Page 68 - EQA Employee Handbook Feb 2020 v1
• Storage limitation;
• Integrity and confidentiality (security);
• Accountability.
7.2 Registration with the Data Protection Commissioner
• As a certification body that undertakes data processing activities on behalf of The Private
Security Authority (PSA), EQA (Ireland) shall consider the registration requirements with
the Data Protection Commissioner as either a Data Controller or a Data Processor. These
registration requirements are detailed in the Guidance Notes for Registration on the
Data Protection Commissioner website
(https://www.dataprotection.ie/docs/Registration-Guidance/1050.htm).
• For the purpose of completing registration with the Data Protection Commissioner, the role of
the ‘Compliance Person’ shall be fulfilled by the Chief Executive.
• The responsibilities of the Compliance Person are as follows:
• To review the activities of EQA (Ireland) in terms of the registration requirements and details
with the Data Protection Commissioner;
• To register, amend registration or continue registration with the Data Protection
Commissioner as either a Data Controller or a Data Processor.
7.3 Communication
• EQA (Ireland) has defined the means of communication and communication pathways as
related to its activities of data processing, along with associated obligations and duties of
EQA (Ireland) and relevant third parties. Personal data is processed in a manner that ensures
appropriate security and confidentiality of the personal data.
• In defining its internal and external communications, EQA (Ireland) has established various
policies, procedures, statements and forms. These documents are referenced in Appendix
A.
• Details of the primary means of communication with interested parties, along with the
frequency of this communication, are documented within the Personal Data Inventory. In
particular:
7.3.1 Employees:
A Contract of Employment is signed and agreed with each employee of EQA (Ireland).
As part of staff induction, employees are informed of the structure and work of EQA
(Ireland), the roles and responsibilities within the organisation, and the various policies and
procedures, including the Data Protection Policy, as per the Staff Induction Checklist.
Employees are provided with a list of ‘Frequently Asked Questions’ (or ‘FAQ’) so as to
communicate their roles and responsibilities, with respect to data protection, in a practical
format. This FAQ is included in Appendix D.
7.3.2 Clients:
The EQA (Ireland) General Terms & Conditions, which the client acknowledges and accepts
prior to the undertaking of any audit activities, includes a Data Protection Privacy Policy,
with reference to the Privacy Statement on the EQA (Ireland) website. As per the General
Terms & Conditions, EQA (Ireland) “reserves the right to modify this Privacy Policy and its