
CLIENT DATA POLICY

UPDATED APRIL 2018

INTRODUCTION

We (hSenid Business Solutions) hold personal data about our employees, clients, suppliers (such as
AWS and Amazon hSenid Services) and other entities/persons, including those we transact with for a
variety of business purposes, some on behalf of our clients.

This Policy sets out how hSenid seeks to protect data belonging to clients and their staff (and other
parties such as the clients’ consultants, contractors, etc.) and to ensure that all stakeholders understand
the rules governing their use of the personal data to which they have access in the course of their
work/employment.

hSenid is committed to protecting the rights and freedoms of data subjects and to safely and securely
processing their data in accordance with all legal obligations wherever applicable. Any laws relating
to data protection that may come into effect in the future shall automatically apply to the said data
(hereinafter referred to as “Personal Data”).

DEFINITIONS

BUSINESS PURPOSES
The purposes for which Data may be used by us: personnel, implementation, administrative, financial,
regulatory, payroll and business development purposes and partner management, which include:

  o Compliance with our legal, regulatory and corporate governance obligations and good practice.
  o Gathering information as part of investigations by regulatory bodies or in connection with legal
    proceedings or requests.
  o Ensuring that business and operational policies are adhered to (such as policies covering email
    and internet use).
  o Operational reasons, such as recording transactions, training and quality control, ensuring the
    confidentiality of commercially sensitive information, security vetting, credit scoring and checking.
  o Investigating complaints.
  o Marketing our business.
  o Improving services.
  o Implementation, commissioning of projects/solutions and providing support.
  o Enrolling and managing business partners.

PERSONAL DATA
‘Personal Data’ means any information relating to an identified or identifiable natural person. An
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person, and things that can be assigned to a person such as a telephone number, credit
card or bank account, insurance policy number or vehicle registration number.

Personal Data hSenid gathers may include: clients' phone number, email address, educational
background, financial and pay details, details of certificates and diplomas, education and skills, marital
status, nationality, job title, and CV. (Refer to the scope of data to get a broad idea.)

As per international standards, since Personal Data includes “any information,” one must assume that
the term “personal data” should be interpreted as broadly as possible.

DATA SUBJECTS
Any data elements belonging to the clients.

SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of data include information about a client's racial or ethnic origin, political
opinions/affiliation, religious or similar beliefs, trade union membership (or non-membership), physical
or mental health or condition, criminal records or related proceedings, and genetic and biometric
information. Any use of special categories of personal data should be strictly controlled in accordance
with this Policy.

DATA CONTROLLER
As a “Data Controller”, hSenid is bound to act as a natural or legal person, alone or jointly with others,
in determining the processing of Personal Data, where the purposes and means of such processing are
determined by data protection policy.

DATA PROCESSOR
As a “Data Processor”, hSenid is bound to act as a natural or legal person on behalf of the client.

DATA OWNER
A data owner is an hSenid who is accountable for a data asset and is bound by the obligations in this
Policy.

SUB PROCESSOR
Third party (entity or legal person) who uses data on behalf of hSenid.

PROCESSING
‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets
of Personal Data, whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.

DATA PROTECTION OFFICER (DPO)
The data protection officer ensures, in an independent manner, that an organization applies the laws
protecting clients’ Personal Data.

SUPERVISORY AUTHORITY
The supervisory authority of our organization shall for the time being be the CEO of the company as
the DPO, which authority he may delegate to a designated Officer.

SCOPE OF DATA

The scope of data covers selected client Personal Data of natural persons: identification data, particularly
name, surname, address, date of birth, national identification number and personal contact data, in
written, electronic, verbal or other form; telephone or electronic communication; business and
organizational links to entrepreneurs; contact links; and salary-related data characterizing the client’s
solvency and credibility, including appropriate documents for their assessment.

Examples include the client’s financial statements, data describing the business and marketing
characteristics of the client, data provided by the client, data on administrators’ services and product
usage, data on access to and usage of hSenid pages (including data provided by the client, and the place
and time of usage), data on payment and other financial operations, and other financial indicators and
statements.

All data of the client as a legal person, especially identification data, financial statements and other data
characterizing the client’s solvency and credibility, and appropriate data for their assessment.

OBJECTIVES OF THIS POLICY

• To ensure that client-sensitive data hSenid identifies is protected from unauthorized access, and
  that action is taken to eliminate any such violation of the integrity and confidentiality of the
  client’s organization and its staff/stakeholder-related data.

• To implement rules relating to the protection of natural persons with regard to the processing of
  personal data and rules relating to the client’s personal data.

The DPO has overall responsibility for the day-to-day implementation of this Policy. You should
contact him or his nominee for further information about this Policy if necessary.

THE PRINCIPLES

hSenid will make every effort possible in every aspect to comply with these principles. The Principles
are:

1. Lawful, fair and transparent

Data collection must be fair, for a lawful purpose and hSenid must be open and transparent about
how the data will be used.

2. Limited for its purpose

Data can only be collected for a specific authorized purpose.

3. Data minimization

Any data collected must be necessary and not excessive for the purpose for which it is collected.

4. Up-to-date

The data hSenid holds must be up to date.

5. Retention

hSenid cannot store data longer than necessary. (The duration of data retention must be agreed
between hSenid and the client during the consent stage.)

6. Integrity and confidentiality

The data hSenid holds must be kept safe and secure, and retrievable as and when required.

To comply with data protection laws and the accountability and transparency principle of data security,
hSenid and its staff must demonstrate compliance. You are responsible for understanding your
particular responsibilities to ensure that hSenid meets the following data protection obligations:

• Fully implement all appropriate technical and organizational measures.

• Maintain up-to-date and relevant documentation on all processing activities.

• Conduct data protection impact assessments (monitoring and control of accessibility of data,
  user privileges, etc.).

• Implement measures to ensure privacy by design and default, including:

  o Data minimization (determine who sees what).
  o Transparency (visibility of what is happening with any data set referred to by hSenid staff for
    any business purpose).
  o Allowing authorized employees to monitor processing.
  o Creating and improving security and enhanced privacy procedures on an ongoing basis (using
    data protection audit results and non-conformities).
  o Maintaining real-time detailed records of data revisions/alterations, with logs pertaining to
    electronic data.
  o Careful and diligent disposal of unnecessary data after use (whether in printed form or
    otherwise).
  o Avoidance of inadvertent exposure of data to staff in general or to unauthorized persons
    (whether in printed form or otherwise).
  o Prevention of accidental data loss.

OUR PROCEDURES

FAIR AND LAWFUL PROCESSING

hSenid must process client personal data fairly and lawfully in accordance with client’s rights under the
first aforementioned Principle. This generally means that hSenid should not process personal data
unless the client whose details hSenid is processing has expressly consented in writing to such
processing.

If hSenid cannot apply a lawful basis (explained below), our processing shall not be deemed to
conform to the first principle and will be unlawful. Data owners have the right to have any data
unlawfully processed erased.

CONTROLLING VS. PROCESSING DATA

hSenid is classified as a data controller and data processor.

As a data processor, hSenid must comply with our contractual obligations and act only on the
documented instructions of the data controller. If hSenid at any point determines the purpose and
means of processing without the instructions of the controller, hSenid shall be considered a data
controller, will therefore be in breach of our contract with the controller, and will have the same liability
as the controller. As a data processor, hSenid must:

• Not use a sub-processor without written authorization of the data owner.
• Co-operate fully with the DPO or his nominee or other supervisory authority.
• Ensure the security of the processing.
• Keep accurate records of processing activities.
• Notify the controller (DPO) immediately of any Personal Data breaches.

If you are in any doubt about how hSenid handles data, contact the DPO for clarification.

LAWFUL BASIS FOR PROCESSING DATA

hSenid has established a lawful basis for processing data. It is our responsibility to verify the lawful
basis of any data you are working with and to ensure that all of your actions comply with that lawful
basis. At least one of the following conditions must apply whenever hSenid processes personal data:

1. Consent

Where hSenid holds recent, clear, explicit and defined consent for the client’s data to be processed for
a specific purpose (obtaining confirmation from the data owner prior to use of such data).

2. Contract

Where the processing is necessary to fulfil or prepare a contract for the client (for which purpose hSenid
would generally execute a Non-Disclosure Agreement with the client).

3. Legal obligation

Where hSenid has a legal obligation to process the data determined by the contract.

4. Vital interests

Where the methods of processing the data are necessary to protect the client’s sensitive data.

5. Ethical publicity

Where prior consent is sought from the data owner with respect to use of information for publicity,
business development or any other activity resulting in data being exposed to the public.

SPECIAL CATEGORIES OF PERSONAL DATA

WHAT ARE SPECIAL CATEGORIES OF PERSONAL DATA?

Previously known as “sensitive personal data”, this means data about a client that is more sensitive
and therefore requires added protection. This type of data could create significant risks to a person’s
fundamental rights and freedoms, for example by putting them at risk of discrimination. The special
categories include the following information about the client:

1. Dependent data
2. Emergency data
3. Qualifications
4. Bank details
5. Passport details
6. Attachments
7. Permanent Address
8. Contact address
9. Date of birth
10. NIC & Issue date
11. Race
12. Nationality
13. Blood Group
14. Civil Status
15. Gender
16. Married date
17. Divorced date
18. Details of compensation
19. Any User Defined Function (UDF marked as Privacy Data)

In most cases where hSenid processes special categories of personal data, hSenid will require the data
subject's explicit consent to do so, unless exceptional circumstances apply or hSenid is required to do so
by law (e.g. to comply with legal obligations). Any such consent will need to clearly identify what the
relevant data is, why it is being processed and to whom it will be disclosed/exposed.

The conditions for processing special categories of personal data must comply with the company data
protection policy. If hSenid does not have a lawful basis for processing special categories of data, that
processing activity must not commence, or if commenced must cease.

RESPONSIBILITIES

OUR RESPONSIBILITIES

• Ensuring dual control internally prior to sharing any information belonging to the client or
its employees.
• Analyzing and documenting the type of personal data hSenid holds.
• Checking procedures to ensure that they cover all the rights of the clients.
• Identifying the lawful basis for processing data.
• Ensuring consent procedures as described by this Policy.
• Implementing and reviewing procedures to detect breaches of the Policy and
investigate personal data breaches.
• Store data in safe, secure and conveniently retrievable ways.
• Assess the risk that could be posed to employee rights and freedoms should data be
compromised.
• Reviewing all data protection procedures and policies on a regular basis, data protection
training and advice for all staff members and those included in this policy at the induction and
as per a regular schedule. This should include all new recruits too.
• Answering questions on data protection from staff, board members and other stakeholders.
• Responding to individuals such as clients and employees who wish to know which data
relating to them is being held by hSenid.
• Checking and approving with third parties who handle the client’s data for any contracts or
agreement regarding data processing.
• Ensure all systems, services, software and equipment meet acceptable security standards.
• Checking and scanning security hardware and software regularly to ensure they are
functioning properly.
• Addressing data protection queries from clients, target audiences or media outlets.
• Coordinating with the DPO to ensure that all marketing initiatives adhere to the company’s Client
Data Policy.
• Fully understand your data protection obligations

• Check that any data processing activities you are dealing with comply with our Policy and are
justified.
• Do not use data in any unlawful way.
• Do not store data incorrectly, be careless with it or otherwise do anything that may
cause us to breach data protection laws and our policies through your actions.
• Comply with this Policy at all times.
• Raise any concerns, notify any breaches or errors, and report anything suspicious or
contradictory to this Policy or our legal obligations without any delay.

ACCURACY AND RELEVANCE

hSenid will ensure that any Personal Data is accurate, adequate, relevant and not excessive, given
the purpose for which it was obtained. hSenid will not process Personal Data obtained for one
purpose for another unrelated purpose unless the client concerned has agreed to this or would
otherwise reasonably be expected to know this.

The client may ask hSenid to correct inaccurate data relating to them. If you believe that information
is inaccurate, you should record the fact that the accuracy of the information is disputed and inform
the DPO.

DATA SECURITY

You must keep Personal Data secure against loss or misuse. Where other organizations process
Personal Data as a service on our behalf, the DPO will establish what, if any, additional specific data
security arrangements need to be implemented in contracts with those third-party organizations.

STORING DATA SECURELY

• In cases when data is stored on printed paper, it should be kept in a secure place where
unauthorized personnel cannot access it.
• Printed data should be shredded when it is no longer needed, and waste paper containing data
should never be kept lying exposed to others.
• Data stored on a computer should be protected by strong passwords that are changed
regularly.
• Data stored on CDs or backups must be encrypted or password protected and locked away
securely when they are not being used.
• The DPO must approve any cloud or other location used to store data.
• Servers containing personal data must be kept in a secure location (including cloud backups).
• Data should be regularly backed up in line with the company’s backup procedures.
• Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
• All possible technical measures must be put in place to keep data secure.

DATA RETENTION

hSenid must retain client personal data for no longer than is necessary. What is necessary will depend
on the circumstances of each case, taking into account the reasons that the Personal Data was
obtained, but should be determined in a manner consistent with our data retention guidelines.

(The duration of data retention must be agreed between hSenid and the client during the consent stage.)
RIGHTS OF DATA PROCESSOR AND CONTROLLER

Clients have rights to their data, which hSenid must respect and comply with, to the best of our ability.
hSenid must ensure that clients can exercise their rights in the following ways:

1. Right to be informed

• Providing privacy notices which are concise, transparent, intelligible and easily accessible,
conspicuous, free of charge, that are written in clear and plain language.
• Keeping a record of how hSenid uses personal data to demonstrate compliance with the
need for accountability and transparency.

2. Right of access

• Enabling the client’s authorized person to access their data.
• Allowing clients to be aware of and verify the data protection policy of the processing activities.

3. Right to rectification (if data being maintained by hSenid)

• hSenid must rectify or amend the data of the client if requested in the event it is
inaccurate or incomplete as intimated by the client.
• This can be with permission from the DPO or relevant person.

4. Right to erasure/removal

• An hSenid employee must delete or remove the client’s data where there is no compelling reason to
retain it.

5. Right to data portability (if only requested by the data owner)

• hSenid must provide the client with client data so that the client can reuse it for their own purposes or
across different services, upon authorization by both parties.
• hSenid must provide it in a commonly used, machine-readable format, and send it directly
to the requested party only.
• hSenid should provide data as mentioned above only to authorized persons, after
verifying their authority to receive such data.

7. Right to object

• hSenid must respect the right of client to object to data processing based on legitimate
interest or the performance of a public interest task.
• hSenid must respect the right of client to object to direct marketing, including profiling.
• hSenid must respect the right of client to object to processing their data for scientific and
historical research and statistics.

PRIVACY NOTICES

WHEN TO PROVIDE A PRIVACY NOTICE

A privacy notice must be provided at the time the data is obtained directly from the data subject. If
the data is not obtained directly from the data subject, the privacy notice must be provided within a
reasonable period of having obtained the data, but not later than 24 hours from obtaining the data.

The privacy notice must be provided at the latest when the first communication takes place.

If disclosure to another recipient is envisaged, then the privacy notice must be provided prior to the
data being disclosed.

WHAT TO INCLUDE IN A PRIVACY NOTICE

Privacy notices must be concise, transparent, intelligible, conspicuous and easily accessible. They are
provided free of charge and must be written in clear and plain language.

The following information must be included in a privacy notice to all data subjects:

• Identification and contact information of the data controller and the data protection officer.
• The purpose of processing the data and the lawful basis for doing so.
• The legitimate interests of the controller or third party, if applicable.
• The right to withdraw consent at any time, if applicable.
• The category of the personal data (only for data not obtained directly from the data subject).
• Any recipient or categories of recipients of the personal data.
• Detailed information on any transfers to third countries and the safeguards in place.
• The retention period of the data or the criteria used to determine the retention period,
including details of data disposal after the retention period.
• The right to lodge a complaint with the DPO, and internal complaint procedures.
• The source of the personal data, and whether it came from publicly available sources (only for
data not obtained directly from the data subject).
• Whether the provision of personal data is part of a statutory or contractual requirement or
obligation, and the possible consequences of any failure to provide the data (only for data
obtained directly from the data subject).

SUBJECT ACCESS REQUESTS

WHAT IS A SUBJECT ACCESS REQUEST?

Client has the right to receive confirmation that its data is being processed, access to its Personal Data
and supplementary information, which means the information should be provided with a privacy notice.

HOW HSENID DEALS WITH SUBJECT ACCESS REQUESTS

hSenid must provide the client with a copy of the information requested. This must occur
immediately, and within 12 hours hSenid endeavors to provide data subjects access to their
information in commonly used electronic formats and, where possible, to provide direct access to the
information through a remotely accessed secure system.

If the request is complex or requests are numerous, the deadline can be extended by mutual
agreement, but the client must be informed within one working day. You must obtain approval from
the DPO before extending the deadline.

hSenid can refuse to respond to certain requests, and can, in circumstances where the request is
manifestly unfounded or excessive, charge a fee. hSenid can request the client to specify the
information they are requesting.

DATA PORTABILITY REQUESTS

hSenid must provide the data requested in a structured, commonly used and machine-readable
format. This would normally be a CSV file, although other formats are acceptable. hSenid must
provide this data either to the client who has requested it, or to the data controller they have
requested it be sent to. This must be done free of charge and without delay and no later than two
working days from the request being received by hSenid. This can be extended based on complex
or numerous requests, but the employee must be informed of the extension within one working day
and you must first obtain express permission from the DPO.

RIGHT TO ERASURE

WHAT IS THE RIGHT TO ERASURE?

hSenid has a right to have its data erased and for processing to cease in the following
circumstances:

• Where the Personal Data is no longer necessary in relation to the purpose for which it was
originally collected and / or processed
• Where consent of client is withdrawn
• Where the client objects to processing and there is no overriding legitimate interest for
continuing the processing
• Where the Personal Data was unlawfully processed or otherwise in breach of data protection
laws
• To comply with a legal obligation

Personal Data must be retained safely for the purposes of evidence or where retention is mandated by
any law or where such Personal Data is subject to a civil or criminal investigation.

HOW HSENID DEAL WITH THE RIGHT TO ERASURE WITHOUT CONSENT

hSenid can only refuse to comply with a right to erasure in the following circumstances:

• To comply with a legal obligation on hSenid.
• At the end of the contract between hSenid and the client, the DPO can authorize removal of the data
after the lapse of the stipulated time period agreed between the client and hSenid.

If Personal Data that needs to be erased/removed has been passed onto other parties or recipients,
they must be contacted and informed of their obligation to discard the data.

THE RIGHT TO OBJECT

Clients have the right to object to their data being used on grounds relating to their particular
situation. hSenid must cease processing unless:

• hSenid has legitimate grounds for processing which override the interests, rights and
freedoms of the client.
• The processing relates to the establishment, exercise or defense of legal claims.

hSenid must always inform the client of its right to object at the first point of communication, i.e. in the
privacy notice. hSenid must offer a way for clients to object online.

THIRD PARTIES

USING THIRD PARTY CONTROLLERS AND PROCESSORS

As a data controller and data processor, hSenid must have written consents in place with any third
party data controllers and data processors that hSenid uses. This consent must contain our and their
liabilities, obligations and responsibilities.

As a data controller, hSenid must only appoint processors who can provide sufficient guarantee that the
rights of data subjects will be respected and protected.

As a data processor, third party data processors and controllers must only act on the documented
instructions of a controller. hSenid acknowledges our responsibilities as a data processor, and hSenid
will protect and respect the rights of data subjects.

CONSENTS

Our consent must comply with the standards set out by the DPO and, where possible, our consent
with data processors must set out the subject matter and duration of the processing, the nature and
stated purpose of the processing activities, the types of personal data and categories of data subject,
and the obligations and rights of the controller.

At a minimum, our consent must include terms that specify:

• Acting only on written instructions.
• Those involved in processing the data are subject to a duty of confidence.
• Appropriate measures will be taken to ensure the security of the processing.
• Sub-processors will only be engaged with the prior consent of the controller and under a
written contract.
• The controller will assist the processor in dealing with subject access requests and allowing
data subjects to exercise their rights under the data security policy.
• The processor will require that the controller meets its data security policy.
• Obligations in relation to the security of processing, notification of data breaches and
implementation of data protection impact assessments.
• Delete or return all Personal Data at the end of the relevant contract, unless hSenid is
authorized to retain such data after expiry or termination of the contract.
• Submit to regular audits and inspections and provide whatever information is necessary for the
controller and processor to meet their legal obligations.
• Nothing will be done by either the controller or processor to infringe the Client Data Policy.
CRIMINAL OFFENCE DATA

CRIMINAL RECORD CHECKS

The hSenid Human Resources Department may inquire into and verify employee profiles through local
authority reports, police reports and previous employment, in order to verify whether the employee has
a clear or positive history related to his/her character and employment.

AUDITS, MONITORING AND TRAINING

DATA AUDITS

Regular data audits to manage and mitigate risks will inform the Data Register. The Data Register
contains information on what data is held, where it is stored, how it is used, who is responsible and
any further regulations or retention timescales that may be relevant. You must conduct a regular data
audit as defined by the DPO and normal procedures.

MONITORING

Everyone must observe this Policy. The DPO has overall responsibility for this Policy. hSenid will
keep this Policy under review and amend or change it as required. You must notify the DPO of any
breaches of this Policy. You must comply with this policy fully and at all times. This Policy is
deemed as incorporated into your contract of employment and violation of this Policy shall amount
to violation of the terms and conditions of your employment at hSenid.

TRAINING

You will receive adequate training on provisions of this Policy specific to your role. You must complete
all training as requested. If you move role or responsibilities, you are responsible for requesting new
data protection training relevant to your new role or responsibilities.

If you require additional training on data protection matters, contact the DPO.

Not having received necessary awareness/training shall NOT absolve you from liability for violating the
Policy.

REPORTING BREACHES

Any breach of this Policy must be reported as soon as practically possible. This means that as soon as
you have become aware of a breach you have a legal obligation to report any data breaches to the
DPO within 48 hours.

All members of hSenid staff have an obligation to report actual or potential data protection
compliance failures. This allows us to:

• Investigate the failure and take remedial steps if necessary.
• Maintain a register of compliance failures.
• Notify the DPO of any compliance failures that are material either in their own right or as
part of a pattern of failures.
Any member of staff who fails to notify of a breach, or who is found to have known or suspected that a
breach has occurred but has not followed hSenid’s correct reporting procedures, will be liable to
disciplinary action.

FAILURE TO COMPLY

hSenid takes compliance with this Policy very seriously. Failure to comply puts both the
organization and you at risk.

The importance of this Policy means that failure to comply with any requirement may lead to
disciplinary action under our disciplinary procedures, which may even lead to dismissal from
employment.

If you have any questions or concerns about anything in this Policy, do not hesitate to contact the
DPO.
