General Data Protection Regulation

Based on the directives set across the General Data Protection Regulation (EU) 2016/679 (“GDPR”), our compliance policy for GDPR sets out the steps that Aragenex Media LLP. (hereinafter referred to as Aragenex) is taking to ensure compliance with the European Union’s General Data Protection Regulation. This regulation is designed to protect an individual’s personal data. In addition to giving citizens control of their personal data, the GDPR also aims to unify data protection laws across the European Union and the European Economic Area (EEA).

In accordance with the directives laid down in GDPR, below are the GDPR principles that Aragenex complies with for all personal data:

➥  Collected for specified, explicit and legitimate purposes
➥  Adequate, relevant and limited to what is necessary in relation to the purposes
➥  Accurate and kept up to date
➥  Kept for no longer than necessary
➥  Processed in a manner that ensures appropriate security

As per adherence to GDPR directives, we follow the procedures below. These procedures are set out as a data processor, and our responsibilities remain limited to being a data processor under the Data Protection Act.

As a part of our responsibilities in line with the GDPR directives (with reference to Article 5 and Article 6), below are the procedures implemented and followed by Aragenex.

High-Level Data Flow Map

We maintain a high-level data flow map for all processing requirements we receive from our clients, wherein we act as a data processor as per Article 4 of the GDPR. This map helps our clients understand how their data flows within the Aragenex environment and who has access to it.

High-Level Data Map

In accordance with GDPR compliance, it is important for Aragenex and its clients to understand what data falls under GDPR and how to handle it appropriately. To address this, Aragenex uses a GDPR Data Map template. This provides clarity on what data is in our possession and how that data is moving through Aragenex as an organization.

Key elements maintained in the data map include:

1. How was the data collected?
   Understanding the source of data collection and its origin.

2. What personal data is Aragenex collecting?
   Personal data of data subjects collected under GDPR guidelines. Aragenex does not process:

   • Mission-critical personal data

   • Special category personal data

   • Data of children

   • Data of criminal convictions or offences (as per GDPR Articles 7, 8, 9, and 10).

3. Why is the data being collected?
   The reason for collecting personal data lies with the data controller, typically for business and marketing purposes.

4. How is the data stored, processed, and who has access?
   As per GDPR compliance {reference Article 4(2) and (6)}, Aragenex maintains strict policies regarding how data is stored, processed, and who within Aragenex may access it.

5. When is this data disposed of?
   All personal data collected is disposed of within 3 months (90 days) from the date it is delivered to the controller, or earlier as per agreed terms with the controller.

Consent & Rights of Data Subjects

• Do we have consents from the data subjects?
  As per GDPR Article 7, wherever Aragenex acts as a Data Controller, we only process or acquire personal information when appropriate consents have been obtained.

• Right to Withdraw Consent
  Under Article 7(3) of GDPR, data subjects have the right to withdraw their consent at any time. Aragenex strictly adheres to this policy.
  To exercise this right, please contact us at dpo@aragenexmedia.com.

Data Processing Register

In adherence to GDPR compliance, Aragenex fully complies with the rules required as both a data processor and, where applicable, a data controller. As part of this, we duly maintain a data processing register.

Reference Documents

• For our GDPR Privacy Notice, please refer to the document Aragenex Media Privacy Notice.

• For our GDPR Privacy Policy, please refer to the document Aragenex Media Privacy Policy & Disclaimer.