Data Protection Policy
Our commitment to protecting personal data and ensuring compliance with data protection regulations
1. Overview
ASAT LABS is committed to protecting the personal data of all individuals with whom we interact. This Data Protection Policy outlines our approach to data protection and ensures compliance with applicable data protection laws and regulations.
This policy applies to all employees, contractors, partners, and third parties who process personal data on behalf of ASAT LABS. It establishes the framework for responsible data handling and demonstrates our commitment to privacy and data protection.
2. Data Protection Principles
We adhere to the following fundamental data protection principles:
- Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only
- Data Minimization: We collect only data that is adequate, relevant, and limited to what is necessary
- Accuracy: Personal data is kept accurate and up to date
- Storage Limitation: Data is retained only for as long as necessary
- Integrity and Confidentiality: Appropriate security measures protect personal data
- Accountability: We are responsible for and can demonstrate compliance with these principles
3. Legal Basis for Processing
We process personal data only when we have a valid legal basis. Our legal bases include:
- Consent: The individual has given clear consent for us to process their personal data for a specific purpose. Consent must be freely given, specific, informed, and unambiguous.
- Contract: Processing is necessary for the performance of a contract with the individual or to take steps at their request before entering into a contract.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which ASAT LABS is subject.
- Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by ASAT LABS or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
4. Data Subject Rights
We respect and facilitate the following data subject rights:
All rights requests are handled within one month of receipt. We may extend this period by two further months where necessary, taking into account the complexity and number of requests.
5. Data Processing Activities
We maintain records of all data processing activities, including:
- Purpose of processing and legal basis
- Categories of data subjects and personal data
- Categories of recipients to whom data is disclosed
- International data transfers and safeguards
- Retention periods for different categories of data
- Security measures implemented to protect data
6. Data Retention
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.
- User Account Data: Retained while the account is active and for 12 months after account closure
- Financial Records: Retained for 7 years in accordance with tax and accounting regulations
- Marketing Data: Retained until consent is withdrawn or for 3 years of inactivity
- Legal Claims Data: Retained until the statute of limitations expires
Upon expiration of retention periods, personal data is securely deleted or anonymized.
7. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption of personal data in transit and at rest
- Multi-factor authentication for system access
- Regular security assessments and penetration testing
- Access controls based on the principle of least privilege
- Employee training on data protection and security
- Incident response and disaster recovery plans
- Regular backups and secure backup storage
- Vendor security assessments and due diligence
8. Data Breach Procedures
In the event of a personal data breach, we have established procedures to:
- Detect and contain the breach immediately
- Assess the risk to individuals' rights and freedoms
- Notify the relevant supervisory authority within 72 hours where required
- Inform affected individuals without undue delay if there is a high risk to their rights
- Document all breaches, including facts, effects, and remedial actions taken
- Conduct post-incident reviews to prevent future breaches
All employees must report suspected data breaches immediately to the Data Protection Officer.
9. Third-Party Processing
When engaging third-party processors, we ensure:
- Written contracts are in place specifying processing activities and obligations
- Processors provide sufficient guarantees of appropriate security measures
- Processors only act on our documented instructions
- Processors assist with data subject rights requests and breach notifications
- Sub-processors are only engaged with our prior authorization
- Regular audits and assessments of processor compliance are carried out
10. Compliance and Audits
We demonstrate accountability through:
- Regular data protection impact assessments (DPIAs) for high-risk processing
- Annual internal audits of data protection practices
- Maintenance of comprehensive processing records
- Staff training and awareness programs
- Privacy by design and by default in all new projects
- Cooperation with supervisory authorities
11. Contact the DPO
For any questions about this Data Protection Policy, to exercise your rights, or to report a data protection concern, please contact our Data Protection Officer:
Email: legal@asatlabs.org
Phone: +256 7522 96146
Address: ASAT LABS, Gulu, Uganda
Acknowledgment
By clicking "I Agree" below, you acknowledge that you have read, understood, and agree to comply with this Data Protection Policy.