Privacy Policy

1. Introduction

EUROFREIGHT LOGISTICS LTD and affiliated entities (here after “company acronym”, “we”, “our”, “us”, “the Company”) endeavours to meet leading standards for data protection and privacy. This Privacy policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

While our reasons are founded in ethical and corporate responsibility, our privacy practices as outlined in this policy facilitate the establishment of the following:

• Competitive Advantage: Our emphasis on protecting the privacy of customers, vendors, and employees distinguishes us from our competitors.
• Good Corporate Citizenship: A sound privacy policy is emblematic of reliable corporate citizens that respect data subjects’ privacy.
• Business Enablement: Since Eurofreight uses significant volumes of personal information, privacy notices become a prerequisite to building enduring business relationships.
• Legal Protection: Appropriate privacy notices offer an opportunity to eliminate allegations of unlawful usage of personal information.
• Comply with the General Data Protection Regulation (GDPR): failure to comply with the provisions of the GDPR may expose Eurofreight to potential fines of up to EUR20 million or 4% of total worldwide annual turnover, whichever is higher.

This document (together with Related Policies and Privacy Guidelines) is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the DPO.

1. Purpose

This Policy defines requirements to help ensure compliance with laws and regulations applicable to Eurofreight collection, storage, use, transmission, disclosure to third parties and retention of Personal and special categories of personal data (also referred to as personal and sensitive personal information respectively in this policy). 

1. Scope

This policy is applicable to all Eurofreight employees, contractors, vendors, interns, customers, and business partners who may receive personal information from Eurofreight, have access to personal information collected or processed by or on behalf of Eurofreight, or who provide information to Eurofreight.

This policy covers the treatment of personal information gathered and used by Eurofreight for lawful business purposes. This policy also covers the personal information we share with authorized Third Parties or that Third Parties share with us.

1. Objective

The main objectives of the Data Privacy Policy are:

• To ensure that all the personal information in Eurofreight custody is adequately protected against threats to maintain its security. 
• To ensure that Eurofreight employees are fully aware of the contractual, statutory or regulatory implications of any privacy breaches. 
• To limit the use of personal information to identified business purposes for which it is collected.
• To create an awareness of privacy requirements to be an integral part of the day to day operation of every employee and ensure that all employees understand the importance of privacy practices and their responsibilities for maintaining privacy.
• To make all the employees aware about, the processes that need to be followed for collection, lawful usage, disclosure/ transfer, retention, archival and disposal of personal information.
• To ensure that all third parties collecting, storing and processing personal information on behalf of Eurofreight provide adequate data protection.
• To ensure that applicable regulations and contracts regarding the maintenance of privacy, protection and cross border transfer of personal information are adhered to. 

1. Accountability and Management 
   1. A Data Privacy Policy shall be developed and maintained to document the privacy principles and practices followed by Eurofreight. (Refer: Appendix A – Privacy principles)
   2. A privacy organization shall be defined for governance of data privacy initiatives. (Refer: Appendix B – Privacy organization structure)
   3. A Data Privacy Officer (DPO) shall be appointed (or DPO function) to process complaints and requests for information related to Eurofreight privacy practices.
   4. Implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
   5. Establish procedures for the identification and classification of personal information.
   6. Eurofreight Privacy Policy statement shall be made available on Eurofreight internal portal.
   7. The Data Privacy Policy shall be communicated to Eurofreight internal personnel.
   8. Procedures shall be established for disciplinary and remedial action for violations of the Data Privacy Policy.
   9. Changes or updates to the Data Privacy Policy shall be communicated to Eurofreight internal personnel when the changes become effective.
   10. Establish procedures for performing mandatory registration with regulatory bodies.
   11. Risk Assessment is to be carried out on a periodic basis to ensure risks to personal information are identified and mitigated.
   12. The potential impact on data privacy is assessed when new processes involving personal information are implemented, or when significant changes are made to such processes. (Refer: Appendix C – Privacy Impact Assessment guidelines)

1. Privacy Notice and Transparency 
   1. Appropriate notice shall be provided to data subjects at the time personal information is collected. 
   2. When Eurofreight is the Data Controller for PII data it must provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices or Fair Processing Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
   3. The privacy notice or policies and other statements to which they are linked shall provide as full information as is reasonable in the circumstances to inform an individual how their personal information will be used so that Eurofreight use is fair and lawful.  The following information should be considered for inclusion in a notice (as is appropriate in individual circumstances):
      1. Purposes for which personal information is collected, used and disclosed;
      2. Choices available to the individual regarding collection, use and disclosure of personal information, wherever applicable;
      3. Period for which personal information shall be retained as per identified business purpose or as mandated by regulations, whichever is later;
      4. That personal information shall only be collected for the identified purposes;
      5. Methods employed for collection of personal information, including ‘cookies’ and other tracking techniques, and third party agencies;
      6. That an individual’s personal information shall be disclosed to Third Parties only for identified lawful business purposes and with the consent of the individual, wherever possible;
      7. That an individual’s personal information may be transferred within Eurofreight entities, globally as per requirement, for business purposes with adequate security measures required by law or as per guidance of provided by industry leading practices;
      8. Consequences of withholding or withdrawing consent to the collection, use and disclosure of personal information for identified purposes;
      9. Data subjects are responsible for providing Eurofreight with accurate and complete personal information, and for contacting the entity if correction of such information is required;
      10. Process for an individual to view and update their personal information records;
      11. Process for an individual to register a complaint or grievance with regard to privacy practices at Eurofreight;
      12. Contact information of person in charge of privacy practises and responsible for privacy concerns with address at Eurofreight;
      13. Process for an individual to withdraw consent for the collection, use and disclosure of their personal information for identified purposes; and
      14. That explicit consent is required to collect, use and disclose personal information, unless a law or regulation specifically requires or allows otherwise. 
   4. Data subjects shall be provided a Privacy Notice in case any new purpose is identified for using or disclosing personal information before such information is used for purposes not previously identified.
   5. When Personal Data is collected indirectly (for example, from a third party or publically available source), you must provide the Data Subject with all the information required by the GDPR as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed Processing of that Personal Data.

1. Choice and Consent
   1. A Data Controller must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include Consent.
   2. A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. 
   3. If Consent is given in a document which deals with other matters, then the Consent must be explicit from those other matters.
   4. A Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. 
   5. Consent may need to be refreshed if there is intention to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
   6. Explicit consent shall be obtained from data subjects at the time of collection of personal information or as soon as practical thereafter.
   7. Explicit consent shall be obtained from data subjects for the collection, use and disclosure of their personal information, unless a law or regulation specifically requires or allows otherwise. A record is maintained of explicit consent obtained from data subjects.
   8. Consent shall be obtained from data subjects before their personal information is used for purposes not previously identified.
   9. Unless we can rely on another legal basis of Processing, Explicit Consent is usually required for Processing Sensitive Personal Data, for Automated Decision-Making and for cross border data transfers. Usually we will be relying on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Data. Where Explicit Consent is required, you must issue a Fair Processing Notice to the Data Subject to capture Explicit Consent.
   10. Eurofreight must maintain evidence on types of Consent and keep records of all Consents captured so that the Company can demonstrate compliance with Consent requirements.
   11. Requests for consent should be designed to be appropriate to the age and capacity of the data subject to consent for themselves and to the particular circumstances (e.g. children who are not older than 16th, vulnerable data subjects unable to understand and consent for themselves).
   12. Organisation should establish communication guidelines to notify other data controllers (with whom PII was shared) for rectification/deletion/restricting of personal data of data subject.
   13. Organisation should document guidelines for managing directories of subscribers to electronic services which include the following:

• Guidelines for obtaining consent from the end users.
• What information is to be provided to the data subject at the time of data collection (purpose, search functions, right to object and information how personal data can be rectified or deleted).

1. Collection of Personal Information
   1. The collection of personal information shall be limited to the minimum requirement for lawful business purposes.
   2. The GDPR allows Processing for specific purposes, some of which are set out below:

1. The Data Subject has given his or her Consent;
2. The Processing is necessary for the performance of a contract with the Data Subject;
3. To meet our legal compliance obligations;
4. To protect the Data Subject’s vital interests;
5. To pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices or Fair Processing Notices; or
6. [OTHER GDPR PROCESSING GROUNDS]: identify and document the legal ground being relied on for each Processing activity [in accordance with the Company’s guidelines on Lawful Basis for Processing Personal Data].

1. Methods of collecting personal information shall be reviewed by management to ensure that personal information is obtained:
   1. Fairly, without intimidation or deception, and
   2. Lawfully, adhering to laws and regulations relating to the collection of personal information.
2. Management shall confirm that Third Parties from whom personal information is collected:
   1. Use fair and lawful information collection methods, and
   2. Comply with the Eurofreight Data Privacy Policy and their contractual obligations with respect to the collection, use and transfer of personal information on behalf of Eurofreight
3. Data subjects shall be notified if additional information is developed or acquired about them.

1. Data Minimization
   1. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

1. Limiting Use, Disclosure and Retention
   1. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
   2. Personal information retention shall be only for the duration necessary to fulfil the identified lawful business purposes or as prescribed by law.
   3. Guidelines and procedures shall be developed for the retention and disposal of personal information. These shall address minimum and maximum retention periods, and modes of storage.
   4. Upon the expiration of identified lawful business purposes or withdrawal of consent, Eurofreight shall either securely erase or anonymize the data subjects’ personal information. Data is anonymized to prevent unique identification of an individual.

1. Data Subject Rights and Requests
   1. The organisation should ensure that it has established the following:
   2. The organization has established mechanism for data subjects to raise requests related to their rights (access/rectification) electronically (especially where personal data are processed by electronic means).
   3. Organization has established following related to right of access and rectification: 
      1. Documented process and mechanism for provisioning access to personal data and rectification.
      2. Identified mandatory information to be provided to data subject
      3. Guidelines for administrative fees can only be charged to data subject for subsequent PI access
      4. Personal Data to be provided in electronic form unless requested otherwise
      5. Track the received requests from data subjects and respond within 1 month with appropriate response
   4. Assessments are performed regularly – and at least annually – of whether the rectification of personal data has been performed correctly and without undue delay.
   5. Organization has established following related to right of deletion: 
      1. Policies and procedures to process/respond to PI deletion requests from data subjects within 1 month
      2. Documented the Personal data deletion guidelines considering the grounds for deletion and the applicable exceptions
   6. Organization has established guidelines for restrictions of data processing which address: 
      1. Documented grounds which are compared with criteria for restricting mentioned in the data subject request and a formal sign-off process to ensure that appropriate decisions are taken and implemented for a defined period of time
      2. Process to inform data subject prior to lifting the restriction of processing of personal data
   7. Organization has implemented mechanism to inform data subjects if it alters, restricts the processing of or removes personal data.
   8. Organization has established guidelines to process data portability requests from data subjects. The guidelines are compliant with data portability considerations.
   9. Organization has established means for data subject to object online.

1. Transfer Limitation
   1. Eurofreight shall limit data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined
   2. Eurofreight may only transfer Personal Data outside the EEA if one of the following conditions applies:

(a)  The European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms;

(b)  appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;

(c)  The Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or

(d)  the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

1. Disclosure to Third Parties 
   1. Where reasonably possible, management shall ensure that third parties collecting, storing or processing personal information on behalf of Eurofreight have:
      1. Signed agreements to protect personal information consistent with Eurofreight Data Privacy Policy and information security practices or implemented measures as prescribed by GDPR;
      2. Signed non-disclosure agreements or confidentiality agreements which includes privacy clauses in the contract; and
      3. Established procedures to meet the terms of their agreement with Eurofreight to protect personal information.
   2. Personal information may be transferred outside European Union (EU) jurisdiction from where Eurofreight operates for storage or processing where any of the following apply:
      1. The individual has given consent to the transfer of information
      2. The transfer is necessary for the performance of a contract between the individual and Eurofreight, or the implementation of pre-contractual measures taken in response to the individual’s request.
      3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Eurofreight and a third party.
      4. The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
      5. The transfer is required by law
      6. The transfer is necessary in order to protect the vital interests of the individual.
      7. The transfer is made under a data transfer agreement.
      8. The transfer is otherwise legitimised by applicable law.
   3. Remedial action shall be taken in response to misuse or unauthorized disclosure of personal information by a third party collecting, storing or processing personal information on behalf of Eurofreight

1. Security Practices for Privacy
   1. Eurofreight information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred and disposed by Eurofreight. 
   2. Eurofreight shall comply with all applicable aspects of Eurofreight Information Security Program or comply with the administrative, physical and technical safeguards implemented and maintained in accordance with the GDPR and relevant standards to protect Personal Data.
   3. Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
   4. Management shall establish procedures that maintain the logical and physical security of personal information.
   5. Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
   6. Incident response protocols are established and maintained in order to deal with incidents concerning personal data or privacy practices. (Refer: Appendix D – Data breach response guidelines)
   7. Eurofreight must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows: (a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.

(b)  Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.

(c)  Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

1. Quality of Personal Information
   1. Eurofreight may perform additional validation procedures to ensure that personal information collected is accurate and complete for the business purposes for which it is to be used.
   2. Eurofreight shall ensure that personal information collected is relevant to the business purposes for which it is to be used.

1. Privacy Monitoring and Enforcement
   1. Procedures shall be established for recording and responding to complaints/ grievances registered by data subjects.
   2. Each complaint regarding privacy practices registered by data subjects shall be validated, responses documented and communicated to the individual.
   3. Annual privacy compliance review shall be performed for identified business processes and their supporting applications.
   4. A record shall be maintained of non-compliances identified in the annual privacy reviews. Corrective and disciplinary measures shall be initiated and tracked to closure, guided by Eurofreight management.
   5. Procedures shall be established to monitor the effectiveness of controls for personal information and for ensuring corrective actions, as required.
   6. Any conflicts or disagreements relating to the requirements under this policy or associated privacy practices shall be referred to the Data Privacy Officer for resolution.

1. Personal Identifiable Information (PII) of Eurofreight employee

Data protection laws govern the use of personally identifiable information.  This term means any data relating to a living individual who can be identified using that data.  Eurofreight may hold the following types of sensitive and non-sensitive PII:

• names, addresses, telephone numbers and other personal contact details;
• gender, date of birth, physical or mental health or condition;
• marital status, next of kin, racial or ethnic origin, sexual orientation, religious, philosophical, political or similar beliefs;
• national insurance or social insurance number, immigration status, trade union membership;
• personnel records including training, appraisal, performance and disciplinary information, and succession planning;
• bank details, salary, bonus, benefits and pension details and other financial information; and
• criminal offences committed (or allegedly committed) including any proceedings and sentencing in relation to any such criminal offence.

1. Staff data processing activities

Personal information about individuals may only be processed for a legitimate purpose. Eurofreight may undertake a number of activities with an individual employee’s personal information including, but not limited to:

• salary, benefits and pensions administration;
• health and safety records and management;
• security vetting, criminal records checks and credit checks and clearances (where applicable and allowed by law);
• confirming information on résumés, CVs and covering letters, providing reference letters and performing reference checks;
• training and appraisal, including performance evaluation and disciplinary records; 
• staff management and promotions;
• succession planning;
• equal opportunities monitoring; 
• any potential change of control of a group company, or any potential transfer of employment relating to a business transfer or change of service provider;
• other disclosures required in the context of staff employment;
• promoting or marketing of Eurofreight, its products or services;
• provision of staff or business contact information to customers and agencies in the course of the provision of Eurofreight’s services;
• CCTV monitoring for security reasons;
• compliance with applicable procedures, laws, regulations, including any related investigations to ensure compliance or of any potential breaches;
• establishing, exercising or defending Eurofreight’s legal rights;
• disclosures to other companies in the Eurofreight group of companies, including companies in other countries to the extent permitted by law, including for the following purposes: as required in connection with the duties of the employee; legal compliance; audit; group level management; in connection with the fulfilment of customer and partner contracts;
• any other reasonable purposes in connection with an individual’s employment or engagement by Eurofreight;
• providing and managing use of services provided by third parties, such as company provided mobile phones, company credit cards and company cars and billing for such services.

1. Eurofreight may also collect and process personal information about your next of kin, so they can be contacted in an emergency or in connection with use of a company car provided by Eurofreight.  Their personal information will also be processed in accordance with the data protection laws and as described in the policy.
2. In order to fulfil the purposes set out above, Eurofreight may disclose personal information to contractors and suppliers that provide services to Eurofreight and who may assist in the processing activities set out above and also to law enforcement agencies, regulatory bodies, government agencies and other third parties as required by law or for administration/taxation purposes, to the extent local law allows and requires.
3. Eurofreight may disclose your personal information to third parties for the purposes of establishing and managing your employment relationship.  For example, Eurofreight may disclose some of your personal information to:

• benefits providers (for example, pension and insurance providers);
• payroll and data processing suppliers and other service providers who assist us in   establishing or managing your employment relationship with us;
• insurance claims and medical related service providers; and
• parties requesting an employment reference.

1. Eurofreight shall take appropriate measures to ensure that its contractors and suppliers also process personal information in a compliant way and such measures may include a data processing agreement.
2. Eurofreight may transfer personal information to other group companies, partners, suppliers, law enforcement agencies and to other organisations in all cases that are located outside of the country where you are based for the purposes of:

• HR administration (for example, staff recruitment); 
• payroll processing for employees working outside the country where they are based;
• employee relocation;
• security clearances;
• visa applications;
• taxation and registrations for employees working outside the country where they are based;
• fulfilling Eurofreight’s legal requirements; 
• fulfilling customer contracts for the provision of Eurofreight’s services;
• overseas legal proceedings;
• Outsourcing Eurofreight functions.

1. The laws of some jurisdictions may not be as protective as the laws in the country in which you are based.  Eurofreight may transfer your personal information across provincial or national borders to fulfil any of the above purposes, including to service providers located in countries who may be subject to applicable disclosure laws in those jurisdictions, which may result in that information becoming accessible to law enforcement and national security authorities of those jurisdictions.

1. Record Keeping (Privacy Register)
   1. Eurofreight shall keep full and accurate records of all data Processing activities.
   2. Eurofreight must keep and maintain accurate corporate records reflecting Processing including records of Data Subjects’ Consents and procedures for obtaining Consents.
   3. These records should include, at a minimum, the name and contact details of the Data Controller, clear descriptions of the Personal Data types, Data Subject types, processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. 

1. Retention of records
   1. Eurofreight has a statutory duty to keep certain records for a minimum period of time.  In other cases Eurofreight shall not keep personal information for longer than is necessary or as may be required by applicable law. 

1. Data Privacy Impact Assessments (DPIA)
   1. The organisation should conduct Data Privacy Impact Assessment (DPIA) for its business activities for which the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.
   2. The firm should assess all its business processes and define which of them are high-risk. For the purpose of the assessment it should use appropriate risk criteria to help on the factual identification of high-risk business processes. (ie. criteria as set in the Article 29 of GDPR PIA evaluation).
   3. The organisation should choose a methodology for the implementation of its DPIAs. The DPIA should be compliant with the minimum features described in Annex 2 in Article 29 of GDPR on performing DPIA.
   4. The company should continuously review and re-assess its business activities as certain changes could increase or decrease their risk.
      
      
2. Data Flow Management 
   1. For all high-risk business procedures as defined in the Privacy Impact Assessment.
   2. Organisation should define guidelines for data mapping. Data mapping addresses below mentioned:

• Documenting the data processing activities.
• Type of personal data used for each processing activity along with personal data storage location.
• The organisation should identify and document data flows specific to how personal information is moving through the underlying systems and software within the organization (including third party operations).

1.  Monitoring
   
   
   1. Eurofreight’s IT and communications systems are intended to promote effective communication and working practices within our organisation.  
   2. For business reasons, and in order to carry out legal obligations in our role as an employer, use of Eurofreight’s systems on whatever platform including the telephone (mobile and fixed) and computer systems (including email and internet access), and any personal use of them, is monitored. If you access services by the use of passwords and login names on Eurofreight’s IT and communication systems, this might mean that your personal access details are seen by Eurofreight.
   3. Monitoring is only carried out if and to the extent permitted or as required by law and as necessary and justifiable for business purposes.  The resulting log files may be used so that instances of attempted misuse and other security events can be detected, and that information is available to support any subsequent investigation. To the extent permitted by law and, where breaches of this and other Eurofreight policies or applicable law are found, action may be taken under the disciplinary procedure.
   4. The employees are informed that the telephone system used by the Company allows identification of all dialled numbers and received calls.
   5. Eurofreight reserves the right to retrieve the contents of messages, check searches which have been made on the internet, require the immediate return of devices supplied by Eurofreight and access data stored on such devices for the following purposes (this list is not exhaustive):

• to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy (and employees acknowledge that the Company can use software to monitor the identity of senders and receivers of emails);
• to find lost messages or to retrieve messages lost due to computer failure; 
• to assist in the investigation of wrongful acts; or
• to comply with any legal obligation.

1. If evidence of misuse of Eurofreight’s IT systems is found, Eurofreight may undertake a more detailed investigation in accordance with Eurofreight’s disciplinary procedures, involving the examination and disclosure of monitoring records to those nominated to undertake the investigation and any witnesses or managers involved in the disciplinary procedure.  If necessary, such information may be handed to the police in connection with a criminal investigation. Investigations and disclosure of information to the relevant authorities shall be carried out only to the extent permitted by law.
   
   
2. CCTV
   1. Some of Eurofreight’s buildings and sites use CCTV systems to monitor their exterior and interior 24 hours a day for security reasons. This data is recorded. Use of CCTV and recording of CCTV data is only carried in accordance with Eurofreight approved guidelines. 
   2. Eurofreight shall take reasonable efforts to alert the individual that the area is under electronic surveillance.

1. Reporting Data Privacy Breach:
   1. The GDPR requires Data Controllers to notify any Personal Data Breach to the Cyprus Data Protection regulatory authority and, in certain instances, the Data Subject.
   2. Eurofreight shall put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where is legally required to do so.
   3. Where there is a suspicion of a Personal Data Breach occurrence, the DPO, the information technology or security department should be notified immediately and should follow the Eurofreight SECURITY INCIDENT RESPONSE PLAN.  All evidence relating to the potential Personal Data Breach should be preserved.

Read More