GDPR Policy

1. Introduction

This policy informs how Anuyat has established measures to maintain compliance with the EU General Data Protection Regulation also known as the GDPR policy.

2. Definition Personal Data:

Information linked to an identifiable person, such as name, ID number, location, or online identifiers. Data collected includes phone numbers, email addresses, education, finances, certificates, skills, marital status, job title, CVs, etc. It includes individual’s colleagues, consumers, business contacts, etc. The data can include factual, behavioural opinions, or information influencing personal/business matters. Personal data can be stored in electronic records, emails, structured paper files and archives.

3. Why do we collect a user’s personal data

For business-related activities relating to service provision, marketing, and administrative tasks, Anuyat gathers and handles individual information. This includes personal data associated with our customers, suppliers, business contracts, employees, and other individuals with whom our organization maintains contact or may require communication.

4. How do we process personal data?

The processing of personal data entails to various actions like obtaining, recording, holding, amending, retrieving, using, disclosing, sharing, erasing, and destroying. Additionally, it also involves the process of transmission or transfer of personal data to third parties.

5. How we protect personal information?

To guarantee the security of personal data, business operations, and individual rights, adherence to data protection regulations is important. Anuyat operates as a data controller as defined by data protection law that signifies our authority in determining the purposes and methods of personal data usage. This policy explains our protocols for aligning with data protection law and outlines our responsibilities while processing personal data throughout the course of our employment. Our employees who regularly handle user’s personal data will receive specialized training on data protection procedures. This training will satisfy the requirements stated in this policy.

In addition to this policy, other policies will be enforced, influencing our approach to personal data and data protection. We anticipate full compliance from all employees with our Electronic Communications Policy, as applicable.

6. Whom does this policy apply?

This policy is compliant to present, past, and potential staff members, including employees, workers, volunteers, apprentices, and consultants. Individuals falling within these classifications are referred to as ‘data subjects’ within the context of this policy. It is advisable to review this policy in alongside

employment or service agreement and any other communications issued by the Company regarding data-related matters.

7. Who is responsible for Data Protection at Anuyat?

Anuyat has appointed a Data Protection Officer (DPO) responsible for supervising, guiding, and managing the compliance of Anuyat to this policy and data protection regulations. Each department head is accountable for ensuring that all personnel within their department/team fully comply with this policy and data protection laws. Every employee at Anuyat holds a shared responsibility for safeguarding personal data and ensuring its lawful processing.

8. Data Protection Obligations

Anuyat is responsible to ensure and provide evidence of compliance to data protection regulations. To ensure the proper handling of personal data, it is vital for Anuyat employees to observe both data protection law and any relevant company policies, guidelines, or instructions. The fundamental obligations under data protection law, along with the expected employee compliance, are given below,

1. Processing personal data fairly and transparently –

Personal data should be processed lawfully and transparently. – Legal grounds for processing, including consent, must be clearly demonstrated. – Transparency requirements involve providing clear information about data usage.

2. Handling sensitive data with care –

Certain data categories (sensitive) require additional legal grounds for processing.

3. Specified, explicit, and legitimate processing –

Personal data should only be processed for legitimate purposes tied to business operations.

4. Adequate, relevant, and limited data usage –

Data must be relevant and limited to what is necessary for intended purposes.

5. Ensuring data accuracy and updates –

Personal data accuracy must be maintained; employees must update changes.

6. Appropriate data retention –

Personal data should be retained only as long as necessary and in line with company policies.

7. Maintaining data security –

Ensuring data security and compliance is a shared responsibility. – Security measures include adherence to Electronic Communications Policy.

8. Careful data sharing and disclosure –

Data sharing follows principles of necessity, internally and externally. – Third-party service providers (processors) must comply with data protection.

10. Ensuring secure data transfers –

Personal data transfers outside the EEA require assessment and safeguards.

11. Prompt reporting of data breaches –

Data breaches are addressed promptly to mitigate risks and maintain records. – High-risk breaches are reported to the ICO and affected parties.

12. Authorized use of profiling and automated decision-making – Profiling and automated decisions require authorized use and safeguards.

13. Integrating data protection into operations –

Data protection is integrated into all operations involving personal data

14. Individual rights and requests –

Individuals have rights regarding their data, including access, correction, withdrawal of consent, deletion, objection, and data portability.

15. Record keeping for compliance –

Data processing activities are recorded and retained to demonstrate compliance.

16. Training for data protection compliance –

Employees receive training on data protection laws and policies. – Role-specific training is provided as needed, with ongoing updates.

9. Policy departures

Under the data protection law, a few highly restricted exemptions allow for deviations from certain clauses of this policy. Our personnel will receive precise guidance if any exemptions apply to their roles. If a situation arises where we believe it may be necessary to deviate from this policy, a consultation with the Data Protection Officer will be conducted before any actions are taken.