Introduction to Privacy Rights

As part of its social responsibility, the IAARC is committed to international compliance with data protection laws. This data Protection Policy applies worldwide and is based on globally accepted, basic principles on data protection.  The Data Protection Policy provides one of the necessary framework conditions for data transmission. It ensures the adequate level of data protection prescribed by the European Union Data Protection Directive and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting
requirements for data processing under national laws must be observed.

Principles for processing personal data

1. Fairness and lawfulness: When processing personal data, the individual rights of the data subjects
must be protected. Personal data must be collected and processed in a legal and fair manner.

2. Restriction to a specific purpose: Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

3. Transparency: The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
– The identity of the Data Controller
– The purpose of data processing
– Third parties
or categories of third parties to whom the data might be transmitted.

4. Data reduction and data economy: Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

5. Deletion: Personal data that is no longer needed after the expiration of legal or business process-related
periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.

6. Factual accuracy; up-to-dateness of data: Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected,
supplemented or updated.

7. Confidentiality and data security: Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access,
illegal processing or distribution, as well as accidental loss, modification or destruction.