Welcome to Generalist World and our platform at www.generalist.world! In this Privacy Policy, we would like to inform you which Personal Data we collect from you and use, whether and, if so, to which third parties this data is passed on, how long we store the data and what rights you have should you not agree with our responsible handling.

If, after reading this Privacy Policy, you still have questions, please do not hesitate to contact us using the contact details below.

Who is responsible for data processing?

The person responsible for data processing is

Generalist World

Isle of Raasay

IV408PB

United Kingdom

Web: www.generalist.world

E-Mail: [email protected]

What is Personal Data?

Personal Data is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address, or telephone number as well as online identifiers such as your IP address. In contrast, information of a general nature that cannot be used to determine your identity is not Personal Data. This includes, for example, the number of users of a website.

What is processing?

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and covers virtually any handling of data.

How do we use your Personal Data

In principle, we will only use your Personal Data in accordance with applicable data protection laws, in particular the General Data Protection Regulation (“GDPR”), and only as described in this Privacy Policy.

All Personal Data that we obtain from you via our platform will only be processed for the purposes described in more detail below. This is done within the framework of the respective legal regulations mentioned or only with your consent. In particular, we only process and collect Personal Data if:

• you have given your consent,
• the data is necessary for the fulfilment of a contract / pre-contractual measures,
• the data is necessary for the fulfilment of a legal obligation, or
• the data is necessary to protect the legitimate interests of our company, provided that your interests are not overridden.

We process and store your Personal Data only for the period of time required to achieve the respective processing purpose or for as long as a legal retention period (in particular commercial and tax law) exists. Once the purpose has been achieved or the retention period has expired, the corresponding data is routinely deleted.

Processing of Automatically Collected Data

a) Collection of access data and log files

We also collect data on every access to our platform. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the respective incident is finally clarified. The legal basis for the data processing is our legitimate interest in providing an appealing platform.

c) Use of cookies

We use so-called cookies on our web site. Cookies are small text files that are stored on your respective device (PC, smartphone, tablet, etc.) and saved by your browser. For further information please refer to our Cookie Policy. The legal basis for the use of cookies is your consent as well as our legitimate interest.

Data processing when you submit it to our platform and when you use our services

a) Contacting us

If you contact us, we process the following data from you for the purpose of processing and handling your request: first name, last name, e-mail address, and, if applicable, other information if you have provided it, and your message. The legal basis for the data processing is our obligation to fulfil the contract and/or to fulfil our pre-contractual obligations and/or our legitimate interest in processing your request.

b) Data processing in the context of providing our services

The protection of your data is particularly important to us in the performance of our services. We therefore only want to process as much Personal Data (for example, your name, address, e-mail address or telephone number) as is absolutely necessary. Nevertheless, we rely on the processing of certain Personal Data, to fulfil our contractual obligations to you or to carry out pre-contractual measures.

c) Account Registration

If you register on our platform, we will request mandatory and, where applicable, non-mandatory data in accordance with our registration form from both generalists and companies. The entry of your data is encrypted so that third parties cannot read your data when it is entered. The basis for this storage is our legitimate interest in communicating with registered users and, in the case of contracts, also the storage of contract data.

d) Using our Platform

We need to process certain information about you in order to provide you with optimal, tailored services and opportunities. When using our services, you can submit, share, and publish Personal Data. Some of the Personal Data you provide may be considered “special” or “sensitive”. This includes Personal Data concerning for example your health, racial or ethnic origins, sexual orientation, and religious beliefs. By choosing to provide this data, you consent to our processing of that data.

You have choices about the Personal Data you upload and share. You don’t have to provide Personal Data; however, Personal Data helps you to get more from our Services. It’s your choice whether to include special category data and to make that special category data public. Please do not upload or add data that you would not want to be available.

The legal basis for the processing of your personal and special category data is the establishment and implementation of the user contract for the use of the service as well as your consent. We store the data until you delete your user account. Insofar as legal retention periods are to be observed, storage also takes place beyond the time of deletion of a user account.

You may withdraw your consent and request us to stop using and/or disclosing your personal and special category data by submitting your request to us in writing to [email protected].

e) Administration, financial accounting, office organisation, contact management

We process data in the context of administrative tasks as well as organisation of our business, and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The processing bases are our legal obligations and our legitimate interest.

f) Credit/Debit Cards Payments

Payment by credit card and debit card is made via the payment service provider and Stripe of 185 Berry St #550, San Francisco, CA 94107, USA to which you pass on your payment details during the checkout, for payment processing.

g) Other Users

When you voluntarily share information on our Services (including your public profile), you disclose that information to other users. Of course, we also process your chats with other users as well as the content you publish, as part of the operation of the services. Other users may also provide us with information about you while using our Services. Please be careful with your information and make sure that you only share content that you truly agree to publish, as neither you nor we can control what others do with your information once you share it. The legal bases are to provide you with our services and your consent as well as our legitimate interest.

h) Service Notifications

By using our services, you are giving your consent to receiving notifications and messages per email. Those typically include general, profile and content information in relation to your use of our platform. Our system notifications are sent using SendinBlue of 47, Rue de la Chaussee d'Antin Paris, 75009 France and are designed to enhance your experience. You can of course opt out from receiving notifications by following the unsubscribe instructions at the bottom of every notification e-mail sent by us. The legal bases are to provide you with our services and your consent as well as our legitimate interest.

Data processing through integration of third-party services and content

We use content or service offers of third-party providers on the basis of our legitimate interests in order to integrate their content and services ("content").

This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content.

The following provides an overview of third-party providers and their content, together with links to their privacy policies, which contain further information on the processing of data and so-called opt-out measures, if any:

• Analytics and Tracking: Google Analytics by Google LLC.
• Fonts: Google Font API by Google LLC.
• Tag Management: Google Tag Manager and Google Site Tag by Google LLC.
• Platform Provider: pallet.com by Pallet Inc.
• Community Portal: Softr by Softr Platforms GmbH.

Transfer of Personal Data

We will not disclose or otherwise distribute your Personal Data to third parties unless this:

• is necessary for the performance of our services,
• you have consented to the disclosure,
• or the disclosure of data is permitted by relevant legal provisions.

However, we are entitled to outsource the processing of your Personal Data in whole or in part to external service providers acting as processors within the framework of the GDPR. External service providers support us, for example, in the technical operation and support of the platform (see above), data management, the provision and performance of services, marketing, as well as the implementation and fulfilment of reporting obligations.

The service providers commissioned by us however will process your data exclusively in accordance with our instructions and we remain in accordance with the GDPR responsible for the protection of your data. Doing so we always make sure that service providers commissioned by us are carefully selected, follow strict contractual regulations, technical and organisational measures, and additional controls by us.

We may also disclose Personal Data to third parties if we are legally obliged to do so e.g., by court order or if this is necessary to support criminal or legal investigations or proceedings at home or abroad or to fulfil our legitimate interests.

Automated decision-making

Automated decision-making including profiling does not take place at Generalist World.

Your data subject rights

You are entitled to the following rights:

• the right to information,
• the right to rectification,
• the right to erasure,
• the right to restriction of data processing,
• the right to data portability,
• the right to object to data processing,
• the right to revoke any consent you have given, and
• the right to lodge a complaint with the competent supervisory authority.

Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights as a data subject.

Data retention

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, the data processed by us will be deleted or restricted in their processing in accordance with the GDPR. If the data is not deleted because they are required for other and legally permissible purposes, their processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Data Security

Our data processing is subject to the principle that we only process the Personal Data that is necessary for the use of our services. In doing so, we take great care to ensure that your privacy and the confidentiality of all Personal Data are always guaranteed.

All transmitted data is protected by TLS encryption. Transport Layer Security (TLS) is a protocol used to ensure secure data transmission on the Internet. The public-private key procedure is used here. This means that data encrypted with a publicly accessible key can only be decrypted again with a separate private key.

We also use technical and organisational security measures (TOMs) throughout the company to protect the data we manage from you against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.

Social Media

We are present on social media on the basis of our legitimate interest. If you contact us via those social media platforms, you should note that the chat history can neither be deleted by us nor by you. And that, in accordance with the GDPR, the relevant social media platform and we are jointly responsible for the processing of your data and enter into a so-called joint controller agreement. A Joint Controller Agreement itself if very legalistic and lengthy, but in a nutshell, it clarifies how the jointly responsible parties will fulfil the obligations arising from data protection laws that are applicable to them. The legal basis for the use of the relevant social media platform is our legitimate interest, your consent or, in the case of a (pre) contractual relationship with us, the initiation of a contractual service.

Updating your information

If you believe that the information, we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so by contacting us.

For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can answer the above requests. Please keep in mind, we may reject requests for certain reasons, including if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another person.

Also, we may not be able to accommodate certain requests to object to the processing of Personal Data, notably where such requests would not allow us to provide our service to you anymore.

Withdraw your consent

You may withdraw your consent and request us to stop using and/or disclosing your Personal Data for any or all of the Purposes by submitting your request to us. Should you withdraw your consent to the collection, use or disclosure of your Personal Data, it may impact our ability to proceed with your transactions, agreements, or interactions with us. Please note that your withdrawal of consent will not prevent us from exercising our legal rights (including any remedies) or undertaking any steps as we may be entitled to at law.

Personal Data and children

Our services are aimed at people aged 18 and over. We will not knowingly collect, use or disclose personal information from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact.

Changes and updates to the privacy policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We will amend the privacy policy as soon as changes to the information processing activities we carry out make this necessary.

Concerns and Contact

If you have any concerns about a possible compromise of your privacy or misuse of your personal information on our part, or any other questions or comments, or wish to exercise your rights under applicable laws, please contact us.

This Privacy Policy was last updated on Monday, 19 December 2022

Data Protection Policy

Generalist World

Isle of Raasay

IV408PB

United Kingdom

Web: www.generalist.world

E-Mail: [email protected]

Data Protection Policy

Table of Contents

Table of Content    2

Introduction    3

Rationale    3

Our Role    3

Purpose of the policy    3

Scope    3

Data Protection Manager    4

Data Protection Principles    4

Data Subjects’ Rights    4

Accountability    5

Responsibility    5

Third-Party Data Processors    6

Data Security    6

Data Subject Access Requests    6

Reporting a personal data breach    7

Limitations on the transfer of personal data    7

Record Keeping    7

Secure Deletion and Archiving of Personal Data    8

Sensitive and Special Category data    8

Training and Audit    8

Data privacy by design and default    8

Data Protection Impact Assessments (DPIAs)    8

Marketing    9

Access Control    9

Antivirus/Anti-malware Protection    9

Glossary of Terms    10

Review    11

Introduction

Thank you for your interest in this Data Protection Policy! At Generalist World, we take our responsibilities under the General Data Protection Regulation (GDPR) very seriously.

As such, this policy sets out how personal data is managed and dealt with in order to ensure that the obligation to fulfill individuals’ reasonable expectations of privacy is applied and followed and that the responsibilities established under the GDPR are complied with.

The requirement specified in this procedure applies equally to all staff, contractors and service users and contracting parties engaged with Generalist World.

Rationale

Generalist World acquires, uses, stores, and otherwise processes personal data relating to potential and current service users, and contracting parties, current and potential and former contractors, employees, and collectively refers to those individuals in this policy as data subjects. Likewise, no distinction is made between the rights of data subjects, and all are treated equally under this policy.

Our Role

During the course of you using our services we are processing and only insofar as this is necessary for our services the following categories of personal data: First Name, Last Name, Contact Data, Payment Data, and Contract Data. As well as special category data which is personal data that needs more protection because it is sensitive. This may include personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, or data concerning health.

Generalist World will process personal data to the extent permitted by law, for example, in the course of providing our services or to comply with our legal obligations. We may also use personal data for the following purposes: Managing and planning operational processes and Contractual Data Processing for Payment and Administrative Purposes and Service provision.

The personal data you provide is collected and processed for the purpose of fulfilling a contract, our legal obligations, protecting legitimate interests. The legal basis for the processing of your data is, in addition to Art. 6 Para. 1 lit. b), c), d) and e) GDPR, and Article 9 Para. 2 lit. c), h) GDPR for Special Category Data and Sensitive Personal Data, if necessary.

Purpose of the policy

This policy seeks to ensure that Generalist World is:

• clear about how personal data must be processed;
• complying with the GDPR and with good practice;
• protecting the personal data entrusted to us and that it is processed in accordance with data subjects’ rights;
• protecting itself from risks of personal data breaches and breaches of data protection laws;

Scope

The policy covers both personal and special category personal data held by Generalist World in relation to data subjects. The policy applies equally to personal data held in print and digital form. All contractors and others processing personal data on behalf of Generalist World must read it and a failure to comply may result in disciplinary action. Generalist World’ Data Protection Manager is responsible for ensuring that contractors and others working on behalf of the Company complying with this policy and should implement appropriate practices, processes, controls, and training accordingly.

Data Protection Manager

Generalist World’s Data Protection Manager (DPM) is Milly, who can be reached at [email protected] or by Phone on 077436946417.

Data Protection Principles

Generalist World is responsible for, and must be able to demonstrate compliance with the data protection principles set out in the GDPR and all personal data must be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject,
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject,
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed,
• accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed is erased or rectified without delay,
• kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject, and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Data Subjects’ Rights

The GDPR grant several rights to data subjects. These include the following:

• the right to be informed;
• the right of access;
• the right of rectification;
• the right to erasure (the “right to be forgotten”);
• the right to restrict processing;
• the right to data portability;
• the right to object;
• rights with respect to automated decision-making and profiling;
• the right to withdraw consent;
• to be notified of a data breach which is likely to result in high risk to their rights and freedoms; and
• to make a complaint to the relevant Data Protection Supervisory Authority.

Generalist World requires the verification of the identity of an individual requesting data under any of the rights listed. Requests made must be complied within one month of receipt and immediately forwarded to the DPM and are processed free of charge.

To assert these rights, please contact our DPM at any time using the details provided above. You also have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach any supervisory authority.

Accountability

Generalist World must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. Generalist World is further responsible for and must be able to demonstrate compliance with the data protection principles. Consequently, adequate resources and controls to ensure and document GDPR compliance are put into place. Those are:

• the appointment of a DPM,
• security and privacy measures when processing and handling data are implemented,
• a Data Protection Impact Assessment (DPIA) is carried out,
• policies and procedures for processing and handling data are implemented,
• Generalist World contractors and others working on behalf of the Company are trained in accordance with the GDPR,
• security and privacy measures and processing and handling policies and procedures are reviewed and updated, and
• Audits and reviews are carried out regularly.

Responsibility

As the Data Controller, Generalist World is responsible for establishing policies and procedures in order to comply with data protection law.

The DPM is responsible for:

• advising Generalist World and its contractors and others working on behalf of the Company of its obligations under the GDPR,
• monitoring that the GDPR and other relevant data protection laws are followed and applied,
• monitoring training and audit activities related to GDPR compliance,
• advice when requested and conduct data protection impact assessments,
• act as the contact point for the relevant Data Protection Supervisory Authority and data subjects, and
• oversee Generalist World’s performance regarding risk deriving from processing operations, considering the nature, scope, context and purpose.

Contractors and others working on behalf of the Company must ensure that:

• all personal data is kept securely,
• no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party,
• personal Data is kept in accordance with Generalist World’ retention schedule,
• queries concerning data protection, complaints and access requests are forwarded to the DPM immediately,
• data protection breaches are swiftly made known to the DPM and that support in resolving breaches is prioritised,
• any uncertainty about data protection is addressed to the DPM and without delay, and
• they are aware of the Data Protection principles and have read this Policy.

Third-Party Data Processors

Where ****Generalist World is outsourcing or using external companies for the processing of personal data, the responsibility for the data remains with Generalist World.

A third-party data processor must:

• provide sufficient guarantees about its data protection and security measures,
• agree to a written contract covering what personal data is processed and for what purpose, and
• agree to a written data processing agreement.

Data Security

We have a clear and specific objective to ensure that personal data is kept secure and up to date. In particular we have agreed to:

• comply with the legal requirements in the provision of services,
• process and use your data only to the extent strictly necessary to perform our obligations or as otherwise provided,
• only disclose your data to contractors and others working on behalf of Generalist World that have a need to access your data,
• ensure that all such contractors and others working on behalf of Generalist World are bound by a confidentiality agreement,
• take all reasonable steps to ensure the reliability of all its contractors and others working on behalf of Generalist World who have access to your data,
• ensure that appropriate controls are in place to prevent access to special categories of Data, where relevant, except in circumstances expressly authorised, and
• implement, maintain and at all times operate adequate and appropriate technical and organisational measures to:
  • protect the security, confidentiality, integrity, and availability of your data, and
  • protect against unauthorised or unlawful processing of your data and against
  • accidental loss, destruction or the making vulnerable of, or damage to, your data,
  • such measures shall, at a minimum, meet
    • the requirements of the GDPR, and
    • the standards required by all applicable accepted industry practices.

Data Subject Access Requests

Data subjects have the right to receive a copy of their personal data which is held by Generalist World. Likewise, an individual is entitled to receive further information about processing their personal data and in particular on:

• the purpose of processing;
• the categories of personal data being processed;
• the recipients of personal data;
• the retention periods;
• information about their rights;
• the relevant safeguards when personal data is transferred outside the EEA; and
• any third-party source of the personal data.

Do not share any personal data without proper authorisation. Do not alter, conceal block, or destroy personal data after such request has been made. Contact the DPM before making any changes or replying to a Data subject Access Requests.

Reporting a personal data breach

The GDPR requires that Generalist World reports any personal data breach to the relevant Data Protection Supervisory Authority if there is a risk or high risk to the rights and freedoms of the data subject. If you know or suspect a personal data breach inform the DPM immediately and follow the instructions set out in the Data Breach Procedure.

Limitations on the transfer of personal data

The transfer of personal data to a country outside the EEA, will only take place if one or more of the following applies:

• the relevant Data Protection Supervisory Authority and or European Commission confirmed that the particular country ensures an adequate level of protection for the data subjects’ rights and freedoms,
• the particular country provides appropriate safeguards such as binding corporate rules, standard contractual clauses approved by the relevant Data Protection Supervisory Authority and or European Commission, an approved code of conduct or a certification mechanism,
• the data subject has explicitly agreed to the transfer,
• the transfer is necessary for the performance of a contract between the data subject and Generalist World, and
• the transfer is necessary for one of the other reasons set out in the GDPR including:
• the public interest,
• establish, exercise, or defend legal claims,
• to protect the vital interests of the data subjects, and
• if the data subject is physically or legally unable to give their consent.

Record Keeping

The GDPR requires Generalist World to keep full and accurate records of all data processing activities. Keep and maintain accurate corporate records reflecting personal data processing, including Consent Form. Records should include, at a minimum, the name and contact details of the DPM, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.

Similar, records of personal data breaches must also be kept and cover the following:

• the facts surrounding the breach,
• its effects, and
• the remedial action taken.

Secure Deletion and Archiving of Personal Data

Personal Data must be deleted and stored using one of the following secure methods:

• Documents in electronic format must be deleted with a secure deletion utility and standard deletion utilities should not be used,
• Personal Data on hard drives, removable drives, storage devices or any similar item must be securely erased before any disposal or reassignment of the equipment,
• Personal Data that is Archived on hard drives, removable drives, storage devices or any similar item must be organised in an orderly and organised manner and encrypted using at least AES-256,
• Paper copies must be destroyed using cross-cut shredders, and
• The DPM must approve and record the destruction or deletion of personal data.

Sensitive and Special Category data

Generalist World is through the performance of its services routinely collecting Sensitive and Special Category data. If the processing of Sensitive and Special Category data during the course of the provision of services or employment becomes necessary, we first need to obtain consents. In this context, consent means any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner, in the form of a declaration or any other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

Training and Audit

Generalist World is required to ensure that all contractors and others working on behalf of Generalist World are adequately trained and compliance with the GDPR is possible. We also regularly test our policies, systems, and processes to assess and ensure compliance.

Data privacy by design and default

Generalist World has to ensure that by default only personal data which is necessary for each specific purpose is processed. The obligation applies:

• to the volume of personal data collected,
• the extent of the processing, and
• the period of storage and the accessibility of the personal data.

In particular, personal data should not be available to an indefinite number of persons, and you must ensure that you adhere to those measures.

Data Protection Impact Assessments (DPIAs)

Generalist World must also conduct DPIAs in respect of high-risk processing before that processing is undertaken. Generalist World’ DPM will conduct a DPIA when:

• new or changing technologies such as programs, systems or processes are introduced,
• automated processing including profiling takes place,
• sensitive and special category data is processed on a large scale, and
• systematic monitoring of a publicly accessible area on a large scale takes place.

A DPIA must include:

• a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate,
• an assessment of the necessity and proportionality of the processing in relation to its purpose,
• an assessment of the risk to individuals, and
• the risk-mitigation measures in place and demonstration of compliance.

Marketing

Generalist World is subject to certain rules and privacy laws when marketing to our service users, residents, guests and clientele. A data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information. A data subject’s request to object to direct marketing must be respected. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

Access Control

Access to all information will be controlled and will be driven by business requirements. Access will be granted, or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.

A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed and will include consideration of multiple factors as appropriate.

Specific controls will be implemented for users with elevated privileges and leavers, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented, where practical.

Antivirus/Anti-malware Protection

All workstation and server-based assets used, whether connected to the Generalist World network or as stand-alone units, must use Generalist World approved antivirus/anti-malware protection software and configuration provided by the Generalist World. The following procedures shall be followed:

• Virus protection software must not be disabled or bypassed,
• Settings for the virus protection software must not be altered in a manner that will reduce the software effectiveness,
• Automatic update frequency cannot be altered to reduce the frequency of updates,
• All servers attached to the Generalist World network must utilise Generalist World approved/standard virus protection software and setup to detect and clean viruses,
• All electronic mail gateways, devices, and servers must use Generalist World approved e-mail virus/malware/spam protection software and must adhere to Generalist World rules for the set-up and use of this software,
• Any threat that is not automatically cleaned, quarantined, and subsequently deleted by malware protection software constitutes a security incident and must be reported, and
• Antivirus/anti-malware signature updates shall occur on a frequency defined by Generalist World but shall occur minimally once each calendar month.

Glossary of Terms

Automated Decision-Making (ADM)

When a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. the GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.

Consent

An agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.

Data Controller

The person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. Generalist World is the Data Controller of all personal data relating to it and used delivering education and training and all other purposes connected with it including business purposes.

Data Subject

A living identified or identifiable individual about whom we hold personal data.

Data Protection impact assessment (DPIA)

An assessment tool used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.

Data Protection Manager (DPM)

The person appointed as such under the GDPR and in accordance with its requirements. A DPM is responsible for advising Generalist World on their obligations under the GDPR, for monitoring compliance with the GDPR, as well as with polices, cooperating with the relevant Data Protection Supervisory Authority and acting as a point of contact.

Personal Data

Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behaviour.

Special category data

Special category data is personal data that needs more protection because it is sensitive. This may include personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, or data concerning health. In order to process special category data, we first need to obtain consent.

Consent

Consent means any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner, in the form of a declaration or any other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

Personal Data Breach

Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.

Privacy by Design and Default

Means ****implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

Privacy Policy

A ****separate policy setting out information that may be provided to data subjects when Generalist World collects information for example through the website. These notices may take the form of general privacy statements applicable to a specific group of individuals) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.

Processing or Process

Any activity that involves the use of personal data. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. Basically, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Pseudonymisation or Pseudonymised

Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Review

Generalist World will continue to review the effectiveness of this Data Protection Policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required taking into account changes in the law and organisational or security changes.

Concerns and Contact

If you have any questions or comments about our Data Protection Policy or wish to exercise your rights under applicable laws, please contact our DPM using the following contact details:

Generalist World

Isle of Raasay

IV408PB

United Kingdom

Web: www.generalist.world

E-Mail: [email protected]

This Data Protection Policy was last updated on Monday, December 19, 2022