** FREE PREVIEW VERSION **

[organization logo]

[organization name]

PERSONAL DATA PROTECTION POLICY

Code:

Version:

Date of version:

Created by:

Approved by:

Confidentiality level:

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
 [organization name] [confidentiality level]

Change history
Date Version Created by Description of change

dd.mm.yyyy 0.1 EUGDPRAcadem Basic document outline

y

Table of contents
1. PURPOSE, SCOPE AND USERS................................................................................................................. 4

2. REFERENCE DOCUMENTS....................................................................................................................... 4

3. DEFINITIONS.......................................................................................................................................... 4

4. BASIC PRINCIPLES REGARDING PERSONAL DATA PROCESSING...............................................................6

4.1. LAWFULNESS, FAIRNESS AND TRANSPARENCY..................................................................................................6
4.2. PURPOSE LIMITATION.................................................................................................................................6
4.3. DATA MINIMIZATION.................................................................................................................................6
4.4. ACCURACY................................................................................................................................................7
4.5. STORAGE PERIOD LIMITATION......................................................................................................................7
4.6. INTEGRITY AND CONFIDENTIALITY..................................................................................................................7
4.7. ACCOUNTABILITY.......................................................................................................................................7

5. BUILDING DATA PROTECTION IN BUSINESS ACTIVITIES..........................................................................7

5.1. NOTIFICATION TO DATA SUBJECTS................................................................................................................7
5.2. DATA SUBJECT’S CHOICE AND CONSENT.........................................................................................................7
5.3. COLLECTION.............................................................................................................................................7
5.4. USE, RETENTION, AND DISPOSAL..................................................................................................................7
5.5. DISCLOSURE TO THIRD PARTIES....................................................................................................................8
5.6. CROSS-BORDER TRANSFER OF PERSONAL DATA...............................................................................................8
5.7. RIGHTS OF ACCESS BY DATA SUBJECTS...........................................................................................................8
5.8. DATA PORTABILITY.....................................................................................................................................8
5.9. RIGHT TO BE FORGOTTEN............................................................................................................................8

6. FAIR PROCESSING GUIDELINES............................................................................................................... 9

6.1. NOTICES TO DATA SUBJECTS........................................................................................................................9
6.2. OBTAINING CONSENTS................................................................................................................................9

7. ORGANIZATION AND RESPONSIBILITIES............................................................................................... 10

8. GUIDELINES FOR ESTABLISHING THE LEAD SUPERVISORY AUTHORITY..................................................11

8.1. NECESSITY TO ESTABLISH THE LEAD SUPERVISORY AUTHORITY..........................................................................11
Personal Data Protection Policy ver [version] from [date] Page 2 of 5

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
 [organization name] [confidentiality level]

8.2. MAIN ESTABLISHMENT AND THE LEAD SUPERVISORY AUTHORITY......................................................................11

8.2.1. Main Establishment for the Data Controller................................................................................11
8.2.2. Main Establishment for the Data Processor.................................................................................12
8.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors......................12

9. RESPONSE TO PERSONAL DATA BREACH INCIDENTS.............................................................................12

10. AUDIT AND ACCOUNTABILITY.............................................................................................................. 12

11. CONFLICTS OF LAW.............................................................................................................................. 13

12. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT...........................................................13

13. VALIDITY AND DOCUMENT MANAGEMENT.......................................................................................... 14

1. Purpose, Scope and Users

Personal Data Protection Policy ver [version] from [date] Page 3 of 5

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
 [organization name] [confidentiality level]

[Name of the Company], hereinafter referred to as the “Company”, strives to comply with applicable
laws and regulations related to Personal Data protection in countries where the Company operates.
This Policy sets forth the basic principles by which the Company processes the personal data of
consumers, customers, suppliers, business partners, employees and other individuals, and indicates
the responsibilities of its business departments and employees while processing personal data.

This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries
conducting business within the European Economic Area (EEA) or processing the personal data of
data subjects within EEA.

The users of this document are all employees, permanent or temporary, and all contractors working
on behalf of The Company.

2. Reference Documents
 EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive 95/46/EC)
 [relevant national law or regulation for GDPR implementation]
 [other local laws and regulations]
 Information Security Policy
 Employee Personal Data Protection Policy
 Data Retention Policy
 Data Protection Officer Job Description
 Guidelines for Data Inventory and Processing Activities
 Data Subject Access Request Procedure
 Data Protection Impact Assessment Guidelines
 Cross Border Personal Data Transfer Procedure
 [information security policies]
 Breach Notification Procedure

3. Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European
Union’s General Data Protection Regulation:

Personal Data: Any information relating to an identified or identifiable natural person ("Data
Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.

Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to
fundamental rights and freedoms merit specific protection as the context of their processing could

Personal Data Protection Policy ver [version] from [date] Page 4 of 5

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
 [organization name] [confidentiality level]

create significant risks to the fundamental rights and freedoms. Those personal data include personal
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade
union membership, genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data Controller: The natural or legal person, public authority, agency or any other body, which alone
or jointly with others, determines the purposes and means of the processing of personal data.

** END OF FREE PREVIEW **

To download full version of this document click here:

https://advisera.com/eugdpracademy/documentation/personal-data-protection-policy/

Personal Data Protection Policy ver [version] from [date] Page 5 of 5

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.