GDPR Compliance

Introduction to GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.

At PPR GPT, we are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. This page details how we comply with the GDPR regulations.

Our Commitment to GDPR Compliance

We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the GDPR.

Our preparation and objectives for GDPR compliance have been summarized in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.

How We Comply with GDPR

1. Information Audit

We have conducted a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed, and if and to whom it is disclosed.

2. Policies and Procedures

We have implemented data protection policies and procedures to meet the requirements and standards of the GDPR, including:

• Data Protection – Our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR.
• Data Retention & Erasure – We have updated our retention policy and schedule to ensure that we meet the 'data minimization' and 'storage limitation' principles and that personal information is stored, archived, and destroyed compliantly and ethically.
• Data Breaches – Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate, and report any personal data breach at the earliest possible time.
• International Data Transfers – Where we store or transfer personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt, and maintain the integrity of the data.

3. Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information of an individual's right to access any personal information that PPR GPT processes about them and to request information about:

• What personal data we hold about them
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has been/will be disclosed
• How long we intend to store their personal data
• If we did not collect the data directly from them, information about the source
• The right to have incomplete or inaccurate data about them corrected or completed
• The right to request erasure of personal data (where applicable)
• The right to restrict processing, object to processing, and the right to data portability

4. Consent Mechanisms

We have revised our consent mechanisms for obtaining personal data, ensuring that individuals have given clear consent to the processing of their data. We ensure that:

• Consent is freely given, specific, informed, and unambiguous
• We use clear language that is tailored to the age and capacity of the individual
• We obtain consent explicitly for data processing activities
• We keep detailed records of consent and provide easy ways for individuals to withdraw consent at any time

Data Protection Officer

We have designated a Data Protection Officer (DPO) to develop and implement our roadmap for complying with the GDPR. The DPO is responsible for:

• Informing and advising the company and its employees about their obligations to comply with the GDPR and other data protection laws
• Monitoring compliance with the GDPR and other data protection laws
• Managing data protection activities, including internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits
• Being the first point of contact for supervisory authorities and individuals whose data is processed