1. Principles of data protection

The Entity is dedicated to processing data in line with the GDPR's requirements.

According to Article 5 of the GDPR, personal data must be:

• processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, as well as accidental loss,

• destruction, or damage, by employing appropriate technical or organisational measures."

• processed lawfully, fairly, and transparently in relation to individuals;

• collected for specific, unambiguous, and lawful goals, and not further processed in a way that contradicts those purposes; further processing for public interest archiving, scientific or historical research, or statistical reasons shall not be deemed incompatible with the original purposes;

• adequate, relevant, and restricted to what is required in regard to the purposes for which they are processed;

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified as soon as possible, taking into account the purposes for which they are processed;

• processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing as well as accidental loss, destruction, or damage, using appropriate technical or organisational measures.

2. Provisions in general

• This policy covers all of the Entity's personal data processing.

• The Entity's continued compliance with this policy is the responsibility of the Responsible Person.

• At least once a year, this policy will be reviewed.

3. Processing that is legal, fair, and transparent

• The Entity must keep a Register of Systems to guarantee that its data processing is legal, fair, and transparent.

• At least once a year, the Register of Systems must be reviewed.

• Individuals have the right to access their personal information, and any requests made to the Entity will be responded to promptly.

4. Legitimate objectives

• Consent, contract, legal obligation, vital interests, public task, or legitimate interests are all legal bases on which the Entity may treat data.

• In the Register of Systems, the Entity must record the proper legal foundation.

• When consent is used as a legal basis for processing personal data, proof of opt-in consent must be stored with the personal data.

• Individuals should have the ability to revoke their consent when communications are made to them based on their consent, and systems should be in place to guarantee that such revocation is appropriately reflected in the Entity's systems.

6. Minimization of data

• Personal data must be adequate, relevant, and limited to what is essential for the purposes for which they are processed, according to the Entity.

7. Precision

• The Entity must take reasonable steps to ensure the accuracy of personal data.

• Steps must be taken to ensure that personal data is kept up to date if appropriate for the lawful basis on which data is processed.

8. Retrieval / archiving

• The Entity shall implement an archiving policy for each area in which personal data is processed and assess this process annually  to ensure that personal data is preserved for no longer than is necessary.

• What data should/must be retained, for how long, and why will be considered in the archiving policy.

9. Safety and security

• The Entity must ensure that personal data is stored safely and securely using up-to-date software.

• Personal data should only be accessible to those who require it, and sufficient security should be in place to prevent unauthorised information sharing.

• When personal data is removed, it should be done in a secure manner so that it cannot be recovered.

• Appropriate disaster recovery and backup systems must be in place.

10. Breach of contract

• In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the Entity shall assess the risk to people's rights and freedoms as soon as possible and, if necessary, report the breach to the appropriate authority and ultimate owner of the data to take the necessary corrective action.