GTOLAB LTD

COMPANY PRIVACY NOTICE

This Company Privacy Notice (hereinafter “Company Privacy Notice”) contains binding rules for employees and contractors (hereinafter referred to as “Employees”, “You”) of GTOLAB LTD, a company registered in accordance with the laws of the Republic of Malta, company number C 108005, having its registered address at 35 Second Floor, Triq L-Imdina, Attard, ATD 9038, Malta (hereinafter “GTOLAB”, “We”, “Us”, “Our”) regarding the procedures for using and Processing Personal Data.

Compliance with this Company Privacy Notice is mandatory for all Employees, provided that the agreement between GTOLAB and the Employee specifies the obligation to comply with the Company Privacy Notice.

Terminology

All terminology in this Company Privacy Notice is used in accordance with the Terms of Service, Privacy Notice, Employee Privacy Notice and Cookies Notice.

Principles of Data Processing

GTOLAB processes Personal Data according to the following principles:

  • Lawfulness, fairness, and transparency. Personal Data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation. Personal Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimization. Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy. Personal Data must be accurate and, where necessary, kept up to date.
  • Integrity and confidentiality. Personal Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Personal Data Processing

Employees must process Personal Data in accordance with the current versions of the Privacy Notice, Employee Privacy Notice, and Cookie Notice on the date of Processing.

Data Subject’s Rights and Enforcement

Rights

All Personal Data rights of Data Subjects are listed in the current versions of the Privacy Notice, Cookies Notice, and Employee Privacy Notice on the date of Processing.

Data Subject Request Form

Data Subjects can enforce the Personal Data rights through the Data Subject Request Form.

Personal Data Protection

Protection in General

GTOLAB protects Personal Data through technical and organizational measures. Measures of protection include:

  • HTTP connection with SSL and TLS certificates: An HTTP connection with SSL (Secure Sockets Layer) and TLS (Transport Layer Security) certificates is a secure method of establishing a connection between individuals and servers over the internet, encrypting the data transmitted between them to prevent eavesdropping, tampering, or forgery.
  • Training Employees in cybersecurity and data privacy via onboarding: GTOLAB provides onboarding and regular training to all Employees in cybersecurity and data privacy, covering topics such as password security, phishing awareness, social engineering attacks, and incident reporting.
  • Distribute Access to Personal Data: Employees are granted access to Personal Data on a need-to-know basis, ensuring they only access data necessary for their responsibilities.
  • Distribute Storing in Different Databases: This approach ensures that Personal Data is not stored in a single point of failure and improves data resilience while reducing the impact of potential breaches.
  • Safe Servers for Web Hosting and Data Storage: Secure servers equipped with robust measures such as firewalls, encryption, and backups are used to ensure operational continuity even during disruptions.
  • Strong password requirements: Passwords must be at least 12 characters long, include uppercase and lowercase letters, a number, and a symbol, and be unique for each account. Two-factor authentication is recommended.

Personal Data Deletion

GTOLAB retains and deletes Personal Data according to the following conditions, ensuring compliance with legal obligations:

  • Website Visit Data: Retained for optimizing Website performance, ensuring security, and conducting analytics. Deleted once these purposes are fulfilled, unless required for statutory retention obligations.
  • Account Data: Stored as long as necessary to maintain Accounts and fulfill contractual obligations. Deleted after account deactivation, unless needed for statutory retention or evidence purposes.
  • Purchase Data: Retained for processing transactions, fulfilling obligations, and complying with tax regulations. Deleted after obligations are met, unless required for statutory limitations.
  • Customer Support Data: Retained while addressing inquiries and providing support. Deleted after resolution, unless needed for legal purposes.
  • Employee Data: Retained for onboarding, legal obligations, and business optimization. Deleted after these purposes are fulfilled, unless required for statutory obligations.
  • Anonymization: Personal Data may be processed for internal purposes if anonymized, removing all identifiers and connections to Data Subjects.

Data Breach Notification

Response Team

If a Personal Data Breach is detected, a team consisting of specialists, including external specialists, and the management of GTOLAB must be established. The team should deal with eliminating the breach and minimizing any consequences. An authorized team member must alert the DPA and, if necessary, the impacted individuals. All breaches must be recorded and described.

Notifying the DPA

The DPA must be informed within 72 hours of the breach with the following details:

  • The nature of the Personal Data Breach.
  • Impacted individuals.
  • Contact details of the responsible person for further information.
  • The possible consequences of the breach.
  • Measures taken or proposed to address the breach.

Notifying the Data Subject

Impacted individuals must be informed if the breach risks violating their Personal Data rights. Notifications should include:

  • The nature of the Personal Data Breach.
  • Contact details of the responsible person for further information.
  • The possible consequences of the breach.
  • Measures taken or proposed to address the breach.
  • Steps to reduce risks of similar breaches.

Responsibilities of Employees

  • Employees must comply with the Company Privacy Notice, Privacy Notice, Terms of Service, Employee Privacy Notice, and Cookies Notice when handling Personal Data.
  • Employees must ensure the confidentiality of Personal Data they access during their duties and must not disclose it without proper authorization.
  • Employees should use strong passwords, enable two-factor authentication, and follow security measures provided by GTOLAB.
  • Employees must report any breaches or attempts of unauthorized access to the GTOLAB responsible person immediately.
  • Personal Data must only be used for official duties and not for any other purposes.
  • Employees are required to participate in regular training and advanced training on cybersecurity and data protection.

Miscellaneous

  • Effective date: This version of the Company Privacy Notice is valid from the Effective date.
  • Consent: Employees agree to comply with the Company Privacy Notice by signing employment, service agreements, or any other agreements referencing this notice. Compliance is required for the entire term of such agreements unless otherwise stated.
  • Severability: If any provision is deemed invalid or unenforceable, it will be replaced with a valid provision achieving the same purpose, while the remaining provisions remain in full force.
  • Changes: GTOLAB may update the Privacy Notice, effective upon written agreement by Employees.
  • Governing law and dispute resolution: This notice is governed by Maltese law. Disputes must be resolved through negotiations within 30 days, failing which they will be settled in Maltese courts.
  • Languages: This notice is available in English. If discrepancies exist, the English version prevails.