
The QAED Roadmap to Compliance for General Data Protection

Owner and Data Controller
Pyramids Business Tower, New Capital City, 18th floor, office 13, Egypt
Owner contact email: info@theqaed.com

1. Introduction to GDPR

The GDPR (General Data Protection Regulation), which entered into force in April 2016 following its publication in the Official Journal of the European Union, became applicable in May 2018 and is mandatory in all its elements across all Member States. A major component of the GDPR relates to transparency and providing accessible information to individuals about the collection and use of their personal data.

Regulatory Focus

The regulation establishes rules concerning the protection of individuals with regard to the processing of personal data, as well as rules concerning the free movement of such data. It protects the rights and freedoms of individuals, particularly the right to the protection of personal data.

Lawful Basis

Under the GDPR, all companies and organizations must have a lawful basis for processing and storing personal data. Without one, such processing or storage is considered unlawful. Some companies may qualify for exemptions, but otherwise, consent or a legal justification is required.

2. What is Personal Data?

  • Any information relating to an identified or identifiable natural person (data subject).
  • An identifiable person is one who can be identified directly or indirectly through identifiers such as name, ID number, location data, or online identifiers.

Examples of personal data include:

  • Biographical information such as birth dates, national ID, phone numbers, and email addresses.
  • Physical and behavioral information such as eye color, weight, and personality traits.
  • Workplace and education data such as salary, tax records, and student numbers.
  • Private or subjective data such as religion, political views, and location tracking.
  • Health and genetic information including medical history and sick leave records.

3. Definition of Certification Scope

Certification audits evaluate the implementation and effectiveness of an organization’s data protection procedures according to the applicable standards.

  • A certificate valid for three years is issued upon satisfactory results.
  • Surveillance audits verify continued compliance and improvement.
  • Re-certification after three years confirms ongoing conformance and effectiveness.

4. The QAED Roadmap for General Data Protection

4.1 How The QAED Collects and Uses Personal Data

This roadmap applies to:

  • Potential and certified clients engaging The QAED’s certification services.
  • Delegates attending The QAED training courses.
  • Subcontractors such as trainers, auditors, technical experts, and report reviewers engaged by The QAED.
  • Other stakeholders involved in business dealings with The QAED.

Organizations processing personal data of EU citizens fall within GDPR’s scope, regardless of their location. The regulation emphasizes a holistic approach to data protection across all departments.

4.2 Types of Data Collected

The QAED collects personal data directly from agencies, clients, or employees through email, phone, or meetings. Data may include:

  • Full name, age, job title, contact details, and addresses.
  • Identification numbers, passport details, CVs, certificates, and professional records.
  • Financial data such as credit card details, invoices, and payment records.
  • Feedback and opinions voluntarily shared with The QAED.

4.3 Purposes for Using the Data

The QAED uses personal data for purposes including:

  • Preparing proposals for certification or training services.
  • Drafting subcontractor agreements and conducting auditor qualifications.
  • Preparing audit plans, reports, and maintaining training records.
  • Handling complaints and ensuring regulatory compliance.

Lawful Basis for Data Processing

  • Consent of the data subject.
  • Performance of a contract or to enter into one.
  • Compliance with legal obligations.
  • Protection of vital interests.
  • Performance of public interest tasks.
  • Legitimate interests, such as service updates or product recalls.

4.4 Data Sharing

Personal data may be shared with:

  • The QAED employees through authorized systems.
  • IT service providers maintaining The QAED systems.
  • Accreditation bodies or local authorities as required by law.

4.5 Retention Period

Personal data is stored only as long as necessary to fulfill its purpose and comply with legal obligations.

  • Agreements: 6 years
  • Employment records: 6 years
  • Contracts and declarations: 6 years
  • Audit reports: 3 years
  • Mailing: 1 year after last action
  • Invoices: 10 years
  • Logo requests: 2 years after last action

4.6 How The QAED Protects Privacy

The QAED implements strict security procedures to prevent unauthorized access, loss, or destruction of personal data.

Physical Security

  • Locked offices and storage units.
  • Secured server rooms and equipment disposal procedures.
  • Alarm systems and clean desk policies.

Technical Security

  • Up-to-date operating systems and security patches.
  • Antivirus software and strong firewalls.

Organizational Security

  • Security and privacy training for employees and subcontractors.
  • Documented data handling and backup policies.
  • Strong password enforcement.

Personnel Security

All employees, subcontractors, service providers, and representatives must sign confidentiality agreements with The QAED.

4.7 Rights of Data Subjects

  • Access: You have the right to request information about your personal data held by The QAED.
  • Correction and Deletion: You may request correction or deletion of inaccurate or outdated data, subject to legal obligations.
  • Complaints: You may file a complaint about The QAED’s data handling practices as described in this roadmap.

The QAED reserves the right to update this roadmap periodically. It was first established in June 2018.

The QAED undertakes to collect and protect personal data in accordance with GDPR requirements.

The QAED provides management system services including:

  • GDPR gap analysis
  • Certification of professional roles under UNI 11697
  • Training and IT services certification (ISO 27001, ISO 20000, ISO 22301)

Contact Information

If you have questions or concerns about your privacy:

  • Email: info@theqaed.com
  • Or contact The QAED authorized representative via the contact directory at www.theqaed.com