Privacy and Data Handling Policy

1 Purpose

To establish clear guidelines for collecting, processing, storing, retaining, and sharing personal and sensitive data while ensuring compliance with data protection laws.

2 Scope

Covers all forms of personal data handled by Tribird AS, including electronic, paper-based, and verbal data.

3 Data Privacy Principles

  • Lawfulness and Transparency: Process data in a fair and lawful manner.
  • Purpose Limitation and Minimization: Collect and use personal data strictly for legitimate, clearly defined purposes and only to the extent necessary.
  • Accuracy and Storage Limitation: Keep data accurate and retain it only as long as needed.
  • Integrity and Confidentiality: Protect data from unauthorized access and breaches.
  • Accountability: Maintain compliance and conduct regular reviews of data handling practices.

4 Data Handling Procedures

4.1 Data Collection

  • Consent and Lawful Basis: Collect personal data only on a lawful basis, obtaining consent where it is required.
  • Data Inventory: Maintain an up-to-date record of the personal data collected and its processing purposes.

4.2 Data Processing and Use

  • Purpose Specification: Clearly define and document the reasons for processing personal data.
  • Restricted Processing: Use the data solely for its stated purposes.

4.3 Data Storage and Retention

  • Secure Storage: Ensure all personal data is stored securely using encryption and access controls as needed.
  • Retention for Order Shipments:
    • Retention Period: Retain Personally Identifiable Information (PII) associated with order shipments for 31 to 90 days after the shipment date.
    • Data Masking: After the retention period, perform data masking to remove sensitive PII while retaining non-identifiable data for analysis or audit purposes.
  • Secure Disposal: Dispose of personal data securely when it is no longer required.

4.4 Data Transmission

  • Encryption: Encrypt sensitive data in transit using industry-standard protocols.
  • Secure Channels: Transmit data only over secure, authorized channels.

4.5 Data Access and Sharing

  • Access Controls: Limit access to personal data using role-based controls.
  • Third-Party Sharing: Share personal data with third parties only under strict contractual obligations and via secure transmission methods.
  • Data Anonymization: Where possible, anonymize or pseudonymize data to further protect privacy.

5 Roles and Responsibilities

  • Executive Management: Oversee data protection efforts and allocate resources.
  • Data Protection Officer (DPO): Monitor compliance, handle data subject requests, and serve as the primary contact for privacy issues.
  • Department Managers: Ensure adherence to this policy within their teams.
  • All Employees: Follow the policy and report any data protection issues.

6 Data Subject Rights

Data subjects have the right to access, correct, and delete their data, to restrict its processing, and to receive it in a portable format. They may also lodge complaints with supervisory authorities.

7 Incident Response and Breach Management

  • Detection and Reporting: Immediately report any suspected data breaches.
  • Investigation and Mitigation: Conduct thorough investigations and take corrective measures.
  • Notification: Notify affected data subjects and regulatory bodies as required.

8 Training and Auditing

  • Employee Training: Provide regular training on data privacy and handling procedures.
  • Internal Audits: Regularly audit data handling practices to ensure compliance.

9 Policy Review and Updates

This policy is a living document and will be reviewed at least annually or when significant changes occur. All updates require executive management approval.