Orion Digital Solutions Data Protection Policy
1. Introduction
Orion Digital Solutions (“Orion” or “the Company”) is committed to protecting the privacy and security of personal data entrusted to us. This Data Privacy Policy outlines Orion’s approach to safeguarding personal data and ensuring compliance with applicable data protection laws, including but not limited to:
- UAE Personal Data Protection Law (PDPL)
- Egyptian Data Protection Law (Law No. 151 of 2020)
- General Data Protection Regulation (GDPR)
- ISO/IEC 27001 Information Security Standards
This policy applies to all Orion employees, contractors, partners, and third-party vendors who process or have access to personal data within Orion’s operations.
2. Scope
This policy applies to:
- All personal data collected, processed, stored, or shared by Orion.
- All employees, contractors, and third parties handling personal data on behalf of Orion.
- All business operations where Orion processes personal data, whether in digital or physical formats.
At the time of preparing this policy, Orion does not handle customer personal data. This policy nevertheless reflects our commitment to data protection across all of our interactions with customers, suppliers, employees and contractors, current and future.
3. Principles of Data Privacy
Orion adheres to the following fundamental principles to ensure data privacy and protection:
3.1 Lawfulness, Fairness, and Transparency
- Personal data is collected and processed lawfully, fairly, and transparently.
- Employees are informed about how their personal data is used and their rights.
3.2 Purpose Limitation
- Personal data is collected only for specified, explicit, and legitimate purposes.
- Orion does not use personal data for any purpose beyond its stated objectives.
3.3 Data Minimization
- Orion collects only the data necessary for business and legal purposes.
- Unnecessary personal data is not stored or processed.
3.4 Accuracy
- Orion ensures that personal data remains accurate and up-to-date.
- Employees have the right to request corrections to their data.
3.5 Storage Limitation
- Personal data is retained only for the duration necessary for legal, regulatory, or business purposes.
- Employee data is securely deleted or anonymized when no longer needed.
3.6 Integrity and Confidentiality
- Orion implements appropriate technical and organizational security measures to protect personal data.
- Access to personal data is restricted to authorized personnel only.
3.7 Accountability and Compliance
- Orion maintains detailed records to demonstrate compliance with data protection regulations.
- The Data Protection Officer/Chief Information Security Officer (DPO/CISO) ensures adherence to privacy laws.
4. Data Protection Measures
4.1 Data Classification and Encryption
- Orion classifies personal data based on sensitivity levels (Restricted, Confidential, Internal, Public).
- AES-256 encryption is used to protect personal data at rest, and TLS 1.2+ encryption for data in transit.
- Employee payroll and personnel data are stored in best-in-class off-the-shelf payroll software, which has built-in encryption and role-based access controls (RBAC).
4.2 Access Controls
- Role-based access controls (RBAC) ensure only authorized personnel access personal data.
- Multi-Factor Authentication (MFA) is enforced for systems storing personal data.
- Regular User Access Reviews (every 180 days) ensure access remains appropriate.
4.3 Data Subject Rights
Orion ensures compliance with legal rights of data subjects, including:
- Right to Access: Employees can request a copy of their personal data.
- Right to Rectification: Employees can request corrections to inaccurate data.
- Right to Erasure: Personal data is deleted upon request, where legally applicable.
- Right to Data Portability: Employees can request their personal data in a structured format.
- Right to Restriction of Processing: Employees can request limitations on data processing.
4.4 Third-Party Data Handling
- Orion ensures that third-party vendors processing personal data comply with strict data protection agreements (DPAs), should this need arise in the future.
- Vendors handling personal data must meet ISO/IEC 27001 and GDPR standards.
5. Incident Management and Data Breach Response
Orion has a formal Incident Management Process to respond to data breaches, including:
- Immediate containment and assessment of the breach.
- Notification to affected individuals and regulatory authorities (as per GDPR, PDPL, or Egyptian Data Protection Law).
- Implementation of corrective actions to prevent recurrence.
6. Compliance and Monitoring
- Orion conducts regular security audits to assess compliance with data protection laws.
- Privacy impact assessments (PIAs) are conducted for new projects involving personal data.
- The Data Protection Officer/Chief Information Security Officer (DPO/CISO) oversees compliance and responds to privacy-related concerns.
7. Policy Review and Updates
- This policy will be reviewed annually and updated as necessary to comply with changing regulations.
- Employees are notified of updates and provided with relevant training.
8. Contact Information
For questions or concerns regarding this policy, contact:
Data Protection Officer/Chief Information Security Officer (DPO/CISO)
Orion Digital Solutions
infosec@orion360.com
Approval & Acknowledgment
This Data Privacy Policy has been approved by Orion’s management and must be followed by all employees and contractors. Failure to comply may result in disciplinary action.
Last Updated: 11 November 2024