The purpose of this policy is the company legal and regulatory requirements under the GDPR and the Data Protection Act 2018 and the rights of data subjects.

2.2 Scope

All employees and third-party users.

Personal Data as defined by GDPR.

2.3 Principle

Personal data is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.

When SmartIT acts as a Person Implementing Rights under the Policy for the Exercise of Rights of Data Subjects of a MFG Group company, then after approving the request for exercise of rights, the DPO submits a ticket to SmartIT via the ticket system.

The types of data subject's rights under which SmartIT may play the role of a Person Implementing Rights (not required) are as follows:

Right to be informed
Right of access to personal data
Right to data portability
Right to rectification of personal data
Right to restriction of processing of personal data
Right to erasure of personal data

The DPO shall select the type of the ticket as ‘Application Support (Fix/Single Report)' and subtype as ‘FIX'. The response to the Request of the subject (customer, employee or other) or the details thereof in regard to the rights to be exercised, the data subject, statement of the legal advisors, as well as other details of the quality performance of the implementation of the request must be attached to the ticket.

The App Support Unit's employee processing the ticket shall verify if the necessary information to implement the ticket is available. If everything is available, the ticket shall be subject to implementation.

If any required information and approvals are missing, the DPO shall provide the necessary information and then proceed to the implementation of the ticket. The App Support Unit's employee shall proceed to its implementation and other SmartIT units are involved, if necessary.

Upon completion of the work related to the ticket and depending on the type of right to be exercised, the employee executing the ticket, receives system result, whether the execution was successful, and in case of unsuccessful one, the reason is described in the result. The result is provided to DPO.

When the ticket is implemented and checked, a reply shall be sent to the ticket system, and depending on the right to be exercised, the respective documents/reports, resulting files shall be attached and the ticket shall be closed. The results to be provided to the DPO for the different rights of the subjects are as follows:

Right to be informed - the result is in the form of a Report.
Right of access to personal data - the result is in the form of a Report.
Right to data portability - the result is in the form of a predefined file format.
Right to rectification of personal data - the result is a reply in the ticket saying that it is implemented.
Right to restriction of processing of personal data - the result is a reply in the ticket saying that it is implemented.
Right to erasure of personal data (anonymization of data) - the result is a reply in the ticket saying that it is implemented.

After implementing and receiving a reply in respect of the ticket, the DPO or a member of his/her team shall continue the activities related to fulfilling the request of the data subject in accordance with the Policy for the Exercise of Rights of Data Subjects of the respective company.

2.4 Data Protection Policy Statement

The company is classed as a Data Controller/Data Processor based on the context of the processes under the current UK Data Protection Act 2018. This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties. We have engaged in a programme of Information Security Management which is aligned to the international standard ISO27001 to ensure that the processes of personal information is conducted using best practice processes.

3 Legal Basis for Processing

Article 6 of the GDPR provides the legal basis under which Personal Data can be processed. Our legal basis for processing is documented in our Record of Processing Activities.

4 Data protection principles

The company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

To ensure adequate protection of the data of the Company and its customers, the Company implement all necessary technical and organizational measures provided for in the Personal Data Protection Act and Regulation 2016/679. The Company has established structures to prevent abuse and security breaches, and has also appointed a Data Protection Officer who supports the processes of protecting and ensuring the security of data. In order to ensure maximum security in the processing, transfer and storage of your data, the Company may use additional protection mechanisms such as encryption, pseudonymization, etc.

Article 5 of the GDPR requires that personal data shall be:

4.1 Lawfulness, Fairness and Transparency

processed lawfully, fairly and in a transparent manner in relation to individuals.

We have reviewed and documented the data that we control and or process and determined the legal basis for processing. We provide privacy notices and inform data subjects of their rights as well as what processing takes place, by whom, for how long and why.

4.2 Purpose Limitation

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.

We ensure we only process data for the purposes it has been collected and communicated and not for other reasons without the agreement and knowledge of the Data Subject(s).

4.3 Data Minimisation

adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

We ensure that data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct Data Privacy Impact Assessments as part of our project lifecycle.

4.4 Accuracy

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.

We ensure that data is reviewed and assessed for accuracy on a periodic basis and have implemented processes for the rectification and erasure of data without undue delay.

4.5 Storage Period Limitation

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

We have implemented a data retention policy and data retention schedule in line with legal, regulatory and company needs.

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

We have implemented an information security management system in line with ISO 27001 the International Standard for Information Security. We have a culture of information security and assess security controls and requirements throughout the project life cycle.

5 Personal Information Classification and Handling

Personal data classification and handling is in line with the Information Classification and Handling Policy.

6 Personal Information Retention

Personal data is retained and destroyed in line with the Information Classification and Handling Policy, Asset Management Policy, and the Data Retention Schedule.

7 Personal Information Transfer / Transmit

Personal data is transferred in line with the Information Transfer Policy and employees ensure the appropriate level of security in line with the policy and company processes.

8 Personal Information Storage

Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cryptographic Control and Encryption Policy, Backup Policy, and the Data Retention Schedule.

9 Breach

In the event of a breach of the principles of the Data Protection Act 2018 employees inform their line manager, and /or a member of the Management Review Team and/or Senior Management and invoke the Incident Management Process. Breaches are assessed and where appropriate and required the Data Subjects and / or the Information Commissioners Office are informed without undue delay.

10 The Rights of Data Subjects

10.1 The right to be informed

Individuals have the right to be informed about how we use their Personal Data. This includes:

The name and contact details of our organisation.
The name and contact details of our representative (if applicable).
The contact details of our data protection officer (if applicable).
The purposes of the processing.
The lawful basis for the processing.

10.2 The right of access

Individuals have the right to access their personal data.
This is commonly referred to as subject access.
Individuals can make a subject access request verbally or in writing.
We have one month to respond to a request.
We cannot charge a fee to deal with a request in most circumstances.

10.3 The right to rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
An individual can make a request for rectification verbally or in writing.
We have one calendar month to respond to a request.
In certain circumstances we can refuse a request for rectification.

10.4 The right to erasure (the right to be forgotten)

The GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as 'the right to be forgotten'.
Individuals can make a request for erasure verbally or in writing.
We have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
Once a year, the DPO shall submit a ticket to obtain a report of all subjects whose relationship with a given company in MFG group has ended before a certain number of years. The ticket shall be selected from ‘Application Support (Fix/Single Report) type and ‘Single Report' subtype.
On the basis of the report obtained, the DPO or a member of their team opens a ticket to erase (anonymize) the data of subjects which are provided a list attached to the ticket. The ticket shall be processed in accordance with the rules for the exercise of rights described in the previous paragraph 2.3 of this Policy.

10.5 The right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data.
This is not an absolute right and only applies in certain circumstances.
When processing is restricted, we are permitted to store the personal data, but not use it.
An individual can make a request for restriction verbally or in writing.
We have one calendar month to respond to a request.

10.6 The right to data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to information an individual has provided to a controller.

10.7 The right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
Individuals have an absolute right to stop their data being used for direct marketing.
In other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so.
We must tell individuals about their right to object.
An individual can make an objection verbally or in writing.

10.8 Rights in relation to automated decision making and profiling

Individuals have the right not to be subject to a decision when:

It is based on automated processing, and
It produces a legal effect or a similarly significant effect on them.

11 Definitions

To ensure the company understands its obligations to the protection of Personal Information, the following definitions apply and are based on current understanding of these terms within UK and European law, and specifically in Article 4 of GDPR.

11.1 Personal Data

Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

11.2 Sensitive Personal Data

Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Sensitive Personal Data includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

11.3 Data Controller

The natural or legal person, public authority, agency, or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.

11.4 Data Processor

A natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of a Data Controller.

11.5 Processing

An operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of the data.

11.6 Anonymization

Irreversibly de-identifying Personal Data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The Personal Data processing principles do not apply to anonymized data as it is no longer Personal Data.

12 Policy Compliance

12.1 Compliance Measurement

The information security management team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

12.2 Exceptions

Any exception to the policy must be approved and recorded by the Information Security Manager in advance and reported to the Management Review Team.

12.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

12.4 Continual Improvement

The policy is updated and reviewed as part of the continual improvement process.