GDPR POLICY
Data Protection Policy 2025-2026
1. INTRODUCTION AND SCOPE
This Data Protection Policy outlines how DBaaS Ltd ("the Company", "we", "us", "our") complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This policy applies to all personal data processing activities conducted by DBaaS Ltd and governs how we collect, use, store, and protect personal data.
- Effective Date: January 1, 2025
- Review Date: December 31, 2026
- Policy Owner: Data Protection Officer
- Document Version: 2.0
2. DEFINITIONS
- Personal Data: Any information relating to an identified or identifiable natural person (data subject).
- Data Subject: An identified or identifiable natural person whose personal data is processed by DBaaS Ltd.
- Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: An entity that processes personal data on behalf of the data controller.
- Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes.
3. DATA PROTECTION PRINCIPLES
DBaaS Ltd processes personal data in accordance with the following principles:
3.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and transparently. We inform data subjects about our processing activities through clear privacy notices.
3.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes only. We do not process data for purposes incompatible with the original collection purpose.
3.3 Data Minimization
We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the specified purposes.
3.4 Accuracy
We maintain accurate and up-to-date personal data. We take reasonable steps to ensure inaccurate data is erased or rectified without delay.
3.5 Storage Limitation
We retain personal data for no longer than necessary for the purposes for which it was collected, unless a longer retention period is required by law.
3.6 Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure the security of personal data against unauthorized access, loss, destruction, or damage.
3.7 Accountability
We demonstrate compliance with these principles and maintain records of our processing activities.
4. LAWFUL BASIS FOR PROCESSING
DBaaS Ltd processes personal data based on one or more of the following lawful bases:
- Consent: The data subject has given clear consent for processing their personal data for specific purposes.
- Contract: Processing is necessary for performing a contract with the data subject or taking pre-contractual steps.
- Legal Obligation: Processing is necessary to comply with legal obligations.
- Vital Interests: Processing is necessary to protect someone's life.
- Public Task: Processing is necessary to perform a task in the public interest.
- Legitimate Interests: Processing is necessary for legitimate business interests, provided these do not override the data subject's rights.
5. TYPES OF PERSONAL DATA COLLECTED
5.1 Customer Data
- Contact information (name, email, phone number, address)
- Business information (company name, job title, industry)
- Account credentials and authentication data
- Payment and billing information
- Usage data and system logs
- Communication records
5.2 Employee Data
- Personal identification information
- Employment history and qualifications
- Performance and disciplinary records
- Payroll and benefits information
- Health and safety records
- Training records
5.3 Website Visitors
- IP addresses and device information
- Cookies and tracking technologies
- Browsing behavior and preferences
- Contact form submissions
6. DATA SOURCES
We collect personal data from the following sources:
- Directly from data subjects (forms, communications, account creation)
- Automated collection (website analytics, system logs)
- Third-party sources (business partners, public databases)
- Employees and contractors
- Service providers and vendors
7. DATA PROCESSING PURPOSES
7.1 Service Delivery
- Providing database-as-a-service solutions
- Customer account management
- Technical support and maintenance
- Performance monitoring and optimization
- Service customization and improvements
7.2 Business Operations
- Contract management and billing
- Marketing and communications
- Legal compliance and regulatory reporting
- Risk management and fraud prevention
- Business analytics and insights
7.3 Human Resources
- Employee recruitment and onboarding
- Payroll and benefits administration
- Performance management
- Training and development
- Health and safety compliance
8. DATA SHARING AND TRANSFERS
8.1 Internal Sharing
Personal data may be shared within DBaaS Ltd on a need-to-know basis for legitimate business purposes.
8.2 Third-Party Sharing
We may share personal data with:
- Service providers and subprocessors
- Business partners and affiliates
- Legal and regulatory authorities
- Professional advisors (lawyers, accountants, auditors)
- Potential buyers in case of business transfer
8.3 International Transfers
When transferring personal data outside the UK/EEA, we ensure appropriate safeguards are in place:
- Adequacy decisions
- Standard contractual clauses
- Binding corporate rules
- Certification schemes
9. DATA RETENTION
9.1 Retention Periods
- Customer data: Retained for the duration of the service relationship plus 7 years for legal and audit purposes
- Employee data: Retained for the duration of employment plus 7 years
- Marketing data: Retained until consent is withdrawn or legitimate interest expires
- Financial records: Retained for 7 years as required by law
- System logs: Retained for 12 months unless required for security investigations
9.2 Secure Disposal
At the end of retention periods, personal data is securely deleted or anonymized using industry-standard methods.
10. DATA SUBJECT RIGHTS
Under GDPR, data subjects have the following rights:
10.1 Right of Access
Data subjects can request confirmation of processing and access to their personal data.
10.2 Right to Rectification
Data subjects can request correction of inaccurate or incomplete personal data.
10.3 Right to Erasure
Data subjects can request deletion of personal data in certain circumstances.
10.4 Right to Restrict Processing
Data subjects can request limitation of processing in specific situations.
10.5 Right to Data Portability
Data subjects can request their data in a structured, commonly used format.
10.6 Right to Object
Data subjects can object to processing based on legitimate interests or for direct marketing.
10.7 Rights Related to Automated Decision-Making
Data subjects have rights regarding automated decision-making and profiling.
10.8 Exercising Rights
To exercise these rights, contact our Data Protection Officer at dpo@dbaas.com. We will respond within one month of receiving a valid request.
11. TECHNICAL AND ORGANIZATIONAL MEASURES
11.1 Technical Measures
- Encryption of data at rest and in transit
- Access controls and authentication systems
- Regular security updates and patches
- Intrusion detection and monitoring systems
- Secure backup and recovery procedures
- Data pseudonymization and anonymization
11.2 Organizational Measures
Measures include:
- Data protection training for all staff
- Clear roles and responsibilities
- Regular security audits and assessments
- Incident response procedures
- Vendor management and due diligence
- Privacy by design and default principles
12. DATA BREACH MANAGEMENT
12.1 Breach Detection
We maintain systems to detect, investigate, and report data breaches promptly.
12.2 Notification Requirements
- Supervisory authority: Within 72 hours of becoming aware of a breach likely to result in risk
- Data subjects: Without undue delay if the breach is likely to result in high risk to their rights
12.3 Breach Response Team
- Data Protection Officer
- IT Security Manager
- Legal Counsel
- Communications Lead
13. PRIVACY BY DESIGN AND DEFAULT
We implement privacy by design and default by:
- Conducting Data Protection Impact Assessments (DPIAs)
- Implementing privacy-enhancing technologies
- Minimizing data collection and processing
- Ensuring privacy settings are set to the most privacy-friendly option by default
- Regularly reviewing and updating privacy practices
14. THIRD-PARTY PROCESSORS
We conduct thorough due diligence on all third-party processors, including:
14.1 Due Diligence
- Security and privacy assessments
- Contractual compliance reviews
- Regular audits and monitoring
14.2 Processor Agreements
All third-party processors must sign data processing agreements that include:
- Clear processing instructions
- Confidentiality obligations
- Security requirements
- Sub-processor provisions
- Data subject rights facilitation
15. COOKIES AND TRACKING
15.1 Cookie Policy
Our website uses cookies and similar technologies. We provide clear information about:
- Types of cookies used
- Purposes of cookie usage
- Cookie consent mechanisms
- How to manage cookie preferences
15.2 Analytics and Tracking
We use analytics tools to understand website usage. Personal data collected through these tools is processed in accordance with this policy.
16. CHILDREN'S DATA
DBaaS Ltd does not knowingly collect personal data from children under 16 without appropriate parental consent. If we become aware that we have collected such data, we will take steps to delete it promptly.
17. POLICY UPDATES AND CHANGES
17.1 Regular Review
This policy is reviewed annually and updated as necessary to reflect:
- Changes in legislation
- New business activities
- Technological developments
- Best practice evolution
17.2 Change Notification
Significant changes to this policy will be communicated to data subjects through:
- Email notifications
- Website announcements
- Updated privacy notices
18. TRAINING AND AWARENESS
18.1 Employee Training
All employees receive regular data protection training covering:
- GDPR requirements
- Company policies and procedures
- Data handling best practices
- Incident reporting
18.2 Specialized Training
Employees with specific data protection responsibilities receive additional specialized training.
19. COMPLIANCE MONITORING
19.1 Regular Audits
We conduct regular internal audits to ensure compliance with this policy and GDPR requirements.
19.2 Key Performance Indicators
We monitor compliance through various KPIs including:
- Data subject request response times
- Breach response times
- Training completion rates
- Audit findings resolution