GDPR Policy

Auxanova Business Services FZCO

1. Purpose

This GDPR Policy outlines how Auxanova Business Services FZCO (“Auxanova”, “the Company”, “we”, “our”, or “us”) ensures compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). The policy defines the principles, roles, responsibilities, and controls governing the processing of personal data.

This policy complements Auxanova’s Data Protection Policy, Privacy Policy, and jurisdiction-specific notices, including the California Privacy Notice.

2. Scope

  • All personal data processed by Auxanova
  • All employees, contractors, consultants, and third parties acting on behalf of Auxanova
  • All systems, applications, platforms, and processes involving personal data

Personal data may relate to clients, prospects, website visitors, employees, vendors, partners, and other identifiable individuals.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Data Subject: The individual to whom personal data relates.
  • Controller: The entity determining the purposes and means of processing.
  • Processor: An entity processing personal data on behalf of a controller.
  • Supervisory Authority: An independent public authority established by an EU Member State.

4. GDPR Principles

Auxanova processes personal data in accordance with Article 5 of the GDPR:

  • Lawful, Fair, and Transparent: Processing is lawful, fair, and transparent.
  • Purpose Limitation: Data is collected for specified and legitimate purposes.
  • Data Minimisation: Data is adequate, relevant, and limited to what is necessary.
  • Accuracy: Data is accurate and kept up to date.
  • Storage Limitation: Data is retained only as long as necessary.
  • Integrity and Confidentiality: Data is protected against unauthorised access or loss.
  • Accountability: Auxanova can demonstrate compliance with GDPR principles.

5. Lawful Bases for Processing

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Public interest tasks
  • Legitimate interests balanced against data subject rights

The lawful basis for each processing activity is documented in Auxanova’s Register of Processing Activities (RoPA).

6. Data Subject Rights

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

Requests are handled without undue delay and within statutory timeframes.

7. Consent Management

  • Consent is freely given, specific, informed, and unambiguous
  • Records of consent are maintained
  • Withdrawal of consent is as easy as granting consent

8. Data Protection by Design and by Default

  • Privacy embedded into systems and processes
  • Access limited to what is strictly necessary
  • Security controls applied from the outset

9. Security of Processing

  • Access controls and authentication mechanisms
  • Secure storage and encrypted transmission where appropriate
  • Regular backups and disaster recovery procedures
  • Staff training and confidentiality obligations
  • Ongoing risk assessments and security reviews

10. Data Retention and Deletion

Personal data is retained only for as long as necessary and deleted or anonymised in accordance with retention schedules.

11. Data Processors and Third Parties

  • Processing governed by GDPR-compliant written agreements
  • Appropriate security measures required
  • Sub-processing permitted only with safeguards

12. International Data Transfers

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Other lawful GDPR-recognised transfer mechanisms

13. Personal Data Breaches

  • Prompt risk assessment
  • Supervisory authority notified within 72 hours where required
  • Affected individuals informed where high risk exists

14. Training and Awareness

Employees and relevant personnel receive appropriate GDPR and data protection training.

15. Policy Review and Updates

This GDPR Policy is reviewed at least annually and updated to reflect legal, regulatory, or operational changes.

16. Contact Details

Auxanova Business Services FZCO
Email: info@auxanova.com