1. Introduction

1.1 The European Union General Data Protection Regulation 2016 (‘GDPR’) and the Mauritius Data Protection Act 2017 (‘DPA’) have been enacted to further protect the rights and freedoms of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

1.2 Security and Property Protection Agency Co Ltd (‘SPPA’) is a wholly owned subsidiary of Caudan Development Ltd (‘CDL’). CDL is listed on the Stock Exchange of Mauritius.

1.3 SPPA has its registered office situated at 8th Floor, Dias Pier Building, Le Caudan Waterfront, Port Louis, Mauritius and its administrative headquarters situated at Old Post Office Road, St Pierre 81406, Mauritius.

SPPA’s other contact details are as follows:

Email address: info@caudansecurity.com

Telephone Number: +230 403 5000

Facsimile Number: +230 433 2022

1.4 Although established, based and domiciled in Mauritius, SPPA has expanded its business activities beyond the jurisdiction of Mauritius including but not limited to parts of the European Union.

1.5 For the purpose of the present document, the following words and/or expressions are understood to have the following meaning:

‘Personal data’ any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Sensitive and/or Special categories of personal data’ personal data evealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

‘Data Controller’ the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

‘Data Processor’ the natural or legal person, public authority, agency or other body who process personal data for and on behalf of the Data Controller.

‘Data Subject’ the person whose personal data is processed by the Data Controller

‘Processing’ any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Profiling’ any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the Data Subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

‘Third party’ a natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Data Processor and persons who, under the direct authority of the Data Controller or the Data Processor, are authorised to process personal data.

‘Supervisory Authority’ the independent public authority responsible for the enforcement of the GDPR and the DPA and the regulation and supervision of data processing. In Mauritius, a Data Protection Office, headed by the Data Protection Commissioner, has been established under the DPA.

1.6 The GDPR and the DPA apply to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

1.7 The DPA will apply to all Data Controllers and Data Processors that areestablished in the Republic of Mauritius who process the personal data of Data Subjects.

1.8 The GDPR will apply to all Data Controllers and Data Processors that are established in the European Union and the United Kingdom who process the personal data of Data Subjects, in the context of that establishment. It will also apply to Data Controllers and Data Processors outside of the European Union and the United Kingdom that process personal data in order to offer goods and services, or monitor the behavior of Data Subjects who are resident in the European Union and the United Kingdom.

1.9 In the light of the definitions of ‘Data Controller’ and ‘Data Processor’ setout in paragraph 1.6 above and in view of the matters set out in paragraph 1.5 above, SPPA is a Data Controller and a Data Processor under both the GDPR and the DPA.

2. Policy statement

2.1 The Board of Directors and management of SPPA are committed to compliance with all relevant laws in respect of personal data including the GDPR and the DPA for the protection of the rights and freedoms of individuals whose information SPPA collects and processes in the course of its activities.

2.2 SPPA’s compliance with the GDPR and the DPA is described by this General Data Protection Policy as supplemented by the other documents namely:

2.2.1 SPPA’s Training Policy;

2.2.2 SPPA’s Employment (Privacy) Notice;

2.2.3 SPPA’s Recruitment (Privacy) Notice;

2.2.4 Supplier Privacy Agreements entered into by SPPA with its suppliers;

2.2.5 Distributor Privacy Agreements entered into by SPPA with its distributors;

2.2.6 SPPA’s General Privacy Notice;

2.2.7 SPPA’s Data Inventory;

2.2.8 SPPA’s Retention of Records Procedure;

2.2.9 SPPA’s Retention of Records Schedule;

2.2.10 SPPA’s Information Security Policy;

2.2.11 SPPA’s Access Control (Rules and Rights) Procedure;

2.2.12 SPPA’s Access Control Policy;

2.2.13 SPPA’s Consent Procedure Notice;

2.2.14 SPPA’s Data Subject Consent Form;

2.2.15 SPPA’s Subject Access Request Procedure;

2.2.16 SPPA’s Subject Access Record;

2.2.17 SPPA’s Website User Privacy Policy;

2.2.18 SPPA’s Physical Entry Controls and Secure Areas Notice; and

2.2.19 Non-Disclosure Agreements entered into by SPPA with third parties.

2.3 The GDPR, the DPA, this General Data Protection Policy and the documents referred to in paragraph 2.2 above shall apply to all of SPPA’s personal data processing functions, including those performed on customers’, potential customers’, clients’, potential clients’, employees’, suppliers’, distributors’, contractors’ and other stakeholders’ and/or partners’ personal data, and any other personal data SPPA processes from any source.

2.4 Any breach of the GDPR, the DPA, this General Data Protection Policy and/or any of the documents referred to in paragraph 2.2 above by an employee or préposé of SPPA will be dealt with under SPPA’s disciplinary policy. And should such a breach appear to give rise to a criminal offence, the matter will be reported as soon as possible to the appropriate authorities. Furthermore, SPPA will report any breach to the relevant data protection supervisory authority and also inform the Data Subject whose data has been breached.

2.5 Partners and any third parties working with or for SPPA, and who have or may have access to personal data, will be expected to have read, understood and undertaken to comply with this General Data Protection Policy. No third party may access personal data held by SPPA without having first entered into a data confidentiality or privacy agreement with SPPA, which imposes on the third-party obligations no less onerous than those to which SPPA is committed. In that respect, SPPA has implemented third-parties’ agreements as Supplier Privacy Agreements and Distributor Privacy Agreements.

2.6 In order to foster a data protection and privacy culture amongst its stakeholders, SPPA will provide ongoing and appropriate training so as to further protect the rights and freedoms of data subjects. In that respect, SPPA has elaborated and implemented a Training Policy.

3. Responsibilities and roles

3.1 SPPA is both a Data Controller and a Data Processor under both the GDPR and the DPA.

3.2 Top Management and all those in managerial or supervisory roles throughout SPPA are responsible for developing and encouraging good information handling practices within SPPA.

3.3 Furthermore, the Board of Directors of SPPA has appointed a Data Protection Officer whose identity and contact details are as follows:

Data Protection Officer

Postal address: Caudan Security Services Headquarters

Old Post Office Road

St Pierre 81406

Mauritius

Email address: dpo@caudansecurity.com

Telephone No.: +230 403 5000

Facsimile No.: +230 433 2022

3.4 SPPA’s Data Protection Officer is accountable to the Board of Directors of SPPA for the management of personal data within SPPA and for ensuring that compliance with data protection legislation and that good practice can be demonstrated. This accountability includes:

3.4.1 the development and implementation of the GDPR, the DPA and this General Data Protection Policy; and

3.4.2 security and risk management in relation to compliance with this General Data Protection Policy.

3.5 SPPA’s Data Protection Officer, who the Board of Directors of SPPA considers to be suitably qualified and possessing all the relevant expertise, has been appointed to also take responsibility for SPPA’s compliance with this General Data Protection Policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that SPPA complies with the GDPR and the DPA.

3.6 SPPA’s Data Protection Officer has specific responsibilities in respect of procedures such as the Data Subject request and is the first point of call for
Data Subjects seeking clarification on any aspect of data protection compliance.

3.7 Notwithstanding the role and responsibilities of SPPA’s Data Protection Officer, compliance with data protection legislation is the responsibility of all
employees and préposés of SPPA who process personal data for and on behalf of SPPA.

3.8 Employees and préposés of SPPA are responsible for ensuring that any personal data about them and supplied by them to SPPA is accurate and up- to-date. The rights and freedoms of employees and prospective employees of SPPA under both the GDPR and DPA are more specifically dealt with in SPPA’s Employment (Privacy) Notice and Recruitment (Privacy) Notice respectively.

4. Data protection principles

All processing of personal data will be conducted by SPPA in accordance with the data protection principles as set out in the GDPR and the DPA.

SPPA therefore undertakes to comply with the following principles:

4.1 Lawfulness, fairness and transparency

4.1.1 SPPA will at all times:

(a) identify a lawful basis before processing personal data and inform Data Subjects of the same prior to the processing of their personal data; and

(b) act fairly and transparently towards Data Subjects by making available to the latter, as far as reasonably practicable, all relevant information pertaining to the intended processing of their personal data whether the personal data is obtained directly from the Data Subjects or from other sources.

4.1.2 The information that SPPA will provide to the Data Subjects includes:

(a) the contact details of SPPA and of its Data Protection Officer;

(b) the specific and explicit purpose(s) for which the personal data is needed as well as the legal basis for the processing of the same;

(d) the existence of the Data Subjects’ rights to request access, rectification, erasure or to object to the processing; and

(e) the recipients or categories of recipients of the personal data, where applicable;

(f) SPPA’s obligations to report to the relevant supervisory authority, possible breaches of data protection rules and principles and inform the concerned Data Subjects of the same; and

(g) where applicable, whether SPPA intends to transfer personal data to a recipient in a third country and the level of protection afforded to the personal data in that third country.

4.1.3 All such information will be readily available in SPPA’s policies, procedures and notices referred to in paragraph 2.2 above.

4.2 Purpose limitation

4.2.1 SPPA shall at all times ensure that where personal data is obtained for a specified purpose, the said data will not be used for another purpose that differs from the purpose initially notified to the Data Subject in SPPA’s policies, procedures and notices referred to in paragraph 2.2 above.

4.2.2 SPPA shall, in the said policies, procedures and notices, define upfront what the personal data will be used for and limit the processing to only what is necessary to meet that purpose.

4.3 Data minimization

4.3.1 SPPA shall at all times ensure that the personal data it processes is adequate, relevant and limited to what is necessary for the processing.

4.3.2 SPPA will not collect from the Data Subject information that is not strictly necessary for the purpose for which it is obtained as explained in SPPA’s policies, procedures and notices.

4.3.3 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, will include a fair processing statement via a links provided in the present General Data Protection Policy.

4.3.4 Through Data Protection Impact Assessments (‘DPIAs’), SPPA will every year ensure that all data collection methods are reviewed by either an internal audit or external expert to ensure that collected data continues to be adequate, relevant and not excessive.

4.4 Accuracy

4.4.1 Data that is stored by SPPA will be reviewed and updated as necessary. No data will be kept unless it is reasonable to assume that it is accurate.

4.4.2 All SPPA staff are trained in the importance of collecting accurate data and maintaining it.

4.4.3 It is also the responsibility of the Data Subject to ensure that data held by SPPA is accurate and up to date. Data Subjects will from time to time be requested by SPPA to fill-in forms and check-lists which will include a statement that the data contained therein is accurate.

4.4.4 Employees of SPPA are required to notify SPPA promptly of any changes in circumstances to enable personal records to be updated accordingly. It is the responsibility of SPPA to ensure that any notification regarding change of circumstances is recorded and acted upon.

4.4.5 SPPA is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, considering the volume of data collected, the speed with which it might change and any other relevant factors.

4.4.6 On at least an annual basis, SPPA will review the retention dates of all the personal data processed by it and contained in its Retention of Records Procedure and its Retention of Records Schedule, by reference to its Data Inventory, and will identify any data that is no longer required. This data will be securely deleted/destroyed.

4.4.7 SPPA’s Data Protection Officer is responsible for responding to requests for rectification from Data Subjects within one month. This can be extended to a further two months for complex requests. If SPPA decides and is justified in law not to comply with the request, SPPA’s Data Protection Officer will respond to the Data Subjects to explain SPPA’s reasoning and justification and inform them of their rights to complain to the supervisory authorities if they so wish.

4.4.8 SPPA’s Data Protection Officer is responsible for making appropriate arrangements, where third-party organizations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used; and for passing any correction to the personal data to the third party where this is required.

4.5 Storage limitation

4.5.1 Personal data will always be kept by SPPA in a form such that the Data Subject can be identified only as long as is necessary for processing.

4.5.2 Where personal data is retained beyond the processing date, it will be encrypted and/or pseudonymized in order to protect the identity of the Data Subject.

4.5.3 Personal data will be retained in line with SPPA’s Retention of Records Procedure. Once its retention date is passed, it will be securely destroyed as set out in the Retention of Records Procedure save and except if the further storage and retention of the data is necessary for SPPA’s legitimate interests (such as defending itself in possible legal proceedings) and/or for SPPA to comply with a legal obligation.

4.6 Integrity and confidentiality

4.6.1 SPPA will at all times process personal data in a manner that ensures appropriate security of the said data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

4.6.2 In that respect, SPPA’s Data Protection Officer will carry out a risk assessment considering all the circumstances of SPPA’s controlling or processing operations.

4.6.3 In determining appropriateness, SPPA’s Data Protection Officer will also consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on SPPA itself, and any likely reputational damage including the possible loss of customer/stakeholder/commercial partner trust.

4.6.4 When assessing appropriate technical measures, SPPA’s Data Protection Officer will consider the following:

(a) password protection;

(b) automatic locking of idle terminals;

(d) virus checking software and firewalls;

(e) role-based access rights including those assigned to temporary staff;

(f) encryption of devices that leave SPPA’s premises such as laptops;

(g) privacy enhancing technologies such as pseudonymisation and anonymisation; and

(f) identifying appropriate international security standards relevant to SPPA.

4.6.5 When assessing appropriate organisational measures, SPPA’s Data
Protection Officer will consider the following:

(a) the appropriate training levels throughout SPPA in line with SPPA’s Training Policy;

(b) measures that consider the reliability of employees (such as references etc.);

(c) the inclusion of data protection in employment contracts and/or the implementation of an Employment (Privacy) Notice;

(d) identification of disciplinary action measures for data breaches by SPPA’s employees;

(e) monitoring of SPPA staff for compliance with relevant security standards as set out in SPPA’s security documents such as its Information Security Policy;

(f) physical access controls to electronic and paper-based records;

(g) adoption of a clear desk policy;

(h) storing of paper-based data in lockable and fire-proof filing cabinets;

(i) restricting the use of portable electronic devices outside of the workplace;

(j) restricting the use of employees’ own personal devices being used in the workplace;

(k) adopting clear rules about passwords;

(l) making regular backups of personal data and storing the media off-site; and

(m) the imposition of contractual obligations on the importing organisations to take appropriate security measures when ransferring data outside Mauritius and/or the European Union.

4.6.6 These controls have been selected on the basis of identified risks to
personal data, and the potential for damage or distress to individuals
whose data is being processed.

4.6.7 SPPA’s compliance with this principle is more fully contained in its
Information Security Policy.

4.7 Accountability and compliance

4.7.1 SPPA will at all times promote good governance and demonstrate its accountability in respect of data protection principles.

4.7.2 In addition to strictly adhering to the transparency requirements, SPPA will, to the best of its abilities, explicitly and publicly demonstrate that it scrupulously complies with the data protection principles and all the applicable data protection laws including the GDPR and the DPA.

4.7.3 Not only does SPPA ensure through its Training Policy that its staff is appropriately trained and knowledgeable in the treatment of personal data, but in order to further buttress its determination at affording the best possible protection to the rights and freedoms of Data Subjects, SPPA has implemented all the relevant data protection policies such as this General Data Protection Privacy as well as all the necessary technical and organisational measures in
line with the GDPR and the DPA.

4.7.4 SPPA intends to carry out regular DPIAs as well as reviews of its policies, procedures, notices, technical and organisational measures and to update the same in order to always better safeguard the rights and freedoms of Data Subjects.

4.7.5 In that respect, SPPA encourages its customers, stakeholders, commercial partners and the public at large to provide and to communicate to it regular and relevant feedbacks on the manner in which it treats and protects personal data.

4.7.6 All such feedbacks are to be addressed to SPPA’s Data Protection Officer whose contact details are set out at paragraph 3.3 above.

5 . Data subjects’ rights

5.1 SPPA wishes to most unequivocally inform Data Subjects at large that they have the following rights regarding data processing, and the data that recorded by SPPA about them:

5.1.1 to make subject access requests regarding the nature of information held and to whom it has been disclosed;

5.1.2 to prevent processing likely to cause damage or distress;

5.1.3 to prevent processing for purposes of direct marketing;

5.1.4 to be informed about the mechanics of automated decision-taking process that will significantly affect them;

5.1.5 not to have significant decisions that will affect them taken solely by automated process;

5.1.6 to sue for compensation if they suffer damage by any contravention
of the GDPR and/or the DPA;

5.1.7 to act to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data;

5.1.8 to request the supervisory authorities to assess whether any provision of the law has been contravened;

5.1.9 to have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another Data Controller; and

5.1.10 to object to any automated profiling that is occurring without consent.

5.2 SPPA will further ensure that Data Subjects may exercise the aforesaid rights as follows:

5.2.1 Data Subjects may make data access requests; and

5.2.2 Data Subjects have the right to complain to SPPA in relation to the processing of their personal data, the handling of a request and appeals on how complaints have been handled by SPPA.

6. Consent

6.1 SPPA understands ‘consent’ to mean that it has been explicitly and freely given, and is a specific, informed and unambiguous indication of the Data Subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Data Subjects can withdraw their consent at any time.

6.2 As and when required as per either the GDPR or the DPA, consent requests will be separate from other terms and conditions and will not be a precondition of signing up to a service unless it is necessary for that service.

6.3 When requesting Data Subjects to give their consent to a particular processing operation, SPPA will not use pre-ticked opt-in boxes. Only unticked opt-in boxes or similar active opt-in methods will be used.

6.4 Furthermore, SPPA will at all times give Data Subjects granular options to consent separately to different types of processing wherever appropriate.

6.5 Also, SPPA will always keep records of consents given by Data Subjects in order to show what they have consented to, including what they were told, and when and how they consented.

6.6 SPPA also understands ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified his or her agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

6.7 At no point in time will SPPA imply that consent has been given. Consent will not be inferred from non-response to a communication.

6.8 For the processing of Sensitive Personal Data or Special Categories Personal Data, SPPA will invariably request and obtain explicit written consents of Data Subjects prior to processing the same unless an alternative legitimate basis for processing exists under either the GDPR or the DPA.

7. Security of data

7.1 All the employees of SPPA are responsible for ensuring that any personal data that SPPA holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by SPPA to receive that information. In that respect, SPPA has entered into confidentiality agreements such as Non-Disclosure Agreements with its employees.

7.2 All personal data will be accessible only to those employees of SPPA who need to use it. All personal data will be treated by SPPA with the highest security and will be kept:

in a lockable room with controlled access; and/or
in a locked drawer or filing cabinet; and/or
if computerised, password protected; and/or
stored on (removable) computer media which are encrypted.

7.3 Upmost care will be taken to ensure that PC screens and terminals at SPPA are not visible except to authorised employees of SPPA.

7.4 Manual records will not be left where they can be accessed by unauthorised personnel and will not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they will be stored in secure archiving.

7.5 Personal data will only be deleted or disposed of in line with SPPA’s Retention of Records Procedure. Manual records that have reached their retention date will be shredded and disposed of. Hard drives of redundant PCs will be removed and immediately destroyed before disposal.

7.6 As the processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data, SPPA staff will, in exceptional circumstances and only for the legitimate interests of SPPA’s business, have to be specifically authorised to process data off-site.

8. Disclosure of data

8.1 SPPA will ensure that personal data is not disclosed to unauthorised third parties without the consent of the Data Subject concerned save and except if the information is required for one or more of the following purposes:

(a) the furtherance of the legitimate interests of SPPA and its business activities;

(b) the safeguard national security and public interest;

(d) the assessment or collection of tax duty;

(e) the discharge of regulatory functions imposed by law upon SPPA;

(f) the compliance by SPPA with regulatory frameworks and other obligations imposed by law;

(g) the defence by SPPA of legal proceedings brought against SPPA;

(h) the prevention of serious harm to a third party; and

(i) the protection of the vital interests of an individual.

8.2 All requests to provide data for one of the reasons set out in paragraph 8.1 above must be supported by appropriate written evidence and/or paperwork and all such disclosures must be specifically authorised by SPPA.

9. Retention and disposal of data

9.1 SPPA will not keep personal data in a form that permits identification of Data Subjects for longer a period than is necessary, in relation to the purpose(s) for which the data was originally collected.

9.2 SPPA may store data for longer periods if the personal data will be processed solely for:

(a) archiving purposes in the public interest;

(b) scientific or historical research purposes or statistical purposes;
and/or

subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subjects concerned.

9.3 Where personal data needs to be disposed of, SPPA will do so securely in accordance with the principle set out in paragraph 4.6 above, thereby protecting the rights and freedoms of Data Subjects.

10. Data transfers

10.1 As a rule, personal data lawfully collected by SPPA from a particular jurisdiction (‘the Original Jurisdiction’) shall not be transferred to a jurisdiction other than the Original Jurisdiction (‘Other Jurisdiction’) unless SPPA is satisfied that there is an appropriate level of protection for the fundamental rights and freedoms of the Data Subjects in the Other Jurisdiction similar to the level of protection afforded in the Original Jurisdiction (hereinafter referred to as the ‘Adequacy Test’).

10.2 In carrying out the Adequacy Test, SPPA will consider of the following factors:

(a) the nature of the information being transferred to the Other Jurisdiction;

(b) the data protection laws of the Original Jurisdiction and the data protection laws, codes of practice and international obligations if any, of the Other Jurisdiction;

(d) the security measures that are to be taken as regards the data in the Other Jurisdiction; and

(e) whether the data protection supervisory authority of the Original Jurisdiction approves or prohibits such transfer of data to the Other Jurisdiction.

10.3 Should SPPA not be satisfied by the level of data protection afforded in the Other Jurisdiction after carrying out the Adequacy Test, SPPA will not transfer the data to the Other Jurisdiction unless:

(a) the Data Subject concerned has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the Data Subject due to the absence of appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the Data Subject concerned and SPPA or the implementation of pre-contractual measures taken at the Data Subject’s request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject concerned between SPPA and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims involving and/or impacting on SPPA; and/or

(f) the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.

11. Information asset register/data inventory

11.1 SPPA has established a data inventory and data flow process as part of its approach to address risks and opportunities throughout its GDPR and DPA compliance project.

11.2 SPPA’s data inventory and data flow relate to:

(a) its business processes that use personal data;

(b) its sources of personal data;

(d) the categories of personal data it processes;

(e) its data processing activities;

(f) the documents it uses for its compliance with the GDPR and DPA;

(g) the recipients and potential recipients of the personal data it processes;

(h) the roles of its Data Protection Officer and other employees are responsible for all data protection issues; and

(i) any data transfers.

11.3 SPPA is aware of risks associated with the processing of particular types of
personal data and the level of risks to individuals associated with the processing of their personal data.

11.4 Consequently, DPIAs will be carried out every year in relation to the processing of personal data by SPPA, and in relation to processing undertaken by other organisations on behalf of SPPA.

11.5 SPPA shall manage the risks identified by the DPIAs in order to reduce the
likelihood of a non-conformance with this General Data Protection Policy.

11.6 Where a type of processing, in particular using new technologies and considering the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, SPPA shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.

11.7 Where, as a result of a DPIA it is clear that SPPA is about to commence processing of personal data that could cause damage and/or distress to Data Subjects, the decision as to whether or not SPPA may proceed must be escalated for review to its Data Protection Officer and/or its Board of Directors as the case may be. The latter shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.

Ownership and Authorisation

Security and Property Protection Agency Co Ltd is the owner of this document.

This document and all other related documents referred to herein may, from time to time, be reviewed in line with any changes in the law.

This General Data Protection Policy has been duly approved by the Board of Directors of Security and Property Protection Agency Co Ltd on 19th February 2020.

By order of the Board of Directors of Security and Property Protection Agency Co Ltd.

Made in good faith on 19th February 2020 at Old Post Office Road, St Pierre 81406,
Republic of Mauritius.