The General Data Protection Regulation – more commonly referred to as GDPR – will apply to all organizations worldwide that process personal data of European Union (EU) citizens, effectively making it the first global data protection law.
This reflects the Data Protection Policy of Dedomena Artificial Intelligence, S.L. Dedomena is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
Dedomena needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
All data users must comply with the eight Data Protection Principles. The Principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under the DPA.
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of the data.
8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The DPA defines both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
Personal data has a broad-ranging definition and can include not only items such as home and work address, age, telephone number and online identifiers (e.g. an IP address), but also photographs and other images.
Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical (including genetic data, and biometric data that can be processed to uniquely identify an individual) or mental health or condition, sexual life and criminal record.
People, risks and responsibilities
The following roles identify the persons responsible for data protection inside Dedomena.
This policy applies to:
- ● The head office of Dedomena
- ● All branches of Dedomena
- ● All staff and volunteers of Dedomena
- ● All contractors, suppliers and other people working on behalf of Dedomena.
It applies to all data that the company holds relating to identifiable individuals, including all the information that technically falls under the General Data Protection Regulation.
This can include:
- ● Names of individuals
- ● Postal addresses
- ● Email addresses
- ● Telephone numbers
- ● …plus any other information relating to individuals
Data protection risks
This policy helps to protect Dedomena from some very real data security risks, including:
- ● Breaches of confidentiality. For instance, information being given out inappropriately.
- ● Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- ● Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with Dedomena has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
Board of Directors
- ● The board of directors is ultimately responsible for ensuring that Dedomena meets its legal obligations.
Data Protection Officer
- ● Keeping the board updated about data protection responsibilities, risks and issues.
- ● Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- ● Arranging data protection training and advice for the people covered by this policy.
- ● Handling data protection questions from staff and anyone else covered by this policy.
- ● Dealing with requests from individuals to see the data Dedomena holds about them (also called ‘subject access requests’).
- ● Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- ● Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- ● Performing regular checks and scans to ensure security hardware and software is functioning properly.
- ● Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- ● Approving any data protection statements attached to communications such as emails and letters.
- ● Addressing any data protection queries from journalists or media outlets like newspapers.
- ● Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General staff guidelines
- ● The only people able to access data covered by this policy should be those who need it for their work.
- ● Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- ● Dedomena will provide training to all employees to help them understand their responsibilities when handling data.
- ● Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- ● In particular, strong passwords must be used, and they should never be shared.
- ● Personal data should not be disclosed to unauthorized people, either within the company or externally.
- ● Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- ● Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- ● When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- ● Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
- ● Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion, and malicious hacking attempts:
- ● Data should be protected by strong passwords that are changed regularly and never shared between employees.
- ● If data is stored on removable media (like CDs, DVDs or USB flash drives), these should be kept locked away securely when not being used.
- ● Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
- ● Servers containing personal data should be sited in a secure location, away from general office space.
- ● Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- ● Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.
- ● All servers and computers containing data should be protected by approved security software and a firewall.
Protection of test data
Test data must be selected carefully and must be protected.
Dedomena must avoid using real operational data that contains personal data or any other confidential information in its tests. If information containing personal or confidential data is used for tests, all sensitive content and details must be protected by removing or modifying them (see ISO/IEC 29101).
The following rules should be used when operational data is used for tests:
- ● Apply the same access control policies to test environments as are used on operational environments.
- ● There should be an independent authorization each time sensitive operational data is copied to a test environment.
- ● The operational data should be deleted once the tests have finished.
- ● Each copy of operational data to a test environment should be recorded.
Acceptance test systems usually require large volumes of test data that are as realistic as possible, so this policy applies to them.
</gre_replace>
<gr_insert after="88" cat="add_content" lang="python" orig="The Acceptance Test">
As an added illustration of the test-data rules above (not Dedomena's own code), the following Python sanitises constructed operational records before they are copied to a test environment: fields that are personal data are removed, identifiers that tests still need to join on are replaced by keyed pseudonyms, and each copy produces a register entry. The field names and the HMAC-based pseudonymisation are assumptions for the example, not part of the policy.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Assumed field classification for this example. Identifier fields keep
# referential integrity via a one-way keyed pseudonym; everything else
# that identifies a person is dropped from the test copy.
PSEUDONYMISE = ("customer_id", "email")
REMOVE = ("name", "phone", "postal_address", "ip_address", "notes")

# Constructed sample records, not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ana Example", "email": "ana@example.org",
     "phone": "+34 600 000 000", "ip_address": "203.0.113.7",
     "plan": "pro", "notes": "called about invoice"},
    {"customer_id": "C-1001", "name": "Ana Example", "email": "ana@example.org",
     "phone": "+34 600 000 000", "ip_address": "203.0.113.7",
     "plan": "pro", "notes": "renewal"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: same input and key give the same token, so joins
    still work in the test copy, but the original cannot be recovered
    without the key. The key must stay out of the test environment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in REMOVE:
            continue                          # personal data is not copied
        if field in PSEUDONYMISE:
            out[field] = pseudonym(str(value), key)
        else:
            out[field] = value                # non-personal business data
    return out


def prepare_test_copy(records, key: bytes, authorised_by: str, purpose: str):
    """Returns the sanitised records plus a register entry documenting the
    copy (who authorised it, why, how many records, what was changed)."""
    sanitised = [sanitise_record(r, key) for r in records]
    register_entry = {
        "copied_at": datetime.now(timezone.utc).isoformat(),
        "authorised_by": authorised_by,
        "purpose": purpose,
        "record_count": len(records),
        "fields_removed": sorted(REMOVE),
        "fields_pseudonymised": sorted(PSEUDONYMISE),
    }
    return sanitised, register_entry
```

The register entry is what satisfies the "copy should be recorded" rule; deletion of the copy after testing still has to be scheduled separately.
<test>
assert pseudonym("ana@example.org", b"k1") == pseudonym("ana@example.org", b"k1")
assert pseudonym("ana@example.org", b"k1") != pseudonym("ana@example.org", b"k2")
rows, entry = prepare_test_copy(SAMPLE_RECORDS, b"test-key", "dpo@example.org", "acceptance test")
assert all(f not in r for r in rows for f in REMOVE)
assert rows[0]["customer_id"] == rows[1]["customer_id"]
assert rows[0]["email"] != "ana@example.org"
assert rows[0]["plan"] == "pro"
assert entry["record_count"] == 2
assert entry["authorised_by"] == "dpo@example.org"
</test>
</gr_insert>
<gr_replace lines="101" cat="clarify" orig="Subject access requests from">
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org. The data controller can supply a standard request form, although individuals do not have to use this.
Personal data is of no value to Dedomena unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption, or theft:
- ● When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- ● Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- ● Personal data should never be transferred outside of the European Economic Area.
- ● Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
Subject access requests
All individuals who are the subject of personal data held by Dedomena are entitled to:
- ● Ask what information the company holds about them and why.
- ● Ask how to gain access to it.
- ● Be informed how to keep it up to date.
- ● Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org The data controller can supply a standard request form, although individuals do not have to use this.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Dedomena aims to ensure that individuals are aware that their data is being processed, and that they understand:
- ● How the data is being used
- ● How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
Please use our contact form or address your requests or questions to:
DEDOMENA ARTIFICIAL INTELLIGENCE S.L.
Calle Marie Curie 7, Edificio Beta, Planta 7, Ático 4
ZIP 28521, Rivas-Vaciamadrid, Madrid, Spain