+44 207 183 3221  ·  info@etindex.com   

Level 39, One Canada Square, Canary Wharf, London E14 5AB

Engaged Tracking (ET) Index Ltd (trading as 'Engaged Tracking') ©2019. Company registration number: 08876852.


LEGAL

DATA POLICY BREACH

  1. Scope

    1. This procedure applies in the event of a personal data breach under Article 33 of the GDPR – Notification of a personal data breach to the supervisory authority – and Article 34 – Communication of a personal data breach to the data subject.

    2. The GDPR draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. Each organisation should establish whether it is a data controller or a data processor for the same data processing activity, or whether it is a joint controller.

 

  2. Responsibility

    1. All users (whether Employees/Staff, contractors or temporary Employees/Staff and third-party users) of Engaged Tracking (ET) Index Ltd. are required to be aware of, and to follow, this procedure in the event of a personal data breach.

    2. All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to the Data Protection Officer.

 

  3. Procedure – Breach notification data controller to supervisory authority

    1. Engaged Tracking (ET) Index Ltd. determines whether the supervisory authority needs to be notified in the event of a breach.

    2. Engaged Tracking (ET) Index Ltd. assesses whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting regular impact assessments (including data breach).

    3. If a risk to data subject(s) is likely, Engaged Tracking (ET) Index Ltd. reports the personal data breach to the supervisory authority (in the UK it is the ICO) without undue delay, and not later than 72 hours.

    4. If the data breach notification to the supervisory authority is not made within 72 hours, Engaged Tracking (ET) Index Ltd.’s Data Protection Officer submits it electronically with a justification for the delay.

    5. If it is not possible to provide all the necessary information at the same time, Engaged Tracking (ET) Index Ltd. will provide the information in phases without undue further delay.

    6. The following information needs to be provided to the supervisory authority:

      1. A description of the nature of the breach.

      2. The categories of personal data affected.

      3. Approximate number of data subjects affected.

      4. Approximate number of personal data records affected.

      5. Name and contact details of the Data Protection Officer.

      6. Consequences of the breach.

      7. Any measures taken to address the breach.

      8. Any information relating to the data breach.

    7. The Data Protection Officer notifies the supervisory authority, the ICO.

    8. In the event the supervisory authority assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach Register.

    9. The breach notification is made by our DPO.

 

  4. Procedure – Breach notification data controller to data subject

    1. If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Engaged Tracking (ET) Index Ltd. notifies the affected data subjects immediately.

    2. The notification to the data subject describes the breach in clear and plain language, in addition to information specified in clause 3.6 above.

    3. Engaged Tracking (ET) Index Ltd. takes measures to render the personal data unusable to any person who is not authorised to access it, using encryption.

    4. The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to occur.

    5. If the breach affects a high volume of data subjects and personal data records, Engaged Tracking (ET) Index Ltd. makes a decision based on an assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder Engaged Tracking (ET) Index Ltd.’s ability to appropriately provide the notification within the specified time frame. In such a scenario, a public communication or similar measure informs those affected in an equally effective manner.

    6. If Engaged Tracking (ET) Index Ltd. has not notified the data subject(s), and the supervisory authority considers that the data breach is likely to result in high risk, Engaged Tracking (ET) Index Ltd. will communicate the data breach to the data subject.

    7. Engaged Tracking (ET) Index Ltd. documents any personal data breach(es), incorporating the facts relating to the personal data breach, its effects and the remedial action(s) taken.