MATRIX RELOCATIONS GROUP – GDPR COMPLIANCE POLICY

1. Introduction

Matrix Relocations Group is dedicated to ensuring the confidentiality, integrity, and availability of all personal data we process, in compliance with the General Data Protection Regulation (GDPR). This policy sets out our commitment to data protection and individual rights and obligations in relation to personal data.

2. Definitions

2.1. “Personal data” means any information relating to an identified or identifiable individual.

2.2. “Processing” means any operation performed on personal data, such as collection, use, storage, disclosure, alteration, or destruction.

2.3. “Data subject” is the individual whose personal data is processed.

3. Data Protection Principles

Matrix Relocations Group adheres to the following data protection principles:

3.1. Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently, providing detailed information to data subjects about our data processing activities.

3.2. Purpose Limitation: We only process personal data for specified, explicit, and legitimate purposes, informing data subjects of these purposes at the time of data collection.

3.3. Data Minimization: We only collect personal data that is adequate, relevant, and necessary for the purposes for which it is processed.

3.4. Accuracy: We keep personal data accurate and up-to-date, rectifying inaccuracies promptly.

3.5. Storage Limitation: We only retain personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

3.6. Integrity and Confidentiality: We protect personal data against unauthorized or unlawful processing, loss, destruction, or damage by implementing appropriate technical and organizational measures.

4. Legal Basis for Processing

4.1. We only process personal data when we have a legal basis to do so. This includes:

4.2. Consent: We have obtained clear, affirmative consent from the data subject.

4.3. Contract: The processing is necessary to fulfill a contract.

4.4. Legal Obligation: The processing is necessary to comply with a legal obligation.

4.5. Legitimate Interests: The processing is necessary for our legitimate interests or those of a third party.

5. Data Subject Rights

5.1. We respect the rights of data subjects as provided under GDPR, which include the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing. Requests to exercise these rights can be sent to our Data Protection Officer.

6. Data Transfers

6.1. When transferring personal data outside the EU, we ensure compliance with GDPR provisions by:

Transferring data to countries recognized by the EU as providing an adequate level of data protection.

Implementing appropriate safeguards such as Standard Contractual Clauses approved by the EU.

7. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and its implementation to ensure GDPR compliance.

8. Breach Notification

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

9. Training and Awareness

We provide regular training to all staff members who process personal data, ensuring they understand their responsibilities in relation to data protection and GDPR compliance.

10. Policy Review

This policy will be reviewed at least annually or whenever there is a significant change in data processing activities or relevant legislation.

11. Contact

If you have any questions or concerns about this policy, please contact our DPO at matrixrelo.com.

12. Assessment and Management Of Personal Data Protection Requirements and Risks

12.1. Identifying Personal Data Protection Requirements

Our first step is to identify the personal data protection requirements that apply to Matrix Relocations Group. This involves:

Understanding the regulations, such as the General Data Protection Regulation (GDPR), and the specific obligations they impose.

Recognizing industry standards or guidelines which may provide a benchmark for data protection practices.

Identifying contractual obligations that may require specific data protection measures.

12.2. Data Mapping and Classification

An essential part of managing personal data protection requirements is knowing what data we have, where it is, how it’s being processed, and why. We achieve this through:

Data Mapping: We document all data flows within the organization, including inputs and outputs, data transfers, and interfaces with third parties.

Data Classification: We classify personal data based on sensitivity and risk levels to ensure appropriate protective measures.

12.3. Risk Assessment

Regular data protection risk assessments are crucial in identifying potential risks to personal data. These assessments involve:

Identifying Potential Risks: We identify risks, such as data breaches, data loss, or unauthorized access to personal data.

Evaluating Risks: We evaluate risks based on the likelihood of occurrence and potential impact on the individual and the organization.

Prioritizing Risks: Based on the risk evaluation, we prioritize risks that require immediate attention.

12.4. Implementing Risk Management Strategies

After identifying and prioritizing risks, we develop and implement risk management strategies. This involves:

Risk Mitigation: We apply necessary measures to minimize identified risks, for instance by implementing strong access controls, encryption, and regular backup procedures.

Risk Transfer: In some cases, we may decide to transfer the risk, such as through insurance.

Risk Acceptance: If a risk is low-level and the cost of mitigation outweighs the potential impact, we may choose to accept the risk, documenting our decision accordingly.

12.5. Developing Policies and Procedures

We develop and implement data protection policies and procedures to establish clear guidelines for how personal data should be handled in our organization.

12.6. Training and Awareness

We provide regular training and awareness sessions to ensure that all employees understand the personal data protection requirements and their responsibilities.

12.7. Monitoring and Auditing

Regular monitoring and auditing of our data processing activities ensure ongoing compliance with personal data protection requirements. We check:

Compliance with policies and procedures.

Whether risk management measures are effectively reducing risks.

How well individuals’ rights are being respected and facilitated.

Whether data breaches are effectively prevented, detected, and managed.

12.8. Continual Improvement

We continually improve our data protection practices based on the results of our monitoring and auditing, changes in law, and lessons learned from any data incidents.

13. Data Protection Impact Assessment (DPIA) is a process in place at Matrix Relocations, designed to identify and minimize the data protection risks of a project. A DPIA is required where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of natural persons.”

Our steps for carrying out a DPIA:

13.1. Identification and Description of Processing Operations:

The first step is to describe the data processing operations, their purposes, and the data processing methods to be used. It is essential to define the scope of the project and understand what personal data will be involved.

13.2. Assessment of Necessity and Proportionality:

Assess the necessity of the data processing in relation to the purpose. This involves verifying whether the processing is limited to what is necessary in terms of the data used and the extent of the processing. It also includes checking whether less intrusive means could be used.

13.3. Identification and Assessment of Risks:

Identify the potential risks to the rights and freedoms of data subjects. It’s important to consider both the likelihood and the severity of any impact on data protection. We include potential risks from both within and outside Matrix Relocations.

13.4. Mitigation of Risks:

For each risk identified, devise measures to mitigate it. This could include, for example, enhanced security measures, restrictions on access to data, anonymization of data, or obtaining explicit consent where appropriate.

13.5. Consultation with the Data Protection Officer (DPO):

The DPO is involved throughout the DPIA process. They provide expertise on data protection issues and can help ensure compliance with the GDPR.

13.6. Consultation with Data Subjects or Their Representatives:

Where appropriate, seek the views of the data subjects or their representatives on the processing operation. This isn’t always required but could be useful in some cases.

13.7. Regular Review:

A DPIA isn’t just a one-off exercise; it is regularly reviewed and updated, particularly if the nature, scope, context or purposes of the processing change.

13.8. Consultation with Supervisory Authority:

If the DPIA identifies a high risk that cannot be mitigated, the relevant supervisory authority must be consulted. This consultation must take place prior to the processing.

14. The Rights of the Individuals (Data Subjects) who are clients of Matrix Relocations.

14.1. Right to Be Informed:

Data subjects have the right to be informed about the collection and use of their personal data. This is done through a privacy notice that is concise, transparent, intelligible, easily accessible, and in clear and plain language. This privacy notice is displayed on our website and includes the identity of Matrix, the purpose for processing, the recipients of the personal data, and other necessary details.

14.2. Right of Access:

Data subjects have the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information. We have a system in place for handling such access requests (also known as Subject Access Requests, or SARs).

14.3. Right to Rectification:

Data subjects have the right to have inaccurate personal data rectified, or completed if it is incomplete. We have a system for modifying and updating the personal data we hold.

14.4. Right to Erasure (or ‘right to be forgotten’):

Data subjects have the right to have personal data erased in certain circumstances. Matrix has procedures in place to securely erase data when requested to do so.

14.5. Right to Restrict Processing:

Data subjects have the right to request the restriction or suppression of their personal data in certain circumstances. Matrix has systems in place to restrict access to certain data as needed.

14.6. Right to Data Portability:

Data subjects have the right to obtain and reuse their personal data across different services. The data is provided in a structured, commonly used, and machine-readable form. Matrix is able to accommodate these requests.

14.7. Right to Object:

Data subjects have the right to object to the processing of their personal data in certain circumstances. 

14.8. Rights in Relation to Automated Decision Making and Profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal or similarly significant effect. We allow human intervention in these processes.

Note to section 14: The procedures at this point and its subsections include, but are not limited to:

a. Receiving Requests: 

We have a clear and easily accessible method for individuals to submit requests for erasure. This is done through the email address of the DPO ([email protected]), mentioned in our privacy notice and policy.

b. Identifying Requests:

Our staff is trained to recognize such requests. These requests can come in any form and don’t need to specifically mention the GDPR or the right of the individual.

c. Verification of Identity: 

We verify the identity of the person making the request. This is important to prevent unauthorized deletions. 

d. Assessing the Request:

Not all requests for erasure must be complied with under the GDPR. There are certain exceptions where the right to erasure does not apply, such as when the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, we assess each request individually.

e. Locating and Erasing the Data:

When we decide that the request is valid, we locate and erase the personal data we hold on the individual. Depending on how the data is stored, this may involve deleting individual records or anonymizing the data so the individual can’t be identified.

f. Informing Third Parties:

If we disclosed the personal data to third parties, we inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort.

g. Responding to the Request:

We inform the individual that their data has been erased or explain why it hasn’t been if the right to erasure does not apply. We do this without undue delay and within one month of receipt of the request.

h. Record Keeping:

We keep a record of the request and our response for accountability purposes.

It’s important to note that implementing a system to handle these requests involves both procedural steps and technical capabilities. Our data storage systems allow for the permanent deletion of data and our organization’s procedures cover the assessment and handling of erasure requests.

==================

Approval and Effective Date

==================

This GDPR Compliance Policy is approved by the Board of Directors and is effective as of January 1st, 2023.