Everdust OÜ (“the Company”)

Data Breach Policy and Response Procedure

The General Data Protection Regulation (GDPR) aims to protect the rights of individuals about whom data is obtained, stored, processed, or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure, or destruction of Personal Data.

GDPR requires reporting of actual or suspected data breaches, and our procedure for dealing with breaches is set out below.

For the purposes of this Data Breach Policy, “we”, “us”, “Company” and “our” refer to Everdust OÜ, company number 16927064, having its registered address at Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, as the Controller of your Personal Data, and “you”, “User” and “your” refer to you as a Data Subject.

The terms and headings used in this Data Breach Policy but not defined have similar meanings to those in the Privacy Policy.

What is a Data Breach?

A Data Breach is a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or Processed (the “Data Breach”).

Examples of a Data Breach include the following (this list is not exhaustive):

  • Loss or theft of Personal Data or equipment on which Personal Data is stored, for example, loss of a laptop or a paper file (this includes accidental loss);
  • Inappropriate access controls allowing unauthorised use;
  • Equipment failure;
  • Human error (for example, sending an email to the wrong recipient);
  • Unforeseen circumstances such as a fire or flood;
  • Hacking, phishing, and other “blagging” attacks, in which information is obtained by deceiving whoever holds it.

Data Breach Response Team

In case of a Data Breach, the Company’s Director, Kyrylo Zhankevych, shall urgently form the Data Breach response team, which will handle the Data Breach, notify the appropriate persons, and mitigate its risks (the “Data Breach Response Team”).

A Data Breach Response Team must be a multi-disciplinary team headed by the Director, Kyrylo Zhankevych, and comprised of knowledgeable and skilled specialists from the IT department or, if necessary, outsourced professionals. The team must ensure that all employees and engaged contractors/processors adhere to this Data Breach Policy and provide an immediate, effective, and skilful response to any suspected, alleged or actual Personal Data breaches affecting the Company and Data Subjects.

The members of the Data Breach Response Team must be prepared to respond to suspected, alleged or actual Data Breaches. The Data Breach Response Team shall perform all the responsibilities set out in this Data Breach Policy.

The duties of the Data Breach Response Team are:

  • To communicate with the Supervisory Authority regarding the Data Breach using Annex I to this Policy, which contains the contact information of the competent authorities across the EU countries;
  • In case of high risk to the rights and freedoms of natural persons, to communicate the Data Breach to the Data Subject;
  • If the Company obtains data from any Third Party as a Processor, and the Data Breach involves obtained Personal Data, inform the Third Party about the Data Breach;
  • To complete the Data Breach Register (Annex II to this Policy), recording each Data Breach that has occurred;
  • To communicate with the Company’s contractors or any other Third Parties that process the Personal Data involved in the Data Breach; and
  • To take all appropriate technical and organisational measures to cease the Data Breach and mitigate its consequences.

The Data Breach Response Team shall perform its duties until all the necessary measures required by this Data Breach Policy are taken.

Notification to Data Protection Authority

The Company shall inform the Data Protection Authority about the Data Breach without undue delay and, where possible, not later than 72 hours after becoming aware of the Data Breach.

The Data Protection Authority shall be determined by the residence of the Data Subjects whose information was involved in the Data Breach. If the Data Breach concerns the Personal Data of Data Subjects from multiple countries, the Company shall inform all Data Protection Authorities.

Annex I contains all the necessary contact information of the EU Data Protection Authorities. If the Data Breach concerns Data Subjects from countries outside the EU, the Data Breach Response Team shall ask a competent privacy specialist for advice.

The notification to the Data Protection Authority shall contain at least the following information:

  • The nature of the Data Breach.
  • The responsible person's name and contact details from which more information can be obtained.
  • The possible consequences of the Data Breach.
  • The measures taken or proposed by us to address the Data Breach.

Notifications to Data Subjects

If a Data Breach may lead to a violation of the Data Subject’s rights and freedoms, or carries a high risk of doing so, the Company shall immediately inform that Data Subject of the Data Breach and report the following information:

  • The nature of the Data Breach in clear and straightforward language.
  • The responsible person's name and contact details from which more information can be obtained.
  • The possible consequences of breaching the security of Personal Data.
  • The measures taken or proposed by us to address the Data Breach.
  • Useful tips and know-how that can help you reduce the risks arising from the Data Breach.

Notification to the Data Subjects should be carried out by email or, where email is impossible to use, by other available means of communication.

We do not have to send the notification to the Data Subject if any of the following conditions are met:

  • We have implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Data Breach, in particular, those that leave the Personal Data inaccessible to any person who is not authorised to access it, such as encryption;
  • We have taken subsequent measures that ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise; or
  • Communicating with every Data Subject concerned would involve a disproportionate effort. In such a case, public communication or similar measures shall be used to inform the Data Subjects equally effectively.

If we apply one of the exemptions, we must document the circumstances, the reason for not informing the Data Subjects, and the actions taken that satisfy the exemption relied upon.

Communication with Third Parties

In case the Company processes Personal Data on behalf of any Third Party and a Data Breach occurs, the Company shall also notify that Third Party about it within 72 hours. The same rule applies where Third Parties share Personal Data with the Company and a Data Breach has occurred. Making such a notification does not exempt the Company from its duty to carry out the Data Breach response procedure.

In case of receiving a notification about a Data Breach from Third Parties, the Company’s Director, Kyrylo Zhankevych, shall:

  • form the Data Breach Response Team;
  • request the necessary information to perform the response procedure; and
  • perform all the steps of the data breach response procedure specified in this Data Breach Policy.

Miscellaneous

This Data Breach Policy is valid from the Effective date.

The Company may change the Data Breach Policy from time to time. The new version will be valid from the Effective Date of the changes.

The Data Breach Policy is construed in accordance with Estonian legislation.

Approved by: Director Kyrylo Zhankevych
Signature: ____________________
Effective Date: 17.04.2024