Privacy & PII Protection Policy
Document ID: DPWAT-ISMS-POL-013
Version: 1.0
Owner: CISO — Timo Andreas Bejan (legal contact as applicable: Administrator (ADM) — Anna Boros)
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Policy
DP WAT protects personal data (PII) in accordance with applicable privacy requirements (e.g., GDPR) and customer agreements.
2. Processor and controller roles
- When handling customer data, DP WAT acts as a processor under customer direction; data processing agreements (DPAs) are signed as part of customer contracts.
- DP WAT may act as controller for its own business data (employee records, supplier contacts), but is never controller for PII or sensitive personal data belonging to customers or their end users.
3. Principles
- Collect and process only the minimum PII required for business purposes.
- Restrict PII access to authorized roles.
- Apply appropriate security controls (MFA, least privilege, secure storage).
- Manage incidents involving PII through the incident management process; notify authorities within GDPR timelines (72 hours) where required.