Velocity Privacy Policy

2. Data protection principles

There are several principles under data protection law which must be satisfied while processing Personal Data. In the following section you will find a description of how we aim to achieve compliance with these principles:

• Accountability: We are responsible for ensuring and must be able to demonstrate that the key principles and rules of Data Protection Law are met.
• Lawfulness, Fairness and Transparency: Personal Data may only be processed lawfully, fairly and in a transparent manner. This means we must inform Data Subjects on how and why we process their data (transparency) that the processing must match the description given to the Data Subjects (fairness) and that the processing uses one of the legal bases set forth in data protection law (lawfulness).
• Purpose Limitation: We must specify exactly what the Personal Data we collect will be used for (prior to collecting them) and limit the processing of that Personal Data to only what is necessary to meet the specified purpose.
• Data Minimization: The Personal Data we collect shall be adequate, relevant and limited only to what is necessary for the purposes for which they are processed.
• Accuracy: We have processes in place to ensure that Personal Data is accurate and kept up to date.
• Storage Limitation: Personal Data shall be kept in such a way which enables us to identify the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.
• Security/Integrity and Confidentiality: We use appropriate technical and organizational measures to protect the integrity and confidentiality of Personal Data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.

a. Accountability

Monitoring

There are significant implications for Personal Data Breaches or non-compliance with our legal responsibilities under data protection law. It is our responsibility to process all Personal Data in accordance with our legal obligations and the principles of Data Protection.

If we do not meet the accountability requirements of data protection law, there is not only a risk of non-compliance, but also a significant risk to our reputation.

We assess compliance with this policy in two regards:

1. Compliance in relation to the protection of Personal Data in general
2. The effectiveness of Data Protection measures related to our operational practices

We do reviews on a regular basis and follow the rules of the PDAC Cycle (Plan-Do-Act-Check) for the control and continuous improvement of our processes. This is to establish that an adequate level of compliance is being achieved.

Personal data breach reporting

It is our responsibility to report a personal data breach to the appropriate supervisory authority within 72 hours, if required by law (this is counted from the time we became aware of the incident).

When it is suspected that a Personal Data Breach has taken place for which we are responsible (as Controllers) it must be investigated internally by the Data Protection Officer (DPO) and the incident response team. If the incident results in a risk for Data Subjects, it must be reported to the applicable supervisory authority within 72 hours of becoming aware of the incident.

Training

All Employees must complete Data Protection training relevant to their position.

The Human Resources team is responsible for ensuring that new employees are trained as part of onboarding, and all employees are retrained annually on Data Protection or whenever there is a substantial change in the law or our policy and procedure, whichever is more frequent.  Velocity Quality is responsible for maintaining training records and storing the most up-to-date training materials and documents.

Responsibility

Each Employee who handles Personal Data has a responsibility to handle and process the Personal Data in line with this policy and applicable data protection law.

There are positions in Velocity with specific areas of responsibility:

• Company Leadership is ultimately responsible for ensuring that we meet our legal obligations.
• The Velocity Privacy Officer has overall responsibility for ensuring compliance with Data Protection Law.
• The Privacy Team has overall responsibility for the day-to-day implementation of this policy and for:
  • Reviewing all Data Protection procedures and policies on a regular basis
  • Arranging Data Protection training and advice for all staff members and those included in this policy
  • Responding to Data Subjects who wish to know which Personal Data are being held on them by us
  • Checking and approving with third parties that handle our Personal Data and contracts or agreements regarding Processing
  • Maintaining a Record of Processing Activities incl. regular reviews and approvals
• The Head of Information Technology is responsible for:
  • Ensuring that all systems, services and equipment used for storing data meet acceptable security standards
  • Performing regular checks and scans to ensure security hardware and software is functioning properly
  • Evaluating any third-party services Velocity is considering using to retain or process Personal Data

Overview over processing activities

Data protection law stipulates broad requirements regarding the documentation and proof of compliance with Data Protection obligations. A key element in this regard is the overview over processing activities as set forth in data protection law. We demonstrate data protection compliance through documentation in the Foxondo application[1].

“Privacy by design”

We seek to structure internal processes to have Data Protection principles embedded into every stage of processing activities. “Privacy by design” means that, both before and during any processing activity we carry out, we must implement appropriate technical and organizational measures to integrate safeguards into the processing. This is important to protect Data Subjects and meet the requirements of data protection law.

We always aim to implement appropriate technical and organizational measures both at the time of determination of the means for processing and at the time of the processing itself to ensure the principle of Data Minimization is met.

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, a pre–Data Protection Impact Assessment (DPIA) check must be completed before starting a project (a preliminary, shorter Data Protection Impact Assessment). Depending on the outcome, a full DPIA might be legally required.

b. Lawfulness, fairness and transparency

We are responsible for understanding the context in which the Personal Data processing occurs as part of our day-to-day operations. We want to ensure that this is done fairly and in line with the law, and that we can clearly describe this to Data Subjects. We will always process Personal Data lawfully, fairly, and transparently in accordance with the Data Subject's rights.

Our third-party suppliers/contractors that process Personal Data on our behalf also have obligations of data protection. As such, we are legally required to:

• only engage the services of third-party suppliers/contractors who can demonstrate compliance with data privacy law, e.g. GDPR;
• put in place prescribed contractual arrangements with third party suppliers/contractors which meet the requirements of data privacy law, e.g. GDPR; and
• demonstrate to the data protection authorities that we have complied with these legal obligations.

Personal data collection and notification

We may only collect Personal Data where it is necessary for lawful purposes or explicitly allowed. We will only collect Personal Data from Data Subjects if one of the following statements applies:

• We are required to do so by an obligation imposed on us by law, e.g. EU or applicable local law.
• The processing is necessary to do so for business purposes and for our organization to enter into or perform its contractual obligations with Data Subjects.
• The processing is in our (reasonable) legitimate interests and the data subjects do not have more important conflicting interests.
• The individuals consented. This consent needs to be freely given and to be gathered according to applicable data protection law, e.g. Art. 7 GDPR.
• The data processing is in the vital interest of the data subject or another person.

When we collect personal data, we provide Data Subjects with information regarding the processing of their personal data free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This includes information on third parties to which their personal data is disclosed to and the purpose for which this happens.

As far as Personal Data will be transferred from GDPR territory to the USA within the Velocity Group, this will include information that

• Velocity is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC);
• Velocity is obliged to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles;
• Velocity is required to disclose personal information in response to lawful by public authorities, including to meet international security or law enforcement requirements;
• Velocity is liable in cases of onward transfers to third parties;

 

c. Purpose limitation: Processing for limited purposes

Personal Data collected for one purpose may not usually be used for a different purpose. We aim to only process Personal Data for purposes specifically permitted under data protection law. We inform the Data Subjects of those purposes.

d. Data minimization: Adequate, relevant, and non-excessive processing

Every processing should only use as much Personal Data as is required to successfully accomplish a particular purpose. We will always seek to collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject, and do not collect Personal Data which we do not need.

e. Accuracy: Ensuring that personal data is accurate

We aim to ensure that our systems and processes for identifying inaccurate information are robust and to act quickly to update or erase any inaccurate Personal Data. We endeavor to ensure that the Personal Data we hold is accurate and kept up to date. The Data Subjects may ask that we correct inaccurate Personal Data relating to them.

f. Storage limitation: Timely processing and data retention

We aim to not keep the Personal Data of Data Subjects for any longer than is necessary in accordance with applicable law. We take all required steps to destroy or erase all Personal Data from our systems (electronic/paper-based) which is no longer required.

All employees must ensure that they are familiar with the deletion concept/retention policy.

g. Security/integrity and confidentiality: Security of personal data

We should always make sure that all Personal Data held by us are subject to a level of security that is appropriate for the potential risk. We take appropriate security measures against unlawful and unauthorized processing of Personal Data, and against the accidental loss of, or damage to, Personal Data in line with our Information Security policy. Security procedures include (but are not limited to):

• Entry controls – Visitors cannot access facilities without assistance from employees and are not permitted in locations where personal data are stored unless escorted.
• Secure lockable desks and cupboards – desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
• Access controls – Data stored on a computer is protected by strong passwords and identification technologies.
• Retention location controls – Data is never saved directly to mobile devices such as laptops, tablets, or smartphones (but to centralized servers).
• Methods of disposal – paper documents are disposed of in locked boxes and shredded by a licensed and bonded shredding service. Digital storage devices are wiped using a full data overwrite or physically destroyed when they are no longer required.
• Equipment – data users ensure that individual monitors do not show confidential information to passers-by and that they log off from or lock their PC when it is left unattended.