Purpose and Scope
FART SA, henceforth referred to as the “Organisation”, is committed to complying with the applicable laws and regulations on the protection of personal data in the countries where it operates, in this case the Swiss nLPD.
This policy defines the fundamental principles according to which the organisation processes the personal data of its customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its departments and employees in the processing of personal data.
This policy applies to the organisation and its direct or indirect subsidiaries that conduct business within Switzerland or the European Economic Area, or that process personal data of data subjects in those areas.
The addressees of this policy are all employees, whether temporary or permanent.
The principles of nLPD
The data protection principles set out the basic responsibilities (accountability) of organisations that process personal data: “The data controller is responsible for compliance with these principles and must be able to demonstrate that its processing operations comply with these principles.”
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and transparently in relation to the data subject.
Purpose limitation
Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Where this reduces risks to data subjects, the organisation must apply anonymisation or pseudonymisation to personal data; note that pseudonymised data remain personal data as long as the key or other means of re-identification exists.
Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are erased or rectified in a timely manner.
Limitation of storage period
Personal data must be kept for a period no longer than is necessary for the purposes for which the data are processed.
Integrity and confidentiality
Taking into account the state of the art and other available security measures, the costs of implementation, and the likelihood and severity of risks to personal data, the organisation must use appropriate technical and organisational measures to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Responsibilities
The data controller is responsible for compliance with these principles and must be able to demonstrate that its processing operations comply with them.
Collection
The organisation must seek to collect as little personal data as possible. If personal data are collected by a third party on the organisation’s behalf, the Data Controller must ensure that the personal data are collected in accordance with the law.
Use, storage and disposal
The organisation must maintain the accuracy, integrity, confidentiality and relevance of personal data according to the purpose of processing. Adequate security mechanisms must be used to protect personal data from theft or misuse and to prevent personal data breaches. The Data Controller is responsible for compliance with the requirements listed in this section.
Disclosure to third parties
Whenever the organisation uses a third-party provider or business partner to process personal data on its behalf, the Data Controller must ensure that this party provides security measures commensurate with the associated risks. For this purpose, a compliance questionnaire must be used.
The supplier or business partner shall process personal data only to fulfil its contractual obligations to the organisation or on the organisation’s instructions and not for any other purpose. When the organisation processes personal data jointly with an independent third party, the organisation shall explicitly specify the respective responsibilities in the respective contract or in any other legally binding document, such as the supplier’s Data Processing Agreement.
Cross-border transfer of personal data
Appropriate safeguards, including the signing of a data transfer agreement as required by the European Union, must be in place before transferring personal data outside the Swiss Confederation and the European Economic Area (EEA) and, where necessary, authorisation must be obtained from the data protection authority. The entity receiving the personal data must comply with the personal data processing principles set out in the Cross-Border Data Transfer Procedure.
Data subjects’ access rights
When acting as a data controller, the organisation is required to provide data subjects with a reasonable access mechanism that allows them to access their personal data and must allow them to update, correct, delete or transmit their personal data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
Data portability
Data subjects have the right to receive, upon request, a copy of the data they have provided, in a structured format, and to transmit such data to another data controller free of charge. The Data Controller is responsible for ensuring that such requests are processed within one month, that they are not excessive, and that fulfilling them does not affect the personal data rights of other persons.
Right to be forgotten
Upon request, the data subject has the right to obtain from the organisation the deletion of his or her personal data. When the organisation acts as data controller, the Data Controller must take the necessary actions (including technical measures) to inform third parties that use or process those data, so that they too comply with the request.
Organisation and responsibility
The responsibility for ensuring the proper processing of personal data rests with everyone who works within the organisation or on its behalf and has access to the personal data it processes.
The Board of Directors makes decisions and approves the organisation’s general data protection strategies.
The Data Protection Advisor (DPO), whether internally or externally appointed, or any other employee identified as the contact person for the PIMS (Privacy Management System), is responsible for managing the data protection programme and for developing and promoting end-to-end data protection procedures.
The person responsible for this document is the Data Controller, who is responsible for reviewing it and, if necessary, updating it, at least annually.