Data Protection Policy
1. Introduction and background
The purpose of this Policy is to outline how Fenchurch Faris Ltd. has established measures to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). This policy is specific to FFL employees and to the processing and holding of personal data of data subjects residing in the EU or UAE.
The Policy contains two components:
- Measures to reinforce accountability and governance; and
- Measures to demonstrate the protection of the information rights of the data subject.
1.1. Policy principles
1.1.1. This policy requires that personal data shall be:
- Processed lawfully, fairly, and in a transparent manner in relation to individuals.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR and Data Protection Law in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.1.2. “The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2. Accountability and governance
This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with data protection laws. These measures have been designed to minimize the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
- Roles and responsibilities: the responsibilities of the Board, Data Protection Officer (DPO), information owners, and general employees.
- Documentation: FFL’s requirements in respect of documenting processing.
- Data protection by design and default: FFL’s requirements for Data Protection Impact Assessments (DPIA).
- Lawful basis for processing: FFL’s Policy on determining the basis for processing.
- Security: “IT Security Policy” and “Information Security Policy” measures are designed to protect information confidentiality, integrity, and availability.
- Contracts: the measures that should be in place to ensure contractual relationships maintain data protection compliance.
- International transfer: oversight measures for the international transfer of data.
- Data breaches: Principles for detecting and responding to data breaches.
- Compliance and reporting: measures to ensure compliance with, and reporting under, all data protection regulations FFL implements.
- Training and awareness: FFL’s plan for employee data protection training and awareness during a financial year.
- Consent withdrawal: Procedures for data subjects to request consent withdrawals as required.
- Validity of consents: Appropriate and proportionate measures to assess the ongoing validity of the consent.
2.1. Roles and responsibilities
2.1.1. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. FFL has comprehensive but proportionate governance measures.
2.1.2. FFL has defined “ADD NAME OF DPO” as the Data Protection Officer (“DPO”).
2.1.3. The DPO’s responsibilities include, but are not limited to:
- Informing and advising FFL and its employees about their obligations to comply with the GDPR, Data Protection Law, and other data protection laws.
- Monitoring compliance with the data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
- Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
2.1.4. The DPO reports to the Management of the relevant entity on a quarterly basis.
2.1.5. The Board is to provide an ongoing Governance framework for GDPR and Data Protection Law compliance. Reporting lines are put in place to ensure that summarized data protection compliance information is reported and that the Board’s ongoing support is demonstrable.
2.1.6. Any data breach that occurs within FFL is immediately escalated.
2.1.7. Employees are obligated to report any breach to the DPO of the Company or their Line Manager as soon as they are aware of it.
2.2. Documentation
2.2.1. The GDPR and Data Protection Law contain explicit provisions about documenting FFL’s processing activities. FFL maintains records of processing purposes, data sharing, and retention.
2.3. Data protection by design and default
2.3.1. Under the GDPR and Data Protection Law, FFL has a general obligation to implement technical and organizational measures to show that FFL has considered and integrated data protection into processing activities.
2.4. Lawful basis for processing
2.4.1. Under the GDPR and Data Protection Law, there are six available lawful bases for processing. FFL has documented the relevant lawful basis for processing.
2.4.2. At least one of these must apply whenever FFL processes personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
2.5. Security
2.5.1. The data protection laws require personal data to be processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. It requires that appropriate technical or organizational measures are used.
2.5.2. FFL has defined and implemented an “IT Security Policy” and “Information Security Policy” and supporting management system to maintain effective and proportionate security.
2.6. Contracts
2.6.1. The data protection laws require diligence and clarity when entering into third-party relationships. Whether FFL is a processor or a controller, there are mandatory requirements relating to the contracts that are in place.
2.6.2. Whenever FFL acts as a controller, a written contract must be in place with its processors. The standards to be applied to such contracts are those defined by the relevant regulators.
2.6.3. Whenever FFL acts as a processor, FFL must only act on the documented instructions of a controller (as specified in a valid written contract). The standards to be applied to such contracts are those defined by the relevant regulators.
2.6.4. On an annual basis, the DPO will review third-party relationships to determine the risk posed by processing. This will be documented in the “Third Party Processor List” maintained by the Compliance Team.
2.6.5. Based on the review, the DPO will determine the most appropriate means of validating that contractual obligations in relation to data processing are being adhered to.
2.6.6. The DPO will present this review, and the results of compliance, to the Compliance Team at least annually.
2.7. International transfers
2.7.1. The GDPR and Data Protection Law impose restrictions on the transfer of personal data outside the European Union to third countries or international organizations. These restrictions are in place to ensure that the level of protection is not undermined.
2.7.2. FFL may transfer personal data where the organization receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided by:
- A legally binding agreement between public authorities or bodies.
- Standard data protection clauses in the form of template transfer clauses adopted by the Commission.
- Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission.
- Compliance with an approved code of conduct approved by a supervisory authority.
- Certification under an approved certification mechanism as provided for in the GDPR and Data Protection Law.
- Contractual clauses authorized by the competent supervisory authority; or
- Provisions inserted into administrative arrangements between public authorities or bodies, authorized by the competent supervisory authority.
2.7.3. When asked by an authority to provide data, exercise reasonable caution and assess the impact of the proposed transfer. Also, seek appropriate written and binding assurance from the requesting authority that it will respect the rights of the data subject.
2.7.4. Ad-hoc requests for the international transfer of data must be submitted to the DPO once for each function and type of document.
2.7.5. Regular international data transfers are covered by an internal Service Level Agreement that includes contractual clauses safeguarding the transfer.
2.7.6. The DPO must record requests for international transfers received.
2.7.7. The DPO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.
2.8. Data breaches
2.8.1. A personal data breach means a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
2.8.2. The data protection laws place a duty on organizations, including third parties, to report certain types of data breaches to the relevant supervisory authority. In some cases, organizations will also have to report certain types of data breaches to the individuals affected.
2.8.3. The DPO must be notified of all breaches of this Policy as soon as possible.
2.8.4. The DPO must record breaches and work with the information owner to consider the likely impact of the breach.
2.8.5. Where a breach is considered notifiable the DPO must immediately inform the Compliance Team.
2.8.6. A notifiable breach has to be reported by the DPO to the relevant supervisory authority within 72 hours of FFL becoming aware of it. The notification must contain:
- The nature of the personal data breach, including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or other contact point for more information.
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed to be taken to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
2.8.7. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, FFL will notify those concerned directly.
2.8.8. All employees must be trained to recognize and escalate breaches.
2.8.9. A detailed Data Breach Procedure is implemented.
2.9. Compliance and reporting
2.9.1. Monitoring compliance with the Data Protection Policy is a key role of the DPO. The DPO must also report compliance to the Compliance Team.
2.9.2. The DPO is responsible for developing a compliance monitoring plan for this Policy.
2.9.3. The compliance monitoring plan should be submitted to the Compliance Team for approval at least annually.
2.9.4. Progress to deliver the plan, exceptions noted, breaches and near misses, and updates on progress to address material deviations from compliance with the Policy must be reported by the DPO to the Compliance Team at least quarterly.
2.10. Training and awareness
2.10.1. Employee awareness of data protection matters, and their role to protect the privacy of data subjects, is core to FFL’s compliance program.
2.10.2. Employees must be trained on the requirements of this Policy at least annually through the annual Compliance Training and the induction training for new joiners.
2.11. Consent withdrawal
2.11.1. As a data controller, FFL is responsible under the GDPR for administering withdrawal of consent from the data subject under advisement from the DPO.
2.11.2. Withdrawal of consent by the data subject means an indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies withdrawal of consent to the processing of personal data relating to him/her.
2.11.3. FFL processes a data subject’s consent withdrawal to the processing of his or her personal data once notified. Relevant information should be sent to firstname.lastname@example.org.
2.11.4. The DPO will inform the relevant process owner of this change so that processing can be stopped.
2.11.5. The data subject’s right to erasure is also automatically applied when the data subject has withdrawn consent and no other conditions for processing apply.
2.12. Validity of consents
2.12.1. As per data protection laws, FFL implements appropriate and proportionate measures to assess the ongoing validity of the consent.
2.12.2. FFL reviews consents to check that the relationship, the processing, and the purposes have not changed.
3. Individual rights
The data protection laws provide the following rights for individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object; and
- Rights in relation to automated decision-making and profiling.
3.1. Right to be informed
3.1.1. The right to be informed encompasses FFL’s obligation to provide ‘fair processing information’, typically through a Privacy Notice.
3.1.2. FFL maintains a Privacy Notice and publishes this publicly.
3.2. Right of access
3.2.1. Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
3.2.2. Under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed.
- Access to their personal data; and
- Other supplementary information – this largely corresponds to the information that should be provided in a Privacy Notice.
3.2.3. All requests from subjects for access to their data should be submitted to the DPO. The DPO must log the request and will:
- Consider whether the request is manifestly unfounded or excessive.
- Request copies of information held from information owners within FFL.
- Review the information to ensure it does not impair the privacy of another data subject.
- Consider whether the request warrants a fee (if it requires a significant amount of data); and
- Respond to the original request.
3.2.4. A response to the request must be provided without delay and at the latest within one month of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DPO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
3.2.5. Performance against the response target of one month must be reported by the DPO.
3.3. Non-discrimination
3.3.1. Under the Employment Law, unlawful discrimination against an employee is divided into three separate categories:
3.3.2. Direct discrimination: less favorable treatment of a member of one of the protected classes.
3.3.3. Indirect discrimination: the application of neutral provisions, criteria, or practices (“PCP”) that put employees of a particular protected class at a disadvantage not faced by others who do not share that class. For example, a requirement for all staff to be on-site on a Friday lunchtime would disproportionately affect Muslims, as Friday prayers take place at that time.
3.3.4. Harassment: unwanted treatment or conduct which has the purpose or effect of creating an intimidating, hostile, degrading, humiliating, or offensive workplace.
3.3.5. FFL does not tolerate discrimination against employees in any form.
3.3.6. FFL has a grievance policy in place that aims to ensure that employees are treated justly and fairly.
3.3.7. A detailed, straightforward process is in place for reporting and dealing with complaints of discrimination, sexual harassment, and vilification.
3.3.8. A whistleblowing procedure is in place for reporting any act of discrimination.