid carrying the whole file if only one document is needed).
    • It is the Company’s intention that all mobile devices (laptops, smartphones, tablets) and external storage media (USB sticks, external hard drives, DVDs, CDs, etc.) used to transport personal data and special categories data outside the Company will be secured by deploying strong encryption.

    When working remotely staff should:

    • Use secure remote access facilities (VPN) instead of carrying work home;
    • Never save documents containing personal data to a personal PC;
    • Consider that the means of connection may not always be secure.

    Sharing of Personal Data

    In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the Company.

    Further, without a warrant, the police have no automatic right of access to records of personal data, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. You should seek written assurances from the police that the relevant exemption applies. If you need guidance, please contact your direct reports.

    No subject data will be given over the telephone unless the identity of the caller is verified. If the caller is unknown to the organization, we will take a name and number and verify the caller’s identity before disclosing service user information.

    If a fax contains confidential information, ensure someone is at the receiving end waiting for it.

    Data Retention Policy

    The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
    When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
     
    Where the Company processes data on the basis of an individual’s consent, once consent has been withdrawn, our systems will be updated immediately and the personal data will be removed from use (as defined within the request for the withdrawal of consent) and will be deleted. For the performance of contracts, a defined period for the retention of data will be agreed with the data controller.
     
    Staff should regularly review their records to ensure that the documents they hold are destroyed within the relevant destruction time limit in accordance with the Records Retention Schedule.
     

    Accountability

    Although all staff in the Company have a responsibility to adhere to Our Data Protection Policy, the CEO has ultimate accountability for the Company’s compliance with Data Protection Law and is the person empowered to evaluate data protection policies and the implementation of those policies. The heads of departments have day-to-day responsibility for developing, implementing, and monitoring the policy.
     

    Training and guidance

    The Company is committed to providing staff with the knowledge and skills they need to fulfill their responsibilities with regard to Data Protection. 
     

    Contact

    If you have any questions about this document, you can contact your direct reports or email us at [email protected].