Page 62 - EQA Employee Handbook

SECTION 7: PRIVACY AND DATA PROTECTION

Purpose: To define the policies whereby EQA (Ireland) demonstrate transparency and accountability in the processing of personal data, with focus on safeguarding the rights of the data subject.

Scope: All activities under the control of EQA (Ireland) in which personal data is being processed. All other activities of data processing which EQA (Ireland) undertake

Method:

7.1 General

7.1.1. EQA (Ireland) is an independent Certification Body that provides services in auditing and certification activities, for which the processing of personal data sourced from prospective, existing and past clients is necessary to fulfil accreditation requirements from the Irish National Accreditation Board (INAB), in addition to requirements from the Private Security Authority (PSA) towards maintaining status as an approved certification body.

In providing these services, EQA (Ireland) subcontract the services of assessors and technical experts, for whom, towards meeting INAB requirements, EQA (Ireland) retain records of competence.

To ensure the delivery of these services, EQA (Ireland) employ staff and consequently retain the minimum detail of human resource records required to demonstrate compliance with applicable legislation.

7.1.2. For the purposes of this policy, the definitions of ‘personal data’, data ‘processing’, data ‘controller’, data ‘processor’, ‘third party’, ‘consent’ and ‘personal data breach’ given in Article 4 (‘Definitions’) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, referred to as the General Data Protection Regulation, or GDPR, apply.

7.1.3. In striving to continually improve its policy, processes and procedures related to data protection, EQA (Ireland) may refer to the guidelines, opinions and other resources published by the Article 29 Working Party, as established by Article 29 of the EU Directive 95/46/EC.

7.1.4. ‘Risk’ is defined as a scenario describing an event and its consequences, estimated in terms of severity and likelihood.

7.1.5. ‘Risk management’ is defined as the coordinated activities to direct and control the organisation within the above scope and with regard to risk.

7.1.6. ‘Sensitive personal data’ is defined as any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (as per Article 9 (1) (‘Processing of special categories of personal data’) of the GDPR).

7.1.7. In establishing this Data Protection Policy, EQA (Ireland) refer to the seven key principles set out in Article 5 (‘Principles relating to processing of personal data’) of the GDPR; they being (in summary):

• Lawfulness, fairness and transparency;
• Purpose limitation;
• Data minimisation;
• Accuracy;
Page 61 of 79