Privacy and Data Handling Policy
Purpose
To establish clear guidelines for collecting, processing, storing, retaining, and sharing personal and sensitive data while ensuring compliance with data protection laws.
Scope
Covers all forms of personal data handled by Tribird AS, including electronic, paper-based, and verbal data.
Data Privacy Principles
- Lawfulness and Transparency: Process data in a fair and lawful manner.
- Purpose Limitation and Minimization: Collect and use personal data strictly for legitimate, clearly defined purposes and only to the extent necessary.
- Accuracy and Storage Limitation: Keep data accurate and retain it only as long as needed.
- Integrity and Confidentiality: Protect data from unauthorized access and breaches.
- Accountability: Maintain compliance and conduct regular reviews of data handling practices.
Data Handling Procedures
Data Collection
- Consent and Lawful Basis: Collect personal data only on a lawful basis and with necessary consent when required.
- Data Inventory: Maintain an up-to-date record of the personal data collected and its processing purposes.
Data Processing and Use
- Purpose Specification: Clearly define and document the reasons for processing personal data.
- Restricted Processing: Use the data solely for its stated purposes.
Data Storage and Retention
- Secure Storage: Ensure all personal data is stored securely using encryption and access controls as needed.
- Retention for Order Shipments:
  - Retention Period: Retain Personally Identifiable Information (PII) associated with order shipments for 31 to 90 days after the shipment date.
  - Data Masking: After the retention period, perform data masking to remove sensitive PII while retaining non-identifiable data for analysis or audit purposes.
- Secure Disposal: Dispose of personal data securely when it is no longer required.
Data Transmission
- Encryption: Encrypt sensitive data in transit using industry-standard protocols.
- Secure Channels: Transmit data only over secure, authorized channels.
Data Access and Sharing
- Access Controls: Limit access to personal data using role-based controls.
- Third-Party Sharing: Ensure any sharing of personal data is done under strict contractual obligations and secure transmission methods.
- Data Anonymization: Where possible, anonymize or pseudonymize data to further protect privacy.
Roles and Responsibilities
- Executive Management: Oversee data protection efforts and allocate resources.
- Data Protection Officer (DPO): Monitor compliance, handle data subject requests, and serve as the primary contact for privacy issues.
- Department Managers: Ensure adherence to this policy within their teams.
- All Employees: Follow the policy and report any data protection issues.
Data Subject Rights
Data subjects have rights to access, correct, delete, restrict processing, and receive data in a portable format. They may also lodge complaints with supervisory authorities.
Incident Response and Breach Management
- Detection and Reporting: Immediately report any suspected data breaches.
- Investigation and Mitigation: Conduct thorough investigations and take corrective measures.
- Notification: Notify affected data subjects and regulatory bodies as required.
Training and Auditing
- Employee Training: Provide regular training on data privacy and handling procedures.
- Internal Audits: Regularly audit data handling practices to ensure compliance.
Policy Review and Updates
This policy is a living document and will be reviewed at least annually or when significant changes occur. All updates require executive management approval.