Data Protection Policy
1. Introduction
SIA SQUALIO Group (its subsidiaries and affiliates, including each SQUALIO operating company under brand name “SQUALIO” - together, "SQUALIO") is committed to ensure the protection of Personal Data of its Customers, Employees, Business Partners and any other individual.
The Data Protection Policy (hereinafter, the "Policy") shows how SQUALIO process the personal data of clients, suppliers, employees and other categories of natural persons, namely describes the principles applicable to the personal data processing within SQUALIO.
SQUALIO's mission and objective is to observe privacy/data protection legal obligations and highest standards in all data processing instances, throughout the entire personal data life cycle.
The Policy is the document that provides a high-level guidance on SQUALIO's actions relating to personal privacy and data protection and it is the statement of the management of SQUALIO of the standards that need to be met.
2. Definitions
| Personal Data | Any information regarding an identified or identifiable natural person. |
| Data Subject | The natural person identified or identifiable through the personal data processing. An identifiable natural person is a person who can be identified, directly or indirectly, especially through referral to an identification element, such as a name, an identification number, localization data, an online identifier or one or more specific elements, characteristic to their physical, physiological, genetic, psychic, economic, cultural or social identity. |
| Processing | Any operation or set of operations performed on personal data or personal data sets, with or without the use of automatic means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, usage, disclosure through transmittal, dissemination or making available through any other means, alignment or combination, restriction, erasure or destruction. |
| Recipient | The natural person or legal entity, public authority, agency or other organism to which (whom) the personal data is disclosed, regardless if it is a third party or not. |
| Data Protection Officer/Responsible | The person in SQUALIO responsible for meeting the demands regarding personal data protection, whether they were appointed as Data Protection Officer in the sense of the applicable data protection law or was only assigned certain tasks in this sense, if there is not a Data Protection Officer appointed. |
| Record of processing activities” or Personal Data Registry | Registry created by SQUALIO in order to keep the record of the processing activities performed by SQUALIO. |
| Processor/data importer | The natural person or legal entity, public authority, agency or other organism that processes personal data on behalf of the controller/operator. |
| Controller/operator | The natural person or legal entity, public authority, agency or other organism which, alone or together with others, establishes the purposes and means of the personal data processing. |
| Third party | A natural person or legal entity, public authority, agency or organism, other than: the data subject, the controller/operator, the processor and the people who, under the direct authority of the person mandated by the controller/operator, are authorized to process personal data. |
| SQUALIO group | All SQUALIO operating companies partially or wholly owned unless specifically excluded and operating under the brand name “SQUALIO”. |
3. Scope
SQUALIO processes personal data from several general purposes, which are listed in the record of personal data processing activities, under the form of a registry. This Policy applies to any Personal Data Processing that is done for or by SQUALIO.
This Policy shall be complied with by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any SQUALIO resources.
4. Application of national law
The present Policy presents the principles applicable to personal data processing, which must be observed within SQUALIO, without replacing the legislation on data protection applicable in all countries where SQUALIO is established or does business in. The legislation prevails over this Policy, if it contains divergent provisions or additional conditions. In particular, any conditions regarding reporting and authorization existing in the legislation concerning data processing based in the national legislation must be observed.
5. Principles of data processing
Each personal data processing must observe the rights and freedoms of the data subject, in accordance with the principles stated below. These must be observed even when new data processing is initiated or when the existing ones are extended or diversified.
Personal data processing is fair and lawful, meaning SQUALIO has a legitimate business purpose (and, where required, a legal basis) for processing personal data. Where SQUALIO acts as a processor, it will generally rely on the controller to establish this legal basis.
Personal data processing is limited to the minimum necessary, meaning SQUALIO collects and retains the minimum amount of personal data necessary for the business purpose. Where SQUALIO acts as a processor, it must also process personal data only as directed by the controller.
SQUALIO is transparent with data subjects how and why their personal data will be processed. Where SQUALIO is a processor, this information is likely to be provided to the data subjects by the controller.
Personal data is processed in accordance with the rights of data subjects (e.g. to access, erase or correct personal data). Where SQUALIO acts as a controller, it must respect and observe any exercise of these rights, and where it is a processor it will be required to assist the controller in responding.
Personal data is accurate, up-to-date and complete. Where it acts as processor, SQUALIO will assist the controller to ensure this.
Personal data is kept secure, meaning SQUALIO applies appropriate security safeguards to personal data, including where processed by third parties. Where SQUALIO acts as a processor, it will be required to implement its own appropriate safeguards and provide assistance to the controller in doing the same.
Personal data is transferred internationally in accordance with applicable law.
SQUALIO is accountable and can demonstrate compliance with its obligations under applicable data privacy laws.
6. Rights of the data subject
Together with the principles mentioned above, SQUALIO keeps in mind and observes the rights of the data subject in all personal data processing according with the applicable law, which might include:
- Right to information and transparency - SQUALIO ensures that the data subject is informed with regard to the personal data processing;
- Right to access – SQUALIO observes the procedure in order to ensure the access of data subject s to information regarding their data processing.
- Right to rectification - Regardless of the grounds for the processing, the data subjects have the right to request SQUALIO to rectify or complete their data, as the case may be, on the basis of an additional statement.
- Right to restrict the processing - The data subjects can request SQUALIO to restrict the processing of the personal data concerning them.
- Right to erasure ("right to be forgotten") - The data subjects have the right to request and obtain the erasure of personal data in some cases;
- Right to data portability - The data subjects have the right to request SQUALIO to provide a copy of their personal data to the data subject or a Third Party in some cases.
- Right to oppose the processing/ Right to oppose the processing in direct marketing purposes: SQUALIO shall not make decisions about data subjects based solely on automated processing.
7. Disclosure of personal data. Assignees. Transfer to Third-Party Countries
Type and purposes of personal data disclosures
Personal data shall only be disclosed if the party that receives it is personally liable for the data it has received or only if the party that receives them will use it in accordance with the instructions obtained from the party that discloses it.
Personal data can be disclosed for allowed purposes, mentioned in SQUALIO's records, in view of the performance of SQUALIO's activity, for observing legal obligations or if there is consent from the data subject.
Processors/Data importers
In situations in which the processing will be performed by another natural person or legal entity in the name of SQUALIO, they will be a processor/data importer in the sense of the applicable law and must offer enough guarantees for the application of adequate technical and organizational measures for personal data protection, which it will process in the name of SQUALIO and by observing the rights of the data subjects.
Transfer of data to a third-party country
There is a transfer to another country when the personal data is transmitted, visualized or accessed by persons who are in another country.
If the personal data collected and stored by SQUALIO is transferred to a person situated in a different country than the one where SQUALIO has its registered office, the person who received the data must guarantee a personal data protection level equivalent to the level ensured by SQUALIO.
8. Contact points
For any inquiries on this Policy or other personal data processing matters, contact our Data Protection Officer via e-mail: dpo@squalio.com
9. Compliance
The Data Protection Officer is owner of this Policy. SQUALIO is committed to ensuring that this Policy is observed by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any SQUALIO resources.
Compliance with this Policy is verified by various means, including reports from available business tools, internal and external audits, self-assessment, and/or feedback to the policy owner(s). SQUALIO monitors its compliance with this Policy on an ongoing basis. Any exceptions to this Policy requires the written approval of the Data Protection Officer.
Failure to comply with this Policy, including attempts to circumvent it may result in disciplinary actions, including termination, as allowed by local laws.
Violations of regulations designed to protect Personal Data may result in administrative sanctions, penalties, claims for compensation or injunctive relief, and/or other civil or criminal prosecution and remedies.
June 7th, 2023
