Personal Data Policy CWT
1.Background and Purpose
Circular Water Technologies (hereinafter “CWT”) processes personal data in its operations. This policy has been developed and adopted by the Board in order to ensure that CWT processes personal data in a legal and correct manner, taking into account the individual’s right to personal data protection. The policy explains CWT ‘s attitude regarding the protection of personal data and establishes instructions for how these are to be handled.
To the extent that the General Data Protection Regulation ((EU) 2016/679) (hereinafter “the GDPR”) establishes additional requirements, it shall be applied in addition to this policy. If any part of this policy is in conflict with the GDPR, the GDPR shall apply in place of the part concerned.
“Personal data” as used in this policy means any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data subject” as used in this policy means an identifiable natural person whose personal data are subject to processing.
2.Policy
CWT shall comply with the GDPR and conduct its activities in a way that respects individuals’ right to data protection. In this respect, the following applies to CWT’s processing of personal data:
- Lawfulness, fairness and transparency. Collection, use and other processing of personal data must take place in a lawful, fair and transparent manner in relation to the data subject. CWT shall facilitate the exercise of data subject rights, such as the right to access and erasure of data, in accordance with the GDPR.
- Purpose limitation. Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. CWT shall ensure that there are routines for deletion or de-identification of personal data whose processing is no longer necessary for its original purposes.
- Processing only on legal basis. Personal data shall only be processed if there is a legal basis for the processing.
- Storage limitation. CWT shall only store personal data for as long as it is necessary to meet the business’ established needs for processing. When storage is no longer necessary for these reasons, the company shall delete, restrict processing of or anonymise the personal data in question.
- Privacy notices. CWT shall, in accordance with the GDPR, provide information on the processing of personal data to the data subjects.
- Access to personal data. CWT shall provide data subjects and the competent Supervisory Authority with access to personal data in accordance with the GDPR.
- Objections to processing. CWT shall ensure that the data subject can object to processing carried out on the basis of a public or legitimate interest or for direct marketing purposes and shall accept such a request when appropriate.
- Data portability. In cases where personal data are processed on the basis of consent or a contract, and the processing is carried out by automated means such as in an IT system, CWT shall, at the request of the data subject,
- provide the data subject with their personal data in a structured, commonly used and machine-readable format and not in any way hinder the data subject from transferring their personal data to another organisation; and
- transfer the personal data directly from CWT to another organisation, provided that it is technically feasible.
- Data minimisation and accuracy. Personal data shall be adequate, relevant and limited to what is necessary for the purposes of the processing and shall be kept up to date. Incorrect information must be rectified or, where appropriate, erased, either on CWT’s own initiative or at the request of the data subject.
- Use of data processors. CWT may assign third parties as data processors, meaning that they will have access to and process personal data on behalf of CW. CWT shall always ensure that the data processors meet the requirements of this Personal Data Policy as well as requirements that follow from the GDPR. CWT shall in particular enter into data processing agreements with data processors in order to be able to set requirements for how personal data may be processed.
- Transfer of personal data outside of the EU/EEA. CWT shall comply with the restrictions for the transfer of personal data to recipients outside of the EU/EEA set by the GDPR.
- Integrity and confidentiality. CWT shall evaluate risks in relation to the processing of personal data and take appropriate technical and organisational measures to protect the personal data. The measures shall ensure an adequate level of confidentiality and security. CWT shall in particular protect the protection of personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Privacy by design. CWT shall ensure that IT systems and processes are designed with the requirements of the GDPR in mind from the outset.
- Privacy by default. CWT shall ensure that personal data are only processed where necessary for each specific purpose and that IT systems and processes meet the requirements of the GDPR by default. In particular, CWT shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. Data protection shall be the rule, not the exception.
3. Implementation and Communication
The board of CWT is responsible for ensuring that this Personal Data Policy is complied with. All employees shall be aware of CWT ‘s attitude regarding the protection of personal data and must cooperate with the employer in order for the policy to be complied with. Suppliers and other partners are expected to follow this Personal Data Policy insofar as they process personal data on behalf of CWT.
Violations of this policy may result in disciplinary and/or legal action. All employees and partners are obliged to immediately report suspected violations of this Personal Data Policy to their immediate supervisor/manager or, for partners, to CWT s CEO.
4.Review and Audit
This policy shall, upon request and in accordance with applicable law, be made available to the competent Supervisory Authority for the processing of personal data.