Data Processing Policy and Procedures

Document Owner: Glowing.io

Effective Date: 27/09/2024

Version: 3

Document Approver: Daniel Loscheck

Table of Contents

Overview and Scope

Purpose

Scope

Data Protection Officer (DPO)

Data Accuracy

Data Security

Lawful Basis for Processing Personal Data

Special Categories of Personal Data

Personal Data Relating to Criminal Convictions and Offenses

Automated Decision-Making and Profiling

Personal Data Breaches

Joint Controllership

Data Processing Agreement (DPA)

Data Protection Impact Assessment (DPIA)

Data Transfers

Privacy Program Members

Annual Review

Overview and Scope

Glowing.io has established a formal personal data protection policy and supporting procedures related to the protection of personal data.

Purpose

This policy and supporting procedures are designed to provide Glowing.io with formalized internal guidelines relating to the processing of personal data. All documented procedures will be followed and adhered to for any personal data processing related activities within the Company.

Scope

This policy and supporting procedures cover all personal data processing activities within Glowing.io system components.

System components are defined as those that are owned, operated, maintained, and controlled by Glowing.io. The term “system components” refers to any application, server, and/or database that is involved in the processing of personal data.

Data Protection Officer (DPO)

Glowing.io has assigned Daniel Loscheck as the DPO. The DPO is responsible for overseeing compliance with established data processing policies and procedures. Specific responsibilities of the DPO include:

  • Ensuring that the organization complies with data protection laws, including the GDPR. This involves staying up to date with relevant regulations and assessing the Company’s practices against these laws.
  • Educating Company personnel on data protection laws and best practices to ensure that employees are aware of their data protection responsibilities.
  • Developing and maintaining data protection policies and procedures.
  • Serving as a point of contact for data subjects to exercise their rights for access, rectification, erasure, and data portability, and ensuring that data subject access requests are actioned appropriately.
  • Performing Data Protection Impact Assessments (DPIAs) where necessary.
  • Handling data subject inquiries and complaints regarding data protection practices.

Data Accuracy

Ensuring data accuracy is a fundamental aspect of responsible and compliant data processing. Glowing.io is committed to maintaining the accuracy, completeness, and currency of personal data. Glowing.io takes the following reasonable steps to ensure that personal data processed is accurate, complete, and up to date.

Data Validation During Collection

When personal data is collected from data subjects, the following automated steps will be implemented to ensure that the data is accurate and valid:

  • Automated edit checks within form fields
  • Pop-up confirmation of personal details prior to submission

Periodic Data Review

Glowing.io will perform a data validation review at least annually to ensure that any automated collection validation mechanisms are performing as intended. Any issues identified will be escalated and an action plan implemented to remediate them. If pervasive issues related to data accuracy are identified during this review, Glowing.io will contact data subjects to verify that their personal data is accurate.

Data Subject Access/Modification/Erasure/Portability Requests

Glowing.io acts as a data processor for any personal data obtained through our managed platform. Any requests from data subjects (data subject access requests, or DSARs) will be forwarded to the relevant data controller(s) to action. Glowing.io is not responsible for resolving such DSARs and will only be responsible for forwarding requests to the relevant data controller(s). All DSARs will be documented and tracked within Jira and assigned an appropriate “Data Subject Access”, “Data Subject Modification”, “Data Subject Erasure”, or “Data Subject Portability” request identifier. Requests will be forwarded to the relevant data controller(s) within one week of receipt.

Data Subject Complaints

Data subjects have the right to lodge a complaint with a supervisory authority if they believe that their rights under the GDPR have been violated. Data subjects can contact the supervisory authority in their country or the one where the alleged infringement occurred. For a listing of all supervisory authorities within the EU, please visit the European Data Protection Board’s list of members.

Data Relevance

Glowing.io will only process personal data for purposes for which it is necessary and relevant. Excessive personal data not needed for processing purposes will be deleted or anonymized.

Data Security

Glowing.io will employ the following technical measures to ensure the security of any personal data that is processed:

  • Encrypting all personal data at rest using AES-256 encryption
  • Encrypting all personal data in transit using TLS 1.2 at minimum
  • Encrypting all employee workstations where personal data is maintained
  • Utilizing an anti-malware solution on all employee workstations where personal data is maintained

Lawful Basis for Processing Personal Data

Any processing of personal data must be carried out under a lawful basis. Glowing.io will only process personal data based on the following lawful bases:

Consent

Glowing.io acts as a data processor and therefore relies on the data controller to obtain consent prior to Glowing.io processing personal data. Any requests from data subjects for consent withdrawal will be forwarded to the data controller for processing. Consent withdrawal requests will be documented and tracked within Jira, and assigned a “Consent Withdrawal” identifier. Requests will be forwarded to the data controller within two business days of receipt.

Contractual Necessity

Where data processing for the performance of a contract to which the data subject is a party or for pre-contractual measures is necessary, personal data will be processed accordingly. This lawful basis will be clearly defined within the Company’s posted Privacy Policy. If a contract addendum or termination takes place, the basis for processing the personal data of the data subject will be re-assessed and modified as needed.

Legal Obligation

Where data processing may be required to comply with legal obligations that the Company is subject to, personal data will be processed accordingly. This includes, but is not limited to, financial reporting and compliance with regulatory requirements. The Company will ensure that the personal data processed is only the minimum amount necessary to comply with the defined legal obligations.

Legitimate Interests

Personal data may be processed based on legitimate interests which allow the Company to pursue business objectives, only if these interests do not override the data subject’s interests, fundamental rights, and freedoms. A DPIA will be performed to determine the validity of the legitimate interests and their impact on data privacy compliance efforts. The DPIA will be documented and approved by the DPO.

Vital Interests

If situations arise whereby the processing of personal data is necessary to protect the safety, health, and/or well-being of an individual, the personal data will be processed accordingly. It is at the Company’s discretion to determine what constitutes a vital interest.

Public Task

Personal data may be processed in situations whereby it is necessary to perform a task carried out in the public interest, in the exercise of official authority vested in us as the data controller, or on behalf of data processors.

Consent of a Child

In situations where the processing of personal data relates to a data subject under the age of 16, data will only be processed if appropriate parental or guardian authorization is obtained. Glowing.io operates as a data processor and therefore relies on the data controller to obtain appropriate parental or guardian authorization prior to Glowing.io processing the personal data of data subjects under the age of 16.

The lawful bases documented above will be clearly defined within the Company’s posted Privacy Policy.

Special Categories of Personal Data

As part of Glowing.io’s service offering, there may be instances where special categories of personal data are required to be obtained for processing. These categories are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health-related data
  • Data concerning a person’s sex life or sexual orientation

Prior to processing this data, explicit consent must be obtained from the data subject. Glowing.io operates as a data processor and therefore relies on explicit consent to be obtained by the data controller prior to processing such special categories of personal data.

Personal Data Relating to Criminal Convictions and Offenses

Glowing.io may process personal data related to criminal convictions and offenses only under the control of official authority or when the processing is authorized by Union or Member State law. Glowing.io will only process such data if it is necessary for the prevention or detection of crime, or the apprehension or prosecution of offenders, provided that we, whether as a data controller or as a data processor, are authorized by Union or Member State law to do so. Glowing.io will ensure that appropriate authorization is obtained from official authorities within Member States in order to abide by Union or Member State law.

Automated Decision-Making and Profiling

Automated Decision-Making

Automated decision-making and profiling processes are any processes that use algorithms, automated systems, or machine learning to make decisions or evaluate individuals without human intervention. Any automated decision-making mechanisms implemented will be compliant with relevant regulations. Specifically, data subjects have the right to understand the logic, significance, and potential consequences of automated decisions that affect them. Data subjects also have the right to request human intervention in the decision-making process. Information regarding any automated decision-making mechanisms that are active will be reflected in the Company’s posted Privacy Policy. Requests for human intervention in the decision-making process will be forwarded to the DPO at daniel@glowing.io, after which they will be assessed for validity. All requests will be documented and tracked within Jira and assigned a “Human Intervention Request” identifier. Any requests deemed to be invalid will be marked with an “Invalid” indicator. Valid requests will be actioned by an appropriate system owner ASAP, and the appropriate human decision(s) communicated to the data subject no later than two business days after the request is received.

Profiling

Profiling involves the automated processing of personal data to evaluate certain aspects of an individual, which can be used to analyze or predict behavior, preferences, interests, reliability, or location. Informed consent will be communicated to data subjects via the Company’s posted Privacy Policy prior to any profiling mechanisms being implemented. Any profiling mechanisms implemented will be compliant with relevant regulations. Specifically, data subjects have the right to object to profiling. Opt-out mechanisms will be provided to data subjects in situations related to profiling. Profiling mechanisms will be proportionate to the purposes they serve. A DPIA will be performed prior to the implementation of any profiling mechanisms to determine their impact on data privacy compliance efforts. The DPIA will be documented and approved by the DPO.

Continuous Monitoring

Automated decision-making or profiling mechanisms will be continuously monitored to ensure that the processes are compliant with data protection requirements and best practices. Changes to automated algorithms in the automated decision-making or profiling mechanisms will follow the standard change control process and will be monitored and approved prior to implementation. An annual DPIA related to the automated decision-making or profiling process will be performed to help identify risks and measures to mitigate them.

Personal Data Breaches

In the event of a personal data breach, Glowing.io will communicate the breach to the applicable data controller ASAP after the breach is identified, unless the breach is determined to be immaterial in nature, in which case communication is not required. If the breach cannot be communicated within the timeframe noted above, Glowing.io will formally document and provide rationale for the delay.

Joint Controllership

Glowing.io may act as a joint controller with other parties, and will ensure that a formal contract is executed that clearly outlines each organization’s responsibilities with regard to complying with appropriate data protection laws and regulations prior to entering into a joint controllership agreement with another party.

Data Processing Agreement (DPA)

Prior to commencing data processing activities, Glowing.io will ensure that a DPA is executed with the applicable data controller that outlines the expected processing activities that our organization will adhere to, and will take appropriate efforts to ensure that the commitments defined within the DPA are achieved. Additionally, Glowing.io will only process personal data based on the explicit instructions outlined by the data controller in the DPA.

Data Protection Impact Assessment (DPIA)

Prior to initiating new data processing activities or modifying existing data processing activities involving personal data, Glowing.io will ensure that a DPIA is executed to identify and mitigate any risks associated with the new data processing activities. The DPIA will be performed by the DPO, or another appropriate privacy program representative, and formally documented. If the results of the DPIA indicate that the nature of the new data processing activities poses risks to the organization at a level of criticality that is not acceptable or that cannot be mitigated, Glowing.io will refrain from adopting the data processing activities. Additionally, Glowing.io shall consult the appropriate supervisory authority in situations where new data processing activities are deemed to be high risk prior to implementing the data processing activities.

Data Transfers

Prior to transferring personal data to countries outside of the EU or European Economic Area (EEA), Glowing.io will ensure that the personal data is appropriately protected and secured during transfer using the technical measures noted in Section 7 above. Additionally, Glowing.io will ensure that a legal basis is established for the transfer of personal data prior to initiating the transfer. This may include (but is not limited to) incorporating Standard Contractual Clauses (SCCs) approved by the European Commission within any active contract related to the data transfer, and/or relying on Binding Corporate Rules (BCRs). Glowing.io will perform a DPIA prior to initiating the data transfer process, and assess the scope and risk of the data transfer. Any risks identified that cannot be adequately mitigated will be communicated to the affected data subject(s) and data importer(s) prior to initiation of the data transfer process.

Privacy Program Members

Annual Review

This policy and the procedures within will be reviewed and approved by the DPO at least annually and updated as necessary to align with data protection laws and best practices. Any changes affecting data subject rights, data processing procedures, or data protection processes will be communicated to data subjects and stakeholders through appropriate channels.