Data Governance and Protection Policy

1)

Purpose, Scope and Users

Sensory Technologies, strives to comply with General Data Protection Regulation (GDPR). This Policy sets forth the basic principles by which Sensory Technologies processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.

This Policy applies to Sensory Technologies and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.

The policy supports decision-making by establishing guiding principles:

  • On how Sensory Technologies will protect privacy and the confidentiality of personal information.
  • Establishes policies about how Sensory Technologies manages privacy protection in order to achieve privacy compliance and a culture of privacy protection.
  • Identifies core privacy responsibilities for personnel to foster co-ordination among divisions and teams in protecting privacy.

Sensory Technologies maintains a comprehensive set of privacy and data protection policies that are subordinate and complementary to the Data Governance and Protection Policy. The subordinate policies define privacy roles, responsibilities, accountabilities and requirements for the protection of personal and sensitive personal data.

Sensory Technologies believes that protecting privacy effectively involves not only complying with applicable privacy requirements but also having a strong culture of privacy protection. This Data Governance and Protection Policy mandates the Company Privacy Protection Program. The Privacy Protection Program comprises comprehensive safeguards for personal data and programs, practices, processes, tools and techniques to protect privacy proactively.

The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.

2)

GDPR Guiding Principles Regarding Personal Data Processing

The data protection principles outline the basic responsibilities for organizations handling personal data.

2.1. Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

2.2. Purpose Limitation

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

2.3. Data Minimization

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.

2.4. Accuracy

Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

2.5. Storage Period Limitation

Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

2.6. Integrity and confidentiality

Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.

2.7. Accountability

Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.

3)

Privacy Protection Program

Sensory Technologies shall maintain a Privacy Protection Program that comprises comprehensive and aligned safeguards for Personal Data and programs, practices, processes, tools and techniques that enable it to:

  • protect individuals’ privacy and the confidentiality of their Personal Data and Sensitive Personal Data proactively and respect their privacy preferences;
  • Comply with its privacy requirements, particularly those derived from its Enabling Regulation, from GDPR, HIPAA, PIPEDA, PHIPA and the Regulations made under those Acts, and from its policies.

The Privacy Protection Program shall include processes, practices, tools and techniques to:

  • Build privacy and security protection into the design and operation of the programs, operations and services, including business practices, systems and physical design and infrastructure;
  • Safeguard Personal Data and Sensitive Personal Data throughout its lifecycle;
  • Achieve, monitor, assess and enforce privacy compliance;
  • Identify and manage privacy risks proactively;
  • Train personnel about protecting privacy;
  • Develop and implement privacy and data protection policies, practices and standards;
  • Manage, investigate and respond to privacy- and security- related incidents, breaches, complaints and inquiries;
  • Conduct data risk assessment/privacy risk assessments as appropriate.

4)

Organization and Responsibilities

Sensory Technologies policies and practices shall:

  • Protect privacy and the confidentiality of Personal Data and Sensitive Personal Data while achieving its business interests and objectives (e.g. effectively facilitating the delivery of services and programs and realizing value for money);
  • Ensure that Sensory Technologies policies and practices that protect individuals’ privacy and the confidentiality of their Personal Data and Sensitive Personal Data are comprehensive, aligned and complementary.
  • Comply with its policies and practices that protect individuals’ privacy and the confidentiality of Personal Data and Sensitive Personal Data.
  • Enter into signed, written agreements with third party providers that include appropriate privacy requirements prior to the third parties providing services or goods to the Agency.

The key areas of responsibilities for processing personal data lie with the following organisational roles:

The Board of Directors makes decisions about, and approves the Company’s general strategies on personal data protection.

The Data Protection Officer (DPO)/Chief Privacy Officer, is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies.

The DPO monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals.

5)

Managing Data Subject Rights

Sensory Technologies shall put in place process and procedures to manage requests from the Data Controller for data subject rights such as consent management and data access & transfer requests. The Enterprise Privacy policy and the relevant procedures provide detailed information on managing rights of the individuals on collection, use and disclosure of their Personal Data.

6)

Appendix I: Definitions

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:

Personal Data/Personal Information: Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data/Personal Health Information: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

In the context of the Canadian and USA regulatory landscape, portion of this definition corresponds to the definition of ‘Personal Health Information’.

Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor/Electronic Service Provider: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

In the context of the Canadian and USA regulatory landscape, portion of this definition corresponds to the definition of ‘Electronic Service Provider’.

Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.

Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;

Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;

Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers include conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.

“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

“Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

Group Undertaking: Any holding company together with its subsidiary.

Privacy Commissioner: A regulatory authority who is responsible for enforcing privacy and data protection legislation in Canada.

7)

Appendix II: Reference

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Personal Information Protection and Electronic Documentation Act (PIPEDA)
  • Personal Health Information Protection Act (PHIPA)
  • Data Governance and Protection Policy
  • Consent Management Procedure
  • Breach Management Procedure
  • Privacy Impact Assessment Procedure
  • Privacy Operations
  • Privacy Communication
  • Privacy Data Retention
  • Information Security Policy
  • Acceptable Use Policy
  • Information Classification and Handling
  • Logical Access Control
  • Operational Security
  • Encryption Standard
  • Network Security
  • Logging Monitoring and Auditing
  • Physical Security Standard
  • Third Party Services Delivery