
Data Breach Response and Notification Procedure

base 1.0

Written by Russell Fick

Updated at February 2nd, 2022

DATA BREACH RESPONSE AND NOTIFICATION PROCEDURE - TABLE OF CONTENTS

1. SCOPE, PURPOSE AND USERS
2. REFERENCE DOCUMENTS
3. DEFINITIONS
4. DATA BREACH RESPONSE TEAM
5. DATA BREACH RESPONSE TEAM DUTIES
6. DATA BREACH RESPONSE PROCESS
7. PERSONAL DATA BREACH NOTIFICATION: DATA PROCESSOR TO DATA CONTROLLER
8. PERSONAL DATA BREACH NOTIFICATION: DATA CONTROLLER TO SUPERVISORY AUTHORITY
9. PERSONAL DATA BREACH NOTIFICATION: DATA CONTROLLER TO DATA SUBJECT
10. ACCOUNTABILITY
11. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT
12. VALIDITY AND DOCUMENT MANAGEMENT

 

1. SCOPE, PURPOSE AND USERS


This Procedure provides the general principles and approach for responding to, and mitigating, breaches of personal data (a “personal data breach”) in one or both of the following circumstances:

  • The personal data identifies data subjects who are residents of the Member States of the European Union (EU) and countries in the European Economic Area (EEA), regardless of where that data is subject to processing globally; and 

  • The personal data is subject to processing in the EU and/or EEA, regardless of the country of residency of the data subject.  

The Procedure lays out the general principles and actions for successfully managing the response to a data breach as well as fulfilling the obligations surrounding the notification to Supervisory Authorities and individuals as required by the EU GDPR.  

All Employees/Staff, contractors or temporary Employees/Staff and third parties working for or acting on behalf of PlayerLync (“Company”) must be aware of, and follow this Procedure in the event of a personal data breach. 

 

2. REFERENCE DOCUMENTS


  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) 

  • Personal Data Protection Policy 

 

3. DEFINITIONS

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation (GDPR):  

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Controller” is the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data. 

“Processor” is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller. 

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51. 

 

4. DATA BREACH RESPONSE TEAM


A Data Breach Response Team must be a multi-disciplinary team comprised of knowledgeable and skilled individuals from the IT Department, IT Security, Legal, and Public Affairs. The team may be a physical (local) or virtual (multiple locations) team which responds to any suspected/alleged personal data breach.

The CTO appoints the members of the Data Breach Response Team. The Team must be appointed regardless of whether or not a breach has occurred.

The team must ensure that necessary readiness for a personal data breach response exists, along with the needed resources and preparation (such as call lists, substitution of key roles, desktop exercises, plus required review of company policies, procedures and practices). 

The team’s mission is to provide an immediate, effective, and skilful response to any suspected/alleged or actual personal data breaches affecting the Company. 

If required, the team members may also involve external parties (e.g. an information security vendor for carrying out digital forensics tasks, or an external communications agency for assisting the Company with crisis communications needs).

The Data Breach Response Team Leader [CTO - Greg Menard] can choose to add additional personnel to the team for the purposes of dealing with a specific personal data breach.  

The Data Breach Response Team may deal with more than one suspected/alleged or actual personal data breach at a time. Although the core team may be the same for each suspected/alleged or actual personal data breach, there is no requirement for this. 

The Data Breach Response Team must be prepared to respond to a suspected/alleged or actual personal data breach 24/7, year-round. Therefore, the contact details for each member of the Data Breach Response Team, including personal contact details, shall be stored in a central location, and shall be used to assemble the team whenever notification of a suspected/alleged or actual personal data breach is received. 

The team consists of the following members, as of November 18th, 2019:  Greg Menard, Bob Paulsen, Dean Okimoto, Miguel DeJesus, Doug Andrew, Robert Smith, Gary Ilis, Cary Yokum, Doug Wieder, Russ Fick 

 

5. DATA BREACH RESPONSE TEAM DUTIES


Once a personal data breach is reported to the Data Breach Response team leader, the team must implement the following: 

  • Validate/triage the personal data breach 

  • Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded 

  • Identify remediation requirements and track resolution 

  • Report findings to the top management 

  • Coordinate with appropriate authorities as needed 

  • Coordinate internal and external communications 

  • Ensure that impacted data subjects are properly notified, if necessary 

The Data Breach Response Team will convene for each reported (and alleged) personal data breach, and will be headed by the Data Breach Response Team Leader.   

 

6. DATA BREACH RESPONSE PROCESS


The Data Breach Response Process is initiated when anyone notices a suspected/alleged or actual personal data breach and notifies any member of the Data Breach Response Team. The team is responsible for determining whether the breach should be considered a breach affecting personal data.

The Data Breach Team leader is responsible for documenting all decisions of the core team. Since these documents might be reviewed by the supervisory authorities, they need to be written very precisely and thoroughly to ensure traceability and accountability. 

 

7. PERSONAL DATA BREACH NOTIFICATION: DATA PROCESSOR TO DATA CONTROLLER


When the personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, the Data Protection Officer of the Company acting as a data processor must report any personal data breach to the respective data controller/controllers without undue delay. 

The Data Protection Officer will send a Notification to the controller that includes the following:

  • A description of the nature of the breach 

  • Categories of personal data affected 

  • Approximate number of data subjects affected 

  • Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer 

  • Consequences of the personal data breach 

  • Measures taken to address the personal data breach 

  • Any information relating to the data breach 

 

The Data Protection Officer (DPO) will record the data breach in the Data Breach Register.

 

8. PERSONAL DATA BREACH NOTIFICATION: DATA CONTROLLER TO SUPERVISORY AUTHORITY


When the personal data breach or suspected data breach affects personal data that is being processed by the Company as a data controller, the following actions are performed by the Data Protection Officer: 

  1. The Company must establish whether the personal data breach should be reported to the Supervisory Authority.

  2. In order to establish the risk to the rights and freedoms of the affected data subjects, the Data Protection Officer must perform a Data Protection Impact Assessment on the processing activity affected by the data breach.

  3. If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach should be recorded in the Data Breach Register.

  4. The Supervisory Authority must be notified without undue delay, and no later than 72 hours, if the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach. Any reasons for delay beyond 72 hours must be communicated to the Supervisory Authority.

The DPO or CTO will send a Notification to the Supervisory Authority that includes the following:

  • A description of the nature of the breach 

  • Categories of personal data affected 

  • Approximate number of data subjects affected 

  • Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer 

  • Consequences of the personal data breach 

  • Measures taken to address the personal data breach 

  • Any information relating to the data breach  

 

9. PERSONAL DATA BREACH NOTIFICATION: DATA CONTROLLER TO DATA SUBJECT


The CTO or CEO must assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Protection Officer of the Company must notify the affected data subjects without undue delay.

The Notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 7.  

If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject, the CTO (or DPO) must take the necessary measures to ensure that the affected data subjects are notified by using appropriate, publicly available channels.  

 

10. ACCOUNTABILITY


Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.  

 

11. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT



| Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Call lists & substitution | OneDrive | Data Breach Response Team | Only authorized persons can edit the files | 7 years |
| Contact details | OneDrive | Data Breach Response Team | Only authorized persons can edit the files | 7 years |
| Documented decisions of the Data Breach Response Team | OneDrive | Data Breach Response Team | Only the Data Breach Response Team Leader can edit the files | 7 years |
| Data breach notifications | OneDrive | CTO or DPO | Only the Data Breach Response Team Leader can edit the files | 7 years |
| Data Breach Register | OneDrive | CTO or DPO | Only the Data Protection Officer can edit the files | 7 years |

 

12. VALIDITY AND DOCUMENT MANAGEMENT


This document is valid as of 10/15/2021. 

The owner of this document is the DPO, who must check and, if necessary, update the document at least once a year.
