Policy of Trade Company KENDY LTD. on Protection of Natural Persons in relation to the Processing of Their Personal Data
PREAMBLE
This policy on protection of natural persons in relation to the processing of personal data is an expression of KENDY LTD.’s unconditional will to carry out its business in full compliance with the policy on protection of natural persons in relation to the processing of personal data implemented by the European Union as well as with the provisions of national legislation, by finding the balance between natural persons’ rights and freedoms and its commercial, financial and legal interest for the successful performance of the company’s core business as well as other activities related to the core business and carried out in cooperation with other controllers and/or processors of personal data.
This document contains practical provisions and clarifications on the application of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as “GDPR” or the “Regulation”, the relevant provisions of the Personal Data Protection Act, the delegated legislation on the implementation thereof, the guidelines of the Personal Data Protection Commission and the European Data Protection Board.
I. INFORMATION ABOUT KENDY LTD.
1.1. Trade company KENDY LTD. acts as a controller of personal data of its employees and of the natural persons being representatives of the legal entity customers of the Company as well as with respect to other natural persons with whom it has relationships upon and on the occasion of which it is necessary and/or required to process data.
1.2. Trade company KENDY LTD. acts as a processor of personal data with respect to personal data of natural persons received from third parties (legal entities; public administration; public registers, other natural persons who are not customers of the Company etc.) upon and on the occasion of Company’s direct activity and/or on the grounds of contract and/or by virtue of other reason permitted by the Regulation.
1.3. The Company’s core business is to manufacture and sell vitamins, food additives, packaged foods, spices and drinks.
II. BASIC PRINCIPLES OF KENDY LTD.’S OPERATIONS UPON PERSONAL DATA PROCESSING
The Company via its members and/or employees and/or workers shall process personal data upon the existence of and/or compliance with the conditions stipulated in article 6 of GDPR by ensuring the highest possible level of protection and security of the data being processed and by providing data subjects with access to the information stipulated in article 13 and/or the one related to the powers of the subject under article 15 of the Regulation.
2.2. Principle of “purpose limitation”:
The Company via its members and/or employees and/or workers shall process personal data for specified, explicitly stated in the notification under article 13 and legitimate purposes and shall not allow further processing in a manner incompatible with such purposes.
2.3. Principle of “data minimisation”:
The Company via its members and/or employees and/or workers shall process only such personal data that are adequate, relevant and limited to what is necessary in relation to the specific purposes of processing.
2.4. Principle of “accuracy”:
The Company via its members and/or employees and/or workers shall keep the personal data being stored and processed by them up to date with the information in their knowledge as in line with such information they shall take all reasonable and necessary measures to ensure that data that are inaccurate are erased or rectified without delay having regard to the purposes of processing.
2.5. Principle of “storage limitation”:
The Company via its members and/or employees and/or workers shall process personal data for a period of minimum duration as per the purposes for which such data have been received and as per the period specified in advance or the statutory period, and if there is no such period, as soon as the purposes for which the data are processed are achieved.
2.6. Principle of “integrity and confidentiality”:
The Company via its members and/or employees and/or workers shall process the data in a manner that ensures appropriate and sufficient security using appropriate technical or organisational measures, including ones with respect to the form, which ensure protection, including but not limited to, protection against unauthorised or unlawful processing and against accidental loss, destruction or damage of the personal data being processed.
2.7. Principle of “accountability”
The Company via its members and/or employees and/or workers shall keep special records, databases and documentation to demonstrate compliance with the principles of processing of personal data stated above.
III. MAIN CATEGORIES OF PERSONAL DATA AND PURPOSES OF THEIR PROCESSING
3. For the needs of its operations the Company adopts the contents of the term “personal data” as specified in article 4 item 1 of the Regulation, and namely: any information regardless of its volume, nature and form, that enables the identification of any natural person (data subject), including but not limited to: name, identification number (personal identification number [EGN], alien’s personal number [LNCh], official number from the register of the National Revenue Agency or another number enabling the identification of the person), location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. The Company shall, through its operations, accomplish at least the following purposes:
4.1. to maintain employment relations with its employees;
4.2. to maintain the company relations with and among the members;
4.3. to maintain contractual relations with natural persons being customers/principals and/or natural persons representing customers/principals upon and on the occasion of the performance of the core business and/or the accompanying operations of the Company;
4.4. to maintain partner relations, contractual and/or informal, with third parties for the performance of the core business and/or any of the accompanying operations, including but not limited to: accountants, tax administration, Registration Agency; Office of Occupational Medicine; Head Inspectorate of Labor, Banks, Insurance Companies and insurance brokers, notaries public, etc.
5. In order to achieve the aforesaid purposes the Company shall process at least the following categories and specific types of data subject to the conditions specified below:
5.1.1. GENERAL DATA:
i) names – for employment contracts, for participation in advertising games, for receipt of goods, for powers of attorney, etc.;
ii) address – permanent, current, for correspondence for the needs of a specific relationship (sending awards to winners) and/or for the needs of a specific contract; e-mail;
iii) telephone numbers – personal, office, one at which the subject has agreed to receive calls;
iv) personal identification number [EGN]/ alien’s personal number [LNCh];
v) employment record book from previous employer: for information about the length of service, for the annual leave used and for the taxable income for the year of appointment;
vi) diplomas, certificates relevant to the position;
vii) personal bank accounts: for payment of remuneration;
viii) video surveillance for the purpose of protection of Company’s property, security of employees and equipment as well as to ensure the fulfilment of the hygiene requirements for Company’s manufacturing;
ix) handwriting – signature and filling out in person the data provided by the subject;
x) Curricula vitae (CV) – when applying for a job and/or taking up one’s duties.
5.1.2. These data, in whole or separate types, shall be processed on the grounds stipulated in the Regulation as they shall be most often processed on the following grounds (i) explicit and unambiguous consent on part of data subject; (ii) performance and/or preparation of a contract to which the subject is a party or has stated (s)he wants to be a party, as such statement may also be made orally; (iii) in pursuance of a legal obligation of the controller (e.g. identification under the Measures Against Money Laundering Act);
5.2. SPECIAL (SENSITIVE) DATA:
5.2.1. In pursuance of the requirements of the Labour Code and the requirements and applicable standards applicable to the security and safety of Company’s manufacturing KENDY LTD. shall process sensitive data about health condition of its employees and/or workers, which are contained in the following sources of information:
i) the card of preliminary medical examination: for information upon taking up one’s duties;
ii) health record book – for those employed in manufacturing;
iii) sick note – in case of temporary unfitness for work due to sickness;
iv) Disability Assessment Medical Commission/National Disability Assessment Medical Commission decisions.
5.2.2. Regardless of the above the data defined as special in article 9 paragraph 1 of the Regulation shall be processed by the Company only where at least one of the following conditions exists:
i) there is an explicit consent given by the subject in which the purpose/purposes of processing is/are stated and such consent suffices to lift an express statutory prohibition of the processing of such data (regardless of whether in EU law or by virtue of a national legal rule);
ii) the subject is not mentally and/or physically able to give consent and the processing is necessary for the protection of his/her or another natural person’s vital interests;
iii) the processing, including of data related to sentences and violations or the security measures related thereto is necessary for the performance of the tasks assigned to the subject by the company such as establishment, exercise or defence of legal claims and other suchlike;
5.2.3. In the event that the special data being processed are made public by the data subject himself/herself the Company shall be free to process them freely in pursuance of the tasks and/or functions assigned to it by a customer and/or state authority.
5.2.4. Where necessary the processing of sensitive data for the purposes of social protection, or employment relations with the specific subject, as well as for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, the provision of treatment or other health or social care, the Company shall ensure that the processing is made by an employee who is under the obligation to keep professional secrecy (a designated HR employee).
5.3. The Company shall not keep copies of documents except in cases explicitly stated by the law and after the subject’s unambiguous consent or in pursuance of the processing assigned to it by another controller by means of documented order on the latter’s responsibility.
5.4. The processing of data related to subjects who have not provided them in person shall be made subject to the notification requirements of article 14 of the Regulation, or the reservation allowed by paragraph 5 of the same article.
IV. TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE SECURITY AND PROTECTION OF PERSONAL DATA OF NATURAL PERSONS
6.1. Data shall be stored on paper which, if necessary for the performance of the work assigned to the Company and/or in pursuance of a legal provision, may be delivered to third parties, both by means of a copy of the respective paper medium and/or electronically subject to the conditions of such kind of processing, including by abiding by the applicable technical security measures.
6.2. The protection of data on paper copy as well as on electronic medium against unlawful access, damage, loss or destruction shall be ensured by means of a series of internally regulated technical and organisational measures as we shall store the information with us, it shall be saved physically and on our own servers at data storage centres on the territory of KENDY LTD.
6.3. The Company guarantees that the personal data accessible to it upon or on the occasion of its direct activity and/or its relations with third parties shall be processed solely for the achievement of a specific purpose out of those stated above as well as such data shall not be generally accessible as their security may be affected only in case of a malicious intervention of a natural person against which there are adequate protection measures in place. In case of a violation against the security and protection of personal data the Company shall be obliged to timely notify Personal Data Protection Commission and the affected data subject where there are grounds for that.
6.4. The Company undertakes to ensure the highest possible level of protection of the correspondence with the data subject and/or with third parties on the occasion of the specific subject where such correspondence contains such type and kind of information and data that are related to the individualized subject or set up conditions for his/her individualization.
6.5. In the cases where there are premises for notification regarding the use of his/her data by a third party with whom the Company does not have immediate relations, formal or not, the correspondence shall be made by courier service at the address known to the controller.
6.6. The Company has designated a Data Protection Officer (DPO) who carries out overall control of Company’s policies, practices and accountability upon and on the occasion of the protection of natural persons who have relations with KENDY LTD. in relation to the processing of their data. DPO shall carry out his/her activity under the highest level of independence from the Company, guaranteed objectivity of judgments and recommendations and subject to strict observance of the tasks assigned to him/her by the law.
PROTOCOL OF RELATIONS, ACCOUNTABILITY AND CONTROL:
7.1. A Data Protection Employee (DPE) shall be designated who shall have an employment relationship with KENDY LTD., perform other functions and have the following obligations and competences:
7.1.1. to keep the following records in electronic form as per the sample forms approved by the manager:
* a Record of personal data of those employed under a full-time employment contract and/or under a commission contract (part-time employment contract) being processed by the Company, in which the information that is known to the employer shall be recorded, especially where it is information about sensitive data (illness, physical peculiarities, etc.);
* a Record of customers specifying the names of the natural persons whose data are processed by the Company (regardless of whether they are immediate customers or representatives of customers) and the number of the file where personal data can be found;
* a Record of data security breaches in which at least the following information shall be recorded: (i) what the breach consists in and a brief description of the circumstances surrounding its discovery; (ii) date of discovery of the breach; (iii) date of notification to the supervisory authority; (iv) the natural person who has processed the data and on behalf of whom (controller/processor); (v) a description of the measures taken to limit the consequences of such breach;
* a Record of inquiries and requests by personal data subjects and, respectively, the measures taken and the answers given by the Company;
7.1.2. DPE shall carry out periodic inspections of the files of those employed under full-time employment contracts as well as the other documents containing personal data and shall see to the observance of the principles, in particular the target processing of data without unnecessary information; a record of the inspection containing the findings made and/or the recommendations and instructions issued shall be made and a copy thereof shall be submitted to the manager and the affected employees who work with the respective file and the other copy shall be filed with a designated record on paper;
7.1.3. DPE shall demand from the IT specialist to carry out at least once per month inspections of the technical condition of data security measures, including but not limited to: a record of the inspection shall be made and signed by the IT and by the data protection employee and a copy thereof shall be filed on paper;
7.1.4. DPE shall report his/her activity regarding the control of personal data processing quarterly in writing to the Manager or the Data Protection Officer.
7.2.1. Arrangements have been set up and maintained at the Company where any person who has contact with personal data on behalf of the Company, including but not limited to: employees, members, lawyers, accountants, IT specialists, etc., processes only and solely such personal data that are directly related to the task assigned to such person and, as an exception, after explicit assignment and/or by substitution, such person also processes data related to the task of another colleague.
7.2.2. The employees who have the right to process personal data, including the volume thereof (the specific types of data), shall be determined by order of the manager and the purposes for which the individual employee may carry out processing shall be explicitly stated in such order.
7.2.3. The Company shall keep files on paper regarding each of its employees/workers and/or customer as such file shall not contain more information, and personal data, respectively, than necessary for the performance of the Company’s core business and accompanying operations. Data which the customer has given his/her unambiguous consent to be processed shall also be stored in the files.
7.3.1. Data transfer between individual employees at the Company shall be carried out as per the allocation of functions and tasks among them as the technical means for such transfers shall be the office e-mail addresses.
7.3.2. Data transfer to other controllers and/or processors of data shall be carried out by the employee in charge of the respective type of data and relationships as per the organisational and technical mechanism agreed in a special contract with the other controller.
7.3.3. With respect to each stage of data processing the Company shall maintain such technical solutions and organisational measures that prevent the personal data being processed from being accessible to unlimited number of persons and ensure that only those personal data are processed that are necessary for each specific purpose upon each specific processing.
7.3.4. The Company shall define the duration of the periods of storage of personal data as the longer of the period defined in the applicable statutory act or the period necessary for the achievement of the specific purpose for which the data is processed.
7.4. In the opinion of the Company, in view of the protection of the interests of the subject and/or an interest of public importance, the personal data may continue to be stored even after the expiration of the periods under item 7.6.1., a notice of which shall be given to the subject who is free to make use of his/her right to objection and/or restriction of processing, and/or rectification, and/or erasure, if the premises for that exist.
7.5. Reports shall be made of each action regarding the processing of data, including with respect to the video surveillance and in the cases of destruction, in particular minutes shall be taken, in an appropriate form, in hard copy and/or in soft copy, including entries into the relevant record, if applicable.
IMPACT ASSESSMENT
8.1. The Company undertakes to regularly make an Impact Assessment of the operations envisaged for the data processing with respect to their security.
8.2. In case of technical or organisational innovations the Assessment shall precede the application thereof.
8.3. In case of increased risk for data security, or for the subjects’ rights and freedoms, respectively, the Company undertakes to request to immediately consult with PDPC regarding the necessary measures to limit such risk.
8.4. Regardless of the aforesaid, the Company undertakes to make an Impact Assessment of each processing operation that is defined as one being subject to mandatory assessment by PDPA and/or by PDPC.
V. MECHANISMS BY WHICH THE COMPANY ENSURES THE RIGHTS OF THE DATA SUBJECTS GRANTED BY GDPR:
9.1.1. The Company shall provide, against subject’s signature, an information form as per a sample form (appendix 1), approved by the Manager, which shall contain at least the following information: (i) the name, company ID number [EIK], contact details of the Company; (ii) what data will be requested from the subject and for what purpose, and, respectively, for what reason, as well as whether the data will be subject to transfer to third parties and for what purpose; (iii) for what period the data will be processed; (iv) the places where there is video surveillance on the site; (v) a brief description of the rights of the subjects, including the right to file a complaint to the supervisory authority; (vi) Forms of consent and withdrawal of consent as per a sample approved by the manager (appendix 2 and 3) shall be attached to the notification.
9.1.2. In case that for the fulfilment of the legitimate purposes of the Company and/or for the protection of its claims it is necessary that the subject’s data be used even after the fulfilment of the purposes for which they have been collected and/or after the expiration of the period for which they are expected to be stored, before the Company resumes the processing thereof it shall provide again the information stated above to the subject. In the event that the Company is unable to demonstrate that such notification has reached the subject it shall discontinue the use of the data.
9.2. Regarding the subject’s Right to be notified that his/her personal data are being used
In the cases where the Company processes personal data which it has not received from the subject of such data, it shall give the subject a notification specifying at least the information under item 9.1.1. of this document. No notification shall be required in the cases where the subject already has such information and/or has given his/her consent and/or where the notification involves a disproportionate effort, generally speaking, or where the processing is required by the law.
9.3. Regarding the subject’s Right to receive confirmation whether any data related to him/her are being processed:
a) The Company shall accept written inquiries, in inquirer’s own words, with explicitly stated address for receipt of the response, submitted in person by the subject or his/her representative under power of attorney or according to the law (if the subject is a child or another incapable person);
b) The inquiries shall be recorded in the relevant record;
c) The Company shall respond to the subject within a period not longer than one month as from the date of recording of the inquiry; the response shall be sent to the address stated by the subject.
9.4. Regarding the subject’s Right to receive the data related to him/her as well as to have the same transferred to another controller (data portability):
9.4.1. The Company shall accept written requests to transmit data of the subject provided by him/her and/or the transmission thereof to another controller, in subject’s own words, submitted by the subject in person or via his/her representative under power of attorney or according to the law (if the subject is a child or an incapable person for another reason). The request must contain an explicit reference to the address to which the data shall be transmitted and/or the address at which the subject shall receive a notification that his/her data are ready for transmission. The request shall also specify the volume of data to be transmitted; in case that no specification is contained, the controller shall transmit all data which are available to him and which meet the requirements on portability stated below in accordance with the provisions of article 20, paragraph 1 of the Regulation.
9.4.2. The requests shall be recorded in the relevant record;
9.4.3. The Company undertakes to deliver to the subject the data stored for him/her in a structured, commonly used and machine-readable format as soon as technologically possible where the data is processed on the grounds of consent, including cases concerning sensitive data or in pursuance of an obligation under a contract to which the specific subject is a party.
9.4.4. The Company undertakes, without undue delay, to transmit the data about the specific subject, which are stored and are subject to transmission, within the volume requested by him/her, to the controller named in the request. The Company has the right to request confirmation of the receipt from both the third party and the subject himself/herself.
9.5. Regarding the subject’s Right to request rectification of the data related to him/her:
9.5.1. The Company shall record the request at the Record of inquiries as after the rectification is made the Company shall notify the subject at the e-mail address specified in the request.
9.5.2. The Company undertakes to make the rectification as soon as technologically possible as per the information stated in the rectification request. Where the rectification request is based on information in an official document the Company has the right to request such document for verification.
9.6. Regarding the subject’s Right to request restriction of processing
9.6.1. The request shall be recorded in the relevant Record as the Company shall notify the subject of its decision and/or actions at the e-mail address specified in the request.
9.6.2. In case that the premises for restriction of the processing* exist the Company undertakes to restrict, if only [sic!] to continue to store the data and not to use them without the subject’s explicit consent except for establishment and defence of legal claims or protection of the rights of another natural person, or for important reasons of public interest; shall notify the customer of its decision and/or action.
9.7. Regarding the Right to be forgotten:
9.7.1. The Company undertakes to delete data from its own database, regardless of whether the data is in hard copy and/or in soft copy, without undue delay, the personal data specified by the subject if at least one of the following conditions exists:
i) the outcome for which the data were initially collected has been achieved;
ii) the subject withdraws his/her consent to the processing and there is no reason for the processing to continue on some other legitimate basis;
iii) the subject objects to the processing, which may not be justified by the existence of legal grounds for continuation of the processing which override the interest of the subject or which are necessary in relation to the establishment, exercise or defense of legal claims.
iv) the processing is unlawful.
9.7.2. The Company undertakes to take reasonable actions to notify the persons engaged in processing on its behalf and/or third parties, independent controllers to whom the Company has transferred the subject’s personal data in full or in part, that the subject has wished to be forgotten. The Company shall take all possible care to make sure and to confirm to the subject that the erasure is a fact.
9.7.3. The Company does not undertake to ensure satisfaction of the Right to be forgotten in cases where processing is necessary for administering the right of freedom of expression on behalf of the Company and the right of information, as well as for compliance with a legal obligation imposed on the Company by the applicable law and/or where the processing is necessary for the establishment, exercise or defence of legal claims.
9.7.4. An entry concerning the deletion or refusal to delete shall be made into the relevant record. The refusal to delete shall be well-reasoned and shall be delivered to the address specified in the request. The subject has the right to report to PDPC.
9.8. Regarding the Right to object to the processing of personal data:
9.8.1. The Company shall record each objection in the relevant record and shall consider it in terms of the grounds related to the specific condition of the specific subject as stated in the objection.
9.8.2. In case that the premises for that exist the Company shall discontinue the further processing as soon as possible. In case that there are convincing statutory grounds for continuation of the processing which are claimed by the Company to be overriding the rights of the subject and/or the processing is necessary for the defence of a legal claim, the Company shall temporarily restrict the processing for the period until an agreement is reached with the subject or PDPC delivers a decision.
9.9. Regarding the subject’s Right to object to the processing for the purposes of direct marketing and/or individual automated decision-making
9.9.1. In case that the subject opposes it the Company undertakes not to process his/her data for the needs of direct marketing and/or the profiling related thereto.
9.9.2. The Company shall, by the time of the first contact to a specific subject at the latest, notify him/her in an explicit, clear and accurate manner, separately from the remaining due information, that the subject has the right to refuse his/her personal data to be used for the purposes of direct marketing and/or profiling to that end.
9.9.3. The Company shall not carry out actions that directly affect its employees, customers and partners and which result from automated processing and/or profiling unless there is an explicit consent to that on part of the specific subject.
VI. MECHANISMS OF PROTECTION IN CASE OF PERSONAL DATA SECURITY BREACH AND/OR OTHER TYPE OF VIOLATIONS
a) shall take measures, technical and/or organisational, to limit the consequences and to prevent the same breach from occurring in the future; simultaneously with that (s)he
b) shall note it in the Record of breaches;
c) shall, within 72 hours, notify PDPC unless the breach poses a threat for the rights and freedoms of the natural persons whose data have been affected;
d) if there are premises for that** it shall inform the subject whose data have been affected by the breach.
11.1. In case that a data subject feels (s)he is affected by the Company’s activity concerning the processing of his/her personal data, the Company shall be ready to hear the complaints and if possible and/or if the complaint is well-founded, to reach an agreement with the subject and to take adequate measures to discontinue the actions about which the subject complains, unless in cases where such measures would result in a violation of rights and freedoms of third parties, in a violation of a statutory obligation of the Company and/or in the Company being unable to fulfil its legitimate purposes.
11.2. The provisions of item 11.1. do not repeal the right of each data subject to file a complaint at PDPC in case that (s)he thinks that the processing of personal data concerning him/her is made in violation of the applicable statutory documents. A complaint may also be filed to a supervisory authority in another member state.
11.3. Every data subject has the right to effective judicial redress and, respectively, the right to receive just compensation both against the decisions of PDPC, which concern him/her and which are binding upon him/her and against the actions of the Company related to processing of data, which have affected the subject and which constitute a violation of the applicable legal rules.
VII. RELATIONS WITH OTHER CONTROLLERS AND/OR PROCESSORS OF DATA
12.2. The relations of the Company with the processors of personal data shall be settled by an explicit contract unless in cases where the relations with the specific processor of personal data are based on a specific legal provision.
VIII. TRANSITIONAL AND FINAL PROVISIONS
13.1. Until the Regulation comes into force the Company shall revise the personal data being processed and stored by taking actions to delete and/or destroy such parts of the data, or, respectively, documents, in which such data are contained, for which there is no explicit consent and/or legal basis and/or legal interest on part of the Company and/or another ground stipulated in the Regulation.
13.2. For those data, which are necessary for the successful performance of the advertising, marketing and commercial activity of the Company and for which there is no explicit reason for the continuation of their processing the Company shall send an explicit notification to the respective data subjects instructing them that they may object to the use in whole and/or request restriction of processing, or, respectively, rectification or erasure. The notifications shall be sent to the electronic or postal addresses known to the company by an express request for confirmation of the receipt of the notification. With respect to the subjects for whom there are no data that they have received the notification, the procedure of erasure and destruction of paper media shall apply.
14.1. Each data subject concerned as well as third party controllers and/or processors of personal data may contact the Personal Data Protection Employee at the following e-mail address: firstname.lastname@example.org, for any matters related to the operating activity regarding the protection of data security.
14.2. The Personal Data Protection Officer of the Company is: (specify a name or a company name; contact details)
15.1. For any matters not settled in this document the Company undertakes to apply the relevant provisions of the Regulation, Personal Data Act, Guidelines of the working group under article 29, Opinions of PDPC as well as other applicable statutory acts.
15.2. The Company expresses its will to find, in a well-intended and mutually satisfying manner, a solution to any disputed matter that any natural person needs to be settled, regardless of such person’s grounds and relations with the Company (a customer, an employee, a partner, etc.)
16. Company’s policy on protection of natural persons in relation to the processing of their personal data is subject to periodic updating in view of any relevant amendment of the applicable statutory acts regardless of its rank and/or its author.
This Policy was approved by the General Meeting of Members and was brought to the knowledge of those employees of the Company who process personal data on behalf of the Company in pursuance of its business.
** No communication shall be sent to the subject if one of the following conditions has been fulfilled: the data concerned are encrypted; or where the measures taken by the Company ensure that it is unlikely that there will be any actual consequences for the subject; or where the personal notification of each subject concerned would involve efforts which are disproportionate to the problem and thus the Company will make a public disclosure in order to ensure the effective notification of all subjects concerned.