This Data Protection Policy establishes Grayphite's commitment to protecting personal data, respecting individual privacy rights, and ensuring compliance with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR). This policy defines the framework for the lawful collection, processing, storage, sharing, retention, and protection of personal data across Grayphite's operations.
This policy applies to all Grayphite employees, contractors, consultants, board members, suppliers, service providers, and third parties who access, process, manage, or store personal data on behalf of Grayphite.
This policy applies to:
All information systems and business applications
Physical and electronic records
Cloud platforms and hosted environments
Customer, employee, vendor, and partner information
Internal and external data processing activities
Cross-border data transfers
Third-party processing arrangements
Grayphite processes personal data in accordance with applicable legal, regulatory, and contractual obligations and adheres to the following principles:
Personal data shall be processed lawfully, fairly, and transparently. Individuals shall be informed about how their data is collected, used, stored, shared, and protected through clear privacy notices and appropriate communication channels.
Personal data shall be collected only for specified, explicit, and legitimate business purposes and shall not be processed in a manner incompatible with those purposes.
Grayphite shall collect and process only personal data that is adequate, relevant, and limited to what is necessary for the intended business purpose.
Grayphite shall take reasonable steps to ensure that personal data remains accurate, complete, and up to date. Inaccurate or outdated data shall be corrected or deleted without undue delay.
Personal data shall be retained only for as long as necessary to fulfill business, legal, regulatory, or contractual obligations. Secure deletion and disposal procedures shall be followed when retention periods expire.
Personal data shall be protected against unauthorized access, disclosure, alteration, loss, destruction, or misuse through appropriate technical and organizational safeguards.
Security measures may include:
Access controls
Encryption and pseudonymization
Secure backups
Logging and monitoring
Vulnerability management
Secure disposal procedures
Grayphite shall maintain documented evidence of compliance with data protection requirements, including policies, procedures, records of processing activities, risk assessments, and audit evidence.
Grayphite does not knowingly collect, store, process, or transmit sensitive personal data unless explicitly required by law, contractual obligation, or approved business necessity supported by appropriate legal basis and enhanced safeguards.
Grayphite shall identify, document, and maintain an appropriate lawful basis before processing personal data. Processing may be based on:
Consent
Contractual necessity
Legal obligation
Protection of vital interests
Public interest
Legitimate business interests
Where consent is used:
Consent shall be explicit, informed, freely given, and unambiguous
Individuals may withdraw consent at any time
Consent records shall be maintained for audit purposes
Grayphite recognizes and supports individuals' rights under applicable privacy regulations, including:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling
Requests relating to individual rights shall be handled through documented procedures within applicable legal timeframes.
Grayphite shall conduct Data Protection Impact Assessments (DPIAs) for new systems, processes, technologies, or changes that may introduce privacy risks.
DPIAs shall evaluate:
Purpose of processing
Data flows
Risks to individuals
Proportionality and necessity
Security and privacy controls
Compliance obligations
Privacy and data protection controls shall be integrated into systems, applications, business processes, and technologies from design through retirement, with privacy-preserving settings enabled by default where applicable.
Grayphite shall maintain an inventory of personal data processing activities, including:
Categories of personal data
Categories of data subjects
Processing purposes
Retention periods
Recipients and transfers
Security measures
Third-party processors
Any third party processing personal data on behalf of Grayphite shall operate under documented contractual agreements that define:
Processing scope
Security requirements
Confidentiality obligations
Regulatory compliance responsibilities
Incident reporting obligations
Transfers of personal data outside approved jurisdictions shall be subject to appropriate safeguards, contractual protections, and legal transfer mechanisms consistent with applicable regulations.
Grayphite shall maintain documented procedures for identifying, reporting, investigating, and responding to personal data breaches.
Where required by law:
Relevant supervisory authorities shall be notified within applicable regulatory timelines, including 72 hours where required under GDPR
Affected individuals shall be notified without undue delay where risks are identified
All personnel must promptly report suspected data breaches through established incident reporting procedures.
All personnel with access to personal data shall receive mandatory privacy and data protection training during onboarding and periodically thereafter.
Training includes:
Data protection obligations
Privacy principles
Secure handling of personal data
Incident reporting responsibilities
Regulatory and contractual obligations
The implementation and oversight of this policy are governed by Grayphite's Information Security and Privacy Management function.
Grayphite shall designate authorized personnel to fulfill privacy governance responsibilities, including:
Data Controller responsibilities
Data Processor responsibilities
Privacy Officer or equivalent privacy oversight role
Regulatory compliance monitoring
Privacy incident management
DPIA review and approval
Data subject request management
Audit and compliance reporting
Senior management shall review data protection risks, compliance status, incidents, and improvement initiatives on a regular basis.
Grayphite continuously reviews and enhances its privacy controls, governance framework, operational procedures, and technical safeguards to address evolving regulatory requirements, business changes, emerging technologies, and security threats.
Continuous improvement activities include:
Periodic policy reviews
Internal audits and self-assessments
Privacy risk assessments
Incident reviews and lessons learned
Regulatory monitoring
Updates to training, tools, and operational controls
For questions regarding Grayphite's security and compliance practices, please contact: security@grayphite.com