ATTICS International Data Protection Policy (Including GDPR)

Document Number: ATTICS-POL-018

Version Number: 1.0

Document Control: DC18

Effective Date: 06-01-2026

Document Status: Approved

Approval Date: 06-01-2026


These policies are developed exclusively for ATTICS International. Any copying, sharing, or reuse without written consent is not permitted.

Purpose

ATTICS International is committed to protecting the privacy, confidentiality, and security of personal and organizational data entrusted to us.

The purpose of this policy is to ensure that all personal data is processed lawfully, fairly, transparently, and securely in accordance with the General Data Protection Regulation (GDPR) and applicable international data protection laws, while supporting ATTICS International’s operational and certification activities.

Scope

This policy applies to:

  • All ATTICS International employees, management, and representatives
  • Contracted auditors, trainers, assessors, inspectors, and laboratory personnel
  • Approved centres, partners, and service providers
  • All clients, students, candidates, trainees, corporate customers, stakeholders, and website users

It covers all personal and confidential data processed during:

  • Auditing and certification services
  • Training and education services
  • Examination and assessment activities
  • Testing and laboratory services
  • Inspection and calibration services
  • Customer relationship and marketing activities
  • Website and digital platform operations

Definitions

Personal Data:

Any information relating to an identified or identifiable natural person.

Data Subject:

An individual whose personal data is processed by ATTICS International.

Processing:

Any operation performed on personal data including collection, recording, storage, use, transfer, or deletion.

Controller:

ATTICS International, which determines the purpose and means of data processing.

Processor:

Any third party processing data on behalf of ATTICS International.

Special Category Data refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning a person’s sex life or sexual orientation.

Policy Statement

ATTICS International shall:

  • Process personal data lawfully, fairly, and transparently
  • Collect data only for specified and legitimate purposes
  • Ensure data is accurate and kept up to date
  • Retain data only as long as necessary
  • Protect data against unauthorized access, loss, or disclosure
  • Respect data subject rights
  • Ensure third-party processors provide adequate data protection safeguards

Lawful Basis for Processing

ATTICS International processes personal data under one or more of the following lawful bases:

  • Consent of the data subject (Article 6(1)(a) GDPR)
  • Performance of a contract or service agreement with the data subject, or steps taken at the data subject's request before entering into one (Article 6(1)(b))
  • Compliance with a legal or regulatory obligation to which ATTICS International is subject (Article 6(1)(c))
  • Legitimate interests of ATTICS International or a third party, where these are not overridden by the interests or fundamental rights of the data subject (Article 6(1)(f))
  • Protection of the vital interests of the data subject or another natural person (Article 6(1)(d))
  • Performance of a task carried out in the public interest, and accreditation requirements (Article 6(1)(e))

ATTICS International documents the specific lawful basis for each processing activity in its Record of Processing Activities (ROPA). For training and certification services, the primary lawful basis is performance of a contract; for marketing communications, legitimate interest applies with clear opt-out mechanisms provided.

Data Collected

ATTICS International may collect:

  • Personal identification and contact details
  • Educational and professional records
  • Examination and assessment results
  • Certification records
  • Audit, inspection, testing, and calibration client data
  • Payment and invoicing details
  • Website usage and inquiry information

Data Protection Principles

All data processing follows these principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Data Subject Rights

Data subjects have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure of data (where applicable)
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time
  • Lodge complaints with a supervisory authority

Requests shall be acknowledged promptly and answered without undue delay and in any event within one month of receipt, as required by Article 12(3) GDPR. Where a request is complex or ATTICS International receives a number of requests from the same data subject, this period may be extended by up to two further months, provided the data subject is informed of the extension and the reasons for it within the first month.

Data Security Measures

ATTICS International ensures:

  • Secure IT systems and controlled access
  • Encrypted data transmission where applicable
  • Secure physical storage of records
  • Regular system backups
  • Staff confidentiality agreements
  • Cybersecurity and risk monitoring
  • Controlled access to laboratories, examination, and record facilities
  • Implementation of Privacy by Design and by Default principles in all new systems and processes
  • Regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities
  • Mandatory multi-factor authentication for all systems accessing personal data
  • Annual penetration testing and vulnerability assessments of all IT systems

Data Sharing and Transfer

Personal data may be shared with:

  • Accreditation and regulatory bodies
  • Approved centres and partners
  • Examination and assessment platforms
  • Auditors, inspectors, and laboratory personnel
  • Legal or government authorities when required

Where data is transferred internationally, ATTICS International ensures appropriate safeguards in accordance with GDPR.

International Data Transfer Safeguards

When personal data is transferred outside the European Economic Area (EEA) to a country that is not covered by a European Commission adequacy decision, ATTICS International ensures that appropriate safeguards under Chapter V of the GDPR are in place before the transfer takes place, including Standard Contractual Clauses (SCCs) adopted by the European Commission, Binding Corporate Rules (BCRs) where applicable, or another legally recognised transfer mechanism.

Data Retention

Data is retained only for as long as necessary to:

  • Fulfil service and contractual obligations
  • Meet accreditation and legal requirements
  • Maintain certification and examination records
  • Resolve disputes or complaints

Retention periods are defined in ATTICS International’s Record Retention Procedure.

Data Breach Management

In case of a personal data breach:

  • An immediate investigation shall be initiated and the breach recorded, including its facts, its effects, and the remedial action taken, as required by Article 33(5) GDPR
  • Containment and recovery actions shall be implemented
  • The competent supervisory authority shall be notified without undue delay and, where feasible, within 72 hours of ATTICS International becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Article 33)
  • Affected data subjects shall be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Corrective measures shall be recorded and reviewed

Responsibilities

Top Management

  • Ensures data protection compliance
  • Approves data protection policies and resources

Data Protection Officer / Assigned Representative

  • Oversees GDPR compliance
  • Handles data subject requests
  • Monitors data security practices

All Personnel

  • Follow data protection procedures
  • Maintain confidentiality
  • Report suspected data breaches immediately

Third-Party Processors

All external processors handling ATTICS International data must:

  • Sign data protection agreements
  • Demonstrate GDPR-compliant safeguards
  • Process data only under documented instructions

Data Protection Officer (DPO)

ATTICS International has appointed a Data Protection Officer who oversees GDPR compliance, serves as the point of contact for data subjects and supervisory authorities, and ensures ongoing monitoring of data protection practices. The DPO can be contacted at services@atticsintl.com.

Training and Awareness

All personnel receive data protection awareness training to ensure proper handling of personal and confidential data.

Compliance with International Standards

This policy supports compliance with:

  • GDPR (EU 2016/679)
  • ISO 9001:2015 – Quality management systems (control of documented information and of customer property, including customer data)
  • ISO/IEC 17024 – Protection of candidate data
  • ISO/IEC 17025 – Laboratory data integrity
  • ISO 21001:2025 – Learner data protection

Records of Processing Activities (ROPA)

ATTICS International maintains a comprehensive Record of Processing Activities documenting all personal data processing, including purposes, data categories, recipients, retention periods, and security measures, in compliance with Article 30 of the GDPR.

Related Documents

This policy should be read in conjunction with:

  • ATTICS International Quality Management System Manual
  • Applicable ISO standards referenced herein

Distribution

This policy is distributed to all employees via the company intranet and is available to stakeholders upon request. All personnel are responsible for reviewing and complying with the latest version available in the document management system.

Approved By: Mr. Zaib Ali

Authorized Position: Head of Operations

Signature:


Date: 06-01-2026