Data Protection policy

1. Introduction and background 

The purpose of this Policy is to outline how Fenchurch Faris Ltd. has established measures to maintain  compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR. This policy is  specific to FFL employees and the processing and holding of personal data of data subjects residing in the EU or  UAE. 

The Policy contains two components: 

Measures to re-enforce accountability and governance; and measures to demonstrate the  protection of information rights of the data subject. 

1.1. Policy principles 

1.1.1. This policy requires that personal data shall be: 

  • Processed lawfully, fairly and in a transparent manner in relation to individuals. 
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is  incompatible with those purposes; further processing for archiving purposes in the public interest,  scientific or historical research purposes or statistical purposes shall not be incompatible with the  initial purposes. 
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are  processed. 
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that  personal data that are inaccurate, having regard to the purposes for which they are processed,  are erased or rectified without delay. 
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the  purposes for which the personal data are processed; personal data may be stored for longer  periods insofar as the personal data will be processed solely for archiving purposes in the public  interest, scientific or historical research purposes or statistical purposes subject to implementation  of the appropriate technical and organisational measures required by the GDPR and Data  Protection Law in order to safeguard the rights and freedoms of individuals; and 

1.1.2. Processed in a manner that ensures appropriate security of the personal data, including protection  against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using  appropriate technical or organisational measures. “The controller shall be responsible for, and be able  to demonstrate, compliance with the principles”. 

2. Accountability and governance 

This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain  compliance with data protection laws. These measures have been designed to minimise the risk of breaches and  uphold the protection of personal data. 

This section on accountability and governance considers: 

  • Roles and responsibilities: the responsibilities of the Board, Data Protection Officer (DPO),  information owners and general employees. 
  • Documentation: FFL's requirements in respect of documenting processing. 
  • Data protection by design and default: FFL's requirements for Data Protection Impact  Assessments (DPIA). 
  • Lawful basis for processing: FFL's Policy on determining the basis for processing.
  • Security: “IT Security Policy” and “Information Security Policy” measures designed to protect  information confidentiality, integrity and availability. 
  • Contracts: the measures that should be in place to ensure contractual relationships maintaining  data protection compliance. International transfer: Oversight measures for international transfer of data; and 
  • Data breaches: Principles for detecting and responding to data breaches. 
  • Compliance and report: Ensure compliance and reporting with all data protection regulations  FFL is implementing. 
  • Training and awareness: FFL's plan for employee data protection training and awareness  during a financial year 
  • Consent withdrawal: Procedures for data subjects to request consent withdrawals as required. 
  • Validity of consents: Appropriate and proportionate measures to assess the ongoing validity of  the consent. 

2.1. Roles and responsibilities 


2.1.1. While the principles of accountability and transparency have previously been implicit requirements of  data protection law, the GDPR's emphasis elevates their significance. FFL has comprehensive but  proportionate governance measures. 

Policy requirements 

2.1.2. FFL has defined Klio Kalogeropoulou as the Data Protection Officer (“DPO”), 2.1.3. The DPO's responsibilities include, but are not limited to: 

  • Informing and advising FFL and its employees about their obligations to comply with the GDPR,  Data Protection Law and other data protection laws. 
  • Monitoring compliance with the data protection laws, including managing internal data protection  activities, advise on data protection impact assessments; train staff and conduct internal audits;  and 
  • Acting as the first point of contact for supervisory authorities and for individuals whose data is  processed (employees, customers etc.). 

2.1.4. The DPO reports to the Management of the relevant entity on a quarterly basis. 

2.1.5. The Board is to provide ongoing Governance framework for GDPR and Data Protection Law  compliance. Reporting lines are put in place to ensure that summarised data protection compliance  information is reported, and that the Board's ongoing support is demonstrable. 

2.1.6. Any Data breach that happens within FFL is immediately escalated. 

2.1.7. Employees are obligated to report any breach to the DPO of the Company or their line Manager as  soon as they are aware of it. 

2.2. Documentation 


2.2.1. The GDPR and Data Protection Law contains explicit provisions about documenting FFL's processing  activities. FFL maintains records on processing purposes, data sharing and retention.


2.3. Data protection by design and default 


2.3.1. Under the GDPR and Data Protection Law, FFL has a general obligation to implement technical and  organisational measures to show that FFL has considered and integrated data protection into  processing activities. 

2.4. Lawful basis for processing 

2.4.1. Under the GDPR and Data Protection Law, there are six available lawful bases for processing. FFL has documented the relevant lawful basis for processing. 

2.4.2. At least one of these must apply whenever FFL processes personal data: 

  • Consent: the individual has given clear consent for you to process their personal data for a specific  purpose. 
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. 
  • Legal obligation: the processing is necessary for you to comply with the law (not including  contractual obligations). 
  • Vital interests: the processing is necessary to protect someone's life. 
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and 
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate  interests of a third party unless there is a good reason to protect the individual's personal data  which overrides those legitimate interests. 

2.5. Security 

2.5.1. The data protection laws require personal data to be processed in a manner that ensures its security.  This includes protection against unauthorised or unlawful processing and against accidental loss,  destruction or damage. It requires that appropriate technical or organisational measures are used. 

Policy requirements 

2.5.2. FFL has defined and implemented an “IT Security Policy” and “Information Security Policy” and  supporting management system to maintain effective and proportionate security. 

2.6. Contacts 


2.6.1. The data protection laws diligence and clarity in entering into third party relationships. Whether FFL is a processor or controller, there are mandatory requirements relating to the contracts that are in  place. 

Policy requirements 

2.6.2. Whenever FFL acts as a controller a written contract must be in place with the processors. Standards  to be applied to the contracts as defined by the related regulators. 

2.6.3. Whenever FFL acts as a processor, FFL must only act on the documented instructions of a controller  (as specified in a valid written contract). Standards to be applied to the contracts as defined by the  related regulators. 

2.6.4. On an annual basis, the DPO will review third party relationships to determine the risk posed by  processing. This will be documented in the “Third Party Processor List” maintained by Compliance

Data Protection Policy Team. 

2.6.5. Based on the review, the DPO will determine the most appropriate means to validate that contractual  obligations in relation to data processing are being adhered to. 

2.6.6. The DPO will present this revision, and the results of compliance, to the Compliance Team at least  annually. 

2.7. International transfers 


2.7.1. The GDPR and Data Protection Law imposes restrictions on the transfer of personal data outside the  European Union, to third countries or international organisations. These restrictions are in place to  ensure that the level of protection is not undermined. 

2.7.2. FFL may transfer personal data where the organisation receiving the personal data has provided  adequate safeguards. Individuals' rights must be enforceable and effective legal remedies for  individuals must be available following the transfer. Adequate safeguards may be provided by: 

  • A legally binding agreement between public authorities or bodies. 
  • Standard data protection clauses in the form of template transfer clauses adopted by the  Commission. 
  • Standard data protection clauses in the form of template transfer clauses adopted by a supervisory  authority and approved by the Commission. 
  • Compliance with an approved code of conduct approved by a supervisory authority. 
  • Certification under an approved certification mechanism as provided for in the GDPR and Data  Protection Law. 
  • Contractual clauses agreed authorised by the competent supervisory authority; or 
  • Provisions inserted into administrative arrangements between public authorities or bodies  authorised by the competent supervisory authority. 

2.7.3. When as asked by an Authority to provide data, exercise reasonable caution, and assess the impact  the proposed transfer. Also try to get appropriate written and binding assurance from the requesting  authority that it will respect the right of data subject. 

Policy requirements 

2.7.4. Ad-hoc requests for international transfer of data must be submitted to the DPO once for each  function, and type of document. 

2.7.5. Regular international data transfers are covered through internal Servicer Level Agreement that  include contractual clauses safeguarding the transfer. 

2.7.6. The DPO must record requests for international transfer received. 

2.7.7. The DPO will consider the DPIA in relation to this transfer and the appropriate means of adopting  safeguards. 

2.8. Data breaches 


2.8.1. A personal data breach means a breach of security leading to the destruction, loss, alteration,  unauthorised disclosure of, or access to, personal data. This means that a breach is more than just  losing personal data. 

2.8.2. Organisations will introduce a duty on all third parties to report certain types of data breach to the 

Data Protection Policy relevant supervisory authority. In some cases, organisations will also have to report certain types of  data breach to the individuals affected. 

Policy requirements 

2.8.3. The DPO must be notified of all breaches to this Policy as soon as possible. 

2.8.4. The DPO must record breaches and work with the information owner to consider the likely impact of  the breach. 

2.8.5. Where a breach is considered notifiable the DPO must immediately inform the Compliance Team. 

2.8.6. A notifiable breach has to be reported by the DPO to the relevant supervisory authority within 72 hours  of FFL becoming aware of it. The notification must contain: 

  • The nature of the personal data breach including, where possible. 
  • The categories and approximate number of individuals concerned. 
  • The categories and approximate number of personal data records concerned. 
  • The name and contact details of the data protection or other contact point for more information. • A description of the likely consequences of the personal data breach; and 
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects. 

2.8.7. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, FFL will notify  those concerned directly. 

2.8.8. All employees must be trained to recognise and escalate breaches. 

2.8.9. A detailed Data Breach Procedure is implemented. 

2.9. Compliance and reporting 


2.9.1. Monitoring compliance with the Data Protection Policy is a key role of the DPO'. The DPO must also  report compliance to the Compliance Team. 

Policy requirements 

2.9.2. The DPO is responsible for developing a compliance monitoring plan for this Policy. 

2.9.3. The compliance monitoring plan should be submitted to the compliance Team for approval at least  annually. 

2.9.4. Progress to deliver the plan, exceptions noted, breaches and near misses and updates on progress  to address material deviations from compliance with the Policy must be reported by the DPO to the  Compliance Team at least quarterly. 

2.10. Training and awareness 


2.10.1. Employee awareness on data protection matters, and their role to protect the privacy of data subjects,  is core to FFL's compliance programme. 

Policy requirement 

2.10.2. Employees must be trained on the requirements of this Policy at least annually through the annual  Compliance Training and the induction training for new joiners.

Data Protection Policy 

2.11. Consent withdrawal 


2.11.1. As a data controller, FFL is responsible under the GDPR for administering withdrawal of consent  from the data subject under advisement from the DPO. 

Policy requirement 

2.11.2. Withdrawal of consent by the data subject means an indication of the data subject's wishes by  which he or she, by a statement or by a clear affirmative action, signifies withdrawal of consent  to the processing of personal data relating to him/her. 

2.11.3. FFL processes a data subjects consent withdrawal to the processing of his or her personal data  once notified. Relevant information should be sent to 

2.11.4. The DPO will inform the relevant process owner of this change so that processing can be  stopped. 

2.11.5. The data subjects' rights to be erased also automatically applied when the data subject has  withdrawn consent and no other conditions for processing apply. 

2.12. Validity of consents 


2.12.1. As per data protection laws, FFL implements appropriate and proportionate measures to assess  the ongoing validity of the consent. 

Policy requirement 

2.12.2. Review consents to check that the relationship, the processing and the purposes have not  changed. 

3. Individual rights 

  • The data protection laws provide the following rights for individuals: 
  • The right to be informed. 
  • The right of access. 
  • The right to rectification. 
  • The right to erase. 
  • The right to restrict processing. 
  • The right to data portability. 
  • The right to object; and 
  • Rights in relation to automated decision making and profiling. 
  • Non-discrimination 

3.1. Right to be informed 


3.1.1. The right to be informed encompasses FFL's obligation to provide ‘fair processing information',  typically through a Privacy Notice.

Data Protection Policy 

Policy requirements 

3.1.2. FFL maintains a Privacy Notice and publishes this publicly. 

3.2. Right of access 


3.2.1. Individuals have the right to access their personal data and supplementary information. The right of  access allows individuals to be aware of and verify the lawfulness of the processing. 

3.2.2. Under the GDPR, individuals will have the right to obtain: 

  • Confirmation that their data is being processed. 
  • Access to their personal data; and 
  • Other supplementary information - this largely corresponds to the information that should be  provided in a Privacy Notice. 

Policy requirements 

3.2.3. All requests from subjects for access to their data should be submitted to the DPO. The DPO must  log the request and will: 

  • Consider whether the request is manifestly unfounded or excessive. 
  • Request copies of information held from information owners within FFL. 
  • Review the information to ensure it does not impair the privacy of another data subject. • Consider whether the request warrants a fee (if it requires a significant amount of data) and •  Respond to the original request. 

3.2.4. A response to the request must be provided without delay and at the latest within one month of receipt.  In the event the request is particularly complex or numerous, the period of compliance can be  extended by a further two months. If this is the case, the DPO must inform the individual within one  month of the receipt of the request and explain why the extension is necessary. 

3.2.5. Performance against the response target of one month must be reported by the DPO. 3.3. Non-discrimination 


3.3.1. Under the Employment Law, unlawful discrimination against an employee is divided into three separate  categories: 

3.3.2. direct discrimination: less favourable treatment on one of the protected classes. 

3.3.3. indirect discrimination: the application of neutral provisions, criteria or practices (“PCP”) which put  employees of a particular protected class at a disadvantage not faced by others who do not share that  particular class. For example, a requirement for all staff to be on-site on a Friday lunchtime would  disproportionately affect Muslims as Friday prayers take place at that time. 

3.3.4. harassment: unwanted treatment or conduct which has the purpose or effect of creating an intimidating,  hostile, degrading, humiliating or offensive workplace. 

Policy requirements 

3.3.5. FFL does not tolerate discrimination of employees in any form. 

3.3.6. FFL has a grievance policy in place that aims to ensure that employees are treated justly and fairly. 3.3.7. A detailed straightforward process for dealing with complaints of discrimination, sexual harassment, and 

Data Protection Policy vilification can be reported. 

3.3.8. Whistleblowing in place for any discrimination act reporting