GDPR Compliance Policy

1. Introduction

Dashhosted is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This policy outlines how we collect, process, store, and protect personal data in compliance with GDPR requirements.

This policy applies to all personal data processed by Dashhosted, regardless of whether it is stored electronically, on paper, or in any other format.

2. Definitions

For the purpose of this policy, the following terms are defined as:

• Personal Data: Any information relating to an identified or identifiable natural person ('data subject').
• Data Controller: The entity that determines the purposes and means of processing personal data (in this case, Dashhosted).
• Data Processor: An entity that processes personal data on behalf of the Data Controller.
• Data Subject: A natural person whose personal data is processed.
• Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

3. Data Protection Principles

Dashhosted adheres to the following principles when processing personal data:

• Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Data Minimization: Personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
• Accuracy: Personal data is accurate and, where necessary, kept up to date.
• Storage Limitation: Personal data is kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
• Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
• Accountability: Dashhosted is responsible for and can demonstrate compliance with these principles.

4. Lawful Basis for Processing

Dashhosted will only process personal data when one of the following lawful bases applies:

• Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which Dashhosted is subject.
• Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
• Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Dashhosted.
• Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by Dashhosted or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. Rights of Data Subjects

Dashhosted respects the rights of data subjects and provides mechanisms for them to exercise the following rights:

• Right to Information: Data subjects have the right to be informed about the collection and use of their personal data.
• Right of Access: Data subjects have the right to obtain confirmation as to whether their personal data is being processed, and, if so, access to that personal data.
• Right to Rectification: Data subjects have the right to have inaccurate personal data rectified or completed if it is incomplete.
• Right to Erasure ('Right to be Forgotten'): Data subjects have the right to request the deletion or removal of personal data in specific circumstances.
• Right to Restrict Processing: Data subjects have the right to request the restriction or suppression of their personal data.
• Right to Data Portability: Data subjects have the right to obtain and reuse their personal data for their own purposes across different services.
• Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
• Rights Related to Automated Decision Making and Profiling: Data subjects have rights related to automated individual decision-making and profiling.

To exercise any of these rights, data subjects may contact Dashhosted using the contact information provided in Section 10 of this policy.

6. Data Security

Dashhosted implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data where appropriate.
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
• Staff training on data protection and security practices.

7. Data Breaches

In the event of a personal data breach, Dashhosted will:

• Notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
• Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
• Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.

8. Data Protection Impact Assessments

Dashhosted will carry out Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of individuals, particularly when using new technologies.

The DPIA will include:

• A systematic description of the envisaged processing operations and the purposes of the processing.
• An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
• An assessment of the risks to the rights and freedoms of data subjects.
• The measures envisaged to address the risks and demonstrate compliance with the GDPR.

9. International Data Transfers

Dashhosted may transfer personal data to countries outside the European Economic Area (EEA) only if one of the following conditions applies:

• The country has been deemed to provide an adequate level of protection for personal data by the European Commission.
• Appropriate safeguards are in place, such as binding corporate rules, standard contractual clauses, or an approved code of conduct.
• The data subject has explicitly consented to the proposed transfer after being informed of the possible risks.
• The transfer is necessary for the performance of a contract between the data subject and Dashhosted or for the implementation of pre-contractual measures.
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Dashhosted and another natural or legal person.
• The transfer is necessary for important reasons of public interest, for the establishment, exercise, or defense of legal claims, or to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent.