Data Protection Policy

Secure Handling of Personal Information

Document Version: 1.0
Effective Date: August 2025
Last Updated: August 2025
Policy Owner: Data Protection Officer
Review Cycle: Annual


1. Purpose and Scope

1.1 Purpose

This Data Protection Policy establishes UIS’s commitment to protecting personal information and ensuring compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy legislation.

1.2 Scope

This policy applies to all UIS employees, contractors, third-party service providers, and any individual or entity that processes personal data on behalf of UIS.

1.3 Policy Statement

UIS is committed to maintaining the highest standards of data protection and privacy. We recognize that personal data is a valuable asset that must be protected through appropriate technical, organizational, and administrative safeguards.


2. Definitions

Personal Data/Information: Any information relating to an identified or identifiable natural person, including but not limited to names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

Data Subject: The identified or identifiable natural person to whom personal data relates.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of the data controller.

Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.


3. Data Protection Principles

UIS adheres to the following fundamental data protection principles:

3.1 Lawfulness, Fairness, and Transparency

  • Personal data must be processed lawfully, fairly, and transparently
  • Clear and accessible privacy notices must be provided
  • Processing must have a valid legal basis

3.2 Purpose Limitation

  • Personal data must be collected for specified, explicit, and legitimate purposes
  • Data cannot be processed for purposes incompatible with the original collection purpose

3.3 Data Minimization

  • Personal data collection must be adequate, relevant, and limited to what is necessary
  • Only data essential for the stated purpose should be collected and processed

3.4 Accuracy

  • Personal data must be accurate and kept up to date
  • Inaccurate data must be corrected or erased without delay

3.5 Storage Limitation

  • Personal data must be kept only as long as necessary for the processing purposes
  • Clear retention schedules must be established and followed

3.6 Integrity and Confidentiality

  • Personal data must be processed securely using appropriate technical and organizational measures
  • Protection against unauthorized processing, loss, destruction, or damage is mandatory

3.7 Accountability

  • UIS must demonstrate compliance with data protection principles
  • Records of processing activities must be maintained

4. Legal Basis for Processing

UIS processes personal data only when one or more of the following legal bases apply:

  • Consent: The data subject has given clear, specific, and informed consent
  • Contract: Processing is necessary for contract performance or pre-contractual measures
  • Legal Obligation: Processing is required to comply with legal obligations
  • Vital Interests: Processing is necessary to protect vital interests of the data subject or another person
  • Public Task: Processing is necessary for tasks carried out in the public interest
  • Legitimate Interests: Processing is necessary for legitimate interests, provided these do not override data subject rights

5. Data Subject Rights

UIS recognizes and facilitates the following data subject rights:

5.1 Right to Information

  • Transparent information about data processing activities
  • Clear privacy notices at the point of data collection

5.2 Right of Access

  • Individuals can request copies of their personal data
  • Information about processing purposes, categories, and recipients

5.3 Right to Rectification

  • Correction of inaccurate or incomplete personal data
  • Prompt action to update records

5.4 Right to Erasure (“Right to be Forgotten”)

  • Deletion of personal data when legally permissible
  • Consideration of legitimate grounds for retention

5.5 Right to Restrict Processing

  • Limitation of processing in specific circumstances
  • Marking of restricted data

5.6 Right to Data Portability

  • Provision of personal data in structured, machine-readable format
  • Direct transmission to another controller when feasible

5.7 Right to Object

  • Objection to processing based on legitimate interests or direct marketing
  • Cessation of processing unless compelling legitimate grounds exist

5.8 Rights Related to Automated Decision-Making

  • Protection against solely automated decision-making
  • Right to human intervention and explanation

6. Security Measures

6.1 Technical Safeguards

  • Encryption: Data encryption in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, and secure network architectures
  • Data Backup: Regular, secure backups with tested recovery procedures
  • System Monitoring: Continuous monitoring for security incidents and anomalies

6.2 Organizational Safeguards

  • Staff Training: Regular data protection and security awareness training
  • Clear Policies: Documented procedures for data handling and incident response
  • Regular Audits: Periodic security assessments and compliance reviews
  • Vendor Management: Due diligence and contractual protections for third-party processors
  • Incident Response: Defined procedures for breach detection, response, and notification

6.3 Physical Safeguards

  • Facility Security: Controlled access to facilities containing personal data
  • Equipment Protection: Secure disposal of hardware and storage media
  • Clean Desk Policy: Protection of physical documents and workspaces

7. Data Retention and Disposal

7.1 Retention Schedules

  • Personal data is retained only for as long as necessary for the processing purposes
  • Specific retention periods are defined based on legal requirements and business needs
  • Regular reviews ensure timely deletion of expired data

7.2 Secure Disposal

  • Secure deletion procedures for electronic data using certified methods
  • Physical destruction of paper documents and storage media
  • Certificate of destruction obtained from disposal vendors

8. International Data Transfers

8.1 Transfer Mechanisms

  • Adequacy decisions recognized by relevant data protection authorities
  • Standard Contractual Clauses (SCCs) or approved codes of conduct
  • Binding Corporate Rules (BCRs) where applicable
  • Explicit consent for transfers in specific circumstances

8.2 Transfer Safeguards

  • Assessment of destination country privacy laws and practices
  • Implementation of additional safeguards where necessary
  • Regular monitoring of transfer arrangements

9. Third-Party Data Processing

9.1 Vendor Selection

  • Due diligence assessment of data protection capabilities
  • Evaluation of security measures and compliance status
  • Reference checks and security certifications review

9.2 Contractual Requirements

  • Data Processing Agreements (DPAs) with all processors
  • Clear definition of processing purposes and restrictions
  • Security obligations and incident notification requirements
  • Rights to audit and monitor compliance

10. Data Breach Management

10.1 Incident Detection

  • Continuous monitoring systems for breach detection
  • Clear reporting channels for suspected incidents
  • Rapid escalation procedures

10.2 Incident Response

  • Immediate containment and assessment of the breach
  • Documentation of incident details and impact
  • Risk assessment and mitigation measures
  • Notification to authorities within 72 hours where required
  • Communication to affected data subjects when necessary

10.3 Post-Incident Activities

  • Root cause analysis and lessons learned
  • Implementation of corrective measures
  • Review and update of security procedures

11. Privacy Impact Assessments

11.1 When Required

  • New processing activities with high privacy risks
  • Changes to existing processing that increase risk
  • Use of new technologies or systematic monitoring

11.2 Assessment Process

  • Identification of processing activities and data flows
  • Risk assessment and impact evaluation
  • Consultation with Data Protection Officer
  • Implementation of risk mitigation measures

12. Governance and Accountability

12.1 Data Protection Officer (DPO)

  • Independent oversight of data protection activities
  • Advisory role on compliance matters
  • Point of contact for data protection authorities
  • Training and awareness coordination

12.2 Data Protection Committee

  • Cross-functional oversight of data protection initiatives
  • Policy development and review
  • Incident response coordination
  • Compliance monitoring and reporting

12.3 Training and Awareness

  • Mandatory data protection training for all staff
  • Role-specific training for data handlers
  • Regular updates on regulatory changes
  • Awareness campaigns and communications

13. Monitoring and Compliance

13.1 Regular Assessments

  • Annual compliance audits and assessments
  • Monitoring of data protection metrics and KPIs
  • Review of policies and procedures
  • Gap analysis and improvement recommendations

13.2 Documentation and Records

  • Maintenance of processing activity records
  • Documentation of compliance measures
  • Retention of consent records and legal basis determinations
  • Incident logs and response documentation

14. Policy Review and Updates

This policy is reviewed annually or following significant changes in:

  • Applicable data protection laws and regulations
  • UIS business operations or technology systems
  • Industry best practices and standards
  • Incident response experiences and lessons learned

All updates must be approved by the Data Protection Committee and communicated to relevant stakeholders.


Document Control:

  • Approved by: Principal
  • Approval Date: May 2025
  • Next Review Date: May 2025
  • Version History: 1.1.1

This policy is subject to applicable laws and regulations. In case of conflicts between this policy and legal requirements, the legal requirements shall prevail.