PERSONAL DATA PROTECTION POLICY
INDEX
1. INTRODUCTION
   a. Main goals
   b. Scope of application
   c. Policy revision, communication and application
2. GENERAL PRINCIPLES FOR PERSONAL DATA PROTECTION
   a. Lawful, fair and transparent processing
   b. Specific, explicit and legitimate purposes
   c. Adequate, relevant and limited processing
   d. Accurate and up-to-date data
   e. Data kept for no longer than necessary
   f. Data processed in a manner that ensures their security
3. RIGHTS OF THE DATA SUBJECT
4. GENERAL GUIDELINES FOR PERSONAL DATA PROCESSING AND PROTECTION
   a. Records of personal data processing activities
   b. Privacy by design and by default
   c. Privacy impact assessment
   d. Segregation of duties (need-to-know)
   e. Personal data erasure
   f. Relationship with Processors
   g. Transfer of personal data to third parties
   h. Transfer of personal data to third countries or international organisations
   i. Personal data processing as a processor
   j. Data breach
   k. Management of evidence
5. PERSONAL DATA PROTECTION SET OF RULES
6. PERSONAL DATA PROTECTION RESPONSIBILITIES
7. GLOSSARY
1. INTRODUCTION
This policy establishes the general principles to be considered in the processing and protection of personal data under the responsibility of LARISSA DEVELOPMENT OF SHOPPING CENTRES S.A. (hereinafter the Company).
The Company processes personal data through a different set of operational and technical means to support its business process activities. The Company acts in strict compliance with the principles described in this policy, with Regulation (EU) 2016/679 (General Data Protection Regulation) and with applicable data protection legislation, in all personal data processing activities of its responsibility.
The Personal Data Protection Policy is part of the personal data protection set of rules of the Company and is complemented by the remaining documents of that set of rules, which includes standards and procedures that define the approach of the Company towards management of security and privacy of personal data.
a. Main goals
The Personal Data Protection Policy establishes guidelines for the adoption of personal data protection and security practices and has the following main goals:
- To align the Company’s business strategy with applicable laws and regulations on personal data security and protection;
- To show transparency on the purposes and processing activities carried out by the Company;
- To promote protection and make available means for the exercise of data subjects’ rights;
- To improve efficiency of data-breach protection, response, notification and communication processes;
- To promote continuous improvement of personal data security and protection processes;
- To improve trust and close communication with all the Company’s stakeholders.
b. Scope of application
The Personal Data Protection Policy applies exclusively to personal data processing activities carried out by the Company. For the purpose of this policy, personal data means any information relating to an identified or identifiable natural person (data subject). A data subject is a person who can be identified, directly or indirectly, namely by reference to an identification number or to factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
The principles presented in this Personal Data Protection Policy complement the provisions on protection and processing of personal data in the legislation and regulations in place, and should be included in the contracts entered into by the Company.
The Personal Data Protection Policy must be followed and applied by all the Company’s employees (if applicable) in activities that may influence, directly or indirectly, personal data processing.
The Company’s employees (if applicable) must be aware of and comply with this and other policies, standards and procedures which constitute the Company’s set of rules for personal data security and protection.
c. Policy revision, communication and application
The Personal Data Protection Policy must be reviewed annually by the Company’s Board of Directors, when a major change occurs and whenever legislative changes occur, to validate that the policy remains up-to-date and compliant with applicable laws and regulations.
This policy must be communicated to all the Company’s employees (if applicable) through the most adequate available means, namely through the intranet, training and awareness-raising sessions. Compliance with this policy is mandatory for all the Company’s employees (if applicable). The Personal Data Protection Policy is available on Sonae Sierra intranet.
2. GENERAL PRINCIPLES FOR PERSONAL DATA PROTECTION
The use and protection of personal data for which the Company is responsible must comply with the following principles:
a. Lawful, fair and transparent processing
The Company and its employees (if applicable) must only use personal data of data subjects for which a specific lawful basis exists. The lawful basis which supports the processing activities of the Company may be:
- Consent given by the data subject;
- Performance of a contract to which the data subject is party;
- Legal obligation to which the controller is subject;
- Protection of the vital interests of data subjects;
- Exercise of functions of public interest;
- Legitimate interests of the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
b. Specific, explicit and legitimate purposes
The processing of personal data, namely their collection, must be limited to specific, explicit and legitimate processing purposes.
The Company and its employees (if applicable) are prohibited from using personal data for purposes for which there is no identified and appropriate lawful basis.
c. Adequate, relevant and limited processing
During personal data processing activities, namely collection, the principle of data minimization must be followed. This means that the Company must process, and in particular collect, only personal data strictly necessary for the specific purpose.
The principle of minimization must also be applied to sharing and other activities of personal data processing, namely internal or external transfers, in which processing of only strictly necessary personal data must be guaranteed, without compromising the correct performance of the activity.
d. Accurate and up-to-date data
The Company and its employees (if applicable) must ensure that personal data processed is accurate and up to date. To this end, appropriate and reasonable procedures must be put in place to ensure accuracy, integrity, completeness and adequacy of personal data to processing purposes, whenever needed.
e. Data kept for no longer than necessary
The Company must define the period during which the personal data will be stored, which must be the period strictly necessary for each purpose.
f. Data processed in a manner that ensures their security
The Company must develop adequate security measures, in line with the best national and international practices, which enable the protection of personal data processed under its responsibility. This includes the implementation of technological controls, administrative, technical and physical measures and procedures which ensure the protection of personal data, and prevent improper use, unauthorized access and disclosure, loss, improper or negligent modification, or unauthorized destruction of personal data.
3. RIGHTS OF THE DATA SUBJECT
The Company must provide the necessary processes and tools which enable data subjects involved in processing for which it is responsible to exercise their rights in a timely manner in accordance with Regulation (EU) 2016/679, namely:
- Information provided to the data subject: the Company must inform the data subject about the data collected about him or her, the purposes for which such data will be processed and their legal basis, the period of storage of the personal data or the criteria used to define that period, who is responsible for the processing and who the Data Protection Officer is (if applicable), the categories of personal data, the recipients or categories of recipients, the rights of the data subject and whether automated decisions are taken;
- Access to information: the Company must provide adequate means to enable the data subject to access the data held about him or her, the purposes of processing, the special categories of data used, the entities with whom data is shared and the storage periods;
- Rectification: the Company must provide adequate means that allow the data subject to rectify any personal data which is incorrect, as well as to update any data which has been modified;
- Erasure: the Company must provide adequate means to enable the data subject to request the erasure of his or her personal data, once the identity of the data subject is confirmed, and inform the data subject that the data has been erased, unless there is any legal or contractual requirement for the storage of the personal data;
- Portability: the Company must provide adequate means to transfer to the data subject or to a new controller his or her personal data in a structured, easy-to-read and standard format, provided that it is technically feasible and its costs are not unreasonable;
- Restriction of processing: the Company must provide adequate means to enable the data subject to restrict the processing of his or her personal data provided that the data is inaccurate or if the processing is unlawful and the data subject opposes the erasure of his or her personal data;
- Objection to processing: the Company must provide adequate means to enable the data subject to object to processing for the purposes of direct marketing, for purposes other than those for which the data was collected and/or processed for legitimate interests pursued by the Company, unless the Company demonstrates compelling legitimate grounds or the processing is necessary for the purposes of legal claims;
- Automated individual decision making: the Company must provide adequate means to enable the data subject not to be subject to decisions taken solely on the basis of automated processing, including profiling, except in cases in which the lawful basis is consent, or the entering into or performance of a contract;
- Protection of children’s rights: the Company must ensure that personal data of children is not processed, except if consent is given by those who have parental responsibility over the child.
4. GENERAL GUIDELINES FOR PERSONAL DATA PROCESSING AND PROTECTION
The following guidelines form a basis for carrying out personal data processing and protection, under the responsibility of the Company.
a. Records of personal data processing activities
The Company must keep records of all personal data processing activities under its responsibility. Any processing carried out must be based on a registry which contains all of the following information:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the Data Protection Officer (if applicable);
- The purposes of the data processing;
- The lawful basis which supports the data processing;
- The description of the categories of data subjects and the categories of personal data;
- The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organisations;
- The periods of storage of personal data or the criteria to define such periods, relating to the processing;
- The existence or absence of automated individual decision-making or profiling decisions and the underlying rationale;
- General description of the technical and organizational security measures.
Similarly, records of processing activities performed by processors under the responsibility of the controller must be stored and maintained.
These records must be formalized in writing, in electronic format or in paper. Additionally, these records shall be made available by the controller or processor to the supervisory authority on request.
b. Privacy by design and by default
The Company shall implement, throughout the whole of the life cycle of personal data under its responsibility, and in the processes of protection and processing of personal data, from design and by default, technical and organizational measures which ensure a level of security commensurate with the risk, including as appropriate:
- Pseudonymization and encryption of personal data;
- Implementation of measures and tools to ensure confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore availability and access to personal data in a timely manner in case there is a physical or technical incident;
- Implementation of processes to regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
c. Privacy impact assessment
The Company must consider the need to carry out impact assessments on the protection of personal data in the development and/or modification of business processes and information systems involving personal data, according to the level of risk to the exercise of the rights of the data subjects, in order to identify the risks and the respective mitigation controls.
All Personal Data Processing Managers (if applicable) should contact the Data Protection Officer (if applicable) prior to adoption of new processes or information systems to confirm the need for such assessments.
The Company acting as controller is responsible for carrying out the impact assessment on the protection of personal data.
d. Segregation of duties (need-to-know)
To ensure that personal data is not accessed by employees (if applicable) without legitimacy for the purposes for which they were collected, the Company must establish and follow a process of assigning access to information (in physical or logical format) and to personal data based on the “need to know” principle. This principle states that each employee is only granted access to the roles and permissions strictly necessary to carry out his or her job.
Access profiles to information systems must be configured in such a way that it ensures that only authorized staff access personal data which is needed for specific purposes.
This principle must be applied throughout the period in which the user processes personal data: from the initial access request and whenever the functional profile changes (e.g. transfer to another department/business area, leaving the Company).
e. Personal data erasure
The Company must apply secure mechanisms for the erasure or destruction of unnecessary personal data, the processing of which is incompatible with the specific, explicit and legitimate purposes.
However, the Company may follow a procedure to assess if the processing for other purposes is compatible with the purpose for which personal data were originally collected. The results of this assessment should be reported to the Data Protection Officer (if applicable) who will then assess the lawfulness of the processing for other purposes.
As an alternative to erasure, in particular circumstances validated with the Data Protection Officer (if applicable), the retention of personal data may be considered in a way which does not allow the identification of data subjects, namely by means of anonymization techniques.
The Company must carry out a periodic process of review and erasure of personal data within its responsibility.
f. Relationship with Processors
To control the risk exposure in the protection and processing of personal data by processors, active mechanisms for monitoring and reviewing services provided must be created and maintained, namely the security conditions and terms established in the contracts or other normative acts.
When outsourcing processing and protection of personal data, the controller shall preferentially use processors which offer sufficient guarantees, such as compliance with codes of conduct and/or certifications approved by the competent supervisory authority concerning technical and organizational measures, in such a way that the provision of personal data processing services meets and complies with the requirements set out in the General Data Protection Regulation, namely when it concerns processing security and exercise of rights of the data subject.
Outsourced processing must be governed by a written contract or a legal act binding the processor to the controller, which describes the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. The written contract or legal act established between the controller and the processor may allow the processor to contract another processor, if necessary, and must define the requirements governing this relationship.
The disclosure or access to personal data must only be granted to external entities if it is verified that the necessary controls are in place to ensure security in the processing of personal data, namely to ensure that whoever is authorized to process personal data has signed a confidentiality agreement or is subject to appropriate legal obligations of confidentiality and that personal data are only handled based on documented instructions from the controller.
The written contract or normative act must also determine if, after the conclusion of the service provided, the processor deletes or returns to the controller all data, deleting existing copies.
Processors must be aware of their obligations and accept the responsibilities and consequences involved in the processing of personal data, and are therefore aware that the legal or contractual responsibility to protect personal data is also theirs. Processors must be aware of and act in accordance with this policy in the provision of services concerning the processing of personal data.
g. Transfer of personal data to third parties
The personal data for which the Company is responsible may be made available to third parties whenever there is a need or interest and this transfer is lawful.
h. Transfer of personal data to third countries or international organisations
In case of transfer of personal data to outside the European Union (that is, to third countries or international organisations outside of the European Union), the Company must comply with the provisions of the General Data Protection Regulation, namely: (i) by ensuring, before the transfer, that the third country, a territory or one or more specific sectors of that third country, or the international organisation concerned, has been subject to a decision of adequacy by the European Commission and that it remains valid on the date of the intended transfer of personal data, or, where no such decision has been taken, (ii) provided that it is possible to obtain appropriate safeguards and on condition that data subjects have enforceable rights and effective corrective legal measures.
If the transfer of personal data falls within the scope of a contractual relationship or legal act, the Company must ensure that the recipient entity located in the third country is bound, namely, to the terms stipulated in standard clauses of data protection adopted by the European Commission and/or adopted by the competent supervisory authority and approved by the European Commission, which are in place on the date of transfer of data concerned, or to binding rules applicable to undertakings approved by the competent supervisory authority.
i. Personal data processing as a processor
In case of processing of personal data for a third party, the Company must ensure that the contract or other normative act which regulates the relationship between the parties complies with the provisions of the General Data Protection Regulation, namely, its main requirements, as well as, as much as possible, of this Personal Data Protection Policy and subsequent applicable standards and procedures.
The contract or other normative act regulating the relationship between the parties must clearly identify the subject, duration, nature, purposes and sources of lawfulness of the processing to be performed, as well as whether those sources of lawfulness have been effectively verified. The responsibility of the Company must be limited to the processing related to that subject and to the purposes expressly provided for in the contract or normative act.
Prior to the conclusion of the contract or other normative act by the Company, as a processor, it must assess the means and capacity to comply with the technical and organisational means required, in particular, by the controller, carrying out appropriate technical and organisational measures to ensure compliance with the obligations assumed, and, at least a level of security which is adequate to the risks associated with the processing.
The Company must ensure, as a processor, namely:
- Implementation of security mechanisms which ensure adequate protection of personal data used in the processing;
- Implementation of effective and expeditious mechanisms for the detection and communication/reporting of any personal data breach affecting personal data processed under the responsibility of the processor;
- The contact name for matters related with the processing of personal data regulated by the contract;
- Implementation of registration mechanisms for data processing activities within the contractual relationship;
- Confidentiality of personal data being processed by its employees (if applicable) or any third parties contracted by the Company.
j. Data breach
When managing personal data breaches, personal data monitoring mechanisms must be implemented to reduce the impact of vulnerabilities in information systems and processes, and procedures for the assessment, internal reporting, decision making, response and communication of personal data breaches must be implemented and formalised.
In addition, an organizational structure, supported by a technological infrastructure, capable of effectively managing and responding to the occurrence of personal data breaches, must be implemented and operational.
In the case of a personal data breach, the Personal Data Processing Manager (if applicable) must report the occurrence to the Data Protection Officer (if applicable) and assess the impact on the rights and freedoms of the data subject. When the personal data breach is likely to cause a high risk to the rights and freedoms of data subjects, the controller must communicate the occurrence to the data subject without undue delay, in compliance with the procedures for personal data breaches defined by the Company.
The controller must notify any personal data breach to the competent supervisory authority, within 72 hours of becoming aware of it, provided that such data breach is likely to result in a risk to the rights and freedoms of the data subjects. If notification to the supervisory authority is not possible within 72 hours, it shall be accompanied by reasons for the delay.
k. Management of evidence
The controller must ensure the design and maintenance of records of processing activities to evidence compliance with the General Data Protection Regulation. In addition, information systems dealing with personal data, such as applications, databases, operating systems and communications systems, must be configured to generate activity logs with sufficient information to evidence compliance with the regulation.
The controller defines the information to be recorded in the activity logs, in coordination with those responsible for the management and administration of the information systems. Activity logs, as well as the information contained therein, must be protected against unauthorized access or undue destruction.
5. PERSONAL DATA PROTECTION SET OF RULES
To ensure personal data protection in a consistent manner, namely protection against threats that may compromise confidentiality, integrity and availability of data, a set of rules is set up to define the guidelines and rules to be applied to the processing of personal data. This set of rules has the following structure:
- Personal Data Protection Policy: Defines the general framework and the Company’s commitment to personal data protection aligned with the strategic vision approved by the Board of Directors. It is a common basis to foster the adoption of consistent organizational security patterns and effective practices for personal data protection management, in order to convey trust to all stakeholders;
- Standards: Define guidelines for all personal data processing, security and protection activities to be adopted throughout the Company;
- Procedures: Define the activities necessary for personal data processing, security and protection, in any business process/support, in accordance with the Personal Data Protection Policy and standards.
6. PERSONAL DATA PROTECTION RESPONSIBILITIES
To streamline the management and operation of personal data processing and protection, an internal organizational structure (governance model) is defined which includes personal data protection processes, privacy management, risk management and internal reporting, so that the Board of Directors has the information necessary to implement governance aligned with the reality of the Company and the business areas can operate in compliance with the General Data Protection Regulation.
In the organizational structure, the responsibilities of all internal stakeholders involved in the protection and processing of personal data should be defined, namely those of the Board of Directors, and of the Data Protection Officer (if applicable) and the Personal Data Processing Managers (if applicable).
The Board of Directors has as its main responsibilities the approval of the Personal Data Protection Policy, the approval of the governance model, the appointment of the Data Protection Officer(s) (if applicable), the independent assessment of the data protection management system and of the level of compliance with the General Data Protection Regulation.
The Board of Directors is responsible for reviewing the Personal Data Protection Policy, fostering and displaying commitment to the protection of personal data, and supervising and ensuring alignment between personal data protection objectives and the strategic vision of the Company, by making available the necessary resources to implement and maintain appropriate measures for the processing and protection of personal data, by promoting continuous improvement, by facilitating training and awareness of the Company’s employees (if applicable) about data protection and privacy, and by ensuring, together with the Data Protection Officer (if applicable), the operational effectiveness of measures and controls for the protection of personal data.
The Data Protection Officer (if applicable) is responsible for providing guidance on the implementation of measures for the processing of personal data in compliance with applicable regulations and legislation and for evidencing their effectiveness, in particular by identifying risks related to that processing, assessing them in terms of origin, nature, probability and severity, and identifying best practices that allow their mitigation. The Data Protection Officer must be involved, in an appropriate and timely manner, in all matters related to the protection of personal data.
The Data Protection Officer (if applicable) is the point of contact with the supervisory authorities in matters relating to the protection of personal data.
In addition, the Data Protection Officer (if applicable) is responsible for monitoring and checking the level of compliance with the General Data Protection Regulation.
The Company, as the controller, must ensure that the processing and protection of personal data activities are defined and implemented in compliance with the requirements of the General Data Protection Regulation. The Company must also be able to evidence compliance with the current policy and other standards and procedures, namely the principles for the processing of personal data and the lawfulness of processing activities.
The Company must designate in writing its Personal Data Processing Managers (if applicable), with respect to their obligations under the General Data Protection Regulation.
The Personal Data Processing Managers of the Company (if applicable), as a controller, will be appointed by the Board of Directors taking into consideration the purposes of processing of personal data.
_____________________________________________________________
The Personal Data Protection Policy is in place and approved by the Board of Directors of the Company on the 23rd of May of 2018.
7. GLOSSARY
To support the reading and understanding of the Personal Data Protection Policy, this chapter compiles the definitions of terms used.
Availability | Possibility of a person, or system, duly authorized and upon request, being able to access personal data. | |
Compliance |
Fulfilment of the requirements applicable to the Company. |
|
Confidentiality |
Attribute that guarantees that information is not available or is not disclosed to unauthorized individuals, entities or processes. |
|
Consent | A freely given, specific, informed and explicit affirmative act by which the data subject accepts that his or her personal data is processed | |
Consequence | Effect arising from the occurrence of a particular event, decision or circumstance. | |
Continuous improvement | Recurring activity to improve performance. | |
Control | Risk mitigation measure (e.g. policies, processes, activities, mechanisms). | |
Controller | The natural or legal person, public authority, agency or other body which, individually or jointly with others, determines the purposes and means of processing of personal data; whenever the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to his appointment may be provided for by Union or Member State law. | |
Employee | The natural person who works for the Company, which includes all the professionals, workers, trainers, consultants, among others. | |
Evidence | Documentary or expert proof, which is intended to show a particular action/activity of an entity, process or system. | |
Incident | Unplanned or unwanted event or set of events, which may adversely affect the normal course of operations and compromise integrity, confidentiality and resilience of personal data. | |
Information systems |
Automated, or manual, system, which includes people, machines, communication networks and/or organized methods, for the processing of personal data. |
|
Integrity | Attribute that allows to confirm/ensure the accuracy and completeness of personal data. | |
Log | Register of an operation on personal data which allows the subsequent identification of the processing activities carried out. | |
Monitoring | Set of supervision and control actions for assessment and follow-up of the completion of a process or activity. | |
Personal Data | Information relating to an identified or identifiable natural person (data subject). A data subject is considered identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. | |
Personal data breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. | |
Personal Data Processing Manager | The employee of the Company who is responsible for the management of the process which includes personal data processing. | |
Policy | Purpose and general guidance as formally expressed by management. | |
Processing | An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. | |
Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. | |
Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. | |
Pseudonymization | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. | |
Recipients | A natural or legal person, public authority, agency or another body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. | |
Representative | A natural or legal person established in the Union who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations [applicable in cases where the controller is not established in one of the Member States of the European Union]. | |
Responsibility | Duty to take control of a certain action and its consequences. | |
Restriction of Processing | The insertion of a mark in stored personal data with the aim of limiting their processing in the future. | |
Review | Process of verifying the relevance and adequacy of a given object (e.g. document, process, risk, system). | |
Supervisory Authority | An independent public authority, established by a Member State, responsible for monitoring the application of the General Data Protection Regulation, in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of such data in the Union. | |
Third party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or the processor, are authorized to process personal data. | |
Vulnerability | Weakness in an asset or control, which can be exploited by one or more threats. |