Data protection policy

Giftrix – Huuray A/S

1.Introduction
1.1. This data protection policy is the overall data security and data protection policy of Huuray A/S (hereinafter referred to as “us”, “we” or “our”).

2. Purpose of the policy
2.1. The purpose of the data protection policy is to support the 10 data security standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the general statutory duty of confidentiality and all other relevant national legislation. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.
2.2. this policy covers
2.2.1. Our data protection principles and commitment to comply with general law and legislation.
2.2.2. procedures for data protection by design and by default.

3. Scope
3.1. This policy covers all data that we process either in paper or digital form, including special categories of data.
3.2. This policy applies to all employees, including temporary employees and contractors.

4. Principles
4.1. we will be open and transparent to the users of our services.
4.2. we will establish and maintain policies to ensure compliance with the Data Protection Act 2018, the Human Rights Act 1998, the common law duty of confidentiality, the General Data Protection Regulation and all other relevant legislation.
4.3. we will establish and maintain policies for controlled and appropriate sharing of service user and staff information with other agencies, taking into account all relevant legislation and citizen consent.
4.4. where consent is required for the processing of personal data, we will ensure that informed and explicit consent is obtained and documented in clear, accessible language and in an appropriate format. The individual may withdraw their consent at any time through processes that have been explained to them and which are described in our Record Keeping Policy: Procedures for Withdrawal of Consent. We ensure that withdrawing consent is as easy as giving it.
4.5. we will conduct/order deletion as required by annual audits of our compliance with legal requirements.
4.6. we recognise our responsibility to ensure that personal data shall be:
4.6.1. processed lawfully, fairly and in a transparent manner;
4.6.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
4.6.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
4.6.4. accurate and up-to-date;
4.6.5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
4.6.6 Processed in a manner that ensures appropriate security of the personal data.
4.7. we uphold the personal data rights set out in the GDPR;
4.7.1 The right to be informed;
4.7.2. the right of access;
4.7.3. the right to rectification;
4.7.4. the right to erasure;
4.7.5. the right to restrict processing;
4.7.6. the right to data portability;
4.7.7. the right to object;
4.7.8. rights in relation to automated decision-making and profiling.
4.8. due to our size, we have decided that we are not required to have a Data Protection Officer (DPO) as we do not process special categories of data on a large scale. Nevertheless, we have appointed an employee to be our Data Security and Protection Lead to ensure that each individual’s data rights are respected and that there are the highest levels of data security and protection in our organisation. The Data Security and Protection Lead will report to the highest level of management in the organisation. We will support the Data Security and Protection Lead with the necessary resources to fulfil their duties and ensure that they can maintain their expertise.
4.9. we will review our data security and protection policy once a year.

5. Data protection by design and by default
5.1. We shall implement appropriate organisational and technical measures to uphold the principles outlined above. We will integrate the necessary security measures into any data processing to fulfil legal requirements and to protect the data rights of individuals. This implementation will consider the nature, scope, purpose and context of any processing and the risks to the rights and freedoms of individuals caused by the processing.
5.2. we shall uphold the principles of data protection by design and by default from the beginning of any data processing and during the planning and implementation of any new data process.
5.3. all new systems used for data processing will have data protection built in from the beginning of the system change.
5.4. All existing data processing has been registered in our inventory of processing activities. Each process has been risk assessed and is reviewed annually.
5.5. we ensure that by default, personal data is only processed when necessary for specific purposes and that individuals are therefore protected from privacy risks.
5.6. in all processing of personal data, we use the minimum amount of identifiable data necessary to complete the work for which it is required and we only retain the data for as long as necessary for the purposes of the processing or any other legal requirement to retain it.

6. Responsibilities
6.1. Our designated Data Security and Protection Lead is Ronnie Gasseholm (CTO). The Lead’s main responsibilities are:
6.1.1. to ensure that the rights of individuals with regard to their personal data are upheld in all cases and that data collection, sharing and storage is in accordance with the issued guidelines.
6.1.2. to define our data protection policy and procedures and all related policies, procedures and processes and to ensure that there are sufficient resources to support policy requirements.
6.1.3. to review the data security and data protection policy annually and to maintain compliance with applicable legislation.
6.1.4. Oversee information management to ensure compliance with legislation, guidelines and the organisation’s procedures and work with senior management.

7. Approval
7.1. This policy has been approved by the undersigned and will be reviewed at least once a year.

Rune Eirby Poulsen, CEO – Huuray A/S

Copenhagen, Denmark
Approval date: 6 June 2022
Review date: 5 January 2023

Policy for the handling and transfer of data

Contents

  1. Introduction
  2. Definition of personal, sensitive and confidential information
  3. Scope of the policy
  4. Secure storage of personal and sensitive information
  5. Taking information out of the office
  6. Sharing information – the decision to do so
  7. Sharing information electronically – how can I do it securely?
  8. Using emails to share data
  9. Using other methods to transfer data
  10. Checking information before it is sent
  11. Portability of data
  12. Data security breaches
  13. Governance of data

  1. Introduction

1.1 Huuray collects and uses a wide range of personal and sensitive information to perform its functions and provide services. Everyone who works for or represents Huuray must protect the personal and sensitive data that they use and be aware of their obligations. If we do not take adequate care of the data we handle and it is lost, stolen, inappropriately disclosed or otherwise misused, it can have a serious impact on the company.

1.2 There are many occasions where the transfer of data is required between departments, third-party service providers, government agencies and commercial organisations to perform business functions. It is important that any transfer is done in a manner that is appropriate for the type of data being transferred.

1.3 This Policy is designed to ensure that personal, sensitive and confidential information is handled securely, and specifically its storage and transfer, by setting clear standards of practice to maintain good security and ensure Huuray complies with its legal obligations.

2. Definition of personal, sensitive and confidential information

Personal Data Data that relates to a living individual who can be identified from the data, directly or indirectly. This includes, but is not limited to

  • Names, addresses and dates of birth
  • Reference numbers such as employee and social security numbers
  • Personal financial information such as bank details
  • Descriptive or biographical information about an individual
  • Photographs or other images
    Sensitive data Special categories of personal data that we need to be particularly careful about handling, such as
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Physical and mental health
  • Sexuality and sexual life
  • Criminal convictions and offences
    Business sensitive data Information that should not be disclosed for political or economic reasons, e.g. information about contract tenders.
    Confidential data Other information that could potentially be misused, such as official forms or headed paper.

3 Scope of application

3.1 This Policy applies to anyone who handles or transfers Huuray information, including

  • Employees
  • Contractors
  • Agency staff
  • Suppliers
  • Huuray’s agents and partners

3.2 All personal, sensitive and confidential information as defined in section 2 is covered by the policy.

4 Secure storage of personal and other sensitive information

4.1 It is against Huuray’s policy to collect and store personal and sensitive data using mobile devices, removable media or apps that are not part of the company.

4.2 Paper records, mobile devices and removable media containing personal and sensitive information must be stored securely in office premises. This includes keeping them in locked cabinets when not in use and ensuring that keys are not accessible to unauthorised persons.

4.3 Storage of personal and sensitive data in paper records should be minimised where possible.

4.4 Pen drives and portable hard drives may only be used in exceptional circumstances and only using devices provided by Huuray’s IT department.

4.5 Personal and other sensitive data must not be left unattended where anyone can access it, such as on desks, window sills, corridors, printers and photocopiers.

4.6 Personal and other sensitive information must not be downloaded or transferred to work on a non-company-issued device, such as your own home computer or mobile phone.

4.7 All IT equipment used to process personal or sensitive information must be password or PIN protected and must never be left visible on a screen when unattended.

4.8 Personal and other sensitive data must never be uploaded/stored in a cloud storage facility (third-party website) not provided by Huuray, unless we have a data sharing agreement with the third party and the transfer of data has been authorised by the relevant Information Asset Owner/Assistant Director (DPO). Advice from IT on potential security risks must be sought and reported to the DPO prior to authorisation.

  1. Taking information out of the office

5.1 Personal or other sensitive information must not be taken out of the office unless it is absolutely necessary to do so in order to perform your Huuray duties and only with the authorisation of the relevant DPO.

5.2 When paper files and Huuray-approved mobile devices or removable media containing personal or other sensitive information are taken out of the office, they must be stored securely, transported safely and never left unattended where they can be accessed by unauthorised persons, such as in vehicles or in areas accessible to the public.

5.3 Paper records containing personal or sensitive information may only be taken home with the authorisation of the relevant DPO. Paper records containing personal or other confidential data must be stored securely and separately from valuable items such as laptops. Records must be kept of what information is taken off-site, when it is taken, by whom and when it is returned.

5.4 Paper records should not be kept in the home any longer than necessary and should be returned to the office at the earliest opportunity.

5.5 If you need to take data with you on an authorised Huuray mobile device or removable media, do not upload more data than necessary, keep it only as long as necessary and delete the data from the device immediately when access is no longer required.

5.6 Family members or other unauthorised persons must not have access to personal information in any format that is taken home.

  1. Sharing information – The decision to do so

6.1 Personal, sensitive and other confidential data should not be shared unless:

  • You have appropriately documented information sharing protocols (information sharing/processing agreement) in place with the agency or individual where information is regularly shared with them.
  • The owner of the information assets has authorised the data sharing.
  • The privacy statement for your service area covers data sharing/processing
  • You have ensured that the data is only provided on a need-to-know basis.
  • You have the right to share the information, it does not belong to another organisation/third party, and you only share the data that is necessary and no more.

6.2 Before you send information to anyone, it’s important that you make sure it’s appropriate and authorised. Whether the requester is internal or external, don’t assume that someone is entitled to the information just because they’ve told you they need it.

6.3 Make sure you don’t provide more information than is needed for the stated purpose. Don’t send an entire document or spreadsheet because it’s easier when only a section or certain columns are needed.

6.4 Personal data should not be provided to any external organisation if anonymised or statistical information can be used as an alternative.

6.5 Use of personal data for training purposes should always be anonymised unless you have permission from the data subject.

6.6 For system testing, you should only use personal data if it is necessary to do so and there are adequate security measures in place, and no testing should be performed on live databases that have access to live sensitive data.

  1. Sharing information electronically – how can I do it securely?

7.1 There are a number of solutions for securely sharing personal and sensitive data that offer different benefits. These methods include:

  • Secure email – Egress or Trusted Organisations
  • File encryption software (7zip with 256bt encryption) ESET
  • Company Pendrive

7.2 How to share data securely using these different methods is explained in this document. Before deciding on a particular data transfer method (or combination of methods), you should first consider;

  • Where the data will be transferred to – internally or externally
  • Should the data be encrypted at rest or only in transit?
  • Sensitivity of the data – is the data highly sensitive (even if it’s just 1 record)?
  • The volume of data – and are there many records containing personal data
  • The size of the data file being transferred – a large file size can cause problems for both sender and recipient.

7.3 Important – You can only send information that is necessary for the stated purpose, so you should ensure that you remove or edit any unnecessary data before the transfer.

7.4 You may only use the company authorised messaging services to communicate Huuray’s business and no personal data should be shared when doing so. Messaging services are not a substitute for emails and should only be used for questions or messages that need to be communicated immediately.

7.5 Important – If you are unable to send personal or other sensitive information securely via an electronic transfer option, see section 9 for other approved transfer methods.

  1. Using emails to share data

Limit, compress and protect the data to be delivered

8.1 When sharing data via email, there are important steps you can take to protect an individual’s right to privacy. It’s good practice to think about how to include as little personal information as possible in an email, which should also include information provided in the body of an email.

8.2 Where possible, users should try to use limited data or reference data about the person(s), such as ID numbers.

8.3 You should also consider the amount, document size and/or sensitivity of the information being sent. If the information is attached to an email and you feel additional security is needed, you can also encrypt and password protect the attachment. Make sure you don’t give the password in the same way you send the document.

8.4 Please seek advice from the IT department if you are unsure about 7zip file compression or encryption software and how to access it.

Internal emails

8.5 Emails to people who also use the same Huuray network as us are secure. The data does not leave our network, which is protected from others by firewalls and other security measures. However, this does not protect data from being sent to the wrong recipient.

the data is sent to the wrong recipient, so care must be taken when selecting or entering a recipient’s recipient’s email address.

8.6 Distribution lists should never be used to communicate personal and sensitive information, and such information should only be sent to generic or team email accounts if they have been authorised by the DPO for this purpose.

External emails

8.7 You should always use email encryption on emails to external addresses when the content of your email or attachments in it contains personal data, confidential information or business sensitive content. When an email leaves the protection of the Huuray network on its way to an external email address, it travels over the internet, which is an insecure network. This means that someone with the knowledge and ability to intercept your email can read its content.

8.8 Distribution lists should never be used to communicate personal and sensitive data.

8.9 When sending emails to multiple recipients, use the BCC field so that any personal email addresses are not visible.

  1. Using other methods to transfer data

9.1 When a secure electronic transfer method is not available, one of the following methods can be considered:

  • Internal mail
  • Postal mail
  • Courier
  • Manual delivery/collection Internal mail
    9.2 All documents or portable media such as DVDs, CDs, etc. containing personal or other sensitive data that are transferred using Huuray’s internal mail service must always be sent in a sealed envelope to a named recipient. If it is considered inappropriate for anyone other than the recipient to view personal data in a document
    personal information in a document, the envelope must be clearly labelled “Confidential – addressee
    addressee only”.

9.3 If it is necessary to send a large amount of paperwork, such as one or more files, a robust, tamper-proof envelope should be used.

9.4 If information is deemed to pose a reasonably high risk of loss or misplacement, hand-deliver it to the receiving department whenever possible.

Mail

9.5 We routinely send letters containing personal and sensitive information to our customers. But even though it is routine, care must still be taken to ensure that the information is correctly addressed to a named recipient and that the information is not accidentally sent to the wrong recipient. Mail that goes to the wrong recipient is a danger to the person whose information is being sent. It also puts Huuray at risk of violating our responsibilities under the DPA.

9.6 When sending personal or sensitive data by post, clearly mark the envelope with a return address in case of misdelivery.

9.7 When the information to be sent is special category personal data, the following should always be considered when deciding which means of transmission is appropriate:

  • The precise nature of the information, its sensitivity, confidentiality or value.
  • The harm or distress that could be caused to individuals if the data is lost or accessed by unauthorised persons.
  • The effect that any loss would have on Huuray
  • The urgency of providing the information, taking into account the effect of not sending the data or any delay in sending it.

9.8 If it is considered appropriate to send special category personal data by standard postal services, the following steps must be taken

  • The envelope in which the data is to be sent must be clearly addressed to a named recipient.
  • The address should be carefully checked and, where appropriate, the recipient should be contacted directly to confirm that the address is correct and up to date.
  • The information must be sent via a traceable method, such as registered mail, unless the DPO has authorised standard mail as appropriate.
  • Delivery should be verified as soon as possible and any problems should be reported immediately to your line manager.
  • Returned shipments must not be resent to the same address without further checks to confirm that the address is correct and current.

Courier

9.9 When using a courier to transport personal information, ensure they are known and trusted to operate within appropriate security standards. Before handing over documents or portable media, make sure they are who they say they are and ask for an appropriate form of identification and a signature to acknowledge receipt.

Manual delivery/collection

9.10 Where it is not considered appropriate to transmit personal data by standard postal services or courier, the data must be delivered personally to the recipient or an agreement must be made for the data to be collected and a record kept which includes:

  • A brief description of the information provided
  • When it was provided
  • The recipient’s name and contact details, their designation if applicable, and signature.

9.11 As with courier collections, before handing over documents or portable media, you should ensure that the recipient is who they claim to be and seek an appropriate form of identification.

  1. Checking data before it is sent

10.1 When special category personal data or personal data that could otherwise cause damage or distress if disclosed to a third party is sent outside Huuray in any format, the sender should consider having the information verified by another person before sending it. Please note that this does not transfer responsibility for ensuring that the correct information has been obtained in the first place.

The person sending the information is responsible for:

  • Ensuring that the email or postal address to which the information is sent is correct and up to date.
  • Ensuring that when information is delivered in paper form, a named recipient of the information is clearly indicated.
  • Clearly labelling the envelope/package with a return address in case of misdelivery.
  • Ensure that no information about third parties is included by mistake, either in a letter/email or an attached document (or if a spreadsheet has multiple spreadsheets).

The person checking the information is responsible for:

  • Verifying that the email or postal address to which the information is sent is correct by referencing an appropriate source and ensuring that any discrepancies are raised with the sender.
  • Where the information is provided in paper form, verify that the correct named recipient of the information has been provided.
  • Check that no information about third parties has been mistakenly included, either in a letter/email or in attached documents.
  • To record that they have checked the email, letter and/or attachments.
  1. Data portability

11.1 Where personal data is processed on the basis of consent and by automated means, data subjects may request to have their personal data transferred directly from one controller to another, where technically feasible.
11.2 If you receive a request from a data subject to transfer their personal data in a portable form or to another organisation, please contact the DPO for advice on how to proceed.

  1. Data security breaches

12.1 Data breaches include both confirmed and suspected incidents.
12.2 An Incident for the purposes of this Policy is an event or action that may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to Huuray’s information assets and/or reputation.
12.3 An Incident includes, but is not limited to, the following:

  • loss or theft of confidential or sensitive data or equipment where such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device or paper record);
  • theft of equipment or failure;
  • system failure;
  • unauthorised use of, access to or modification of data or information systems;
  • attempts (failed or successful) to gain unauthorised access to information or IT system(s);
  • unauthorised disclosure of sensitive/confidential data
  • website defacement.
  • hacker attacks.
  • unforeseen circumstances such as fire or flood.
  • human error.
  • ‘blagging’ crimes where information is obtained by deceiving the organisation that holds it.
    Reporting an incident

12.4 Any person who accesses, uses or manages Huuray’s information is responsible for immediately reporting data breaches and information security incidents to the DPO (at rg@huuray.com) and our IT department (at tech@huuray.com).
12.5 If the breach occurs or is discovered outside normal working hours, it must be reported as soon as practicable.
12.6 The report must contain complete and accurate information about the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to individuals, the nature of the information and how many people are involved.

Containment and recovery

12.7 The DPO will first determine if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the impact of the breach.
12.8 The DPO will conduct an initial assessment in collaboration with relevant staff to determine the severity of the breach and who will lead the investigation of the breach as the lead investigating officer (this will depend on the nature of the breach; in some cases it may be the DPO).
12.9 The Lead Investigating Officer (LIO) will determine if there is anything that can be done to recover any losses and limit the damage the breach may cause.
12.10 The LIO will establish who needs to be notified as part of the initial containment and will inform the police where appropriate.
12.11 Expert advice may be sought to resolve the incident quickly.
12.12 The LIO, in co-operation with the relevant employee(s), will determine what actions need to be taken to ensure resolution of the incident.

Investigation and risk assessment

12.13 The LIO will conduct an investigation immediately and, to the extent possible, within 24 hours of the breach being discovered/reported.
12.14 The LIO will investigate the breach and assess the risks associated with it, such as the potential negative consequences for individuals, how serious or significant they are and how likely they are to occur.
12.15 The study must take into account the following:

  • the type of data involved;
  • its sensitivity;
  • the protections in place (e.g. encryption);
  • what has happened to the data (e.g. has it been lost or stolen);
  • whether the data could be used for something illegal or inappropriate;
  • data subjects affected by the breach, the number of people involved and the potential
  • impact on those data subjects;
  • whether there are wider consequences of the breach.
    Notification

12.16 The LIO and/or DPO, in consultation with relevant colleagues, will determine whether to notify the Danish Data Protection Authority of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where possible.
12.17 Each incident will be assessed on a case-by-case basis, but the following should be considered:

  • whether the breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals under data protection law;
  • whether notification will help the individuals concerned (e.g. can they act on the information to mitigate the risk?
  • whether notification will help prevent unauthorised or unlawful use of personal data;
  • whether there are any legal/contractual requirements for notification;
  • the dangers of over-notification. Not all incidents warrant notification and over-notification can lead to disproportionate queries and work.
    12.18 Individuals whose personal data has been affected by the incident and where it has been deemed likely to result in a high risk of adversely affecting their rights and freedoms will be informed without undue delay. The notification will include a description of how and when the breach occurred and what data is involved. Specific and clear advice will be given on what they can do to protect themselves and what measures have already been taken to mitigate the risk. Individuals will also be provided with a way to contact Huuray for further information or to ask questions about what has happened.
    12.19 The LIO and/or DPO must consider notifying third parties such as the police, insurance companies, banks or credit card companies and labour unions. This would be appropriate if illegal activity is known or believed to have occurred or if there is a risk that illegal activity may occur in the future.
    12.20 Any personal data breach will be recorded, regardless of whether reporting was required.

Evaluation and response

12.21 Once the initial incident has been contained, the DPO will conduct a full review of the causes of the breach, the effectiveness of the response(s) and whether changes need to be made to systems, policies and procedures.
12.22 Existing controls will be reviewed to determine if they are adequate and if corrective actions need to be taken to minimise the risk of similar incidents occurring.
12.23 The review will consider:

  • where and how personal data is held and where and how it is stored;
  • where the greatest risks lie, including identifying potential weaknesses in existing security measures;
  • whether the transmission methods are secure; sharing the minimum necessary amount of data;
  • employee awareness;
  • implementing a data breach plan and identifying a group of individuals responsible for
  • responding to reported breaches.
    12.24 If deemed necessary, a report recommending any changes to systems, policies and procedures will be presented to Huuray’s senior management.

13, Management of data

13.1 All data handled at Huuray must comply with the policies described in the Data Protection Policy and the Data Handling and Transfer Policy.
13.2 Failure to comply with these policies as an employee of Huuray may result in the termination of your employment contract.
13.3 It is of the utmost importance that Huuray’s data policies are followed and fulfilled.
13.4 These policies will always be available in the most updated version, for all employees, in our online Elev.io platform.

Rune Eirby Poulsen
CEO – Huuray A/S