General principles of processing personal data

At Patria, personal data is processed in accordance with data protection legislation, including the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, GDPR), its national implementations and good processing and management practices. Good and secure practices ensure that personal data is processed only to the extent needed for the legal purposes of processing and is available only to authorised persons. The correct level of data protection is implemented through training and guidance of employees and by ongoing monitoring and evaluation of processes that use personal data. In all Patria’s operations, personal data is processed in a systematic and documented way following the principles of lawfulness, fairness and transparency. The rights of the persons subject to processing are implemented.

Administration of data protection

Information about processing of personal data is provided to the persons subject to processing in Patria’s Data Protection Policy and in the separate privacy notices of Patria’s respective functions. The privacy notices provide information about the processing activities and the rights of the person. Any deviations from adequate processing of personal data are handled as personal data breaches and managed in the security incident procedure according to the GDPR. Employees and other persons processing personal data are obliged to report personal data breaches immediately. Risks to the safe processing of personal data are evaluated and managed in accordance with the classification and purpose of processing.

Patria’s Corporate Security Policy and the related guidelines on information security are followed throughout Patria to ensure the application of adequate technical and organisational safety measures in processing of personal data.

Responsibility for lawful processing of personal data and for ensuring sufficient resources rests with the organisation’s management. Adequate expertise and guidance are ensured, and appropriate tools and methods are made available to employees and functions. All persons taking part in processing of personal data in Patria’s organisation, either as employees or in another role, have an obligation to act in accordance with data protection legislation, this Data Protection Policy and other guidelines and instructions in force from time to time. In relations with subcontractors and other data processors as defined in the GDPR, the principle of accountability is followed by executing and documenting Data Processing Agreements.