1. Purpose, scope and users
Tango StarStrike Ltd, hereinafter referred to as the “Organization” or the “Company”, strives to comply with applicable laws and regulations relating to the protection of personal data in the countries in which the Company operates. This policy sets out the basic principles by which the Company processes the personal data of users, customers, suppliers, business partners, employees and others, and sets out the responsibilities of business departments and employees during the processing of personal data.
This Policy applies to the Company and its directly or indirectly controlled wholly owned subsidiaries that operate within the European Economic Area (EEA) or process the personal data of a data subject in the EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of the Organization.
2. Basic principles relating to the processing of personal data
The Data Protection Principles outline key responsibilities for organisations processing personal data. Article 5(2) of the EU GDPR states that “the controller shall be responsible for and be able to demonstrate compliance with the principles.”
2.1. Legality, Integrity and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2.2. Restriction of Purpose
Personal data must be collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes.
2.3. Data Minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The Company must apply anonymisation or pseudonymisation of personal data where possible to reduce the risks to the data subjects concerned.
2.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
2.5. Limitation of Storage Periods
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
2.6. Integrity and Confidentiality
Taking into account the state of technology and other available security measures, the cost of implementation, the likelihood, and the severity of the risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a manner that ensures adequate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure.
Data controllers must be compliant and able to demonstrate compliance with the principles set out above.
3. Building Data Protection into Business Processes
In order to demonstrate compliance with the Data Protection Principles, the Organization must build data protection into its business activities and processes.
3.1. Notification of the Data Subject
See the section below on Guidelines for Fair Processing.
3.2. Choice and Consent of the Data Subject
See the section below on Guidelines for Fair Processing.
3.3. Collection
The Company should aim to collect the least amount of personal data possible. If personal data is collected by a third party, the data controller must ensure that the personal data is collected lawfully.
3.4. Use, Storage and Removal
The purposes, methods, storage limitations and retention period of personal data must be consistent with the information contained in the privacy notice. The company must maintain the accuracy, integrity, confidentiality and relevance of the personal data based on the purpose of the processing. Adequate safeguards designed to protect personal data must be used to prevent the theft or misuse of personal data and to prevent personal data breaches. The data controller is responsible for compliance with the requirements listed in this section.
3.5. Disclosure to Third Parties
Where the Company uses the services of a supplier or business partner (third party) to process personal data on its behalf, the data controller must ensure that this supplier provides security measures to protect the personal data that are adequate to the risks involved. For this purpose, the processor must complete a questionnaire in accordance with the GDPR. The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data necessary for it to perform its contractual obligations to the Company or on the Company’s instructions, and not for any other purpose. Where the Company processes personal data jointly with an independent third party, the Company must explicitly specify its own and the third party’s respective responsibilities in the relevant contract or other legally binding document, such as the Supplier Data Processing Agreement.
3.6. Cross-border transfer of personal data
Adequate safeguards, including the signing of a data transfer agreement as required by the European Union, must be in place before personal data is transferred outside the European Economic Area (EEA) and, where necessary, authorisation must be obtained from the relevant data protection authority. The entity receiving the personal data must comply with the principles for the processing of personal data set out in the cross-border data transfer procedure.
3.7. Right of Access by Data Subjects
When the Company acts as a data controller, the data controller is responsible for providing data subjects with a mechanism that allows them reasonable access to their personal data, and must allow them to update, rectify, erase or transmit their personal data where applicable or required by law. The access mechanism is further described in the data subject access request procedure.
3.8. Data portability
Data subjects have the right to obtain on request a copy of the data they have provided to us in a structured format and to transmit this data to another controller free of charge. The data controller is responsible for ensuring that these requests are processed within one month, are not excessive and do not affect the personal data rights of others.
3.9. The Right to be Forgotten
Upon request, data subjects have the right to obtain from the Company the erasure of their personal data. Where the Company acts as data controller, the data controller must take the necessary action (including technical measures) to inform the third parties who use or process that data (the data processors) so that they comply with the request.
4. Guidelines for Fair Processing
Personal data must only be processed with the express permission of the data controller. The company must decide whether to carry out a Data Protection Impact Assessment for each data processing activity, in accordance with the Data Protection Impact Assessment Guidelines.
4.1. Notices to Data Subjects
At the time of collection, or prior to the collection of personal data for any type of processing (including but not limited to the sale of products, services or marketing activities), the data controller is responsible for properly informing data subjects of the following: the data and personal information provided by data subjects is used by otpusnise.com for the services it provides. otpusnise.com also uses this data and information to improve its website, to avoid or prevent fraud or abuse to the detriment of the SITE, and to enable third parties to perform technical support, logistics and other services for the SITE. This information is provided via a Privacy Notice. Where personal data is shared with a third party, the data controller must ensure that data subjects have been notified of this via the Privacy Notice. Where personal data is transferred to a third country in accordance with the Cross Border Data Transfer Policy, the Privacy Notice must reflect this and clearly identify where and which personal data is being transferred. Where sensitive personal data is collected, the data controller must ensure that the Privacy Notice explicitly states the purpose for which that sensitive personal data is collected.
4.2. Obtaining Consent
Where the processing of personal data is based on the data subject’s consent or on other lawful grounds, the data controller is responsible for maintaining a record of such consent. The data controller is responsible for providing data subjects with the means to give their consent, and must inform them, and ensure, that their consent (where consent is used as the lawful basis for processing) may be withdrawn at any time. Where personal data records are required to be rectified, amended or destroyed, the data controller must ensure that these requests are processed within a reasonable time. The data controller must also record the requests and keep a log of them.
Personal data must only be processed for the purposes for which it was originally collected. If the Company wishes to process the collected personal data for another purpose, the Company must seek the consent of its data subjects. Any such request must include the original purpose for which the data was collected as well as the new or additional purpose(s), and the reason for the change of purpose(s). The Data Protection Officer is responsible for ensuring compliance with the rules in this paragraph.
Now and in the future, the data controller must ensure that collection methods are in accordance with relevant laws, good practice and industry standards. The data controller is responsible for creating and maintaining a register of privacy notices.
5. Organization and Responsibilities
The responsibility for ensuring appropriate processing of personal data rests with anyone who works for or with the Company and has access to the personal data processed by the Company. The main organisational roles responsible for processing personal data are the data controller and the secretary. The Data Protection Officer (DPO) is responsible for the management of the data protection programme and for the development and promotion of data protection policies.
The Data Controller is responsible for:
- Ensuring that all systems, services and equipment used to store data meet acceptable security standards.
- Performing regular checks and scans to ensure that hardware and security software are functioning properly.
The data controller is also responsible for:
- Approving all data protection declarations attached to messages, emails and letters.
- Responding to any data protection queries from journalists or the media.
- Where necessary, working with the Data Protection Officer to ensure that marketing initiatives comply with data protection principles.
The Secretary is responsible for:
- Improving staff awareness of consumer data protection.
- Organising data protection expertise and awareness training for staff working with personal data.
- End-to-end employee data protection, ensuring that employees’ personal data is processed on the basis of the employer’s legitimate business purpose and need.
The Registrar is responsible for passing data protection responsibilities on to suppliers, for raising suppliers’ levels of awareness of data protection, and for minimising the personal data required by the third parties they use. The Procurement/Supply Department must ensure that the Company reserves the right to audit suppliers.
6. Audit and Accountability
The Secretary and the Data Controller are responsible for checking and auditing how well business departments are implementing this policy. Any employee who violates this policy will be subject to disciplinary action, and may also be subject to civil or criminal liability if his or her conduct violates laws or regulations.