DATA PROTECTION POLICY

OVERVIEW

1. The Data Protection Policy (hereinafter – the Policies) applies to all staff, contractors, and users using any type of infrastructure provided by the Real Exchange (REX) Ltd.
2. The transmission of information across networks and the Internet increases the Company’s risk of exposure to accidental, or deliberate, unauthorised modification or disclosure of personal data.
3. The company is committed to respecting customers, suppliers and staff privacy and safeguarding of its personal data.
4. The company just retain its data for as long as is necessary and always treat it safely
5. We ask to other companies to process data on our behalf we always make sure that they following similar or higher standards than ourselves.

SCOPE

The purpose of this Policy is to:

• Supporting the standardization of the usage of data;
• Monitoring the management of internal data including staff;
• Defining the principles of data transfer;
• Ensure an adequate and legal management of data;
• Implementing the roles and responsibilities of data management.

PRINCIPLES AND REQUIREMENTS OF THE DATA PROTECTION POLICY

The company is committed to processing data in accordance with its responsibilities and under the regulatory requirements, such as GDPR and Maltese Laws. The Data Protection Policy include and is based on the following:

• Data is processed lawfully, fairly and in a transparent manner in relation to individuals;
• Data shall collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• Data is used as adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Internal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

1. Data Protection Principle

The Data Protection Principle outlines the approach, methodology, requirements and responsibilities for preserving the confidentiality, integrity and availability of the Company information. This Principle covers the core data protection requirements that are to protect the following information/data assets properties:

Confidentiality (C) – to protect information/data assets from breaches, unauthorised disclosures, loss of or unauthorised viewing.

Integrity (I) – to retain the integrity of the information/data assets by not allowing it to be modified

Availability (A) – to maintain the availability of the information/data assets by protecting it from disruption and denial of service attacks.

Reputation – to protect the reputational loss can occur when any of the C, I or A properties are breached.

For the Company, the core properties are impacted, and the effect aggregated, when any data breach relates to customer personal and financial data

2. General Provisions

• This policy applies to all personal data processed by the company
• The Responsible Person shall take responsibility for the company’s ongoing compliance with this policy
• This policy shall be reviewed at least annually.
• Personal data must be processed lawfully, fairly and in a transparent manner;
• Personal data must always be processed in accordance with good practice;
• Personal data must only be collected for specific, explicitly stated and legitimate purposes;
• Personal data must not be processed for any purpose that is incompatible with that for which the information is collected;
• Personal data that are processed must be adequate and relevant in relation to the purpose of the processing;
• Personal data that are processed must be correct and, if necessary, up to date;
• All reasonable measures must be taken to complete, correct, block, or erase data to the extent that such data are incomplete or incorrect, having regard to the purposes for which they are processed;
• Personal data must not be kept for a period longer than is necessary, having regard to the purposes for which they are processed;
• Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental destruction, loss or damage;
• Personal data must not be transferred to third countries that do not offer an adequate level of protection.
• To ensure its processing of data is lawful, fair and transparent, the Company shall maintain an inventory of Systems and shall be reviewed at least annually.
• All data processed by the company must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
• Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
• Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the company’s systems.
• The company have an Information security incident management policy which includes the data breaches escalation process

3. Requirements for Physical Security of Data and Systems

• Users shall ensure that any sensitive and restricted information is not removed from site without prior approval and authorisation from the Management.
• Users shall ensure that mobile systems or devices are not used outside the premises of the Company without prior approval and authorisation from the Management.
• Mobile systems, devices or information shall be transported securely and kept with the individual at all times.
• Remote locations shall be secure to work in, i.e. not overlooked by unauthorised persons.
• Sensitive matters shall not be worked on in public places.
• Sensitive conversations, restricted or other sensitive information shall not be carried out in public. Secure email should be used or wait until you are back in the Company premises if possible.
• If left unattended in semi-controlled areas such as conference centres or customer offices, laptops shall be shut down and locked to a fixed point using a physical lock available from IT specialist.
• Restricted or other sensitive information shall be brought back to the Company premises for secure disposal.
• Precautions shall be taken to protect assets against opportunist theft.
• Mobile systems, devices or information shall never be left unattended in airport lounges, hotel lobbies, vehicles and similar areas as these areas are insecure.
• Mobile systems, devices or information shall be shut down and physically locked down or locked away when left in the office overnight.
• Users shall ensure that unauthorised persons (friends, family, associates, etc.) do not gain access to mobile systems, devices or information in their charge.
• Any loss, theft, misplacement or unauthorised access of systems, devices or information shall be reported immediately to the Management.
• The company shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
• Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
• When personal data is deleted this should be done safely such that the data is irrecoverable.
• When personal data is deleted this should be done safely such that the data is irrecoverable.
• Company adopts a strict clear desk policy

4. Requirements for Technical Security of Data and Systems

• Files containing sensitive/restricted data or other sensitive information shall be adequately protected e.g. encrypted and password protected
• All removable media shall be virus checked prior to use.
• Mobile devices shall have security options enabled, such as a pin numbers or a password.
• Automatic lock outs shall be enabled when IT equipment is left unattended.
• Users shall ensure that virus protection software or any other security measures put in place on devices are never disabled or bypassed.
• Users shall ensure that sensitive/restricted data or other sensitive information is stored on mobile systems or devices unless it is protected with approved encryption, and it is absolutely necessary to do so.
• Staff shall ensure that privately owned mobile systems or devices are not used for official business purposes.
• Users shall ensure that all data is classified according the internal data classification policy, defined by Information Security Department.
• The Company shall take reasonable steps to ensure personal data is accurate.
• Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
• To ensure that personal data is kept for no longer than necessary, the Company shall put in place an archiving policy for each department in which personal data is processed and review this process annually.
• The archiving policy shall consider what data should/must be retained, for how long, and why.

5. Contracts and confidentiality agreements requirements

• A formal contract between the Company and the outsourced provider or the supplier shall exist to protect both parties. The contract shall clearly define the types of information company and the purpose for so doing.
• A formal contract between the Company and the outsourced provider or the supplier shall exist to protect both parties. The contract shall clearly define the types of information company and the purpose for so doing.
• Any information received by the Company from the outsourced provider or the supplier which is bound by the contract or confidentiality agreement shall be protected by appropriate security classification and labelling.
• Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.
• Legal, regulatory and other third party obligations such as data protection/privacy laws, money laundering etc.

6. Access control requirements

• In order to prevent unauthorised access to sensitive data assets by users, outsourced providers, suppliers, sub-contractors or any third party, the company have a robust framework of accesses granted, review and revoke processes carried out by IT department which includes 2FA, authorization of access, data encryption, strong passwords, etc
• The Company shall ensure that all information assets handed over to the outsourced provider during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract.
• The requirement for any access shall be defined in the contract
• Access shall be granted using the principle of ‘Least Privilege’. This means that every program and every user of the system should operate using the least set of privileges necessary to complete the job.
• Each user shall be identified by a unique user identity so that users can be linked to and made responsible for their actions. The use of group identities shall only be permitted where they are suitable for the work carried out (e.g. training accounts or service accounts).
• During their induction to the system each user should be given a copy of guidelines for staff on use of the system and their user login details, and should be required to sign to indicate that they understand the conditions of access.
• Records of user access may be used to provide evidence for security incident investigations.
• The aim is to have a properly designed and documented access control regime that will support the Technical administrator in the production and maintenance of access control lists which will allow only authorised users access only to the systems and information they require to carry out their role. This method is also referred to as ‘Least Privilege’ or ‘Need to Know’.
• Privilege access management shall be controlled through a formal process and only the minimum privileges shall be granted to carry out the role or task.

7. Compliance Requirements

• The Company is obliged to abide by all relevant Malta legislation. The requirement to comply with this legislation shall be devolved to employees and agents of The Company, who may be held personally accountable for any breaches of information security for which they may be held responsible.
• Audit is performed as part of the ongoing Audit Programme and the Company shall ensure appropriate evidence and records are provided to support these activities at least on an annual basis.
• In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the company shall promptly assess the risk and escalate to CEO, CRO and MLRO for further actions guidance. When appropriate and necessary the Company will inform regulator.
• There is zero tolerance for data breach as per our code of conduct.

8. Violation of the Policy

• Violation of this Policy may result in disciplinary action which may include termination of employment.
• Violation of this Policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with the Company.
• Employees, contractors and agents who violate this Policy may be subject to civil and criminal prosecution under the law of Malta.

9. Roles and responsibilities

• Board of Directors
  
  • Approve the current policy and ensure an appropriate implementation across the company
  • Define the strategical initiatives in different scenarios
  • Appointing the data coordinators including the DPO


• Data Protection Officer (DPO) – Will be the Chief Risk Officer
  • Report the incidents to the management within the agreed SLAs
  • Monitor compliance with the different regulations
  • Disseminate a culture of zero tolerance of data breaches
  • Provide information and advice throughout the organization


• Chief Compliance Officer
  • Training the staff on different compliance matters including data protection
  • Conduct regular assessments to ensure full adherence to the current policy
  • Serving as a point of contact between the company and the regulators


• Head of Cyber Security
  • Acting as accountable for information risk within the Company and advises the Management Board on the effectiveness of data issues across the Company
  • Acting as accountable for information risk within the Company and advises the Management Board on the effectiveness of data issues across the Company
  • Monitoring potential and actual data breaches with appropriate expertise
  • Communicating and promoting awareness of data protection
  • Approve and review the access to internal data
  • Define the data classification processes across the company


• CIO
  • Maintaining this policy updated, challenge and oversight role of the policy
  • Ensuring that the risks associated to data protection remains within risk appetite tolerances
  • Testing Business Continuity Plans associated to data risks
  • Identifying and meet confidentiality and data security based on laws and regulations
  • Ensuring confidentiality and data security requirements prior to receive data
  • Ensure that all staff is resourced and equipped to execute their tasks
  • Establishing and documenting rules for use of, access to, approval for use of, and removal of access to the Company internal data


• All staff including contractors
  • Ensuring full adherence to the current policy and adopt the best practices regarding data protection.
  • Reporting to DPO any suspected or actual data breaches.
  • Ensuring that they lock their screens whenever they leave their desks to reduce the risk of data breaches.
  • Keeping their passwords confidential and unique user identities shall not be shared.
  • Using solely data accesses for what was granted

DEFINITIONS

Company - Real Exchange (REX) Ltd.

GDPR – General Data Protection Regulation

IT assets – this term refers to IT resources and includes but are not limited to: equipment such as laptop/desktop computers, servers, printers, peripheral devices that connect or have access to the Company’s network, as well as USB keys, portable data drives, backup devices and CD/DVDs. This also includes hand held devices like mobiles, tablets, and smart phones. IT assets also include any other .

IT resources all the equipment, networks, hardware, software, documentation, programs, information, technical knowledge, expertise and other resources, including all information technology resources and computer systems, held, owned or used by or on behalf of the Company, employees or any of its respective Subsidiaries to the extent used in connection with the Company’s business as currently conducted and, in all material respects, as conducted during prior periods of business activities.

Personal data - Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive data – information that is protected against unwarranted disclosure. Access to sensitive data shall be safeguarded. Protection of sensitive data is required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.

Restricted data – any data that is extremely sensitive and could cause extreme damage to the integrity, image or effective operation of the Company. Extreme damage includes loss of life, risks to public safety, substantial financial loss, social hardship and major economic impact.

Processing - any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Recipient - a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Authoritities shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third Party - natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data - means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Genetic data - personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question .

Biometric data - personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Representative - natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

DPO – Data Protection Officer.

CIO – Chief Information Officer.

Data Controller – Body or person who determines the purposes for which and the means by which personal data is processed .

Data processor – Body or person who processes personal data on behalf if data controller, as for example third party staff.