Data Protection and Privacy Policy

ISO/IEC 27001:2013 Certified: ESICIA LTD maintains an Information Security Management System (ISMS) compliant with ISO 27001:2013 standards.

1. Purpose

The purpose of this policy is to ensure data protection and privacy as required by contractual clauses with the organization's customers, vendors, and other third parties as well as to establish standards of compliance with global and domestic data privacy laws.

Furthermore, ESICIA Limited takes its responsibilities for managing the requirements of information security management (an ISMS based on ISO 27001:2013) very seriously. This policy sets out how the organization manages those responsibilities.

ESICIA Limited obtains, uses, stores, and otherwise processes personal data relating to current staff and customers, potential staff and customers, former staff and customers, contractors, and contacts, collectively referred to in this policy as data subjects. When processing personal data, the organization is obliged to fulfill individuals' reasonable expectations of privacy by complying with ISO 27001 standards and other relevant data protection legislation.

This policy therefore seeks to ensure that we:

  1. Are clear about how personal data must be processed and the organization's expectations for all those who process personal data on its behalf;
  2. Comply with the data protection law and with good practice;
  3. Protect the organization's reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects' rights;
  4. Protect the organization from risks of personal data breaches and other breaches of data protection law.

2. Scope

This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee's own device) and regardless of the data subject. All staff and others processing personal data on the organization's behalf must read it. A failure to comply with this policy may result in disciplinary action or termination of the contract.

All staff are responsible for ensuring that all organization staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls, and training to ensure that compliance.

3. Accountability

ESICIA Limited must implement appropriate technical and organizational measures in an effective manner to ensure compliance with the data protection principles. The organization is responsible for, and must be able to demonstrate compliance with, those principles.

We must therefore apply adequate resources and controls to ensure compliance, including:

  1. Appointing a suitably qualified representative;
  2. Implementing privacy by design when processing personal data and completing a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the privacy of data subjects;
  3. Integrating data protection into our policies and procedures, in the way personal data is handled by us and by producing required documentation such as Privacy Notices, Records of Processing, and records of Personal Data Breaches;
  4. Training staff on compliance with Data Protection Law and keeping a record accordingly;
  5. Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement efforts.

4. Responsibilities

4.1 Organization's Responsibilities

As the Data Controller, the organization is responsible for establishing policies and procedures in order to comply with data protection law.

4.2 Network and Security Department Responsibilities

The Network & Security department is responsible for:

  • Advising the organization and its staff of its obligations under data protection and privacy policy;
  • Monitoring compliance with this Regulation and other relevant data protection laws;
  • Providing advice where requested on data protection impact assessments;
  • Having due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of the processing.

4.3 Staff Responsibilities

Staff members who process personal data about customers, staff, or any other individual must comply with the requirements of this policy. Staff members must ensure that:

  • All personal data is kept securely;
  • No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party;
  • Personal data is kept in accordance with the organization's retention schedule;
  • Any queries regarding data protection are promptly directed to the Information Security team;
  • Any data protection breaches are swiftly reported;
  • Where there is uncertainty around a data protection matter, advice is sought.

4.4 Third-Party Data Processors

Where external companies are used to process personal data on behalf of the organization, responsibility for the security and appropriate use of that data remains with the organization. Where a third-party data processor is used:

  • A data processor must be chosen that provides sufficient guarantees about its security measures;
  • Reasonable steps must be taken to verify that such security measures are in place;
  • A written contract establishing what personal data will be processed and for what purpose must be set out;
  • A data processing agreement must be signed by both parties.

5. Personal Data Protection Principles

When you process personal data, you should be guided by the following principles, which are set out in the ISO 27001 Standard:

  1. Lawfulness, fairness, and transparency: Processed lawfully, fairly, and in a transparent manner;
  2. Purpose limitation: Collected only for specified, explicit, and legitimate purposes;
  3. Data minimization: Adequate, relevant, and limited to what is necessary;
  4. Accuracy: Accurate and where necessary kept up to date;
  5. Storage limitation: Not kept longer than necessary;
  6. Security, integrity, and confidentiality: Processed in a manner that ensures its security using appropriate technical and organizational measures.

6. Data Subjects' Rights

Data subjects have the following rights in relation to the way we handle their personal data:

  1. Where the legal basis of our processing is Consent, to withdraw that consent at any time;
  2. To ask for access to the personal data that we hold;
  3. To prevent our use of personal data for direct marketing purposes;
  4. To object to our processing of personal data in limited circumstances;
  5. To ask us to erase personal data immediately when applicable;
  6. To ask us to rectify inaccurate data or to complete incomplete data;
  7. To restrict processing in specific circumstances;
  8. The right not to be subject to decisions based solely on automated processing;
  9. To prevent processing that is likely to cause damage or distress;
  10. To be notified of a personal data breach which is likely to result in high risk;
  11. To make a complaint to the Network and Security department;
  12. In limited circumstances, receive or ask for their personal data to be transferred to a third party.

7. Data Classification

The organization's data classification is as follows:

CONFIDENTIAL

Highly sensitive internal documents which could seriously damage the organization if lost or made public. Information classified as Confidential has very restricted distribution and must be protected at all times. Security at this level is the highest possible. Examples include impending mergers or acquisitions, corporate plans, or designs.

INTERNAL USE

Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility. Examples include internal memos, minutes of meetings, and internal project reports. Security at this level is controlled but normal.

PUBLIC

All information meant for public use. Its disclosure will not adversely impact ESICIA Limited, its employees, its stakeholders, its business partners, and/or its customers. Examples include newsletters, annual reports, published financial statements, etc. Security at this level is minimal.

8. Contact Us

If you have any questions or concerns about our Data Protection and Privacy Policy, please contact us:

  • Email: info@esicia.com
  • Phone: +250 78-830-1700
  • Address: KACYIRU, Ubumwe House, 3rd floor, Kigali, Rwanda

PCI DSS ISO Certified

Last updated: December 2024