IMPERIO or Company – Y.A.M IMPERIO ENTERPRISES LTD a company incorporated and validly existing in the Republic of Cyprus with registration no. HE141929 and having its registered office at 131 Gladstonos street, 3032 Limassol, Cyprus and any of its subsidiaries and/or affiliated companies.
Biometric Data – Personal Data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data
Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
Data Concerning Health – Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Portability – the requirement for controllers to provide the Data Subject with a copy of his or her data in a format that allows for easy use with another controller (more info here).
Data Processor – a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
Data Protection Officer – an expert on data privacy who works independently to ensure that IMPERIO is adhering to the policies and procedures set forth in the GDPR (Contact details: Skevi Hadjichralambous at firstname.lastname@example.org)
Data Protection Committee: it is a committee comprises of employees of IMPERIO and holds meetings once a month to report on current procedures and deficiencies observed as well as to suggest improvements, new procedures and measures for the processing of Personal Data.
Data Subject – a natural person whose Personal Data is processed by a controller or processor
Encrypted Data – Personal Data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
GDPR – the Regulation (EU) 2016/679 (General Data Protection Regulation)
Genetic Data – Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
Personal Data – any information relating to a natural person whose Personal Data is processed by a controller or processor (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach – breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Privacy Impact Assessment – a methodological tool used to identify and reduce the privacy risks of entities by analysing the Personal Data that are processed and the policies in place to protect the data
Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Recipient – a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Regulation – a binding legislative act that must be applied in its entirety across the Union
Supervisory Authority – Commissioner of Personal Data Protection – Address: 1 Iasonos str., 1082 Nicosia, P.O.Box 23378, 1682 Nicosia – Tel: +357 22818456, Fax: +357 22304565 – Email: email@example.com.
This policy describes how Personal Data is collected, handled, and stored to meet the Company’s data protection standard and to comply with GDPR. This Policy ensures that IMPERIO:
• Complies with the General Data Protection Regulation EU 2016/679 (“GDPR”).
• Protects the rights of Data Subjects.
• Protects itself from the risks of Personal Data Breach.
• in the course of its operation involving, among others, clients, prospective clients, suppliers, agents, contractors, consultants and experts, landlords
• from job applicants, employees, managers and directors,
• from other individuals that IMPERIO has a business relationship with or may need to contract.
IMPERIO may supplement or amend this Policy by additional policies and guidelines from time to time. Any new or modified policy is circulated to staff before being adopted. IMPERIO is responsible for ensuring compliance with the GDPR requirements outlined in this Policy. Non-compliance may expose IMPERIO to complaints, regulatory action, fines and/or reputational damage.
However, the relation between responsibility and key managerial position is as follows:
|Management||IMPERIO’s management is ultimately responsible for ensuring that the Company meets its legal obligations.|
|Data Protection Officer||The Data Protection Officer (DPO), is responsible for:
• Keeping IMPERIO’s management updated about data protection responsibilities, risks and issues.
5 General Guidelines
• The only personnel allowed to access data covered by this Policy are those who need it for professional reasons.
• The Company provides training to all employees to raise awareness and understanding about their responsibilities when handling data.
• Employees must keep all Personal Data secure, by taking sensible precautions and following the guidelines below.
• Personal Data must not be disclosed to unauthorised individuals, either within the Company or without.
• Personal Data must be regularly reviewed and updated if and to the extent they are determined to be out of date. If no longer required, such data are to be deleted and disposed of.
6 Company’s Principles
IMPERIO has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:
6.1 Fair and Lawful Processing
IMPERIO processes Personal Data fairly, lawfully and in a transparent manner in accordance with Data Subjects’ rights.
This means, IMPERIO informs Data Subjects about what processing will be carried out (transparency), ensures the processing matches the description given to the Data Subject (fairness), and requires the processing to be for one of the purposes specified in the applicable GDPR regulation (lawfulness).
6.2 Data Purpose Limitation
IMPERIO ensures that any Personal Data it processes is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. IMPERIO processes Personal Data obtained for a specific purpose and does not process these data for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask IMPERIO to correct inaccurate Personal Data relating to them. If employees believe that Personal Data are inaccurate then they record the fact that the accuracy of the information is disputed and inform the DPO accordingly.
6.3 Data Minimisation
Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. IMPERIO does not store any Personal Data beyond what is strictly required.
6.4 Data Security
IMPERIO keeps Personal Data secure against loss or misuse. In case of data processing assignment to external parties, the DPO establishes what, if any, additional specific data security arrangements need to be implemented in contracts with the aforementioned parties.
6.5 Data Storage
• Personal Data relating to IMPERIO are stored only on IMPERIO’s approved devices and in a secure way.
• In cases where data are stored on paper, they are kept in a physically secure place where unauthorised personnel cannot access it.
• Printed data are shredded when they are no longer needed.
• Data stored on a computer are protected by strong passwords that are changed regularly.
• Data stored on CDs or memory sticks, are removed securely when they are not being used.
• All servers containing Personal Data are properly protected by security tools.
6.6 Data Use
IMPERIO uses Personal Data of its contacts for the following broad purposes:
• The general running and business administration of IMPERIO.
• To comply with obligations imposed by laws or regulations.
• To serve IMPERIO legitimate interests, to the extent that such interests are not overridden by the interests or fundamental rights and freedoms of data subjects.
The following general principles apply:
• When working with Personal Data, employees ensure the screens of their computers are always locked when left unattended.
• Personal data are not to be shared informally.
• Data, if necessary, will be encrypted before being transferred electronically.
6.7 Data Accuracy
• IMPERIO ensures data are kept accurate and up to date.
• Data are held in as few places as necessary. Staff does not create any unnecessary additional data sets.
• IMPERIO makes it easy for data subjects to update the information it holds about them. For instance, via “Data subject’s request form”.
• Data are updated as inaccuracies are discovered. For instance, if a Data Subject can no longer be reached on their stored telephone number, it is being removed from database.
7 Data Collection
Data Sources: Personal Data are collected from a data subject if one of the following conditions applies:
• The nature of the business purpose necessitates collection of the Personal Data.
• The collection is carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.
Where it has been determined that notification to a Data Subject is required, privacy notice is given promptly. Where a need exists to request and receive the consent (as descripted immediately below) of an individual prior to the collection, use or disclosure of their Personal Data, IMPERIO is committed to seeking such consent.
7.1 Data Subject Consent
In certain cases, IMPERIO may collect Personal Data under the Data Subject’s consent. The Data Subject retains the right to revoke this consent at any time.
The DPO, in cooperation with the IT Department, established a system for obtaining and documenting data subject consent for the collection, processing, and/or transferring of their Personal Data which can be found here. The system includes provisions for:
• Determining what disclosures are made in order to obtain valid consent.
• Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
• Ensuring the consent is freely given (i.e. is not based on a contract that is conditional to the processing of Personal Data that is unnecessary for the performance of that contract).
• Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given.
• Providing a simple method for a Data Subject to withdraw their consent at any time.
8 Data processing
8.1 Conditions for Processing
IMPERIO does not process Personal Data unless it has identified a lawful basis for the processing, i.e. provided that at least one of the following requirements is met:
• the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
IMPERIO ensures any use of Personal Data is justified using at least one of the conditions for processing, and this is specifically documented. All staff who is responsible for processing Personal Data is aware of the conditions for processing. The conditions for processing are available to Data Subjects in the form of a privacy notice. Data are processed by the Company on a fair basis and data subjects are duly informed about such uses. IMPERIO provides ‘privacy notices’ to deliver explanations to individuals when information is collected about them – in effect stating, ‘how we use your data’.
The privacy notice is supplied to the individual at the time they provide IMPERIO with their Personal Data. IMPERIO, according to GDPR principles, provides information to individuals which is:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, and
- free of charge.
8.2 Special categories of data
IMPERIO processes special categories of data (also known as sensitive data) only under specific and limited circumstances, especially in relation to health data of employees, which are processed for the purpose of discharging obligations under employment, social security or social protection law. IMPERIO may also processes personal data such as clients’ criminal records for the purpose of property and clients’ management.
9 Data Retention
IMPERIO according to GDPR requirements minimises the retention of Personal Data such that data must be kept in a form that permits identification for no longer than necessary for the purposes for which the data are collected or processed.
IMPERIO retains Personal Data for no longer than is necessary. What is necessary depends on the circumstances of each case, taking into account the reasons that the Personal Data were obtained. IMPERIO’s obligation regarding data retention arises from local laws or regulations or from contracts with employees, external parties, agents and other providers.
The Company’s Personal Data retention policy dictates that any Personal Data should not be kept for no longer than reasonably necessary pursuant to the legal basis for the processing. Therefore, the largest volume of your Personal Data shall be retained for a period equal to the duration of your employment contract.
However, basic details of your employment relationship may need to be retained for a period after the termination of your employment contract, either to meet certain obligations imposed by law, or to serve needs of prudent management, or to establish, exercise or support our legal claims.
More specifically, data are retained in order to protect IMPERIO’s interests, preserve evidence, and generally conform to good business practices, for a period of time where IMPERIO sees fit. Reasons for data retention include:
• Accident investigation
• Security incident investigation
• Regulatory requirements
The record retention schedule is as follows:
|Record Type||Retention Period|
|Accounting and Finance||12 years|
|Contracts||Execution + 5 years|
|Electronic mail||12 years|
|Insurance records||7 years|
|Legal files and papers||10 years|
|Payroll documents||Termination + 12 years|
|Personnel records||Termination + 12 years|
|Tax records||7 years|
|Prospective clients’ records||18 months|
The retention period has been defined for all data categories needed. When the retention period is over, IMPERIO destroys the respective documents.
Each head of the department and the Data Protection Committee are responsible for enforcing the retention, archiving and destruction of documents and communicating these periods to the relevant personnel. Also, each head of the department and the Data Protection Committee are responsible for submitting exception requests to the process and receiving legal advice if necessary.
Physical or technical destruction is defined as sufficient when the information contained in the document become irretrievable.
Exceptions to all the above, are requested by the head of the department and/or the Data Protection Committee and approved by the Management.
If any information retained under this policy is stored in an encrypted format, IMPERIO takes appropriate measures to secure storage of the encryption keys. Encryption keys are retained as long as the data that the keys decrypt is retained.
10 Data Protection
IMPERIO adopts physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it is exposed by virtue of human action or the physical or natural environment.
The minimum set of security measures which has been adopted by IMPERIO is provided in the IMPERIO Data Protection Manual. Some high-level points of the Personal Data related security measures are provided below:
• Prevent unauthorised persons from gaining access to data processing systems in which Personal Data are processed.
• Prevent individuals entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations.
• Ensure that Personal Data in the course of electronic transmission or during transport cannot be read, copied, modified or removed without authorisation.
• Ensure that access logs are in place to establish whether, and by whom, the Personal Data was entered into, modified on or removed from a data processing system.
• Ensure that in the case where processing is carried out by a data processor, the data can be processed only in accordance with the instructions of the data controller (Data Processing Agreement).
• Ensure that Personal Data is protected against undesired destruction or loss.
• Ensure that Personal Data collected for different purposes can and is processed separately.
• Ensure that Personal Data is not kept longer than necessary.
• Formed a Data Protection Committee to assist the DPO ensuring Company’s compliance under the GDPR.
11 Data Subject Requests Procedure – Protect Individual Rights
This procedure deals with the rights under GDPR whereby an individual can request access to their Personal Data. Data Subjects have access rights to their personal information irrespective of when the record was created. To exercise this right, an individual makes a written “Data subject’s request form” for information.
IMPERIO establishes a system to enable and facilitate the exercise of Data Subject rights related to:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
Data Subject’s access requests can be made by:
• The individuals themselves
• A representative nominated by the individual to act on their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority
• In certain situations, a person granted an attorney on behalf of an adult who is incapable of consent
This procedure applies to all requests for access to Personal Data held by IMPERIO.
11.1 Data Subject Requests
All individuals whose Personal Data are held by the Company are entitled to:
• Ask what information the Company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the Company is meeting its data protection obligations.
If an individual contacts IMPERIO requesting this information, this is called a subject access request.
Subject access request from individuals are made by email or web-based “Data subject’s request form”, addressed to the DPO, who logs each request as it is received. The DPO can provide a standard request form, although individuals do not have to use this.
The DPO aims to provide the relevant Personal Data within 30 days of the receipt of the written request from the Data Subject.
The DPO always verifies the identity of anyone making a subject request before handling over any information. The DPO must be confident that the requestor is authorised to receive the information, whether this is the individual, legal guardian or law enforcement agent with appropriate jurisdiction. The DPO/designated individual records details of the identification check, along with the request, in the “Data Subject Request Log”.
This log is kept by IMPERIO of all requests for information under GDPR. This log is controlled and managed by the DPO. It includes a record of requests, actions and the employee who executed the request. This log also evidences a chain of responsibility in the event of a problematic handling of requests.
Any staff member who receives a request for information, which it believes to be a request for data under the GDPR, immediately forwards the request to the DPO.
The “Data subject’s request form” contains sufficient information to enable the DPO to locate the information requested as well as a copy of an identification document. The DPO checks that the “Data subject’s request form” fulfils the following criteria:
• Ensure full name, address and date of birth of data subject is provided.
• Ensure identification document is enclosed as per instructions.
• Ensure the form is signed and dated by the applicant.
• Ensure the additional agent’s authorisation is appropriate if someone else is acting on behalf of the Data Subject.
• Ensure the form provides enough data to identify where the records are being held.
• Records are not forwarded on to third parties but they are sent to the original applicant.
11.2 Request for Data Rectification
Data Subjects shall have the right to require IMPERIO to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data. Once identification of the requestor has been confirmed, data on the individual is to be updated. IMPERIO confirms to the requestor, by email, that an update has occurred in line with information provided unless this proves impossible or involves disproportionate effort. The request is recorded in the Data Subject request log.
11.3 Request for Erasure
A Data Subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
IMPERIO is obligated to erase Personal Data where one of the following applies:
• Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the Data Subject withdraws consent and no other legal basis for processing exists;
• the Data Subject objects to the processing carried out on the grounds of the Data Controller’s legitimate interests and there are no other overriding legitimate grounds for the processing;
• the Personal Data has been unlawfully processed.
If the request to erase Personal Data has been received, identity has been confirmed, the request meets one of the above requirements and there is no legal contrary reason for processing, IMPERIO deletes the relevant data in its entirety. The request is recorded in the Data Subject request log.
Key steps in erasing data:
• the DPO is responsible for overseeing execution of the request;
• the request and evidence is recorded in the request log;
• data owner and DPO are responsible for locating all relevant Personal Data and deleting them from all locations;
• due diligence searches on all databases, mailing lists and general file stores etc., to be conducted to;
• ensure that data has been removed
• that any unmapped data is captured
• deletion is recorded in the request log;
• an email is sent to the Data Subject confirming that data has been removed and processing has therefore ceased, unless it proves impossible or involves disproportionate effort.
If IMPERIO cannot delete Personal Data, IMPERIO ensures that it:
• is not able, or does not attempt, to use the Personal Data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
• does not give any other organisation access to the Personal Data;
• surrounds the Personal Data with appropriate technical and organisational security; and
• commits to permanent deletion of the information if, or when, this becomes possible.
11.4 Right to Object to Processing
The data subject has the right to object at any time to processing of Personal Data when:
• Personal Data is processed for direct marketing purposes
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
In determining whether or not to approve an objection, IMPERIO considers whether or not there is compelling legitimate ground for continued processing. To continue processing those grounds override the rights and freedoms of the Data Subject or be necessary for the establishment, exercise or defense of legal claims.
When such grounds do not exist, the processing must cease immediately.
Data Subjects have the right not to be subject to a decision based solely on automated processing. An exception applies where it is necessary for entering into a contract between the Data Subject and the Company.
11.5 Request for Data Portability
Upon request and provided that the relevant requirements stipulated in Article 20 of GDPR are met, a Data Subject has the right to receive a copy of their data in a structured format. These requests are processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A Data Subject may also request that their data are transferred directly to another system. In this case, the transfer of the data is done for free.
If IMPERIO cannot respond fully to the request within 30 days, the DPO nevertheless provides the following information to the Data Subject, or their authorized legal representative within the specified time:
• An acknowledgement of receipt of the request.
• Any information located to date.
• Details of any requested information or modifications which are not provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision.
• An estimated date by which any remaining responses are provided.
• An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature).
• The name and contact information of the contact person.
12 Transfers to Third Parties
IMPERIO transfers Personal Data to, or allows access by, third parties when it is assured that the information is processed legitimately and protected appropriately by the recipient. Where third party processing takes place, IMPERIO first identifies if, under applicable law, the third party is considered a Data Controller or a Data Processor of the Personal Data being transferred.
Where the third party is deemed to be a Data Controller, IMPERIO enters into, in cooperation with the DPO, an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.
Where the third party is deemed to be a Data Processor, IMPERIO enters into, in cooperation with the DPO, an adequate processing agreement with the Data Processor. The agreement requires the Data Processor to protect the Personal Data from further disclosure and to only process Personal Data in compliance with IMPERIO instructions. In addition, the agreement requires the Data Processor to implement appropriate technical and organizational measures to protect the Personal Data as well as procedures for providing notification of Personal Data breaches.
The DPO conducts regular audits of processing of Personal Data performed by third parties, especially in respect of technical and organizational measures they have in place. Any major deficiencies identified are reported to and monitored by the IMPERIO management team.
13 Reporting Breaches
Any employee who suspects that a Personal Data breach has occurred due to the theft or exposure of Personal Data must immediately notify the DPO providing a description of what occurred. All members of staff have an obligation to report also actual or potential data protection compliance failures. This allows us to:
• Investigate the failure and take remedial steps if necessary
• Maintain a register of compliance failures
• Notify the Commissioner of Personal Data Protection of any compliance failures that are material either in their own right or as part of a pattern of failures within 72 hours
Notification of the incident can be sent to firstname.lastname@example.org
The DPO investigates all reported incidents to confirm whether or not a Personal Data breach has occurred. If a Personal Data breach is confirmed, the DPO follows the relevant authorised procedure based on the criticality and quantity of the Personal Data involved.
14 Data Processing Agreement
A data processing agreement is needed when:
• IMPERIO uses a Processor (a third party who processes Personal Data on behalf of the controller).
• A Processor employs another Processor.
By having an agreement in place with the required terms, IMPERIO:
• ensures the compliance with the GDPR;
• ensures the protection of the Personal Data of suppliers, contractors, and other parties; and
• makes clear to both parties their role in respect of the Personal Data that is being processed and there is evidence of this.
The agreement sets out what the Processor is expected to do with the Personal Data.
The agreement includes the following details about the processing:
• the subject matter;
• how long it is to be carried out for;
• what processing is being done;
• its purpose;
• the type of Personal Data;
• the categories of Data Subjects; and
• the obligations and rights of the Data Controller.
15 GDPR Training
• Ensure staff have adequate and up to date training on data protection and GDPR changes
• Provide training for all relevant staff.
All staff receives training on this policy. New joiners receive training as part of the induction process. Further training is provided at least every two years or whenever there is a substantial change in the law or our policy and procedure. Completion of training is compulsory.
Training is provided through an in-house seminar or by external providers with appropriate experience.
It covers at the minimum the following elements:
• Gain a good comprehension of the updated concepts and principles and the application of them in the General Data Protection Regulation (GDPR).
• Attain a thorough understanding of the current data protection legislation and the underlying principles.
• Understand the role of the Data Protection Officer (DPO) within the organization and the role he / she plays
• The need for, and proper use of, the forms and procedures adopted to implement this policy.
• The importance of limiting access to Personal Data, such as by using password protected screen savers and logging out when systems are not being attended by an authorized person.
• Securely storing manual files, print outs and electronic storage media.
• Any special risks associated with particular departmental activities or duties.
16 Monitoring of the Effectiveness of the Policy
More precisely, to confirm that an adequate level of compliance is being achieved by IMPERIO, the DPO carries out an annual data protection compliance audit for IMPERIO. Each audit, as a minimum, assesses compliance with policy in relation to the protection of Personal Data, including:
• The conformity of employees’ activities.
• The assignment of responsibilities.
• Raising awareness.
• Training of employees.
The DPO, in cooperation with key business stakeholders, devises a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies identified are reported to and monitored by IMPERIO Management team.
17 Consequences of Failing to Comply