LAMDA DEVELOPMENT is increasingly interacting with various categories of individuals, including but not limited to employees, costumers, investors and other interested parties. It is therefore processing personal data from various categories of data subjects across the entire spectrum of its corporate and operational activities, particularly in the areas of:
- Human resources and training management,
- Video surveillance systems at the premises that the company manages,
- Customer communication and corporate communications management,
- Procurements, contracts and accounting management,
- IT systems and data center management.
In this context, LAMDA DEVELOPMENT is committed to comply with the applicable data protection law, to enhance and improve the lawfulness, fairness and transparency of its personal data processing operations, and to protect the rights of data subjects in an effective manner.
Purpose
This Declaration sets out the commitment of LAMDA DEVELOPMENT to the protection of natural persons with regard to the processing of their personal data in compliance with the General Data Protection Regulation (GDPR) and the generally applicable legal framework on privacy and the protection of personal data. LAMDA DEVELOPMENT ensures that:
- we communicate this Declaration of Commitment to all employees and persons working on our behalf;
- we communicate this Declaration of Commitment and the results of our implementing measures and actions to our Shareholders, third parties and to the general public, as appropriate;
- we develop, implement, review and systematically improve this Declaration of Commitment and our implementing measures and actions seeking for continual improvement;
- we publish this Declaration of Commitment on LAMDA DEVELOPMENT websites;
- we review this Declaration of Commitment on an annual basis to keep pace with applicable law developments.
- we make public the international or national data protection standards which our company identifies and/or to which it commits (for example GDPR).
Scope
This Declaration of Commitment applies to all LAMDA DEVELOPMENT organisational units and employees and concerns personal data processed by them in any format including paper and electronic records (including archived information) processed or stored in hard copy folders, information technology systems, software tools, platforms, applications and removable storage media. It also applies to all third parties processing personal data on behalf of LAMDA DEVELOPMENT.
Principles
LAMDA DEVELOPMENT collects personal data only for specified, explicit and legitimate purposes, and does not further process such data in a manner that is incompatible with such purposes. In addition, it takes reasonable steps to ensure that the personal data collected be accurate, updated, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data shall be processed lawfully, fairly and in a transparent manner. LAMDA DEVELOPMENT shall not process personal data absent a legal basis for the processing and it shall not process special categories of personal data or personal data relating to criminal convictions and offences unless it is necessary in strict compliance with the GDPR and applicable law.
LAMDA DEVELOPMENT shall take appropriate technical and organisational measures to ensure and to be able to demonstrate compliance with data protection rules and principles.
Declaration of Commitment Actions
To further implement and support this Declaration of Commitment in compliance with the applicable law, LAMDA DEVELOPMENT ensures that:
- it appoints its Data Protection Officer to monitor compliance with the GDPR and this Declaration and to act as the contact point for data subjects and the supervisory authority;
- it observes the lawfulness of processing and obtains data subject consent where necessary;
- it implements appropriate data protection procedures, indicatively on facilitating the exercise of data subject rights and on information security breach management;
- it handles effectively data subject requests for exercising their rights under articles 15-22 GDPR;
- it provides transparent information on personal data processing to various categories of data subjects via data protection notices;
- it maintains a central register (record of processing activities) for its processing operations;
- it uses technical and organisational measures to ensure appropriate data security, including the timely recovery of availability and access to personal data in case of a physical or technical incident, the anonymization of personal data, and the pseudonymisation and encryption of personal data;
- it notifies timely the supervisory authority and affected individuals of a personal data breach as applicable under the law;
- it carries out data protection impact assessments for high risk areas prior to the processing and consults with the supervisory authority where necessary;
- it takes measures to include data protection by design and by default in its procurements of new systems and services;
- it secures effective third party management and data processing agreements subject to appropriate safeguards with contractors carrying out processing on its behalf;
- it complies with rules on international transfers of personal data (outside the EU/EEA);
- it keeps personal data for no longer than is necessary for the purposes for which they are processed each time pursuant to predefined retention periods and/or in order to comply with legal and statutory requirements on data and records preservation; and
- it fosters a privacy and data protection culture across the organisation through awareness-raising and staff training.