InContext Solutions
Information Security
Last reviewed: 2026-03-23

Data Protection Policy

1. Overview

This policy establishes InContext Solutions' commitment to protecting personal data in compliance with the General Data Protection Regulation (EU 2016/679) and applicable data protection legislation. It defines the legal framework under which personal data is processed, the rights of data subjects, and the governance structures that ensure ongoing compliance.

This policy applies to all processing of personal data carried out by InContext Solutions, whether relating to employees, clients, partners, or other individuals. It covers data processed electronically, in structured filing systems, and through automated decision-making.

For operational data management procedures including classification, handling, retention, and destruction, refer to the Data Management Policy.

2. Legal Framework and Lawful Processing

Applicable Legislation

InContext Solutions processes personal data in accordance with:

  • General Data Protection Regulation (GDPR) — EU Regulation 2016/679
  • Applicable national data protection laws in jurisdictions where InContext operates
  • Privacy and Electronic Communications Regulations where applicable to direct marketing and electronic communications

Lawful Bases for Processing

All processing of personal data must be justified under one of the following lawful bases as defined by GDPR Article 6:

  • Consent — The data subject has given clear, informed consent for processing for one or more specific purposes.
  • Contract — Processing is necessary for the performance of a contract with the data subject, or to take pre-contractual steps at their request.
  • Legal Obligation — Processing is necessary to comply with a legal obligation to which InContext Solutions is subject.
  • Vital Interests — Processing is necessary to protect the vital interests of the data subject or another individual.
  • Public Task — Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate Interests — Processing is necessary for the legitimate interests of InContext Solutions or a third party, except where such interests are overridden by the rights and freedoms of the data subject.

Documentation of Lawful Basis

The lawful basis for each processing activity must be identified and documented in the Records of Processing Activities before processing begins. Where consent is relied upon, records of consent must be maintained including when and how consent was obtained.

3. Data Subject Rights

InContext Solutions recognizes and upholds the following rights of individuals whose personal data is processed:

Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data. InContext Solutions provides clear, transparent privacy information at the point of data collection, including the purposes of processing, retention periods, and with whom data will be shared.

Right of Access

Individuals may submit a Subject Access Request (SAR) to obtain confirmation that their data is being processed and to receive a copy of their personal data. Requests are fulfilled free of charge unless manifestly unfounded or excessive.

Subject Access Requests must be responded to within 30 calendar days of receipt. Extensions of up to 60 additional days may apply for complex requests, provided the individual is informed within the initial 30-day period.

Right to Rectification

Individuals have the right to have inaccurate personal data corrected and incomplete data completed. InContext Solutions will action rectification requests without undue delay.

Right to Erasure

Also known as the "right to be forgotten," individuals may request the deletion of their personal data where:

  • The data is no longer necessary for the purpose it was collected
  • Consent has been withdrawn and no other lawful basis applies
  • The individual objects to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

This right is not absolute and is subject to exemptions where processing is necessary for legal obligations, public interest, or the establishment, exercise, or defense of legal claims.

Right to Restrict Processing

Individuals may request restriction of processing where they contest the accuracy of data, object to processing pending verification, or where processing is unlawful but the individual opposes erasure.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object

Individuals have the right to object to processing based on legitimate interests or public task grounds. InContext Solutions will cease processing unless compelling legitimate grounds are demonstrated that override the individual's interests, rights, and freedoms.

Rights Related to Automated Decision-Making

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Where automated decision-making is employed, individuals are informed and provided the right to obtain human intervention, express their point of view, and contest the decision.

Handling Requests

All data subject requests should be directed to the Data Protection Lead. Upon receipt:

  1. The identity of the requester is verified
  2. The request is logged and acknowledged
  3. The appropriate action is taken within the statutory timeframe
  4. The outcome is documented and communicated to the individual

4. Data Protection Impact Assessments

When a DPIA Is Required

A Data Protection Impact Assessment must be conducted before commencing any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes:

  • Large-scale processing of special category data
  • Systematic and extensive profiling with significant effects
  • Large-scale systematic monitoring of publicly accessible areas
  • Processing involving new technologies where the impact on individuals is not yet well understood
  • Any processing identified as high-risk through the organization's risk assessment processes

DPIA Process

Each DPIA will:

  1. Describe the processing — Nature, scope, context, and purposes of the proposed processing activity
  2. Assess necessity and proportionality — Evaluate whether the processing is necessary and proportionate to the purpose
  3. Identify risks — Assess risks to the rights and freedoms of data subjects
  4. Define mitigations — Identify measures to address and reduce identified risks to an acceptable level

Consultation

Where a DPIA indicates that processing would result in a high risk that cannot be sufficiently mitigated, the supervisory authority must be consulted before processing begins.

Documentation

All DPIAs are documented, reviewed by the Data Protection Lead, and retained as evidence of compliance. DPIAs are reviewed when the nature, scope, or context of processing changes.

5. Records of Processing Activities

In accordance with GDPR Article 30, InContext Solutions maintains a Record of Processing Activities (ROPA) that documents:

  • Name and contact details of the controller and, where applicable, the Data Protection Lead
  • Purposes of processing for each activity
  • Categories of data subjects and categories of personal data processed
  • Recipients to whom personal data has been or will be disclosed, including third countries or international organizations
  • International transfers and the safeguards in place for transfers outside the EEA
  • Retention periods for each category of data, or the criteria used to determine retention
  • Security measures — A general description of the technical and organizational security measures applied

The ROPA is maintained by the Data Protection Lead, updated as processing activities change, and made available to supervisory authorities upon request.

6. Special Category Data

Definition

Special category data includes personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used for identification
  • Health data
  • Data concerning sex life or sexual orientation

Additional Conditions for Processing

Processing special category data requires both a lawful basis under Article 6 and an additional condition under GDPR Article 9. Applicable conditions include:

  • Explicit consent from the data subject
  • Employment, social security, or social protection law obligations
  • Vital interests where the data subject is incapable of giving consent
  • Substantial public interest with a basis in law
  • Health or social care purposes with appropriate safeguards

Enhanced Protections

Special category data is subject to enhanced security measures including:

  • Access restricted to authorized personnel with a documented business need
  • Encryption at rest and in transit
  • Separation from general personal data where practicable
  • Additional audit logging of access and modifications

For the classification framework applied to all data types, refer to the Data Management Policy.

7. Breach Notification

Definition

A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This includes device loss or theft, unauthorized access, misdirected communications, and ransomware attacks affecting personal data.

Under GDPR Article 33, personal data breaches that pose a risk to individuals' rights and freedoms must be reported to the supervisory authority within 72 hours of the organization becoming aware of the breach.

Notification to Supervisory Authority

Where a breach is likely to result in a risk to individuals' rights and freedoms, InContext Solutions will notify the relevant supervisory authority within 72 hours. The notification will include:

  • The nature of the breach, including categories and approximate number of data subjects and records affected
  • The name and contact details of the Data Protection Lead
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, InContext Solutions will notify those individuals without undue delay. The notification will describe the nature of the breach, its likely consequences, and the measures taken in response.

Documentation

All personal data breaches are documented regardless of whether they are reported to the supervisory authority. Documentation includes the facts of the breach, its effects, and the remedial actions taken. This record enables the supervisory authority to verify compliance.

For the operational incident response process including containment, eradication, and recovery procedures, refer to the Security Incident Response Policy.

8. Data Protection Governance

Data Protection Lead

InContext Solutions designates a Data Protection Lead responsible for:

  • Monitoring compliance with data protection legislation and this policy
  • Advising the organization on data protection obligations
  • Overseeing Data Protection Impact Assessments
  • Acting as the point of contact for data subjects exercising their rights
  • Cooperating with supervisory authorities
  • Coordinating data protection training across the organization
  • Managing breach notification procedures

The Data Protection Lead operates with appropriate independence and reports directly to senior management on data protection matters.

Accountability

InContext Solutions demonstrates compliance through:

  • Maintaining Records of Processing Activities
  • Conducting and documenting DPIAs
  • Implementing appropriate technical and organizational measures
  • Providing regular data protection training to staff
  • Reviewing and updating policies on an annual basis

9. International Data Transfers

Personal data must not be transferred outside the European Economic Area (EEA) unless adequate safeguards are in place. Permitted transfer mechanisms include:

  • Adequacy decisions — Transfers to countries recognized by the European Commission as providing adequate data protection
  • Standard Contractual Clauses (SCCs) — EU-approved contractual terms between the data exporter and importer
  • Binding Corporate Rules — For intra-group transfers approved by the relevant supervisory authority

Before any international transfer, InContext Solutions assesses the data protection framework of the recipient country and ensures appropriate supplementary measures are applied where necessary.

For third-party vendor data protection requirements, refer to the Vendor Onboarding Policy.

10. Training and Awareness

All employees receive data protection training as part of their induction and on an ongoing basis thereafter. Training covers:

  • Data protection principles and individual rights
  • Recognizing and reporting personal data breaches
  • Secure handling of personal data
  • Responsibilities under this policy

Staff with specific data protection responsibilities (including those handling Subject Access Requests, special category data, or breach reporting) receive additional specialized training. Training completion is recorded and monitored.

Revision History

Date of Change    Responsible         Summary of Change
March 2026        ICS InfoSec Team    Initial publication; published to Trust Center