Privacy by Design and by Default Policy
Introduction and Scope
This policy is applicable to all Agile personnel. According to Article 23 of the GDPR, Agile is obligated to implement appropriate technical and organizational measures (taking into account the costs and nature of the processing, the risks for individuals, etc.), such as pseudonymization, to ensure compliance with the principles outlined in the GDPR and adequate protection of the rights of data subjects. These measures may vary depending on the type of processing activities carried out, and it is essential that they are clear not only at the beginning but throughout the entire duration of the processing by Agile personnel during the life cycle of the system/software. This obligation will be referred to as "Privacy by Design".
Among the minimum requirements, there should be a prohibition on making personal data available to an indefinite number of individuals without their involvement (hereinafter referred to as "Privacy by Default").
This policy aims to provide guidance on the approach Agile should take to ensure compliance with Privacy by Design and Privacy by Default.
For any questions, please contact Agile's Compliance Team at the following email: firstname.lastname@example.org.
Definitions of terms used in this policy:
Data Subject: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Special Categories of Personal Data: These are the so-called "sensitive" data, which reveal racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health data, or data concerning a person's sex life or sexual orientation. The GDPR (Article 9) also includes genetic data, biometric data, and data concerning criminal convictions and offenses in this category.
Data Relating to Criminal Convictions and Offenses: These are the so-called "judicial" data, which can reveal the existence of certain judicial measures subject to inclusion in criminal records (such as final criminal convictions, probation, prohibition or obligation to reside, alternative measures to detention) or the status of suspect or accused. The GDPR (Article 10) includes data relating to criminal convictions and offenses or related security measures within this notion.
Data Protection Impact Assessment (DPIA): Assessment of the impact of personal data processing on specific operations and/or systems, as regulated by Article 35.
Principles of Processing: Refers to Article 5 of the GDPR, which governs the principles of processing.
The Compliance Team will review annually whether this Policy should be supplemented in light of any regulatory changes or improvements in technical measures.
Privacy by Design - General Principles
The principles of Privacy by Design are as follows:
Measures should be adopted proactively rather than reactively. The aim should be to anticipate, identify, and prevent privacy-related incidents before they occur.
Privacy protection rules must always be present and considered as defaults within business activities. Personal data must be automatically protected in any company system, without requiring any action from the individual to protect their privacy.
Privacy must be integrated and embedded in the design of systems and business practices.
Security should be end-to-end throughout the entire lifecycle of personal data. Personal data should be kept secure and destroyed when no longer necessary.
Visibility and transparency should be maintained. Stakeholders should always be assured that business practices and technologies are effectively operating according to predetermined objectives and subject to periodic checks.
Respect for user privacy through the adoption of predefined protection standards and user-friendly options during the software development phase.
Technical and Organizational Measures
Agile's objective is to implement appropriate technical and organizational measures in order to:
Appropriately implement the Principles of Personal Data Protection.
Integrate the necessary precautions within the processing of personal data to achieve the aforementioned objective.
During their activities, Agile personnel will consider the available technical and organizational measures, the cost of implementation, the nature of the measures, the purpose, context, and objectives of the processing, as well as the risks and severity to which the rights and freedoms of individuals are exposed during processing.
In cases where the processing is considered to pose a high risk to individuals, a Data Protection Impact Assessment (DPIA) must be conducted in accordance with Agile's procedures.
Privacy by Default
Agile aims to apply technical and organizational measures to ensure that, by default, only the necessary personal data is used in relation to the following activities:
Calculating the amount of personal data collected.
Assessing the extent of personal data processing.
Determining the retention period of personal data.
Assessing the accessibility of personal data.
Data Protection by Design
Agile's objective is to always consider the impact that processing may have on individuals and to adopt proportionate technical and organizational measures to ensure that:
The Principles of Processing are effectively implemented.
Risks to the rights and freedoms of individuals are effectively minimized.
Agile personnel should continuously exercise controls to ensure the security of systems and personal data and to avoid the risk of possible data breaches resulting from unauthorized remote logins.
Personal data should only be uploaded to systems, devices, and/or software that comply with Agile's policies and applicable laws. The use and retention period of data should be minimized.
Regular checks and improvements, where possible, should be conducted by Agile personnel.
Personnel should not proceed with the purchase or deployment of new systems or software without first evaluating their impact on personal data protection, especially if such acquisition and subsequent use may pose a risk to individuals.
For the procurement of supplies and services, regardless of the contract value, personnel cannot approve the contract without first conducting a review with the assistance of the Compliance Team to assess the level of personal data protection.
Examples of Risk Mitigation Techniques
Examples of techniques that can be implemented to comply with the objectives of this procedure include, but are not limited to: employee awareness through training provided by the DPO, making personnel aware of possible scams such as emails from fake accounts, regular deletion of materials containing personal data, irreversible anonymization of data, transparency towards data subjects through privacy policies, and limitation of access to personnel where possible.