GDPR POLICY

GDPR POLICY

Data Protection Policy 2025-2026

1. INTRODUCTION AND SCOPE

This Data Protection Policy outlines how DBaaS Ltd ("the Company", "we", "us", "our") complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This policy applies to all personal data processing activities conducted by DBaaS Ltd and governs how we collect, use, store, and protect personal data.

2. DEFINITIONS

• Personal Data: Any information relating to an identified or identifiable natural person (data subject).
• Data Subject: An identified or identifiable natural person whose personal data is processed by DBaaS Ltd.
• Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Data Processor:An entity that processes personal data on behalf of the data controller.
• Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes.

3. DATA PROTECTION PRINCIPLES

DBaaS Ltd processes personal data in accordance with the following principles:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and transparently. We inform data subjects about our processing activities through clear privacy notices.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes only. We do not process data for purposes incompatible with the original collection purpose.

3.3 Data Minimization

We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the specified purposes.

3.4 Accuracy

We maintain accurate and up-to-date personal data. We take reasonable steps to ensure inaccurate data is erased or rectified without delay.

3.5 Storage Limitation

We retain personal data for no longer than necessary for the purposes for which it was collected, unless a longer retention period is required by law.

3.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data against unauthorized access, loss, destruction, or damage.

3.7 Accountability

We demonstrate compliance with these principles and maintain records of our processing activities.

4. LAWFUL BASIS FOR PROCESSING

DBaaS Ltd processes personal data based on one or more of the following lawful bases:

• Consent: The data subject has given clear consent for processing their personal data for specific purposes.
• Contract: Processing is necessary for performing a contract with the data subject or taking pre-contractual steps.
• Legal Obligation: Processing is necessary to comply with legal obligations.
• Vital Interests: Processing is necessary to protect someone's life.
• Public Task: Processing is necessary to perform a task in the public interest.
• Legitimate Interests: Processing is necessary for legitimate business interests, provided these don't override the data subject's rights.

5. TYPES OF PERSONAL DATA COLLECTED

5.1 Customer Data

• Contact information (name, email, phone number, address)
• Business information (company name, job title, industry)
• Account credentials and authentication data
• Payment and billing information
• Usage data and system logs
• Communication records

5.2 Employee Data

• Personal identification information
• Employment history and qualifications
• Performance and disciplinary records
• Payroll and benefits information
• Health and safety records
• Training records

5.3 Website Visitors

• IP addresses and device information
• Cookies and tracking technologies
• Browsing behavior and preferences
• Contact form submissions

6. DATA SOURCES

We collect personal data from:

• Directly from data subjects (forms, communications, account creation)
• Automated collection (website analytics, system logs)
• Third-party sources (business partners, public databases)
• Employees and contractors
• Service providers and vendors

7. DATA PROCESSING PURPOSES

7.1 Service Delivery

• Providing database-as-a-service solutions
• Customer account management
• Technical support and maintenance
• Performance monitoring and optimization
• Service customization and improvements

7.2 Business Operations

• Contract management and billing
• Marketing and communications
• Legal compliance and regulatory reporting
• Risk management and fraud prevention
• Business analytics and insights

7.3 Human Resources

• Employee recruitment and onboarding
• Payroll and benefits administration
• Performance management
• Training and development
• Health and safety compliance

8. DATA SHARING AND TRANSFERS

8.1 Internal Sharing

Personal data may be shared within DBaaS Ltd on a need-to-know basis for legitimate business purposes.

8.2 Third-Party Sharing

We may share personal data with:

• Service providers and subprocessors
• Business partners and affiliates
• Legal and regulatory authorities
• Professional advisors (lawyers, accountants, auditors)
• Potential buyers in case of business transfer

8.3 International Transfers

When transferring personal data outside the UK/EEA, we ensure appropriate safeguards are in place:

• Adequacy decisions
• Standard contractual clauses
• Binding corporate rules
• Certification schemes

9. DATA RETENTION

9.1 Retention Periods

• Customer data: Retained for the duration of the service relationship plus 7 years for legal and audit purposes
• Employee data: Retained for the duration of employment plus 7 years
• Marketing data: Retained until consent is withdrawn or legitimate interest expires
• Financial records: Retained for 7 years as required by law
• System logs: Retained for 12 months unless required for security investigations

9.2 Secure Disposal

At the end of retention periods, personal data is securely deleted or anonymized using industry-standard methods.

10. DATA SUBJECT RIGHTS

Under GDPR, data subjects have the following rights:

10.1 Right of Access

Data subjects can request confirmation of processing and access to their personal data.

10.2 Right to Rectification

Data subjects can request correction of inaccurate or incomplete personal data.

10.3 Right to Erasure

Data subjects can request deletion of personal data in certain circumstances.

10.4 Right to Restrict Processing

Data subjects can request limitation of processing in specific situations.

10.5 Right to Data Portability

Data subjects can request their data in a structured, commonly used format.

10.6 Right to Object

Data subjects can object to processing based on legitimate interests or for direct marketing.

10.7 Rights Related to Automated Decision-Making

Data subjects have rights regarding automated decision-making and profiling.

10.8 Exercising Rights

To exercise these rights, contact our Data Protection Officer at dpo@dbaas.com. We will respond within one month of receiving a valid request.

11. TECHNICAL AND ORGANIZATIONAL MEASURES

11.1 Technical Measures

• Encryption of data at rest and in transit
• Access controls and authentication systems
• Regular security updates and patches
• Intrusion detection and monitoring systems
• Secure backup and recovery procedures
• Data pseudonymization and anonymization

11.2 Organizational Measures

Measures include:

• Data protection training for all staff
• Clear roles and responsibilities
• Regular security audits and assessments
• Incident response procedures
• Vendor management and due diligence
• Privacy by design and default principles

12. DATA BREACH MANAGEMENT

12.1 Breach Detection

We maintain systems to detect, investigate, and report data breaches promptly.

12.2 Notification Requirements

• Supervisory authority: Within 72 hours of becoming aware of a breach likely to result in risk
• Data subjects: Without undue delay if the breach is likely to result in high risk to their rights

12.3 Breach Response Team

• Data Protection Officer
• IT Security Manager
• Legal Counsel
• Communications Lead

13. PRIVACY BY DESIGN AND DEFAULT

We implement privacy by design and default by:

• Conducting Data Protection Impact Assessments (DPIAs)
• Implementing privacy-enhancing technologies
• Minimizing data collection and processing
• Ensuring privacy settings are set to the most privacy-friendly option by default
• Regularly reviewing and updating privacy practices

14. THIRD-PARTY PROCESSORS

We conduct thorough due diligence on all third-party processors, including:

14.1 Due Diligence

• Security and privacy assessments
• Contractual compliance reviews
• Regular audits and monitoring

14.2 Processor Agreements

All third-party processors must sign data processing agreements that include:

• Clear processing instructions
• Confidentiality obligations
• Security requirements
• Sub-processor provisions
• Data subject rights facilitation

15. COOKIES AND TRACKING

15.1 Cookie Policy

Our website uses cookies and similar technologies. We provide clear information about:

• Types of cookies used
• Purposes of cookie usage
• Cookie consent mechanisms
• How to manage cookie preferences

15.2 Analytics and Tracking

We use analytics tools to understand website usage. Personal data collected through these tools is processed in accordance with this policy.

16. CHILDREN'S DATA

   Policy:

DBaaS Ltd does not knowingly collect personal data from children under 16 without appropriate parental consent. If we become aware that we have collected such data, we will take steps to delete it promptly.

17. POLICY UPDATES AND CHANGES

17.1 Regular Review

This policy is reviewed annually and updated as necessary to reflect:

• Changes in legislation
• New business activities
• Technological developments
• Best practice evolution

17.2 Change Notification

Significant changes to this policy will be communicated to data subjects through:

• Email notifications
• Website announcements
• Updated privacy notices

18. TRAINING AND AWARENESS

18.1 Employee Training

All employees receive regular data protection training covering:

• GDPR requirements
• Company policies and procedures
• Data handling best practices
• Incident reporting

18.2 Specialized Training

Employees with specific data protection responsibilities receive additional specialized training.

19. COMPLIANCE MONITORING

19.1 Regular Audits

We conduct regular internal audits to ensure compliance with this policy and GDPR requirements.

19.2 Key Performance Indicators

We monitor compliance through various KPIs including:

• Data subject request response times
• Breach response times
• Training completion rates
• Audit findings resolution