The purpose of this Policy is to outline how Fenchurch Faris Ltd. has established measures to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). This policy is specific to FFL employees and the processing and holding of personal data of data subjects residing in the EU or UAE.
The Policy contains two components:
Measures to reinforce accountability and governance; and measures to demonstrate the protection of the information rights of the data subject.
1.1.1. This policy requires that personal data shall be:
1.1.2. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. “The controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with data protection laws. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
2.1.1. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR's emphasis elevates their significance. FFL has comprehensive but proportionate governance measures.
2.1.2. FFL has appointed Klio Kalogeropoulou as the Data Protection Officer (“DPO”).
2.1.3. The DPO's responsibilities include, but are not limited to:
2.1.4. The DPO reports to the Management of the relevant entity on a quarterly basis.
2.1.5. The Board provides the ongoing governance framework for GDPR and Data Protection Law compliance. Reporting lines are in place to ensure that summarised data protection compliance information is reported, and that the Board's ongoing support is demonstrable.
2.1.6. Any data breach that happens within FFL is immediately escalated.
2.1.7. Employees are obligated to report any breach to the DPO of the Company or their line Manager as soon as they are aware of it.
2.2.1. The GDPR and Data Protection Law contain explicit provisions about documenting FFL's processing activities. FFL maintains records of processing purposes, data sharing and retention.
2.3.1. Under the GDPR and Data Protection Law, FFL has a general obligation to implement technical and organisational measures to show that FFL has considered and integrated data protection into processing activities.
2.4.1. Under the GDPR and Data Protection Law, there are six available lawful bases for processing. FFL has documented the relevant lawful basis for processing.
2.4.2. At least one of these must apply whenever FFL processes personal data:
2.5.1. The data protection laws require personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
2.5.2. FFL has defined and implemented an “IT Security Policy” and “Information Security Policy” and supporting management system to maintain effective and proportionate security.
2.6.1. The data protection laws require diligence and clarity when entering into third party relationships. Whether FFL is a processor or a controller, there are mandatory requirements relating to the contracts that must be in place.
2.6.2. Whenever FFL acts as a controller, a written contract must be in place with each processor. The standards to be applied to these contracts are those defined by the relevant regulators.
2.6.3. Whenever FFL acts as a processor, FFL must only act on the documented instructions of the controller (as specified in a valid written contract). The standards to be applied to these contracts are those defined by the relevant regulators.
2.6.4. On an annual basis, the DPO will review third party relationships to determine the risk posed by their processing. This will be documented in the “Third Party Processor List” maintained by the Compliance Team.
2.6.5. Based on the review, the DPO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to.
2.6.6. The DPO will present this review, and the results of compliance validation, to the Compliance Team at least annually.
2.7.1. The GDPR and Data Protection Law impose restrictions on the transfer of personal data outside the European Union to third countries or international organisations. These restrictions are in place to ensure that the level of protection afforded to the data is not undermined.
2.7.2. FFL may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals' rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided by:
2.7.3. When asked by an authority to provide data, FFL exercises reasonable caution and assesses the impact of the proposed transfer. FFL will also seek appropriate written and binding assurance from the requesting authority that it will respect the rights of the data subject.
2.7.4. Ad-hoc requests for international transfer of data must be submitted to the DPO once per function and per type of document.
2.7.5. Regular international data transfers are covered by internal Service Level Agreements that include contractual clauses safeguarding the transfer.
2.7.6. The DPO must record requests for international transfer received.
2.7.7. The DPO will consider the Data Protection Impact Assessment (“DPIA”) in relation to the transfer and the appropriate means of adopting safeguards.
2.8.1. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
2.8.2. The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority. In some cases, organisations will also have to report certain types of data breach to the individuals affected.
2.8.3. The DPO must be notified of all breaches of this Policy as soon as possible.
2.8.4. The DPO must record breaches and work with the information owner to consider the likely impact of the breach.
2.8.5. Where a breach is considered notifiable the DPO must immediately inform the Compliance Team.
2.8.6. A notifiable breach has to be reported by the DPO to the relevant supervisory authority within 72 hours of FFL becoming aware of it. The notification must contain:
2.8.7. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, FFL will notify those concerned directly.
2.8.8. All employees must be trained to recognise and escalate breaches.
2.8.9. A detailed Data Breach Procedure is implemented.
2.9.1. Monitoring compliance with the Data Protection Policy is a key role of the DPO. The DPO must also report compliance to the Compliance Team.
2.9.2. The DPO is responsible for developing a compliance monitoring plan for this Policy.
2.9.3. The compliance monitoring plan should be submitted to the Compliance Team for approval at least annually.
2.9.4. Progress against the plan, exceptions noted, breaches and near misses, and progress in addressing material deviations from this Policy must be reported by the DPO to the Compliance Team at least quarterly.
2.10.1. Employee awareness on data protection matters, and their role to protect the privacy of data subjects, is core to FFL's compliance programme.
2.10.2. Employees must be trained on the requirements of this Policy at least annually through the annual Compliance Training and the induction training for new joiners.
2.11.1. As a data controller, FFL is responsible under the GDPR for administering withdrawals of consent by data subjects, with the advice of the DPO.
2.11.2. Withdrawal of consent by the data subject means an indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies withdrawal of consent to the processing of personal data relating to him/her.
2.11.3. FFL processes a data subject's withdrawal of consent to the processing of his or her personal data once notified. Relevant information should be sent to firstname.lastname@example.org.
2.11.4. The DPO will inform the relevant process owner of this change so that processing can be stopped.
2.11.5. The data subject's right to erasure also applies automatically when the data subject has withdrawn consent and no other lawful basis for processing applies.
2.12.1. As per data protection laws, FFL implements appropriate and proportionate measures to assess the ongoing validity of the consent.
2.12.2. Consents are reviewed to check that the relationship, the processing and the purposes have not changed.
3.1.1. The right to be informed encompasses FFL's obligation to provide ‘fair processing information', typically through a Privacy Notice.
3.1.2. FFL maintains a Privacy Notice and publishes this publicly.
3.2. Right of access
3.2.1. Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
3.2.2. Under the GDPR, individuals will have the right to obtain:
3.2.3. All requests from subjects for access to their data should be submitted to the DPO. The DPO must log the request and will:
3.2.4. A response to the request must be provided without delay and at the latest within one month of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DPO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
3.2.5. Performance against the response target of one month must be reported by the DPO.
3.3. Non-discrimination
3.3.1. Under the Employment Law, unlawful discrimination against an employee is divided into three separate categories:
3.3.2. direct discrimination: less favourable treatment on the grounds of one of the protected classes.
3.3.3. indirect discrimination: the application of neutral provisions, criteria or practices (“PCP”) which put employees of a particular protected class at a disadvantage not faced by others who do not share that particular class. For example, a requirement for all staff to be on-site on a Friday lunchtime would disproportionately affect Muslims as Friday prayers take place at that time.
3.3.4. harassment: unwanted treatment or conduct which has the purpose or effect of creating an intimidating, hostile, degrading, humiliating or offensive workplace.
3.3.5. FFL does not tolerate discrimination of employees in any form.
3.3.6. FFL has a grievance policy in place that aims to ensure that employees are treated justly and fairly.
3.3.7. A detailed, straightforward process is in place for dealing with complaints of discrimination, sexual harassment and vilification.
3.3.8. A whistleblowing channel is in place for reporting any act of discrimination.