The Personal Information Policy aims to ensure that personal records and data within the company are processed in compliance with the EU Directive on data protection. It defines how personal information for each employee—processed honestly, lawfully, and for specific employment-related purposes—should be used.

 

Definitions

​

Personal information is defined as data relating to each candidate and employee within (or otherwise connected to) Eigen, specifically:

​

• Personal information processed or intended to be processed fully or partially by automated means (usually electronic data stored on computers, such as Next-of-Kin (NOK) forms, payroll records, timesheets, certificates, passports, CV information, social security forms, tax documents, etc.).

• Information forming or intended to form part of the company’s filing systems (typically paper-based records, such as onboarding documentation, HR letters, job descriptions, checklists, assessment forms, employee interview forms, etc.).

• Information that forms part of an accessible record (such as “Eigen Web” data, addresses, phone numbers, next-of-kin details, bank account numbers, ID numbers, medical records, etc.).

• Records maintained by local authorities for taxation or social services purposes.

 

This definition is based on sound data-processing principles, which confer specific rights related to personal data and impose responsibilities on individuals responsible for processing such data—including obtaining, recording, storing, or performing any operation involving data or information.

​

Procedure

 

Personal information shall be obtained solely for specified purposes and will not be processed in any manner incompatible with those purposes.

 

All personal data must be processed confidentially and shared only with relevant authorized parties.

 

Access to personal data is strictly limited to persons authorized by the company, and sensitive personal data shall only be processed for administrative purposes by these authorized individuals.

 

The Data Controller must clearly define and communicate access rights or codes, ensuring that relevant individuals are informed and thoroughly understand the data protection policy.

 

All personnel handling personal data administratively must ensure that such data is not disclosed to unauthorized parties. All physical records must be stored securely in locked locations, and passwords or codes granting access to IT systems containing personal data must not be shared with others.

 

Individuals working with personal data must adhere strictly to the company’s personal data processing guidelines and IT policy.

 

Personal data shall not be transferred, uploaded, or copied onto removable electronic devices such as USB drives.

 

Storage of personal data within email messages is permitted, provided that appropriate data handling practices are followed.

 

Personal information must never be used in a discriminatory or personal manner and must always be handled with utmost care and diligence.

 

Company data must be stored on the server, not on department drives or personal drives. Data must NOT be stored locally on desktop computers.

 

Computers must be locked when left unattended.

 

During maintenance or repair, hard drives must be secured to protect sensitive data.

 

Data Protection facilitates continuous information flow while simultaneously respecting individual privacy. It also enables identification processes and guards against unauthorized usage. Unauthorized use of personal data constitutes a breach of this Data Protection Policy and may lead to disciplinary actions.

 

Right to be Forgotten

 

Personal information will not be retained longer than necessary and, in any case, will be kept for a maximum period of 3 years following termination of employment.

 

Email accounts will be deleted within 12 months of an employee’s departure. Access to a former employee’s email account is limited to the IT department, with no more than two persons simultaneously managing incoming mail. The account may be used only for forwarding messages to other employees; responding directly to senders is prohibited.

 

Former employees’ email accounts shall include an automatic reply indicating that the employee is no longer with Eigen. According to Eigen’s IT policy, company email is not permitted for personal use; therefore, there is no need to monitor former employees’ inboxes for personal correspondence.