DATA PROTECTION POLICY
Vital Aims Tech Solutions (“the Company”) recognizes the importance of safeguarding personal data and respecting individuals’ privacy rights. This Data Protection Policy outlines our commitment to protecting personal data in accordance with various data protection laws and regulations, which may include but are not limited to:
- The General Data Protection Regulation (GDPR) in Europe
- The California Consumer Privacy Act (CCPA) in the United States
- The Personal Data Protection Act (PDPA) in Singapore
- The Privacy Act in Australia
This policy establishes the framework for how we collect, process, store, and manage personal data responsibly and in compliance with these laws.
1 Overview
- The Company (Vital Aims Tech Solutions) takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
- This policy applies to current and former employees, workers, volunteers, apprentices and consultants. If you fall into one of these categories then you are a ‘data subject’ for the purposes of this policy. You should read this policy alongside your contract of employment (or contract for services) and any other notice we issue to you from time to time in relation to your data.
- The Company has measures in place to protect the security of your data in accordance with our Data Security Policy.
- The company will hold data in accordance with our Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
- The Company is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
- This policy explains how the Company will hold and process your information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of, the Company.
- This policy does not form part of your contract of employment (or contract for services if relevant) and can be amended by the Company at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, the Company intends to comply with the 2018 Act and the GDPR.
2 Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
- be processed fairly, lawfully and transparently;
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
- not be kept for longer than is necessary for the purposes for which it is processed; and
- be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
3 How We Define Personal Data
- ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymized data.
- This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
- This personal data might be provided to us by you, or someone else (such as a former employer, your doctor, or a credit reference agency), or it could be created by us. It could be provided or created during the recruitment process or during the course of the contract of employment (or services) or after its termination. It could be created by your manager or other colleagues.
4 How We Define Processing
‘Processing’ means any operation which is performed on personal data such as:
- collection, recording, organization, structuring or storage;
- adaption or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination or otherwise making available;
- alignment or combination; and
- restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
6 How Will We Process Your Personal Data?
The Company will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
7 We Will Use Your Personal Data For:
- performing the contract of employment (or services) between us;
- complying with any legal obligation; or
- if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights in section 12 below.
- We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
RESPONSIBILITIES:
EMPLOYEES
All employees are responsible for ensuring the proper handling of personal data in their day-to-day activities. They must adhere to this policy and report any data protection concerns to the Data Protection Officer or DPO in short form.
How Should You Process Personal Data For the Company?
Everyone who works for, or on behalf of, the Company has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Company’s Data Security and Data Retention policies.
The Company’s Data Protection Officer/Data Protection Manager / Data Protection Officer (DPO) is responsible for reviewing this policy and updating the Board of Directors on the Company’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of the Company and only if you are authorized to do so. You should only use the data for the specified lawful purpose for which it was obtained.
- You should not share personal data informally.
- You should keep personal data secure and not share it with unauthorized people.
- You should regularly review and update personal data which you have to deal with for work. This includes telling us if your own contact details change.
- You should not make unnecessary copies of personal data and should keep and dispose of any copies securely.
- You should use strong passwords.
- You should lock your computer screens when not at your desk.
- Personal data should be encrypted before being transferred electronically to authorized external contacts. Speak to IT for more information on how to do this
- Consider anonymizing data or using separate keys/codes so that the data subject cannot be identified.
- Do not save personal data to your own personal computers or other devices.
- Personal data should never be transferred outside the European Economic Area except in compliance with the law and authorization of the Data Protection Officer Muhammad Zohaib.
- You should lock drawers and filing cabinets. Do not leave paper with personal data lying about.
- You should not take personal data away from Company’s premises without authorization from your line manager or Data Protection Officer Data Protection Officer Muhammad Zohaib.
- Personal data should be shredded and disposed of securely when you have finished with it.
- You should ask for help from our Data Protection Officer/Data Protection Manager if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.
- Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure.
- It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.
CONTRACTORS AND THIRD PARTIES
Contractors and third parties engaged by the Company are also responsible for adhering to this policy and for ensuring the proper handling of personal data in their activities on behalf of the Company. They must comply with applicable data protection laws and regulations and report any data protection concerns to the DPO.
DATA PROTECTION OFFICER (DPO)
The Company has appointed a Data Protection Officer Muhammad Zohaib, who is responsible for overseeing data protection matters, ensuring compliance with applicable laws, conducting regular audits or reviews of data processing activities, and acting as a point of contact for data subjects and regulatory authorities.
DATA COLLECTION AND PROCESSING
LAWFUL PROCESSING
The Company will only collect and process personal data when it has a lawful basis to do so, including but not limited to:
- The consent of the data subject
- Contractual necessity
- Legal obligation
- Legitimate interests
- The protection of vital interests
TRANSPARENCY
Data subjects will be informed of the purposes for which their data is collected and processed, including the lawful basis for processing, at the point of data collection or before, and their rights in relation to their data.
CONSENT
Where consent is required for processing personal data, the Company will obtain explicit and freely given consent from data subjects. Consent will be obtained through clear and easily accessible means, and records of consent will be maintained.
DATA SECURITY:
DATA BREACH RESPONSE
A data breach is defined as any unauthorised access, disclosure, or acquisition of personal data that compromises its confidentiality, integrity, or availability.
We have robust measures in place to minimize and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else), then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
In the event of a data breach, the Company will promptly:
- Assess and mitigate the impact of the breach
- Notify affected data subjects in a timely manner, providing details of the breach and actions they can take to protect themselves
- Notify relevant regulatory authorities where required by applicable law
DATA SUBJECT RIGHTS
- Data subjects have the following rights regarding their personal data:
- Right to Access: Data subjects can request access to their personal data.
- Right to Rectification: Data subjects can request corrections to their personal data.
- Right to Erasure: Data subjects can request the deletion of their personal data.
- Right to Data Portability: Data subjects can request the transfer of their personal data.
- Right to Object: Data subjects can object to the processing of their personal data.
- Right to Restriction of Processing: Data subjects can request the restriction of processing under certain circumstances.
To exercise these rights, data subjects can contact the Data Protection Officer at the contact information provided below.
CONTACT INFORMATION
Data subjects can contact the Data Protection Officer Muhammad Zohaib at:
APPROVAL AND EFFECTIVE DATE
This Data Protection Policy was approved by Our Data Protection Officer Muhammad Zohaib and is effective from 24th October 2024.