Data Protection & Confidentiality Policy
1. Purpose: This policy outlines the measures taken by the Offshore Wind Academy (OWA) to ensure the security, confidentiality, and lawful processing of personal and sensitive data. It ensures compliance with applicable data protection regulations, including but not limited to GDPR, CCPA, and U.S. privacy laws.
2. Scope: This policy applies to all OWA employees, contractors, third-party service providers, and any individuals handling confidential or personal data within the organization.
3. Definitions
Personal Data: Any information that can identify an individual, such as names, contact details, and financial information.
Sensitive Data: Includes health information, biometric data, and other legally protected personal data.
Processing: Any operation performed on personal data, including collection, storage, modification, and deletion.
4. Data Protection Principles
All data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specific, legitimate purposes.
- Limited to necessary data only.
- Accurate and updated regularly.
- Stored securely and protected from unauthorized access.
- Retained only for as long as necessary and disposed of securely.
5. Confidentiality Obligations
Employees and contractors must not disclose confidential data to unauthorized parties.
Personal data must only be accessed by authorized personnel.
Secure storage and encrypted transmission of sensitive data are required.
6. Data Access & Security Measures
Role-based access controls limit data access.
Multi-factor authentication is required for accessing sensitive data.
Regular security audits ensure compliance with best practices.
7. Third-Party Data Processing
Third-party vendors must comply with OWA’s data protection standards.
Contracts must define responsibilities for data security and confidentiality.
8. Data Breach Response
Any suspected or confirmed breach must be reported immediately.
The breach response team will assess and mitigate risks.
Affected parties and authorities will be notified as required by law.
9. Data Subject Rights
Individuals have the right to:
- Access and request corrections to their personal data.
- Request deletion of data when appropriate.
- Object to certain types of data processing.
10. Training & Compliance
Regular data protection training for employees.
Periodic audits to verify compliance.
Non-compliance may result in disciplinary action.
11. Policy Review & Updates: This policy is reviewed periodically to ensure compliance with legal and operational requirements.