GDPR Policy

1. Purpose

This GDPR Policy outlines how Auxanova Business Services FZCO (“Auxanova”, “the Company”, “we”, “our”, or “us”) ensures compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). The policy defines the principles, roles, responsibilities, and controls governing the processing of personal data.

This policy complements Auxanova’s Data Protection Policy, Privacy Policy, and applicable jurisdiction-specific notices (including the California Privacy Notice).


2. Scope

This policy applies to:

  • All personal data processed by Auxanova
  • All employees, contractors, consultants, and third parties acting on behalf of Auxanova
  • All systems, applications, platforms, and processes that involve personal data

Personal data may relate to clients, prospects, website visitors, employees, vendors, partners, and other identifiable individuals.


3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Data Subject: The individual to whom personal data relates.
  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: An entity that processes personal data on behalf of a controller.
  • Supervisory Authority: An independent public authority established by an EU Member State.

4. GDPR Principles

Auxanova processes personal data in accordance with Article 5 of the GDPR. Personal data shall be:

  1. Lawful, Fair, and Transparent
    Processed in a lawful manner, fairly, and with transparency toward data subjects.
  2. Purpose Limitation
    Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data Minimisation
    Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy
    Accurate and, where necessary, kept up to date. Inaccurate data shall be corrected or erased without delay.
  5. Storage Limitation
    Kept in a form that permits identification of data subjects for no longer than necessary.
  6. Integrity and Confidentiality
    Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability
    Auxanova is responsible for, and able to demonstrate, compliance with these principles.

5. Lawful Bases for Processing

Auxanova processes personal data only where at least one lawful basis applies:

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Performance of a task carried out in the public interest
  • Legitimate interests, balanced against the rights of the data subject

The applicable lawful basis is documented in Auxanova’s Register of Processing Activities (RoPA).


6. Data Subject Rights

Auxanova respects and facilitates the exercise of GDPR data subject rights, including:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

Requests shall be handled without undue delay and within statutory timelines.


7. Consent Management

Where processing is based on consent:

  • Consent must be freely given, specific, informed, and unambiguous
  • Records of consent shall be maintained
  • Withdrawal of consent shall be as easy as giving consent


8. Data Protection by Design and by Default

Auxanova implements data protection by design and by default by:

  • Embedding privacy considerations into systems and processes
  • Limiting data access to what is strictly necessary
  • Applying appropriate security controls from the outset


9. Security of Processing

Auxanova implements appropriate technical and organisational measures, including:

  • Access controls and authentication mechanisms
  • Secure storage and encrypted transmission of data where appropriate
  • Regular backups and disaster recovery procedures
  • Staff training and confidentiality obligations
  • Ongoing risk assessments and security reviews


10. Data Retention and Deletion

Personal data is retained only for as long as necessary to fulfil its purpose or comply with legal and contractual requirements.

Auxanova maintains retention and archiving schedules and ensures secure deletion or anonymisation of data when no longer required.


11. Data Processors and Third Parties

Where Auxanova engages third-party processors:

  • Processing is governed by written agreements compliant with Article 28 GDPR
  • Processors are required to implement appropriate security measures
  • Sub-processing is permitted only with appropriate safeguards


12. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Auxanova ensures appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms recognised under GDPR


13. Personal Data Breaches

Auxanova maintains procedures to detect, report, and investigate personal data breaches.

In the event of a breach:

  • Risks to data subjects shall be assessed promptly
  • The relevant supervisory authority shall be notified within 72 hours where required
  • Affected individuals shall be informed where there is a high risk to their rights and freedoms


14. Training and Awareness

All employees and relevant personnel receive appropriate data protection and GDPR awareness training.


15. Policy Review and Updates

This GDPR Policy is reviewed at least annually and updated as necessary to reflect legal, regulatory, or operational changes.


16. Contact Details

For questions relating to this GDPR Policy or the processing of personal data, please contact:

Auxanova Business Services FZCO
Email: info@auxanova.com