Page 67 - EQA Employee Handbook Feb 2020 v1
SECTION 7: PRIVACY AND DATA PROTECTION
Purpose: To define the policies whereby EQA (Ireland) demonstrate transparency and accountability
in the processing of personal data, with focus on safeguarding the rights of the data subject.
Scope: All activities under the control of EQA (Ireland) in which personal data is being processed. All
other activities of data processing which EQA (Ireland) undertake
Method:
7.1 General
• EQA (Ireland) is an independent Certification Body that provides services in auditing and
certification activities, for which the processing of personal data sourced from prospective, existing
and past clients is necessary to fulfil accreditation requirements from the Irish National
Accreditation Board (INAB), in addition to requirements from the Private Security Authority (PSA)
towards maintaining status as an approved certification body.
In providing these services, EQA (Ireland) subcontract the services of assessors and technical experts,
for whom EQA (Ireland) retain records of competence in order to meet INAB requirements.
To ensure the delivery of these services, EQA (Ireland) employ staff and consequently retain the
minimum detail of human resource records required to demonstrate compliance with applicable
legislation.
• For the purposes of this policy, definitions of ‘personal data’, data ‘processing’, data
‘controller’, data ‘processor’, ‘third party’, ‘consent’, and ‘personal data breach’, given in Article 4
(‘Definitions’) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016, referred to as the General Data Protection Regulation, or GDPR, apply.
• In striving to continually improve its policy, processes and procedures related to data protection,
EQA (Ireland) may refer to the guidelines, opinions and other resources as published by the
Article 29 Working Party, as established by Article 29 of the EU Directive 95/46/EC.
• ‘Risk’ is defined as a scenario describing an event and its consequences, estimated in terms of
severity and likelihood.
• ‘Risk management’ is defined as the coordinated activities to direct and control the
organisation within the above scope and with regard to risk.
• ‘Sensitive personal data’ is defined as any personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation (as per
Article 9(1) (‘Processing of special categories of personal data’) of the GDPR).
• In establishing this Data Protection Policy, EQA (Ireland) refer to the seven key principles as set
out in Article 5 (‘Principles relating to processing of personal data’) of the GDPR, which are,
in summary:
• Lawfulness, fairness and transparency;
• Purpose limitation;
• Data minimisation;
• Accuracy;
Page 66 of 85