GDPR Policy

GROUP DATA PROTECTION POLICY
1. Purpose and Legal Framework
1.1. Onetech Group Limited, together with its subsidiaries and affiliated companies (collectively referred to as the “Group”), is committed to conducting business with the highest standards of integrity across all its global operations.
1.2. To fulfil its business objectives, the Group must collect and use certain information about individuals. These may include customers, suppliers, business contacts, employees (the “Employees”), principals, and others with whom the Group has a relationship or may need to communicate.
1.3. This Data Protection Policy (the “Policy”) outlines how personal data must be collected, handled, and stored to comply with applicable laws and the Group’s data protection standards.
1.4. This Policy ensures that the Group:
(a) complies with applicable data protection laws and follows best practice;
(b) protects the rights of Employees, customers, business partners and other data subjects;
(c) is transparent about how it collects, stores and processes individuals’ data; and
(d) mitigates the risks associated with data breaches and unauthorized access.
1.5. This Policy shall be read in conjunction with the Group’s Code of Business Ethics and Conduct, Whistleblowing Policy, Anti-Money Laundering Policy and Anti-Bribery and Corruption Policy.
2. Applicable Data Protection Framework
2.1. The Group adheres to Regulation (EU) 2016/679 (General Data Protection Regulation) (hereinafter “GDPR”), applicable national data protection legislation of the Republic of Cyprus, and any other data protection laws applicable to the Group by operation of law.
2.2. The GDPR principles require that personal data must:
i. be processed lawfully, fairly and transparently;
ii. be collected for specific, legitimate purposes;
iii. be adequate, relevant, and limited to what is necessary;
iv. be accurate and kept up to date;
v. not be kept longer than necessary;
vi. be processed in accordance with the rights of data subjects;
vii. be protected by appropriate technical and organizational measures; and
viii. not be transferred outside the EEA unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.
2.3. For the purposes of the GDPR, the Group entities may act as data controllers, joint controllers or processors, depending on the nature of the processing activity.
2.4. For the purposes of this Policy, the terms “personal data”, “processing”, “data subject”, “controller”, “processor”, “recipient”, “personal data breach”, “special categories of personal data” and “supervisory authority” shall have the meaning given to them in the GDPR.
3. Scope of the Policy
3.1. This Policy applies to the entire Group, including personal data processed electronically, on paper or in any other form.
3.2. It applies to personal data that the Group holds in relation to identifiable individuals, including:
(a) Names;
(b) Postal addresses;
(c) Email addresses;
(d) Telephone numbers (business and personal);
(e) Health, financial and other sensitive data (in particular data processed by HR); and
(f) Any other information that can identify an individual.
4. Data Protection Risks
4.1. This Policy aims to mitigate risks, including:
(a) Confidentiality breaches: unauthorized disclosure of information.
(b) Failure to respect data subject rights, subject to lawful restrictions permitted under the GDPR or other applicable law.
(c) Reputation damage: loss or theft of data through external attacks or internal mishandling.
4.2. Special categories of personal data, including health data and criminal-related data, are processed only where strictly necessary and in accordance with Articles 9 and 10 of the GDPR, with enhanced safeguards.
5. Lawful Bases for Processing
5.1. The Group processes personal data only where a lawful basis exists under Article 6 of the GDPR, including performance of a contract, compliance with legal obligations, legitimate interests, consent where required, protection of vital interests, or tasks carried out in the public interest where applicable.
5.2. The Group applies data protection by design and by default in accordance with Article 25 of the GDPR.
6. Roles and Responsibilities
6.1. The Legal Department / designated data protection function is responsible for overseeing compliance with this Policy.
7. General Staff Guidelines
7.1. The only people able to access data covered by this Policy should be those who specifically need it for their work (on a “need-to-know” basis).
7.2. Data should not be shared informally. When access to sensitive data is required, Employees must request it from their line managers.
7.3. The Group provides training to all Employees to help them understand their responsibilities when handling data.
7.4. Employees should keep all data secure by taking sensible precautions and following the guidelines below:
(a) Strong passwords must be used on all devices used to access the Group’s information, and they should never be shared.
(b) Personal data should not be disclosed to unauthorized people, either within the Group or externally.
(c) Data should be regularly reviewed and updated if it is found to be out of date; if it is no longer required, it should be deleted and disposed of in a secure manner.
(d) Employees are encouraged to request help from their line manager or the Legal Department / Group Legal Director if they are unsure about any aspect of data protection.
8. Data Storage
8.1. These rules describe how and where data must be safely stored. Questions about storing data safely can be directed to the Legal Department / Group Legal Director.
8.2. When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
8.3. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
(a) When not required, the paper or files should be kept in a locked drawer or filing cabinet.
(b) Employees should make sure paper and printouts are not left where unauthorized people could see them, for example on a printer or open on top of an Employee’s desk when the Employee is absent.
(c) Data printouts should be shredded and disposed of securely when no longer required.
(d) Departments processing sensitive data, i.e. Finance, HR, Legal and IT, must have their doors locked when the office is unattended.
8.4. When data is stored electronically, it must be protected from unauthorized access, accidental deletion, and malicious hacking attempts:
(a) Data must be protected by strong passwords that are changed regularly (suggested period: every 3 months) and never shared between employees.
(b) If data is stored on removable media (such as a CD, DVD or USB stick), the media should be kept locked away securely when not in use.
(c) Encrypted USB sticks shall be distributed by the IT department upon request.
(d) Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
(e) Servers containing personal data must be sited in a secure location, away from general office space, and their doors must be kept locked at all times.
(f) Data must be backed up frequently. Those backups should be tested regularly, in line with the Group’s standard backup procedure.
(g) Data should never be saved directly to laptops or other mobile devices such as tablets or smartphones.
(h) All servers and computers containing data must be protected by approved security software and firewalls.
8.5. Personal data shall be retained only for as long as necessary for the purposes for which it is processed and in accordance with applicable legal, regulatory, contractual and operational requirements. Where appropriate, the Group shall maintain retention schedules and secure deletion procedures.
9. Data Use
9.1. Personal data is of no value to the Group unless necessary for the normal conduct of business. The Group does not sell or use personal data for purposes other than those necessary for the conduct of its business relationships. However, personal data may be at increased risk when it is legitimately accessed and used, and therefore requires heightened safeguards:
(a) When working with personal data, Employees must ensure the screens of their computers are always locked when left unattended.
(b) Personal data should not be shared informally. It should never be sent by email, even internally, unless it has been encrypted.
(c) Data must be encrypted before being transferred electronically. Guidance on secure data transfers may be obtained from the Legal Department / Group Legal Director or the designated data protection function.
(d) Personal data shall not be transferred outside the EU/EEA unless appropriate safeguards are in place in accordance with the GDPR.
(e) Employees should not save copies of personal data on their own computers.
(f) Always access and update the original source of any data.
10. Data Accuracy
10.1. The law requires the Group to take reasonable steps to ensure data is kept accurate and up to date.
10.2. It is very important that personal data is accurate, and the Group shall make every effort to ensure data accuracy. The Group may periodically request Employees to review and update their personal data.
10.3. It is the responsibility of all employees who work with the data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
(a) Data will be held in as few places as necessary. Staff must not create any unnecessary files or records.
(b) Staff will take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call, or by contacting them from time to time to request an update.
(c) The Group will make it easy for data subjects to update the information the Group holds about them, for instance via the Group’s website as well as by e-mail.
(d) Data must be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the databases.
(e) Relevant business functions are responsible for ensuring that marketing databases are maintained in compliance with applicable data protection requirements.
11. Subject Access Requests
11.1. Subject to the conditions and limitations set out in the GDPR and applicable law, data subjects may have the right to:
(a) be informed about the processing of their personal data;
(b) access their personal data;
(c) request rectification of inaccurate or incomplete data;
(d) request erasure of personal data;
(e) request restriction of processing;
(f) object to processing (including for direct marketing);
(g) data portability (where applicable); and
(h) withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
11.2. If an individual contacts the Group requesting this information, this is called a “subject access request”.
11.3. Subject access requests from individuals should be made by email, addressed to the designated data protection person.
11.4. Individuals will not be charged per subject access request. The data controller will aim to provide the relevant information within one (1) month of receipt of the request, subject to extensions permitted under applicable law.
11.5. The Group shall take reasonable steps to verify the identity of any individual making a subject access request before disclosing personal data, in accordance with the GDPR and applicable guidance.
11.6. Certain data subject rights may be restricted where permitted by law, including in connection with legal obligations, whistleblowing reports, anti-money laundering compliance or the protection of the rights of others.
11.7. Data subjects have the right to lodge a complaint with the competent supervisory authority, and to seek a judicial remedy, in accordance with the GDPR and applicable national law.
12. Personal Data Breaches
12.1. Any actual or suspected personal data breach must be reported immediately to the Legal Department / Group Legal Director. The Group shall assess without undue delay whether notification to the competent supervisory authority is required and, where required, shall make such notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR, and shall notify affected data subjects where required under Article 34 of the GDPR. All personal data breaches shall be documented, including the facts relating to the breach, its effects and the remedial action taken, in accordance with Article 33 of the GDPR.
13. International Transfers
13.1. Transfers of personal data outside the EEA shall only occur where lawful transfer mechanisms are in place, including adequacy decisions, Standard Contractual Clauses or other safeguards permitted under the GDPR, and, where required, additional technical and organisational measures to ensure an essentially equivalent level of protection.
14. Disclosing Information for Other Reasons
14.1. In certain circumstances, the GDPR allows personal data to be disclosed, for example to law enforcement agencies, without the consent of the data subject.
14.2. Under these circumstances, the Group will disclose the requested data. However, the relevant Group entity acting as data controller will ensure the request is legitimate, seeking assistance from the Board and from the Group’s legal advisers when necessary, including where disclosure is required in connection with anti-money laundering obligations, whistleblowing investigations or other statutory duties.
15. Governance and Accountability
15.1. The Group maintains records of processing activities and carries out data protection impact assessments where required by the GDPR.
15.2. Where required, the Group shall appoint a Data Protection Officer or designate an appropriate data protection function in accordance with Article 37 of the GDPR.
15.3. The Group adopts the principle of accountability and is able to demonstrate compliance with the GDPR through appropriate documentation, policies, procedures and controls.
16. Providing Information
16.1. The Group aims to ensure that individuals are aware that their data is being processed, and that they understand:
(a) how the data is being used; and
(b) how to exercise their rights.
16.2. To this end, the Group has one or more privacy notices, setting out in detail how personal data relating to individuals is processed, including the purposes of processing, categories of data, retention periods and applicable rights.
16.3. This Policy is reviewed periodically by the Legal Department / Group Legal Director.
16.4. This Policy is a statement of the Group’s data protection principles and governance framework and does not create contractual rights or obligations, nor does it override or replace applicable legal requirements.