GDPR

ACQ Roadmap to Compliance for General Data Protection

1. Introduction to GDPR

The General Data Protection Regulation (GDPR), implemented in April 2016 following its publication in the Official Journal of the European Union, became enforceable in May 2018. It is mandatory in its entirety and directly applicable across all Member States. A core aspect of GDPR emphasizes transparency, ensuring individuals have access to clear information regarding the collection and use of their personal data.

Regulatory Focus

The GDPR establishes rules for the protection of individuals with respect to the processing of personal data, as well as for ensuring the free movement of such data. It safeguards individuals’ rights and fundamental freedoms, particularly the right to personal data protection.

Lawful Basis

Under GDPR, all organizations must identify and document a lawful basis for processing and storing personal data. Certain companies or organizations may qualify for exemptions or derogations (alternative legal provisions). Without such a basis, the processing or storage of personal data is deemed “prima facie unlawful.”

2. What Constitutes Personal Data?
  • Any information related to an identified or identifiable natural person (‘data subject’);
  • An identifiable natural person is someone who can be identified, directly or indirectly, particularly through identifiers such as a name, identification number, location data, online identifier, or one or more specific factors related to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

This includes:
  • Biographical details or current living situation, such as dates of birth, Social Security numbers, phone numbers, and email addresses.
  • Appearance and behavior, such as eye color, weight, and personality traits.
  • Workplace and educational information, including salary, tax data, and student identification numbers.
  • Private and subjective data, including religion, political views, and geo-tracking data.
  • Health, sickness, and genetic information, such as medical history, genetic data, and details about sick leave.

Examples: Names, addresses, National Insurance numbers, email addresses, IP addresses, CCTV images.

3. Scope of Certification

The certification audit is conducted to assess the implementation of the technical standard and evaluate the effectiveness of the organization’s procedures.

  • A certificate valid for 3 years is awarded upon a satisfactory outcome.
  • Surveillance audits are carried out to ensure that the procedures consistently meet the standard’s requirements and to monitor ongoing improvements.
  • Re-certification after 3 years is required to confirm continued compliance and the overall effectiveness of the procedures.

4. ACQ Roadmap for General Data Protection

4-1) How ACQ Collects and Uses Personal Data

ACQ collects and uses personal data from the following:

  • Potential and certified clients of ACQ seeking certification services;
  • Delegates attending ACQ training courses;
  • Subcontractors (trainers, auditors, technical experts, and/or report reviewers) engaged by ACQ;
  • Other stakeholders or interested parties involved in business dealings.

Who is Data Protection Certification For?

Organizations with employees are directly affected by the GDPR’s record-keeping requirements. More broadly, any organization that processes the personal data of EU residents for professional or commercial purposes is a “controller” or “processor” under the regulation. The processing of any data relating to an EU citizen (“data subject”) falls within the scope of the regulation, regardless of where the organization is located or registered.

Data protection is no longer a concern for IT or marketing alone. It requires a holistic approach across the entire organization due to the data lifecycle focus in the regulation.

REGULATION (EU) 2016/679

As per GDPR Article 42, exceptions exist for public bodies processing data to enforce public security or to address criminal offenses.

4-2) Types of Data Collected

ACQ collects personal data directly from agencies when requesting ACQ services, typically via email, phone, face-to-face interactions, or through ACQ representatives.

Data collected may include, but is not limited to:

  • Full name, age, job title, phone number, email address, residential address, office address, identification number, passport number;
  • CV, academic certificates, training certificates, auditing and/or training experience, professional registrations, consulting experience;
  • Financial data such as credit card details for service/course payments and invoices;
  • Any voluntarily shared feedback or opinions on ACQ services.

4-3) Purposes for Using the Data

ACQ may use personal data for the following purposes:

  • Preparing proposals for certification services or training courses;
  • Drafting subcontractor agreements for audits, training, report reviews, and technical services;
  • Qualifying trainers, auditors, technical experts, and/or report reviewers;
  • Preparing audit plans and reports for certification services rendered;
  • Registering delegates and updating relevant systems;
  • Addressing complaints or feedback;
  • Meeting compliance and regulatory obligations, as required by accreditation bodies, training partners, or local authorities.

Lawful Basis for Collecting Personal Information

The GDPR specifies the lawful grounds for processing personal data, including:

  • Consent from the data subject;
  • Necessity for the performance of a contract with the data subject, or for steps taken at the data subject’s request before entering into a contract;
  • Compliance with legal obligations;
  • Protection of vital interests of the data subject or another individual;
  • Performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
  • Legitimate interests for commercial, individual, or societal benefits (e.g., service announcements or product recalls).

4-4) How ACQ Shares the Data

ACQ employees have access to client files, but each agency can only view its own information. Beyond ACQ staff, personal data may be shared with:

  • IT service providers who maintain ACQ systems;
  • ACQ authorized representatives conducting certification services;
  • Accreditation bodies and/or local authorities as required.

4-5) Retention Time

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal and regulatory obligations. The retention periods are:

  • Agreement with agency: 6 years;
  • Employment records: 6 years;
  • Contracts, declarations of interest: 6 years;
  • Audit reports: 3 years;
  • Mailing: 1 year after last action;
  • Invoices: 10 years;
  • Logo requests: 2 years from last action.

4-6) How ACQ Protects Privacy

ACQ follows strict security procedures for storing and disclosing information to prevent unauthorized access, loss, or destruction of personal data. These procedures include:

Physical Security:

  • Locked offices and storage units;
  • Locked server rooms and cabinets;
  • Securing desktop machines and laptops with cable locks;
  • Implementing clean desk policies;
  • Ensuring fire and burglar alarms are functioning;
  • Secure disposal of end-of-life equipment (computers, mobile devices, etc.).

Technical Security:

  • Regular updates for all computing devices, including operating systems and security patches;
  • Using antivirus software on all devices;
  • Implementing a robust firewall.

Organizational Security:

  • Training on security and privacy for employees, subcontractors, and representatives;
  • Documenting data collection and retention policies;
  • Enforcing strong password policies;
  • Documenting data backup policies.

Personnel Security:

  • All employees, subcontractors, service providers, and partners are bound by ACQ’s Confidentiality Agreement.

4-7) Rights of Data Subjects

Data subjects have the following rights regarding their personal data:

  • Access to personal data: You have the right to request the personal data ACQ holds about you, subject to identity verification.

  • Correction and Deletion: You can request correction or updates to your personal data. In some cases, you may request deletion, although legal obligations may prevent full deletion. ACQ may retain minimal data to demonstrate compliance with obligations.

  • Filing a Complaint: Complaints regarding ACQ’s adherence to this Roadmap should be addressed as specified.

ACQ reserves the right to update this Roadmap periodically. This Roadmap was first established in June 2018.

ACQ is committed to collecting and protecting personal data in accordance with the GDPR (EU General Data Protection Regulation).

ACQ provides management system services tailored to the organization’s business context and industry, including:

  • Gap analysis on GDPR compliance;
  • Certification of professionals against the UNI 11697 standard;
  • Training services;
  • IT service certifications according to ISO 27001, ISO 20000, and ISO 22301 standards.

For questions or concerns about your privacy, please contact us.