PRIVACY POLICY
H2H EVENTS LTD

In accordance with the terms of the Mauritian Data Protection Act 2017 (“MDPA”)

Organisation : H2H EVENTS LTD
Scope of Policy :H2H EVENTS LTD or the ‘company’, as an independent entity hereby undertakes to comply with theconditions set by the MDPA.

Policy operational date: 28 / 01 / 2023
Date approved: 28 / 01 / 2023
Approved by Kirti Sheonarain
Next policy review date: One year as from the date of approval

Annexed to this Policy

ANNEX (I)– Contacts of the Company for Data Protection Queries
ANNEX (II) – Accountability Principles for the Processing of Personal Data

1. Purpose of Policy
H2H EVENTS LTD is committed to uphold and promote the rights of all customers, clients, staff members and the general public (data subjects) who have entrusted the company with their personal data. The purpose of this policy is to enable H2H EVENTS LTD to:

• Protect the rights of data subjects;
• Clearly communicate the Company’s position on the MDPA;
•  Ensure continuous compliance with the MDPA; and
• Encourage good practice across the company and promote data protection.

This policy covers all aspects of the MDPA and explicitly covers several key provisions of the legislation. This does not exclude the need for compliance to other Articles of the MDPA not specifically mentioned.

2. Personal data
This policy applies to (personal data) relating to identifiable individuals, in terms of the MDPA.

3. Definitions
All terms used in this policy are as referenced from the MDPA.

4. Policy statement
Through the incorporation of this Policy, the company, commits to process the personal data of all data subjects in line with the accountability principles set in Annex (II) and covets to take all necessary, proportionate and legal measures to ensure that all personal data entrusted to the company is kept safe within the company’s data protection systems and processes.

In accordance with this Policy, H2H EVENTS LTD covets to:

• At all times uphold the fundamental rights of the data subject when handling personal data;
• remain transparent and honest as to the use of personal data; and will ensure to
•  Provide training and support for all staff who handle personal data.
  H2H EVENTS LTD recognizes that its priority under the MDPA is to avoid causing harm to individuals regarding their personal data by:
• Providing adequate and MDPA compliant systems and processes that keep personal data secure
• Ensuring that all personal data held by the company is accurate and updated
• Giving individual as much choice as is possible and reasonable over what data is held and how it is used.

5. H2H EVENTS LTD commitment as Data Controller
a) Principle relating to the processing of personal data
H2H EVENTS LTD will adhere to the six principles of processing of personal data as covered in Article 21 of the MDPA. This policy commitment will be supported by implementing controls which evaluate the extent to which these principles are respected for personal data processing.

b) Lawfulness
H2H EVENTS LTD will ensure that at least one of the six conditions under Article 23 of the MDPA for lawful processing are met for personal data processing. The company shall ensure to comply with all conditions set under the MDPA regarding the lawfulness of the collection of personal data. This policy commitment will be supported by implementing controls which evaluate the extent to which these lawfulness requirements are respected for personal data processing.

c) Consent
H2H EVENTS LTD will ensure that the conditions for consent are satisfied under Article 24 of the MDPA where applicable for personal data processing. The company will ensure that the conditions for consent are met in all areas where consent is required for the processing of personal data.

d) Children
H2H EVENTS LTD does not normally process the personal data of children (below the age of 16), but where such processing takes place steps will be taken to comply with Article 30 of the MDPA. The company shall obtain the consent of the Parent or Guardian of a child before processing personal data. Where personal data of children is processed, such as for dependents of employees, this policy commitment will be supported by implementing controls which evaluate the extent to which these Article 30 requirements are respected for the processing of
personal data of children. Where the personal data of a child (below the age of 16) is being processed, the company will apply Article 30 of the MDPA to take reasonable efforts to verify that consent has been authorised.

e) Special categories of personal data

H2H EVENTS LTD will ensure that the conditions for processing of special categories of personal data under Articles 29 and 34 of the MDPA are satisfied where applicable. This policy commitment will be supported by implementing controls which evaluate the extent to which personal data processing of special categories of personal data is expected.

f) Criminal convictions and offences
H2H EVENTS LTD does not normally process relating to criminal convictions and offences, but where such processing takes place, criminal convictions will be qualified under Article 29 of the MDPA and will be processed inaccordance with Article 29(2) of the MDPA.

6. Rights of Data Subjects

a) Transparent information, communication and modalities for exercising data subject rights
H2H EVENTS LTD will ensure that information provided to data subjects, such as via a privacy notice, will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in accordance with Article 37 of the MDPA. This policy commitment will be supported by implementing controls which ensure compliance with Articles 37, 38 and 39 of the MDPA in support of data subject rights. This includes the use of fair processing procedures.

b) Information to be provided where personal data are collected from data subject
H2H EVENTS LTD will ensure that the right of access by the data subject will be respected in accordance with Article 37 of the MDPA where applicable. The company shall, upon written request of a data subject, provide, at reasonable intervals, without excessive delay and free of charge confirmation as to whether the personal data relating to the data subject is being processed and forward a copy per request. The company may, where there is reasonable doubt concerning the identity of a data subject making a request for a copy of their personal data held by the company, request further information to confirm the identity of the person making the request.

c) Right of access
H2H EVENTS LTD will ensure that the right of access by the data subject will be respected in accordance with Article 37 of the MDPA where applicable. The company shall, upon written request of a data subject, provide, at reasonable intervals, without excessive delay and free of charge confirmation as to whether the personal data relating to the data subject is being processed and forward a copy per request. The company may, where there is reasonable doubt concerning the identity of a data subject making a request for a copy of their personal data held by the company, request further information to confirm the identity of the person making the request.

d) Right to rectification
H2H EVENTS LTD will ensure that the right to rectification by the data subject will be respected in accordance with Article 39 of the MDPA. Upon request from the data subject, all personal data shall be declared for rectification without undue delay. This policy commitment will be supported by procedural measures to facilitate the submission of data subject requests for rectification, including monitoring that those requests are responded to within the limits allowed.

e) Right to erasure
H2H EVENTS LTD will ensure that the right to erasure of personal data held on the data subject will be respected in accordance with Article 39 of the MDPA. The company undertakes to balance the need to respect data subject requests with the need to retain records for legitimate purposes. Upon request from the data subject and depending on the purposes of the data processing, the company will erase the personal data of the data subject without undue delay.

f) Right to restriction of processing
H2H EVENTS LTD will ensure that the right to restriction of processing will be respected in terms of the valid reasons which are covered under Article 39 of the MDPA. This policy commitment will be supported by procedural measures to facilitate the restriction of processing, including monitoring that those requests are responded to within the limits allowed.

g) Right to object
H2H EVENTS LTD will support the right to object to processing of personal data concerning him or her which will be subject to the purposes for which the data is processed in accordance with Article 39 of the MDPA.

7. Data Controller Responsibilities
a) Responsibility of the Controller
H2H EVENTS LTD will fulfil all of its responsibilities as outlined in Article 22, including implementing policies such as this document and related policies. The company will ensure that those acting under its authority, including employees and Processors will receive clear instructions on the processing of personal data. The company may make use of Data Transfer Agreements where personal data is transferred to a processor, stipulating the terms and conditions to be adhered to during processing.

b) Records of processing activities
H2H EVENTS LTD will ensure that an appropriate record of processing activities is kept and made available to relevant authorities as required under Article 33 of the MDPA.

c) Cooperation with the Supervisory Authority
H2H EVENTS LTD will co-operate at all times with the relevant Supervisory Authorities as required. The company shall be registered as a Data Controller as required under Article 14 of the MDPA and shall oblige to the requests of the Mauritius Data Protection Office.

d) Security of Processing
H2H EVENTS LTD will implement appropriate organisational and technical measures to ensure a level of security appropriate to the risk of processing of personal data in line with Article 31 of the MDPA. These measures will also prevent the unauthorised access to, alteration, disclosure, accidental loss and destruction of personal data.

e) Notification of a Personal Data Breach to the Supervisory Authority
H2H EVENTS LTD will ensure that there are organisational measures to support notification of a personal data breach to the supervisory authority in accordance with Article 25 of the MDPA. The data breach process and procedures will be adequately documented and communicated.

f) Notification of a Personal Data Breach to a Data Subject
H2H EVENTS will notify a data subject of a data breach within 72 hours after becoming aware of the breach in accordance with Article 29 of the MDPA. The company will ensure that there are organisational measures to support notification of a personal data breach to the data subject. The data breach process and procedures will be adequately documented and communicated.

g) Data Protection Impact Assessment
H2H EVENTS LTD will conduct a Data Protection Impact Assessment (DPIA) where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 34 of the MDPA.

h) Prior Consultation
H2H EVENTS LTD will consult the supervisory authority prior to processing where a DPIA under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the company to mitigate the risk.

8. Transfers of Personal Data to Third Countries of International Organisations
a) General Principle for Transfers
H2H EVENTS LTD will ensure that the general principle for transfers is respected. This will be achieved through the implementation of appropriate measures in accordance with Article 36 of the MDPA.

b) Transfers on the basis of an adequacy decision
H2H EVENTS LTD will monitor the list of countries, sectors and international organisations where an adequacy decision has been made. Where appropriate the company will benefit from that decision. Where it is not clear as to the adequacy of data protection regulation in countries outside of the EU and Mauritius, the company shall make reasonable inquiry into the data protection systems in use by the Processor. The company will incorporate appropriate contractual measures, including the use of standard data protection clauses to uphold the data subject’s rights in accordance with Article 36 of the MDPA.

ANNEX (I)
CONTACT OF THE COMPANY FOR DATA
PROTECTION QUERIES:

legal@dmh2h.com
+230 5252 2280
Royal Road, L’Amitié, Rivière du Rempart

ANNEX (II)

ACCOUNTABILITY PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

H2H EVENTS LTD will abide by these accountability principles in the course of processing personal data and shall
ensure that adequate systems and processes, including training is in place to create an environment where the
processing of personal data is conducted in accordance with the fundamental rights of data subjects.

PRINCIPLE APPLICATION

LAWFULNESS, FAIRNESS AND TRANSPARENCY

This involves the processing of data in accordance with one of the following principles:

1. ON THE BASIS OF CONSENT
Where the data subject has provided express consent – we may process your data for the specific purpose for which you have submitted your data and for no other purposes, unless you have been consulted.

2. FOR THE PURPOSE OF PERFORMING A CONTRACT
H2H EVENTS LTD may collect and process personal data per contract and for the purposes of performing the contract. Therefore, if personal data is held for contract purposes, the company may contact the data subject on occasion to request an update the personal data that has provided to ensure that contractual obligations can be fulfilled.

3. FOR THE PURPOSE OF FULFILLING LEGAL OBLIGATIONS
H2H EVENTS LTD may process personal data where there is a legal obligation to do so in which the company acting as a Controller is subject to a legal obligation.

4. FOR THE PURPOSE OF PROTECTING VITAL INTERESTS
In the event that H2H EVENTS LTD processes personal data in order to protect the vital interests of the data subject or those of another, it will ensure that the processing is absolutely necessary and complies with our legal obligations under the MDPA.

5. FOR THE PURPOSE OF CARRYING OUT A TASK IN THE PUBLIC INTEREST
H2H EVENTS LTD may process personal data where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company.

6. FOR THE PURPOSES OF PURSUING THE LEGITIMATE INTERESTS OF A CONTROLLER
H2H EVENTS LTD may process personal data where the processing is necessary for the purposes of the legitimate interests pursued by a controller or processor or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms, which require protection of personal data. Wherever a third party is involved in the processing of personal data, the data subject will be made aware before personal data is shared with the third party.

Once the named principles (above) have been satisfied, the company will ensure that the data subject is aware of the processing, the purpose for which their data is being processed, who is processing their personal data.

PURPOSE LIMITATION

H2H EVENTS LTD will only process personal data based on the conditions named above and will ensure that all personal data processed is processed solely for the purposes as communicated to the data subject. This will be for a limited purpose and will be expressly communicated

DATA MINIMISATION

H2H EVENTS LTD will only process the personal data that is absolutely necessary to conduct its business functions. In addition, all data stored will be kept to the minimum requirement for operational purposes.

DATA ACCURACY

H2H EVENTS LTD will ensue that all personal data that is processed is kept is kept accurately, in its latest and most updated form. The company will provide data subjects with an opportunity at regular intervals to update their personal data, when personal data is held.

STORAGE LIMITATION

H2H EVENTS LTD will ensure that personal data is stored for no longer than is necessary to conduct a business function or for record keeping per legal requirement.
Data storage systems will ensure that ‘dormant’ personal data (such as the personal data held from a contract after the expiry or termination of a contract – kept for legal reasons such as in the event of a claim, etc.), is secure and encrypted and access is limited to key personnel.

INTEGRITY AND CONFIDENTIALITY

H2H EVENTS LTD will treat all personal data with the utmost regard. No personal data will be shared with third parties without providing notice and obtaining the consent of the data subject. Appropriate data security measures will be implemented to ensure that n 
unauthorised access to personal data is granted.