Data Protection Policy
1. Introduction
1.1 Background to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (2016) replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with Directive 95/46/EC.
Its purpose is to protect the rights and freedoms of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
1.2 Definitions Used by the Organisation (Drawn from the GDPR)
- Material scope (Article 2): applies to processing of personal data wholly or partly by automated means (i.e. by computer) and to paper-based processing that forms part of a filing system.
- Territorial scope (Article 3): applies to all controllers established in the EU, as well as controllers outside the EU offering goods/services or monitoring behaviour of EU residents.
1.3 Article 4 Definitions
- Establishment: the main place where data processing decisions are made.
- Personal data: any information relating to an identified or identifiable natural person.
- Special categories of personal data: includes racial or ethnic origin, political opinions, religion, trade union membership, genetic or biometric data, health, or sexual life/orientation.
- Data controller: entity determining purposes and means of processing.
- Data subject: any living individual whose data is held.
- Processing: any operation performed on personal data, whether automated or manual.
- Profiling: automated processing to evaluate personal aspects of a person.
- Personal data breach: accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
- Data subject consent: freely given, specific, informed, and unambiguous indication of agreement.
- Child: anyone under 16 years old (or 13, per Member State law).
- Third party: any entity other than the data subject, controller, or authorised processor.
- Filing system: any structured set of personal data accessible by specific criteria.
2. Policy Statement
2.1 Arthian Ltd and its Board of Directors are committed to compliance with all relevant EU and Member State laws in respect of personal data, protecting the rights and freedoms of individuals whose information it processes.
2.2 Compliance with the GDPR is implemented through this policy, the Information Security Policy, and other connected procedures.
2.3 This policy applies to all personal data processing functions, including those relating to customers, clients, employees, suppliers, and partners.
2.4 It applies to all employees and relevant third parties. Breaches may lead to disciplinary or criminal action.
2.5 Partners and third parties must comply with this policy and sign agreements ensuring equivalent obligations and audit rights.
3. Responsibilities and Roles under GDPR
3.1 Arthian is a Data Controller under the GDPR.
3.2 Managers and supervisors must promote good data-handling practices.
3.3 The Data Protection Officer (DPO) is accountable for GDPR compliance, implementation, and security.
3.4 The DPO ensures Arthian complies with GDPR and oversees processing within each department.
3.5 The DPO manages Subject Access Requests and supports employee queries.
3.6 All employees share responsibility for compliance.
3.7 Arthian’s Training Policy outlines awareness and role-specific education.
3.8 Employees must ensure personal data they supply is accurate and current.
4. Data Protection Principles
All data processing must comply with the principles in Article 5 of the GDPR.
4.1 Lawfulness, Fairness, and Transparency
Personal data must be processed:
- Lawfully: a lawful basis must exist (e.g. consent).
- Fairly: individuals must be informed about how their data is used.
- Transparently: information must be clear and accessible.
👉 See Arthian Privacy Policy: https://www.arthian.eu/privacy_policy
Information provided to the data subject must include:
- Controller identity and contact details
- DPO contact details
- Purpose and legal basis
- Retention period
- Rights (access, rectification, erasure, objection)
- Data categories
- Recipients
- International transfers (if any)
- Additional relevant information
4.2 Purpose Limitation
Data must be collected only for specific, explicit, and legitimate purposes and not used for incompatible ones.
4.3 Data Minimisation
Data collected must be adequate, relevant, and limited to what is necessary.
4.4 Accuracy
Data must be accurate and kept up to date; inaccurate data must be erased or rectified promptly.
4.5 Storage Limitation
Data must be stored only as long as necessary for processing purposes.
4.6 Integrity and Confidentiality
Data must be processed securely with technical and organisational safeguards (passwords, encryption, access control, backups, etc.).
4.7 Accountability
Arthian must demonstrate compliance through documented policies, DPIAs, and incident response plans.
5. Data Subjects’ Rights
Data subjects have the right to:
- Access their data
- Prevent processing causing harm
- Prevent processing for marketing
- Know about automated decisions
- Avoid significant decisions made solely by automation
- Claim compensation for GDPR breaches
- Rectify, erase, or block inaccurate data
- Complain to the supervisory authority
- Receive data in a machine-readable format
- Object to automated profiling
6. Consent
6.1 Consent must be freely given, specific, informed, and unambiguous.
6.2 It must be actively communicated, never implied by silence.
6.3 For sensitive data, explicit written consent is required.
6.4 For children under 16, parental or custodial consent must be obtained.
7. Security of Data
All employees must ensure data is:
- Stored securely (locked offices, encrypted devices, password-protected systems).
- Not left accessible to unauthorised persons.
- Properly destroyed once retention expires.
- Not processed off-site without authorisation.
8. Disclosure of Data
8.1 Personal data must not be disclosed to unauthorised parties (including family or friends).
8.2 Any disclosure must be authorised by the DPO.
9. Retention and Disposal
9.1 Data must not be kept longer than necessary.
9.2 Retention periods are defined by statutory obligations.
9.3 Data disposal must be secure and compliant with the GDPR's sixth principle (integrity and confidentiality, see 4.6).
10. Data Transfers
10.1 Export of data outside the EEA is prohibited unless adequate protection exists, such as:
- Adequacy Decision (approved country)
- Privacy Shield (for US organisations)
- Binding Corporate Rules
- Model Contract Clauses
- Explicit Consent or Legal Necessity
11. Information Asset Register / Data Inventory
11.1 Arthian maintains a detailed Data Inventory and Flow Register including:
- Data categories
- Sources
- Recipients
- Processing purposes
- Retention and disposal requirements
11.2 Arthian conducts Data Protection Impact Assessments (DPIAs) where required, manages risks, and escalates high-risk cases to the supervisory authority via the DPO.