Why is it so necessary for a company to have clear and updated internal data protection policies?

Such instruments not only provide data subjects with the certainty that their personal data will be treated, used and handled in a safe manner, under specific procedures and security measures, but also allow the company to have an internal policy to be used and known by all the employees and different parties involved in the data collection and processing.

A policy should tell an employee what actions to take when, for instance, there is a possible data security breach.

According to Costa Rican law, a data protection policy should describe how personal data must be collected, handled, used, treated and stored by a company in order to meet the company’s data protection standards, and to comply with all the applicable laws and regulations.

The purpose of an internal data protection policy is for the company to have an internal document covering all the requirements, specifics, formalities and procedures to ensure that it, and particularly its personnel, will follow and comply with: (i) good and customary practices in data collection and protection; (ii) protecting the rights of employees, directors, shareholders, customers, partners or any other individual or third party considered to be a data subject as per the company’s personal data bases; (iii) the required transparency on how it stores, manages and processes personal data; and (iv) all procedures to protect itself from the risk of a data security breach.

Everyone who works for or with the company shall be directly responsible for ensuring data is collected, processed, stored and handled appropriately and in line with the company’s data protection policy.

Personal Data may include data about customers, suppliers, employees and other individuals, or information considered as personal data provided by third parties, with which the company has a relationship or which it may need to contact. For instance, the company may directly or indirectly receive or obtain personal data related to any of its customers by reason of their business relationship or in preparation for such a possible business relationship. Personal Data can include names, occupation or position of individuals, domicile or postal addresses, email addresses, telephone numbers, or any other type of information relating to individuals.

Data protection policies need to be updated, appropriate and customized to the company’s size, culture and to the specific characteristics of its operation and data processing. Such policies shall be applicable to all “personal data” regardless of whether such data is processed or stored electronically, on paper or on other materials. To comply with the currently applicable Costa Rican data protection law (Data Protection Law Number 8968 – denominated “Law for the Protection of People Against the Treatment of their Personal Data” and its Regulations), personal data must be collected, treated and used fairly and according to the applicable data protection regulations and principles.

Personal data needs to be stored safely and not disclosed unlawfully, specifically indicating who will have access to such data or to whom it might be disclosed or transferred.
