Page 65 - EQA Employee Handbook
7.4. Towards ensuring the adequate training of staff, EQA (Ireland) has produced this policy outlining
the management of data protection within the organisation. In addition, all new staff are informed
of this policy during formal Staff Induction, as per the Staff Induction Checklist.
7.5. EQA (Ireland) staff are advised of their due diligence in:
• receiving, verifying and relaying data access requests to senior management;
• identifying and reporting data breaches to the Chief Executive or, in his place, at least one
other member of senior management.
7.6. All documents referenced within this policy are listed in Table 1 of Appendix A.
7.4 Personal Data Inventory
7.4.1. Towards meeting the requirements of Article 30 (‘Records of processing activities’) of the
GDPR, the ‘EQA Personal Data Inventory’ document is maintained. The document is populated with
the following details:
• The party that is subject to data processing;
• Description of the particular personal data which is being processed;
• The justification for why the personal data is being held;
• The manner in which the personal data was or is obtained;
• The justification for why the personal data was gathered;
• The stated retention period for the personal data;
• The known security measures in place to secure the personal data;
• The basis or bases upon which the personal data is shared with third parties, if applicable;
• The legal basis or bases upon which processing of the personal data is justified.
7.4.2. Towards meeting the requirements of Article 30 of the GDPR, the ‘EQA Personal Data Inventory:
Third Parties’ document is maintained. The document is populated with the following details:
• The third party with whom the personal data is shared;
• Description of the particular personal data which is shared;
• The justification for why the personal data is shared;
• The corresponding data processing activities undertaken by the third party;
• The known security measures in place during the transfer of the personal data;
• The known security measures in place with the third party;
• The basis or bases upon which EQA (Ireland) assesses or ensures the security of personal data
with the third party.
7.4.3. The ‘EQA Personal Data Inventory’ and the ‘EQA Personal Data Inventory: Third Parties’
documents are reviewed at least once per annum as part of the Annual Data Protection Risk
Assessment.
7.5 Third Party Contracts
7.5.1. If EQA (Ireland) as a data controller uses any third party as a data processor, there shall be
a contract between both parties setting out the subject-matter and duration of the data processing,
the nature and purpose of the data processing, the type of personal data and categories of data
subjects, and the obligations and rights of the data controller, as per the requirements of Article 28
(‘Processor’) of the GDPR.