DATA PROTECTION POLICY
Dietiker AG is committed to best practice, and all activities are carried out in line with relevant legislation. This includes but is not limited to the EU Data Protection Directive 95/46/EC, and the forthcoming EU General Data Protection Regulation (“GDPR”).
Data Protection Principles
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects to comply with the forthcoming EU General Data Protection Regulation (“GDPR”).
- Appropriate technical and organizational measures shall be taken against unauthorized and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Although all employees have a responsibility for adhering to our Data Protection Policy, the Senior Management have day-to-day responsibility for developing, implementing and monitoring the data protection policy. This ensures the policy is effectively managed and coordinated.
Education and awareness
All employees are briefed on their data protection responsibilities upon appointment, with training updates at regular intervals or when required. Specialist training for employees with specific duties, such as marketing, information security and database management, is provided.
To ensure the processing of data is fair, Dietiker AG is transparent about how it intends to use the data. As good practice, the company includes privacy notices on any forms used to collect data.
Personal data is not processed in any manner that is ‘incompatible’ with its specified purpose.
Responding to access requests
Personal data is processed in accordance with individual rights under the EU General Data Protection Regulation (GDPR).
Individual requests are recognized and responded to by the Data Protection Officer within statutory timescales. This includes the right of access; the procedure is set out in the Responding to Access Requests Policy.
Data quality and accuracy
Dietiker AG ensures that the personal data it holds is of sufficient quality to make decisions about individuals. Data is not collected without a legitimate business reason, and Dietiker AG collects only the minimum required to meet the purposes for which it is needed and which are specified in the privacy notice. All personal data held is accurate and, where necessary, kept up to date. Regular reviews of information are carried out to identify and correct inaccurate records, remove irrelevant ones and update out-of-date ones.
Retention and disposal
Dietiker AG ensures that personal data is not kept for longer than is necessary. Checks are carried out to identify which records or data sets are held, and when they should be deleted or anonymized. Heads of Department are accountable for recording retention and disposal dates for information they hold. Data is disposed of securely.
Dietiker AG has an established Information Security Management System Policy which sets the standards to be adhered to. In the unlikely event data and/or security is compromised, a Security Breach Procedure has been implemented and all staff are trained and aware of their responsibilities.
Dietiker AG ensures an adequate level of protection for any personal data processed by others on its behalf or transferred outside the European Economic Area. When determining whether to use an external provider, Dietiker AG requires proof of their adherence to Data Protection Legislation in the EU. New Supplier/Customer/Contractor Forms must be completed by all third parties, which request proof of their credentials and compliance requirements before Dietiker AG will consider engaging their services.
Privacy impact assessments
As required under the EU General Data Protection Regulation (GDPR), Dietiker AG ensures that any new projects or initiatives are privacy-proofed at the planning stage. Privacy considerations are an early part of all project plans or initiatives that involve the processing of personal data. Privacy impact assessments (PIA) are conducted during the development, testing and delivery stages of any project to evaluate the origin, nature, particularity and severity of the risk to the rights and freedoms of natural persons before processing personally identifiable information. The PIA includes the measures, safeguards and mechanisms envisaged for mitigating the identified risks.