GDPR Privacy Policy

Introduction

Virtualbook is committed to protecting the privacy and personal data of our customers, employees, and other individuals with whom we interact. As part of this commitment, we comply with the European Union's General Data Protection Regulation (GDPR) and have implemented policies and procedures to ensure that we process personal data lawfully, fairly, and transparently. This policy document outlines our company's GDPR policy and sets out our approach to data protection.

Purpose

The purpose of this policy is to ensure that we comply with the GDPR and to provide guidance to our employees on how to handle personal data appropriately.

Scope

This policy applies to all personal data that we process in the course of our business activities, including data collected from customers, employees, and other individuals.

Policy Details

Data Protection Officer (DPO)

Our company has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance efforts. The DPO is responsible for ensuring that we process personal data in accordance with the GDPR, maintaining records of processing activities, conducting Data Protection Impact Assessments (DPIAs), and acting as a point of contact for data subjects and supervisory authorities.

Lawful Basis for Processing

We ensure that we have a lawful basis for processing personal data. We identify the lawful basis for each processing activity and ensure that it is documented in our records of processing activities. We only process personal data for the purposes for which it was collected, and we do not use personal data for any other purpose that is incompatible with the original purpose.

Data Subject Rights

We respect the rights of data subjects under the GDPR, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.
We have implemented procedures to facilitate the exercise of these rights by data subjects, and we ensure that data subjects are provided with clear and concise information on how to exercise their rights.

Consent

We obtain valid and informed consent from data subjects before processing their personal data, where required by the GDPR. We provide clear and concise information to data subjects about the processing activities, including the purpose, legal basis, and duration of processing, as well as the right to withdraw consent at any time.

Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) where necessary to identify and mitigate potential privacy risks associated with processing activities. We ensure that the DPIA considers the necessity, proportionality, and effectiveness of the processing activity, and we involve our DPO in the DPIA process.

Data Breach Notification

We have implemented procedures for detecting, reporting, and investigating data breaches. We notify the supervisory authority and affected data subjects of a data breach without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. We regularly review our retention periods and ensure that personal data is securely deleted or anonymized when it is no longer required.

International Data Transfers

We ensure that personal data is transferred outside the European Economic Area (EEA) only where appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules.

Training and Awareness

We provide training and awareness to our employees on data protection and GDPR compliance. We ensure that all employees who handle personal data are aware of their responsibilities under the GDPR and are familiar with our company's GDPR policy.

Disciplinary Action

Virtualbook takes data protection and GDPR compliance very seriously. Any employee who fails to comply with this policy or other data protection regulations may face disciplinary action, up to and including termination of employment. Examples of behavior that may result in disciplinary action include:

• Failure to comply with GDPR regulations or company policies and procedures related to data protection.
• Breach of confidentiality by disclosing personal data without authorization.
• Mishandling of personal data or improper use of personal data.
• Failure to report a data breach in accordance with company policies and GDPR regulations.
• Unauthorized access or misuse of personal data.
• Failure to cooperate with an investigation or audit related to GDPR compliance.

Disciplinary action may include verbal or written warnings, suspension, or termination of employment, depending on the severity and frequency of the misconduct. The decision to take disciplinary action will be made in accordance with company policies and procedures and will consider the individual circumstances of each case. Our company will also take appropriate steps to prevent future breaches and improve our GDPR compliance efforts, including additional training and awareness programs for employees.

Declaration

I Virtualbook acknowledge that I have read and understood the company's GDPR policy, and I agree to comply with all the requirements and obligations set out in the policy. I understand that this policy applies to all personal data that I may handle or process in the course of my employment, and that I am responsible for ensuring that such data is processed lawfully and in accordance with the GDPR and company policies. I understand that failure to comply with this policy may result in disciplinary action, up to and including termination of my employment.
I also understand that the company may conduct audits or investigations to ensure compliance with this policy and other data protection regulations, and that I am required to cooperate fully with any such audits or investigations. I understand that I have a duty to report any suspected or actual breaches of personal data to the Data Protection Officer (DPO) or other designated person in accordance with company policies and GDPR regulations. I also understand that I have the right to exercise my data subject rights under the GDPR, and that the company has implemented procedures to facilitate the exercise of these rights. I acknowledge that data protection and GDPR compliance are critical to the success of the company, and that it is my responsibility as an employee to contribute to the company's efforts to protect personal data and comply with GDPR regulations. I agree to attend any training or awareness programs provided by the company to enhance my understanding of GDPR compliance and my role in protecting personal data. I hereby declare that I have read and understood the company's GDPR policy, and I agree to comply with all the requirements and obligations set out in the policy. I understand that any breach of this policy may result in disciplinary action, up to and including termination of my employment.