Data Protection Policy

The data protection policy lays the foundation for the procedures and guidelines concerning data protection, which further specify the provisions laid down in the policy and guide their application in practice.

Data protection is closely linked to information security. The principles concerning information security are defined in Emergy’s information security policy.

Principles Concerning Personal Data Protection

The right to personal data protection is a fundamental right for everyone.

  • Emergy plans its personal data processing in advance. The processing is lawful, fair, and transparent, and personal data are processed for a specific purpose in accordance with a legal basis laid down by law.
  • Emergy processes data only to the extent and for as long as it is necessary for the specified purpose of use.
  • Emergy aims to ensure the accuracy of the data used, and the data are updated with information obtained from the persons themselves or from reliable sources. When the data are no longer necessary for their purpose of use, the data are erased appropriately.
  • Personal data protection also refers to everyone’s right to have access to the data collected about them, as well as the right to have any inaccurate personal data rectified and any unnecessary data erased.

Ensuring Data Protection

Emergy has a risk-based approach to data protection. The management of data protection risks is part of Emergy’s risk management process. To ensure the effective implementation of data protection, Emergy conducts data protection risk assessments during the planning phase of personal data processing and as part of its annual risk assessment. In addition, data protection impact assessments are always conducted in situations specifically determined by the law and official guidelines. The results of the above-mentioned assessments are used in determining technical and organizational measures to reduce the risk level of personal data processing throughout the life cycle of the data. At the same time, Emergy ensures compliance with the requirements of data protection legislation.

Emergy ensures that the data subjects’ rights are implemented in accordance with the EU General Data Protection Regulation by informing the data subjects about the processing of data and by determining procedures and guidelines for situations where data subjects wish to exercise their rights.

Emergy ensures the implementation of data protection by documenting personal data processing practices and by issuing related instructions. Through training and communication, Emergy ensures its employees’ sufficient data protection competence. New employees are systematically provided with induction training on data protection. This is particularly highlighted in positions that involve personal data processing and carrying out processes to implement data subjects’ rights.

As a data controller, Emergy can outsource personal data processing to a service provider. Emergy cooperates only with personal data processors that comply with good processing practices by means of appropriate technical and organizational measures, meet the requirements of the EU General Data Protection Regulation, and can ensure the implementation of data subjects’ rights. Emergy concludes written agreements with personal data processors in accordance with the law.

Procedure When Data Protection is Compromised

Emergy aims to protect personal data from data breaches – that is, accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to data. Emergy has determined the process to be applied in connection with data breaches. Everyone has an obligation to report any suspected or detected data breaches without delay, in accordance with separate instructions.

If data protection is suspected to have been compromised, the issue is investigated immediately. Representatives of the business unit in question, the information security and risk management teams, and a Data Protection Officer will participate in the investigation as necessary. Emergy documents all data breaches in compliance with legal requirements and reports confirmed data breaches to the data protection authorities as required. In the event of a data breach, Emergy also immediately informs the person whose data protection is compromised, when required by the EU General Data Protection Regulation.