Incorpro GDPR Policy

Last Updated: 5 May 2026

1. Incorpro’s GDPR Policies

Six Core Principles

Incorpro shall at all times comply with its data protection obligations under the GDPR, in keeping with the six core principles of GDPR that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose Limitation)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimisation)
  4. Accurate and where necessary kept up to date (Accuracy)
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage Limitation)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Integrity and Confidentiality).

Based on these principles, for each piece or type of personal data we hold, the firm is able to demonstrate on demand (i.e. accountability):

  • Why we are holding it;
  • How we obtained it;
  • The purpose/s we use it for;
  • How long we will retain it;
  • How secure it is in terms of its accessibility and data security; and
  • On what basis we share it with any third parties.

Further points

In addition to the 6 core principles, the firm shall ensure that:

Training & Education

  • There are sufficient levels of awareness of data protection in our organisation;
  • Our staff are aware of their data protection responsibilities – including the need for confidentiality; and
  • Data protection is included as part of the training programme for our staff and this training is regularly refreshed.

Co-ordination and Compliance

  • It has been determined that a Data Protection Officer is not required and a Head of Privacy has been nominated.
  • All staff are aware of their role in data protection compliance.
  • Mechanisms are in place for formal review by the Head of Privacy within our organisation.
  • We have an overall framework in place that demonstrates how we comply with GDPR.
  • There is regular monitoring and auditing of our data protection framework for GDPR compliance.

2. Responsibilities and Reporting Lines

The firm has appointed a Head of Privacy who is responsible for compliance with GDPR and all personal data processing and data security within the firm. To contact the Head of Privacy, please email info@incorpro.ie.

Consideration of whether the firm needs to appoint a Data Protection Officer (DPO)

The GDPR specifies that a Data Protection Officer (DPO) must be appointed when:

  • the core activities of the firm consist of regular and systematic monitoring of data subjects on a ‘large’ scale; or
  • the firm processes special category data or criminal offences, again if on a ‘large’ scale.

In view of these criteria and the firm’s activities, the firm has considered whether it is required to appoint a DPO and has decided not to appoint a DPO.

3. Data Processing

Handling of client data

Based on our Data Map, the following are the main types of data, data subjects, types of data processing, and our status as Controller or Processor.

Personal data processed by this firm

The firm processes two different types of personal data: client data and firm data.

  • 'Client data' is personal data received from clients in relation to professional engagements and practice; and
  • 'Firm data' is personal data held by a firm in relation to its own management, employees and affairs generally, including marketing databases.

Categories of Data Subjects

The firm holds personal data for the following categories of people (Data Subjects):

  1. Business Partners/Directors in the firm who are living natural persons
  2. Current clients and their family members who are living natural persons (includes their Anti-Money Laundering customer due diligence data)
  3. Employees of clients for whom we process outsourced payroll etc.
  4. Former clients and their former employees for whom we have processed payroll etc. in the past
  5. Prospective clients and website enquirers (including individuals on a mailing list and individuals who contact us via the website or otherwise with a view to becoming clients)
  6. Sub-Contractors of the firm
  7. Existing staff & former staff of the firm
  8. Job applicants to the firm
  9. Other ‘Contacts’ not already included on the above lists including complainants, enquirers etc.

Client data processing carried out by the firm

Customer Due Diligence

For all clients, the firm is obliged to obtain Customer Due Diligence information under Anti-Money Laundering legislation. This data includes copies of passports (or similar photographic ID) which record the date of birth and nationality of clients, and utility bills (or similar) which provide evidence of the home address. This is considered to be personal data.

Data obtained in the provision of services

Accounts preparation and bookkeeping assignments for corporate clients - the firm obtains and processes personal data concerning a number of persons associated with the entity, including the directors, staff, customers, suppliers, subcontractors and other natural persons who are service providers of the client.

Accounts preparation assignments for unincorporated clients - In this case the firm considers all information obtained to be personal data because there is no legal separation between the business and the personal affairs of the client.

Corporation tax advice assignments - the firm obtains personal data concerning the directors and staff of the company.

Personal Tax - Income tax including directors’ PAYE, capital gains tax, capital acquisitions tax, and other personal tax heads. All data obtained and processed in these assignments is personal data processed by the firm.

Payroll Services - the firm obtains and processes personal data concerning the directors and staff of the clients.

In all of the above assignments, the firm will obtain names, addresses, email addresses, dates of birth, salary levels and other similar information. In personal tax, extensive details of the personal financial affairs of the client are obtained. In some personal tax cases, we may obtain information regarding the state of health of the client, which may be relevant to the claiming of personal tax credits. In some cases, the firm may obtain personal data concerning persons under eighteen years who are employed by clients.

AI-Assisted Tools - the firm uses AI-assisted tools including IncorproChat, powered by third-party providers (OpenAI and Anthropic). IncorproChat draws on a knowledge base of employee-produced content; it is not trained on user conversations. Users must not submit personal, confidential, or sensitive data through these tools. The firm's lawful basis for the AI-assisted processing described above is its legitimate interest in the efficient delivery of professional services and in periodically reviewing conversation logs to identify quality regressions and inform updates to the knowledge base. Conversation logs are retained for up to 12 months from the date of the conversation, after which they are deleted; where a conversation forms part of a client engagement record, the firm's general client-engagement retention periods apply instead.

Automated Decision-Making and Profiling - the firm does not use automated decision-making or profiling that produces legal or similarly significant effects about data subjects. Where the firm uses AI-assisted tools (see above), the output of those tools is reviewed by a member of staff before any decision affecting a data subject is taken. Data subjects retain the right under Article 22 of the GDPR not to be subject to a decision based solely on automated processing.

Lawful Basis

The GDPR stipulates that a firm must establish that it has a lawful basis for processing data. In relation to ‘client data’, the firm considers that the lawful bases are to meet the specific legal obligation to maintain documentation.

In all professional engagements, the firm considers that it has a legal right and obligation to maintain engagement files and correspondence files containing personal data so that it can subsequently demonstrate that it complied with its contractual obligations and that it applied due skill and care, as well as complying with other legal and professional obligations in the performance of the engagements.

It is the firm’s policy to identify and document the lawful basis for processing data at the start of the client engagement and to inform individual clients of this via a privacy notice, as an addendum to the engagement letter. Corporate clients will be required to separately sign an addendum setting out the data processing obligations of the firm and the client, as required by the GDPR. The following are the lawful bases identified by the firm for holding and processing client data:

Type of Engagement | Lawful basis for processing personal data
Accounts preparation and bookkeeping assignments for corporate clients | Necessary for Contract, Legal Obligation, Legitimate Interests
Accounts preparation assignments for unincorporated clients | Necessary for Contract, Legal Obligation, Legitimate Interests
Corporation tax compliance & advisory assignments | Necessary for Contract, Legal Obligation, Legitimate Interests
Personal Tax | Necessary for Contract, Legal Obligation, Legitimate Interests
Payroll Services (own employees) | Necessary for Contract, Legal Obligation, Legitimate Interests
Payroll Services (on behalf of corporate clients) | Necessary for Contract, Legal Obligation, Legitimate Interests

For the specific statutory provisions that establish each legal obligation, and the applicable retention periods, see our Privacy Notice.

Employee Data: The firm considers that it has a legal obligation to hold personal data of employees, and that the processing of employees’ personal data is necessary to fulfil the firm’s obligations under the employment contract of each employee. The firm holds only that personal data that is necessary to hold, and for the retention periods set out in its data retention policy. This is specified in the privacy statement in the firm’s employee handbook (provided to employees at induction).

Special Category Data

The firm acknowledges that personal data which reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data and data concerning individuals’ sex life or orientation are considered ‘Special Category Data’ under the GDPR, and that processing such data is prohibited unless an exception applies. The firm does not intend to process Special Category Data on behalf of clients, and in any case will not do so unless an exception applies, as provided in the GDPR. Where it is necessary for the firm to process Special Category Data of an employee, the firm will do so in accordance with the employee handbook.

The firm’s status as a Data Controller or Processor

The firm acknowledges that in accordance with GDPR and the guidance of the European Data Protection Board (EDPB), the firm may be a data processor where a corporate client determines the purposes and means by which the firm processes personal data, and the firm is a data controller where the firm determines the purposes and means by which it processes personal data.

The firm acts as a controller or processor in accordance with the following table:

Type of Engagement | Controller or Processor
Accounts preparation and bookkeeping assignments for corporate clients | Controller
Accounts preparation assignments for unincorporated clients | Controller
Corporation tax compliance & advisory assignments | Controller
Personal Tax | Controller
Payroll Services (own employees) | Controller
Payroll Services (on behalf of corporate clients) | Processor

Note: Where a corporate client determines the purposes and means of processing (for example, by instructing the firm to process payroll data solely for that client's purposes), the firm acts as Processor and the client acts as Controller for that activity. The classifications above represent the firm's general position; the specific status may vary by engagement and will be documented in the relevant engagement letter or data processing agreement.

Contracts between data processors and data controllers

  • ID-Pal Limited — identity verification
  • Google Ireland Limited — cloud infrastructure, document processing, analytics
  • OpenAI — document analysis and AI assistance
  • Anthropic — AI assistance
  • Mailgun (Sinch) — email delivery
  • Revolut Bank UAB (Irish Branch) — payment processing
  • Yapily Limited (UK) — open-banking transaction data, with the data subject's consent
  • Calendly — meeting scheduling
  • WhatsApp Ireland Ltd — client messaging
  • Sentry — application error monitoring (error reports may incidentally include personal data that appears in stack traces or log context)
  • LinkedIn Ireland Unlimited Company — advertising

Where these providers process personal data on our behalf, the relationship is governed by a written Article 28 agreement that documents the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the rights and obligations of the controller and processor.

Some of these providers transfer or onward-transfer personal data outside the EEA. OpenAI, Anthropic, Mailgun (Sinch) and Sentry are US-based; transfers to these providers are governed by the 2021 Standard Contractual Clauses approved by the European Commission. Calendly is US-based and transfers take place under the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Google Ireland Limited, WhatsApp Ireland Ltd and LinkedIn Ireland Unlimited Company are EEA-based contracting entities, but personal data may be onward-transferred to the relevant US-based parent or affiliate (Google LLC, Meta Platforms Inc. and LinkedIn Corporation respectively); for Google those onward transfers are governed by Standard Contractual Clauses, and for WhatsApp/Meta and LinkedIn they are governed by the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses where relevant. ID-Pal Limited and Revolut (Revolut Bank UAB Irish Branch) are EEA-based and personal data shared with them remains within the EEA. Yapily Limited is based in the United Kingdom; transfers of personal data to Yapily are made on the basis of the European Commission's adequacy decision for the United Kingdom dated 28 June 2021.

The categories of personal data transferred to each provider are determined by the service that provider delivers to the firm, as described in the list above. A copy of the Standard Contractual Clauses and other safeguards described above is available on request from our Head of Privacy at info@incorpro.ie.

The firm’s responsibilities when it acts as Data Controller

Where the firm acts as a Data Controller, it acknowledges that it is subject to the full scope of data protection obligations imposed by the GDPR. This includes (but is not limited to) the firm’s obligations to:

  • provide privacy notices to all data subjects *;
  • respond to subject access requests from data subjects; and
  • report data breaches to the Data Protection Commission.

* Article 14 of the GDPR contains limited exemptions from these requirements where the firm has not collected data directly from the data subjects. This is dealt with in more detail later in this section, under Privacy statements.

The firm’s responsibilities when it acts as Data Processor

Where the firm acts as a Data Processor, it acknowledges that it is subject to certain data protection obligations imposed by the GDPR. These obligations are:

  • To process data only on the documented instructions from the controller (corporate client);
  • To take all appropriate technical and organisational measures to ensure the security of personal data;
  • To sub-contract only with the prior written permission of the controller;
  • To co-operate with the Data Protection Commission;
  • To conduct Data Protection Impact Assessments where required in accordance with GDPR;
  • To maintain records of data processing activities;
  • To report any data breach to the controller without undue delay; and
  • To comply with any additional obligations in an agreed data processing contract with the controller.

Privacy Statements

Where the firm acts as a data controller, it is the firm’s policy to ensure the information below is supplied to data subjects (including to our employees and job candidates) before their personal data is collected and processed by the firm:

  • The firm’s name and contact details, and the name and contact details of the data protection officer (where one has been appointed);
  • The purpose(s) of the processing as well as the legal bases for processing;
  • Where the legal basis for processing is based on the firm’s legitimate interests, those legitimate interests should be identified;
  • The recipients or categories of recipients of personal data;
  • Whether the firm intends to transfer personal data to any non-EEA country and the legal basis for the transfer;
  • The retention period for personal data and the criteria used to determine this;
  • How data subjects can exercise their rights of access, rectification, erasure, restriction of processing, objection to processing and data portability, if such rights apply;
  • How data subjects can retract their consent to processing, where the processing by the firm is based on consent;
  • The right to submit a complaint to the relevant Data Protection Supervisory Authority (i.e. DPC);
  • Whether the data subject is required to provide their personal data pursuant to statute or a contract, and the consequences of failing to provide such data; and
  • The existence of automated decision-making, including profiling, and the logic and consequences of the processing for the data subject.

With regard to firm employees, the firm will provide this information in the form of a notice to job candidates and a further privacy policy will be supplied to successful job applicants in the employee handbook as part of their induction to the firm. The employee handbook is an internal document provided directly to staff and is not publicly available.

Where the firm acts as a Data Controller to a client, we will provide a copy of our privacy notice as an appendix to our Engagement Letter with this client, thus covering our responsibilities to the client and its data subjects in this regard. The firm will also include its Privacy Notice on its website.

4. The Rights of Data Subjects

The data subjects of the firm have the following rights:

  • Right to be informed (see Privacy Statements under Section 3);
  • Right of access (see below);
  • Right to rectification (see below);
  • Right to erasure (‘right to be forgotten’) – see below;
  • Right to restrict processing (see below);
  • Right to object (see below);
  • Right to data portability (see below);
  • Rights re: automated decision making and profiling; and
  • Right to withdraw consent (where processing is based on consent).

Data Subject Access Requests (DSARs)

Data subjects have the right to make a DSAR. The DSAR may be for all personal data of that data subject held by the firm or a subset of the data. The firm must respond to the request within 1 month, unless the firm can show that the request is manifestly unfounded or excessive, or where the request is sufficiently complex or one of a number of requests (in which case the 1-month deadline may be extended by a further 2 months, to a maximum of 3 months in total). The firm does not have the right to charge a fee for processing this request, again unless the firm can show that the request is manifestly unfounded or excessive.

Any DSAR received by the firm shall immediately be referred to the Head of Privacy, who is responsible for co-ordinating the firm’s response to any DSAR.

Where the firm receives a DSAR, the firm will first conduct due diligence to confirm the identity of the data subject. The firm will not comply with DSARs made by anyone other than the data subject themselves.

Where the firm receives a DSAR, the firm will assess all data held on behalf of the individual, including data held on:

  • The firm’s central data server;
  • Laptops and personal computers in the firm;
  • The firm's application database and any associated cloud storage and backups (including Google Cloud Storage backups);
  • Stored emails and other electronic messaging systems;
  • Records held by our third-party data processors on our behalf (the firm will request a copy from those processors where necessary to respond to the DSAR); and
  • Paper files.

Hard copies will be made of any documentation containing personal data of the data subject who made the DSAR.

All data relating to any individuals other than the maker of the request will be redacted. The firm will consider whether its legal and professional obligations require any data held by the firm to be kept confidential.

Records of all DSARs and response times shall be kept by the firm in a DSAR register.

Right of Erasure (Right to be Forgotten)

Data subjects have the right to request erasure of their personal data where the firm does not have a legitimate reason for retaining such data. Where the firm receives a request for erasure from a data subject, then the firm will assess all personal data held on the data subject, including data held on:

  • The firm’s central data server;
  • Laptops and personal computers in the firm;
  • The firm's application database and any associated cloud storage and backups (including Google Cloud Storage backups);
  • Stored emails and other electronic messaging systems;
  • Records held by our third-party data processors on our behalf (the firm will instruct those processors to delete or anonymise the data, subject to any legal obligation that requires retention); and
  • Paper files.

All personal data deemed as not held for a legitimate purpose will be deleted/destroyed in line with the firm’s policy.

Right of Rectification

Data Subjects have the right to require that their personal data be up to date and accurate. Where the firm receives a request from a data subject, the firm will verify whether the data subject’s data is up to date and accurate, and if not will make requested corrections.

Right to Restrict Processing

Where a data subject is contesting the accuracy of their personal data held by the firm (see right to rectification above), or is objecting to processing (see right to object below), or where the processing is unlawful, the data subject has the right to restrict processing of their personal data.

The firm’s policy is to follow the same procedure as a request under the Right to Erasure. It will review all data held by the firm relating to the data subject and consider whether it holds any data in excess of that needed under its legitimate purpose. It will then restrict future processing of any “excess” data in accordance with the request of the data subject.

The Right to Object to Processing

Under this right the data subject can object to the processing of their data. Where the objection relates to direct marketing, this right is absolute — the firm must cease processing immediately and no balancing assessment is required. In all other cases, the firm’s policy is to follow the same procedure as a request under the Right to Erasure above. It will review all data held by the firm relating to the data subject and consider whether it holds/processes any data in excess of that needed under its legitimate purpose. It will cease any processing of any “excess” data in accordance with the request of the data subject.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means they should be able to move, copy or transfer personal data easily from one IT environment to another, and from one service provider to another, in a safe and secure way. This is an extension of the access right, and data subjects have the right to receive their data in a structured and machine-readable form.

The right to data portability applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • where the processing is carried out by automated means.

The firm does not process personal data by purely automated means and therefore does not hold data which would be subject to a data portability request.

In the event that the firm determines that it holds data relevant to a data portability request, it will review the personal data held. The firm will then determine the electronic format in which the data has been requested to be transferred (e.g. the electronic file type). All data relating to any individuals other than the maker of the request will be redacted. The firm will then consider whether its legal and professional obligations require any data held by the firm to be kept confidential, and transfer the data deemed not subject to these restrictions to the third party (who may be another accountancy firm) as requested by the individual.

5. Data Governance

Accountability

The firm is required to be able to demonstrate compliance with each of its obligations under the GDPR. This requires that internal mechanisms and control systems are put in place to ensure compliance with the GDPR and that there is documentary evidence to prove this. This evidence may need to be produced to external stakeholders, including the Data Protection Commission (DPC), our supervisory authority in Ireland.

Examples of how the firm demonstrates GDPR compliance include its policies on Data Protection Impact Assessments, Privacy Notices, Privacy by Design and Data Retention.

Data Protection Impact Assessments (DPIAs)

DPIAs are requirements under the GDPR in relation to processing activities that are likely to result in high risks to the rights of data subjects. DPIAs may be required particularly in relation to the roll-out of new technologies, such as significant new IT systems or new working practices.

It is the firm’s policy to conduct a DPIA to assess the risks that are inherent in any new proposed processing activities, which will in turn be designed to allow the firm to identify and mitigate the associated data protection risks, before we commence these new processing activities. In rollouts of new IT systems, for example, a DPIA must be completed, with satisfactory results, before processing of live data is carried out.

It is the firm’s policy to not carry out any activities that would require mandatory DPIAs, such as systematic and extensive evaluation of individuals based on automated processing (profiling), large scale processing of special categories of data and personal data relating to criminal convictions and offences, or systematic monitoring of public areas on a large scale.

Where a DPIA is required, the Head of Privacy shall be responsible for co-ordinating the DPIA within the firm. The DPIA shall include:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Where appropriate and practical, the firm will seek the views of data subjects or their representatives on the intended processing.

Where the DPIA indicates that the intended processing would result in a high risk in the absence of mitigating measures taken by the firm, the firm will consult with the DPC prior to beginning such processing.

Privacy by Design

It is the firm’s policy to place the protection of privacy at the centre of all decision-making processes and at the start of any new service development or process development. The firm will consider both appropriate technological and organisational measures to ensure GDPR compliance in these circumstances.

If the firm is considering, for example, changes to working practices (e.g. homeworking), an office redesign or installing new technology, then means to protect the privacy of data subjects must be included in the decision-making process and the rolling out of the change.

Transferring Data out of the European Economic Area (EEA)

Where it is necessary to transfer personal data outside the EEA, for example to cloud or AI service providers, the firm ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission. The European Commission granted the United Kingdom an adequacy decision in June 2021, which is currently in force; transfers to UK-based service providers take place on this basis. The firm monitors developments and will ensure that appropriate safeguards remain in place for transfers to UK-based providers at all times. A copy of the Standard Contractual Clauses and other safeguards in place is available on request from our Head of Privacy at info@incorpro.ie.

Document Retention

Personal data is retained only for the purposes for which it was collected, and for the specific periods set out in the table below. The firm's retention periods are determined by the applicable statutory obligation, professional indemnity requirement, or documented operational need:

The firm’s policy in relation to document retention for client data
Data Category | Retention Period | Legal Basis for Retention
Anti-Money Laundering / Customer Due Diligence records | 5 years from end of business relationship | Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, s.55
Tax and accounts records | 6 years from end of relevant tax year | Revenue Ireland record-keeping requirements
Payroll records | 6 years from end of relevant payroll period | Revenue Ireland record-keeping requirements
Other client engagement records | 7 years from completion of engagement | Professional indemnity and contractual limitation periods
Website enquiry data (non-clients) | 12 months from last contact | Legitimate interests (operational necessity)
Marketing / newsletter data | Until unsubscribe or objection; thereafter retained only if another lawful basis applies | Consent (withdrawn on unsubscribe or objection)
Employee records | 7 years from end of employment | Statutory requirements (employment, tax, Revenue)
Job applicant records (unsuccessful) | 12 months from date of decision | Legitimate interests; Employment Equality Acts
IncorproChat conversation logs | 12 months from date of conversation; or per the relevant retention period above where attached to a client engagement | Legitimate interests (quality review and service improvement)

It is the firm’s policy to periodically review the data it holds and the grounds on which each category of data is held, and to decide whether the firm continues to need the data.

At the end of the retention period for employee records, all personal data relating to that former employee will be securely deleted or destroyed, unless a specific legal obligation requires retention for a longer period.

6. Security Controls under GDPR

Appropriate Security Controls for information

It is the firm’s policy to comply with its security obligations in relation to personal information by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are present.

These measures include:

  • Pseudonymisation of data where possible and practical. The GDPR distinguishes “anonymous” data (namely, data rendered anonymous in such a manner that the individual is not identifiable) from “pseudonymised” data, from which the identity of an individual is removed but can be recovered (e.g. from a numerical identifier). For example, instead of naming particular data subjects in an audit, these could be numbered, with an associated spreadsheet held separately detailing each data subject’s name and matching number.
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services - the firm has a business continuity plan in place should it be the subject of a fire, flood or other severe operational shock.
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident - this is also covered in the firm’s business continuity plan.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Security Policy

Under GDPR, all organisations must have a security policy, with the following topics included in our firm’s policy:

  • Security Objectives and Scope;
  • Management Intent;
  • Security Principles, Standards and Compliance requirements at the firm;
  • Roles and Responsibilities for Security Management;
  • Asset Control;
  • Remote Access;
  • Data Backup;
  • CCTV (where in place); and
  • Overview of the Technical, Administration and Physical Safeguards in place.

Security Controls

The firm's security policy requires the following technical security measures to aid GDPR compliance:

  • ensuring that IT security is properly managed and overseen by an appropriate person in the firm with adequate support from IT professionals;
  • employing adequate access control, including identity and access management;
  • putting Intrusion Detection/Prevention and Data Loss Prevention systems in place;
  • providing appropriate IT education to staff, including demonstration examples of unauthorised data access and malware;
  • requiring employees and other users to change passwords on a regular basis;
  • ensuring that all computing devices such as PCs, mobile phones, and tablets are using an up-to-date operating system;
  • ensuring all computing devices are regularly updated with manufacturer’s software and security patches;
  • using antivirus software on all devices;
  • implementing a strong firewall;
  • reviewing vendor supplied software and updating default system, administrator, and root passwords and other security parameters to ensure defaults are not left in place;
  • ensuring data backups are taken and are stored securely in a separate location;
  • ensuring that data backups are periodically reviewed and tested to ensure they are functioning correctly;
  • ensuring that data is collected & stored securely;
  • ensuring that mobile devices (such as laptops and mobile phones and tablets) are encrypted;
  • ensuring that two-factor authentication is enabled for remote access; and
  • ensuring that websites have TLS (transport layer security) in place to securely collect personal data via web forms (such as for newsletter subscriptions) or on e-commerce websites.

The firm's security policy requires the following physical security measures:

  • keeping offices and storage units locked;
  • keeping server rooms or cabinets locked;
  • cabling desktop machines and laptops to desks;
  • implementing clean desk policies;
  • ensuring that fire and burglar alarms are in place and that they are functioning correctly;
  • ensuring that ICT equipment such as hard drives and old laptops, computers and mobile devices are securely disposed of at end of life; and
  • having specific and adequate insurance to cover the costs of any data breaches or cybercrime.

Review of these policies, including cyber security policies and procedure, on a regular basis is advised to ensure that they are up to date and effective.

7. Data Breaches

Definition of Data Breach

The GDPR defines a “personal data breach” as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Any suspected breach of personal data held by the firm must be immediately reported to the Head of Privacy, who shall be responsible for co-ordinating the firm’s response to the breach and any required communications with the DPC and data subjects.

All data breaches will be fully documented, as to the source of the breach, its nature, extent and the remedial action taken. Where the firm acts as controller of data, it will comply with its obligation to notify data breaches to the Data Protection Commission not later than 72 hours after having become aware of the breach.

The following are the contents of a breach notification under the GDPR to be used by the firm:

  • Who – categories of data subjects affected
  • How many – the approximate number of data subjects and data records impacted
  • What types – the categories of data records involved
  • Contact – the name and contact details of the Head of Privacy in the firm
  • Consequences – description of the likely consequences of this breach
  • Follow up – all measures taken or to be taken in relation to mitigating the breach

Firm’s obligations when acting as a processor

Where the firm acts as a Data Processor, it shall inform the relevant data controller (i.e. the corporate client). In these instances, the firm should be mindful of the potential obligation of the controller to inform the DPC within 72 hours, and therefore these reports must be made as soon as feasibly possible and without undue delay.

Informing Data Subjects of Data Breaches

Where the firm acts as controller, it must inform the impacted data subjects if there is a high risk that they will be adversely affected by the breach. This must be done as soon as feasibly possible and without undue delay.

8. Related Policies

This GDPR Policy should be read alongside our other data protection documents:

  • Privacy Notice — explains how we collect, use, and retain personal data, and sets out your rights as a data subject.
  • Cookie Policy — explains what cookies we set on our website and how to manage your preferences.

To make a Data Subject Access Request (DSAR), exercise any of the other rights described in this policy, or contact our Head of Privacy, please email info@incorpro.ie or write to Incorpro Limited (registered in Ireland, company number 654276), Unit 2, 2 Bridge Street, Athlone, Westmeath, N37 F1W4, Ireland, marked for the attention of the Head of Privacy.

You also have the right to lodge a complaint with the Data Protection Commission, whose contact details are: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland; telephone +353 (0)761 104 800; website www.dataprotection.ie; email info@dataprotection.ie.
