The data protection policy lays the foundation for procedures and guidelines concerning data protection, which further specify the provisions laid down in the policy and guide their application in practice.
Data protection is closely linked to information security. The principles concerning information security are defined in Emergy’s information security policy.
The right to personal data protection is a fundamental right for everyone.
Emergy has a risk-based approach to data protection. The management of data protection risks is part of Emergy’s risk management process. To ensure the effective implementation of data protection, Emergy conducts data protection risk assessments during the planning phase of personal data processing and as part of its annual risk assessment. In addition, data protection impact assessments are always conducted in situations specifically determined by the law and official guidelines. The results of the abovementioned assessments are used in determining technical and organizational measures to reduce the risk level of personal data processing throughout the life cycle of the data. At the same time, Emergy ensures compliance with the requirements of data protection legislation.
Emergy ensures that the data subjects’ rights are implemented in accordance with the EU General Data Protection Regulation by informing the data subjects about the processing of data and by determining procedures and guidelines for situations where data subjects wish to exercise their rights.
Emergy ensures the implementation of data protection by documenting personal data processing practices and by issuing related instructions. Through training and communication, Emergy ensures its employees’ sufficient data protection competence. New employees are systematically provided with induction training on data protection. This is particularly highlighted in positions that involve personal data processing and carrying out processes to implement data subjects’ rights.
As a data controller, Emergy can outsource personal data processing to a service provider. Emergy only cooperates with such personal data processors that comply with good processing practices by means of appropriate technical and organizational measures, meet the requirements of the EU General Data Protection Regulation, and can ensure the implementation of data subjects’ rights. Emergy concludes written agreements with personal data processors in accordance with the law.
Emergy aims to protect personal data from data breaches – that is, accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to data. Emergy has determined the process to be applied in connection with data breaches. Everyone has an obligation to report any suspected or detected data breaches without delay, in accordance with separate instructions.
If data protection is suspected to have been compromised, the issue is investigated immediately. Representatives of the business unit in question, the information security and risk management teams, and a Data Protection Officer will participate in the investigation as necessary. Emergy documents all data breaches in compliance with legal requirements and reports confirmed data breaches to the data protection authorities as required. In the event of a data breach, Emergy also immediately informs the person whose data protection is compromised, when required by the EU General Data Protection Regulation.