GDPR POLICY

GDPR POLICY

Data Protection Policy 2025-2026

1. INTRODUCTION AND SCOPE

This policy outlines how DBaaS Ltd ("we") complies with GDPR and other data protection laws, applying to all personal data processing activities.

• Effective Date: Jan 1, 2025
• Review Date: Dec 31, 2026
• Policy Owner: Data Protection Officer
• Version: 2.0

2. DEFINITIONS

• Personal Data: Any info identifying a natural person.
• Data Subject: Person whose data is processed.
• Processing: Collection, storage, use, disclosure, destruction.
• Data Controller: Determines purpose & means of processing.
• Data Processor: Processes data on behalf of controller.
• Consent: Freely given, specific, informed, unambiguous.

3. DATA PROTECTION PRINCIPLES

• Lawfulness, Fairness, Transparency: Clear notices to data subjects.
• Purpose Limitation: Only for legitimate purposes.
• Data Minimization: Only necessary data collected.
• Accuracy: Maintain up-to-date data.
• Storage Limitation: Retain only as required.
• Integrity & Confidentiality: Technical & organizational security measures.
• Accountability: Maintain processing records.

4. LAWFUL BASIS

• Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests

5. TYPES OF PERSONAL DATA

• Customer: Contact, credentials, payment, usage
• Employee: ID, employment, payroll, health, training
• Website Visitors: IP, cookies, browsing, contact forms

6. DATA SOURCES

• Direct from subjects, automated collection, third parties, employees, vendors

7. DATA PROCESSING PURPOSES

• Service Delivery, Business Operations, HR functions

8. DATA SHARING & TRANSFERS

• Internal need-to-know, third-party providers, international transfers via standard clauses or adequacy

9. DATA RETENTION

• Customer & Employee: +7 yrs, Marketing: until withdrawn, Financial: 7 yrs, Logs: 12 months

10. DATA SUBJECT RIGHTS

Access, Rectification, Erasure, Restrict Processing, Data Portability, Object, Automated Decisions. Contact DPO at dpo@dbaas.com.

11. TECH & ORG MEASURES

• Technical: Encryption, access control, updates, monitoring, backups, pseudonymization
• Organizational: Staff training, roles, audits, incident response, vendor management, privacy by design

12. DATA BREACH MANAGEMENT

• Detect, investigate, notify authority in 72 hrs, inform subjects, breach response team

13. PRIVACY BY DESIGN & DEFAULT

• DPIAs, privacy-enhancing tech, minimal collection, privacy-friendly defaults, periodic review

14. THIRD-PARTY PROCESSORS

• Security & compliance reviews, processor agreements, data subject rights coverage

15. COOKIES & TRACKING

• Types, purposes, consent, manage preferences, analytics in accordance with policy

16. CHILDREN'S DATA

No collection under 16 without consent; delete if found.

17. POLICY UPDATES

• Regular review: law, business, tech, best practices. Notification via email/website.

18. TRAINING & AWARENESS

• Employee GDPR training, incident reporting, role-specific training

19. COMPLIANCE MONITORING

• Audits, KPI monitoring for requests, breaches, training, audit resolution