Purpose
To ensure [Organisation] processes personal data lawfully, fairly and transparently, and upholds the rights of data principals.
Scope
Applies to all processing of personal data by [Organisation], its employees and its processors.
Principles
- Personal data is collected for specified, lawful purposes with a valid basis (e.g. consent).
- Only the data necessary for the purpose is collected and retained.
- Data principals can exercise access, correction, completion and erasure rights.
- Records of processing activities (RoPA) are maintained.
- Processors are bound by agreements and assessed for adequate safeguards.
- Retention is time-bound and data is securely erased when no longer needed.
Breach handling
Personal-data breaches are managed under the Incident Response Policy and reported within applicable regulatory timelines.
Review
Reviewed annually and whenever processing activities or regulations change.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
