Data Protection Policy

1. Purpose

Auxanova Business Services FZCO (“Auxanova” or “the Company”) is committed to protecting the privacy and personal data of individuals and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR). This policy sets out the principles, responsibilities, and measures governing the processing of personal data by the Company.


2. Scope

This policy applies to all personal data processed by Auxanova Business Services FZCO, whether relating to employees, clients, partners, vendors, or any other individuals. It covers all forms of data processing, including collection, storage, use, sharing, retention, and disposal of personal data.


3. Data Protection Principles

Auxanova processes personal data in accordance with Article 5 of the GDPR. Personal data shall be:

  • Lawful, fair, and transparent – processed in a manner that is lawful, fair, and clear to the individuals concerned.
  • Purpose-limited – collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data-minimised – adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  • Accurate – kept accurate and, where necessary, up to date, with reasonable steps taken to rectify or erase inaccurate data without delay.
  • Storage-limited – retained only for as long as necessary to fulfil the purposes for which it was collected.
  • Secure – processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage through appropriate technical and organisational measures.

4. Governance and Responsibility

  • Overall responsibility for compliance with this policy rests with the designated Responsible Person.
  • This policy shall be reviewed at least annually and updated as required to reflect legal, regulatory, or operational changes.

5. Lawful, Fair, and Transparent Processing

  • Auxanova shall maintain a Register of Processing Activities (Register of Systems) documenting all personal data processing activities.
  • The Register shall be reviewed at least once a year.
  • Individuals have the right to access their personal data. Any data subject access requests received by Auxanova shall be handled promptly and in accordance with applicable legal requirements.

6. Lawful Basis for Processing

Auxanova shall process personal data only where a valid lawful basis exists, including:

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Performance of a task carried out in the public interest
  • Legitimate interests

The applicable lawful basis for each processing activity shall be recorded in the Register of Processing Activities.

Where consent is relied upon:

  • Clear evidence of opt-in consent shall be maintained.
  • Individuals shall have the right to withdraw consent at any time.
  • Systems and processes shall ensure that withdrawal of consent is promptly and accurately reflected.


7. Data Minimisation

Auxanova shall ensure that personal data collected and processed is limited to what is strictly necessary for the stated purposes and lawful basis.


8. Data Accuracy

  • Reasonable steps shall be taken to ensure that personal data is accurate and complete.
  • Where appropriate, data shall be reviewed and updated to ensure continued accuracy.

9. Data Retention and Archiving

  • Auxanova shall implement and maintain data retention and archiving policies for each area where personal data is processed.
  • Retention periods shall be defined based on legal, contractual, and business requirements.
  • Personal data shall not be retained for longer than necessary.
  • Retention and archiving practices shall be reviewed at least annually.

10. Data Security

Auxanova shall implement appropriate technical and organisational security measures, including:

  • Secure storage of personal data using up-to-date software and systems
  • Restricted access to personal data on a need-to-know basis
  • Measures to prevent unauthorised disclosure or access
  • Secure deletion or destruction of personal data when no longer required
  • Regular backups and appropriate disaster recovery arrangements

11. Personal Data Breaches

In the event of a personal data breach involving accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data:

  • Auxanova shall promptly assess the risk to the rights and freedoms of affected individuals.
  • Where required, the breach shall be reported to the relevant supervisory authority within the applicable timeframes.
  • Affected clients or data owners shall be informed as necessary.
  • Appropriate corrective and preventive actions shall be taken to mitigate impact and prevent recurrence.

12. Policy Review

This Data Protection Policy shall be reviewed annually or sooner if required by changes in applicable laws, regulations, or business operations.