Data Protection Policy

MField MEA Data Protection Policy (DDP)

1. Introduction

MField MEA is committed to protecting the personal data of our clients, employees, and partners. This Data Protection Policy outlines our approach to data protection and the procedures we follow to ensure compliance with relevant data protection laws, including GDPR.

2. Scope

This policy applies to all personal data processed by MField MEA, regardless of format or medium, and to all employees, contractors, and third parties who process personal data on our behalf.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, such as collection, storage, use, and destruction.
  • Data Subject: The individual to whom personal data relates.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the Data Controller.

4. Data Protection Principles

  1. Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently.
  2. Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data Minimization: Personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  4. Accuracy: Personal data is accurate and kept up to date. Inaccurate data is corrected or deleted promptly.
  5. Storage Limitation: Personal data is kept in a form that permits identification of data subjects for no longer than necessary.
  6. Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  7. Accountability: We are responsible for and can demonstrate compliance with these principles.

5. Lawful Basis for Processing

MField MEA processes personal data based on one or more of the following lawful bases:

  • Consent: The data subject has given clear consent for the processing of their personal data for a specific purpose.
  • Contract: The processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
  • Legal Obligation: The processing is necessary to comply with a legal obligation.
  • Legitimate Interests: The processing is necessary for the purposes of legitimate interests pursued by MField MEA or a third party, provided those interests are not overridden by the data subject's rights and interests.

6. Data Subject Rights

Data subjects have the following rights regarding their personal data:

  • Right to Access: The right to request access to their personal data.
  • Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure: The right to request deletion of their personal data, under certain conditions.
  • Right to Restriction of Processing: The right to request restriction of processing of their personal data, under certain conditions.
  • Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
  • Right to Object: The right to object to the processing of their personal data, under certain conditions.
  • Rights Related to Automated Decision-Making and Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects the individual.

7. Data Security

We implement appropriate technical and organizational measures to ensure the security of personal data, including:

  • Encryption: Protecting data at rest and in transit using encryption.
  • Access Controls: Restricting access to personal data to authorized personnel only.
  • Physical Security: Ensuring physical security measures are in place to protect data storage facilities.
  • Regular Audits: Conducting regular audits and assessments to identify and address security vulnerabilities.

8. Data Breach Management

In the event of a data breach, MField MEA will:

  1. Identify and Contain: Identify and contain the breach to prevent further unauthorized access.
  2. Assess the Impact: Assess the impact of the breach on data subjects and the organization.
  3. Notify Authorities: Notify the relevant data protection authority if the breach is likely to result in a risk to the rights and freedoms of data subjects, within 72 hours of becoming aware of the breach.
  4. Notify Data Subjects: Notify affected data subjects if the breach is likely to result in a high risk to their rights and freedoms.
  5. Review and Improve: Review the incident to identify and implement measures to prevent future breaches.

9. Data Protection Officer (DPO)

MField MEA has appointed a Data Protection Officer responsible for overseeing data protection strategy and implementation to ensure compliance with data protection laws. The DPO can be contacted at khalid@mfieldmea.com.

10. Training and Awareness

We provide regular training on data protection and privacy to all employees who process personal data. This training ensures that staff understand their responsibilities and best practices for handling personal data securely.

11. Policy Review

This policy is reviewed annually and updated as necessary to reflect changes in our practices, legal requirements, or other factors. The most current version of this policy is available on our website and upon request.

12. Contact Us

If you have any questions or concerns about this Data Protection Policy or our data protection practices, please contact our Data Protection Officer at khalid@mfieldmea.com or call +212 661-247956.
