GlassDollar Compliance Policy

Version and Approval History

Version and Approval History is maintained in Secfix Platform/Policy section - https://app.secfix.com/policies

GDPR Coverage

Article 12; Article 13; Article 14; Article 15; Article 16; Article 17; Article 18; Article 19; Article 20; Article 21; Article 22; Article 23; Article 24; Article 25; Article 28; Article 30; Article 32; Article 33; Article 34; Article 48

Application

This policy applies to all employees, contractors, and vendors doing business with GlassDollar, and to others who have access to European Union (EU) and European Economic Area (EEA) data subject information (“personal data”) in connection with GlassDollar’s operating activities.

Policy

GlassDollar is committed to protecting the security, confidentiality, and privacy of its information resources including EU and EEA personal data in accordance with the requirements set forth in the General Data Protection Regulation (EU) 2016/679 (“GDPR”, “Regulation”) and respective national regulations. Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of GlassDollar share the responsibility for safeguarding personal data to which they have access.

When performing commercial activities in support of GlassDollar products and services that impact personal data, GlassDollar may receive, store, process, transmit, create, access, or use data in ways that trigger compliance requirements under the GDPR. This policy and the GDPR Policies adopted hereunder are intended to support the mission of GlassDollar and to facilitate data processing activities that are important to GlassDollar by:

  • Ensuring compliance with requirements imposed by GDPR and GlassDollar’s regulatory obligations
  • Providing for the establishment of GDPR Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
  • Setting forth the roles and responsibilities necessary for GlassDollar to meet its obligations with respect to activities related to the processing of personal data in accordance with GDPR

Roles and Responsibilities

Policy Adoption

GlassDollar shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate GDPR Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures. All relevant GlassDollar stakeholders shall cooperate with GlassDollar in the development and implementation of the GDPR Policies.

The GlassDollar Information Security and Data Privacy Policies are a component of the GDPR Policies and implement controls which support GDPR compliance.

Responsible Person

Fabian Dudek, CEO, [email protected] has been assigned responsibility for overall oversight of GlassDollar’s GDPR compliance program.

Implementation

Data Protection

All personal data requires a legal basis for processing, and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.

  • Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by GlassDollar systems
  • Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse
  • Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to GDPR and the handling of personal data as well as the Data Subject Access Request (DSAR) procedure
  • GlassDollar will not transmit EU or UK PII to any third party or vendor until an appropriate Data Protection Addendum has been fully executed by GlassDollar and the third party.
  • The company shall retain a Record of Processing Activities in accordance with Article 30 of the GDPR. Records shall include:
    • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
    • the purposes of the processing;
    • a description of the categories of data subjects and of the categories of personal data;
    • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
    • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    • where possible, the envisaged time limits for erasure of the different categories of data;
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements and the Incident Response Policy.

Data Subject Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, GlassDollar will comply with any SAR concerning the following rights of the data subject:

  • Access (a copy of the personal data undergoing processing)
  • Rectification of personal data (correction of data stored or processed)
  • Erasure (‘right to be forgotten’)
  • Restriction of processing
  • Notification regarding rectification or erasure
  • Data portability (in the event of a Data Portability Request, GlassDollar will export the customer’s data in an industry-standard format and make it internet accessible for download only by the data subject)
  • Objection to processing (withdrawal of consent to processing)
  • Automated individual decision-making, including profiling
  • Do Not Sell requests under the CCPA

SAR when GlassDollar is the data controller:

  • A SAR must be made on GlassDollar’s privacy page https://www.glassdollar.com/privacy-policy. GlassDollar may provide an “interface” or self-service mechanism that the data subject is instructed to use to initiate the SAR process.
  • A SAR can also be made using the email address [email protected].
  • Where required, the data subject must provide reasonable evidence of their identity in the form of valid proof of identity, for example, email verification.
  • When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
  • If a SAR is submitted by an agent, the submission must include the identification of the data subject.

SAR when GlassDollar is the data processor:

  • The SAR must be submitted via the user interface in the GlassDollar Services.
  • The controller must identify the SAR that is being requested.

SAR requirements:

  • The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; GlassDollar will acknowledge any manual requests within 3 business days.
  • GlassDollar has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
  • The SAR application will be documented and can be audited using GlassDollar’s internal processes.

GlassDollar as the data processor

  • Customers will be provided instructions on how to access the data through the user interface or APIs.
  • To the extent the customer is unable to access the data or has issues with accessing the data, GlassDollar will assist the customer in accessing their data.
  • GlassDollar will collect the data specified by the data subject and process according to the instructions provided by the data controller.
  • GlassDollar will maintain a record of requests for data and of its receipt, including dates.

GlassDollar as the data controller

  • Collect the data specified by the data subject
  • Search all databases and all relevant filing systems (manual files) in GlassDollar, including all backup and archived files, whether computerised or manual, and including all email folders and archives. GlassDollar maintains a record that identifies where personal data in GlassDollar is stored.
  • GlassDollar will maintain a record of requests for data and of their receipt, accessible by GlassDollar’s Data Protection Officer and/or any other designated GlassDollar representatives. GlassDollar will also keep a record of processing that includes dates.
  • Provide data subjects an online mechanism for making requests; all such requests will be logged.
  • GlassDollar will acknowledge the SAR within five (5) days of the initial request and respond to any SAR within 25 (twenty-five) working days of the initial request.
  • SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.

SAR Exemptions

  • GlassDollar may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer.

SAR Limits

Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by GlassDollar that are requested by the data subject, GlassDollar may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.

Data Subject Deletion Request

Purpose: To provide a clear, step-by-step process for executing a GDPR data deletion request in compliance with the GDPR.

Scope: This process applies to all cloud service providers and personnel responsible for executing GDPR data deletion requests.

Procedure:

  1. Receive the deletion request: When a GDPR data deletion request is received, it should be assigned to a designated person or team responsible for executing the request.
  2. Confirm the identity of the requester: Before proceeding with the deletion request, confirm the identity of the requester to ensure that the request is legitimate. This can be done by requesting additional information or documentation from the requester.
  3. Identify the data to be deleted: Identify the specific data that needs to be deleted based on the information provided by the requester. This can include personal data, contact information, or other identifying information.
  4. Locate the data: Locate the data to be deleted by searching the relevant databases or storage systems. This can include any backups or archives that may contain the data.
  5. Delete the data: Once the data has been identified, delete the data using a secure deletion method that ensures the data cannot be recovered. This can include using a data shredder or overwriting the data multiple times to ensure complete deletion.
  6. Confirm deletion: Confirm that the data has been deleted and is no longer accessible. This can include verifying that the data is no longer visible in the relevant databases or storage systems.
  7. Update records: Update any relevant records or logs to reflect the deletion of the data. This can include creating an entry in a deletion log or updating the relevant databases or storage systems to indicate that the data has been deleted.
  8. Notify the requester: Once the data has been deleted, notify the requester that their data has been deleted in accordance with their GDPR data deletion request.
  9. Retain evidence of deletion: Retain evidence of the deletion of the data in case of future audits or requests for information. This can include keeping a record of the deletion log or other relevant documentation.

Compelled Disclosure

This section governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into GlassDollar’s Privacy Policy.

Upon receipt of legal demands for information, GlassDollar will immediately notify the Legal Counsel. GlassDollar will investigate the demands, and if it is determined at GlassDollar’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.

GlassDollar may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.

All external communications with customers, regulators and law enforcement shall be approved by GlassDollar.

Enforcement

The CEO is responsible for the enforcement of this policy.

Employees who may have questions should contact the Security team ([email protected]) as appropriate.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must be reported immediately, either to GlassDollar’s Data Privacy Officer or via the incident reporting process at [email protected].

As long as a report is made honestly and in good faith, GlassDollar will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.