GDPR - Information Security Incident Management Policy

Purpose:

The purpose of this document is to establish and communicate to all areas of Event Hub a standard procedure for notifying and managing incidents that may compromise the security of the Personal Data (PII) held by Event Hub, in compliance with the General Data Protection Regulation (GDPR).

Under the GDPR, security incidents involving Personal Data must be documented and reported.


Scope:

This policy and procedure apply to all kinds of Security Incidents that may directly or indirectly lead to a breach of Personally Identifiable Information (PII) belonging to Event Hub Customers, their Customers, Users, Employees, and other Data Subjects.

This policy and procedure must be strictly followed by every employee, contractor, or other stakeholder working with data, systems, and other assets. This document also addresses the common data breach scenarios and some additional technical cases that can be considered potential data breach scenarios.

Terms and Definitions:

Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Processing Area: The unit responsible for processing the data associated with the corresponding processing.

Personal Data: Any information concerning identified or identifiable individuals.

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Protection Manager: A natural or legal person, public authority, service, or other body that, alone or with others, determines the purposes and means of processing.

Incident: Any anomaly involving the destruction, loss, or accidental or unlawful alteration of personal data transmitted, stored, or otherwise processed, or the unauthorized disclosure of, or access to, such data.

Data Protection Officer: The main person in charge of controlling and supervising compliance with data protection regulations within the organization.

GDPR Compliance Officer: The person nominated by Event Hub as the official point of contact for communication if an incident occurs, and throughout the incident response.

Data Subject: The person to whom the data relates and who is affected by the incident.

Data Processing: Operations and technical procedures of an automated or non-automated nature that allow for the collection, recording, storage, processing, modification, blocking, and cancellation, as well as the transfer of data resulting from communications, queries, interconnections, and transfers.

Third-Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Supervisory Authority: An independent public authority that is established by a Member State.

Supervisory Authority Concerned: A supervisory authority is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority.

Representative: A natural or legal person established in the Union who, designated in writing by the controller or processor, represents the controller or processor with regard to their respective obligations under the GDPR.

Data Breach: A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. In summary, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware or accidentally lost or destroyed.

Personal data breaches can include:

- Loss or theft of personal data and/or equipment on which data is stored
- Access by an unauthorized third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
- Hacking attack
- Cyberattack
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Flawed data destruction procedures

Policy:

1. All data breach incidents should be logged and kept for future reference.

2. If it is suspected or confirmed that an incident may have caused a data breach and thus affected the protection of data subjects, the Data Protection Officer (DPO) or the Representative should be informed.

3. The DPO or an internal team member should analyze the issue to identify the exact risk and then decide whether the Supervisory Authority needs to be informed.

4. If a data breach affects another region that does not fall under the local Supervisory Authority, the Supervisory Authority Concerned for that region should be notified.

5. Notification to the Supervisory Authority (SA) and Data Subjects (if applicable) should be made within 72 hours of the Data Breach Incident. Notification to the Supervisory Authority and Data Subjects (if applicable) will be made through the GDPR Compliance Officer, who will remain the central point of contact between the Data Protection Officer and the SA for the remaining steps in this policy.

6. The Supervisory Authority (SA) and Data Subjects should be kept updated with periodic feedback through the respective channels.

7. Where it is not possible to notify individual data subjects, a public notice should be posted on available channels, including but not limited to the website and official social media pages.

8. The notification should clearly state a callback number and contact email so that the respective authorities or data subjects can contact Event Hub with any queries.

9. Customer Support Agents should be proactively available to help customers and answer their queries until the issue is resolved.

10. Data Subjects should also be guided on the steps to avoid or minimize the risk of a security breach on their side.

11. Once the breach has been resolved, the Supervisory Authority should be provided with a detailed report containing a description of the incident, the steps taken to resolve it, and other planned actions to avoid such incidents in the future.
