The entire Management and Board of <<organisation name>>, located at Address, is committed to maintaining compliance with all relevant GDPR and local laws with respect to personal data collected, as well as protection of the “rights and freedoms” of the data subject. This GDPR compliance policy is also described by other relevant policies such as the information security policy, along with related <<organisation name>>’s processes and procedures.

The GDPR and <<organisation name>>’s data protection policy applies to all personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data that <<organisation name>> processes from any source. This policy also applies to all Employees/Staff and third parties of <<organisation name>>.

<<organisation name>>’s Data Protection Officer, name of DPO, is responsible for reviewing and updating the register of processing annually in the light of any changes to <<organisation name>>’s operations and activities, and to any additional requirements identified by means of data protection impact assessments. This register needs to be available on the supervisory authority’s request.

Partners and any third parties working with or for <<organisation name>>, and who have or may have access to personal data, will be expected to have read, understood, and to comply with this policy. No third party may access personal data held by <<organisation name>> without having first entered into a data confidentiality agreement, which imposes on the third-party obligations no less onerous than those to which <<organisation name>> is committed, and which gives <<organisation name>> the right to audit compliance with the agreement.

Any breach of the GDPR will be dealt with under <<organisation name>>’s disciplinary procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.