Privacy Policy

1. Purpose

This policy establishes and maintains a comprehensive data privacy program that ensures the protection of personal data within Gant Travel. This policy outlines the principles, roles, and responsibilities necessary to comply with applicable data protection laws and regulations.

2. Scope

This Policy applies to all employees, contractors, and third parties who process personal data on behalf of Gant Travel.

3. Definitions

Data Protection: In the context of this Policy, data protection means a set of principles and practices put in place to ensure that any personal data collected and used by, or on behalf of, Gant Travel is accurate and relevant, and that the personal data is not misused, lost, corrupted, or improperly accessed and shared.

Personal Data: Personal data is any information that may lead to the identification of a living (identified or identifiable) natural person. Some examples of personal data include name, email or location data, identification number, gender, marital status, and date and place of birth.

Sensitive Personal Data: Sensitive personal data types, including health information (ePHI), religious and political beliefs, biometric and genetic data, are considered special personal data categories. It should be noted that whether personal data is sensitive may be heavily dependent on the context. When personal data is found to be sensitive, additional protections and restrictions should be put in place during collection and processing. Such additional protections may include the controls identified for handling highly confidential information in the Data Classification Policy.

Data Controller: The term Data Controller is used to refer to the person or entity that determines the purposes and means of the processing of personal data. A Data Controller has primary responsibility for the protection of personal data. In practice there may be more than one Data Controller. It should also be noted that there will be circumstances where a Data Controller is a third party, and Gant Travel will only be a processor of personal data.

Data Processor: A Processor is the individual or entity that performs one or more processing operations on personal data under instructions from the Data Controller.

Third Party: Third Party is any natural or legal person, public authority, agency, or body other than the data subject, Gant Travel, data controller, or data processor.

Processing of Personal Data: Any operation, or set of operations, automated or not, which is performed on personal data, including but not limited to the collection, recording, storage, adaptation or alteration, retrieval, use, transfer, dissemination, correction, or destruction.

Data Subject: An individual whose personal data is subject to processing.

Affected persons: Individuals who look to or benefit from Gant Travel’s protection or assistance. This may include any person in the country or local community where Gant Travel operates.

Data Privacy Policy Version 1.0
[Updated Date]

Personal Data Breach: Unauthorized access to, or destruction, loss, alteration, or disclosure of personal data.

4. Policy

4.1 Roles and Responsibilities

Data Protection Officer (DPO)

The Data Protection Officer (DPO) is responsible for overseeing the company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. The specific responsibilities of the DPO include:

  • Monitoring compliance with GDPR and other data protection laws, including internal data protection activities, training, and audits.
  • Providing advice regarding Data Protection Impact Assessments (DPIAs) and monitoring their performance.
  • Cooperating with and acting as the contact point for supervisory authorities.
  • Informing and advising employees on their data protection obligations.
  • Handling data subject requests and ensuring timely responses to data subject access requests (DSARs).
  • Keeping the company’s data protection documentation up to date.

Compliance Committee

The Compliance Committee supports the CPO and DPO in implementing and maintaining the privacy program. It is composed of representatives from key departments such as IT, HR, Legal, and Compliance. Responsibilities include:

  • Reviewing and approving privacy policies and procedures.
  • Assisting in the development and delivery of privacy training and awareness programs.
  • Evaluating and approving DPIAs and other privacy-related assessments.
  • Addressing and resolving privacy issues and incidents.

IT Department

The IT Department plays a crucial role in ensuring data security and supporting data privacy initiatives. Their responsibilities include:

  • Implementing and maintaining technical and organizational measures to protect personal data.
  • Conducting regular security assessments and audits.
  • Managing access controls and ensuring that only authorized personnel can access personal data.
  • Responding to and mitigating data breaches and other security incidents.

Human Resources Department

The Human Resources Department is responsible for managing personal data of employees and job applicants. Their specific responsibilities include:

  • Ensuring that employee data is collected, processed, and stored in compliance with GDPR.
  • Providing privacy training and awareness to employees.
  • Managing data subject requests related to employee data.
  • Ensuring that personal data is retained only for as long as necessary for employment purposes and legal compliance.

Legal and Compliance Department

The Legal and Compliance Department ensures that all data processing activities comply with GDPR and other relevant data protection laws. Their responsibilities include:

  • Reviewing contracts and agreements to ensure they include necessary data protection clauses.
  • Providing legal advice on data protection matters.
  • Monitoring changes in data protection laws and updating policies and procedures accordingly.

4.2 General Principles

Gant Travel’s processing of personal data shall be guided by the following general principles.

4.2.1 Fairness and Legitimacy

Personal data should be processed in a fair and legitimate manner. This means that Gant Travel will only process personal data where a legitimate basis exists and that data subjects should be provided with easily understandable information related to the collection and processing of their data.

Consent is the preferred legitimate basis for processing personal information. However, if obtaining freely given, fully informed consent is not possible, the circumstances should always be documented.

Under certain circumstances, one or more of the following legitimate bases may be used in addition to, or in lieu of, consent:

  • Performance of a contract;
  • Compliance with a legal obligation to which Gant Travel is subject;
  • Protecting the vital interests of a data subject;
  • Pursuing Gant Travel’s legitimate interests.

When evaluating the legitimate bases applicable to a particular processing operation, special consideration should be given to the vulnerability of the data subject and the sensitivity of the personal data to be collected and processed, noting that what may be considered as ordinary personal information in one context could be considered as highly sensitive in another.

4.2.2 Information

Gant Travel should provide data subjects with the following information, in an easily understandable manner, when collecting personal data, or as soon thereafter as possible:

  • The legitimate basis for which the data will be processed;
  • The intended use of the data;
  • The importance of providing accurate, complete information and providing any relevant updates to the information already provided;
  • The parties that the personal data might be shared with and where they reside;
  • How the data will be stored and when and under what circumstances it will be deleted;
  • That data subjects may withdraw consent where consent was the legitimate basis relied upon for processing; and
  • Who to contact at Gant Travel should they have questions about their personal data.

The information listed above may not be provided when Gant Travel is aware or can assume that the data subject already has, or has access to, the relevant information, and where the provision of such information would be impractical in relation to the benefit to the data subject.

Additionally, the above information may not be provided when Gant Travel’s legitimate interest in the non-disclosure of such information outweighs the data subject’s rights. In case of any doubt, the DPO may be consulted for guidance.

In addition to this Policy, Gant Travel has privacy statements on its websites and other electronic communications. These privacy statements shall be reviewed for information more specific to the collection and use of personal data in the context of the relevant website or process.

4.2.3 Purpose Specification

Personal data should be collected and processed for a specified purpose and may typically only be processed for other purposes that are compatible with the original purpose. Gant Travel may process personal data for additional incompatible purposes where a legitimate basis exists and after considering the rights of the data subjects and weighing the benefits of such further processing against any potential risks.

4.2.4 Data Quality and Minimization

Personal data collected should be adequate, relevant, accurate, and not excessive considering the specified purpose for which the data was collected. All reasonable steps should be taken to ensure that personal data is updated, when necessary. When inaccurate personal data is identified, it should be corrected or deleted without undue delay.

4.2.5 Data Retention and Disposal

Personal data, whether stored on paper or electronically, should be kept no longer than is necessary to fulfill the specified purpose for which the data is processed.

Retention schedules should be maintained by Legal and implemented by each Gant Travel office, division, department, or team, based on the anticipated continuing need for the relevant personal data and in accordance with the Information and Data Classification Policy. The DPO may be consulted for guidance regarding retention.

Personal data should be disposed of in accordance with any applicable Gant Travel policy. The Legal Department should be consulted for assistance with secure disposal and electronic file deletion.

4.2.6 Confidentiality and Security

All stages of personal data processing shall be carried out in a way that ensures the appropriate security and confidentiality of personal data. Personal data must be kept secure and protected against data breaches.

It is particularly important to review the adequacy of any security measures during the design phase of any project that involves the processing of personal data to ensure that adequate security is in place throughout the project.

Gant Travel shall routinely review data security measures and upgrade them, as necessary, to ensure an adequate level of data protection with respect to the degree of sensitivity of the personal data.

4.2.7 Management of Personal Data

Gant Travel will make reasonable efforts to ensure that the personal data provided is reflected accurately and completely. Gant Travel will also put in place reasonable security arrangements to ensure that the personal data provided is adequately protected and secure.

Appropriate security arrangements will be taken to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage, and/or alteration of the personal data provided.

4.2.8 Storing of Personal Data

Gant Travel will safeguard the confidentiality of the identified personal data. Gant Travel holds personal data in secure computer storage facilities and takes steps to protect the personal data from misuse, loss, unauthorized access, modification, or disclosure.

4.2.9 Handling of Personal Data / Sensitive Data

To ensure compliance with data protection, Gant Travel will:

  • Collect and process appropriate data only to the extent required to fulfil operational or legal requirements, and restrict access to those who need it for their work.
  • Take appropriate technical and organizational security measures to safeguard personal data.
  • Ensure all personnel handling personal data are appropriately trained and supervised.
  • Regularly review and audit internal data handling processes and perform an annual privacy audit.
  • Ensure data sharing is governed by a written agreement defining scope and limits.
  • Ensure any disclosure of personal data follows approved procedures.
  • Require third parties and vendors to adhere to this policy and enforce equivalent obligations on subcontractors.
  • Monitor third-party privacy controls and conduct routine vendor risk assessments.
  • Conduct periodic reviews of third-party compliance with this policy.
  • Ensure a dedicated person is accountable for data privacy compliance, with the CIO empowered to evaluate policy implementation.
  • Ensure employees can access their personal data and understand how long it is retained.
  • Delete employee personal data at the time of offboarding and issue a deletion certificate.
  • Ensure all authorized processors of personal data are bound by confidentiality obligations that survive employment or contractual relationships.

4.2.10 End Users’ Consent

  • Corporate customers represent and warrant that they have collected and will handle all end-user content in compliance with applicable data protection laws, including obtaining all required consents from data subjects.
  • If a corporate customer requests Gant Travel to share data with a third party, a Data Retention Agreement (DRA) must be in place. Without such an agreement, Gant Travel will not process or share the data with third parties.

4.3 Personal Data Protection and Privacy Training

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Employees who handle personal data of other employees or customers must receive training to ensure that they handle it appropriately.

Gant Travel will ensure that its relevant employees (including affiliates or subsidiaries’ employees) and any third party acting as a sub-processor on Gant Travel’s behalf receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection, and confidentiality of Personal Data.

Data Protection and Privacy awareness training is part of the hiring and onboarding process, and all personnel must acknowledge the Data Classification and Protection Policy during onboarding.

Gant Travel will roll out training across all personnel covering data protection and privacy policy, keep a record of the training, and provide update and refresher training at least once a year to help personnel understand their responsibilities.

4.4 Data Security and Privacy Controls

Data security is kept appropriate to the risks to individuals if data were lost, stolen, or disclosed to unauthorized people. Organizations may consider the state of the art, costs, and the nature, scope, and context of processing to determine what is appropriate to the risks involved.

Security covers organizational and technical measures.

Gant Travel shall implement appropriate organizational and technical measures designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access, or use.

  • All data is stored using data-at-rest encryption, and access to project data is provided based on project manager request and department head approval.
  • All data transfers are encrypted at all levels.
  • Backups are created and scheduled at the time of provisioning, with periodic replication to secondary storage and regular monitoring.
  • All backup shares and production servers are protected with Antivirus and EDR (Endpoint Detection and Response).
  • Production and non-production environments are completely separated.

The security and privacy controls listed above shall be reviewed and revised annually to reflect changing regulations, security requirements, emerging threats and vulnerabilities, and the availability of modern technologies.

4.5 Data Privacy Compliance Program

Data privacy is one of Gant Travel’s top priorities. Gant Travel acts as a processor when it receives personal data on behalf of, on instructions from, and under the authority of its clients acting as controllers.

It is the responsibility and liability of clients to implement effective measures and demonstrate compliance of processing activities, even when processing is carried out by Gant Travel as a data processor.

As a processor, Gant Travel shall:

  • Maintain GDPR standards.
  • Maintain a written record of processing activities carried out on behalf of each controller.
  • Implement adequate safeguards for cross-border data transfers.
  • Notify the controller without undue delay upon becoming aware of a personal data breach and take immediate steps to identify and remediate the cause.
  • Delete all personal data received from the client after the end of service provision, unless retention is required by applicable law.
  • Extend protections of this policy to any retained personal data and limit further processing to legally required purposes.
  • Inform clients in advance of any outsourced processing activities and disclose vendor identities.
  • Ensure vendors provide equivalent technical and organizational safeguards as defined in this policy.

4.6 Data Subject Rights

4.6.1 Data Subject Rights

Gant Travel will ensure that a formal mechanism is in place to allow data subjects to exercise their rights by submitting a corresponding request.

4.6.1.1 Information on Processing

Data subjects have the right to request information regarding whether their personal data has been, is being, or will be processed by Gant Travel, and the specific purposes of such processing.

4.6.1.2 Access to and Correction of Personal Data

Data subjects have the right to review their personal data for accuracy, completeness, and relevance. Inaccurate or incomplete data will be corrected in a timely manner.

4.6.1.3 Objection to Processing

Data subjects may object to the processing of their personal data at any time. If justified, Gant Travel shall cease processing for the purposes related to the objection.

4.6.1.4 Request for Deletion

Data subjects may request permanent deletion of their personal data. Where justified, secure deletion procedures shall be followed.

4.6.2 Modalities of Requests Regarding Personal Data

Requests to exercise data subject rights should be made in writing to the DPO whenever possible and must clearly explain the request with sufficient reasoning and evidence.

Requests must include contact details and documentation verifying the identity or authority of the requester. Additional information may be requested if necessary.

Gant Travel staff shall facilitate such requests when data subjects are unable to contact the DPO directly.

4.6.3 Responses to Requests

Timely responses shall be provided in an understandable manner. Requests may be limited or refused in circumstances including:

  • Abusive or fraudulent requests.
  • Unclear or unsupported requests.
  • Requests that place individuals at risk.
  • Requests involving disproportionate effort.
  • Requests conflicting with Gant Travel’s legitimate interests.
  • Processing required for archiving, statistical purposes, or freedom of expression.
  • Processing required to comply with legal obligations or legal claims.

4.7 Commitments

4.7.1 Data Protection Impact Assessments and Privacy Impact Assessments

Gant Travel shall provide reasonable assistance to controllers with DPIAs or prior consultations as required by EU Data Protection Legislation.

DPIAs and PIAs shall be conducted for the following processing activities:

  • Profiling of individuals using personal data.
  • Automated decision-making processes.
  • Systematic monitoring of individuals in public spaces.
  • Large-scale processing of data.
  • Processing special categories of GDPR personal data.
  • Merging data collected via various processes.
  • Collecting data belonging to incapacitated persons.
  • Using modern technologies to process data.
  • Transferring data outside the EU/EEC.
  • Limiting the rights of data subjects during processing.

DPIAs/PIAs shall be conducted for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. The DPIA/PIA process includes:

  • Identifying and assessing privacy risks.
  • Implementing measures to mitigate identified risks.
  • Documenting the assessment and outcomes.

4.7.2 Data Breach Response Plan

The Information Security Coordinator (ISC) shall support and coordinate the implementation and enforcement of Information Security and Data Protection Policies.

The Information Security Management Forum (ISMF) shall provide management direction and support for data protection initiatives and data breach management.

A data breach occurs when personal information is subjected to unauthorized access or disclosure, or where information is lost and unauthorized access or disclosure is likely to occur.

A data breach is categorized as a Major Incident and handled under the Incident Management Policy. Incident management plans are tested and updated annually to ensure effectiveness.

The ISC shall oversee data breach response efforts, including containment, remediation, investigation, breach notification compliance, and prevention of recurrence, as required by applicable law.

In the event of an incident or breach involving Client Personal Data, Gant Travel shall:

  • Inform the Client immediately.
  • Investigate the incident or breach.
  • Provide the Client with a remediation plan.
  • Remediate the effects of the incident or breach.
  • Cooperate with the Client and any other investigating parties.

4.7.3 To Build the Data Privacy Compliance Program, Gant Travel Shall:

  • Monitor and enforce applicable data protection laws and regulations.
  • Implement and maintain controls to protect against unauthorized access to data.
  • Track changes in business requirements and privacy laws and ensure compliance.
  • Periodically update the Privacy Compliance Program.
  • Promote awareness of privacy risks, safeguards, and rights.
  • Continuously monitor personal data usage and maintain complete audit trails.
  • Periodically review vendor contracts for compliance.
  • Oversee critical vendors with access to PII and monitor regulatory compliance.
  • Review and update contractual obligations as required by law.
  • Maintain incident and data breach management procedures.
  • Implement internal controls to detect cyber threats promptly.
  • Conduct periodic cyber simulations.
  • Ensure only the minimum necessary personal data is processed.
  • Maintain records of processing activities.
  • Use this policy to manage legal risk and compliance.
  • Maintain records of Individual Privacy Rights requests and inform clients.
  • Prevent sharing or disclosure of client data without express consent.
  • Limit use of client data to legally and contractually approved purposes.

4.8 Personal Data Transfers

Personal data transfers are a necessary part of Gant Travel’s operations but involve risks of misuse or unauthorized disclosure.

4.8.1 Transfers to Third Parties

Transfers of personal data to third parties must comply with the general principles of this policy and be supported by adequate safeguards and a written agreement.

At a minimum, transfer agreements shall require third parties to:

  • Use personal data only for purposes specified by Gant Travel.
  • Return or destroy personal data at the end of services or upon request.
  • Implement appropriate security safeguards, including access controls and encryption.
  • Not perform onward transfers without Gant Travel’s consent.
  • Subcontract work only with Gant Travel’s approval.
  • Promptly notify Gant Travel of any security incidents or breaches.

Special consideration shall be given to the legal enforceability of agreements in relevant regions.

4.8.2 Transfers to Investigative Bodies or Governmental Authorities

Gant Travel may transfer personal data to investigative bodies or governmental authorities under legally valid circumstances.

Such transfers may occur only if:

  • The request is received through official channels and is legally valid.
  • The transfer is necessary for investigation, prevention, or prosecution purposes.
  • The transfer assists the requesting authority.
  • The data transferred is strictly limited to what is necessary.
  • The transfer does not disproportionately interfere with individual rights.

The DPO shall be consulted before entering into any agreement for such data transfers.

4.9 Lawful Basis and Transparency

Appropriate written agreements with clients shall clearly define personal data processing requirements, including:

  • The purposes of processing.
  • The types of personal data processed.
  • Who has access to the data, including third parties and their locations.
  • The security measures used to protect the data.
  • Data retention and deletion timelines.

5. Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

6. Review

This policy must be reviewed by management regularly but at least annually.

7. Exceptions

Any exception to this policy must be approved by the Chief Executive Officer and documented with the rationale for the exception.

8. Management Commitment

Executive management commits to enforcing this policy, providing the appropriate technology to carry out security controls documented in this policy, and reviewing and approving the policy annually and when major changes are made to Gant Travel systems and services.
